Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Account Lockouts

from [Michael Silk] Network Security [Permanent Link]
Subject: Re: Account Lockouts
Date: Fri, 3 Dec 2004 08:24:47 +1100 
Hi,

 If you are truly concerned about the visually challenged there could
be a link to a sound which they must play ... but then what if they
don't have speakers .. etc.

 The obvious solution here is to allow them to disable this seconday
confirmation via a call to the helpdesk.

 As to the not-so obvious problem ... yes, it's an issue to be
considered, but think about the problem that we are trying to solve
... IMO I wouldn't be concerned about this kind of attack.

-- Michael


On Thu, 02 Dec 2004 12:52:34 -0500, valdis.kletnieks@vt.edu
<valdis.kletnieks@vt.edu> wrote:

On Thu, 02 Dec 2004 15:10:21 +1100, Michael Silk said:

Hi,

 A pretty easy solution exists and is to use "http://www.captcha.net/";
images before locking the account.


The obvious problem is that a visually-challenged user is screwed.

The not-so-obvious problem is that although it "proves" the person is a 
person,
it doesn't prove that the person who entered the response is the "alledged
person or script" you sent the image to.

Some spammers have found a way to deal with these - they grab the image, and
pass it through to some *other* user as a captcha to get into a "free porn"
site or similar.  So the user sees it, types it in for the spammer, and then
the spammer redirects the response to whoever originally sent it.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Account Lockouts, Eric Coleman
Next by Date:  Re: Account Lockouts, Valdis . Kletnieks
Previous by Thread:  Re: Account Lockouts, Valdis . Kletnieks
Next by Thread:  Re: Account Lockouts, Valdis . Kletnieks
Indexes:  [Date] [Thread] [Top] [All Lists]