Date: Tue, 11 May 1999 19:22:59 +0100 From: "Robson, Ken" To: BUGTRAQ@netspace.org Subject: Sun Microsystems Leaks extensive Amounts of Information About Itself & It's Customers Through Its Sunsolve Database... Hi Folks, I have just been scouring Sun's Bug Reports for some information and I discovered that you can easily trawl for useful information about both Sun and its clients. Information exposed includes:- * Copies of /etc/passwd (i.e. user names) * Copies of /etc/shadow (i.e. encrypted passwords) * Configuration of network services (i.e. inetd.conf) It is trivial to put together searches that glean this for some of their customers. Whilst the contract services restrictions are in place for accessing these accounts, logins must be in wide circulation. I know 3 or 4 accounts from various past employers myself. When logging a support call I do not often consider what might happen to the call notes. I am sure that Sun are not the only company doing this and this is not aimed at Sun in particular, they are just an example. Serious consideration should be given to what information you are prepared to pass to those who support you - do you trust the rest of their customers (at best) or the entire internet (at worst). Anyway not earth shattering but food for thought. Regards, Ken. PS - Please do not interpret the domain that this mail comes from as any indication that I work for the European Bank for Reconstruction & Development. I in fact contract to Hewlett Packard and am simply based at the bank - all the opinions expressed above are my own and have nothing to do with either of these organisations. ----------------------------------------------------------------------------- Date: Wed, 12 May 1999 09:56:00 -0700 From: Alan Coopersmith To: BUGTRAQ@netspace.org Subject: Re: Sun Microsystems Leaks extensive Amounts of Information About Itself & It's Customers Through Its Sunsolve Database > When logging a support call I do not often consider what might happen to the > call notes. I am sure that Sun are not the only company doing this and this > is not aimed at Sun in particular, they are just an example. Serious > consideration should be given to what information you are prepared to pass > to those who support you - do you trust the rest of their customers (at > best) or the entire internet (at worst). The actual service order notes are not available to customers through SunSolve - but parts of bug reports that may be generated by them are. At least a few years ago when I worked in SunService they reminded us not to put customer information in the public part of bug reports, but there was no review system to make sure we didn't screw up. If you want to protect yourself, make sure that if your call results in a bug report you go to SunSolve and review the public copy to make sure there's nothing in there you wouldn't want others to see and if there is, call up your service rep and make them move it to the sun-internal-access-only section of the bug report. Disclaimer: I no longer work in Tech Support at Sun and do not and cannot speak for SunService or whatever they're called after the latest "realignment of the Sun planets". -- ________________________________________________________________________ Alan Coopersmith alanc@godzilla.EECS.Berkeley.EDU Univ. of California at Berkeley http://soar.Berkeley.EDU/~alanc/ aka: alanc@{CSUA,OCF,CS,BMRC,EECS,ucsee.eecs,cory.eecs}.Berkeley.EDU