home *** CD-ROM | disk | FTP | other *** search
-
- -----BEGIN PGP SIGNED MESSAGE-----
-
- - ---------------------------------------------------------------------------
- CA-91:03 CERT Advisory
- April 4, 1991
- Unauthorized Password Change Requests
- Via Mail Messages
-
- - ---------------------------------------------------------------------------
-
- DESCRIPTION:
-
- The Computer Emergency Response Team/Coordination Center (CERT/CC) has
- received a number of incident reports concerning the receipt of mail
- instructing the user to immediately change his/her password. The user
- is further instructed to change the password to one that is specified in
- the mail message.
-
- These mail messages can be made to look as if they have been sent from
- a site administrator or root. In reality, they may have been sent by
- an individual at a remote site, who is trying to gain access to the
- local machine via the user's account.
-
- Several variations of these mail messages are circulating via the Internet
- community. We are including one such example at the end of this
- advisory.
-
-
- IMPACT:
-
- An intruder can gain access to a system through the unauthorized
- use of the (possibly privileged) accounts whose passwords have been
- changed.
-
-
- SOLUTION:
-
- The CERT/CC recommends the following actions:
-
- 1) Any user receiving such a message should verify its authenticity
- with his/her system administrator before acting on the instructions
- within the mail message. If a user has changed his/her password
- per the instructions, he/she should immediately change it again
- to a secure password and alert his/her system administrator.
-
- 2) System administrators should check with their user communities
- to ensure that no user has changed his/her password in response to
- one of these mail messages. If this has occurred, immediately
- have the password changed again. Further, the system should be
- carefully examined for damage, or changes that may have been
- caused by the intruder. We also ask that you please contact the
- CERT/CC.
-
- 3) The CERT/CC recommends that system administrators NEVER mail
- such a request to a user. That is, NEVER send a request for
- a password change to a user and also specify the new password
- that should be used.
-
-
- - ---------------------------------------------------------------------------
- SAMPLE MAIL MESSAGE as received by the CERT (including spelling errors, etc.)
-
- :
-
- {mail header which may or may not be local}
-
- :
-
- This is the system administration:
-
- Because of security faults, we request that you change your password
- to "systest001". This change is MANDATORY and should be done IMMEDIATLY.
- You can make this change by typing "passwd" at the shell prompt. Then,
- follow the directions from there on.
-
- Again, this change should be done IMMEDIATLY. We will inform you when
- to change your password back to normal, which should not be longer than
- ten minutes.
-
- Thank you for your cooperation,
-
- The system administration (root)
-
-
- END OF SAMPLE MAIL MESSAGE
- - ---------------------------------------------------------------------------
-
-
- If you believe that your system has been compromised, contact CERT/CC via
- telephone or e-mail.
-
- Computer Emergency Response Team/Coordination Center (CERT/CC)
- Software Engineering Institute
- Carnegie Mellon University
- Pittsburgh, PA 15213-3890
-
- Internet E-mail: cert@cert.org
- Telephone: 412-268-7090 24-hour hotline:
- CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,
- on call for emergencies during other hours.
-
- Past advisories and other computer security related information are available
- for anonymous ftp from the cert.org (192.88.209.5) system.
-
-
- -----BEGIN PGP SIGNATURE-----
- Version: 2.6.2
-
- iQCVAwUBMaMwn3VP+x0t4w7BAQE5CAP/XFKumpW9wbKxiqmM4IpS6dqBVlNhjzKh
- ILqZlyseADqS7kgVtaFBsFyroJyLlI4f0VUt++EOO3Wv6E6rUOtgCJ6VAG4s4daQ
- cqYXU1agGecnMbgRjockG26haPR0+zyBxMOSRMNzFldRSMZPkCTUzwZ2HrTqY3ij
- 9Oy+do2gjpA=
- =Ykkw
- -----END PGP SIGNATURE-----
-
-
