RE: Likelihood of brute force attacks against web apps

["Glyn Geoghegan" <glyng () corsaire com>]

Hi Dave,

That solution includes two dangerous assumptions:

1/ That the password is stored by the application in recoverable form
(rather than a hash for example); both bad practice and a possible breach of
data protection laws. 

2/ That sending a user's password in clear text over email systems is a
secure method; inappropriate for most sites.  For example, an attacker could
provoke the password recovery procedure for his colleague and sniff the
email containing the password with relative ease.

What Stephen is after are 'real' anecdotes to build a more compelling
argument for the use of technologies like Captcha.  It's easy to identify
these risks and propose solutions, but it is important to demonstrate that
these attacks really are likely and the risks real.  

Otherwise the recommendations may be perceived as potentially costly
solutions pitched from a security best-practice perspective for the sake of
it.

Cheers,
Glyn.

-- 
G l y n   G e o g h e g a n
Principal Security Consultant
http://www.corsaire.com

> -----Original Message-----
> From: Dave Ferguson [mailto:dferguson () touchnet com] 
> Sent: 23 October 2004 07:09
> To: webappsec () securityfocus com
> Subject: Re: Likelihood of brute force attacks against web apps
>
> In scenario #2, rather than resetting the password, wouldn't 
> it be better to have the user enter his e-mail address and 
> then (asssuming it is a valid address in the system) have the 
> system send an e-mail to that address with his current password?  
>
> Thanks,
> Dave F.
>
> Saqib.N.Ali () seagate com wrote:
> > Hello,
> >
> > Why don't you use captcha for both of these scenarios? It 
> should prevent
> > any brute force attacks.
> >
> > For scenario #2, you can restrict to 3 attempts from a 
> given IP, within a
> > 24 hour period.
> >
> > Thanks.
> > Saqib Ali
> > http://validate.sf.net
> >
> > Stephen de Vries <stephen () corsaire com> wrote on 10/12/2004 
> 04:58:20 AM:
> > > Hi list,
> > >
> > > We frequently warn clients of the risks of brute force or automated
> > > attacks against their sites and recommend the use of CAPTCHA
> > > (www.captcha.net) systems, or "secret questions" to 
> mitigate this risk.
> > >  For example:
> > >
> > > - The registration process does not use captcha like 
> systems and could
> > > allow attackers to use an automated script to generate thousands of
> > > fictitious users.  These users can then be used to perform 
> transactions
> > > that could lead to financial loss (e.g. costs due to rejected credit
> > > card), or waste resources through database access (and 
> wasted storage).
> > > - The password reminder mechanism requires only the user's email
> > > address which is used to send them an email for resetting their
> > > password.  But since it requires no further auth from the 
> user (such as
> > > an answer to a secret question), an attacker could enumerate all the
> > > valid email addresses registered to the site by writing a 
> brute force
> > > script and using a database of email addresses (this may be
> > > particularly useful to a competitor).  Of course, if the 
> email address
> > > is used as the username, this problem becomes more serious.
> > >
> > > Although these risks are real - and I don't doubt they will 
> be used in
> > > the future - I'm not aware of any attacks of this sort 
> being  conducted
> > > in the past.  Is anyone aware of these types of attacks in 
> real-world
> > > scenarios?  Do you think these pose a serious threat?
> > >
> > > regards,
> > > Stephen
> > >
> > >
> > >  
> ----------------------------------------------------------------------
> > >  CONFIDENTIALITY: This e-mail and any files transmitted with it are
> > >  confidential and intended solely for the use of the 
> recipient(s) only.
> > >  Any review, retransmission, dissemination or other use 
> of, or taking
> > >  any action in reliance upon this information by persons 
> or entities
> > >  other than the intended recipient(s) is prohibited. If you have
> > >  received this e-mail in error please notify the sender immediately
> > >  and destroy the material whether stored on a computer or 
> otherwise.
> > >  
> ----------------------------------------------------------------------
> > >  DISCLAIMER: Any views or opinions presented within this e-mail are
> > >  solely those of the author and do not necessarily represent those
> > >  of Corsaire Limited, unless otherwise specifically stated.
> > >  
> ----------------------------------------------------------------------
> > >