White papers - the latest thinking from NGS

The NGSSoftware Insight Security Research team (NISR) have distilled their extensive experience in the field of software security into a catalogue of detailed papers exploring technical skills development and threat dissection.

The papers listed below are provided free of charge and we always welcome intelligent feedback on their contents. The following papers are divided into the following categories: NISR papers, Business Whitepapers and Papers written by NISR team members prior to joining NGSSoftware.

Please note that you will need the latest version of Adobe Reader to view these papers.

NISR papers
Business white papers
Other

NISR papers

24/11/08	Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Investigations
23/07/08	Bypassing Oracle DBMS_ASSERT
16/08/07	Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle Bin
10/08/07	Oracle Forensics Part 5: Finding Evidence of Data Theft in the Absence of Auditing
06/08/07	Attacking the Windows Kernel (Black Hat Las Vegas 2007)
06/08/07	Hacking the Extensible Firmware Interface (Black Hat Las Vegas 2007)
06/08/07	VoIP Security: Methodology and Results (Black Hat Las Vegas 2007)
10/07/07	DNS Pinning and Web Proxies
19/06/07	A Simple and Practical Approach to Input Validation
20/04/07	Oracle Forensics Part 4: Live Response
27/03/07	Oracle Forensics Part 3: Isolating Evidence of Attacks Against the Authentication Mechanism
24/03/07	Oracle Forensics Part 2: Locating Dropped Objects
21/03/07	Oracle Forensics Part 1: Dissecting the Redo Logs
05/03/07	Inter-Protocol Exploitation
28/02/07	Advanced Exploitation of Oracle PL/SQL Flaws (Black Hat Washington 2007)
28/02/07	Firmware Rootkits: The Threat to the Enterprise (Black Hat Washington 2007)
21/02/07	Exploiting PL/SQL Injection Flaws With Only CREATE SESSION Privileges
06/02/07	Weak Randomness
15/01/07	Oracle Passwords and OraBrute
23/11/06	Dangling Cursor Snarfing - A new class of attack in Oracle
21/11/06	Microsoft's SQL Server vs. Oracle's RDBMS
15/11/06	Implementing and Detecting a PCI Rootkit
13/09/06	Inter-Protocol Communication
12/09/06	Low Cost Attacks on Smart Cards - The Electromagnetic Side-Channel
16/11/05	Database Servers on Windows XP and the Unintended Consequences of Simple File Sharing
08/11/05	Securing PL/SQL Applications with DBMS_ASSERT
30/09/05	Buffer Underruns, DEP, ASLR and Improving the Exploitation Prevention Mechanisms (XPMs) on the Windows Platform
30/09/05	Data-Mining With SQL Injection and Inference
19/09/05	Writing Small Shellcode
25/08/05	An Introduction to Heap overflows on AIX 5.3L
22/08/05	The Pharming Guide: Understanding & Preventing DNS Related Attacks by Phishers
26/04/05	Stopping Automated Attack Tools
21/03/05	Anti Brute Force Resource Metering
28/01/05	Security Best Practice: Host Naming & URL Conventions
22/12/04	Blind Exploitation of Stack Overflow Vulnerabilities
01/11/04	Second-Order Code Injection Attacks
22/09/04	The Phishing Guide: Understanding & Preventing Phishing Attacks
05/07/04	Hackproofing MySQL
05/04/04	Mail Non-Delivery Notice Attacks
04/02/04	Passive Information Gathering - The Analysis of Leaked Network Security Information
08/09/03	Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server
10/07/03	Variations in Exploit methods between Linux and Windows
09/05/03	Writing Secure ASP Scripts
21/03/03	New Attack Vectors and a Vulnerability Dissection of MS03-007
14/01/03	Quantum Cryptography - A Study Into Present Technologies and Future Applications (Appendix)
03/09/02	Threat Profiling Microsoft SQL Server (A Guide to Security Auditing)
08/07/02	Microsoft SQL Server Passwords (Cracking the password hashes)
24/06/02	Violating Database Security Measures
18/06/02	(more) Advanced SQL Injection
05/06/02	Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP
28/02/02	Assessing IIS Configuration Remotely (Low Level IIS Application Assessment)
06/02/02	Hackproofing Oracle Application Server (A Guide to Securing Oracle 9)
31/01/02	Advanced SQL Injection in SQL Server Applications
09/01/02	Email spoofing and CDONTS.NEWMAIL (Protecting Microsoft Active Server Pages Applications)
08/01/02	Creating Arbitrary Shellcode in Unicode Expanded Strings (The "Venetian" Exploit)
20/12/01	Hackproofing Lotus Domino Web Server

12/03	Instant Messenger Security
03/03	Application Assessment Questioning
01/03	Web-Based Session Management
11/02	HTML Code Injection and Cross-Site Scripting
05/02	Custom HTML Authentication
03/02	URL Encoded Attacks
02/02	Assessing Your Security
01/02	Application Security Assessments
10/01	Securing WLAN Technologies
05/01	Windows 2000 Format String Vulnerabilities
03/01	Buffer Overflows on SPARC Architecture
03/01	Web Application Disassembly with ODBC Error Messages
07/00	Buffer Overflows for Beginners
04/99	Exploiting Windows NT 4.0 Buffer Overruns (A Case Study: RASMAN.EXE)
	Oracle Corporation based their whitepaper Configuring a Secure Oracle9i Application Server Environment on vulnerability research by NGSSoftware's Managing Director David Litchfield.

Main Navigation

Toolbar links

Site Search

White papers - the latest thinking from NGS

NISR papers

Business white papers

Papers authored by NISR team members before joining NGS

Section Navigation

Red Nose Day 2009

Customer Testimonials

Speaking Events

OWASP AppSec Europe 2008

AusCERT 2008

ITWeb Security Summit

NGS Publications

Web Application Hacker's Handbook

Oracle Hacker's Handbook

Database Hacker's Handbook

The Shellcoder's Handbook

SQL Server Security

Configuring IPCop Firewalls