336 computer science students at the University of Sydney were sent an email
message asking them to supply their password to `validate' the password
database after a suspected breakin. 138 of them returned a valid password; 30
returned a plausible looking but invalid password; and over 200 changed their
passwords without official prompting in the two weeks following the experiment.
However, very few attempts were made to report the message to the university
authorities.
Source: ACM SIGSAC Review v 14 no 2 (Apr 96) pp 9--14.
I wonder how many hospitals, general practices and health authorities
perform similar penetration testing, whether as an audit exercise or
as part of staff awareness training?
Ross