New Whitepaper: Anti Brute Force Resource Metering

["Gunter Ollmann (NGS)" <gunter () ngssoftware com>]

Hi List,

It's been a couple of months since my last whitepaper, so time for a new
one.  This new whitepaper focuses upon a method known as "resource metering"
to actively restrict (and possibly prevent) many brute force guessing attack
vectors that target custom web authentication processes.

The paper is now available from the NGS website:
http://www.ngssoftware.com/papers/NISR-AntiBruteForceResourceMetering.pdf

As always, I'm happy to discuss the topic further and would value
discussions about the techniques talked about in the paper.

Abstract:     
"Web-based applications authentication processes are frequently vulnerable
to automated brute force guessing attacks.  Whilst commonly proposed
solutions make use of escalating time delays and minimum lockout threshold
strategies, these tend to prove ineffectual in real attacks and may actually
promote additional attack vectors.           

Resource metering through client-side computationally intensive "electronic
payments" can provide an alternative strategy in defending against brute
force guessing attacks.  This whitepaper discusses how such a solution works
and the security advantages it can bring."


Cheers,

Gunter Ollmann

------------------------------------------------------
G u n t e r   O l l m a n n,            MSc(Hons), BSc
Professional Services Director                        
                                                      
Next  Generation  Security  Software  Ltd.            
First Floor, 52 Throwley Way  Tel: +44 (0)208 401 0089
Sutton, Surrey, SM1 4BF, UK   Mob: +44 (0)7710 496 714
http://www.nextgenss.com      Fax: +44 (0)208 401 0076
------------------------------------------------------