_____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                         Information Bulletin

April 4, 1991, 1630 PST                                     Number B-22

          Attempts by Network Intruders to Obtain Passwords

_______________________________________________________________________
PROBLEM:   Network intruders are sending bogus e-mail messages or
   calling users, instructing them to change or supply their password.
PLATFORM:   Computers connected to the Internet 
DAMAGE:   May allow unauthorized access to user accounts.
SOLUTIONS: Inform users to contact site authorities in case of such
   attempts; do not comply with any such requests without appropriate
   verification.  
______________________________________________________________________
       Critical Information about Attempts to Obtain Passwords

We have received numerous reports that network intruders have recently
been attempting to deceive  Internet users into supplying their
passwords.  These intruders are using the passwords obtained to gain
unauthorized access to systems.  The two patterns used by these
intruders include sending bogus e-mail messages instructing users to
change passwords to a designated password (known by the intruders), and
calling users and instructing them to reveal their password:

1.      A bogus electronic mail message instructs users of UNIX systems
to change their password to a new password supplied in the mail
message.  Although these messages appear to originate from the local
root account, they usually originate from a remote machine used by the
sender.  If a user follows the instructions given in the mail
message, the intruder is able to gain unauthorized access to the user's
account from a remote location.

Several variations of these e-mail messages have been observed.  One
such example follows:

Sample Bogus Electronic Mail Message (includes grammatical and spelling errors) 

  {Header, which may or may not appear to originate locally}

From: root
To: user
Subject: 

This is the system administration:

     Because of security faults, we request that you change your password
     to "systest001". This change is MANDATORY and should be done IMMEDIATLY.
     You can make this change by typing "passwd" at the shell prompt. Then,
     follow the directions from there on.

     Again, this change should be done IMMEDIATLY. We will inform you when
     to change your password back to normal, which should not be longer than
     ten minutes.

                Thank you for your cooperation,

                 The system administration (root)

- ------------------ End of Bogus Electronic Mail Message -----------------------

There is currently no practical method to prevent delivery of these
bogus messages.  It is important, therefore, for users to understand
that messages received via electronic mail are not necessarily from the
identified sender, and that they should phone or personally contact
their system manager and/or site security officer immediately after
receiving such a request.

2.      Network intruders have been telephoning users and system
managers, masquerading as computer security officers or maintenance
personnel.   These intruders typically invent a story about a serious
problem with a user's system or account.  The intruder then asks (or
demands) the user's password immediately for the alleged purpose of
fixing this problem.  Again, it is important for users to understand
this threat, and to directly contact the appropriate authority at your
site immediately after receiving such a phone call.

Should either of the above attempts to compromise systems be observed
at your site, please also contact CIAC to assist us in tracking the
current rash of network intrusions.

For additional information or assistance, please contact CIAC:   
 
  Tom Longstaff
  (415) 423-4416 or (FTS) 543-4416
        longstaf@cheetah.llnl.gov

  During working hours call CIAC at (415) 422-8193 or (FTS)
  532-8193 or send e-mail to ciac@cheetah.llnl.gov.  

  Send FAX messages to:  (415) 423-0913 or (FTS) 543-0913.

Several anonymous users and CERT/CC; provided part of the information
contained in this bulletin.  This document was prepared as an account
of work sponsored by an agency of the United States Government. Neither
the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.