Re: CRIME EarthLink Password Security Story

From: Crispin Cowan (crispin@private)
Date: Tue Jun 18 2002 - 15:25:21 PDT


    Seth Arnold wrote:
    
    >On Tue, Jun 18, 2002 at 01:31:16PM -0700, Crispin Cowan wrote:
    >
    >>So the "tell me, yes/no" hack is nearly as dangerous as having full text 
    >>access to the password file.
    >
    >What method would work better for authenticating users to tech support?
    >
    True, that is a problem. The main thrust of my argument is that it 
    should not be the same method as used to authenticate users to the 
    computer system: that leads to social engineering attacks, which are 
    already too easy.
    
    Seth does raise a good point: the *other* social engineering attack is 
    to call up tech support in the name of some other user, and start 
    messing with the account. Current common authentication practice is to 
    ask for a zip code and a social security number. That sucks, because 
    I've already seen at least one on-line service that will cough up zip 
    codes for arbitrary people's names.
    
    Fortunately for me, that service had data-mined my zip from a false 
    entry that I gave Yahoo :)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
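The design principle in the message above, that the secret tech support checks should not be the same one that logs a user into the system, can be shown in code. The following is an added illustration, not anything from the original list post or from EarthLink: it keeps a separate, independently salted support code next to the login password, limits how many times the support-desk yes/no check may fail, and lets the desk rotate the support code without touching the login credential. The names (`Account`, `verify_login`, `verify_support`, `rotate_support_code`), the iteration count and the attempt limit are assumptions made for this example.

```python
# Added example: a support-desk verification secret kept separate from the
# login password, so a yes/no check offered to tech support never touches the
# credential that unlocks the account. All names and limits are assumptions
# for this illustration, not any vendor's actual scheme.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000          # assumed work factor
MAX_SUPPORT_ATTEMPTS = 3        # assumed lockout threshold for the desk check


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; used for both secrets, with separate salts."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Holds two independent salted hashes: one for login, one for support."""

    def __init__(self, username: str, password: str, support_code: str):
        self.username = username
        self.login_salt = os.urandom(16)
        self.login_hash = _derive(password, self.login_salt)
        self.support_salt = os.urandom(16)
        self.support_hash = _derive(support_code, self.support_salt)
        self.support_failures = 0


def verify_login(account: Account, password: str) -> bool:
    """System login: constant-time compare against the login hash only."""
    return hmac.compare_digest(_derive(password, account.login_salt),
                               account.login_hash)


def verify_support(account: Account, code: str) -> bool:
    """Tech-support identity check.

    Never consults the login hash, and refuses further answers after
    MAX_SUPPORT_ATTEMPTS failures so the yes/no reply cannot serve as an
    unbounded guessing oracle. A correct answer resets the counter.
    """
    if account.support_failures >= MAX_SUPPORT_ATTEMPTS:
        return False                       # locked; desk must rotate the code
    ok = hmac.compare_digest(_derive(code, account.support_salt),
                             account.support_hash)
    if ok:
        account.support_failures = 0
    else:
        account.support_failures += 1
    return ok


def rotate_support_code(account: Account) -> str:
    """Issue a fresh support code (after a support contact or a lockout).

    Only the support hash, salt and counter change; the login password and
    its hash are untouched, so the desk never handles the login credential.
    """
    new_code = secrets.token_hex(4)        # 8 hex digits, a one-time desk code
    account.support_salt = os.urandom(16)
    account.support_hash = _derive(new_code, account.support_salt)
    account.support_failures = 0
    return new_code


if __name__ == "__main__":
    # Constructed sample account; these credentials are illustrative only.
    acct = Account("alice", "correct horse battery staple", "49201")
    print("login ok:", verify_login(acct, "correct horse battery staple"))
    print("support ok:", verify_support(acct, "49201"))
    print("support check with login password:",
          verify_support(acct, "correct horse battery staple"))
```

Because the two secrets share neither value nor salt, leaking or guessing the support code tells a caller nothing about the login password, and a lockout on the desk check does not lock the user out of the system itself.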



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 16:20:19 PDT