antispam.servers.aueb.gr | |
autolearn=no version=3.1.8 | |
Delivered-To: | dds@aueb.gr |
Return-Path: | <risks-bounces+dds=aueb.gr@csl.sri.com> |
Received: | from mailgate-internal1.sri.com ([::ffff:128.18.84.103]) |
by s6 with esmtp; Fri, 03 Aug 2007 22:39:39 +0300 | |
id 002CB178.46B3847B.00005FBC | |
Received: | from localhost (HELO mailgate-internal1.SRI.COM) (127.0.0.1) |
by mailgate-internal1.sri.com with SMTP; 3 Aug 2007 19:30:29 -0000 | |
Received: | from mx1.csl.sri.com ([130.107.1.29]) |
by mailgate-internal1.SRI.COM (SMSSMTP 4.1.11.41) with SMTP id M2007080312302829416 | |
for <dds@aueb.gr>; Fri, 03 Aug 2007 12:30:29 -0700 | |
Received: | from postal.csl.sri.com (postal.csl.sri.com [130.107.1.19]) |
by mx1.csl.sri.com (8.13.8/8.12.11) with ESMTP id l73JUSip043359 | |
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) | |
for <dds@aueb.gr>; Fri, 3 Aug 2007 12:30:28 -0700 (PDT) | |
(envelope-from risks-bounces+dds=aueb.gr@csl.sri.com) | |
Received: | from postal.csl.sri.com (localhost [127.0.0.1]) |
by postal.csl.sri.com (8.13.8/8.13.4) with ESMTP id l73JUSpL067224 | |
for <dds@aueb.gr>; Fri, 3 Aug 2007 12:30:28 -0700 (PDT) | |
(envelope-from risks-bounces+dds=aueb.gr@csl.sri.com) | |
From: | RISKS List Owner <risko@csl.sri.com> |
Date: | Fri, 3 Aug 2007 12:14:16 PDT |
precedence: | bulk |
To: | risks-resend@csl.sri.com |
Message-ID: | <CMM.0.90.4.1186168456.risko@chiron.csl.sri.com> |
Cc: | |
Subject: | [RISKS] Risks Digest 24.77 |
List-Id: | RISKS <risks.csl.sri.com> |
List-Unsubscribe: | <http://lists.csl.sri.com/mailman/listinfo/risks>, |
<mailto:risks-request@csl.sri.com?subject=unsubscribe> | |
List-Post: | <mailto:risks@csl.sri.com> |
List-Help: | <mailto:risks-request@csl.sri.com?subject=help> |
List-Subscribe: | <http://lists.csl.sri.com/mailman/listinfo/risks>, |
<mailto:risks-request@csl.sri.com?subject=subscribe> | |
Sender: | risks-bounces+dds=aueb.gr@csl.sri.com |
Errors-To: | risks-bounces+dds=aueb.gr@csl.sri.com |
RISKS-LIST: Risks-Forum Digest Friday 3 August 2007 Volume 24 : Issue 77 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/24.77.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Structural problems with the I-35W bridge span (PGN) Driver follows GPS when he should not (Erwan David) "Meteorology Police -- you're BUSTED!" (Annie Johnson via Paul Saffo) Hacked passport crashes RFID readers (Jeff Jonas) IRS computer security/privacy problems (PGN) User-hostile behavior (Steve Summit) Location-Based Dictionary Attacks (Diomidis Spinellis) Amazon chasing 2-cent Web services bill (Martin Redington) Windows Live Messenger blocking even more completely innocuous text (Cody Boisclair) Re: Accuracy of Hawkeye at Wimbledon (Paul Wallich) Fraudproof voting protocols from scientists (Warren Smith) REVIEW: "Implementing ITIL", Randy A. Steinberg (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- [...] ------------------------------ Date: Thu, 02 Aug 2007 10:08:29 +0300 From: Diomidis Spinellis <dds@aueb.gr> Subject: Location-Based Dictionary Attacks I get daily security reports from the hosts I manage. Typically these contain invalid user attempts for users like guest, www, and root. (Although FreeBSD doesn't allow remote logins for root, I was surprised to find out that many Linux distributions allow them.) Today's log surprised me, because it contained only Greek names. Here is an excerpt from the log. Aug 1 00:19:42 istlab sshd[22137]: Invalid user achaikos from 210.17.252.20 Aug 1 00:19:45 istlab sshd[22191]: Invalid user achilleus from 210.17.252.20 Aug 1 00:19:48 istlab sshd[22218]: Invalid user actaeon from 210.17.252.20 Aug 1 00:19:51 istlab sshd[22244]: Invalid user acteon from 210.17.252.20 Aug 1 00:19:55 istlab sshd[22279]: Invalid user adelpha from 210.17.252.20 Aug 1 00:19:58 istlab sshd[22302]: Invalid user adelphe from 210.17.252.20 Aug 1 00:20:01 istlab sshd[22321]: Invalid user adelphie from 210.17.252.20 Aug 1 00:20:04 istlab sshd[22353]: Invalid user adonia from 210.17.252.20 Aug 1 00:20:08 istlab sshd[22387]: Invalid user adonis from 210.17.252.20 Aug 1 00:20:11 istlab sshd[22400]: Invalid user adrasteia from 210.17.252.20 Aug 1 00:20:14 istlab sshd[22417]: Invalid user adrastos from 210.17.252.20 The attack to this host (which is based in Athens, Greece) came from a Hong-Kong-based machine, and the list contained many exotic Greek names while also missing many common ones. Therefore, I doubt that this was a local attack. A Google search revealed that the name list was obtained by merging male Greek names and female Greek names from http://www.20000-names.com. Most probably an attack tool contains lists of names for specific countries (the same site also provides, African, Chinese, English, French, German, Hebrew, Irish, Italian, Japanese, Polish, Spanish, and Welsh names). The tool also maps the IP address of the host it attacks to a specific country, for instance, through the geolocation data of the IP-to-Country databases http://ip-to-country.webhosting.info/. Finally, the attack tool uses the country-specific list for trying to log in to those accounts. Attackers seem to be getting more sophisticated with every passing day. Diomidis Spinellis - http://www.spinellis.gr ------------------------------ [...] ------------------------------ End of RISKS-FORUM Digest 24.77 ************************