
| Subject: | Re: Account Lockouts |
|---|---|
| Date: | Fri, 3 Dec 2004 09:38:28 +1100 |
> Sending the "user" a captcha to re-validate their userid isn't a good idea when there's a known way to beat the captcha. If you bobble this one, then all you've done is enabled the attacker to use the captcha to re-enable the userid so they can toss *another* bunch of invalid attempts for the purpose of locking the user out again

A known way which is pretty complicated and not just anyone can set up. And you can only "beat" the captcha in this scenario by getting the password _right_. That would mean sending out a captcha image for each password you attempt. I can't believe you think captcha adds "no" security here. It adds a great deal of complications for someone trying to annoy the site - probably far too much to bother with.

-- Michael

On Thu, 02 Dec 2004 17:24:09 -0500, valdis.kletnieks@vt.edu <valdis.kletnieks@vt.edu> wrote:

> On Fri, 03 Dec 2004 08:24:47 +1100, Michael Silk said:
>
> > If you are truly concerned about the visually challenged there could be a link to a sound which they must play ... but then what if they don't have speakers .. etc.
>
> You know that, I know that, but an amazing number of sites that try to deploy captchas don't actually *do* that...
>
> > As to the not-so obvious problem ... yes, it's an issue to be considered, but think about the problem that we are trying to solve ... IMO I wouldn't be concerned about this kind of attack.
>
> Actually, you *do* need to consider it. Remember we're positing the existence of a script designed to do nasty things by locking out 15K or so users. Sending the "user" a captcha to re-validate their userid isn't a good idea when there's a known way to beat the captcha. If you bobble this one, then all you've done is enabled the attacker to use the captcha to re-enable the userid so they can toss *another* bunch of invalid attempts for the purpose of locking the user out again..... In other words, the use of a captcha doesn't *add* any security at all here - and if a site Gets It Wrong by coding "if the captcha is solved, it's a person and not the script, so we can re-enable the account again" they're just extending the same failure mode....
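The two lockout policies the thread argues over, side by side, as an added illustration that is not code from either poster: the "solved captcha re-enables the account" variant Valdis warns about, and the variant Michael describes where a solved captcha only lets you submit another password check. `Account`, `captcha_solved`, the threshold and the plaintext password field are all constructed stand-ins for this example.

```python
"""Account-lockout policy sketch (constructed example, not from the thread).
Compares 'captcha unlocks the account' with 'captcha gates one more attempt'."""
import hmac
from dataclasses import dataclass
from typing import Optional

LOCK_THRESHOLD = 5  # consecutive failures before the policy kicks in (assumed)


@dataclass
class Account:
    password: str          # stand-in; a real system stores a salted hash
    failures: int = 0
    locked: bool = False


def captcha_solved(response: str) -> bool:
    # Stand-in for a real CAPTCHA verifier; the thread assumes a script may solve it.
    return response == "solved"


def login_reenable_on_captcha(acct: Account, pw: str, captcha: Optional[str]) -> str:
    """The failure mode Valdis describes: a solved captcha alone clears the lock,
    so the same script that locked the account can unlock it and lock it again."""
    if acct.locked:
        if captcha is not None and captcha_solved(captcha):
            acct.locked, acct.failures = False, 0
            return "unlocked"
        return "locked"                      # legitimate user is denied here
    if hmac.compare_digest(acct.password, pw):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= LOCK_THRESHOLD:
        acct.locked = True
    return "bad-password"


def login_captcha_gates_attempt(acct: Account, pw: str, captcha: Optional[str]) -> str:
    """Michael's reading: past the threshold a captcha is required to *submit* an
    attempt, and only a correct password resets the state. Wrong guesses never
    deny the real user; they just keep the captcha requirement in place."""
    if acct.failures >= LOCK_THRESHOLD and not (captcha and captcha_solved(captcha)):
        return "captcha-required"
    if hmac.compare_digest(acct.password, pw):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    return "bad-password"
```

Run both policies against a burst of wrong passwords followed by the real user's login: the first denies the real user (and lets a captcha-solving script flip the lock at will), the second still lets the real user in with captcha plus correct password.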