[ARIN-consult] Consultation on Password Security for ARIN Online Accounts
Mike Burns
mike at iptrading.com
Fri Feb 19 14:47:16 EST 2021
Thanks John. For what it's worth, I would guess that the miscreants would not be expecting a long-term access to any blocks brought under control in this manner, and for this reason would want to realize the most revenue possible in a short time. And this probably means spamming. For which rdns has great value.
I would put another padlock on rdns changes, is it possible to have staff review changes in rdns delegation in anything like real-time?
Regards,
Mike
-----Original Message-----
From: John Sweeting <jsweeting at arin.net>
Sent: Friday, February 19, 2021 2:14 PM
To: Mike Burns <mike at iptrading.com>; 'William Herrin' <bill at herrin.us>; 'Michael Richardson' <mcr at sandelman.ca>
Cc: arin-consult at arin.net
Subject: Re: [ARIN-consult] Consultation on Password Security for ARIN Online Accounts
Mike, while we are not entirely sure of the motives, you have definitely outlined a few that we are looking at. See Inline:
On 2/19/21, 11:00 AM, "ARIN-consult on behalf of Mike Burns" <arin-consult-bounces at arin.net on behalf of mike at iptrading.com> wrote:
Does anybody know why ARIN and RIPE are being attacked in this way?
Is the purpose merely credential discovery or would access be used in a
nefarious way?
(JS) ARIN believes that the purpose of credential stuffing is for the purpose of using the resources associated with the account in nefarious ways.
In ARIN these credentials would not allow for the sale of an address block.
(JS) that is correct, the rigorous process and procedure for completing a transfer would not allow for someone that merely has access to an account resources to transfer them.
But they could allow for rDNS entries that would enable mailing on a
hijacked block.
(JS) that is correct as well and yes, we have seen instances of this in the past. We have learned that several "market places" for leasing of resources require proof of control of the IP resources in order to list them. This is one of the "prove you control these blocks" methods.
And I suppose they could facilitate the leasing out of the block through ROA
generation.
(JS) Again correct, we have also confirmed that this is another "proof of control" that is used.
Any thoughts on the reason behind these recent attacks on two RIRs?
(JS) ARIN continues to capture forensics and will absolutely cooperate with law enforcement agencies when deemed the correct course of action. ARIN is meticulously gathering and logging all forensics associated with these attacks. The numbers are somewhat staggering as noted here in a recent attack:
Login Harvesting Attack Metrics
Invalid Password: 9,711
Invalid Captcha: 249,205
Invalid Username: 10,999,044
As you can see the attacks are extremely onerous and the amount of data associated with each attack makes it a challenge to identify the true aspirations of the people behind the attacks. We have developed much of the captured data and are currently in the process of analyzing it in order to develop and deploy deterrents to stop this. While we cannot go into specifics there is a significant amount of information captured in order to aid law enforcement agencies to become involved.
Are the attacked usernames targeted in any way, like associated with blocks
that aren't currently in use?
(JS) Still unable to get to that level of detail but it does appear to be true.
Maybe if the purpose of the attackers was clear, the security solution would
be easier to consider.
(JS) ARIN has taken several measures to make these attempts less effective and we are currently coding additional safeguards such as the topic of this consultation. Rest assured that this is of the highest priority to ARIN.
Regards,
Mike Burns
IPTrading.com
-----Original Message-----
From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of William
Herrin
Sent: Thursday, February 18, 2021 12:20 PM
To: Michael Richardson <mcr at sandelman.ca>
Cc: <arin-consult at arin.net> <arin-consult at arin.net>
Subject: Re: [ARIN-consult] Consultation on Password Security for ARIN
Online Accounts
On Thu, Feb 18, 2021 at 9:06 AM Michael Richardson <mcr at sandelman.ca> wrote:
> William Herrin <bill at herrin.us> wrote:
> > I don't know the current state of ARIN's account recovery process
but
> > unless ARIN first gets religion for it, there's not much point in
> > forcing 2FA in the primary authentication path. "Click this email
link
> > to reset your password" is single-factor and not even strong
> > single-factor.
>
> ARIN requires a phone call.
Hi Michael,
That's single-factor: control of a phone number.
AT&T defended itself from a lawsuit a year or two ago where someone lost
millions of dollars of bitcoin because a hacker was able to get AT&T to
activate a new phone with their phone number and then use that to reset the
brokerage password. AT&T's position, which the court accepted, was that cell
phone service was not advertised as or secured to a standard appropriate for
authentication thus anyone who relied on it for such did so at their own
risk.
Regards,
Bill Herrin
--
William Herrin
bill at herrin.us
https://bill.herrin.us/
_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN
Consult Mailing List (ARIN-consult at arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN
Member Services Help Desk at info at arin.net if you experience any issues.
_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN Consult Mailing
List (ARIN-consult at arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN Member Services
Help Desk at info at arin.net if you experience any issues.
More information about the ARIN-consult
mailing list