Comparing the Strongbox Security System™ to its competitors...
You be the judge:
- Password Sentry:
We'll let a customer answer that one. Steve at SGS-WebMedia says:
"The worst day was the day that password sentry was put on there. It was a cookie thing. Password Sentry requires cookies. So many customers surf with them off, and where they were in before they couldn't understand it. I think we had 4 hours sleep in 48 with that one. Macs were a particular problem. Password Sentry is virtually unusable now if you have a *real* number of members."
- PennyWize:
First off, the Strongbox Security System™ isn't really directly comparable to PennyWize or anything else out there that I know of. To explain why, I have to get a little technical. Before I do, let me point out that with the Strongbox Security System™ there is no monthly fee and no reliance on someone else's server for your protection. PennyWize is an old solution to an old problem. The script kiddies, real hackers, and just plain password sites figured out how to beat PennyWize around 1999-2000. As more and more password sites and software did their end runs around PennyWize, we began developing the Strongbox Security System™ as the next generation in security.
Now for the technical part:
PennyWize and similar services are needed because most web sites today use something called "Basic Authentication", which is implemented in a part of Apache called "mod_auth". This "Basic Authentication" is the system where the gray box pops up asking for your username and password. When the designers of mod_auth first released the design for that system, they were very careful to point out that it was not intended to be secure. It was intended to be a very basic system that could be used to put a password on your stats page until something better was designed.

One major weakness is that Basic Authentication - the pop-up gray box - does not distinguish between the two main phases that you learn about in security 101. On the first day of a computer security course you'll hear about the two phases: "authentication", making sure the user is who they say they are, and "authorization", checking whether they are allowed to access this particular page, etc. The authentication phase is when they log in; the authorization happens every time they view a page or image. With basic auth, they never log in. Their username and password are sent by the browser every time it requests a page or image. Because they never actually log in, you never get to thoroughly check them out. There are a lot of other problems too, like the fact that the whole thing is based on a very short password that can be shared.

PennyWize and similar programs try to tape up the holes in basic auth. That's a very tall order, because basic auth is built like a chain link fence - way too many holes to try to keep taped up. PennyWize and similar programs end up working like a burglar alarm inside the fence - trying to detect an intruder after they get in and then trying to deal with them after it's too late. The Strongbox Security System™, on the other hand, gets rid of the whole "basic authentication" fence and puts up a thick brick wall instead. It doesn't tape up any holes, because it throws that fence full of holes in the trash pile behind the woodshed and puts in its own far superior system. PennyWize and similar systems are also easily defeated by proxy based attacks.
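To make the authentication/authorization distinction concrete, here is an added example in Python; it is not Strongbox code and says nothing about how Strongbox itself is built. It shows what a server actually receives under Basic Authentication (the reusable username and password, base64-encoded, on every single request) next to a small token gate that verifies the password once at login and then only checks a random session token and a per-user permission list on each request. The user names, password, paths and the SHA-256 password hash are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time


def _pw_hash(password):
    # Illustrative only (constructed example): a real deployment would use a
    # salted, slow password hash such as bcrypt or scrypt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- Basic Authentication: the password rides on every request --------------

def parse_basic_auth(header):
    """Decode an 'Authorization: Basic <base64>' header into (user, password).

    Returns None when the header is not well-formed Basic auth. Base64 is an
    encoding, not encryption, so anyone who sees the header sees the password.
    """
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_auth_check(header, users):
    """Per-request check under Basic auth. There is no login step: the same
    reusable password is verified again on every page and image request."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    expected = users.get(user)
    return expected is not None and hmac.compare_digest(_pw_hash(password), expected)


# --- Token gate: authenticate once, authorize on every request --------------

class TokenGate:
    """Keeps the two phases the text describes separate.

    authenticate() runs once, at login: it verifies the password and issues a
    random, unguessable session token with an expiry.
    authorize() runs on every request: it checks the token, its expiry and the
    per-user permission list. The password itself is never sent again.
    """

    def __init__(self, users, permissions, ttl_seconds=3600):
        self._users = users            # username -> password hash
        self._perms = permissions      # username -> set of paths allowed
        self._ttl = ttl_seconds
        self._sessions = {}            # token -> (username, expiry)

    def authenticate(self, user, password):
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(_pw_hash(password), expected):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        self._sessions[token] = (user, time.monotonic() + self._ttl)
        return token

    def authorize(self, token, path):
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, expiry = entry
        if time.monotonic() > expiry:
            del self._sessions[token]   # expired: the user has to log in again
            return False
        return path in self._perms.get(user, set())


def demo():
    """Constructed comparison: the same member fetches three protected URLs.
    Returns (requests that carried the password under Basic auth,
             requests authorized by the token gate after a single login)."""
    users = {"alice": _pw_hash("s3cret")}
    paths = ["/members/", "/members/pic1.jpg", "/members/pic2.jpg"]

    header = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
    basic_sends = sum(1 for _ in paths if basic_auth_check(header, users))

    gate = TokenGate(users, {"alice": set(paths)})
    token = gate.authenticate("alice", "s3cret")    # the password is sent exactly once
    authorized = sum(1 for p in paths if gate.authorize(token, p))
    return basic_sends, authorized
```

Under Basic auth the server has to re-verify the password three times for three requests and the browser exposes it three times; with the token gate the password crosses the wire once, and every later request can be checked against an expiring token and an explicit permission list, which is where the per-user checks the text calls "thoroughly checking them out" can live.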
- Proxies & IP counting:
Older systems that simply count IPs are also easily defeated by proxy based attacks. What are these "open proxies" that people tell me the hackers use?
Besides replacing usernames and passwords with secure tokens, how is the Strongbox Security System™ so much more effective than PennyWize or Password Sentry?
An HTTP proxy is a server that lets you surf the web through it. Your computer connects to the proxy and tells the proxy what page you want to see. The proxy gets the page for you and forwards it on to you. From the server's perspective, you are invisible - it only sees the address of the proxy. When people do a brute force, or "hurling", attack, they might use 20 different proxies, so the server sees the requests coming from 20 different IP addresses. They do this to fool software like Password Sentry, which merely counts how many times a certain IP has tried a different username and password. These older, simpler "patch up" systems will let each of the attacker's IP addresses guess many usernames each hour, never recognizing that the guesses from the 20 different IPs are all coming from the same person and their brute force, or "hurling", software.
The Strongbox Security System™ isn't so easily fooled. The Strongbox Security System™ blocks these open proxies right away. There are some legitimate proxies. For example, AOL uses proxies so they don't have to have different IPs for each user. Legitimate proxies that you want to let through, though, are closed proxies - AOL proxies, for example, can only be used by AOL customers. Companies set up legitimate proxies so that only their employees or customers can access them. Script kiddies, hackers, and other undesirables don't pay for access to 20 different proxies from 20 different companies, of course. Instead they use servers that have been misconfigured or hacked so that anyone can use them as a proxy, or one of a couple of proxies put up by nefarious characters specifically for the purpose of allowing various kinds of wrongdoing to be accomplished without showing the perpetrator's IP address. These proxies which anyone can access are called open proxies. As they are often used by people attacking sites and rarely or never used by legitimate users, the Strongbox Security System™ blocks access from these open proxies.
Note - This proxy defense module was originally designed as an extra cost option to enhance the Strongbox Security System™'s already high resistance to these types of attacks. We have decided to include this module as a free bonus with every Strongbox Security System™ installation right now.
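The two proxy points above (guesses spread over many IPs slipping under a per-IP counter, and open proxies being refused outright) can be shown with detection logic run over a few log lines. The following is an added Python example, not Strongbox's or Password Sentry's code; how those products implement their rules is not described on this page beyond what the text says. The log format, the 20 TEST-NET-3 source addresses, the usernames, the thresholds and the open-proxy block list are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter


def build_sample_log():
    """Constructed sample, not real traffic. The first 60 lines are 20 source
    addresses (TEST-NET-3) each trying three different usernames and failing;
    the last three are one legitimate member mistyping twice, then succeeding."""
    lines = []
    for n in range(1, 21):
        for k in range(3):
            lines.append(f"ip=203.0.113.{n} user=guess{n:02d}{k} result=FAIL")
    lines += [
        "ip=198.51.100.9 user=alice result=FAIL",
        "ip=198.51.100.9 user=alice result=FAIL",
        "ip=198.51.100.9 user=alice result=OK",
    ]
    return lines


SAMPLE_LOG = build_sample_log()
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(FAIL|OK)")

# Constructed block list standing in for a maintained open-proxy feed. Closed
# proxies such as an ISP's customer-only proxies are deliberately not listed,
# which is the distinction the text draws between open and legitimate proxies.
OPEN_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(lines):
    """Turn log lines into (ip, username, success) tuples; skip unparsable lines."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3) == "OK"))
    return events


def per_ip_offenders(events, threshold=10):
    """The per-IP rule the text attributes to Password Sentry: an address is
    flagged only after it alone has made `threshold` failed guesses. Spread
    across 20 proxies, each address stays under the limit and nothing fires."""
    fails = Counter(ip for ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n >= threshold}


def aggregate_guessing(events, threshold=20):
    """Source-agnostic rule: count failed guesses and distinct usernames tried
    across the whole site. Returns (alert, failures, distinct_users, distinct_ips)."""
    failed = [(ip, user) for ip, user, ok in events if not ok]
    users = {user for _, user in failed}
    ips = {ip for ip, _ in failed}
    alert = len(failed) >= threshold and len(users) >= threshold
    return alert, len(failed), len(users), len(ips)


def from_open_proxy(ip):
    """True when the address falls inside a listed open-proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OPEN_PROXY_RANGES)


def triage(lines):
    """Run all three checks over a batch of log lines and summarise the result."""
    events = parse_log(lines)
    alert, failures, users, ips = aggregate_guessing(events)
    return {
        "per_ip_blocked": sorted(per_ip_offenders(events)),
        "aggregate_alert": alert,
        "failures": failures,
        "distinct_users_tried": users,
        "distinct_source_ips": ips,
        "open_proxy_failures": sum(
            1 for ip, _, ok in events if not ok and from_open_proxy(ip)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the per-IP counter blocks nobody (every address has only three failures), while the site-wide rule sees 62 failures against 61 different usernames from 21 addresses and raises an alert, and 60 of those failures come from the listed open-proxy range and would never have reached the login code if that range were refused up front. The aggregate threshold has to be tuned against a site's normal failure rate so that a few members mistyping their passwords, like "alice" here, do not trip it.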