
Re: [cobalt-security] user name = user

"Malcolm Wild" <cobaltsec@xxxxxxxxxxx> wrote:
> 1 - the autoresponder on raqs has a from email address of
> USERNAME@xxxxxxxxxxxxxx - yet just guess the password!
> 2 - what is the admin user account on every RaQ - err admin - no guessing
> required
> 3 - if any user has shell access /etc/passwd is rw-r-r so they can read all
> the usernames anyway
>
> the only real fix is to ensure your clients use decent 8 character
> passwords and change them often.

Not allowing clients to access the GUI can go a long way too.  <grin>
Perhaps that isn't a viable option for most of you, but it is for some.  I
haven't looked at the code responsible for generating users, but I'm sure
it's quite trivial to build a text file of restricted usernames and hack
Cobalt's code to deny creation of usernames that match any from that list.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
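One way to implement the restricted-username list Steve describes, combined with the 8-character password rule from the quoted message, as an added example that is not Cobalt's code or either poster's. The denylist text and the username format rule are constructed for the example; a real deployment would read the list from a file.

```python
import re

# Constructed sample denylist in the "text file of restricted usernames"
# form suggested above. A real deployment would read this from a file
# (path is site-specific; none is assumed here).
RESTRICTED_USERNAMES_TEXT = """\
# one username per line; blank lines and comments are ignored
admin
root
postmaster
webmaster
"""


def load_restricted(text):
    """Parse the denylist: drop comments and blanks, compare case-insensitively."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.lower())
    return names


def validate_account(username, password, restricted):
    """Return the list of reasons to refuse the account; empty list means accept.

    Checks, in order: username syntax (assumed rule: 1-16 chars, lowercase
    letter first), reserved username, minimum 8-character password, and
    password identical to the username.
    """
    problems = []
    if not re.fullmatch(r"[a-z][a-z0-9_-]{0,15}", username):
        problems.append("username must be 1-16 chars, lowercase letter first")
    if username.lower() in restricted:
        problems.append("username is reserved")
    if len(password) < 8:
        problems.append("password shorter than 8 characters")
    if password.lower() == username.lower():
        problems.append("password equals username")
    return problems


if __name__ == "__main__":
    reserved = load_restricted(RESTRICTED_USERNAMES_TEXT)
    for user, pw in [("admin", "S3cretPw!"), ("bob", "bob"), ("bob", "Tr0ub4dor!x")]:
        print(user, "->", validate_account(user, pw, reserved) or "ok")
```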