
| Subject: | RE: Likelihood of brute force attacks against web apps |
|---|---|
| Date: | Sat, 23 Oct 2004 15:02:57 +1000 |
Hi Dave,

That solution includes two dangerous assumptions:

1/ That the password is stored by the application in recoverable form (rather than a hash for example); both bad practice and a possible breach of data protection laws.

2/ That sending a user's password in clear text over email systems is a secure method; inappropriate for most sites. For example, an attacker could provoke the password recovery procedure for his colleague and sniff the email containing the password with relative ease.

What Stephen is after are 'real' anecdotes to build a more compelling argument for the use of technologies like Captcha. It's easy to identify these risks and propose solutions, but it is important to demonstrate that these attacks really are likely and the risks real. Otherwise the recommendations may be perceived as potentially costly solutions pitched from a security best-practice perspective for the sake of it.

Cheers,
Glyn.

--
G l y n G e o g h e g a n
Principal Security Consultant
http://www.corsaire.com
-----Original Message-----
From: Dave Ferguson [mailto:dferguson@touchnet.com]
Sent: 23 October 2004 07:09
To: webappsec@securityfocus.com
Subject: Re: Likelihood of brute force attacks against web apps

In scenario #2, rather than resetting the password, wouldn't it be better to have the user enter his e-mail address and then (assuming it is a valid address in the system) have the system send an e-mail to that address with his current password?

Thanks,
Dave F.

Saqib.N.Ali@seagate.com wrote:

Hello,

Why don't you use captcha for both of these scenarios? It should prevent any brute force attacks. For scenario #2, you can restrict to 3 attempts from a given IP, within a 24 hour period.

Thanks.
Saqib Ali
http://validate.sf.net

Stephen de Vries <stephen@corsaire.com> wrote on 10/12/2004 04:58:20 AM:

Hi list,

We frequently warn clients of the risks of brute force or automated attacks against their sites and recommend the use of CAPTCHA (www.captcha.net) systems, or "secret questions" to mitigate this risk. For example:

- The registration process does not use captcha-like systems and could allow attackers to use an automated script to generate thousands of fictitious users. These users can then be used to perform transactions that could lead to financial loss (e.g. costs due to rejected credit card), or waste resources through database access (and wasted storage).

- The password reminder mechanism requires only the user's email address which is used to send them an email for resetting their password. But since it requires no further auth from the user (such as an answer to a secret question), an attacker could enumerate all the valid email addresses registered to the site by writing a brute force script and using a database of email addresses (this may be particularly useful to a competitor). Of course, if the email address is used as the username, this problem becomes more serious.

Although these risks are real - and I don't doubt they will be used in the future - I'm not aware of any attacks of this sort being conducted in the past. Is anyone aware of these types of attacks in real-world scenarios? Do you think these pose a serious threat?

regards,
Stephen

----------------------------------------------------------------------
CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
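The thread above turns on three design points for the password-reminder flow (scenario #2): the stored password must not be recoverable, the e-mail must carry something other than the password, and the endpoint must not tell an attacker which addresses are registered while still being rate-limited (Saqib's 3 attempts per IP per 24 hours). The following is an added example written for this page, not code posted by any participant in the thread. It sketches a reset flow that follows those points: passwords are stored only as salted PBKDF2 hashes, a short-lived single-use token is mailed in place of the password, the reply is the same fixed string whether or not the address exists, and reset requests are capped per source IP. The `ResetService` class, its in-memory stores, the `outbox` stand-in for a mailer, and the constants are all assumptions made for illustration.

```python
"""Password-reset flow that does not leak account existence or passwords.

Added example (hypothetical code, not from the thread): in-memory dicts stand
in for a database and a mail sender so that the module runs offline.
"""
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000   # work factor; assumed value, tune for your hardware
TOKEN_TTL = 15 * 60           # reset token lifetime in seconds (assumed value)
MAX_RESET_REQUESTS = 3        # per source IP ...
RESET_WINDOW = 24 * 3600      # ... per 24 hours, as suggested in the thread

# Fixed strings: the reply never depends on whether the address is registered.
GENERIC_MESSAGE = "If that address is registered, a reset link has been sent."
THROTTLED_MESSAGE = "Too many reset requests from your address; try again later."


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the application can verify a password but never recover it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so tests can move time forward
        self.users = {}                    # email -> (salt, digest)
        self.tokens = {}                   # sha256(token) -> (email, expiry)
        self.requests = defaultdict(list)  # source IP -> request timestamps
        self.outbox = []                   # (email, token); stands in for a mail sender

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def _throttled(self, ip):
        """Sliding window: at most MAX_RESET_REQUESTS per IP within RESET_WINDOW seconds."""
        now = self.clock()
        recent = [t for t in self.requests[ip] if now - t < RESET_WINDOW]
        if len(recent) >= MAX_RESET_REQUESTS:
            self.requests[ip] = recent
            return True
        recent.append(now)
        self.requests[ip] = recent
        return False

    def request_reset(self, email, ip):
        """Same reply for known and unknown addresses; a token, not the password, goes out by mail."""
        if self._throttled(ip):
            return THROTTLED_MESSAGE
        if email in self.users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).digest()  # store only a hash of the token
            self.tokens[key] = (email, self.clock() + TOKEN_TTL)
            self.outbox.append((email, token))             # real code: embed token in a reset link
        return GENERIC_MESSAGE

    def complete_reset(self, token, new_password):
        """Single-use, time-limited token; the stored hash is replaced, never revealed."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True
```

Two caveats a reviewer would raise. First, the registered-address branch does extra work (token generation and, in real code, sending mail), so response timing can still distinguish valid addresses; hand the mail send to a background queue and keep the request path's work constant. Second, a per-IP cap is only a speed bump for an attacker with many source addresses, which is why the thread also discusses CAPTCHA and secret questions as additional friction rather than a replacement for this logic.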