Frackin script kiddies!!

Richard Pieri richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Aug 4 21:31:19 EDT 2010


> Yes, I still contend that you've left a lot of my questions without
> any satisfactory answer. So no, I'm not convinced. Regardless, I've
> actually enjoyed the discussion, and I apologize for wasting your
> time. :)

Let's start with the simple one: what does SSL do.  SSL protects the communications between browser and server.  It keeps eavesdroppers off your back.  That's all it does.  In practice, it makes it very expensive for an attacker to sniff your login credentials.  It does not prevent an attacker from launching an attack against a server in an attempt to guess those credentials.

In contrast, an authenticated communication link such as used by SSH PK auth denies direct attack against the server.  As someone else noted, an attacker would have to attack both the key and the credentials.  The attacks would need to be simultaneous because it is not obvious from the outside if one or the other is correct.  They all need to be correct for positive authentication else the link is never established.

This is where X.509 certificate authentication comes into play.  Certificates provide the same kind of PK authentication between client and server as SSH keys.  You have to have one half of a key pair generated for you installed in your browser or you can't even talk to the server.  As with SSH PK auth, an attacker needs to attack both the certificate and the credentials in order to even establish a link.

Back to the financials.  Big traders don't use SSL.  They have dedicated lines connecting them directly to their trading systems.  Attackers can't get in from the outside.  They would have to attack the physical lines directly.  Insert quip about data center infiltration here.  So, really, who is vulnerable?  You and me.

This is where intrusion detection systems come into play.  The simplest example is locking the account after a number of consecutive failed login attempts.  It is unlikely that an attacker will guess everything right the first three (say) times before an account gets locked and requires human intervention to regain access.  Another simple example is throttling or rejecting excessive connection attempts from a single IP address.

Let's assume that an attacker manages to get through all of that.  These companies have neural networks monitoring activity patterns.  They flag aberrations and put holds on accounts pending humans calling account owners to confirm the transactions.

Banks and such have many layers of security around them.  Your MythTV has one.

"Everything."

--Rich P.








More information about the Discuss mailing list