[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Mike Burns mike at iptrading.com
Fri Feb 19 11:00:43 EST 2021


Does anybody know why ARIN and RIPE are being attacked in this way?
Is the purpose merely credential discovery or would access be used in a
nefarious way?
In ARIN these credentials would not allow for the sale of an address block.
But they could allow for rDNS entries that would enable mailing on a
hijacked block.
And I suppose they could facilitate the leasing out of the block through ROA
generation.
Any thoughts on the reason behind these recent attacks on two RIRs?
Are the attacked usernames targeted in any way, like associated with blocks
that aren't currently in use?
Maybe if the purpose of the attackers was clear, the security solution would
be easier to consider.

Regards,
Mike Burns
IPTrading.com


-----Original Message-----
From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of William Herrin
Sent: Thursday, February 18, 2021 12:20 PM
To: Michael Richardson <mcr at sandelman.ca>
Cc: <arin-consult at arin.net> <arin-consult at arin.net>
Subject: Re: [ARIN-consult] Consultation on Password Security for ARIN Online Accounts

On Thu, Feb 18, 2021 at 9:06 AM Michael Richardson <mcr at sandelman.ca> wrote:
> William Herrin <bill at herrin.us> wrote:
>     > I don't know the current state of ARIN's account recovery process but
>     > unless ARIN first gets religion for it, there's not much point in
>     > forcing 2FA in the primary authentication path. "Click this email link
>     > to reset your password" is single-factor and not even strong
>     > single-factor.
>
> ARIN requires a phone call.

Hi Michael,

That's single-factor: control of a phone number.

AT&T defended itself from a lawsuit a year or two ago where someone lost
millions of dollars of bitcoin because a hacker was able to get AT&T to
activate a new phone with their phone number and then use that to reset the
brokerage password. AT&T's position, which the court accepted, was that cell
phone service was not advertised as or secured to a standard appropriate for
authentication thus anyone who relied on it for such did so at their own
risk.

Regards,
Bill Herrin


--
William Herrin
bill at herrin.us
https://bill.herrin.us/