Reply to post: Putting it into perspective...

Burglars' delight no more: Immobilise UK secures property list


Putting it into perspective...

Hi Tom

I'm very grateful you've actually thought the risk through and I suspect you already know the following, but let me clarify a couple of points for everyone else.

In order to locate an item (or all items), you'd need to enumerate every possible combination, like so:

User 1

Cert 1, then 2, then 3, then 4 etc... until 28,000,000.

User 2

Cert 1, then 2, then 3, then 4 etc... until 28,000,000.

... and so on until you reach all 4.2 million members.

At first glance, that seems infeasible... but it all depends how smart the script is. There's no doubt it'd take many hours and almost certainly trip an IDS warning, but there are far more efficient ways to go about it.

For example...

1) We know there are 4.2 million members & 28 million records, meaning an average of 7 items per user.

2) It's also reasonable to assume many of those items will be added one after another, but we need a fair tolerance to account for edge cases. Instead of blindly searching every cert ID, we can limit the scope to 1000 records before & after the data from the previous attempt.

3) With each successful "hit", we're able to narrow the search space considerably.

If user ID 400 and cert ID 10200084 (10 million, 200 thousand and 84) is successful, we'll know to start user ID 401 from cert ID 10200085 and above.

That way, successful hits happen faster as the time increases, but also limits the amount of requests necessary to pull off the attack, reducing the impact of IDS/IPS constraints.

There's a wealth of other information an attacker could use to make the attack not only effective, but very efficient.

Keep a look out for the follow up article on the blog & BBC. This is the tip of the iceberg.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021