Subject: Re: security/2075
To: Elad Efrat <elad@NetBSD.org>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 08/14/2005 14:24:06

In message <42FF84D9.6050209@NetBSD.org>, Elad Efrat writes:
>4. An attacker trying to brute-force an account password (with or
> without a master.passwd), let alone the root password, is very
> uncommon; I believe the majority, if not all, of inexperienced
> attackers today will attempt to run their arsenal of exploits on a
> target system.
> Experienced attackers will attempt their *private* arsenal of
> exploits on a target system. :)

This is not correct. There are exploits in the wild that try
password-guessing attacks via ssh. In fact, the attack is quite common.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb