Newspaper reports over the weekend about the vast number of Internet passwords potentially cracked have painted the mechanism as a big mystery, but the advisory published on the net by the Computer Emergency Response Team at Carnegie Mellon University on February 3 makes it clear that the miscreants have taken advantage of a specific network interface, /dev/nit, using its ‘promiscuous mode’, in which it captures all network packets. The intruders first have to break in through any one of Unix’s holes and gain root access; they then install a Trojan Horse that captures the first 128 keystrokes of all newly opened FTP, telnet and rlogin sessions, keystrokes that typically contain host, account and password information. Current speculation on the net indicates that these kinds of tools have been around for ages but have only recently become widely distributed. The watchdog reports that the common trojans are /usr/etc/in.telnetd and /bin/login. At the same time, the hackers tamper with /bin/ps, a utility that could be used for detection since it lists the processes running on a Unix box; unfortunately, the amended version fails to report the rogue process. Short-term action, the Response Team suggests, includes disabling the /dev/nit device, but it admits that the only absolute cure is to stop sending reusable, unencrypted passwords…
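Since the report says the trojaned /bin/ps hides the sniffer, a defender needs checks that do not rely on the process list. The script below is an added example, not part of the article or the CERT advisory: it reads the promiscuous flag straight from the kernel and compares the named binaries (/bin/login, /usr/etc/in.telnetd, /bin/ps) against a hash baseline taken from clean media. It assumes a Linux host with sysfs (/sys/class/net/*/flags) and coreutils sha256sum; the baseline file path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the advisory or the article). Two host checks that
# work even when /bin/ps has been replaced, as the report describes.
# Assumes Linux sysfs and coreutils sha256sum.

# IFF_PROMISC is bit 0x100 of the interface flags word (Linux <linux/if.h>).
# Usage: is_promisc_flags 0x1103   -> exit 0 (true) when the bit is set
is_promisc_flags() {
    flags=$(printf '%d' "$1")        # hex string from sysfs -> decimal
    [ $(( flags & 256 )) -ne 0 ]
}

# Prints the name of every interface whose flags word has IFF_PROMISC set.
# A sniffer reading all packets, like the one the advisory describes, needs
# this mode; a server interface in it is worth investigating.
list_promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if is_promisc_flags "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# Compares binaries against a baseline file of "<sha256>  <path>" lines
# (the format sha256sum -c expects) recorded from known-clean media, e.g.
#   <hash>  /bin/login
#   <hash>  /usr/etc/in.telnetd
#   <hash>  /bin/ps
# Prints each path whose hash differs or which is missing; returns 1 if any.
verify_baseline() {
    baseline=$1; rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        have=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED OR MISSING: $path"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# Example run (placeholder baseline path):
#   list_promisc_ifaces
#   verify_baseline /var/lib/integrity/baseline.sha256
```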