Internet Security Whitepapers

Biometric Authentication Systems

Internet Security Whitepapers Physical Security System Hacking Web Based Password Cracking

This paper presents our conclusions from a year-long study of biometric authentication techniques and actual deployment potential, together with an independent testing of various biometric authentication products and technologies. We believe that our experience can help the reader in considering whether and what kind of biometric authentication should or should not be used in a given system. Biometric technology has not been studied solely to authenticate humans. A biometric system for race horses is being investigated in Japan and a company that imports pedigree dogs into South Africa uses a biometric technique to verify the dogs being imported.

Blind SQL Injection

Internet Security Whitepapers SQL Injection

Hackers typically test for SQL injection vulnerabilities by sending the application input that would cause the server to generate an invalid SQL query. If the server then returns an error message to the client, the attacker will attempt to reverse-engineer portions of the original SQL query using information gained from these error messages. The typical administrative safeguard is simply to prohibit the display of database server error messages. Regrettably, that's not sufficient.

Blindfolded SQL Injection

Internet Security Whitepapers SQL Injection

In the past few years, SQL Injection attacks have been on the rise. The increase in the number of database-based applications, together with various publications that explain the problem and how it can be exploited (in both electronic and printed formats), have led to many attacks and abuse of this type of attack.

Bluefire Mobile Security Professional Agent

Internet Security Whitepapers Bluetooth Hacking

This document provides step-by-step instructions on how to install, administer and use the Professional Edition of the Bluefire Mobile Security Agent. The Professional Edition of the Mobile Security Agent includes the set of security components that run on the device. Within this document the Professional Edition of the Mobile Security Agent is also referred to as the Professional Mobile Security Agent, the Professional Agent or simply as the Agent.

Bluetooth Security Analysis Tools and New Security Attacks

Internet Security Whitepapers Bluetooth Hacking

This report describes the details of two new proof-of-concept Bluetooth security analysis tools and two new attacks against Bluetooth security. On-Line PIN Cracking script is a security analysis tool for on-line Bluetooth device PIN cracking. Brute-Force BD_ADDR Scanning script is a security analysis tool for brute-force discovery of the addresses of Bluetooth devices that want to be private. Scripts of both our security analysis tools exist and can be demonstrated to Bluetooth device manufacturers or press if required, but they will not be released in any public domain because, due to their efficiency, they can be very dangerous. Our new attacks, BTKeylogging and BTVoiceBugging, extend On-Line PIN Cracking attack.

Bookmarks for Extreme Googling

Internet Security Whitepapers Google Hacking

Google Bookmarks is a free online bookmark storage service, available to Google Account holders. Google Bookmarks allows one to bookmark favorite websites and add labels or tags, and also notes. Users can access their bookmarks from any computer by signing in to their Gmail account. The bookmarks are searchable, and searches are performed on the full text of the bookmarked pages, not just the labels and notes. Google toolbar has tools enabling a user to easily create bookmarks and quickly access them. Bookmarks can also be created manually from the web interface, or by use of third-party tools such as Firefox extensions created for the purpose of managing the user's Google Bookmarks account and keeping them synchronized to the browser's bookmarks. A simple JavaScript function labeled Google Bookmark is created on the Firefox Bookmarks Toolbar, which opens a window to save the bookmark to the Google Bookmarks. This same function can be imported into other browsers as a bookmarklet.

Buffer Overflow

Internet Security Whitepapers Buffer Overflows

In this paper we discuss how buffer overflow vulnerabilities are exploited, how operating system properties are used in favor of attackers, how poor programming language constructs produce harder to detect but easily exploitable code, and discuss solutions proposed to avoid vulnerable code. Although buffer overflow has been the popular vulnerability there are others that can be just as effective, such as input validation and format string vulnerabilities. In comparison, both these methods are easier to detect and fix than buffer overflow. In this paper we focus on buffer overflow vulnerabilities; readers interested in format string vulnerabilities are referred to [Ref].

Buffer Overflow Study Attacks and Defenses

Internet Security Whitepapers Buffer Overflows Exploit Writing Techniques

Most of the exploits based on buffer overflows aim at forcing the execution of malicious code, mainly in order to provide a root shell to the user. The principle is quite simple: malicious instructions are stored in a buffer, which is overflowed to allow an unexpected use of the process, by altering various memory sections. Thus, we will introduce in this document the way a process is mapped in the machine memory, as well as the buffer notion; then we will focus on two kinds of exploits based on buffer overflow: stack overflows and heap overflows.

Buffer Overflows Attacks and Defenses for the Vulnerability of the Decade

Internet Security Whitepapers Buffer Overflows Exploit Writing Techniques

Buffer overflows have been the most common form of security vulnerability for the last ten years. Moreover, buffer overflow vulnerabilities dominate the area of remote network penetration vulnerabilities, where an anonymous Internet user seeks to gain partial or total control of a host. If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. In this paper, we survey the various types of buffer overflow vulnerabilities and attacks, and survey the various defensive measures that mitigate buffer overflow vulnerabilities, including our own StackGuard method. We then consider which combinations of techniques can eliminate the problem of buffer overflow vulnerabilities, while preserving the functionality and performance of existing systems.

Building a Console Cable

Internet Security Whitepapers Hacking Routers, Cable Modems and Firewalls

Many embedded devices (such as switches, routers, cable modems, and so on) have an internal communication port known as a console port. This type of port is typically used for configuring the device and issuing commands with root-level access. If the device is offline, this port can also be used to reconfigure the device locally. However, if it is online, other administration protocols can also be used, such as telnet or rlogin.