Bugtraq mailing list archives

Re: Not so much a bug as a warning of new brute force attack


From: pcl () foo oucs ox ac uk (Paul C Leyland)
Date: Mon, 3 Jun 1996 12:04:57 +0100


From: "Brett L. Hawn" <blh () nol net>

Hi, Brett --- they're still giving you hassle, eh?

Using the pop3 mechanism to crack user passwords

Given a file full of usernames and the standard 'dict file' one can
currently connect to the pop3 daemon and efficiently try passwords for a
user until the proper one is gotten or one runs out of passwords without any
...

Solution:

Implement random delay times, logging, and disconnection within the pop3
daemon

I am currently adding a random delay of 5-10 seconds after a bad password to
not only slow down, but possibly break the crack mechanism. Along with this
I am adding logging of any attempt that gives a bad password and a
disconnection scheme that will disconnect the process after 3 bad passwords.

I'd recommend not bothering with the random delay, though it would seem
to be harmless.  The second half of the solution is the way to go.

Unlike what the subject line suggests, I am reporting a bug.  One which makes
brute force cracking much more likely to succeed.

We run Digital Unix V3.2c here with the C2 security options.  We
discovered that although login correctly disabled an account for a
period after a specified number of failed authentication events, the
authenticator supplied in the libraries did not.  We found out because
someone successfully ran a guessing attempt against our ftpd.

We played hell with DEC, who eventually gave us patched libraries.

Moral:  ALL daemons which do authentication have to be linked with a
properly functioning authenticator.

Advice: If you are running Digital Unix in C2 mode, check that your
libraries do repeated bad password detection and account locking.  If
they do not, call DEC immediately and insist that you get the patched
libraries.  Tell them I sent you 8-)

Paul
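The two points of the thread, a per-connection disconnect after three bad passwords and one authenticator with account locking that every daemon consults, can be shown together. The sketch below is an added illustration, not code from Brett's pop3 daemon or from DEC's libraries; the service names, the credential store, the peer addresses and the lockout threshold of 5 failures (the post only says "a specified number") are all constructed for the example.

```python
"""Shared failed-authentication state for several daemons (added example).

Moral of the thread: login, ftpd and pop3d must all consult the same
account-locking authenticator, otherwise a guessing run against one
service bypasses the lockout enforced by another.  Everything here
(user names, salt, peer addresses, thresholds) is constructed.
"""
from __future__ import annotations
import hashlib
import hmac
import logging
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("authlog")
logging.basicConfig(level=logging.INFO, format="%(message)s")

LOCK_AFTER = 5         # assumed: failures before the account is locked
LOCK_SECONDS = 600     # assumed: lock duration
DISCONNECT_AFTER = 3   # from the post: bad passwords per connection before dropping it

_SALT = b"constructed-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


# Constructed credential store: username -> salted digest.
USERS: Dict[str, bytes] = {"alice": _digest("correct horse"), "bob": _digest("hunter2")}


@dataclass
class Authenticator:
    """One instance shared by every service; holds per-account failure state."""
    failures: Dict[str, int] = field(default_factory=dict)       # user -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # user -> unix time lock expires
    clock: Callable[[], float] = time.time                        # injectable for testing

    def is_locked(self, user: str) -> bool:
        return self.locked_until.get(user, 0.0) > self.clock()

    def check(self, service: str, user: str, password: str, peer: str) -> bool:
        if self.is_locked(user):
            # Locked accounts fail even with the right password; log it either way.
            log.info("%s: LOCKED account %s from %s", service, user, peer)
            return False
        candidate = _digest(password)  # hash before the lookup so unknown users cost the same
        stored = USERS.get(user)
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.failures.pop(user, None)
            log.info("%s: OK %s from %s", service, user, peer)
            return True
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        log.info("%s: BAD PASSWORD %s from %s (failure %d)", service, user, peer, n)
        if n >= LOCK_AFTER:
            self.locked_until[user] = self.clock() + LOCK_SECONDS
            self.failures.pop(user, None)
            log.info("%s: account %s locked for %ds", service, user, LOCK_SECONDS)
        return False


def pop3_session(auth: Authenticator, peer: str,
                 attempts: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Simulate the USER/PASS part of one pop3 connection.

    Returns (authenticated, server responses).  The connection is dropped
    after DISCONNECT_AFTER bad passwords, so the remaining attempts are
    never evaluated; a fresh connection still inherits the shared counters.
    """
    responses: List[str] = []
    bad = 0
    for user, password in attempts:
        if auth.check("pop3d", user, password, peer):
            responses.append("+OK mailbox locked and ready")
            return True, responses
        bad += 1
        responses.append("-ERR invalid password")
        if bad >= DISCONNECT_AFTER:
            responses.append("-ERR too many failures, closing connection")
            log.info("pop3d: disconnecting %s after %d bad passwords", peer, bad)
            break
    return False, responses


if __name__ == "__main__":
    auth = Authenticator()
    print(pop3_session(auth, "192.0.2.10",
                       [("alice", "a"), ("alice", "b"), ("alice", "c"), ("alice", "correct horse")]))
    print(auth.check("ftpd", "alice", "d", "192.0.2.10"), auth.check("ftpd", "alice", "e", "192.0.2.10"))
    print(auth.is_locked("alice"))
```

Note that the per-connection disconnect alone does not stop a guesser who simply reconnects; it is the shared `Authenticator` state, carried across pop3d and ftpd here, that makes the lock effective, which is exactly the library defect Paul describes. The random delay is deliberately omitted, following his advice.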


