Old 10-14-2002, 06:05 PM   #1
pennywize_v3
Registered User
 
Join Date: Oct 2002
Posts: 55
New Pennywize Announcements

For all GFY members - Pennywize has three big announcements for November:


PENNYWIZE ONLINE

On November 1st 2002, Pennywize will release version 3.0 of Pennywize Online, the market leading software for the prevention of password traders and brute force attacks. This release has been a year in the making and introduces a number of new features which significantly improve the effectiveness of Pennywize.

These include:

o New innovative dictionary attack blocking algorithm
o Much quicker stats parsing and account blocking
o No longer required to call the script as a CGI to block accounts
o More secure (your username and password aren't hardcoded within the script anymore)
o Large scale deployment ready (for hosting companies and ISPs)
o Enhanced reporting
o Easier to install

Pennywize also:

1. Allows you to put limits on the number of bytes per day a user can download
2. Records the number of minutes each user has been online for
3. Allows you to block or unblock any account from the admin section on our website

One of the most innovative features in the new version is our new "brute force" (or dictionary attack) blocking algorithm. A great portion of our research for this version has been into these intensive kinds of attacks and we have finally discovered a unique way to stop them cold, something which no other product on the market can match.

Hosting companies and large scale clients will also benefit from this new version, because one instance of Pennywize can be run per server to protect ALL of the sites on that server (as opposed to having one instance per site).

We encourage all members and current users to upgrade to the new version to receive the benefit of the new features. Pennywize is located at http://www.pennywize.com

You can now try Pennywize for FREE on your site - No credit card required


PENNYWIZE PAYMENTS

* New Product *

If you are a webmaster who has contemplated processing through your own merchant account, then you might be interested in our new service called "Pennywize Payments". Once you have a merchant account, your biggest cost will be to develop a software system to accept credit card information, communicate with your bank's gateway and then rebill that subscription periodically. Pennywize Payments is a complete merchant processing solution designed by the team at Pennywize which facilitates all this and more!

We have invested hundreds of hours to build a solid solution which simply 'plugs in' to the wide array of merchant banks out there, saving you the time and hassle of having to program an interface to every bank you want to process through, and write software to handle the rebilling of your customers.

Once you have established a merchant account, simply accept a transaction through your website, and pass it onto Pennywize Payments (through a secure SSL call) and let the gateway do all the low-level talking to your back-end merchant bank or facility on your behalf. The gateway will also rebill the transaction according to any number of pre-defined schedules you can create, and can also optionally pre-scrub the transaction through a growing number of 3rd party services. Pennywize can also bill at any currency your merchant account provides for.

Pennywize Payments also provides comprehensive reporting on all aspects of your transactions, from approves to declines, success rates, failure reasons etc.
This service is in beta testing now with a few clients, and will be available in the coming weeks at http://www.pennywizepayments.com



PENNYWIZE BANNER AFFILIATE SYSTEM

* New Product *

Over the last few years, the team behind Pennywize have been responsible for building, maintaining and operating some of the largest banner affiliate programs on the internet today. This exclusive technology was previously bound to a select number of clients, however we are now able to license this extremely powerful and flexible affiliate system to any webmaster on a monthly lease basis. Prices start at $USD 3000/mth.

For more information, please email [email protected]





Regards
The Pennywize Team
Old 10-14-2002, 06:07 PM   #2
DrGuile
Confirmed User
 
Join Date: Jan 2002
Posts: 2,025
pennywize_v3
I am probably spamming


lol

good product though
__________________
LiveBucks / Privatefeeds - Giving you money since 1999
Up to 50% Commission!
25% Webmaster Referal
Powered by Gamma
Old 10-14-2002, 06:09 PM   #3
Darren
Confirmed User
 
Join Date: Sep 2001
Posts: 5,994
admittedly a great product, but what makes u think u have right to post news here? why not purchase advertising or at least contribute to the forum before posting ur spam.

maybe its late and im just moody.....
Old 10-14-2002, 06:17 PM   #4
Sleepy
Confirmed User
 
Join Date: Nov 2001
Location: Porn Peddler
Posts: 679
No.. don't beat him up. I want to hear this..

dictionary attacks :
Does your method allow even one user/pass to be guessed through a proxy ? ..... because, if you allow even one guess the hacker still gets to guess and it's useless.
1 Guess times 90,000 proxies = 90,000 guesses
Old 10-14-2002, 06:19 PM   #5
nocostporn
Confirmed User
 
Join Date: Mar 2002
Location: Maryland
Posts: 5,228
uh you two boneheads above me, this is WANTED spam... DO you offer this product? NO, not too many people do so there is no competition... A LOT of people use pennywize... Looks good fellas
__________________
CashTheChecks.com -coming soon-
"Exclusive sites for Exclusive Webmasters"
ICQ-119966868,add me first don't message
Old 10-14-2002, 06:36 PM   #6
pennywize_v3
Registered User
 
Join Date: Oct 2002
Posts: 55
Hey Sleepy,

>Does your method allow even one user/pass to be guessed through a proxy ? ..... because, if you allow even one guess the hacker still gets to guess and it's useless.
>1 Guess times 90,000 proxies = 90,000 guesses

You cannot simply block ALL guesses. This would mean that nobody can log in. Also, when you first click on a members section button with your browser, you are generating one incorrect login right there (with no username/password) which Apache rejects with a 401, and then your browser pops up the familiar username/password box.

The new Pennywize uses two pieces of limiting technology:

a) Per second blocks
b) Per minute blocks

If the number of FAILED login attempts per ip address exceeds the per second or per minute thresholds, the ip is immediately blocked. By being 'blocked' all future requests are immediately invalidated.

BTW, beware of other products which may artificially delay a response back to the user to slow them down (ie. pause for 1 second), because this takes up one valuable slot of your web server, and can lead to a Denial-Of-Service effectively.

Thanks,

Steve

Last edited by pennywize_v3; 10-14-2002 at 06:38 PM..
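The per-IP, per-second and per-minute limiting Steve describes above, run against the one-guess-per-proxy case Sleepy raises, as an added example that is not part of the thread and is not Pennywize's code. The thresholds, the choice not to count username-less 401s, the log lines and the addresses are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed thresholds; the thread does not give Pennywize's real values.
MAX_FAILS_PER_SECOND = 3
MAX_FAILS_PER_MINUTE = 10

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return (ip, user, epoch_seconds, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], m["user"], ts, int(m["status"])

def find_blocked(lines):
    """Return {ip: rule} for IPs whose failed logins exceed either threshold.

    Lines for any one IP must be in time order, as in a live access log.
    """
    fails = defaultdict(deque)  # ip -> timestamps of failures in the last minute
    blocked = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user, ts, status = rec
        # A 401 with no username is the browser's first, credential-less
        # request that brings up the login box; this example does not count it.
        if status != 401 or user == "-" or ip in blocked:
            continue
        window = fails[ip]
        window.append(ts)
        while ts - window[0] >= 60:
            window.popleft()
        same_second = sum(1 for t in window if ts - t < 1)
        if same_second > MAX_FAILS_PER_SECOND:
            blocked[ip] = "per-second"
        elif len(window) > MAX_FAILS_PER_MINUTE:
            blocked[ip] = "per-minute"
    return blocked

def make_line(ip, user, sec, status):
    """Build one constructed log line, sec seconds after 18:00:00."""
    clock = f"18:{sec // 60:02d}:{sec % 60:02d}"
    return f'{ip} - {user} [14/Oct/2002:{clock} +0000] "GET /members/ HTTP/1.0" {status} 512'

# Constructed sample traffic (addresses are documentation/private ranges).
SAMPLE = (
    [make_line("192.0.2.10", "admin", 0, 401) for _ in range(5)]            # burst
    + [make_line("192.0.2.20", "admin", s, 401) for s in range(0, 60, 5)]   # slow drip
    + [make_line("192.0.2.30", "-", 0, 401),       # login box challenge
       make_line("192.0.2.30", "alice", 4, 401),   # one typo
       make_line("192.0.2.30", "alice", 9, 200)]   # success
)
# One failed guess from each of 300 different addresses, Sleepy's scenario.
DISTRIBUTED = [make_line(f"10.0.{i // 250}.{i % 250 + 1}", "admin", i, 401)
               for i in range(300)]

if __name__ == "__main__":
    print(find_blocked(SAMPLE))       # the burst and the slow drip are blocked
    print(find_blocked(DISTRIBUTED))  # nothing trips a per-IP threshold
```

The second result is empty even though 300 guesses were made: a per-IP counter only sees addresses that fail repeatedly, which is the gap the rest of the thread argues about.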
Old 10-14-2002, 07:46 PM   #7
drops
Confirmed User
 
Join Date: Feb 2002
Location: So. Cal.
Posts: 1,116
Pennywize saves me 1000's in bandwidth charges.. Period

It's worth it..
__________________
$84 Per Signup | $25 Per Free Signup | $20 Per Cross Sales | Credits On Exits | Paid Weekly
Contact Info. http://porndollar.com/support.html
Old 10-14-2002, 07:54 PM   #8
dantheman
OG
 
Join Date: May 2002
Posts: 3,308
Good announcement.....there's a lot of webmasters/sites here who use pennywize
__________________
M3server.com
VPS>Get your 2nd month free
Ded>$100 off your 2nd month
since 1996
icq-25135623
dannyh at~m3server DOT com
Old 10-14-2002, 08:06 PM   #9
Mutt
Too lazy to set a custom title
 
Join Date: Sep 2002
Posts: 34,431
Pennywize is the best of them all.

Like that feature which will log how much each user is downloading so if necessary you can boot the site suckers who are there only on a trial and to download the whole friggin site.

Can Pennywize limit the number of connections one user has - meaning limit how many files a user can download concurrently?
__________________
I moved my sites to Vacares Hosting. I've saved money, my hair is thicker, lost some weight too! Thanks Sly!
Old 10-14-2002, 09:18 PM   #10
Spoonie Luv
Confirmed User
 
Join Date: Jul 2002
Location: Crankerville
Posts: 1,003
fuck, my cracking days are numbered...

Is there such a thing as good spam? Somebody else was just posting about this (cracking sites) and I was thinking of pennywize, but I couldn't remember the name...
Old 10-15-2002, 08:09 AM   #11
CoolE
Confirmed User
 
Join Date: Jul 2002
Location: Canada
Posts: 451
Quote:
We encourage all members and current users to upgrade to the new version to receive the benefit of the new features.
How does one do this? There doesn't appear to be a way to do this on the site or in the current customers area.
Old 10-15-2002, 03:21 PM   #12
pennywize_v3
Registered User
 
Join Date: Oct 2002
Posts: 55
Hey CoolE,

It comes out November 1st! :-)


Steve
Old 10-15-2002, 03:29 PM   #13
Jizar II
Confirmed User
 
Join Date: May 2001
Location: LLL©
Posts: 1,425
Hi Mr. penny! - we tried to sign up for your service 6 months ago, never got any feedback. So it was never set up. We're using Password Trojan now, why should we move to you? What makes your solution better? - And did your service improve since then?
Old 10-15-2002, 03:41 PM   #14
pennywize_v3
Registered User
 
Join Date: Oct 2002
Posts: 55
Hi Jizar II,

If you're happy with PT, then stay with it, but if you want to switch over, i'd be happy to personally help you out. I am sure that once you see how Pennywize works, you won't want to switch back, but that's just my opinion ;-)

We are re-organising all our customer support at the moment, so that we have a dedicated full time support person, because we have had a lot of requests lately. Plus we're anticipating a flood of installation requests after the 1st.

Drop me an email if you like - You can try it out free for a while to make sure it works okay on your site.

Steve
Old 10-15-2002, 03:44 PM   #15
Jon
Confirmed User
 
Join Date: Jun 2002
Location: New York City
Posts: 2,578
damn i thought it was gonna be some news from the band..
__________________
WickedFire.com - Stay here. We don't need more of you. Not unless you have money, then, fine...
Old 10-15-2002, 04:07 PM   #16
Sleepy
Confirmed User
 
Join Date: Nov 2001
Location: Porn Peddler
Posts: 679
Steve,
I use ProxyPass right now which is written in C and it looks at each request then performs a test to see if it is coming from an open or closed proxy. If the request comes from an open proxy it simply does not respond to the request. The test is done so fast that it's not noticeable ( maybe 1/100 of a second or less ).

I like you guys at pennywize. In fact, you have one of my quotes on your testimonials page. Your software worked fantastic until I had about 8000 members and all this proxy hacking started a few years back.

Would you agree that if a hacker gets even one guess through an open proxy, and has a list of 90,000 proxies to use, that he would essentially still get 90,000 guesses ?

I'm sorry, I could have been much clearer. What I'm speaking of is open proxy problems because they are the REAL problem.
Old 10-15-2002, 04:27 PM   #17
pennywize_v3
Registered User
 
Join Date: Oct 2002
Posts: 55
Hi Sleepy,

Yep, i don't disagree. If you had 90,000 proxies, then 1 guess through each would be 90,000 guesses. Now, proxypass has good intentions (even tho someone from there seems to want to slam pennywize at every opportunity for his own gain -- but i'm not going to get into that) however by 'blacklisting' zillions of proxies, I believe you're probably going to do more harm than good.

Also, regardless of whether you have proxypass or not, your server (apache) is still going to have to 'accept' 90,000 TCP connections, examine the request, examine the IP and then drop the connection. Unless you firewall each IP out (which is even more horrendous) then there is no way around this, even with a C module.

For example, what if a guy starts hacking through an AOL/@home/etc proxy. It gets blocked. But then it gets blocked for *all* proxypass's clients, and any legitimate members would be disadvantaged. I don't think this is acceptable and i wouldn't put it in Pennywize. I don't also want to play god and say what IP addresses are going to be banned for all my clients, we'd get overrun with complaints from clients.

Pennywize has had reasonable proxy protection until now, but in the new version 3, it *really* steps up to the plate. With the new per second/minute/day thresholds, we could configure any level of tolerance you wish.

Steve
Old 10-15-2002, 05:20 PM   #18
Sleepy
Confirmed User
 
Join Date: Nov 2001
Location: Porn Peddler
Posts: 679
Quote:
Originally posted by pennywize_v3
Hi Sleepy,

Yep, i don't disagree. If you had 90,000 proxies, then 1 guess through each would be 90,000 guesses.
So then what's the point ? Why block them at all ? The hacker still gets what they want if you don't attack the root of the problem ( open proxies ).



Quote:
Originally posted by pennywize_v3

For example, what if a guy starts hacking through an AOL/@home/etc proxy. It gets blocked. But then it gets blocked for *all* proxypass's clients, and any legitimate members would be disadvantaged. I don't think this is acceptable and i wouldn't put it in Pennywize. I don't also want to play god and say what IP addresses are going to be banned for all my clients, we'd get overrun with complaints from clients.

What they do is they keep a central database of open proxies. They have a server that then tests the blocked proxies repeatedly until they are properly closed. Large ISPs like AOL and Home rarely fuck up and leave a server open but when they do their ( Danube's ) software notifies the admin by e-mail.

Sure, a legit ISP could be blocked for a few hours but to me that's a small price to pay to make sure my legit members do not have their user/pass stolen. Legit members are already paying me $34.95 per month and once their user/pass is stolen you can't simply explain the situation to them. As soon as you say "hacked" they think their credit card could be compromised and it's a guaranteed chargeback.



Quote:
Originally posted by pennywize_v3

Pennywize has had reasonable proxy protection until now, but in the new version 3, it *really* steps up to the plate. With the new per second/minute/day thresholds, we could configure any level of tolerance you wish.
I'm not going to go much further with this Steve. You're a good guy and you were good to me when I used Pennywize. Still, the bottom line is that if you don't stop the "open proxy" requests you might as well be pissing in the wind.
Old 10-15-2002, 05:46 PM   #19
pennywize_v3
Registered User
 
Join Date: Oct 2002
Posts: 55
(I wish i knew how to quote properly!!)

I understand your point of view, totally. And I agree that it is a big problem. My point is, that if a guy is gonna try 90,000 proxies with you once, then for every attempt, apache has to accept the TCP connection, which uses up a very valuable slot.

If you're talking about concurrency of 50, then a potential hacker could use 50 'slots' at once, right?

Ok, well then regardless of whether they are immediately cutoff or not with software, apache has still had 50 slots 'used' in the process. That impacts your server any way you look at it. So the only difference proxypass makes, is that it cuts them off a tad quicker than they would be anyway.

Ideally, the only true way to block them out is to firewall each proxy at the OS level, so that the TCP request never even gets as far as apache, but this is kind of outside the scope of a simple software product.

If you have any ideas or methods that you can suggest might work, I'd love to hear them and incorporate them into the product. We are *always* looking for ways to improve it :-)
And if you want to give the new Pennywize a try later on next month, i'd be happy to help an old friend.

Thanks,

Steve
Old 10-15-2002, 05:59 PM   #20
Libertine
sex dwarf
 
Join Date: May 2002
Posts: 17,860
One thing you can do to annoy the cracker is mix in a few 202's every once in a while instead of just 403's (while not granting access of course). That way, he might think he has succeeded in cracking the site, while in reality he has non-existent user/pass combos. The least thing it does is make it a lot harder for the cracker to find the 'good ones' if he catches those.

I know from experience how easy it is to get a list of 70k+ working proxies and a cracking program to go along with it. 70k attempts is most often enough to get in with non-random user/pass combos (people are predictable).

Also a good idea would be to block users from getting usernames or passwords that can be found in wordlists. Just requires you to update often...
__________________
/(bb|[^b]{2})/
Old 10-15-2002, 06:23 PM   #21
PxG
Confirmed User
 
Join Date: Feb 2002
Posts: 105
Just wanted to follow up on some of the questions about those features that really distinguish the ProxyPass from competitive products. It really has a number of first-in-class (i.e. proxies, load-balancing) and best-in-class (i.e. optimized architecture) features that make it an excellent solution:

--Detection and denial of open, abusable proxies. AOL and other legitimate proxies and gateways are -not- denied because of this.

--Detection and denial of single-source IP and non-proxy, distributed IP (e.g. drones or collaborative cracker rings) attacks.

--Detection and denial of password sharing violations.

--Optimized C module implementation providing for the fastest possible solution. The performance is much better than any sort of high-level scripted solution. The ProxyPass drops crack connections much earlier in the Apache response cycle than a cgi, php, or other response-handler-level script. This is one of the features that has yielded performance improvements between 10x and 50x for customers that have switched to the ProxyPass from competitive products. When a customer's load average drops that significantly under heavy crack attempts, that really translates into a much lower total cost of ownership for webmasters. It's much more than a 'tad' difference.
(read the testimonial here: http://www.proxypass.com/modules.php...rder=0&thold=0)

--Performance isolation between the customer Apache server and the centralized ProxyPass machines. If the network between them is slow or the ProxyPass servers unreachable for some other reason, the customer Apache server performance will -not- be impacted.

--Real time administration tool on the customer's Apache server. Why log in to a remote machine to administer your account when it simply adds another potential point of failure to the overall solution? With the ProxyPass, webmasters have total control over blocks and configuration settings directly on their own server.

--Ability to share information across load-balanced clusters of apache servers. This is a huge benefit to enterprise level, load-balanced setups and eliminates partial-block problems.

Steve, also not sure where you're coming with the comment (even tho someone from there (proxypass) seems to want to slam pennywize at every opportunity for his own gain -- but i'm not going to get into that)....anyways, best of luck w/ your release!

If anyone has Qs about the ProxyPass or wants to give it a shot please hit me up on ICQ: 153529369

...and thanks for your comments Sleepy.


Best regards,
Laszlo
ICQ:153529369
__________________
Kill Password Hackers Now!
Kill Hit-Botters Now!
_____________________________