
El'essar Viocragh
Minmatar Meltdown Luftfahrttechnik
|
Posted - 2010.03.23 17:52:00 -
[31]
@CCP: just remember, when in doubt about a security feature, always take the paranoid option. -- [17:47] <Mephysto> its dead, jim |

Paknac Queltel
Standards and Practices
|
Posted - 2010.03.23 21:59:00 -
[32]
Originally by: Agent Unknown Most browsers store username/passwords for autocomplete encrypted with a master password (IE doesn't though).
Except when they don't. Most people saving passwords won't use a master password, which means that their password store is encrypted with a key that is stored on the hard drive or derived from the hardware. Malware will easily manage to get into the password files of 80% infected users.
Malware written by a persistent programmer will happily and eagerly wait for the remaining 20% to enter their master password.
|

Vaerah Vahrokha
Minmatar Vahrokh Consulting
|
Posted - 2010.03.24 10:09:00 -
[33]
I don't see how this feature is going to help people who got infected with the usual keylogger / trojan.
Before this change I typed my username and password only at browser cookies etc. clear, that is like once per month tops.
If I had a keylogger in the last week, I'd have fed the hacker my user name, password *and* characters names about 20 times per day, which is the frequency I get asked for the same stuff all the time.
Furthermore, I am strongly pushed at using a *weaker* password (and easier to guess user name and in game characters name) because typing them all day long is so utterly annoying (the browser won't retain them for some reason) that making them dumb and short seems the only way to save some minutes.
Of course I could just copy and paste them, too bad every good keylogger sniffs the clipboard as a priority... - Auditing & consulting
When looking for investors, please read http://tinyurl.com/n5ys4h + http://tinyurl.com/lrg4oz
|

Abrazzar
|
Posted - 2010.03.24 13:07:00 -
[34]
Originally by: Vaerah Vahrokha I don't see how this feature is going to help people who got infected with the usual keylogger / trojan.
It will help not at all. It's not the point of this feature. It's there to keep hackers from brute forcing access to accounts by adding a third variable to what they need to guess right.
Try it, type in a random account name and password. You will then get prompted to add a character name without any hint if the account name or password were right. You will then get the error message that either of the typed in information was wrong.
This system decreases the success chance for brute force by an order of magnitude.
If you get a trojan/keylogger on your computer, you're ****ed anyway in more areas than just EVE. But that's your job to keep from happening, not CCP's. --------
|

Vaerah Vahrokha
Minmatar Vahrokh Consulting
|
Posted - 2010.03.24 15:52:00 -
[35]
Edited by: Vaerah Vahrokha on 24/03/2010 15:54:04
Quote:
This system decreases the success chance for brute force by an order of magnitude.
If you get a trojan/keylogger on your computer, you're ****ed anyway in more areas than just EVE. But that's your job to keep from happening, not CCP's.
Solving a barely existent problem (brute force) by making everyone vulnerable to a massively spread problem is less than smart imho. Also, I missed where this solution makes EvE client brute force less functional. I also miss how all of this is smarter to do than just decoupling forum credentials off the game credentials. Edit: and imposing them being different. - Auditing & consulting
When looking for investors, please read http://tinyurl.com/n5ys4h + http://tinyurl.com/lrg4oz
|

Vaerah Vahrokha
Minmatar Vahrokh Consulting
|
Posted - 2010.03.24 16:06:00 -
[36]
Edited by: Vaerah Vahrokha on 24/03/2010 16:12:37 Edited by: Vaerah Vahrokha on 24/03/2010 16:10:02
For more reference, here's how to forfeit this whole thing:
1) Most used way: just keylog it all. With this authentication scheme it's FAR easier since people are typing their full details all the time.
2) Phishing site. User registers as Spartakus, password "blah". A user names + passwords list is made and sold, including that guy. Remember, this authentication is to prevent people using *same* username and passwords on ie. a forum and in EvE game from being easily hacked.
3) Prospective EvE account hacker EvE-searches for Spartakus with a macro. Macro finds Spartakus Shoefingers, Spartakus Wellmade and Spartakus Abidima.
4) He logs in. Even in case the account name was not just "Spartakus", he will try the 3 found names, one of them corresponds to the right one and since (as per point 2) the user was dumb enough to call his account and characters with similar names, the guy gets hacked.
5) For maximum delight, the hacker inputs one of those autograbbed names and posts on the forum as well.
Now, point 4 won't hold if the user Spartakus was smart, made different account and character names and so on and on. But that won't be the case, since the authentication scheme is exactly to "help" the Spartakus that are not smart.
Another edit: in closing, is inconveniencing legit users and forcing them to be much more vulnerable and use dumber names and passwords going to counter those in phishing site lists enough to justify it? - Auditing & consulting
When looking for investors, please read http://tinyurl.com/n5ys4h + http://tinyurl.com/lrg4oz
|

Cherubior
Resonance. RED.OverLord
|
Posted - 2010.03.25 23:06:00 -
[37]
anything that helps against hacked accounts is great.
keep up the good work
|

Villa Wolfsbane
Amarr IT Alliance
|
Posted - 2010.03.27 12:32:00 -
[38]
Originally by: Jimer Lins Among the better ways to defeat brute-force attacks:
After X invalid login attempts (optionally within Y window), account is disabled for N hours and cannot be accessed.
Griefing and getting people's accounts disabled can be addressed by autoblocking IP source of invalid login attempts from ANY access to ANY account. Also, allow people to change their login name if it becomes exposed, preventing further griefing.
I'm sure this and many other things are being discussed, but it's disheartening to see that the actual measures being implemented are arguably WORSE for security, and the net effect is mostly to reduce forum usage because people can't be arsed to go through the login every time they browse over to the forums.
I'll bet the forum use logs show a marked decrease in post volume, but a smaller decrease in reads, particularly by users not logged in.
While not a per-se bad idea, it does have the unfortunate consequence of making username/password pairs easier to brute force find.
With no blocking, then an attacker knows only that the username/password pairing used was invalid. However, should the account be blocked, and a differential message returned, the attacker knows that the username is valid, and only the password was invalid - thus simplifying the problem of gaining access considerably.
|

Blane Xero
Amarr The Firestorm Cartel
|
Posted - 2010.03.29 05:55:00 -
[39]
Originally by: Villa Wolfsbane
Originally by: Jimer Lins Among the better ways to defeat brute-force attacks:
After X invalid login attempts (optionally within Y window), account is disabled for N hours and cannot be accessed.
Griefing and getting people's accounts disabled can be addressed by autoblocking IP source of invalid login attempts from ANY access to ANY account. Also, allow people to change their login name if it becomes exposed, preventing further griefing.
I'm sure this and many other things are being discussed, but it's disheartening to see that the actual measures being implemented are arguably WORSE for security, and the net effect is mostly to reduce forum usage because people can't be arsed to go through the login every time they browse over to the forums.
I'll bet the forum use logs show a marked decrease in post volume, but a smaller decrease in reads, particularly by users not logged in.
While not a per-se bad idea, it does have the unfortunate consequence of making username/password pairs easier to brute force find.
With no blocking, then an attacker knows only that the username/password pairing used was invalid. However, should the account be blocked, and a differential message returned, the attacker knows that the username is valid, and only the password was invalid - thus simplifying the problem of gaining access considerably.
Then simply make it block people out if they try using an invalid username OR password X amount of times. Simply loop it to a site saying "You have entered invalid credentials X times, please try again later" and block that IP from trying to log in for half an hour to an hour. Worst case scenario, the brute-forcer has to force an IP change every X tries if they can, or start using a hilarious amount of proxies. _____________________________________ Haruhiist since December 2008
Originally by: CCP Fallout :facepalm:
|
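Added example, not part of any post in this thread: a Python sketch of the lockout discussed in the two posts above, counting failures per source IP and per submitted account name and returning one identical message for every refusal, so a lockout does not confirm that a username exists. The class name, thresholds, sample account and addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# One message for every refusal: unknown user, wrong password, or throttled.
GENERIC_FAILURE = "Invalid credentials or too many attempts. Try again later."

# Demo-only iteration count so the example runs quickly (assumption).
PBKDF2_ROUNDS = 10_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password, salt):
    """Return the (salt, digest) record stored for an account."""
    return (salt, hash_password(password, salt))


# Checked when the username does not exist, so known and unknown
# usernames go through the same hashing work and the same code path.
DUMMY_RECORD = make_user("constructed-dummy-password", b"constructed-dummy-salt")


class LoginThrottle:
    """Sliding-window failure counter keyed by source IP and by account name."""

    def __init__(self, users, max_failures=5, window=1800):
        self.users = users                    # name -> (salt, digest)
        self.max_failures = max_failures      # the "X" in the posts above
        self.window = window                  # block length in seconds
        # Keys are attacker-controlled; a real deployment would bound this map.
        self.failures = defaultdict(deque)

    def _blocked(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:   # forget failures older than the window
            q.popleft()
        return len(q) >= self.max_failures

    def _password_ok(self, username, password):
        record = self.users.get(username)
        salt, digest = record if record else DUMMY_RECORD
        match = hmac.compare_digest(hash_password(password, salt), digest)
        return match and record is not None

    def attempt(self, ip, username, password, now):
        username = username.lower()
        # Failures are counted for the name whether or not the account exists,
        # so the throttle itself cannot be used to enumerate usernames.
        keys = [("ip", ip), ("user", username)]
        if any([self._blocked(k, now) for k in keys]):
            return (False, GENERIC_FAILURE)
        if self._password_ok(username, password):
            return (True, "OK")
        for k in keys:
            self.failures[k].append(now)
        return (False, GENERIC_FAILURE)


if __name__ == "__main__":
    # Constructed sample account and documentation-range addresses.
    users = {"spartakus": make_user("correct horse", b"constructed-salt")}
    throttle = LoginThrottle(users, max_failures=3, window=1800)
    for t in range(5):
        print("existing name:", throttle.attempt("198.51.100.7", "spartakus", "guess", t))
        print("unknown name: ", throttle.attempt("203.0.113.9", "nobody", "guess", t))
    print("owner, while locked:", throttle.attempt("192.0.2.44", "spartakus", "correct horse", 10))
    print("owner, after window:", throttle.attempt("192.0.2.44", "spartakus", "correct horse", 1802))
```

The per-account counter also refuses the legitimate owner while it is tripped, which is the griefing trade-off raised in the quoted post; keeping only the per-IP key removes that at the cost of weaker protection against distributed guessing.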

Hildi78
|
Posted - 2010.03.31 11:15:00 -
[40]
I think that IP-blocking is not the way - there are certain statistics that show the usage of "one-way-IPs" by spammers and I see no reason, why a professional attack should not use the same ways to hide itself.
Every computer does not just have an IP address, its network adapters also have a MAC-address (That's not the same like in apple macintosh!) which is technically unique - or at least that is what the manufacturers claim... So if we whitelist some... let's say three MAC-addresses, that should be enough out of the box to have another factor in authentication - not just the username / password which is something that can be guessed, but also a technical detail which is pretty hard to guess. Of course you should be able to add more computers (MAC-addresses) in case you play at a friend's computer or your hardware dies... For adding new MAC there should be a computer key required, just like the API keys everyone knows.
If you implement that, there can be a much better filtering and monitoring of attacks - CCP could block out the involved account by simply allowing only access from the whitelisted MACs and could notify a user to change password for security reasons.
In my opinion, all that should be implemented "under the hood", because making the system complicated to users will NOT work at all. Scared or annoyed users will simply leave...
More ideas about that from me only on demand 
|
|

Angry Poster
|
Posted - 2010.03.31 16:58:00 -
[41]
Can we please get RSA authenticators (like the ones available for wow since about a year)? Now THAT would really help to prevent account hacks. Just make the authenticators cost like 10€ and be usable for multiple accounts. Problem solved.
My eve account is really important to me (especially considering the dismal customer support and week long waiting times in cases of account hacking - and only getting the ISK back is also pretty bad). So if I can prevent such probs with a 10€ investment then I'd jump at the opportunity.
|

Cipher Jones
Minmatar
|
Posted - 2010.04.01 16:02:00 -
[42]
Originally by: GM Grimmi The change made last week is intended to prevent automatic logins by bots running enormous lists of username and password pairs. This has been the main cause of problems with account security for a while now, with hundreds of thousands such pairs being tried every day.
Key-loggers are of course a problem and to limit potential problems with this we reinstated the auto-complete of usernames last Friday. Users can set their browsers to complete passwords as well as this sort of option is available in most frequently used browsers.
This is the first step of many in account security upgrades and we are working hard on improvements. Unfortunately, such measures are likely to cause some annoyance but we try to minimize that as much as possible.
Luckily I was already paper trained with this concept from another game. The first time I saw it I rebelled but quickly realized it would only take 2 seconds and that it's keeping accounts safe. I appreciate the effort CCP and keep up the good work. This is clearly a signature. |

Captain Pompous
Is Right Even When He's Wrong So Deal With It
|
Posted - 2010.04.03 18:20:00 -
[43]
Edited by: Captain Pompous on 03/04/2010 18:25:48 It's ****, to be frank.
I don't pay my subscription for you to treat me like a mental invalid and assume that I'm an inept fool who can't be trusted with anything. Seriously, find some proper solutions rather than shouldering all of these onerous burdens (the warning link, the auto logout, the need to re-enter password details again and ****ing again) on us.
e: having written that, I've calmed down considerably. Please accept my apologies CCP but it really is of the highest importance that a balance between usability and security is found  ---
Even though you might disagree with what I say, that doesn't automatically make me a troll. |

Alsyth
Night Warder
|
Posted - 2010.04.08 13:17:00 -
[44]
To avoid brute force, just send a mail to any account which had more than 4 failed attempts to log in in less than an hour, and propose in the mail to authorize only some IP addresses (or MAC addresses if it is possible)?
But anyway, make them aware that someone is trying to log on to their account. Provide a log of IPs (& MACs, if possible) trying to access the account, and let us block or authorise some of them.
|

Hakaru Ishiwara
Minmatar Republic Military School
|
Posted - 2010.04.09 14:21:00 -
[45]
Originally by: Captain Pompous Edited by: Captain Pompous on 03/04/2010 18:25:48 It's ****, to be frank.
I don't pay my subscription for you to treat me like a mental invalid and assume that I'm an inept fool who can't be trusted with anything. Seriously, find some proper solutions rather than shouldering all of these onerous burdens (the warning link, the auto logout, the need to re-enter password details again and ****ing again) on us.
e: having written that, I've calmed down considerably. Please accept my apologies CCP but it really is of the highest importance that a balance between usability and security is found 
Actually, Captain, I believe that your original paragraph is on the mark. Having to re-log in to post on the forum during the same browser session and w/in a 24 hour time period is ****ing ridiculous. No other major web site that I use extracts such a toll.
At some point, the security of account credentials becomes the responsibility of the subscriber to manage.
Simple things such as mandatory strong passwords and additional credential challenges when brute force attacks are suspected are two mechanisms CCP can provide to its subscribers in order to secure their own **** all-the-while reducing the occurrence of account theft.
|

Umbroso
|
Posted - 2010.04.10 18:57:00 -
[46]
Too little too late. This is the only game where my account was hacked and it was hacked today 4/10/2010, a full 2 weeks after this posting. Consequently, I will not be returning to this game and will be advising everyone I meet about the poor security.
Originally by: GM Grimmi The change made last week is intended to prevent automatic logins by bots running enormous lists of username and password pairs. This has been the main cause of problems with account security for a while now, with hundreds of thousands such pairs being tried every day.
Key-loggers are of course a problem and to limit potential problems with this we reinstated the auto-complete of usernames last Friday. Users can set their browsers to complete passwords as well as this sort of option is available in most frequently used browsers.
This is the first step of many in account security upgrades and we are working hard on improvements. Unfortunately, such measures are likely to cause some annoyance but we try to minimize that as much as possible.
|

Root Canal
|
Posted - 2010.04.12 19:26:00 -
[47]
I am strongly against changes in how I have to log into the game. I am less concerned about annoyances logging into the Forums. The Forums are not essential and if it's too annoying I just won't post to the Forums. But the game is why I'm here. If logging into the game changes and annoys me, I will stop logging in and stop paying for Eve. Seriously.
The logical way to stop brute force login attempts is by IP address. I don't know why there is resistance to this. Any frequency of login attempts significantly greater than a human can do should result in blocking the IP and placing it in a queue to be examined by a human for long term blocking. A lesser frequency that is still suspicious should result in a short term block, say one or two minutes. The system should NOT accept repeated login attempts at a frequency higher than a human can type.
P.S. What is this stupid new Forum software that flags words like "login" and "IP" as spelling errors?
|

Napro
Caldari Buccaneers of New Eden death from above..
|
Posted - 2010.04.13 10:08:00 -
[48]
I can't believe brute force attacks were allowed for so long... Brute Force went out of style in the early 2000s what with account locking and IP banning becoming prevalent. Sorry to see CCP just catching up but I guess better late than never
|

diabetegirl
|
Posted - 2010.04.14 00:03:00 -
[49]
Edited by: diabetegirl on 14/04/2010 00:05:05 I can't believe this...
Hundreds of thousands of brute force attacks every day that you had not even noticed! To then be stingy on compensations for account hackings and lecture you about the safety of your own computer...
After the hacking of one of my corpmates' account. We have lost almost 32 billion ISK in corporate and personal assets. CCP didn't want to replace those assets. They instead refunded the price that the hacker struck in selling off the items (or 15 billion). But you'll tell me : "hey what's 17 billion nowadays, peanuts!"
I can tell that you will soon hear from us so we can have our assets back 
|

Lothros Andastar
Gallente
|
Posted - 2010.04.15 12:55:00 -
[50]
Edited by: Lothros Andastar on 15/04/2010 12:55:42
Originally by: Umbroso Edited by: Umbroso on 14/04/2010 20:10:00 Too little too late. This is the only game where my account was hacked and it was hacked today 4/10/2010, a full 2 weeks after this posting.
Originally by: GM Grimmi The change made last week is intended to prevent automatic logins by bots running enormous lists of username and password pairs. This has been the main cause of problems with account security for a while now, with hundreds of thousands such pairs being tried every day.
Key-loggers are of course a problem and to limit potential problems with this we reinstated the auto-complete of usernames last Friday. Users can set their browsers to complete passwords as well as this sort of option is available in most frequently used browsers.
This is the first step of many in account security upgrades and we are working hard on improvements. Unfortunately, such measures are likely to cause some annoyance but we try to minimize that as much as possible.
CCP refunded the cost of the items lost within 2 business days.
IMO CCP should have just laughed at you and not given you anything back. If you get hacked it's your own fault, either by allowing a Keylogger or by having a ****ty Brute-Forceable User/PW combo.
Here is a tip people: DON'T BUY ISK AND YOU WON'T GET HACKED! 
|
|

Kuolematon
Space Perverts and Forum Warriors United
|
Posted - 2010.04.21 12:50:00 -
[51]
This change also makes it kinda annoying to avoid "Wait 5 min" rule but oh well, luckily there is still ways to get around it but more work 
"The Amarr are the tanking and ganking floating rods of goldcrap"
|

insanebe
Caldari Cruentus Invicta
|
Posted - 2010.04.24 10:20:00 -
[52]
Edited by: insanebe on 24/04/2010 10:21:16
Follow the banks' example and in addition to a password, have a security word and a system where the user is asked to enter random characters, for example "enter the 2nd and 6th character of your security word", and have a scroll down list of all the alpha numerical characters,
this will defeat bots and keyloggers alike, along with password stealing viruses
The question defeats the bots
The scroll down list defeats the keyloggers and password harvesting viruses
|

MaxxOmega
Caldari Caldari Provisions
|
Posted - 2010.04.29 17:43:00 -
[53]
I approve of most security options to protect my account short of coming at me with a rubber glove and a jar of lube...
|

Pankas Carter
|
Posted - 2010.05.01 20:14:00 -
[54]
Originally by: Agent Unknown
Originally by: Paknac Queltel
Originally by: Professor Tarantula
Originally by: Blane Xero Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun.
You using IE or something? Firefox asks if you'd like it to remember any password you use.
Because, you know, browser cache is a secure place to keep your passwords, that malware won't read at all. 
Also, every time you log out, even automatically, all the unread flags clear.
Most browsers store username/passwords for autocomplete encrypted with a master password (IE doesn't though). When you log in, your session key determines your login by comparing it with information on the web server; if something doesn't match, the cookie is considered invalid (IP address, etc).
Just so you all know though - the Firefox master password isn't as great as it sounds. If you want it to be secure, you'll need to go enable FIPS - however this means you have to type your master password to enable SSL as well.
-- (start sig) --
Quote: A great city is not to be confounded with a populous one. - Aristotle
|

Dabljuh
|
Posted - 2010.05.02 11:34:00 -
[55]
Edited by: Dabljuh on 02/05/2010 11:35:27 No one needs to keylog these days. It's just too easy getting into 100s of accounts with minimal-effort brute force.
Brute forcing / dictionary attacking has recently begun to become brutally effective.
The reason for this is that many sites actually do have some standards for passwords. They prevent words in the dictionary, require at least 6 signs, and frequently at least a combination of a number and a letter.
Users however still behave like users and tend to use one single password for multiple sites. Furthermore, passwords end up being simple figures on the keyboard, or dictionary words with a number attached to them, which those methods for enforcing "strong" passwords do not recognize. In fact, the suggestion of adding a number to a dictionary word has sometimes been explicitly named as a "good" security measure.
So what you end up with is thousands of people with the password of "password1" and the like. This isn't in most websters-based dictionaries.
What happened in December 2009 was that a particularly large music site got hacked and ~30 million user datasets were released. This means there is now a list on the internets floating around with 30 million LIVE passwords.
Anyone who knows vaguely how computers operate realizes what's going to happen next. You distill the most frequently used live passwords, and you have a dictionary useable for attack with a success rate that hasn't been seen since the first servers started to block simple dictionary words as passwords in the 70ies.
My own eve account got hacked the other day, and aftermath analysis showed that the only realistic vector of entry had been a direct brute force dictionary attack against EVE Online's website. The password I used was one of several weak/public passwords, that older sites had estimated to have a reasonable strength for years, but is now obsoleted.
What CCP must do without delay, i.e. NOW is:
1. AGGRESSIVELY stop brute force attacks. If you let any individual IP do more than 10 tries per day, you're doing it wrong. Hackers often have 100s of hacked hosts and even more IPs at their disposal. Ten thousand tries a day can equal a hundred cracked accounts per day!
2. Strictly enforce a strong-password policy. Distill the 100'000 or so most frequently used passwords from the rockyou list and prevent any user from setting a password like that. Because those are the passwords that are currently checked against by brute-forcing hackers. Make people change their accounts.
Security analysis paper: http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
torrent to the password data: http://thepiratebay.org/torrent/5232943/RockYou.com_UserAccount-passwords
|
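Added example, not part of the post above: a Python sketch of the server-side check that post asks for, which builds a blocklist from the most frequent entries of an observed-password list and rejects new passwords that match it directly or after stripping a trailing number or symbol. The sample list, the small dictionary and all function names are constructed for illustration; a real deployment would load a large frequency list instead.

```python
import re
from collections import Counter

MIN_LENGTH = 6  # the minimum length the post says many sites require

# Constructed stand-in for a frequency-ordered list of observed passwords.
OBSERVED = (["123456"] * 5 + ["password"] * 4 + ["password1"] * 3
            + ["qwerty"] * 2 + ["iloveyou1"] * 2 + ["zx9-lamp-harbor"])

# Constructed stand-in for a word dictionary.
DICTIONARY = {"password", "dragon", "monkey"}


def naive_policy(pw, dictionary):
    """The rules the post describes: length, not a dictionary word, letter plus digit."""
    return (len(pw) >= MIN_LENGTH
            and pw.lower() not in dictionary
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def build_blocklist(observed, top_n):
    """Keep the top_n most frequent passwords, case-folded."""
    counts = Counter(p.lower() for p in observed)
    return {pw for pw, _ in counts.most_common(top_n)}


def candidate_forms(pw):
    """The password as typed (case-folded) and with trailing digits/symbols removed."""
    base = pw.lower()
    stripped = re.sub(r"[\d!@#$%^&*._-]+$", "", base)
    return [base] if stripped in ("", base) else [base, stripped]


def check_password(pw, blocklist, dictionary):
    """Return (accepted, reason) for a password a user is trying to set."""
    if len(pw) < MIN_LENGTH:
        return (False, "too short")
    for form in candidate_forms(pw):
        if form in blocklist:
            return (False, "on common-password blocklist")
        if form in dictionary:
            return (False, "based on a dictionary word")
    return (True, "ok")


if __name__ == "__main__":
    blocklist = build_blocklist(OBSERVED, top_n=3)
    for pw in ["password1", "Password1!", "Dragon2010", "plum-Orbit-77-kettle"]:
        print(pw, "| naive policy:", naive_policy(pw, DICTIONARY),
              "| blocklist check:", check_password(pw, blocklist, DICTIONARY))
```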

Dabljuh
|
Posted - 2010.05.02 16:22:00 -
[56]
As the forums awesomely don't allow editing past an hour or so, here's also a bunch of pre-rendered lists based on that. to save time. See if your password is in the 75% success rate list and if it is, change it now.
http://www.skullsecurity.org/blog/?p=516
also, apparently rockyou isn't actually a "music site" but... I don't know what they do. They made zooworld, which sounds like a farmville knockoff.
|

Kolatha
|
Posted - 2010.05.03 11:24:00 -
[57]
For those who keep going on and on about "all you have to do is block ip/mac addresses" please refer to the following two documents.
IP Spoofing
MAC Spoofing
Basically it is no effort at all to have each brute force attempt use a new randomly generated address. From my understanding and experience this is how some brute force attacks already operate. I know that DOS attacks use this as well.
I've already had to deal with someone attacking my personal server. They basically used a dictionary attack that cycled sequentially through an entire IP block. The only thing that saved me is that my system's security was set up by someone who specialises in paranoid levels of security.
Originally by: Dabljuh Edited by: Dabljuh on 02/05/2010 11:48:35 My own eve account got hacked the other day, and aftermath analysis showed that the only realistic vector of entry had been a direct brute force dictionary attack against EVE Online's website. The password I used was one of several weak/public passwords, that older sites had estimated to have a reasonable strength for years, but is now obsoleted.
If you use GMail, Hotmail or any of the free services then do not so readily discount those as the source of your compromise.
Constant hacking and more compromised accounts than they could handle is precisely why GMail added the little tool that lets you see where and when someone last logged in to your email account. Below your inbox you will see a little line that says something along the lines of "Last account activity: 23 minutes ago on this computer."
Originally by: Dabljuh Edited by: Dabljuh on 02/05/2010 11:48:35 What CCP must do without delay, i.e. NOW is: 1. AGGRESSIVELY stop brute force attacks. If you let any individual IP do more than 10 tries per day, you're doing it wrong. Hackers often have 100s of hacked hosts and even more IPs at their disposal. Ten thousand tries a day can equal a hundred cracked accounts per day!
See my comments above about IP/MAC address spoofing and the recent issue I had to deal with. One disgruntled attacker with a small botnet can pretty much lock out the entire eve community if you implement this level of automated IP blocking.
Originally by: Dabljuh Edited by: Dabljuh on 02/05/2010 11:48:35 2. Strictly enforce a strong-password policy. Distill the 100'000 or so most frequently used passwords from the rockyou list and prevent any user from setting a password like that. Because those are the passwords that are currently checked against by brute-forcing hackers. Make people change their existing passwords.
Enforcing strong passwords is pretty much the safest way to deal with this. I agree that CCP needs to seriously go down this path now rather than later. Also adding a separate password for the forum wouldn't hurt.
|

Dabljuh
|
Posted - 2010.05.03 15:32:00 -
[58]
Edited by: Dabljuh on 03/05/2010 15:35:34
Originally by: Kolatha For those who keep going on and on about "all you have to do is block ip/mac addresses" please refer to the following two documents.
IP Spoofing
MAC Spoofing
Basically it is no effort at all to have each brute force attempt use a new randomly generated address. From my understanding and experience this is how some brute force attacks already operate. I know that DOS attacks use this as well.
I'm sorry, but that's not how IP spoofing works. Or rather: You can't combine brute forcing and IP spoofing. IP spoofing works for DOS attacks, but password cracking attacks require a valid IP. There's no excuse other than gross negligence to not keep brute force attacks in check aggressively.
Besides, mac spoofing is to my knowledge irrelevant on the internet (that is to say, outside a LAN/WAN)
|

Kolatha
|
Posted - 2010.05.04 03:21:00 -
[59]
Edited by: Kolatha on 04/05/2010 03:22:26
Originally by: Dabljuh Edited by: Dabljuh on 03/05/2010 15:59:14 I guess either your security setup is even more screwed up than CCPs, or you do not understand the fundamental differences in requirements on the IP layer between a flood/DOS and a password cracking attack.
I am aware of the difference between a basic ip request and the 3 way handshake tcp requires. I don't claim to understand the security setup beyond that. My provider looks after that and my system came through uncompromised due to the security measures.
All the information I had on this incident was a log file full of failed login attempts tied to a hundred or so sequential ip addresses before my upstream host closed the doors to that block. They did so because I wasn't the only one on site being attacked, I was probably just collateral damage as I have nothing of value on my server. I found out it cycled through the whole block from the logs of my upstream provider. It was an external block and I trust my provider's security skills.
If spoofing is not supposed to work like that then I acknowledge I have misunderstood what was happening. But I would like to know how they can tie a dictionary attack to a cycled ip block like that if spoofing won't do it.
As for the mac address, it was only mentioned because people keep insisting that if IP blocking won't work then locking a connection to a mac address would.
|

Dabljuh
|
Posted - 2010.05.04 04:29:00 -
[60]
Edited by: Dabljuh on 04/05/2010 04:32:01 I'm not a certified security expert either. My biggest boast is ARP spoofing a LAN party to hijack the internet router, so every internet access was routed through my proxy and would result in gratuitous gay ****ography.
A sequential block of IPs (like, all in the same class B network) doing authentication attacks sounds a lot like a guy on dialup / dynamic IP, switching his IP each time he gets blocked. At least that's what I consider the most probable scenario.