First off, Strongbox isn't really directly comparable to PennyWize or anything else out there that I know of. To explain why, I have to get a little technical. Before I do, let me point out that with Strongbox there is no monthly fee and no reliance on someone else's server for your protection.

PennyWize is an old solution to an old problem. The script kiddies, real hackers, and just plain password sites figured out how to beat PennyWize around 1999-2000. As more and more password sites and software did their end runs around PennyWize, we began developing Strongbox as the next generation in security.
Now for the technical part:

PennyWize and similar services are needed because most web sites today use something called "Basic Authentication", which is implemented in a part of Apache called "mod_auth". This "Basic Authentication" is the system where the gray box pops up asking for your username and password. When the designers of mod_auth first released the design for that system, they were very careful to point out that it was not intended to be secure. It was intended to be a very basic system that could be used to put a password on your stats page until something better was designed. One major weakness is that Basic Authentication - the pop-up gray box - does not distinguish between the two main phases that you learn about in security 101.

The first day of a computer security course you'll hear about the two phases: "authentication", making sure the user is who they say they are, and "authorization", checking if they are allowed to access this particular page, etc. The authentication phase is when they log in; the authorization happens every time they view a page or image. With basic auth, they never log in. Their username and password are sent by the browser every time it requests a page or image. Because they never actually log in, you never get to thoroughly check them out. There are a lot of other problems too, like the fact that the whole thing is based on a very short password that can be shared.

PennyWize and similar programs try to tape up the holes in basic auth. That's a very tall order, because basic auth is built like a chain link fence - way too many holes to try to keep taped up. PennyWize and similar programs end up working like a burglar alarm inside the fence - trying to detect an intruder after they get in and then trying to deal with them after it's too late. Strongbox, on the other hand, gets rid of the whole "basic authentication" fence and puts up a thick brick wall instead. It doesn't tape up any holes, because it throws that fence full of holes in the trash pile behind the woodshed and puts in its own far superior system.
PennyWize and similar systems are also easily defeated by proxy-based attacks. An HTTP proxy is a server that lets you surf the web through it. Your computer connects to the proxy and tells the proxy what page you want to see. The proxy gets the page for you and forwards it on to you. From the server's perspective, you are invisible - it only sees the address of the proxy. When people do a brute force, or "hurling", attack, they might use 20 different proxies, so the server sees the requests coming from 20 different IP addresses. They do this to fool software like Password Sentry, which merely counts how many times a certain IP has tried a different username and password. These older, simpler "patch up" systems will let each of the attacker's IP addresses guess many usernames each hour, never recognizing that the guesses from the 20 different IPs are all coming from the same person and their brute force, or "hurling", software.

Strongbox isn't so easily fooled. Strongbox blocks these open proxies right away. There are some legitimate proxies. For example, AOL uses proxies so they don't have to have different IPs for each user. Legitimate proxies that you want to let through, though, are closed proxies - AOL proxies, for example, can only be used by AOL customers. Companies set up legitimate proxies so that only their employees or customers can access them. Script kiddies, hackers, and other undesirables don't pay for access to 20 different proxies from 20 different companies, of course. Instead they use servers that have been misconfigured or hacked so that anyone can use them as a proxy, or one of a couple of proxies put up by nefarious characters specifically for the purpose of allowing various kinds of wrongdoing to be accomplished without showing the perpetrator's IP address. These proxies which anyone can access are called open proxies. As they are often used by people attacking sites and rarely or never used by legitimate users, Strongbox blocks access from these open proxies immediately.

This proxy defense module was originally designed as an extra-cost option to enhance Strongbox's already high resistance to these types of attacks. We have decided to include this module as a free bonus with every Strongbox installation right now.
Last edited by raymor; 2004-02-04 at 10:11 PM.
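As an added example that is not part of raymor's post or of the Strongbox or PennyWize products, the Python below reproduces the two technical points above: Basic Auth credentials travel in every request (so the server can decode the username from each access-log line), and a lockout counter keyed only on the source IP never fires when twenty guesses arrive through twenty different addresses, while a counter keyed on the targeted account does. All log lines, IPs, usernames and thresholds are constructed for the example.

```python
import base64
from collections import Counter

# Constructed access-log lines: "<ip> <method> <path> Basic <token> <status>".
# Twenty distinct IPs (stand-ins for open proxies) each send one wrong
# password for the same account; the server answers 401 to each.
SAMPLE_LOG = [
    f"203.0.113.{i} GET /members/ Basic "
    + base64.b64encode(f"alice:guess{i}".encode()).decode()
    + " 401"
    for i in range(1, 21)
]

LOCKOUT_THRESHOLD = 5  # constructed: failures before a source or account is flagged


def parse_line(line):
    """Split one log line and decode the Basic Auth token it carries.

    Because the browser resends 'Basic base64(user:password)' on every
    request, the username can be recovered from any single line.
    """
    ip, _method, _path, scheme, token, status = line.split()
    if scheme != "Basic":
        raise ValueError(f"unsupported auth scheme: {scheme}")
    user, _sep, _password = base64.b64decode(token).decode().partition(":")
    return {"ip": ip, "user": user, "status": int(status)}


def failed_logins(log):
    """Keep only requests the server rejected (HTTP 401)."""
    return [r for r in map(parse_line, log) if r["status"] == 401]


def flagged_ips(log, threshold=LOCKOUT_THRESHOLD):
    """Per-IP policy (the 'count per address' approach the post criticises)."""
    hits = Counter(r["ip"] for r in failed_logins(log))
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def flagged_accounts(log, threshold=LOCKOUT_THRESHOLD):
    """Per-account policy: counts failures against the target, not the source."""
    hits = Counter(r["user"] for r in failed_logins(log))
    return sorted(u for u, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print("IPs flagged:", flagged_ips(SAMPLE_LOG))            # []
    print("accounts flagged:", flagged_accounts(SAMPLE_LOG))  # ['alice']
```

Each proxy address contributes a single failure, so the per-IP counter stays at one everywhere, whereas the account sees all twenty.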