Hiya..
Yeah.. The captcha systems also prevent the (often) hidden danger re:
bruteforcing.. and that is that account lock-out is largely useless in
many cases..
Any web-app that plays with money (or something of a high value) at the
back end has to consider that the attacker does not necc. want to break in
to a specific targets account and will happily settle for the first
account he can get his hands on..
Having a lockout on failed attempts for incorrect usernames may protect
individual users (those with non brain-dead passwords) but will fail
miserably (especially on web based systems) to give adequate coverage
against attackers with > 2 braincells..
Somethign we have been preaching to our customers for a while for example,
is that traditional lock-out may stop an attacker who tries multiple
passwords on a single (valid) username but is totally silent while an
attacker tries multiple usernames on a single password..
An attack like this would run thru the space of usernames using
(LOCKOUT_NUMBER - 1) passwords, picking out the low hanging fruit.. and as
we preach to our customers (and as we all know).. the attacker only has to
win once..
/MH
On Tue, 12 Oct 2004, Stephen de Vries wrote:
Hi list,
We frequently warn clients of the risks of brute force or automated attacks
against their sites and recommend the use of CAPTCHA (www.captcha.net)
systems, or "secret questions" to mitigate this risk. For example:
- The registration process does not use captcha like systems and could allow
attackers to use an automated script to generate thousands of fictitious
users. These users can then be used to perform transactions that could lead
to financial loss (e.g. costs due to rejected credit card), or waste
resources through database access (and wasted storage).
- The password reminder mechanism requires only the user's email address
which is used to send them an email for resetting their password. But since
it requires no further auth from the user (such as an answer to a secret
question), an attacker could enumerate all the valid email addresses
registered to the site by writing a brute force script and using a database
of email addresses (this may be particularly useful to a competitor). Of
course, if the email address is used as the username, this problem becomes
more serious.
Although these risks are real - and I don't doubt they will be used in the
future - I'm not aware of any attacks of this sort being conducted in the
past. Is anyone aware of these types of attacks in real-world scenarios? Do
you think these pose a serious threat?
regards,
Stephen
----------------------------------------------------------------------
CONFIDENTIALITY: This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited. If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER: Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
--
======================================================================
Haroon Meer MH
SensePost Information Security +27 83786 6637
PGP : http://www.sensepost.com/pgp/haroon.txt haroon@sensepost.com
======================================================================
