Michael,

This has always been a problem with the web.  Not only do you not have
physical security of the device, you cannot even be sure that it is the
device you are thinking it may be.

So the only way to protect this is to track the number of login attempts that
go against any invalid User Name, and if above a certain threshold, to notify
security.  I also do the same if a particular user attempts to log in more
than 3 times in a row with a good User Name and bad password.  This also lets
me know when Users may be having difficulty as well as potential hacking
attempts.

Andy
  -----Original Message-----
  From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 4:52 PM
  To: CF-Talk
  Subject: security flaw in web services


  It looks to me like there's a problem with web services, specifically the ones
  that allow logins. Basically, a username/password is sent to the service and it
  responds with data if the person is a valid user. What stops someone from using
  the web service again and again to test a un/pw until they get the right one?
  Maybe the answer is obvious and I don't see it.

  checking amount of attempts per IP - ip can be forged
  checking amount of attempts per UN - scheduled attempt or multiple UN tries
  hidden communications key in stream - can be 'seen' (combined with SSL might
  work)
  --
  Michael Dinowitz
  Finding technical solutions to the problems you didn't know you had yet
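The two thresholds Andy describes (a count of attempts against user names that do not exist, and 3 bad passwords in a row for a real user) as a Python sketch added here; it is not code from either poster. The 10-attempt threshold, the sliding window for unknown-name attempts, and the alert strings are my assumptions; the post itself only gives the 3-in-a-row rule.

```python
from collections import deque
from dataclasses import dataclass, field
import time


@dataclass
class LoginMonitor:
    """Tracks failed logins the way the reply above suggests and returns an alert
    text for security when a threshold is crossed. The caller has already checked
    the credentials; the monitor only sees the outcome. The response sent back to
    the client should be identical for both failure kinds so the monitor's
    knowledge of 'unknown user' vs 'bad password' is not leaked to the caller."""
    invalid_user_threshold: int = 10    # assumed: alert after this many attempts on unknown names
    bad_password_threshold: int = 3     # from the post: 3 bad passwords in a row for a real user
    window_seconds: float = 600.0       # assumed sliding window for the unknown-name counter
    _invalid_times: deque = field(default_factory=deque)
    _consecutive_failures: dict = field(default_factory=dict)

    def record_attempt(self, username, user_exists, password_ok, now=None):
        """Record one login outcome; return an alert string or None."""
        now = time.time() if now is None else now
        if not user_exists:
            # Count attempts against *any* invalid name in one pool, pruned to the window.
            self._invalid_times.append(now)
            cutoff = now - self.window_seconds
            while self._invalid_times and self._invalid_times[0] < cutoff:
                self._invalid_times.popleft()
            if len(self._invalid_times) >= self.invalid_user_threshold:
                return (f"ALERT: {len(self._invalid_times)} attempts against unknown "
                        f"user names in {self.window_seconds:.0f}s")
            return None
        if password_ok:
            self._consecutive_failures.pop(username, None)   # a success resets the streak
            return None
        n = self._consecutive_failures.get(username, 0) + 1
        self._consecutive_failures[username] = n
        if n >= self.bad_password_threshold:
            return f"ALERT: {n} consecutive bad passwords for valid user '{username}'"
        return None


def run_demo():
    """Constructed sequence: a sweep of five unknown names, then three bad
    passwords for the real user 'alice', then a successful login."""
    mon = LoginMonitor(invalid_user_threshold=5)
    alerts, t = [], 1000.0
    for i in range(5):
        a = mon.record_attempt(f"guess{i}", user_exists=False, password_ok=False, now=t + i)
        if a:
            alerts.append(a)
    for i in range(3):
        a = mon.record_attempt("alice", user_exists=True, password_ok=False, now=t + 10 + i)
        if a:
            alerts.append(a)
    mon.record_attempt("alice", user_exists=True, password_ok=True, now=t + 20)
    return alerts   # one alert per threshold crossed: two in total
```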

