***********************************************************************
DDN Security Bulletin 9104       DCA DDN Defense Communications System
5 APR 91                Published by: DDN Security Coordination Center
                                     (SCC@NIC.DDN.MIL)  (800) 235-3155

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN  SECURITY BULLETIN  is distributed  by the  DDN SCC  (Security
Coordination Center) under  DCA contract as  a means of  communicating
information on network and host security exposures, fixes, &  concerns
to security & management personnel at DDN facilities.  Back issues may
be  obtained  via  FTP  (or  Kermit)  from  NIC.DDN.MIL  [192.67.67.20]
using login="anonymous" and password="guest".  The bulletin pathname is
SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001).
**********************************************************************

                   Unauthorized Password Change Requests
                            Via Mail Messages


+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important  advisory was  issued by the Computer     !
!     Emergency Response Team (CERT)  and is being relayed unedited     !
!     via the Defense Communications Agency's Security Coordination     !
!     Center  distribution  system  as a  means  of  providing  DDN     !
!     subscribers with useful security information.                     !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

CA-91:03                       CERT Advisory
                               April 4, 1991
                    Unauthorized Password Change Requests
                             Via Mail Messages

---------------------------------------------------------------------------

DESCRIPTION:

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received a number of incident reports concerning the receipt of mail
instructing the user to immediately change his/her password.  The user
is further instructed to change the password to one that is specified in
the mail message. 

These mail messages can be made to look as if they have been sent from
a site administrator or root.  In reality, they may have been sent by 
an individual at a remote site, who is trying to gain access to the 
local machine via the user's account.

Several variations of these mail messages are circulating via the Internet 
community.  We are including one such example at the end of this
advisory.


IMPACT:

An intruder can gain access to a system through the unauthorized
use of the (possibly privileged) accounts whose passwords have been 
changed.


SOLUTION:

The CERT/CC recommends the following actions:

    1)  Any user receiving such a message should verify its authenticity
        with his/her system administrator before acting on the instructions
        within the mail message.  If a user has changed his/her password
        per the instructions, he/she should immediately change it again 
        to a secure password and alert his/her system administrator.

    2)  System administrators should check with their user communities
        to ensure that no user has changed his/her password in response to
        one of these mail messages.  If this has occurred, immediately
        have the password changed again.  Further, the system should be
        carefully examined for damage, or changes that may have been
        caused by the intruder.  We also ask that you please contact the
	CERT/CC.

    3)  The CERT/CC recommends that system administrators NEVER mail
        such a request to a user.  That is, NEVER send a request for
        a password change to a user and also specify the new password
        that should be used. 


---------------------------------------------------------------------------
SAMPLE MAIL MESSAGE as received by the CERT (including spelling errors, etc.)

    :

  {mail header which may or may not be local} 

    :

This is the system administration:

     Because of security faults, we request that you change your password
     to "systest001". This change is MANDATORY and should be done IMMEDIATLY.
     You can make this change by typing "passwd" at the shell prompt. Then,
     follow the directions from there on.

     Again, this change should be done IMMEDIATLY. We will inform you when
     to change your password back to normal, which should not be longer than
     ten minutes.

                Thank you for your cooperation,

                 The system administration (root)


END OF SAMPLE MAIL MESSAGE
---------------------------------------------------------------------------


If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline:
           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,
           on call for emergencies during other hours.

Past advisories and other computer security related information are available
for anonymous ftp from the cert.sei.cmu.edu (128.237.253.5) system.