12-14-2005, 12:52 AM
V_RocKs
Quote:
Originally Posted by Deek
password cracking....

OK, first, MD5 is busted, mainly because of the invention of rainbow tables. Basically what people have done is compute the MD5 hashes and then simply compare the hash to those stored in their database.

Second, sure, if you're inside the network you have direct access to the hashes; most won't be and will be attempting to break into the site via a web form. That's what the image verification is trying to prevent, not attacks against the hash itself.

On the proxy comment: the proper use of the published lists from ARIN can reduce the number of attacks from proxies considerably. Why? Most of these attacks happen from outside of the United States. This is also related to vuln scanning/port scanning. Block this at your edge device (router/firewall etc., NOT YOUR SERVER!).

I'm new to porn, so this statement may be wrong... It doesn't seem like many people care much for traffic outside of North America/Europe, i.e. China/Asia/Russia, and this is where a great deal (not a lot of them) of proxies exist. So blocking the not-so-well-liked countries serves two purposes, both security and more legit traffic. Again, I'm new, so I'm unsure how well this paragraph will fly.

Also, most attacks by "script kids" are not even geared towards adult. They're geared towards a pool of addresses. One of the botnets I busted in Feb '05 had bots which were assigned separate areas of the net to search for open Windows file shares.

I'm going to post a poll after this... asking how many actually check their logs...

Image verification is a major hassle. Don't get me wrong, it upsets me. However, image verification is typically implemented on community websites to prevent spammers. This is what I like. The use of image verification on a pay site prior to payment does not make sense to me, because it's unlikely (to me, being new to the porn industry) that someone is going to take a credit card and apply to a whole series of pay sites. If a person has the loot, they're likely going for electronics, which are easier to sell, say, on eBay.

As a gentleman stated before, there's no foolproof security mechanism; you can, however, be aware of the risks around you and implement as many speed bumps as you can.

In security you must balance the "CIA": confidentiality, integrity, and availability.

-Deek

1 - Ever made tables? Takes a long time to make ones with any significance. I have. I actually crashed a drive making them because it got overheated after the abuse on day 10. The majority of password crackers and hackers are no smarter than your Maytag repairman. Even still, cracking MD5 with rainbow tables still takes a lot longer than 400,000 c/s with DES.

2 - Believe it or not... most websites have been hacked at some point. When I say most I mean 80%, and I am being generous. When Globill got hacked, every single member they ever processed became public domain. All 1.2 million. Consequently they filed for bankruptcy not long after. Hackers don't care about Strongbox; they prey on the idiot webmaster using phpBB, AWStats or a host of other hackable apps. They steal the password DB/file and then decrypt it, or get lucky because it is in plain text, and just use the accounts in reverse, figuring the last person that signed up has another 30 days left. No brute force needed.

Proxies - From my own experience, 10%, give or take a few points, is how much money comes in from outside UK, CA, US, DE and MX. If you ask someone to give up on those sales, you are asking the wrong industry, unfortunately. Everyone here is just way too greedy.

Most crackers who are cracking basic auth or the form are not port scanning and doing other shit. Why would they? They are planning on going in on port 80, so why do I care if port 3306 has MySQL running if I won't be using it?

Script Kids - I lived in the cracking world for years. They are 99% Script Kids... and when I say Kids, I mean Kids... as in 15 - 22.

Log Checking - Most of the people here that run porn sites have no clue about their logs or even if they do log. They 'pay people to do that sort of stuff.' But no one ever gets around to it. Or they think their managed hosting includes such services and don't realise the host is only responsible for the server hardware, Apache, MySQL and the kernel. Everything else is the client's problem.

Image Verification - ??? I don't know of many porn sites that require it to sign up, but I know of a lot who require it to log in. If you cannot figure out the image, we have Darwin Awards available on your way out. I personally think that if it is too hard, perhaps you should live with someone who takes care of you, because you must be a fucking retard.

As the gentleman - Dude, there are no gentlemen here...

Ohh, before I forget...