Date: Fri Jun 07 2002 - 12:31:27 CDT
On Thu, 06 Jun 2002 17:40:07 PDT, Chris <brahmamendolink.com> said:
> Sorry if this is a bit off topic but I really didn't know any other lists
> closer to my question. I was wondering if anyone would know where I could
> obtain factual information regarding Dial-Up account abuse in conjunction
> with weak passwords. A study or information gathered by a credible source.
A much bigger problem is the use of throw-away dialup accounts by spammers
and other miscreants.
> As in someone brute forcing/guessing/conning a password for a dial-up
> account and using that account to launch attacks on systems and do generally
> malicious things. I am trying to show the importance of forcing customers
> to select secure passwords (8 char+ w/ numbers, letters and other printable
> char) to my staff. Any suggestions would be great.
Brute forcing is probably impractical - remember that if you don't get the
password right, you have to wait for a dial tone and re-dial and wait for
the modem to connect again.
Guessing is *possibly* practical, if you know the victim well enough to
form a reasonable guess.
Conning is a non-issue - if you talk the person into giving you the password,
it doesn't matter if it's simple or complex.
The big issue to focus on is probably the fact that they are using the SAME
password for other things (possibly as part of a single sign-on scheme),
and that there are other services that are more vulnerable to attack.
For instance, an ISP will *probably* have their users with the same password
for their RADIUS access to the modem pool, and for access to their POP server,
just because that way they can run one authentication server for both. But
it doesn't matter if you can only try 3 passwords a minute on the modem pool
if the POP server allows 250/minute.....
Sorry, no hard numbers, just 20 years of watching it happen... ;)
-- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
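An added example, not part of Valdis's reply or any product's code: a small Python detector that correlates failed logins for one account across the modem pool (RADIUS) and the POP server, so guessing that is throttled to a few attempts a minute on one service still stands out when it moves to the faster one. The log formats, usernames, timestamps and the 20-per-minute threshold are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log formats (not any real product's): "pop <iso-ts> LOGIN FAILED user=<u> src=<ip>"
# and "radius <iso-ts> Access-Reject user=<u> src=<port>"; one authentication event per line.
LINE_RE = re.compile(r"^(?P<svc>pop|radius) (?P<ts>\S+) .*?user=(?P<user>\S+)")

def parse(lines):
    """Return (timestamp, service, user) for every failed-authentication line; successes are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and ("LOGIN FAILED" in line or "Access-Reject" in line):
            events.append((datetime.fromisoformat(m["ts"]), m["svc"], m["user"]))
    return events

def failures_by_service(events):
    """Failure counts per (user, service): shows which service the attempts actually land on."""
    counts = defaultdict(int)
    for _ts, svc, user in events:
        counts[(user, svc)] += 1
    return dict(counts)

def failures_per_minute(events, window=timedelta(minutes=1)):
    """Peak number of failures per user inside any one-minute window, summed across ALL services."""
    per_user = defaultdict(list)
    for ts, _svc, user in events:
        per_user[user].append(ts)
    peak = {}
    for user, stamps in per_user.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):        # sliding window over sorted timestamps
            while stamps[end] - stamps[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peak[user] = best
    return peak

def flag_accounts(lines, threshold=20):
    """Accounts whose combined rate is well above what the ~3/min modem pool alone could produce."""
    return {u: n for u, n in failures_per_minute(parse(lines)).items() if n >= threshold}

# Constructed sample: 3 RADIUS rejects plus 25 POP failures for alice inside 50 seconds; bob is noise.
SAMPLE = (
    [f"radius 2002-06-07T12:00:{s:02d} Access-Reject user=alice src=modem-pool-12" for s in (0, 20, 40)]
    + [f"pop 2002-06-07T12:00:{s:02d} LOGIN FAILED user=alice src=10.0.0.5" for s in range(2, 52, 2)]
    + ["pop 2002-06-07T12:00:10 LOGIN FAILED user=bob src=10.0.0.9", "pop 2002-06-07T12:00:30 LOGIN OK user=bob src=10.0.0.9"]
)
```

Per service, alice's RADIUS count alone looks like the modem pool's normal limit; only the combined view exposes the 28 attempts in under a minute.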