Re: [cobalt-security] user name = user
- Subject: Re: [cobalt-security] user name = user
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Mon, 23 Jul 2001 14:59:45 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
"Malcolm Wild" <cobaltsec@xxxxxxxxxxx> wrote:
> 1 - the autoresponder on RaQs has a From: email address of
> USERNAME@xxxxxxxxxxxxxx - yet just guess the password!
> 2 - what is the admin user account on every RaQ - err admin - no guessing
> required
> 3 - if any user has shell access /etc/passwd is rw-r-r so they can read
> all the usernames anyway
>
> the only real fix is to ensure your clients use decent 8-character
> passwords and change them often.
Not allowing clients to access the GUI can go a long way too. <grin>
Perhaps that isn't a viable option for most of you, but it is for some. I
haven't looked at the code responsible for generating users, but I'm sure
it's quite trivial to build a text file of restricted usernames and hack
Cobalt's code to deny creation of usernames that match any from that list.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
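The restricted-username file Steve describes, as an added example that is not Cobalt's code or anything from this thread. It assumes a plain-text deny list (one name per line, "#" comments allowed), reads existing accounts from /etc/passwd-format text so a new name cannot collide with a system or existing account, and applies an assumed local naming policy; the deny list and passwd excerpt below are constructed samples.

```python
"""Deny creation of guessable or colliding account names.

Added example, not Cobalt's GUI code. Assumptions: a deny list kept in a
text file (one name per line, '#' comments), existing accounts read from
/etc/passwd-format text, and a local naming policy (NAME_RE) that is an
assumption, not a RaQ rule. All sample data here is constructed.
"""
import re

# Constructed deny list: the well-known RaQ accounts from the thread plus
# names an attacker would try first.
RESTRICTED_TEXT = """\
# reserved / easily guessed account names
admin
root
user
test
guest
webmaster
"""

# Constructed /etc/passwd excerpt (shadow-style 'x', no real hashes).
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
admin:x:100:100:Cobalt admin:/home/admin:/bin/bash
bob:x:501:501:Bob:/home/sites/site1/users/bob:/bin/bash
"""

# Assumed policy: 2-16 chars, lowercase letters/digits/_/-, starts with a
# letter. This also keeps ':' and whitespace out of passwd entries.
NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{1,15}$")


def load_restricted(text):
    """Parse the deny-list file format into a set of lowercase names."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            names.add(line.lower())
    return names


def load_existing(passwd_text):
    """Collect login names (first ':' field) from passwd-format text."""
    names = set()
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        names.add(line.split(":", 1)[0].lower())
    return names


def username_allowed(candidate, restricted, existing):
    """Return (True, "") if creation may proceed, else (False, reason).

    Matching is case-insensitive so 'Admin' cannot slip past 'admin'.
    """
    name = candidate.strip().lower()
    if not NAME_RE.match(name):
        return False, "invalid format"
    if name in restricted:
        return False, "restricted name"
    if name in existing:
        return False, "already exists"
    return True, ""


def check_many(candidates, restricted_text=RESTRICTED_TEXT, passwd_text=PASSWD_TEXT):
    """Evaluate several requested names against the same lists."""
    restricted = load_restricted(restricted_text)
    existing = load_existing(passwd_text)
    return {c: username_allowed(c, restricted, existing) for c in candidates}


if __name__ == "__main__":
    results = check_many(["Admin", "user", "bob", "alice", "Al ice", "x"])
    for name, (ok, why) in results.items():
        print(f"{name!r}: {'allowed' if ok else 'denied (' + why + ')'}")
```

Hooking this in front of the GUI's account-creation step is the part that depends on the RaQ code itself; the check is deliberately read-only so it can also be run on its own against a real deny list and a copy of /etc/passwd.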