Security Basics mailing list archives
RE: Verifying E-Mail Addresses
From: "Isaac Van Name" <ivanname () southerlandsleep com>
Date: Thu, 16 Nov 2006 08:28:13 -0600
Actually, that's a very good point, and one that I missed myself when replying to this thread. You can't check your email without internet access... duh. :-) I'm a bit daft sometimes... bear with me.

Another approach might be to disallow email addresses that are of the "free and anonymous" nature like Yahoo, Hotmail, Gmail, etc. and require an email address that is actually tied to some type of verifiable personal information. The chess server I play on does this, believe it or not... they require a "real" email address to create an account. By "real", it could be a person's work email, their AO_Hell account, etc. ... Of course, this wouldn't really work if the person worked at Yahoo... :-)

Or you could try catching the MAC address when the person connects successfully and track their activity. Of course, anyone that's smart enough to do anything REALLY bad is going to know how to change their MAC address. Hopefully, your IDS would pick up the activity and alert you in time for something to be done.

Really, all it boils down to is what I saw someone else say, and I'm going to have to agree: Maybe the question should be why your company wants/needs such a resource, instead of how to secure it. If your company doesn't need that resource, then you're looking at investing a lot of time and work for nothing.

I would like to see more ideas on how this could be secured, though it seems impractical. This is turning into an interesting thread.

Isaac Van Name
Systems Administrator

"What good would you do with an ignorant employee? Ignorance is grounds for dismissal..." - Mario Spinthiras

Open Source developing at its finest: "Written in vim, W3C valid and UTF-8 encoded, for her pleasure."

Disclaimer: This email is intended only to be used to feign intellectual mastery of a subject or superhuman command of the English language, when profanity is involved.
By reading this email, you are agreeing to cease all correspondence with the sender upon realizing your own ignorance, and furthermore to refrain from taking legal action against said sender when your compounding ignorance crushes your inadequate self-esteem. Have a nice day.

Original> -----Original Message-----
Original> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Original> On Behalf Of Jeffrey F. Bloss
Original> Sent: Tuesday, November 14, 2006 1:58 PM
Original> To: security-basics () securityfocus com
Original> Subject: Re: Verifying E-Mail Addresses
Original>
Original> Will Yonker wrote:
Original>
Original> > >> I do recognize that somebody can enter a valid e-mail address that
Original> > >> does not belong to them, but we are trying to address one issue at
Original> > >> a time. At this point we are just trying to prevent people who
Original> > >> give us "dude () dude com" from getting on to our network.
Original> >
Original> > I agree, you really should require a working email address that they
Original> > have access to. I would say your best bet would be to use the same
Original> > sort of verification that most email lists use. You could easily
Original> > automate the whole thing. It could go something like this:
Original> >
Original> > The user turns on his PC and you assign him all the right DHCP info.
Original> > He then opens his browser and is directed to your login page.
Original> > He then has to enter his email address if he needs to create an
Original> > account. Then you send him an email with the password.
Original>
Original> <snippage>
Original>
Original> Unless you've already granted at least some level of the access you're
Original> trying to control, how would the potential user receive the email? :)
Original>
Original> Wasn't this scenario basically a municipal/public access point trying
Original> to at least in some way validate prospective users? Unless this is
Original> implemented as a subscription service where the user can "go home and
Original> get the password" when it's issued, it won't easily work.
Original>
Original> You can't send it to them via the web interface or any other webmail, or
Original> you've pretty much eviscerated the whole process. If you let them have
Original> limited access to certain resources so they can get their
Original> "challenge/response" email from an account outside your control you're
Original> not only dealing with the nightmare of managing that resource, but
Original> opening yourself up to an easy circumvention of all your hard work by
Original> people using disposable email accounts like Pookmail, Jetable,
Original> Spamgourmet, some "bot" machine in New Jersey, their Siberian hacker
Original> friend's private server on a roving DynDNS enabled box that's hooked up
Original> to some flaky cafe WiFi just for today, etc...
Original>
Original> --
Original> Hand crafted on 14 November, 2006 at 14:53:23 EST using
Original> only the finest domestic and imported ASCII.
Original>
Original> Abandon the search for truth; settle for a good fantasy.
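The two mechanisms the thread argues over, rejecting free or disposable mail domains and mailing a "challenge/response" password that only works for the client that asked, can be shown in a few dozen lines. The block below is an added example, not code from any poster in this thread. The free-webmail and disposable domain lists are constructed for illustration (they use the providers the thread names; a real deployment would keep its own list), the registrable-domain helper is a deliberate simplification that takes the last two labels rather than consulting a public-suffix list, and the token format (`expiry.nonce.hmac`) and all function names are assumptions. The token is an HMAC over the address, the requesting client's MAC and an expiry, so a link mailed to the user is worthless to anyone who copies it to another device or waits too long; as Isaac notes above, a user can still change their MAC before asking, so this binds a token to a device, it does not identify a person.

```python
"""Added example: e-mail sign-up policy check plus a signed, expiring
verification token for a captive-portal style registration flow.
Not code from the thread; the domain lists, token format and helper
names are illustrative assumptions."""
import hashlib
import hmac
import re
import secrets
import time

# Constructed lists for illustration only; a deployment would maintain its own.
FREE_WEBMAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com", "aol.com"}
DISPOSABLE_DOMAINS = {"pookmail.com", "jetable.org", "spamgourmet.com"}

_LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_address(addr):
    """Split an address into (local, domain) with the domain lowercased;
    None if malformed. Deliberately strict: no quoted local parts and no
    IP-literal domains, which a sign-up form has no reason to accept."""
    if addr.count("@") != 1 or len(addr) > 254:
        return None
    local, domain = addr.split("@")
    if (not local or not _LOCAL_RE.match(local) or local.startswith(".")
            or local.endswith(".") or ".." in local):
        return None
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lab) for lab in labels):
        return None
    return local, domain


def registrable_domain(domain):
    """Last two labels only (assumption: no public-suffix list), so that a
    subdomain such as mail.pookmail.com is still matched against pookmail.com."""
    return ".".join(domain.split(".")[-2:])


def check_policy(addr):
    """Classify an address as 'malformed', 'disposable', 'free-webmail' or 'ok'."""
    parsed = parse_address(addr)
    if parsed is None:
        return "malformed"
    _, domain = parsed
    candidates = {domain, registrable_domain(domain)}
    if candidates & DISPOSABLE_DOMAINS:
        return "disposable"
    if candidates & FREE_WEBMAIL_DOMAINS:
        return "free-webmail"
    return "ok"


def _token_msg(addr, client_mac, exp, nonce):
    # Canonical form of everything the HMAC covers.
    return f"{addr.lower()}|{client_mac.lower()}|{exp}|{nonce}".encode()


def issue_token(secret, addr, client_mac, ttl=900, now=None):
    """Return 'exp.nonce.tag' to put in the verification link mailed to addr.
    The tag is an HMAC-SHA256 over address, client MAC, expiry and nonce, so
    the link only works for the device that asked and only until it expires."""
    now = int(time.time()) if now is None else int(now)
    exp = now + ttl
    nonce = secrets.token_hex(8)
    tag = hmac.new(secret, _token_msg(addr, client_mac, exp, nonce),
                   hashlib.sha256).hexdigest()
    return f"{exp}.{nonce}.{tag}"


def verify_token(secret, token, addr, client_mac, now=None):
    """True only if the token is well-formed, unexpired and its HMAC matches
    this address and this client MAC. Binding to the MAC ties the link to
    the requesting device for the token's lifetime; it does not stop anyone
    from changing their MAC before requesting a fresh one."""
    try:
        exp_s, nonce, tag = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return False
    now = int(time.time()) if now is None else int(now)
    if now >= exp:
        return False
    expected = hmac.new(secret, _token_msg(addr, client_mac, exp, nonce),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for a in ("dude@dude.com", "someone@gmail.com", "x@mail.pookmail.com", "nope"):
        print(a, "->", check_policy(a))
    tok = issue_token(key, "ops@example.org", "00:11:22:33:44:55", ttl=60)
    print("same device:", verify_token(key, tok, "ops@example.org", "00:11:22:33:44:55"))
    print("other device:", verify_token(key, tok, "ops@example.org", "00:11:22:33:44:66"))
```

Note what this does and does not buy you: "dude@dude.com" passes the syntax and domain policy, exactly as the original poster complained, because nothing here proves the mailbox exists; only the mailed token does that, and only if the portal lets the user fetch that mail from somewhere, which is the circularity Jeffrey points out. The domain blocklist is a deterrent against the lazy, not against someone with a private server or a DynDNS box, so it belongs beside the token check rather than in place of it.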
Current thread:
- Re: Verifying E-Mail Addresses Jason Muskat, GCFA, GCUX, de VE3TSJ (Nov 03)
- Re: Verifying E-Mail Addresses Will Yonker (Nov 14)
- Re: Verifying E-Mail Addresses tommie (Nov 15)
- Re: Verifying E-Mail Addresses AragonX (Nov 15)
- RE: Verifying E-Mail Addresses Isaac Van Name (Nov 15)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 16)
- Re: Verifying E-Mail Addresses tommie (Nov 15)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 15)
- RE: Verifying E-Mail Addresses Isaac Van Name (Nov 16)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 17)
- Re: Verifying E-Mail Addresses Will Yonker (Nov 14)
- <Possible follow-ups>
- Re: Verifying E-Mail Addresses Andrew Wheeler (Nov 16)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 17)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 17)
- Re: Verifying E-Mail Addresses Hylton Conacher(ZR1HPC) (Nov 20)