
OWASP Chapter meeting, All welcome

  • 02-06-2005 12:40pm
    #1
    Closed Accounts Posts: 5


    Can anyone interested in attending the OWASP Ireland chapter meeting in mid-June in Dublin drop me a line?
    Agenda is:
    A few presentations,
    One on web services security from a world-renowned XML security vendor.
    Another on actual insider threats in the modern office, pretty cool stuff.

    A call for any bright ideas anyone has that OWASP could implement.

    Currently we are trying to interface with Irish universities to get an army of developers to code app security tools.
    - anybody interested in getting involved, drop me a line or give me a call.

    After that, a few pints?
    Come along, and bring your friends, enemies and pets!

    CISSPs: every hour of attendance at an OWASP meeting counts as one CPE credit!


    regards,

    Eoin
    (OWASP-Ireland Chapter Lead)
    eoin.keary@owasp.org


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    An internal threat for at least a Windows network: authentication schemes.

    I know for HTTP proxy ISA, Internet Explorer uses NTLM authentication, and this is also extended to other Microsoft products which access IMAP/SMTP/POP3 services.

    Surely most company networks using Windows would have at least a proxy server, like ISA?

    But what do the other non-Microsoft products use for authentication?

    Netscape browser (at least a couple of years ago) used SHA-1 with no challenge.

    A lot use MD5, and then some use nothing but basic authentication (the username/password encoded with base64).

    Some are quite vulnerable, and not all that much of the topic has been discussed as a threat.

    Maybe you could write a simple TCP/IP sniffer to monitor the network, capture packets on ports specific to HTTP/POP3/SMTP/IMAP, analyse them, determine if they are for authentication, and then attempt to find the plaintext password to the hash, either in real time, for a short specified length in size, or just dump the hash to file for later attempts.

    Some webmail services like Yahoo use MD5 and a random challenge from the server.
    You could find the password if it were 5 characters using letters of A-Z/0-9/a-z in less than a minute on a 2.5 GHz computer.
    That's assuming the Yahoo user doesn't use SSL.

    Although it's unlikely all PCs on a network would each have a 2.5 GHz CPU, it could be done offline by an attacker at home, or in a distributed manner,
    which would find a password even quicker.

    What an attacker could do with the usernames and passwords: I suppose access information/resources they're not supposed to. It may also be a future threat if implemented in malicious programs, a virus maybe.

    Just as a proof of concept tool, for a presentation, I'd be interested to see how effective such a program would be.

    Doesn't have to be released to anyone. If I had access to a small network, I'd write something like that, just to see how well it would work.

    Then try to come up with a way to prevent people exploiting it.
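
An added example, not part of the posts above: a defender-side audit that reports which of the authentication mechanisms named in the comment (Basic, NTLM, MD5 challenge schemes, plain mail logins) appear on unencrypted connections, keeping only the mechanism name and never the credential. The record format `(host, tls, line)`, the exposure labels and the sample lines are assumptions constructed for illustration.

```python
import re

# How much a passive observer learns when each mechanism crosses an
# unencrypted link. Labels are this example's own, not a standard taxonomy.
EXPOSURE = {
    "basic": "reversible", "plain": "reversible",
    "login": "reversible", "pass": "reversible",
    "digest": "offline-guessable", "cram-md5": "offline-guessable",
    "apop": "offline-guessable", "ntlm": "offline-guessable",
}

PATTERNS = (
    re.compile(r"^(?:proxy-)?authorization:\s*(\S+)", re.I),         # HTTP
    re.compile(r"^(?:\S+\s+)?(?:authenticate|auth)\s+(\S+)", re.I),  # SMTP/POP3/IMAP
    re.compile(r"^(pass|apop)\s", re.I),                             # POP3
    re.compile(r"^\S+\s+(login)\s", re.I),                           # IMAP LOGIN
)

def classify(line):
    """Return the lower-cased mechanism named on one protocol line, or None."""
    for pattern in PATTERNS:
        match = pattern.match(line.strip())
        if match:
            return match.group(1).lower()
    return None

def audit(records):
    """Map (host, tls, line) records to (host, mechanism, exposure) findings.

    Only the mechanism name is kept; credential material is never read.
    Mechanisms missing from EXPOSURE are flagged "review" for a human.
    """
    findings = []
    for host, tls, line in records:
        mech = classify(line)
        if mech and not tls:
            findings.append((host, mech, EXPOSURE.get(mech, "review")))
    return findings

# Constructed sample records with placeholder credentials (hypothetical hosts).
SAMPLE = [
    ("proxy01", False, "Proxy-Authorization: Basic <credential>"),
    ("proxy01", False, "Proxy-Authorization: NTLM <credential>"),
    ("web02", True, "Authorization: Basic <credential>"),
    ("mail01", False, "a001 LOGIN <user> <credential>"),
    ("mail01", False, "AUTH CRAM-MD5"),
    ("mail01", False, "APOP <user> <digest>"),
    ("web02", False, "GET /index.html HTTP/1.1"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Every finding marks a service to move behind TLS or onto a stronger mechanism; the `web02` Basic login is not reported because its record is marked as TLS-protected.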

