Re: CRIME EarthLink Password Security Story

From: Crispin Cowan (crispin@private)
Date: Tue Jun 18 2002 - 13:31:16 PDT

    Seth Arnold wrote:
    
    >It is possible for them to not have plaintext access to your password
    >and still use this authentication method -- the tech could type it into
    >a text box somewhere and get a "YES/NO" response back. (Not likely, I
    >fully expect them to have plaintext passwords available, but the
    >possibility exists for them to Do It Correctly. :)
    >
    That still is not even close to correct. It has two big problems:
    
       1. (modest problem) The service tech now has your password. With
          high probability, the user uses the same password everywhere. Much
          better for the tech to reset the password to something and tell
          you what it is.
       2. (BIG problem) The social engineering attack.  Attacker phones you
          & says "I'm from tech support, and I need your password ..."
          Users have been trained for years to NEVER give their password to
          ANYONE, for this reason. Corollary: tech support should never ask
          for or accept a password, they should just remind the user to
          never tell their password to anyone.
    
    So the "tell me, yes/no" hack is nearly as dangerous as having full text 
    access to the password file.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 14:31:36 PDT