Security Basics mailing list archives

RE: News Item: UN warns on password 'explosion'

From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Tue, 5 Dec 2006 14:29:29 -0000

1) Rather than the popularity of the actual forum itself I think more the
issue is the popularity of the software being used to run it. The more
popular the forum platform the more likely that its going to become the
target of a spamming bot.

2) Which would work - but would possibly infuriate the users, what would you
rather do: remember a password or have to wait an hour before you could post
again?

3) I can see why some users *might* prefer it but in my own opinion this
would be best used to allow "Guests" to post (in fact I think it would be
damn handy for one-off posters). Regular users of a forum would probably
prefer to have a login and cookie it.



-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: 05 December 2006 12:18
To: Andrew Aris
Cc: security-basics
Subject: Re: News Item: UN warns on password 'explosion'

Interesting feedback.

I implemented a discussion forum at ASU (university) for Objectivity DB
using the email auth that i mentioned in my last email. So here are some of
my thoughts about the issues that you raise.

1) True. If there was a spam attack it would generate lot of bounce backs,
which could in turn a cause a DOS scenario. However we never received such a
attack (I guess the forum wasn't popular enough ;)) But my .procmail was
setup to /dev/null any non-standard emails, so I didn't see any bounce back
cause by spams.

2) True. I don't have a solution to this. Maybe only allowing 1 post / hour
is a way to mitigate this.

3) Captcha should solve this issue, and issues #1 and #2 as well.
Granted captcha requires additional work on part of the user, but isn't
typing a 5 digit number easier then remembering usernames/password for X
number of forums ??? In my opinion using captcha is much more easier and
convenient for users. I know some people might not agree with this.

Just a thought....

saqib
http://www.full-disk-encryption.net

On 12/5/06, Andrew Aris <andrew () dev bigfishinternet co uk> wrote:

Nice idea, but it does have some flaws..

1) Any attempts to spam the forum using invalid email addresses will 
result in the form sending large amounts of wasted e-mail out, 
followed by receiving large amounts of bounces back.

2) You could use it to "attack" peoples mail boxes by posting a lot to 
a forum with their email address, generateing lots of "authorisation" 
messages to their address.

3) Authorisation emails would probably be easy enough to automate a 
response to - allowing spammers to post on the forum. Sure you could 
use image verification but then you wouldn't have many posters as not 
many would be bothered to go through the hassle.

All of the above combine to make it an unattractive idea to forum admins.

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Saqib Ali
Sent: 04 December 2006 14:53
To: security-basics
Subject: News Item: UN warns on password 'explosion'

Nothing new: Username + Password reuse will make the net less secure 
which in turn make people wary of spending money online.

Still a good read.

My question is why so many online discussion forum require logon to 
post messages? Currently I have 20+ discussion forum account for the 
various vendors that I deal with (e.g. citrix, wise, altiris, active batch

etc) .

Why can't they be like mailing lists where the
username+password is optional/not-required.

Discussion forums use username+password as mean to
1) control access,
2) tie the post to a email address; and
3) prevent  anonymous spam.

Alternatively this can also be achieved by simply requiring  email 
address along with post, and then sending a authorization email to the 
poster before making the post visible on the forum. This will achieve 
the same effect, and the user will not be burdened with remembering
username+password for each forum where they make posts.

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net



--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net



---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------

Current thread:

News Item: UN warns on password 'explosion' Saqib Ali (Dec 04)
- Re: News Item: UN warns on password 'explosion' Alexander Klimov (Dec 06)
- RE: News Item: UN warns on password 'explosion' Andrew Aris (Dec 06)
  - Re: News Item: UN warns on password 'explosion' Saqib Ali (Dec 06)
    - RE: News Item: UN warns on password 'explosion' Andrew Aris (Dec 06)
    - Re: News Item: UN warns on password 'explosion' Saqib Ali (Dec 06)
    - RE: News Item: UN warns on password 'explosion' Pranav Lal (Dec 07)
- RE: News Item: UN warns on password 'explosion' Lall, Navneet Singh (Dec 12)