The "Hail Mary Cloud" Is Growing (102 comments)

Posted by Soulskill
from the like-a-zombie-chia-pet dept.
badger.foo writes "The Australian rickrolling of jailbroken iPhones only goes to prove that bad passwords are bad for you, Peter Hansteen points out, as he reports on the further exploits of the password-guessing Hail Mary Cloud (which we've discussed in the past). The article contains log data that could indicate that the cloud of distributed, password-guessing hosts is growing. 'With 1767 hosts in the current sample it is likely that we have a cloud of at least several thousand, and most likely no single guessing host in the cloud ever gets around to contacting every host in the target list. The busier your SSH daemon is with normal traffic, the harder it will be to detect the footprint of Hail Mary activity, and likely a lot of this goes undetected.'"
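The summary's point is that a distributed cloud stays under the per-host thresholds that tools like DenyHosts key on, so the footprint only shows up when you aggregate across sources. The script below is an added illustration and is not code from Hansteen's article or from anyone in this discussion. It assumes OpenSSH's default syslog wording ("Failed password for ... from ... port ..."), the log sample is constructed rather than real, and the thresholds (5 attempts per source, 10 quiet sources, 80% alphabetical ordering) are illustrative. It goes slightly beyond the summary by contrasting the per-source rule with the cloud-wide view on the same input.

```python
"""Spot distributed, low-rate SSH password guessing in sshd log lines.

Added example (not from the article or the discussion). Assumes OpenSSH's
default syslog wording and a constructed log sample; thresholds are illustrative.
"""
import re
from collections import Counter
from datetime import datetime

# Matches both "Failed password for invalid user X" and "Failed password for root".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(lines, year=2009):
    """Return [(timestamp, user, source_ip)] for each failed-password line.
    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, "Invalid user" notices, etc. are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def per_source_offenders(events, threshold):
    """The classic per-host rule (DenyHosts-style): sources whose own failure
    count reaches the threshold. A Hail Mary member never gets here."""
    counts = Counter(ip for _, _, ip in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_guessing_signal(events, per_source_threshold, min_sources=10):
    """Aggregate over the sources that stayed *below* the per-host threshold.

    Signal: many distinct quiet sources, and usernames that advance
    alphabetically in time order, the way a cloud walking one shared list does.
    Treat it as a hint to investigate, not proof: a busy server's ordinary
    typos and scattered scanners blur the ordering fraction."""
    counts = Counter(ip for _, _, ip in events)
    quiet = {ip for ip, n in counts.items() if n < per_source_threshold}
    quiet_events = sorted(e for e in events if e[2] in quiet)  # chronological
    users = [u for _, u, _ in quiet_events]
    ordered = sum(1 for a, b in zip(users, users[1:]) if b >= a)
    ordered_fraction = ordered / max(len(users) - 1, 1)
    return {
        "quiet_sources": len(quiet),
        "attempts_from_quiet_sources": len(quiet_events),
        "distinct_users": len(set(users)),
        "ordered_fraction": round(ordered_fraction, 2),
        "suspect": len(quiet) >= min_sources and ordered_fraction >= 0.8,
    }


def build_sample():
    """Constructed sshd lines (not real data): one noisy single-host brute
    forcer, plus twelve cloud members that each try two names, alphabetically."""
    cloud_ips = [f"198.51.100.{n}" for n in range(1, 13)]
    names = ["aaron", "abel", "adam", "admin", "adrian", "alan", "albert",
             "alex", "alfred", "alice", "amanda", "amy", "andrea", "andrew",
             "andy", "angela", "anna", "anthony", "apache", "april",
             "arthur", "ashley", "austin", "backup"]
    lines = ["Nov 15 11:58:12 gw sshd[2001]: Accepted publickey for peter "
             "from 192.0.2.5 port 52110 ssh2"]
    for i, name in enumerate(names):
        minute = 12 * 60 + 7 * i  # one attempt roughly every seven minutes
        lines.append(
            f"Nov 15 {minute // 60:02d}:{minute % 60:02d}:{(i * 13) % 60:02d} gw "
            f"sshd[{3000 + i}]: Failed password for invalid user {name} "
            f"from {cloud_ips[i % len(cloud_ips)]} port {40000 + i} ssh2")
    for k in range(8):  # the loud host: eight root attempts within seconds
        lines.append(f"Nov 15 13:00:{k:02d} gw sshd[{4000 + k}]: Failed password "
                     f"for root from 203.0.113.7 port {50000 + k} ssh2")
    return lines


if __name__ == "__main__":
    evs = parse_failed_logins(build_sample())
    print("per-source rule catches:", per_source_offenders(evs, threshold=5))
    print("cloud-wide view:", distributed_guessing_signal(evs, per_source_threshold=5))
```

On the constructed sample the per-source rule flags only 203.0.113.7, while the twelve cloud members (two attempts each) are invisible to it; the aggregate view reports twelve quiet sources walking twenty-four names in strict alphabetical order. Correlating the same username sequence across several servers' logs, as Hansteen does, strengthens the signal further.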
  • Re:Denyhosts (Score:2, Insightful)

    by turtleshadow (180842) on Sunday November 15, 2009 @12:51PM (#30106872) Homepage

    The article noted that this is a vulnerability for cracked smartphones with ssh installed, where the user will likely not even know that it opens up such a vulnerability on their cell.

    I think that this is more serious for wi-fi and bluetooth enabled devices, as the data charge is circumvented, making it even harder to detect?

    I'd hate to start streaming my smartphone's logs back to my IDS. Brute force is not a new reality, but the environment is very precarious, as the smartphone does a lot now but may not "do" enough to protect its own resources from attack.

  • by FunPika (1551249) on Sunday November 15, 2009 @01:26PM (#30107172) Journal

    (or make lawmakers force them to)

    I can't wait for the day that Congress passes a law to the effect of "If malware causes your computer to do something illegal, you will be held responsible for said illegal activities in court even if you can prove malware was the cause."

  • by Hurricane78 (562437) on Sunday November 15, 2009 @01:32PM (#30107230)

    s/cloud/network/

    There. Done it for ya. Was that so hard?

    We should make a Greasemonkey script out of it. :)

  • by zigziggityzoo (915650) on Sunday November 15, 2009 @01:42PM (#30107376)

    I changed SSH to a nonstandard port and reduced attempts by 95%. Then I started a whitelist (hosts.allow) for SSH. That took care of the rest.
  • Re:Denyhosts (Score:3, Insightful)

    by ToasterMonkey (467067) on Sunday November 15, 2009 @02:06PM (#30107606) Homepage

    all of whom should have a more sensible password policy.

    Why does a cellphone OS need a user authentication system in the first place? Maybe at the application level.. no, I can't see that either. Anyway, this phone has one, and it's not meant to be used this way. These things are not meant to have SSH running on them, and whoever released the SSH package for them is irresponsible for not taking that into account.
    It doesn't even need to authenticate using system methods; it could generate a random password at install, display it on screen, and do its own authentication. Maybe even offer to pop up an accept dialog before allowing access? Just a thought..

    Sorry, I just can't understand how the phone and users continue to be blamed because in free software land developers are void of any and all quality concerns. At some point.. not the developers involved, but "free software" is going to get the rap it deserves. It is what everyone makes it. Look after your own; if you see a free turd, call it a turd.

  • by Opportunist (166417) on Sunday November 15, 2009 @03:23PM (#30108464)

    This is pretty much what I fear will happen eventually. Right after we'll all be equipped with "trusted" computers that will only run what we want if we jailbreak them, which will not only void their warranty but also open us up to trains of thought such as: If you didn't jailbreak and thus could only run software approved by The Powers That Are, you would not be susceptible to malware (or if, TPTA would have to take responsibility) and are thus fully liable.

    Sounds far-fetched? Think about it. Outlawing jailbreaking will probably not really work out; even if it were outlawed, who cares (how do you want to prosecute it)? But locked-down devices that, in theory, cannot be harmful being spam chuckers will essentially mean you broke the lock. And then your lawmaker may choose: either he'll slap you for breaking the lock or, if he can't do that for some odd reason like a device that you own belonging to you, he will catch you with the angle that you're causing damage with it, and that can incur a hefty bill.

    Don't tell me it ain't possible. If you haven't been asleep for the last 10 years and you look at the way things have turned, it's anything but unlikely to become the next angle to ensure we only run what we're supposed to run.

    And if at all possible, I'd like to avoid giving anyone a reason to follow that train of thought.

  • by herojig (1625143) on Monday November 16, 2009 @12:38AM (#30112294) Homepage

    Dude, I totally agree with you. We are being channeled into systems that will not be under our full control, and doing anything about going down that path (other than willingly) is to be deemed unlawful. But I am not sure if freedom-loving individuals have any choice at this point...talking about it on /. is not going to change anything, other than providing a record of the dissent. So as they say here, "Ke Garne" or what to do?
