Date : Thu, 17 Nov 2011 18:47:32 +0100
From : rick@... (Rick Murray)
Subject: Security Project - Update 1
On 16/11/2011 22:19, Martyn Ruks wrote ... possibly, the quoting of said
message was something of a disaster - what's with the asterisk prefix
instead of the well known and understood ">"?
> between "user not known" and "wrong password" to determine if a
> user exists.
> * Yes, you would be suprised how many systems and applications
> still let you do this today
Only *crap* poorly implemented systems.
ArcBBS would drop the line if you entered a wrong password three times
in a row. [in its day it would be effective as connection charges would
mount up quickly]
The sort-of server I wrote myself would do likewise, but since it was
written in the internet era, it would record the time of the last failed
logon and if another failure occurred within a specific length of time,
the user would be blocked.
Good systems will accept *any* username and only throw a generic "login
error" fault after the password, thus neither confirming nor denying the
username is valid. Most POP3 mail servers work this way.
Please don't hold a (admittedly, remarkably weak, even in its day) local
area network server to the same standards. It might we worth remembering
that Level2 was the first Econet server to actually offer support for
user level access.
http://www.heyrick.co.uk/econet/intro/servers.html
The earlier Level1 was *EXTREMELY* simplistic and was little more than a
shared disc drive.
> * Yes and not an elegant attack by any means.
I would say for Econet, the system is going to be "attacked" by a
different methodology than trying to break into a military server.
For example - the account we're wanting to access is most likely going
to be called SYST. Sure, an annoying admin might change that, but how
many did? I knew of three Econets in three schools, all of which used SYST.
Secondly - we have to consider that an attacker is likely to be on-site
so will have some idea of the usernaming scheme. It is pointless to try
an autogenerated name like "FIDSJSO" if the usual scheme is something
like "Y<year>U<number>". Furthermore, you *really* want admin access, so
searching for random usernames will be a mostly-productive waste of time.
Thirdly - given the Econet topology and the on-site nature, a much more
productive (and harder to detect) method is to make up some code to bury
on an unused machine (or if there are many Beebs, jack a Beeb into the
network wiring and hide it above the polystyrene ceiling tiles). This
can then just keep an eye on the data transmissions looking for login
attempts. Won't work with the MDFS encryption system, but any Acorn
LevelX stuff will be a doddle. Then you'll have a list of usernames and
passwords, and you can probably narrow down quickly ones which are "just
users" and ones which are potentially more interesting.
Frankly, and given the response speed of the average FileStore, a brute
force attack is laughably useless. Even brute-forcing SYST (assuming
it's a real account) with a random password attack is likely to take
LONGER than watching the wire waiting for a manager to log in.
You could take this a step further and modify your program to look also
for certain management commands (FSMODE, FSUSER, etc) and flag up which
user is performing these commands. This (assuming some regular luser
doesn't try them "just to see it fail") means you'll then be able to log
which user is capable of admin commands, and by then you'll ought to
have their password too.
> This leads to an interesting question, as a gut feel how many admins
> used to keep the monitor turned on to watch what was going on like a
> hawk and how many would have flicked it off?
My school? Never. Not only would monitoring tie up a Beeb (remember back
then such machines were *expensive*), but I don't think my school's
admin even fully understood what netmon was for.
How do I know? Because I ended up doing part-time admin duties. Me, a
rebel student that wanted to do CS, didn't want to do IT, and hence
didn't tend to even bother going to the lessons all that often [yes,
sir, I *know* what a database is for, how about we look at methods of
sorting to be effective with large amounts of data on restricted memory
machin... what, that's not what IT is? yes, I know what a database is for!]
Best wishes,
Rick.
--
Rick Murray, eeePC901 & ADSL WiFI'd into it, all ETLAs!
BBC B: DNFS, 2 x 5.25" floppies, EPROM prog, Acorn TTX
E01S FileStore, A3000/A5000/RiscPC/various PCs/blahblah...