OSEC

 
From: Valdis.Kletnieksvt.edu
Date: Fri Jun 07 2002 - 12:31:27 CDT


    On Thu, 06 Jun 2002 17:40:07 PDT, Chris <brahmamendolink.com> said:
    > Sorry if this is a bit off topic but I really didn't know any other lists
    > closer to my question. I was wondering if anyone would know where I could
    > obtain factual information regarding Dial-Up account abuse in conjunction
    > with weak passwords. A study or information gathered by a credible source.

    A much bigger problem is the use of throw-away dialup accounts by spammers
    and other miscreants.

    > As in someone brute forcing/guessing/conning a password for a dial-up
    > account and using that account to launch attacks on systems and do generally
    > malicious things. I am trying to show the importance of forcing customers
    > to select secure passwords (8 char+ w/ numbers, letters and other printable
    > char) to my staff. Any suggestions would be great.

    Brute forcing is probably impractical - remember that if you don't get the
    password right, you have to wait for a dial tone and re-dial and wait for
    the modem to connect again.

    Guessing is *possibly* practical, if you know the victim well enough to
    form a reasonable guess.

    Conning is a non-issue - if you talk the person into giving you the password,
    it doesn't matter if it's simple or complex.

    The big issue to focus on is probably the fact that they are using the SAME
    password for other things (possibly as part of a single sign-on scheme),
    and that there are other services that are more vulnerable to attack.

    For instance, an ISP will *probably* have their users with the same password
    for their RADIUS access to the modem pool, and for access to their POP server,
    just because that way they can run one authentication server for both. But
    it doesn't matter if you can only try 3 passwords a minute on the modem pool
    if the POP server allows 250/minute.....

    Sorry, no hard numbers, just 20 years of watching it happen... ;)

    -- 
    Valdis Kletnieks
    Computer Systems Senior Engineer
    Virginia Tech
    

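As an added illustration of the argument in the message above (not part of the original mail or thread), a small Python model of its point: with one shared password, the effective guess rate is that of the fastest-responding service, and high-rate failures on that service are also the easiest thing for the ISP to spot. The 3/minute and 250/minute rates are the figures quoted in the mail; the log format, usernames and addresses are constructed for the example.

```python
from collections import Counter

# Guess rates quoted in the mail: attempts per minute an attacker can make
# against each service that is backed by the same shared password.
SERVICE_RATES = {"radius_modem_pool": 3, "pop3": 250}


def keyspace(charset_size, length):
    """Number of candidates for a password policy (e.g. 94 printable chars, 8 long)."""
    return charset_size ** length


def minutes_to_exhaust(candidates, rates=SERVICE_RATES):
    """Minutes to try every candidate through each service, plus the effective
    figure: with one shared password the attacker simply uses the fastest service."""
    per_service = {svc: candidates / rate for svc, rate in rates.items()}
    weakest = min(per_service, key=per_service.get)
    return per_service, weakest, per_service[weakest]


# Constructed POP3 auth log lines (illustrative format, not from any real server):
# "<date> <time> <result> user=<name> ip=<client>"
SAMPLE_LOG = """\
2002-06-06 17:40:02 FAIL user=chris ip=203.0.113.7
2002-06-06 17:40:03 FAIL user=chris ip=203.0.113.7
2002-06-06 17:40:03 FAIL user=chris ip=203.0.113.7
2002-06-06 17:40:04 FAIL user=chris ip=203.0.113.7
2002-06-06 17:40:05 FAIL user=chris ip=203.0.113.7
2002-06-06 17:40:09 OK user=alice ip=198.51.100.4
2002-06-06 17:41:30 FAIL user=bob ip=198.51.100.4
"""


def noisy_guessing(log_text, threshold):
    """Return (ip, minute) buckets whose failed-auth count exceeds threshold.
    A user mistyping a password once or twice never trips this; a sustained
    guessing run against the POP server does within its first minute."""
    failures = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "FAIL":
            continue
        minute = fields[0] + " " + fields[1][:5]  # bucket key: YYYY-MM-DD HH:MM
        ip = fields[4].partition("=")[2]
        failures[(ip, minute)] += 1
    return sorted(key for key, n in failures.items() if n > threshold)
```

Running `minutes_to_exhaust(10000)` with a 10,000-word guess list gives about 3,333 minutes via the modem pool but only 40 minutes via POP3, which is the mail's point in numbers.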