Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Dial-Up Percentage Abuse

From: Rob Shein <shoten () starpower net>
Date: 07 Jun 2002 14:33:38 -0400
On Fri, 2002-06-07 at 13:49, Nathan Vack wrote:

Chris wrote:


 

- Assume a username is known
- Assume the attacker knows the password to be contained in a 10,000 
word dictionary
- Assume a dial-up and password try takes 5 seconds on average
- Assume dialing up is free (not true in many parts of the US, at least)


</snip lots of good math here that equate to it taking a long time to
brute force>

Or, you assume that the account's password is the same as the password
used to retrieve POP mail from the user.  You go to the ISP's web page
to get the name of the mail server, and use brutus to brute-force
against the POP server instead, which saves a lot of time compared to
dialing in repeatedly.  Furthermore, the brute force is less likely to
be logged, as every ISP I've ever known logs phone numbers religiously.


#################################################################
#################################################################
#################################################################
#####
#####
#####
#################################################################
#################################################################
#################################################################

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: