Date: Sun Jun 4 20:07:22 2006
From: n3td3v at gmail.com (n3td3v)
Subject: breaking news tools, for an ever changing community

On 6/4/06, Eric Ericson <harlequin@...thlink.net> wrote:
> Well, on top of that what if you don't have a static IP at home? Or what if
> your outbound NAT at the office is actually a /28 pool that it selects from
> based on load?
>
> Interesting idea, but it seems a bit unworkable.
>
> -E2
>
> --
> Eric Ericson
> harlequin@...thlink.net
>
> Commitment, n.:
> Commitment can be illustrated by a breakfast of ham and eggs.
> The chicken was involved, the pig was committed.

I've had a workable version to protect myself from logging in to account(s) from home by mistake when I only want to log in from a public computer. It might be 'unworkable' to implement at Yahoo, but it's workable to implement on a website designed for a target audience of security professionals. For our mailing list, posters will need an n3td3v e-mail address to post; this makes sure we're in control of what's going on.

In the future, though, I think it's workable for Yahoo users to select a 'bind my account to my ISP' option, where your account must be accessed from an 'AOL' host or a 'BT' host, depending on what service provider you're with. The idea that attackers are successfully accessing a Yahoo account from a 'BT' host, when the actual account owner has been an 'AOL' user for ten years and has never used a 'BT' host and will never access their account from a 'BT' account, is laughable. Yahoo users should be able to assign the ISPs they use, and deny all access to the account if a host that doesn't meet the rules set by the actual account owner tries to log in. Think of it as a user-friendly account firewall, easily set up by kids and the elderly, because Yahoo would detect the ISP trends of the actual account user, and all the user needs to do is select yes or no to set up rules based on the ISP information Yahoo displays to them via a web interface.

It's as simple as 'Yahoo detects you're using AOL; set your account to accept AOL-only access to this account?', 'add a new ISP?', 'delete this ISP?', 'make AOL your default ISP for this account?', or, if the user is too confused, Yahoo can have a 'turn off ISP recognition for this account?' ...and so on. This might be too unfriendly for typical Yahoo consumers, but it could be used by corporate users to define an ISP list for individual employees wanting to log in to the corporate network from a remote location (e.g. home). Why allow your corporate network to be hacked from an ISP your employee has never and/or will never use? Even before the attacker has the right password or requests new password info, your backend corporate infrastructure would already be in 'paranoid mode' to reject a correct password or cookie due to a bogus login attempt from a 'bad ISP'. Yahoo could call it 'Yahoo account ISP recognition' or 'paranoid mode' for fun.

On small sites, like mine, it is 'workable' to use the more advanced version of 'ISP recognition' rather than the user-friendly Yahoo version I'm talking about. All the time I hear of script kids and/or hackers who have obtained a password and accessed a corporate web interface to control load balancing and other network configuration, or databases of Yahoo payroll with names and home addresses and social security numbers. These folks might be logging in from Comcast and other proxies, where the login is only used by corporate users who would never be on Comcast or another proxy to access the corporate infrastructure under legitimate circumstances. I've for years wondered why Yahoo make it so easy for their 'shizzle' to get hacked by such small-time means of obtaining a password and simply logging in, which your gran could do blindfolded. Yahoo, implement a corporate account ISP recognition system and save all the embarrassment of kids walking all over your network.

I'll send you my source code if you think it's 'unworkable'. I know seccy pros at Yahoo are more than capable of writing up their own system, however, for 'ISP recognition' to protect its corporate data interests.
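An added example, written here and not taken from n3td3v's post or from the source code the post offers to share, of how an account-level ISP allowlist of the kind described above can be applied at login. The prefix-to-ISP table, the ISP names and every function name are constructed for the example (a real deployment would resolve the source address to an ASN or ISP with a GeoIP or BGP-derived database). The check keys on the provider's whole prefix rather than on a single address, so a changing home address or a /28 office NAT pool inside the same provider still matches; an address that maps to no known ISP, or to one the owner has not approved, is rejected before the password result is even consulted, which is the 'paranoid mode' behaviour.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed ISP table for the example: these RFC 5737 documentation
# prefixes and ISP names are made up. A real deployment would resolve the
# source address to an ASN/ISP with a GeoIP or BGP-derived database.
ISP_PREFIXES = {
    "aol":     ["198.51.100.0/24"],
    "bt":      ["203.0.113.0/24"],
    "comcast": ["192.0.2.0/24"],
}


def lookup_isp(ip):
    """Map a source address to an ISP name, or None if no prefix matches.

    Matching on the provider's prefix (not a single address) is what lets a
    dynamic home address or a /28 office NAT pool keep matching the same ISP.
    """
    addr = ipaddress.ip_address(ip)
    for isp, prefixes in ISP_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return isp
    return None


@dataclass
class AccountPolicy:
    allowed_isps: set = field(default_factory=set)   # ISPs the owner approved
    enabled: bool = True                             # "turn off ISP recognition?"
    history: dict = field(default_factory=dict)      # isp -> successful logins seen


def record_login(policy, ip):
    """Learn the account's ISP trend from successful logins."""
    isp = lookup_isp(ip) or "unknown"
    policy.history[isp] = policy.history.get(isp, 0) + 1


def suggest_isps(policy, min_share=0.25):
    """ISPs that account for at least min_share of past logins.

    These are the candidates the site would offer the owner as
    'set your account to accept <ISP>-only access?'.
    """
    total = sum(policy.history.values())
    if total == 0:
        return set()
    return {isp for isp, n in policy.history.items()
            if isp != "unknown" and n / total >= min_share}


def evaluate_login(policy, ip, password_ok):
    """Return (decision, reason) for one login attempt.

    The ISP rule is applied before the password result is consulted, so a
    correct password from a disallowed ISP is still rejected. The reason is
    meant for the audit log; the response sent to the client should be a
    uniform failure so it does not reveal which check failed.
    """
    if not policy.enabled:
        return ("allow", "isp_check_off") if password_ok else ("deny", "bad_password")
    isp = lookup_isp(ip)
    if isp is None:
        return "deny", "unknown_isp"
    if isp not in policy.allowed_isps:
        return "deny", "isp_not_allowed:" + isp
    if not password_ok:
        return "deny", "bad_password"
    return "allow", "isp_ok:" + isp


if __name__ == "__main__":
    policy = AccountPolicy()
    # Constructed login history: nine logins via AOL, one via BT.
    for _ in range(9):
        record_login(policy, "198.51.100.23")
    record_login(policy, "203.0.113.9")
    policy.allowed_isps = suggest_isps(policy)       # owner answers "yes" to AOL
    print("suggested:", policy.allowed_isps)
    print(evaluate_login(policy, "198.51.100.77", True))   # AOL, right password
    print(evaluate_login(policy, "203.0.113.9", True))     # BT, right password
    print(evaluate_login(policy, "192.0.2.200", True))     # Comcast, right password
```

The learning step (`record_login` plus `suggest_isps`) only ever proposes rules; nothing is enforced until the owner has approved an ISP, which mirrors the yes/no prompt described in the post, and the `enabled` flag is the per-account off switch.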