
Full Disclosure mailing list archives
Re: breaking news tools, for an ever changing community
From: n3td3v <n3td3v () gmail com>
Date: Sun, 4 Jun 2006 20:07:13 +0100
On 6/4/06, Eric Ericson <harlequin () earthlink net> wrote:
Well, on top of that what if you don't have a static IP at home? Or what if your outbound NAT at the office is actually a /28 pool that it selects from based on load? Interesting idea, but it seems a bit unworkable.

-E2
--
Eric Ericson harlequin () earthlink net
Commitment, n.: Commitment can be illustrated by a breakfast of ham and eggs. The chicken was involved, the pig was committed.
I've had a workable version to protect myself from logging in to account(s) from home by mistake when I only want to log in from a public computer. It might be 'unworkable' to implement into Yahoo, but it's workable to implement into a website designed for a target audience of security professionals. For our mailing list, posters will need a n3td3v e-mail address to post; this makes sure we're in control of what's going on.

In the future, though, I think it's workable for Yahoo users to select a 'bind my account to my ISP' option, where your account must be accessed by an 'aol' host or a 'bt' host depending on what service provider you're with. The idea that attackers are successfully accessing a Yahoo account on a 'bt' host, when the actual account owner has been an 'aol' user for ten years, has never used a 'bt' host and will never access their account from a 'bt' account, is laughable. Yahoo users should be able to assign the ISPs they use, and deny all access to the account if a host which doesn't meet the rules set by the actual account owner tries to log in.

Think of it as a user-friendly account firewall, easily set up by kids and the elderly, because Yahoo would detect the ISP trends of the actual account user, and all the user needs to do is select yes or no to set up rules based on the ISP information Yahoo displays to them via a web interface. It's as simple as 'Yahoo detects you're using AOL; set your account to accept AOL-only access to this account?', 'add a new ISP?', 'delete this ISP?', 'make AOL your default ISP for this account?', or, if the user is too confused, Yahoo can have a 'turn off ISP recognition for this account?' ...and so on.

This might be too unfriendly for typical Yahoo consumers, but it could be used by corporate users to define an ISP list for individual employees wanting to log in to the corporate network from a remote location (e.g. home). Why allow your corporate network to be hacked on an ISP your employee has never used and/or will never use?

Even before the attacker has the right password or requests new password info, your backend corporate infrastructure would already be in 'paranoid mode' to reject a correct password or cookie due to a bogus login attempt on a 'bad ISP'. Yahoo could call it 'Yahoo account ISP recognition' or 'paranoid mode' for fun. On small sites, like mine, it is 'workable' to use a more advanced version of 'ISP recognition' than the user-friendly Yahoo version I'm talking about.

All the time I hear of script kids and/or hackers who have obtained a password and accessed a corporate web interface to control load balancing and other network configuration, or databases of Yahoo payroll with names and home addresses and social security numbers. These folks might be logging in on Comcast and other proxies, where the login is only used by corporate users who would never be on a Comcast or other proxy to access the corporate infrastructure under legitimate circumstances. For years I've wondered why Yahoo make it so easy for their 'shizzle' to get hacked by such small-time means of obtaining a password and simply logging in, which your gran could do blindfolded.

Yahoo, implement a corporate account ISP recognition system and save all the embarrassment of kids walking all over your network. I'll send you my source code if you think it's 'unworkable'. I know seccy pros at Yahoo are more than capable of writing up their own system, however, for 'ISP recognition' to protect its corporate data interests.
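As an added illustration of the per-account ISP rules and 'paranoid mode' described in the post above (example code written for this page, not n3td3v's source code and not anything Yahoo runs), here is a minimal login check in Python. The prefix-to-ISP table and the addresses are constructed placeholders standing in for a real whois/ASN lookup.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed prefix-to-ISP table (documentation ranges, not real allocations)
# standing in for the whois/ASN lookup a real deployment would use.
ISP_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "aol",
    ipaddress.ip_network("203.0.113.0/24"): "bt",
}

def isp_for(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((isp for net, isp in ISP_PREFIXES.items() if addr in net), "unknown")

@dataclass
class Account:
    password: str
    allowed_isps: set = field(default_factory=set)  # empty = recognition off
    paranoid: bool = False  # set after any attempt from a non-allowed ISP
    log: list = field(default_factory=list)

    def login(self, ip: str, password: str) -> bool:
        isp = isp_for(ip)
        # The ISP rule is checked before the password is even looked at.
        if self.allowed_isps and isp not in self.allowed_isps:
            self.paranoid = True
            self.log.append(f"DENY ip={ip} isp={isp} reason=isp_not_allowed")
            return False
        # Paranoid mode: after a bad-ISP attempt, even the right password
        # from an allowed ISP is refused until the owner clears it.
        if self.paranoid:
            self.log.append(f"DENY ip={ip} isp={isp} reason=paranoid_mode")
            return False
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            self.log.append(f"DENY ip={ip} isp={isp} reason=bad_password")
            return False
        self.log.append(f"ALLOW ip={ip} isp={isp}")
        return True

    def clear_paranoid(self) -> None:  # owner-initiated reset, out of band in practice
        self.paranoid = False

def demo() -> list:
    # Owner has only ever used 'aol'; an attacker holds the real password but is on 'bt'.
    acct = Account(password="correct horse", allowed_isps={"aol"})
    acct.login("203.0.113.7", "correct horse")   # attacker on bt: denied, paranoid on
    acct.login("198.51.100.9", "correct horse")  # owner on aol: refused by paranoid mode
    acct.clear_paranoid()
    acct.login("198.51.100.9", "correct horse")  # owner again: allowed
    return acct.log
```

One caveat the post does not address: because any attempt from a non-allowed ISP flips paranoid mode on, a third party who can merely attempt a login can lock the legitimate owner out until the reset, so a real deployment needs a recovery path that only the owner controls.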
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/