Original issue date: April 18, 1991<BR>
Last revised: September 18, 1997<BR>
Attached copyright statement
<P>A complete revision history is at the end of this file.
<H2>I. Description</H2>
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received several incident reports concerning users receiving requests
to take an action that results in the capturing of their password. The
request could come in the form of an e-mail message, a broadcast, or a
telephone call. The latest ploy instructs the user to run a "test"
program, previously installed by the intruder, which will prompt the
user for his or her password. When the user executes the program, the
user's name and password are e-mailed to a remote site. We are
including an example message at the end of this advisory.
<P>These messages can appear to be from a site administrator or root. In
reality, they may have been sent by an individual at a remote site, who
is trying to gain access or additional access to the local machine via
the user's account.
<P>While this advisory may seem very trivial to some experienced users,
the fact remains that MANY users have fallen for these tricks (refer to
CERT Advisory CA-91.03).
<H2>II. Impact</H2>
An intruder can gain access to a system through the unauthorized use of
the (possibly privileged) accounts whose passwords have been
compromised. This problem could affect all systems, not just UNIX
systems or systems on the Internet.
<H2>III. Solution</H2>
The CERT/CC recommends the following actions:
<OL><LI>
Any users receiving such a request should verify its authenticity
with their system administrator before acting on the instructions
within the message. If a user has received this type of
request and actually entered a password, he/she should immediately
change his/her password to a new one and alert the system
administrator.
<LI><P>System administrators should check with their user communities
to ensure that no user has followed the instructions in such
a message. Further, the system should be carefully examined for
damage or changes that the intruder may have caused. We also
ask that you contact the CERT/CC.
<LI><P>The CERT/CC urges system administrators to educate their users
so that they will not fall prey to such tricks.
</OL>
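As an added example (not part of the CERT advisory), the following shell function supports step 2 above: it looks through a directory such as /tmp, the location used in the sample message, for executable files that resemble the "test" program described, that is, files that carry a password prompt and a reference to mail. The directory default and the keyword heuristic are assumptions; the output only points an administrator at files worth inspecting by hand.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory. Audits a directory (default
# /tmp, assumed from the sample message) for executable files that resemble
# the password-capturing "test" program: they contain a password prompt and a
# reference to mail. The keyword heuristic is an assumption and only selects
# candidates for manual review.

audit_tmp_dir() {
    dir="${1:-/tmp}"
    suspects=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        # Keep regular files with an execute bit; an unmatched glob stays a
        # literal pattern, which the -f test rejects.
        [ -f "$f" ] && [ -x "$f" ] || continue
        owner=$(ls -ld "$f" | awk '{print $3}')
        # -a scans binaries as text, so strings in compiled programs count too.
        if grep -aqi 'password' "$f" && grep -aqi 'mail' "$f"; then
            echo "SUSPECT: $f owner=$owner (password prompt plus mail reference)"
            suspects=$((suspects + 1))
        else
            echo "exec:    $f owner=$owner"
        fi
    done
    echo "suspect_count=$suspects"
}
```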
<HR>
<STRONG>SAMPLE MESSAGE as received by the CERT (including spelling errors,
etc.)</STRONG>
<P>OmniCore is experimenting in online - high resolution graphics
display on the UNIX BSD 4.3 system and it's derivitaves. But, we
need you're help in testing our new product - TurboTetris.
So, if you are not to busy, please try out the ttetris game in your
machine's /tmp directory. just type:
<PRE>
/tmp/ttetris
</PRE>
Because of the graphics handling and screen-reinitialazation, you will
be prompted to log on again. Please do so, and use your real password.
Thanks you for your support. You'll be hearing from us soon!
<P>OmniCore
<P>
<STRONG>END OF SAMPLE MESSAGE</STRONG>
<P>Copyright 1991 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
September 18, 1997 Attached Copyright Statement
</PRE>