_____________________________________________________
      The Computer Incident Advisory Capability
          ___  __ __    _     ___
         /       |     / \   /
         \___  __|__  /___\  \___
_____________________________________________________
                Information Bulletin

April 4, 1991, 1630 PST                                    Number B-22

         Attempts by Network Intruders to Obtain Passwords
_______________________________________________________________________
PROBLEM:   Network intruders are sending bogus e-mail messages or
           calling users, instructing them to change or supply their
           password.
PLATFORM:  Computers connected to the Internet
DAMAGE:    May allow unauthorized access to user accounts.
SOLUTIONS: Inform users to contact site authorities in case of such
           attempts; do not comply with any such requests without
           appropriate verification.
______________________________________________________________________

      Critical Information about Attempts to Obtain Passwords

We have received numerous reports that network intruders have recently
been attempting to deceive Internet users into supplying their
passwords. These intruders are using the passwords obtained to gain
unauthorized access to systems. The two patterns used by these
intruders include sending bogus e-mail messages instructing users to
change passwords to a designated password (known by the intruders), and
calling users and instructing them to reveal their password:

1. A bogus electronic mail message instructs users of UNIX systems to
   change their password to a new password supplied in the mail
   message. Although these messages appear to originate from the local
   root account, they usually originate from a remote machine used by
   the sender. If a user follows the instructions given in the mail
   message, the intruder is able to gain unauthorized access to the
   user's account from a remote location. Several variations of these
   e-mail messages have been observed.
   One such example follows:

                Sample Bogus Electronic Mail Message
             (includes grammatical and spelling errors)

   {Header, which may or may not appear to originate locally}
   From: root
   To: user
   Subject: This is the system administration:

   Because of security faults, we request that you change your
   password to "systest001". This change is MANDATORY and should be
   done IMMEDIATLY. You can make this change by typing "passwd" at the
   shell prompt. Then, follow the directions from there on.

   Again, this change should be done IMMEDIATLY. We will inform you
   when to change your password back to normal, which should not be
   longer than ten minutes.

   Thank you for your cooperation,

   The system administration (root)

------------------ End of Bogus Electronic Mail Message ------------------

   There is currently no practical method to prevent delivery of these
   bogus messages. It is important, therefore, for users to understand
   that messages received via electronic mail are not necessarily from
   the identified sender, and that they should phone or personally
   contact their system manager and/or site security officer
   immediately after receiving such a request.

2. Network intruders have been telephoning users and system managers,
   masquerading as computer security officers or maintenance
   personnel. These intruders typically invent a story about a serious
   problem with a user's system or account. The intruder then asks (or
   demands) the user's password immediately for the alleged purpose of
   fixing this problem. Again, it is important for users to understand
   this threat, and to directly contact the appropriate authority at
   your site immediately after receiving such a phone call.

Should either of the above attempts to compromise systems be observed
at your site, please also contact CIAC to assist us in tracking the
current rash of network intrusions.
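Added example (not part of the original CIAC bulletin): a triage check
for the first pattern above, flagging mail that supplies a password to
set or that claims a privileged sender while a Received header names a
non-local host. The host names, the privileged-account list and both
sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_HOSTS = {"localhost", "mailhost.example.org"}  # assumption: this site's hosts
PRIVILEGED = {"root", "admin", "sysadmin"}           # assumption: impersonated accounts
# Narrow on purpose: an instruction to set the password to a quoted literal.
SUPPLIED_PW = re.compile(r'(?:change|set)\s+your\s+password\s+to\s+"([^"]+)"', re.I)

def remote_hops(msg):
    """Non-local hosts named in the 'from' clause of Received headers."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([^\s;()]+)", hdr)
        if m and m.group(1).lower() not in LOCAL_HOSTS:
            hops.append(m.group(1).lower())
    return hops

def triage(raw):
    """Return the list of indicators found in one raw message."""
    msg = message_from_string(raw)
    # Decode every non-container part so encoded bodies are searched too.
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart())
    findings = []
    if SUPPLIED_PW.search(body):
        findings.append("supplied-password")
    sender = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if sender in PRIVILEGED and remote_hops(msg):
        findings.append("privileged-sender-remote-origin")
    return findings

# Constructed samples; only the body wording of BOGUS comes from the bulletin.
BOGUS = """\
Received: from ws12.remote.example by mailhost.example.org; Thu, 4 Apr 1991 10:02:11 -0800
From: root
To: user
Subject: This is the system administration:

Because of security faults, we request that you change your password to
"systest001". This change is MANDATORY and should be done IMMEDIATLY.
"""
BENIGN = """\
Received: from localhost by mailhost.example.org; Thu, 4 Apr 1991 09:00:00 -0800
From: root
To: user
Subject: Scheduled downtime

The file server will be unavailable Saturday morning.
"""

if __name__ == "__main__":
    for name, raw in (("BOGUS", BOGUS), ("BENIGN", BENIGN)):
        print(name, triage(raw))
```

Headers can be made to look local, as the sample's header note says, so
an empty result does not replace the phone or in-person verification
described above.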
For additional information or assistance, please contact CIAC:

        Tom Longstaff
        (415) 423-4416 or (FTS) 543-4416
        longstaf@cheetah.llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@cheetah.llnl.gov.

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913.

Several anonymous users and CERT/CC provided part of the information
contained in this bulletin.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.