Security Incidents mailing list archives
Re: Dial-Up Percentage Abuse
From: Rob Shein <shoten () starpower net>
Date: 07 Jun 2002 14:33:38 -0400
On Fri, 2002-06-07 at 13:49, Nathan Vack wrote:
Chris wrote:
- Assume a username is known - Assume the attacker knows the password to be contained in a 10,000 word dictionary - Assume a dial-up and password try takes 5 seconds on average - Assume dialing up is free (not true in many parts of the US, at least)
</snip lots of good math here that equate to it taking a long time to brute force> Or, you assume that the account's password is the same as the password used to retrieve POP mail from the user. You go to the ISP's web page to get the name of the mail server, and use brutus to brute-force against the POP server instead, which saves a lot of time compared to dialing in repeatedly. Furthermore, the brute force is less likely to be logged, as every ISP I've ever known logs phone numbers religiously. ################################################################# ################################################################# ################################################################# ##### ##### ##### ################################################################# ################################################################# ################################################################# ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Dial-Up Percentage Abuse Chris (Jun 07)
- Re: Dial-Up Percentage Abuse Valdis . Kletnieks (Jun 07)
- Re: Dial-Up Percentage Abuse measl (Jun 07)
- Re: Dial-Up Percentage Abuse Nathan Vack (Jun 07)
- Re: Dial-Up Percentage Abuse Rob Shein (Jun 07)
- <Possible follow-ups>
- RE: Dial-Up Percentage Abuse Rob Keown (Jun 07)
- Re: Dial-Up Percentage Abuse Chris (Jun 07)