CERT^® Advisory CA-1991-03 Unauthorized Password Change Requests Via Mail Messages

A complete revision history is at the end of this file.

I. Description

These mail messages can be made to look as if they have been sent from a site administrator or root. In reality, they may have been sent by an individual at a remote site, who is trying to gain access to the local machine via the user's account.

Several variations of these mail messages are circulating via the Internet community. We are including one such example at the end of this advisory.

II. Impact

II. Solution

1. Any user receiving such a message should verify its authenticity with his/her system administrator before acting on the instructions within the mail message. If a user has changed his/her password per the instructions, he/she should immediately change it again to a secure password and alert his/her system administrator.

2. System administrators should check with their user communities to ensure that no user has changed his/her password in response to one of these mail messages. If this has occurred, immediately have the password changed again. Further, the system should be carefully examined for damage, or changes that may have been caused by the intruder. We also ask that you please contact the CERT/CC.

3. The CERT/CC recommends that system administrators NEVER mail such a request to a user. That is, NEVER send a request for a password change to a user and also specify the new password that should be used.

:

{mail header which may or may not be local} 

:

Because of security faults, we request that you change your password to "systest001". This change is MANDATORY and should be done IMMEDIATLY. You can make this change by typing "passwd" at the shell prompt. Then, follow the directions from there on.

Again, this change should be done IMMEDIATLY. We will inform you when to change your password back to normal, which should not be longer than ten minutes.

Thank you for your cooperation,

The system administration (root)

END OF SAMPLE MAIL MESSAGE

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 1991 Carnegie Mellon University.

September 18,1997  Attached Copyright Statement