This is part of a document written by Andrew Cormack, head of JANET-CERT.
Vulnerabilities in the authentication process.

Users need to authenticate themselves to the system; so do its
administrators. How robust is that
process, what factors does it use, and how easily is it fooled? It may be a
good thing if administrative access to the system is only possible from
pre-configured IP addresses. Static usernames and passwords may be
inevitable from a convenience point of view, but it's good to protect them
by using an encrypted channel to send them across the network. If you are
permitting access across an external network then I'd suggest that
something like SSL should be mandatory. You also need to have logs of
authentication attempts and to check them. What happens if someone
repeatedly fails to log in? Does the system lock their account after a
certain number of failures? If it doesn't then an intruder can write a
program to try all the passwords in the dictionary and be reasonably
confident of getting into someone's account.
Paul Wakefield
E-learning Business Manager
UKERNA
Tel: +44 1235 822239 Fax: +44 1235 822399 Mobile 07866 389444
***************** List information: *****************
Remember - replies go by default to the entire list.
Access the list via the web on http://www.jiscmail.ac.uk/lists/vle.html
To unsubscribe, email [log in to unmask] with the message: leave vle