UpDate - Vol. 11, No. 18, Page 6
February 6, 1992
Staff should protect passwords

     A caller using an assumed name has been contacting University
employees, requesting their passwords to gain access to accounts on the
UNIX Time Sharing Systems.
     According to Richard Gordon, manager of consulting in Computing and
Network Services, as of Feb. 1, six people had been called and one was
tricked into revealing her password.
     "He's been very persuasive," Gordon said. "The person who was
tricked is a very experienced user."
     The caller's method of operation is to contact employees at their
home or office and say he is attempting to fix disk space. He asks such
questions as, "Have you noticed the system is slow lately?" and will
verify the person's name and account information.
     He asks employees to spell their password, soliciting specific
information about which letters are capitals and how many letters are in
the word.
     "Nobody in the Computer Center ever calls and asks for a
password," Gordon stressed.
     No University employees should reveal such information if called,
he said.
     Gordon said he does not believe the caller is after specific files
but is trying to gain access to a computer that has excellent
connections into an international network.
     "This is just a classic case of how people try to get passwords,"
he said.
     "Typically, they call people such as secretaries and student
employees, and identify themselves as an assistant to an upper-level
supervisor.
     "Any large organization like ours is vulnerable to an attack,"
Gordon said.
     If you are contacted by the caller or have any other relevant
information,