Dear RIPE: Please don't encourage phishing
Steven Bellovin
smb at cs.columbia.edu
Fri Feb 10 17:28:22 UTC 2012
If they're intended as a path to log in with a typed password, that's correct.
Sad, but correct.
On Feb 10, 2012, at 12:18 PM, Richard Barnes wrote:
> So because of phishing, nobody should send messages with URLs in them?
>
>
>
> On Fri, Feb 10, 2012 at 8:56 AM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>> I received the enclosed note, apparently from RIPE (and the headers check out).
>> Why are you sending messages with clickable objects that I'm supposed to use to
>> change my password?
>>
>> -------
>>
>> From: RIPE_DBannounce at ripe.net
>> Subject: Advisory notice on passwords in the RIPE Database
>> Date: February 9, 2012 1:16:15 PM EST
>> To: XXXXXXXX
>>
>> [Apologies for duplicate e-mails]
>>
>> Dear Colleagues,
>>
>> We are contacting you with some advice on the passwords used in the RIPE
>> Database. There is no immediate concern and this notice is only advisory.
>> At the request of the RIPE community, the RIPE NCC recently deployed an
>> MD5 password hash change.
>>
>> Before this change was implemented, there was a lot of discussion on the
>> Database Working Group mailing list about the vulnerabilities of MD5
>> passwords with public hashes. The hashes can now only be seen by the user
>> of the MNTNER object. As a precaution, now that the hashes are hidden,
>> we strongly recommend that you change all MD5 passwords used by your MNTNER
>> objects in the RIPE Database at your earliest convenience. When choosing
>> new passwords, make them as strong as possible.
>>
>> To make it easier for you to change your password(s) we have improved
>> Webupdates. On the modify page there is an extra button after the "auth:"
>> attribute field. Click this button for a pop up window that will encrypt
>> a password and enter it directly into the "auth:" field.
>>
>> Webupdates: https://apps.db.ripe.net/webupdates/search.html
>>
>> There is a RIPE Labs article explaining details of the security changes
>> and the new process to modify a MNTNER object in the RIPE Database:
>> https://labs.ripe.net/Members/denis/securing-md5-hashes-in-the-ripe-database
>>
>> We are sending you this email because this address is referenced in the
>> MNTNER objects in the RIPE Database listed below.
>>
>> If you have any concerns about your passwords or need further advice please
>> contact our Customer Services team at ripe-dbm at ripe.net. (You cannot reply
>> to this email.)
>>
>> Regards,
>>
>> Denis Walker
>> Business Analyst
>> RIPE NCC Database Group
>>
>> Referencing MNTNER objects in the RIPE Database:
>> maint-rgnet
>>
>>
>>
>>
>>
>>
>
--Steve Bellovin, https://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list