Quote:
Hackers don't do bruteforcing of usernames, they
simply take them from the database/file. Installing
phantomfrog doesn't make a site unexploitable.
Exploitable != getting a valid pass.
|
Your point is well taken. That was an unfortunate
choice of words. There are two separate issues here.
Webmasters who voluntarily plant passwords to entice
leechers to join their site. Any webmaster doing this
would obviously ignore or exempt his planted passes
from being blocked.
The second issue concerns malicious hackers who use
one of two methods to extract stolen passwords from
a site with the intent of publishing them on trading
forums for free-for-all use. There are the so-called
script kiddies who use programs like AD and Sentry
via brute force methods to expose stolen passwords
using themed wordlists. Then there are the more
serious infractions by malicious, misguided but more
technically oriented hackers who can locate entire
password files. No password protection system will
prevent this kind of password theft.
However, what a truly effective system WILL do is
ensure that those stolen (not planted) passwords
have no lifetime! The longer a stolen password is
working, the more exposure the webmaster has
to potential content theft and bandwidth abuse.
That is the point I was emphasizing about Phantom
Frog. Early detection is your best protection!
Frog's Geo-IP Tracking will detect pass abuse down
to the city level increasing the resolution of your
radar for catching this abuse.
Those are the hacker discussion threads I was referring
to where they are dumbfounded by how quickly their
stolen passes die due to the intervention of Frog!
Thanks for Your Insight
George
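
The post does not say how Phantom Frog's Geo-IP tracking works, so the following is an added example, not Phantom Frog's code or part of the original post. It shows one common way to catch a shared password early: flag an account that logs in from more than a set number of distinct cities inside a sliding time window. The GEO table, the sample events, and the threshold and window values are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IP -> city table standing in for a real geo-IP database lookup.
GEO = {
    "192.0.2.10": "Austin", "192.0.2.11": "Austin",
    "198.51.100.7": "Lyon", "203.0.113.5": "Osaka", "203.0.113.9": "Perth",
}

# Constructed login events: (ISO timestamp, username, client IP).
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "192.0.2.10"),
    ("2024-05-01T09:05:00", "bob", "198.51.100.7"),
    ("2024-05-01T09:20:00", "alice", "192.0.2.11"),    # same city, new IP
    ("2024-05-01T10:00:00", "bob", "203.0.113.5"),
    ("2024-05-01T10:30:00", "bob", "203.0.113.9"),     # third city in 90 minutes
    ("2024-05-01T10:45:00", "bob", "192.0.2.10"),
    ("2024-05-02T09:00:00", "alice", "198.51.100.7"),  # one new city, a day later
]

def detect_shared(events, max_cities=2, window=timedelta(hours=6)):
    """Return {username: time the account first exceeded max_cities
    distinct cities inside the sliding window}."""
    recent = defaultdict(deque)  # username -> deque of (time, city)
    flagged = {}
    for ts, user, ip in sorted(events):  # ISO timestamps sort chronologically
        if user in flagged:
            continue  # account already blocked; keep the first detection time
        now = datetime.fromisoformat(ts)
        # An IP the table cannot resolve is treated as its own location.
        city = GEO.get(ip, "unknown:" + ip)
        q = recent[user]
        q.append((now, city))
        # Drop logins that have aged out of the window.
        while q and now - q[0][0] > window:
            q.popleft()
        if len({c for _, c in q}) > max_cities:
            flagged[user] = now
    return flagged

if __name__ == "__main__":
    for user, when in detect_shared(EVENTS).items():
        print(f"{user}: blocked at {when.isoformat()}")
```

The time between the first login from a leaked password and the returned detection time is the password's working lifetime, which is the figure the post argues should be as short as possible.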