Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uwm.edu!rpi!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!ra!Ra.msstate.edu!lush
From: lush@EE.MsState.Edu (Edward Luke)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID:
Date: 21 Sep 90 13:36:25 GMT
References: <8354@helios.TAMU.EDU> <11133@galbp.LBP.HARRIS.COM>
Sender: usenet@ra.MsState.Edu
Distribution: usa
Organization: MSU NSF ERC for CFS
Lines: 24
In-reply-to: mhw@wittsend.syntrex.com's message of 20 Sep 90 15:13:57 GMT

In article <11133@galbp.LBP.HARRIS.COM> mhw@wittsend.syntrex.com (Michael H. Warfield (Mike)) writes:

> It is possible to "catch" passwords while they are being typed at a
>terminal, but this generally requires intimate knowledge of the system and
>often requires superuser privileges. A typical "trojan horse" attack would
>be to leave a dummy "login" program on the line to catch the next guy's login.
>You give him a bogus "Incorrect login" and drop out to let getty give him
>a legitimate shot at logging in. Normal system security for terminal devices
>and honest, diligent system administrators can prevent most of this or make it
>so difficult, it's not worth the effort.

Unfortunately this is not true. Trojan Horses are very easy to
implement, and they don't require super user access. All an evil
trojan horse writer would need is access to that terminal... Log in,
run a login program that looks identical to the normal login procedure.
This procedure would snarf up the passwd, tell the user "Sorry wrong
password", and then exit back to the real login procedure. If your
terminal is in a highly accessible location, a trojan horse is
certainly an option for obtaining passwords.

Edward Luke
lush@ee.msstate.edu
Mississippi State University
NSF Engineering Research Center for Complex Field Simulation