Tue, 06 Sep 2005

[02:08] Lotus Notes Login Dialog
Date: 9/6/05 at 10:08AM

I don't know if anyone out there is (or has been) subjected to the interesting experience that is Lotus Notes. Currently I am being forced to use it, amongst a bevy of other Groupware solutions - why have one when you can have MANY!!! Anyway, below is the login dialog for Notes (6.5):


Normally it doesn't say CENSORED across the bottom but everything else you can see is "normal". That bloody keyring has been annoying me for a while. After you type in four characters every new character prompts the keychain to morph. Below are some examples:

I asked a Notesy friend of mine why this is and he gave me this answer:

I think it's supposed to throw off anyone watching you type in your password. That's what a guy told me when I was on a lotus course. dunno if it's true.

I found myself doubting the veracity of the aforementioned "guy on a lotus course" so I did a little digging...it appears that these images are displayed and changed by running the characters you've entered through an algorithm, so that the sequence of pictures generated whilst you type your password is unique (in the same way that your password hash is 'unique'). This is meant to aid in the detection of a spoofed login dialog, allegedly. You're meant to take particular note of the keychain image that is present when you finish typing your password and if it changes from normal then panic or something. An unconfirmed report I found in Google Groups suggests that this was requested by the CIA and/or NSA, who are both allegedly Notes users (apparently Notes is preferred because there are fewer viruses targeting it).

I initially doubted that this works or provides any useful functionality because it is mostly post-departure barn door bolting. Why? No-one has mentioned this to me, the Notes user, nor to ANYONE in the room who I've asked, all of whom are Notes users. What's more - the bloke I originally asked has several Lotus certifications AND was on a Lotus course when he tried to find out about it. If no-one, including Lotus community developers, knows what the hell it is I doubt that it's really going to help much :)
Also, if it's a keylogger they're trying to thwart, any semi-decent keylogger isn't waiting for you to hit enter or press OK before logging/sending the keys - they're logged as you type. All you're doing with this functionality is identifying that your system has been compromised - this isn't bad per se but it IS the last level of defense against external attackers. However, on further reflection this is a useful feature if you've got internal attackers (i.e. employees) as they don't need to circumvent firewalls and mail filters to get trojans onto the system - they can use USB/Floppy/Internal Mail.

Just in case you're interested, I tracked the authoritative answer down at the IBM RedBooks repository. The document in question is the Lotus Security Handbook and the section I've reproduced below is "6.1.4 - Notes passwords" from page 220:


Anti-spoofing password dialog box

To defeat dictionary or brute force attacks on ID file passwords and to reduce the risk of password capture, Notes employs an anti-spoofing password dialog box. This was introduced in R4 and has been retained in version 6 of Notes.

If a user enters an incorrect password, Notes waits for several seconds before allowing them to try again. This delay increases with each incorrect attempt to a maximum of thirty seconds. The delay feature makes it difficult to try many passwords in rapid succession in the hope of guessing the right combination.

The anti-spoofing aspect of the Notes password dialog box resides in the changing pattern to the left of the password input text field. In R4 and R5, this was a set of four Egyptian hieroglyphic symbols. In version 6, these hieroglyphics have been replaced by a picture of a key ring, with the attached objects (such as keys, flashlight, pocket knife, and so forth) changing after the fifth character is typed in.

These dynamic symbols make it more difficult to substitute a false dialog box that captures passwords in place of the Notes Password dialog box. Users should be made aware of the particularities of this dialog box and of the fact that the symbols change as they enter their passwords. If they notice that the symbols do not change or are not present, they should stop entering their password and click Cancel. As well, they should memorize the last image after they've typed their password because the algorithm behind the symbols will always compute to the same symbol in the end. (However, the algorithm is complicated enough that it is not easy to sort out the password just by looking at the symbols and the way they change).


So there you go! I don't know about the "click Cancel" advice - I'd be inclined to say leave it the hell alone and call IT Support pronto - Cancel could self-destruct or something and, like I said before, the keys are already logged (more than likely) anyway.
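To make the two mechanisms in the Redbook excerpt concrete (the deterministic per-keystroke image and the growing retry delay), here is a toy model written for this post; it is not IBM/Lotus code. The real symbol algorithm is undocumented, so a SHA-256 prefix hash stands in for it, and the symbol names and the doubling lock-out schedule are constructed assumptions.

```python
# Toy model of the two mechanisms in the Redbook excerpt (added example, not
# IBM/Lotus code). Assumptions: the real symbol algorithm is undocumented, so a
# SHA-256 prefix hash stands in for it; the symbol names and the doubling
# lock-out schedule are constructed for illustration.
import hashlib

# Constructed stand-ins for the key-ring objects on the real dialog.
SYMBOLS = ("key", "flashlight", "pocket-knife", "whistle", "compass", "padlock")
MIN_CHARS = 5      # excerpt: the image starts changing after the fifth character
MAX_DELAY_S = 30   # excerpt: delay grows per wrong attempt, capped at thirty seconds


def symbol_for(prefix):
    """Deterministically map everything typed so far to one symbol.

    Same prefix -> same symbol, so the final image for a given password is
    stable enough to memorise, while a fake dialog that does not know the
    mapping cannot reproduce the sequence as the user types."""
    digest = hashlib.sha256(prefix.encode("utf-8")).digest()
    return SYMBOLS[digest[0] % len(SYMBOLS)]


def symbol_sequence(typed):
    """Symbols shown while typing: one per keystroke from MIN_CHARS onward."""
    return [symbol_for(typed[:n]) for n in range(MIN_CHARS, len(typed) + 1)]


def final_symbol(password):
    """The image the user is told to memorise; None if the password is too
    short for the indicator to have appeared at all."""
    seq = symbol_sequence(password)
    return seq[-1] if seq else None


def retry_delay(failed_attempts):
    """Seconds to wait before the next attempt after `failed_attempts` wrong
    passwords (constructed schedule: 2, 4, 8, ... capped at MAX_DELAY_S)."""
    if failed_attempts <= 0:
        return 0
    return min(2 ** failed_attempts, MAX_DELAY_S)


def guessing_cost(guesses):
    """Wall-clock seconds that `guesses` wrong passwords cost at the keyboard,
    which is the quantity the delay exists to inflate."""
    return sum(retry_delay(i) for i in range(guesses))


if __name__ == "__main__":
    print(symbol_sequence("correct horse"))
    print("1000 guesses cost", guessing_cost(1000), "seconds")
```

Note that with six symbols the final image reveals only a few bits about the password, which is the property that lets users memorise it without it becoming a password hint.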
