Re: Passwords

From: Vin McLellan (vinat_private)
Date: Sun Oct 17 1999 - 18:50:47 PDT

Next message: JSK: "RE: Firewall(s) "maxed" out"

Previous message: Jan B. Koum : "imap and pop over ssl"
Maybe in reply to: Rex Murphy: "Passwords"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

        Don Helms <dhelmsat_private> wrote:

>>However, you can track the activity on a given account and see if the patterns
>>change.  For example, the guy that logs in to one app every moorning, does his
>>work and goes home.  If suddenly that user is running this app, that app and 
>>poking round at random, his password might have been compromised.  Also keep 
>>an eye on time of day for new and unusual activity.  

        Rick Smith <rick_smithat_private> replied:

>Does anyone have experience with such a thing in an operational
>environment? My impression was that these systems were had very limited
>benefits. At most they might help with network and server performance
>tuning, not security. In the real world it seemed that they'd either be
>useless at detecting intrusions or they'd be constantly nagged with false
>alarms (i.e. changes from one project to another).

        I'm one of probably hundreds of thousands who have benefited from a
similar system that recognized when my telephone credit card number had been
swiped (probably when it was used in one of several airports on a business
trip) and flipped overseas for criminal exploitation.  I got a call from
Bell Atlantic asking if I had bounced around Europe over the weekend.

        I also recall that TRW -- somewhere in the mid-80s, I think --
claimed great success in establishing and codifying a pattern of use for
valid subscribers who had legitimate access to your personal credit
history... and using variance in that pattern to identify hackers who had
somehow obtained valid passwords and were using them (in off hours and
through different access points) than the legitimate users of a particular
account.

        Don't most users have fairly set patterns of use: working hours, IP
address, at least? Exceptions outside those patterns should be fairly easy
to alarm.  That's really only an attempt to automate and scale the
know-your-users credo that is the norm for small installations.

         I suspect its only when you get into subtle variances (which app,
etc.) that  you get swamped with false alarms.  YMMV.

        Anyone have a name for any of the utilities which can do this?

                        Suerte,
                                        _Vin

>The fact that an intrusion took place doesn't prove the password was
>compromised, though it's probably the way to bet with most systems these
>days.
>
>Rick.
>smithat_private
>"Internet Cryptography" at http://www.visi.com/crypto/
>
>

Next message: JSK: "RE: Firewall(s) "maxed" out"
Previous message: Jan B. Koum : "imap and pop over ssl"
Maybe in reply to: Rex Murphy: "Passwords"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:57 PDT