Newsgroup: comp.risks


antispam.servers.aueb.gr
autolearn=no version=3.1.8
Delivered-To: dds@aueb.gr
Return-Path: <risks-bounces+dds=aueb.gr@csl.sri.com>
Received: from mailgate-internal1.sri.com ([::ffff:128.18.84.103])
by s6 with esmtp; Fri, 03 Aug 2007 22:39:39 +0300
id 002CB178.46B3847B.00005FBC
Received: from localhost (HELO mailgate-internal1.SRI.COM) (127.0.0.1)
by mailgate-internal1.sri.com with SMTP; 3 Aug 2007 19:30:29 -0000
Received: from mx1.csl.sri.com ([130.107.1.29])
by mailgate-internal1.SRI.COM (SMSSMTP 4.1.11.41) with SMTP id M2007080312302829416
for <dds@aueb.gr>; Fri, 03 Aug 2007 12:30:29 -0700
Received: from postal.csl.sri.com (postal.csl.sri.com [130.107.1.19])
by mx1.csl.sri.com (8.13.8/8.12.11) with ESMTP id l73JUSip043359
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <dds@aueb.gr>; Fri, 3 Aug 2007 12:30:28 -0700 (PDT)
(envelope-from risks-bounces+dds=aueb.gr@csl.sri.com)
Received: from postal.csl.sri.com (localhost [127.0.0.1])
by postal.csl.sri.com (8.13.8/8.13.4) with ESMTP id l73JUSpL067224
for <dds@aueb.gr>; Fri, 3 Aug 2007 12:30:28 -0700 (PDT)
(envelope-from risks-bounces+dds=aueb.gr@csl.sri.com)
From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 3 Aug 2007 12:14:16 PDT
precedence: bulk
To: risks-resend@csl.sri.com
Message-ID: <CMM.0.90.4.1186168456.risko@chiron.csl.sri.com>
Cc:
Subject: [RISKS] Risks Digest 24.77
List-Id: RISKS <risks.csl.sri.com>
List-Unsubscribe: <http://lists.csl.sri.com/mailman/listinfo/risks>,
<mailto:risks-request@csl.sri.com?subject=unsubscribe>
List-Post: <mailto:risks@csl.sri.com>
List-Help: <mailto:risks-request@csl.sri.com?subject=help>
List-Subscribe: <http://lists.csl.sri.com/mailman/listinfo/risks>,
<mailto:risks-request@csl.sri.com?subject=subscribe>
Sender: risks-bounces+dds=aueb.gr@csl.sri.com
Errors-To: risks-bounces+dds=aueb.gr@csl.sri.com
RISKS-LIST: Risks-Forum Digest  Friday 3 August 2007  Volume 24 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.77.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Structural problems with the I-35W bridge span (PGN)
Driver follows GPS when he should not (Erwan David)
"Meteorology Police -- you're BUSTED!" (Annie Johnson via Paul Saffo)
Hacked passport crashes RFID readers (Jeff Jonas)
IRS computer security/privacy problems (PGN)
User-hostile behavior (Steve Summit)
Location-Based Dictionary Attacks (Diomidis Spinellis)
Amazon chasing 2-cent Web services bill (Martin Redington)
Windows Live Messenger blocking even more completely innocuous text
  (Cody Boisclair)
Re: Accuracy of Hawkeye at Wimbledon (Paul Wallich)
Fraudproof voting protocols from scientists (Warren Smith)
REVIEW: "Implementing ITIL", Randy A. Steinberg (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------
[...]
------------------------------

Date: Thu, 02 Aug 2007 10:08:29 +0300
From: Diomidis Spinellis <dds@aueb.gr>
Subject: Location-Based Dictionary Attacks

I get daily security reports from the hosts I manage. Typically these
contain invalid user attempts for users like guest, www, and root.
(Although FreeBSD doesn't allow remote logins for root, I was surprised to
find out that many Linux distributions allow them.)

Today's log surprised me, because it contained only Greek names. Here is an
excerpt from the log.

Aug  1 00:19:42 istlab sshd[22137]: Invalid user achaikos from 210.17.252.20
Aug  1 00:19:45 istlab sshd[22191]: Invalid user achilleus from 210.17.252.20
Aug  1 00:19:48 istlab sshd[22218]: Invalid user actaeon from 210.17.252.20
Aug  1 00:19:51 istlab sshd[22244]: Invalid user acteon from 210.17.252.20
Aug  1 00:19:55 istlab sshd[22279]: Invalid user adelpha from 210.17.252.20
Aug  1 00:19:58 istlab sshd[22302]: Invalid user adelphe from 210.17.252.20
Aug  1 00:20:01 istlab sshd[22321]: Invalid user adelphie from 210.17.252.20
Aug  1 00:20:04 istlab sshd[22353]: Invalid user adonia from 210.17.252.20
Aug  1 00:20:08 istlab sshd[22387]: Invalid user adonis from 210.17.252.20
Aug  1 00:20:11 istlab sshd[22400]: Invalid user adrasteia from 210.17.252.20
Aug  1 00:20:14 istlab sshd[22417]: Invalid user adrastos from 210.17.252.20

The attack to this host (which is based in Athens, Greece) came from a
Hong-Kong-based machine, and the list contained many exotic Greek names
while also missing many common ones. Therefore, I doubt that this was a
local attack. A Google search revealed that the name list was obtained by
merging male Greek names and female Greek names from
http://www.20000-names.com. Most probably an attack tool contains lists of
names for specific countries (the same site also provides, African, Chinese,
English, French, German, Hebrew, Irish, Italian, Japanese, Polish, Spanish,
and Welsh names). The tool also maps the IP address of the host it attacks
to a specific country, for instance, through the geolocation data of the
IP-to-Country databases http://ip-to-country.webhosting.info/. Finally, the
attack tool uses the country-specific list for trying to log in to those
accounts. Attackers seem to be getting more sophisticated with every passing
day.

Diomidis Spinellis - http://www.dmst.aueb.gr/dds

------------------------------
[...]
------------------------------

End of RISKS-FORUM Digest 24.77
************************




Newsgroup comp.risks contents
Newsgroup list
Diomidis Spinellis home page

Creative Commons License Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.