[funsec] Question for the group
fergdawg at netzero.net
Sat Feb 11 15:52:23 CST 2006
Could this possibly be an (obviously underhanded) attempt to
simply gather news & public information? I mean, given the situation
with press freedoms in China, etc...
Just a thought....
ps. Still thinking about the problem at hand, so no immediate
-- Paul Schmehl <pauls at utdallas.edu> wrote:
Recently we discovered that some message boards in China were posting the
urls for web proxies at various universities, along with "login
credentials". In our case that meant the url and a sixteen digit number
that represented our "Comet Card" IDs, smart cards that we issue to every
student, staff and faculty member when they arrive.
It wasn't long before someone wrote a script that automated the process of
logging in to the exProxy server in order to generate a list of valid IDs.
In the meantime, I was in discussions with the library and explained to
them that the sixteen digit numbers weren't sufficient and they needed
security. As a stopgap measure, they added a second "credential", the
user's last name.
Now we're seeing scripted attacks cycling through our directory (last name
only) and then attempting each of those last names along with a valid id,
in an effort to generate a list of valid "login" combinations.
Here's the question I have. We were just notified by another university
that they had detected bots on *their* network running the above script
against our proxy. According to their security officer (whom I know is
competent), these bots were infected with breplibot.
Is this something new? And why the hell do they want to grab books and
periodicals? Can they sell them?
(I know what the solution to the library's problem is. I just have to get
them to accept that what I told them early on is the only answer - tie in
to our LDAP auth system short term, and use CAS once it's implemented.)
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg at netzero.net or fergdawg at sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
More information about the funsec