A type of daemon which runs under most unices. It allows you to get information about a user solely from their email address, but it is also one of the most powerful tools available to crackers. Fingering an actual address will provide some basic information about the luser, such as when they were last logged in, what shell they use and, if it's a corporation or college, their phone number and/or room number. It's all up to the administrator.

The security hole appears when an outside user is allowed to finger a certain special user name, which I won't mention here (I'd hate to spawn more trouble): the output of their request is a list of all users logged in at the moment. This may sound innocuous, but in reality it allows a cracker to more easily guess the passwords for login names that they are now aware of. Now, you might say, they can find out the user names by fingering the specific user. After you said this, you'd stop for a moment and realize you'd need to know the user names to finger the users. So, if you run Linux, make sure you edit your /etc/services file to exclude fingerd unless you really need it.
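The /etc/services edit recommended above can be checked and applied mechanically. The script below is an added example, not part of the original writeup: it lists active finger entries in a services(5)-format file and prints a copy with them commented out. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original writeup). Function names and the
# sample file are constructed for illustration.

# Shared awk prologue: strip any trailing comment, then flag lines whose
# service name is "finger" or whose port field is 79/<proto>.
FINGER_AWK='{ orig = $0; sub(/#.*/, "")
              hit = (NF >= 2 && ($1 == "finger" || $2 ~ /^79\//)) }'

# Print the active (uncommented) finger entries in a services(5) file.
finger_entries() {
    awk "$FINGER_AWK"' hit { print orig }' "$1"
}

# Write a copy of the file to stdout with active finger entries commented out.
disable_finger() {
    awk "$FINGER_AWK"' { prefix = hit ? "#" : ""; print prefix orig }' "$1"
}

# Constructed sample in services(5) format.
write_sample() {
    cat > "$1" <<'EOF'
# name          port/proto      aliases
ftp             21/tcp
finger          79/tcp
#finger         79/udp
www             80/tcp          http    # WorldWideWeb HTTP
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
echo "Active finger entries:"
finger_entries "$tmp"
echo "Hardened copy:"
disable_finger "$tmp"
rm -f "$tmp"
```

Run `disable_finger` against a copy of /etc/services and review the difference before replacing the real file.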
