From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 20-OCT-1989 11:24
To: MRGATE::"ARISIA::EVERHART"
Subj: furtherto: worm and password practise.

Received: From UGW.UTCS.UTORONTO.CA by CRVAX.SRI.COM with TCP; Fri, 20 OCT 89 07:27:41 PDT
Received: from UTORMED (stdin) by ugw.utcs.utoronto.ca with BSMTP id 57673; Fri, 20 Oct 89 10:22:57 EDT
Date: Fri, 20 Oct 89 10:23:00 EDT
From: James MacEwan
Subject: furtherto: worm and password practise.
To: info-vax@sri.COM
X-Vms-To: INFOVAX
Message-Id: <89Oct20.102257edt.57673@ugw.utcs.utoronto.ca>

> Subj: Re: password security and worms
>
> In article <2257@ddnvx1.afwl.af.mil>, RIDOUT@ddnvx1.afwl.af.mil (Brian Ridout
> AFWL/SCEV (av) 244-1654 (505) 844-1654) writes:
>
> > password practice. So I would like to check the UAF for obvious passwords
> > such as password is the username. This is to protect our site from
> > worms such as the "WANK". Does anyone have a program to do this sort of
> > thing? I didn't see it in our DECUS tapes. Please let me know where to
> > find it.
> > Thanks
> > Brian
>
> Brian,
>
> Look again!!!!! Spring VAX SIG tape in the saveset VAX89A2.
> Directory [VAX89A2.NIELAND.CHECKPASS] should be what you are looking for.
>
> --
> Earle Ake
> Science Applications International Corporation - Dayton, Ohio
> Internet: dayvb!fac2@uunet.uu.net uucp: uunet!dayvb!fac2
> ------------------------------------------------------------------------------

Earle and Brian (and the world at large),

I may be like other folk who have no hope of ever convincing my boss to get DECUS tapes, so things like CHECKPASS are beyond my reach. If there is demand, would it be possible for someone to post a copy of this program to INFO-VAX? If there is not demand, could you (Earle or Brian) send me a copy directly?
(addresses given below)

FYI: I did the following to check if username=password for every account on my machine, which people with smaller numbers of users in the UAF might find useful:

I created a com file to read in every user name from SYS$SYSTEM:SYSUAF.LIS and write out a file of the form

    $set host 0
    FRED
    FRED
    JOE
    JOE
    SAM
    SAM
    $set host 0
    ...

where FRED, JOE and SAM are usernames pulled from the SYSUAF.LIS.

Since this runs on one terminal (typically RTA1), eventually my security provisions lock out the terminal as being broken into. The security alarms echo in the security output (typically to the console) the username and password for the attempted breakin. IF THE PASSWORD IS VALID THE PASSWORD IS NOT OUTPUT BUT THE WORD "" IS!!!!

A review of the security output will indicate if you are vulnerable to such a simple breakin attempt. I actually found an account that had username=password!!!! (Hard to believe that it could happen to me, and it was a systems person who had done it!!)

James MacEwan.

medac1::macewan on University of Toronto DECnet
macewan@utormed on BITNET
macewan@medac3.utoronto.ca or macewan@medac1.utoronto.ca on Internet

Disclaimer: If you believe that you can eat the fish from Lake Ontario, then you might as well believe the preceding.