Security Basics mailing list archives
Re: Verifying E-Mail Addresses
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Thu, 16 Nov 2006 22:32:16 -0500
Isaac Van Name wrote:
> Actually, that's a very good point, and one that I missed myself when replying to this thread. You can't check your email without internet access... duh. :-) I'm a bit daft sometimes... bear with me.

Sometimes the most obvious things are the easiest to overlook. ;)

> Another approach might be to disallow email addresses that are of the "free and anonymous" nature like Yahoo, Hotmail, Gmail, etc. and require an email address that is actually tied to some type of verifiable personal information. The chess server I play on does this, believe it or not... they require a "real" email address to

You talking about FICS? I have an account there too. I set one up for a customer last week whose only usable email was a Yahoo account (they'd long since forgotten their ISP account password *sigh*). It's not the first time I've had this problem either. I usually solve it by finding a web based account the service doesn't know about. There's a ton of them out there, but this person was adamant about not having to use another account. So this time I just set up a forward from an account on my own personal server. This "customer" happened to be a next door neighbor and a friend. ;)

The point is, these methods don't work. The only one you're blocking is the innocent person who lacks some pretty basic skills and knowledge. A gear head like me or some kid looking to play adolescent games with impunity will find a way through or around any challenge/response setup like this on their worst day. It simply doesn't address the problem, and hurts your legitimate customers.

> create an account. By "real", it could be a person's work email, their AO_Hell account, etc. ... Of course, this wouldn't really work if the person worked at Yahoo... :-)

There are so many free, disposable, or insecure web/email providers out there who don't validate their users that it would be impossible to know them all.

> Or you could try catching the MAC address when the person connects successfully and track their activity. Of course, anyone that's smart enough to do anything REALLY bad is going to know how to change their MAC address. Hopefully, your IDS would pick up the activity and alert you in time for something to be done.

MAC addresses are trivial to spoof. Some hardware allows them to be configured, and there exist dozens of software solutions, from special "drivers" to live CD distributions, that do it by default. Again, you're really only keeping out innocent users who don't know how to jump through your hoops. Anyone with a modicum of experience or determination will find a way, be they good guys or bad.

> Really, all it boils down to is what I saw someone else say, and I'm going to have to agree: Maybe the question should be why your company wants/needs such a resource, instead of how to secure it. If

I agree too. This really shouldn't be an issue because it's an essentially unsolvable problem. If you're losing sleep over keeping the bad guys off your public access network, you really need to take a long, hard look at whether you should be running one or not.

> your company doesn't need that resource, then you're looking at investing a lot of time and work for nothing. I would like to see more ideas on how this could be secured, though it seems impractical. This is turning into an interesting thread.

There's only two sides to the issue. You're either running a secure network, or you're running an open one. If you're running an open one it's not secure. Simple math. You'll never secure it without making it a closed network. You can do this in a "public access" scenario by personally validating each user in some way that has nothing to do with the network. Like photo ID. A quick driver's license check or what not. Physically secure it this way, and deal with the abuse problems you'll *still* have quickly and decisively. Your keen eye and reputation will serve you better than any "challenge/response" gimmick you'll ever devise.

-- 
Hand crafted on 16 November, 2006 at 22:06:11 EST using only the finest domestic and imported ASCII.
Please don't make me angry, I'm running out of places to hide the bodies.
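As an added example (not part of the thread), one cheap defender-side check for the MAC-tracking idea discussed above: scan DHCP lease lines for the IEEE locally-administered bit, which most software MAC changers set, and for a hostname reappearing with a different MAC. The dnsmasq-style log format and every sample value here are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample dnsmasq-style DHCPACK lines, not real traffic.
# Assumed format: DHCPACK(iface) ip mac hostname
SAMPLE_LOG = """\
dnsmasq-dhcp[1]: DHCPACK(eth0) 10.0.0.21 00:1a:2b:3c:4d:5e laptop-a
dnsmasq-dhcp[1]: DHCPACK(eth0) 10.0.0.22 02:00:5e:11:22:33 laptop-b
dnsmasq-dhcp[1]: DHCPACK(eth0) 10.0.0.21 00:1a:2b:3c:4d:5f laptop-a
dnsmasq-dhcp[1]: DHCPACK(eth0) 10.0.0.23 f4:5c:89:aa:bb:cc phone-c
"""

ACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<host>\S+)",
    re.IGNORECASE,
)

def is_locally_administered(mac):
    """True when the IEEE U/L bit (0x02 in the first octet) is set.
    Vendor-burned addresses have it clear; most software MAC changers
    set it, so it is a cheap but evadable tell, not proof."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_acks(log_text):
    """Yield (ip, mac, hostname) for each DHCPACK line."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["host"]

def find_suspicious(log_text):
    """Return ({hostname: macs} for hosts seen with more than one MAC,
    set of locally administered MACs). Hostnames are client-chosen, so
    MAC churn is a hint worth a second look, not an identification."""
    macs_by_host = defaultdict(set)
    local_macs = set()
    for _ip, mac, host in parse_acks(log_text):
        macs_by_host[host].add(mac)
        if is_locally_administered(mac):
            local_macs.add(mac)
    churn = {h: m for h, m in macs_by_host.items() if len(m) > 1}
    return churn, local_macs

if __name__ == "__main__":
    churn, local_macs = find_suspicious(SAMPLE_LOG)
    for host, macs in churn.items():
        print(f"{host}: seen with {len(macs)} MACs {sorted(macs)}")
    print("locally administered:", sorted(local_macs))
```

Neither signal stops a determined user, which is the thread's point; they only give the operator something to log and review rather than a gate that blocks the wrong people.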