[ARIN-consult] Consultation on Password Security for ARIN Online Accounts
John Sweeting
jsweeting at arin.net
Fri Feb 19 14:13:57 EST 2021
Mike, while we are not entirely sure of the motives, you have definitely outlined a few that we are looking at. See Inline:
On 2/19/21, 11:00 AM, "ARIN-consult on behalf of Mike Burns" <arin-consult-bounces at arin.net on behalf of mike at iptrading.com> wrote:
Does anybody know why ARIN and RIPE are being attacked in this way?
Is the purpose merely credential discovery or would access be used in a
nefarious way?
(JS) ARIN believes that the purpose of credential stuffing is for the purpose of using the resources associated with the account in nefarious ways.
In ARIN these credentials would not allow for the sale of an address block.
(JS) that is correct, the rigorous process and procedure for completing a transfer would not allow for someone that merely has access to an account resources to transfer them.
But they could allow for rDNS entries that would enable mailing on a
hijacked block.
(JS) that is correct as well and yes, we have seen instances of this in the past. We have learned that several "market places" for leasing of resources require proof of control of the IP resources in order to list them. This is one of the "prove you control these blocks" methods.
And I suppose they could facilitate the leasing out of the block through ROA
generation.
(JS) Again correct, we have also confirmed that this is another "proof of control" that is used.
Any thoughts on the reason behind these recent attacks on two RIRs?
(JS) ARIN continues to capture forensics and will absolutely cooperate with law enforcement agencies when deemed the correct course of action. ARIN is meticulously gathering and logging all forensics associated with these attacks. The numbers are somewhat staggering as noted here in a recent attack:
Login Harvesting Attack Metrics
Invalid Password: 9,711
Invalid Captcha: 249,205
Invalid Username: 10,999,044
As you can see the attacks are extremely onerous and the amount of data associated with each attack makes it a challenge to identify the true aspirations of the people behind the attacks. We have developed much of the captured data and are currently in the process of analyzing it in order to develop and deploy deterrents to stop this. While we cannot go into specifics there is a significant amount of information captured in order to aid law enforcement agencies to become involved.
Are the attacked usernames targeted in any way, like associated with blocks
that aren't currently in use?
(JS) Still unable to get to that level of detail but it does appear to be true.
Maybe if the purpose of the attackers was clear, the security solution would
be easier to consider.
(JS) ARIN has taken several measures to make these attempts less effective and we are currently coding additional safeguards such as the topic of this consultation. Rest assured that this is of the highest priority to ARIN.
Regards,
Mike Burns
IPTrading.com
-----Original Message-----
From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of William Herrin
Sent: Thursday, February 18, 2021 12:20 PM
To: Michael Richardson <mcr at sandelman.ca>
Cc: <arin-consult at arin.net> <arin-consult at arin.net>
Subject: Re: [ARIN-consult] Consultation on Password Security for ARIN Online Accounts
On Thu, Feb 18, 2021 at 9:06 AM Michael Richardson <mcr at sandelman.ca> wrote:
> William Herrin <bill at herrin.us> wrote:
> > I don't know the current state of ARIN's account recovery process but
> > unless ARIN first gets religion for it, there's not much point in
> > forcing 2FA in the primary authentication path. "Click this email link
> > to reset your password" is single-factor and not even strong
> > single-factor.
>
> ARIN requires a phone call.
Hi Michael,
That's single-factor: control of a phone number.
AT&T defended itself from a lawsuit a year or two ago where someone lost
millions of dollars of bitcoin because a hacker was able to get AT&T to
activate a new phone with their phone number and then use that to reset the
brokerage password. AT&T's position, which the court accepted, was that cell
phone service was not advertised as or secured to a standard appropriate for
authentication thus anyone who relied on it for such did so at their own
risk.
Regards,
Bill Herrin
--
William Herrin
bill at herrin.us
https://bill.herrin.us/
_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN
Consult Mailing List (ARIN-consult at arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN
Member Services Help Desk at info at arin.net if you experience any issues.
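The three counters John Sweeting quotes (invalid username, invalid password, invalid captcha) are exactly what a defender can derive from a login audit log, and their ratio says a lot about intent: a flood of unknown usernames across many distinct names is account probing ("login harvesting"), while wrong passwords against known accounts is credential stuffing. The following is an added illustration, not ARIN's code or data; the log layout, the field names and the sample lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of web-login audit lines (not ARIN's real logs); the
# "src=... user=... result=..." layout is an assumption made for this example.
SAMPLE_LOG = """\
2021-02-18T10:00:01Z src=198.51.100.7 user=acct0001 result=invalid_username
2021-02-18T10:00:01Z src=198.51.100.7 user=acct0002 result=invalid_username
2021-02-18T10:00:02Z src=198.51.100.7 user=acct0003 result=invalid_captcha
2021-02-18T10:00:02Z src=198.51.100.7 user=acct0004 result=invalid_username
2021-02-18T10:00:03Z src=198.51.100.7 user=acct0005 result=invalid_username
2021-02-18T10:00:03Z src=198.51.100.7 user=jdoe result=invalid_password
2021-02-18T10:00:04Z src=198.51.100.7 user=acct0006 result=invalid_username
2021-02-18T10:05:00Z src=203.0.113.9 user=jdoe result=invalid_password
2021-02-18T10:05:20Z src=203.0.113.9 user=jdoe result=success
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")
FAILURE_KINDS = ("invalid_username", "invalid_password", "invalid_captcha")

def tally(log_text):
    """Return overall result counts, per-source counts and per-source usernames tried."""
    overall, per_src, users = Counter(), defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the assumed layout
        overall[m["result"]] += 1
        per_src[m["src"]][m["result"]] += 1
        users[m["src"]].add(m["user"])
    return overall, per_src, users

def classify(counts, distinct_users, min_failures=5):
    """Label one source by the shape of its failures: mostly unknown usernames
    across many distinct names is the 'login harvesting' profile from the
    thread; mostly wrong passwords for known accounts is credential stuffing."""
    failures = sum(counts[k] for k in FAILURE_KINDS)
    if failures < min_failures:
        return "normal"
    if counts["invalid_username"] > counts["invalid_password"] and distinct_users >= min_failures:
        return "login_harvesting"
    if counts["invalid_password"] >= counts["invalid_username"]:
        return "credential_stuffing"
    return "suspicious"

def report(log_text=SAMPLE_LOG):
    """Overall counters (the three categories in the thread) plus a verdict per source."""
    overall, per_src, users = tally(log_text)
    return overall, {src: classify(c, len(users[src])) for src, c in per_src.items()}
```

Calling `report()` on the sample yields 5 invalid usernames, 2 invalid passwords and 1 invalid captcha overall, flags 198.51.100.7 as login harvesting and leaves the single mistyped password from 203.0.113.9 as normal.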