|
|
By means of various Unix programmes it is possible to read/extract user-related data held in the IT system. This also covers data which can furnish information on the user performance profile. Therefore, attention must be paid both to privacy protection aspects and to the risk that such information may facilitate abuse.
Example:
With a simple program which, at certain intervals analyses the information provided by the who command, any user can extract a precise utilisation profile for an account. In this way it is possible, for instance, to establish the periods of absence of the system administrator(s) in order to exploit these absences for illicit acts. Also, it can be established which terminals are approved for privileged access.
Other programs with similar abuse possibilities are finger or ruser.
| © Copyright
by Bundesamt für Sicherheit in der Informationstechnik |