funsec mailing list archives

Re: Question for the group

From: "Fergie" <fergdawg () netzero net>
Date: Sat, 11 Feb 2006 21:52:23 GMT

Paul,

Could this possibly be an (obviously underhanded) attempt to
simply gather news & public information? I mean, given the situation
with press freedoms in China, etc...

Just a thought....

- ferg

ps. Still thinking about the problem at hand, so no immediate
advice...


-- Paul Schmehl <pauls () utdallas edu> wrote:

Recently we discovered that some message boards in China were posting the 
urls for web proxies at various universities, along with "login 
credentials".  In our case that meant the url and a sixteen digit number 
that represented our "Comet Card" IDs, smart cards that we issue to every 
student, staff and faculty member when they arrive.

It wasn't long before someone wrote a script that automated the process of 
logging in to the exProxy server in order to generate a list of valid IDs.

In the meantime, I was in discussions with the library and explained to 
them that the sixteen digit numbers weren't sufficient and they needed 
security.  As a stopgap measure, they added a second "credential", the 
user's last name.

Now we're seeing scripted attacks cycling through our directory (last name 
only) and then attempting each of those last names along with a valid id, 
in an effort to generate a list of valid "login" combinations.

Here's the question I have.  We were just notified by another university 
that they had detected bots on *their* network running the above script 
against our proxy.  According to their security officer (whom I know is 
competent), these bots were infected with breplibot.

Is this something new?  And why the hell do they want to grab books and 
periodicals?  Can they sell them?

(I know what the solution to the library's problem is.  I just have to get 
them to accept that what I told them early on is the only answer - tie in 
to our LDAP auth system short term, and use CAS once it's implemented.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Question for the group Paul Schmehl (Feb 11)
- Re: Question for the group Blue Boar (Feb 11)
  - Re: Question for the group Paul Schmehl (Feb 11)
    - Re: Question for the group Blue Boar (Feb 11)
- Re: Question for the group TheGesus (Feb 12)
  - Re: Question for the group Paul Schmehl (Feb 12)
- Re: Question for the group xyberpix (Feb 16)
- <Possible follow-ups>
- Re: Question for the group Fergie (Feb 11)