Vulnerability Development mailing list archives

Re: Single SignOn

From: thegnome () NMRC ORG (Simple Nomad)
Date: Thu, 24 Feb 2000 08:55:43 -0600


The best (or worse, depending on perspective) thing about single signon is
that it simplifies the cracking process. If an intruder knows that single
signon is in use at a corporation s/he wishes to crack, they attack the
weakest or least protected system, and then have access to all of them.

This is probably the main reason you do not see more info on the net about
them. One of the weakest points in the security chain has got to be the
poorly-chosen end-user password. Example:

0. Attacker wants to get to mainframe-based payroll system to cut themself
a check. The only cool privately held thing in their toolbox is a Unix
exploit which requires local access. BTW the attacker is a disgruntled
employee.
1. Attacker launches L0phtcrack and sniffs hashes. Cracks some passwords.
2. One of the users cracked also is on Unix, but not in Payroll.
3. Attacker logs in to Unix and runs his exploit.
4. Installs sniffer to capture passwords.
5. Eventually gets a user/password combo for someone in Payroll.

Now that I no longer work for a Fortune 200 company, I love Single SignOn
;-)

-         Simple Nomad          -  No rest for the Wicca'd  -
-      thegnome () nmrc org        -        www.nmrc.org       -
-  thegnome () razor bindview com  -     razor.bindview.com    -

On Wed, 23 Feb 2000, Vanna P. Rella wrote:

BlueBoar and Friends,
I am evaluating 2 products for securing e-commerce applications. These are GetAccess by EnCommerce and Secure Net by 
IBM. Please break both of these products and let me know which one is more secure. Ok, just kidding. Have any of your 
heard of any gotchas or security holes with either of these products? I've already checked out the major 
vulnerability sites cve.mitre.org, securityfocus.com, attrition.org, ntbugtraq.com, etc. I've also checked the 
usenet. And I can't believe that there aren't any holes. What is the most popular e-commerce single sign-on out 
there, anyway?

Thanks!
---
Your Best Friend,
Vamprella
---
http://www.vamprella.com -- 1998 SN&R Award  -- 1999 Losers Award
http://www.TheGirlBox.com -- Get TheGirlBox and give her one less thing to complain about.
"Worship Me and Await Instructions"





***********************************
chickclick.com
http://www.chickclick.com
girl sites that don't fake it.
http://www.chickmail.com
sign up for your free email.
http://www.chickshops.com
boutique shopping from chickclick.com
***********************************

Current thread:

Information on Raptor Martin M Samson (Feb 20)
- Re: Information on Raptor Yiorgos Adamopoulos (Feb 21)
- (Fwd) Re: vulnerability database Felix Harris (Feb 21)
- Re: Information on Raptor Malikai (Feb 21)
  - Re: Information on Raptor James Crooks (Feb 22)
    - Re: Information on Raptor Malikai (Feb 23)
    - Consulting lameness, RE: Information on Raptor Ben Grubin (Feb 23)
    - Single SignOn Vanna P. Rella (Feb 23)
    - Re: Single SignOn Simple Nomad (Feb 24)
  - office 2k security bug? Torgeir Hansen (Feb 22)
    - R: office 2k security bug? Raistlin (Feb 23)
    - Fwd: ANNOUNCEMENT: Lighting Firewall for Linux released Grzegorz Stelmaszek (Feb 23)
- Re: Information on Raptor James Crooks (Feb 21)
- Re: Information on Raptor David J Laumann (Feb 21)
- <Possible follow-ups>
- Re: Information on Raptor Marcelo Amaral - ALTAVISTA.NET (Feb 21)
- Re: Information on Raptor CL: Nelson, Jeff (Feb 24)
  - Re: Information on Raptor IC&S - Eelco van Beek (Feb 25)
  - Re: Information on Raptor Daniel Liebster (Feb 25)
- Re: Information on Raptor Ben Grubin (Feb 24)

(Thread continues...)