[149618] in North American Network Operators' Group
Re: Dear RIPE: Please don't encourage phishing
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Fri Feb 10 12:29:18 2012
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <CACB24MuxBvWwKATdV6FgKbSHAF=DzU6COYVmO5jXvjf+ue-gLg@mail.gmail.com>
Date: Fri, 10 Feb 2012 12:28:22 -0500
To: Richard Barnes <richard.barnes@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
If they're intended as a path to log in with a typed password, that's correct.
Sad, but correct.
On Feb 10, 2012, at 12:18 PM, Richard Barnes wrote:
> So because of phishing, nobody should send messages with URLs in them?
>
> On Fri, Feb 10, 2012 at 8:56 AM, Steven Bellovin <smb@cs.columbia.edu> wrote:
>> I received the enclosed note, apparently from RIPE (and the headers check out).
>> Why are you sending messages with clickable objects that I'm supposed to use to
>> change my password?
>>
>> -------
>>
>> From: RIPE_DBannounce@ripe.net
>> Subject: Advisory notice on passwords in the RIPE Database
>> Date: February 9, 2012 1:16:15 PM EST
>> To: XXXXXXXX
>>
>> [Apologies for duplicate e-mails]
>>
>> Dear Colleagues,
>>
>> We are contacting you with some advice on the passwords used in the RIPE
>> Database. There is no immediate concern and this notice is only advisory.
>> At the request of the RIPE community, the RIPE NCC recently deployed an
>> MD5 password hash change.
>>
>> Before this change was implemented, there was a lot of discussion on the
>> Database Working Group mailing list about the vulnerabilities of MD5
>> passwords with public hashes. The hashes can now only be seen by the user
>> of the MNTNER object. As a precaution, now that the hashes are hidden,
>> we strongly recommend that you change all MD5 passwords used by your MNTNER
>> objects in the RIPE Database at your earliest convenience. When choosing
>> new passwords, make them as strong as possible.
>>
>> To make it easier for you to change your password(s) we have improved
>> Webupdates. On the modify page there is an extra button after the "auth:"
>> attribute field. Click this button for a pop up window that will encrypt
>> a password and enter it directly into the "auth:" field.
>>
>> Webupdates: https://apps.db.ripe.net/webupdates/search.html
>>
>> There is a RIPE Labs article explaining details of the security changes
>> and the new process to modify a MNTNER object in the RIPE Database:
>> https://labs.ripe.net/Members/denis/securing-md5-hashes-in-the-ripe-database
>>
>> We are sending you this email because this address is referenced in the
>> MNTNER objects in the RIPE Database listed below.
>>
>> If you have any concerns about your passwords or need further advice please
>> contact our Customer Services team at ripe-dbm@ripe.net. (You cannot reply
>> to this email.)
>>
>> Regards,
>>
>> Denis Walker
>> Business Analyst
>> RIPE NCC Database Group
>>
>> Referencing MNTNER objects in the RIPE Database:
>> maint-rgnet
>>
>
--Steve Bellovin, https://www.cs.columbia.edu/~smb