FW: SECURITY NOTICE: insecure passwords on your machine

Bill Murray bmurray at snf.stanford.edu
Mon Dec 6 08:26:43 PST 2004


Guys,

Here's my two cents.  It is never acceptable to post passwords even in
a locked-down facility with security guards.  The only secure option is to
remove the machines from the network or assign login names and passwords 
using a secure mechanism.

Bill

On Mon, 6 Dec 2004, Dick Crane wrote:

> Hi Mary,
> 
> We chose option 1 last week with the active participation of Paul J. and Mike D.
> The new passwords are posted at the tool or in the tool's logbook.
> 
> Dick
> 
> Mary Tang wrote:
> 
> > Hi all --
> >
> > Although I know little about these machines, it seems to me that they
> > have "bad" passwords because they are general-use machines -- they were
> > set up so that anyone who takes a picture on the SEM or the microscope
> > can upload their data on the network.  However, the network security
> > concerns are serious.  We have this problem (or may have) on other
> > systems in the lab as well.  It seems to me that we have a couple of
> > ways to approach this:
> >
> > 1.  Choose better account names and passwords and post these at the
> > station.  This is presuming that the security problem is from "outside"
> > rather than "inside" the lab.
> > 2.  Take the systems off the network.  We should then upgrade these
> > systems to accommodate USB keys or other media of choice.  (This is
> > what we did for the CAD PC's.)
> >
> > Any other suggestions?
> >
> > Mary
> >
> > Dick Crane wrote:
> >
> > >Mike,
> > >
> > >I'll have them changed tomorrow.
> > >
> > >Dick
> > >
> > >Michael Bell wrote:
> > >
> > >
> > >
> > >>Mary and Dick,
> > >>
> > >>I wasn't sure who was responsible for setting the passwords on these two
> > >>pieces of equipment, but it appears as though these are general passwords
> > >>that are well known and used by a number of people. It would probably make
> > >>sense to change both the user "USER" and the password before redistributing
> > >>the information. There is a link below that talks about making good
> > >>passwords.
> > >>
> > >>Regards,
> > >>
> > >>Mike
> > >>
> > >>-----Original Message-----
> > >>From: Information Security [mailto:security at stanford.edu]
> > >>Sent: Wednesday, December 01, 2004 6:39 PM
> > >>To: michael.bell at stanford.edu
> > >>Subject: SECURITY NOTICE: insecure passwords on your machine
> > >>
> > >>Dear michael.bell at stanford.edu,
> > >>
> > >>The Stanford campus has been experiencing a series of attacks by viruses
> > >>that take advantage of computer accounts with weak passwords.  Below is
> > >>a list of Windows computers that have been found to have one or more
> > >>accounts with blank or easily guessed passwords.  You are listed as an
> > >>administrative contact for these machines (or at least the most recent
> > >>person to have been associated with them).
> > >>
> > >>IP Address      Machine Name                 Vulnerable Accounts
> > >>==============  ===========================  ==================================
> > >>171.64.100.35   snf-sem.Stanford.EDU         User 'USER' has password 'snf'
> > >>171.64.101.112  snf-microscope.Stanford.EDU  User 'USER' has password 'stanford'
> > >>
> > >>To protect your computers and those around you, it is very important
> > >>that you set good passwords for *all* the accounts on these machines (the
> > >>list provided is not guaranteed to be complete).  For more information on
> > >>setting good quality passwords, see:
> > >>
> > >>http://security.stanford.edu/passwords
> > >>
> > >>Setting a good password before a break-in takes only a few seconds.
> > >>Rebuilding a system after a break-in can take hours, and your lost
> > >>data may not be recoverable at all.  A small preventive effort will
> > >>significantly lower the possibility that your machine will be compromised
> > >>and will greatly improve the security of the entire Stanford network.
> > >>
> > >>Thank you for helping to secure Stanford's computing environment.
> > >>
> > >>Sincerely,
> > >>David Hoffman
> > >>Information Security
> > >>
> > >>
> >
> > --
> > Mary X. Tang, Ph.D.
> > Stanford Nanofabrication Facility
> > CIS Room 136, Mail Code 4070
> > Stanford, CA  94305
> > (650)723-9980
> > mtang at stanford.edu
> > http://snf.stanford.edu
> 



