|
Original issue date: April 18, 1991<BR> Last revised: September 18, 1997<BR> Attached copyright statement <P>A complete revision history is at the end of this file. <H2>I. Description</H2> The Computer Emergency Response Team/Coordination Center (CERT/CC) has received several incident reports concerning users receiving requests to take an action that results in the capturing of their password. The request could come in the form of an e-mail message, a broadcast, or a telephone call. The latest ploy instructs the user to run a "test" program, previously installed by the intruder, which will prompt the user for his or her password. When the user executes the program, the user's name and password are e-mailed to a remote site. We are including an example message at the end of this advisory. <P>These messages can appear to be from a site administrator or root. In reality, they may have been sent by an individual at a remote site, who is trying to gain access or additional access to the local machine via the user's account. <P>While this advisory may seem very trivial to some experienced users, the fact remains that MANY users have fallen for these tricks (refer to CERT Advisory CA-91.03). <H2>II. Impact</H2> An intruder can gain access to a system through the unauthorized use of the (possibly privileged) accounts whose passwords have been compromised. This problem could affect all systems, not just UNIX systems or systems on the Internet. <H2>III. Solution</H2> The CERT/CC recommends the following actions: <OL><LI> Any users receiving such a request should verify its authenticity with their system administrator before acting on the instructions within the message. If a user has received this type of request and actually entered a password, he/she should immediately change his/her password to a new one and alert the system administrator. <LI><P>System administrators should check with their user communities to ensure that no user has followed the instructions in such a message. Further, the system should be carefully examined for damage or changes that the intruder may have caused. We also ask that you contact the CERT/CC. <LI><P>The CERT/CC urges system administrators to educate their users so that they will not fall prey to such tricks. </OL> <HR> <STRONG>SAMPLE MESSAGE as received by the CERT (including spelling errors, etc.)</STRONG> <P>OmniCore is experimenting in online - high resolution graphics display on the UNIX BSD 4.3 system and it's derivitaves. But, we need you're help in testing our new product - TurboTetris. So, if you are not to busy, please try out the ttetris game in your machine's /tmp directory. just type: <PRE> /tmp/ttetris </PRE> Because of the graphics handling and screen-reinitialazation, you will be prompted to log on again. Please do so, and use your real password. Thanks you for your support. You'll be hearing from us soon! <P>OmniCore <P> <STRONG>END OF SAMPLE MESSAGE</STRONG> <!--#include virtual="/include/footer_nocopyright.html" --> <P>Copyright 1991 Carnegie Mellon University.</P> <HR> Revision History <PRE> September 18,1997 Attached Copyright Statement </PRE> |