On Thu, 06 Jun 2002 17:40:07 PDT, Chris <brahmaat_private> said:

> Sorry if this is a bit off topic but I really didn't know any other lists
> closer to my question. I was wondering if anyone would know where I could
> obtain factual information regarding Dial-Up account abuse in conjunction
> with weak passwords. A study or information gathered by a credible source.

A much bigger problem is the use of throw-away dialup accounts by spammers
and other miscreants.

> As in someone brute forcing/guessing/conning a password for a dial-up
> account and using that account to launch attacks on systems and do generally
> malicious things. I am trying to show the importance of forcing customers
> to select secure passwords (8 char+ w/ numbers, letters and other printable
> char) to my staff. Any suggestions would be great.

Brute forcing is probably impractical - remember that if you don't get the
password right, you have to wait for a dial tone and re-dial and wait for the
modem to connect again. Guessing is *possibly* practical, if you know the
victim well enough to form a reasonable guess. Conning is a non-issue - if you
talk the person into giving you the password, it doesn't matter if it's simple
or complex.

The big issue to focus on is probably the fact that they are using the SAME
password for other things (possibly as part of a single sign-on scheme), and
that there are other services that are more vulnerable to attack. For
instance, an ISP will *probably* have their users with the same password for
their RADIUS access to the modem pool, and for access to their POP server,
just because that way they can run one authentication server for both. But it
doesn't matter if you can only try 3 passwords a minute on the modem pool if
the POP server allows 250/minute...

Sorry, no hard numbers, just 20 years of watching it happen... ;)

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
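The point above is that the POP server, not the modem pool, is the channel where a shared password gets hammered hundreds of times a minute. As an added example (not from this thread or from Virginia Tech), the script below runs over constructed POP3 failed-login lines in a hypothetical log format and reports the worst one-minute burst per client address, so an operator can see which sources need throttling or lockout long before the guessing succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): a POP3 daemon
# recording failed logins with timestamp, username and client address.
SAMPLE_LOG = """\
Jun 06 17:40:01 pop3d: LOGIN FAILED user=alice ip=192.0.2.10
Jun 06 17:40:02 pop3d: LOGIN FAILED user=alice ip=192.0.2.10
Jun 06 17:40:02 pop3d: LOGIN FAILED user=alice ip=192.0.2.10
Jun 06 17:40:03 pop3d: LOGIN FAILED user=alice ip=192.0.2.10
Jun 06 17:40:03 pop3d: LOGIN FAILED user=alice ip=192.0.2.10
Jun 06 17:40:04 pop3d: LOGIN FAILED user=alice ip=192.0.2.10
Jun 06 17:40:05 pop3d: LOGIN FAILED user=bob ip=198.51.100.7
Jun 06 17:41:30 pop3d: LOGIN FAILED user=bob ip=198.51.100.7
"""

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) pop3d: LOGIN FAILED "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_failures(text, year=2002):
    """Yield (timestamp, user, ip) for each failed-login line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def peak_failure_rate(text, window=timedelta(seconds=60)):
    """Per client IP, the highest number of failed logins seen in any `window`.

    A sliding window (deque) per IP drops events older than `window` before
    counting, so the value is the worst burst rather than a lifetime total.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, _user, ip in sorted(parse_failures(text)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def sources_to_throttle(text, threshold=5):
    """IPs whose failure burst exceeds what a dial-up client could ever sustain."""
    return {ip: n for ip, n in peak_failure_rate(text).items() if n >= threshold}
```

With the sample above, 192.0.2.10 reaches six failures inside one minute and is flagged, while 198.51.100.7's two failures are 85 seconds apart and never overlap in a window.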
This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 10:49:49 PDT