U.S. DOE's Computer Incident Advisory Capability
Number 94-05d January 11, 1995
Welcome to the fifth issue of CIAC Notes, the United States Department of
Energy's (DOE) Computer Incident Advisory Capability (CIAC) electronic
publication for articles on relevant computer security topics. This "E-zine"
is a service requested by our DOE and DOE contractor customers, and is open
to subscription by anyone who can receive E-mail via the Internet.
Hopefully we are giving you a gift of information to begin 1995. If you
have topics you would like addressed or have feedback on this issue, please
contact the editor, Allan L. Van Lehn, CIAC, (510) 422-8193 or send E-mail to
ciac@llnl.gov.
$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
$ Reference to any specific commercial product does not necessarily $
$ constitute or imply its endorsement, recommendation or favoring by $
$ CIAC, the University of California, or the United States Government.$
$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
TABLE OF CONTENTS
Feature Articles
    How Trusting Can We Be?
    Internet Firewalls - Part 2
    More On The Good Times Virus Hoax
    CIAC Plans To Have A Home Page In January
    Security Information Servers
MAC / PC User
    PowerMAC Users Beware
    Data Physician Plus! 4.0E Available
    Novell Users
CIAC Information
    Who Is CIAC?
    CIAC Bulletins Issued Recently
    Subscribing To CIAC Electronic Publications
    Accessing CIAC's Electronic Information Servers
    Publications Available From CIAC
    Contacting CIAC
FEATURE ARTICLES
------------------------------
How Trusting Can We Be?
The capacity for information exchange has increased significantly in the last
couple of years, with numerous new information sharing services, info
servers, becoming available. However, there are security risks associated
with these info servers, especially if they are left unprotected or are
incorrectly configured. Sites that have or are planning to have info servers
need to understand the inherent risks and how to manage them.
Many DOE sites are enthusiastically embracing the functionality provided by
the Internet. Especially attractive is the ease with which the Internet can
be used to provide information. More and more sites are establishing
anonymous FTP, gopher, archie, WAIS, and WWW info servers. These provide a
fast and easy way to share research, ask questions and, in general,
collaborate with colleagues around the world. CIAC uses this technology to
provide DOE and the interested public with its warning notices (advisories
and bulletins), useful tools, pertinent computer security-documents, and
other reference material.
The main security issue is configuration. Are your Internet-accessible
information services configured properly? Do they control who has access to
what information? Can unauthorized changes be made? Recently, members of
the CIAC team created a publication called "Securing Internet Information
Servers." CIAC also developed a companion course called "Connecting to the
Internet Securely." Both the document and the class discuss the risks
associated with these services when they are provided on a UNIX-based
platform. They also include instruction on how to reduce your risk level.
The document is available through CIAC's anonymous FTP server, ciac.llnl.gov,
and DOE Headquarters plans for CIAC to provide the course at various DOE
locations across the U.S. in FY95.
After your server is properly configured, consider the sensitivity and
appropriateness of the information that is being made "public", especially on
Web servers where pictures and sound can be delivered as well as text. In
our excitement to "brag" about our organizations or share information we
know, it is easy to forget that the Internet is home to 20 million plus
individuals both within and outside the U.S. Among these individuals are
persons or organizations who are involved in breaking into other people's
systems. Their goal may be as benign as being able to brag about gaining
access to your site or they may do deliberate damage by erasing information
or stealing information to sell, i.e., information trafficking. There are
also reporters regularly "surfing" the Internet looking for embarrassing
information that gets them headline stories such as the pirate software
exchanges.
When establishing Internet information servers, the key is "managed" servers.
Before establishing a server, be sure you know who can establish publicly
available servers in your organization, what information is disseminated, and
what release processes exist, if any. Plan to periodically review the
information to ensure that it is appropriate.
We should all remember that those who access our servers are not necessarily
looking out for our best interests. Do you publicly "share" information that
should remain internal to your organization? Whenever you put information on
a server, ask yourself if an "outsider" could use this information against
you. For example, do you have your site's network diagram publicly available
over the network? A hacker could use such information to target an attack
specifically aimed at you. Do you provide information on the hardware,
software and LANs used at your site? Again this information could make it
easier for a hacker/cracker to penetrate your site. Information about your
internal operation, network configurations, hardware, and software should be
limited to internal access only servers. Do you have sensitive business
information lying on a publicly accessible server? Who controls write access
to your servers? A disgruntled employee could place an embarrassing
"Internal Use Only" memo on an anonymous FTP server.
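The write-access and "is this appropriate for outsiders" questions above can be turned into a routine check of the tree an anonymous FTP server exports. The following is an added example, not CIAC's code; the marker strings and the build_sample_tree() fixture are constructed for illustration.

```python
"""Audit a directory served by anonymous FTP for the exposures described above.
Added example, not CIAC's code. Reports entries writable by "other", symlinks
(they can expose files outside the tree), files owned by someone other than
the expected publisher, and files carrying an internal-only marker. The marker
list and the build_sample_tree() fixture are constructed for illustration."""
import os
import stat
import tempfile

# Assumed markers that should never appear on a public server.
INTERNAL_MARKERS = (b"INTERNAL USE ONLY", b"OFFICIAL USE ONLY", b"DO NOT DISTRIBUTE")


def _check_mode(path, st, findings):
    """World-writable entries let any anonymous client replace content."""
    if st.st_mode & stat.S_IWOTH:
        kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
        findings.append(("world-writable", kind, path))


def _check_marker(path, findings, max_bytes=65536):
    """Flag a file whose first bytes carry an internal-only marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes).upper()
    except OSError:
        return
    for marker in INTERNAL_MARKERS:
        if marker in head:
            findings.append(("internal-marker", marker.decode(), path))
            return


def audit_ftp_tree(root, expected_uid=None):
    """Return (issue, detail, path) tuples; an empty list means clean.
    expected_uid is the uid that should own everything (None skips the check)."""
    findings = []
    _check_mode(root, os.lstat(root), findings)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append(("symlink", os.readlink(path), path))
                continue
            _check_mode(path, st, findings)
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append(("unexpected-owner", str(st.st_uid), path))
            if stat.S_ISREG(st.st_mode):
                _check_marker(path, findings)
    return findings


def build_sample_tree():
    """Constructed fixture: a small FTP tree with one of each problem.
    Returns (root, {label: path})."""
    root = tempfile.mkdtemp(prefix="ftpaudit-")
    pub = os.path.join(root, "pub")
    os.mkdir(pub)
    os.chmod(pub, 0o755)
    incoming = os.path.join(pub, "incoming")
    os.mkdir(incoming)
    os.chmod(incoming, 0o777)                   # drop box anyone can write to
    memo = os.path.join(pub, "memo.txt")
    with open(memo, "w") as fh:
        fh.write("Internal Use Only: draft reorganisation memo\n")
    os.chmod(memo, 0o644)
    readme = os.path.join(pub, "readme.txt")
    with open(readme, "w") as fh:
        fh.write("Welcome to the public archive.\n")
    os.chmod(readme, 0o644)
    link = os.path.join(pub, "pw")
    os.symlink("/etc/passwd", link)             # points outside the tree
    return root, {"incoming": incoming, "memo": memo, "readme": readme, "link": link}
```

Run audit_ftp_tree() against the real FTP root with expected_uid set to the publishing account; anything it returns is a candidate for the periodic review the article recommends.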
The risks involved in setting up and using an Internet information server
should not dissuade you from using them. The potential opportunities to
share, market, learn and collaborate far outweigh the risks involved as long
as you understand the risks and properly manage them. Managers, security
professionals, program and project leaders - all must understand the
communication technologies they use on a daily basis so they can effectively
evaluate risk. For additional information on the topic of the Internet and
security see the November 28, 1994 Issue of Information Week, "Is Your Data
Safe?" and December 12, 1994 Information Week, "Internet: How Safe?"
------------------------------
Internet Firewalls - Part 2
by John M. Sayer, LLNL
Firewalls are not a complete network security solution. In fact, probably
nothing is. So while firewalls are an important network security component,
it is worth noting a few of the problems inherent with any firewall
arrangement. The problems can be grouped into three categories: software,
policies and users.
Since firewall systems depend on software programs, they likely will have
bugs in them. Expect these bugs to be immune to rational methods of
detection, since they are the ones which passed through the debugging phase
of the system.(1) The "paranoid" approach to firewall set-up is to reject
everything incoming unless an explicit exception is made for it. But any
exception in a possibly flawed system can still carry risks of
penetration.(2)
Also, there are concerns about address spoofing since there is presently no
fool-proof authentication method. It is possible for a presumed excluded
service to "tunnel" through a firewall by being enclosed in an allowed
service.
Firewall policies pose problems also. It takes equipment to enforce and
people to administer them and this combination can result in a security
breach, even with 'bug-free' software. The following incident happened at a
large research facility:(3)
1. A gateway machine malfunctioned on a holiday weekend, when
none of the usual systems administrators were available.
2. The backup expert could not diagnose the problem over the
phone and needed a guest account created.
3. The operator added the account guest, with no password.
4. The expert neglected to add a password.
5. The operator forgot to delete the account.
6. Some university students found the account within a day
and told their friends.
The policy was deficient in not requiring an experienced administrator for
holidays. The humans erred at the user name-password level. It all added up
to trouble. Policies, like software, probably can't be perfect. While a
shakedown will help eliminate the obvious problems, there are still
unpredictable intersections of human activity which no policy can withstand.
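Two of the failures in that incident (an account with an empty password, a temporary account nobody deleted) are easy to catch with a periodic scan of the account database. The following is an added example, not CIAC's or the cited book's code; the shadow-style records, the temporary-name prefixes and the seven-day policy are constructed assumptions.

```python
"""Check a shadow-style account file for the two failures in the incident
above: an account with no password, and a temporary account nobody removed.
Added example, not CIAC's code. Field layout assumed is the classic
name:hash:lastchg:min:max:warn:inactive:expire:flag, with lastchg counted in
days since 1970-01-01; the sample records and the policy values are made up."""
from datetime import date

# Constructed sample. Day numbers: 9131 = 1995-01-01. "guest" was added with
# an empty password field, as in the incident; "tmpvendor" dates from 1994.
SAMPLE_SHADOW = """\
root:$1$x9.Sx2m4$c8h4Fq1:9131:0:99999:7:::
guest::9135:0:99999:7:::
jdoe:$1$k2Lm0p9Q$Hh3Ux:9133:0:90:7:::
tmpvendor:$1$Rr7Bq1a0$Ma4o:9100:0:99999:7:::
nobody:*:9131:0:99999:7:::
"""

TEMP_NAME_PREFIXES = ("guest", "tmp", "temp", "test")   # assumed naming convention
MAX_TEMP_AGE_DAYS = 7                                     # assumed policy


def parse_shadow(text):
    """Yield one dict per well-formed record; comments and blanks are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        yield {"name": fields[0], "hash": fields[1],
               "lastchg": int(fields[2]) if fields[2].isdigit() else None}


def is_locked(pw_field):
    """'*' or a leading '!' means the account cannot log in with a password."""
    return pw_field == "*" or pw_field.startswith("!")


def audit_shadow(text, today=None):
    """Return a sorted list of (account, problem) tuples."""
    today = today or date.today()
    today_days = (today - date(1970, 1, 1)).days
    problems = []
    for rec in parse_shadow(text):
        name, pw = rec["name"], rec["hash"]
        if pw == "":
            problems.append((name, "no password set"))
        if name.startswith(TEMP_NAME_PREFIXES) and not is_locked(pw):
            # lastchg is the closest thing shadow keeps to a creation date.
            age = None if rec["lastchg"] is None else today_days - rec["lastchg"]
            if age is None or age > MAX_TEMP_AGE_DAYS:
                problems.append((name, f"temporary account still enabled after {age} days"))
    return sorted(problems)


def audit_sample():
    """Run the audit over the constructed records as of 1995-01-11 (day 9141)."""
    return audit_shadow(SAMPLE_SHADOW, today=date(1995, 1, 11))
```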
The imperfections of firewalls underscore the need for host-based security.
Machines on the local network should be analyzed for vulnerabilities using
tools such as the Security Profile Inspector (SPI)(4). A network can then
be configured and procedures can be adopted to minimize access from the
breach point. User security education is the most important factor in a
secure firewall, since legitimate users are already inside the firewall.
Users easily develop a cavalier attitude since the firewall 'protects' them.
For instance, a person may connect his/her machine to a modem because of the
convenience or necessity of working from home. The firewall is now
circumvented and anyone at the user's house or with a system that can
dial-out to the telephone can run riot through the local network.(5)
Legitimate users can inadvertently subvert host-based security simply by
changing the contents of a configuration file or changing a file access
permission. The most common means of cracking a network is usually due to a
poor choice of user passwords. Fast PCs allow hackers to 'guess' thousands
of passwords in a short time. Thus any password that anybody might guess is
probably a bad choice. A list of poor and good qualities for passwords can
be found in reference (6) below.
(1) Cheswick and Bellovin, "Firewalls and Internet Security," pg. 7.
(2) ibid., pg. 83.
(3) ibid., pg. 8.
(4) SPI has a limited distribution (contact ciac@llnl.gov), but
commercial and freeware products are also available (see CIAC Notes
02e, May 12, 1994).
(5) ibid., pg. 11.
(6) Garfinkel and Spafford, "Practical Unix Security," O'Reilly &
Associates, Inc. (1991), pp. 32-35.
------------------------------
More on the Good Times Virus Hoax
CIAC recently sent out a Notes 94-04 telling its clients that the "good
times" virus message circulating around the Internet was a bogus virus alert.
Having malicious code (malware) buried in the body of an E-mail message that
would "infect" your computer is not a very likely possibility because
characters in an E-mail message are displayed, not executed.
CIAC still affirms that reading E-mail, using typical mail agents, will not
activate malware delivered in or with the message. However, the amount of
E-mail CIAC received in response to issue 4 was extraordinary. To summarize
what we received: lots of thank you's for exposing "good times" and "xxx-1"
viruses as urban legends (hoaxes); no E-mail viruses have been captured (and
brought to us for examination); the FCC warning concerning "good times" was
retracted; the warning message and its denunciation are seen to behave like
viruses (memetic lifeforms) with a human serving as the replicating mechanism
(just like chain letters); many people believe "in theory" that malware can
be delivered and activated by some mail agents that have automated services.
The best example of such malware was mail delivered to a PC that has
embedded, seemingly invisible escape sequences which affect screen display or
program the keyboard to do some nastiness when some key is "accidentally"
pressed. This case is described more fully below.
CIAC did not claim that E-mail could not be a delivery agent for malware. A
real threat comes from attached files which could contain viruses or Trojan
programs. You should scan any executable attachment before executing it in
the same way that you scan all new software before using it. It is possible
to create a file that remaps keys when displayed on a PC/MS-DOS machine with
the ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines
with the text displayed on the screen in text mode. It would not work in
Windows or in most text editors or mailers. A key could be remapped to
produce any command sequence when pressed, for example DEL or FORMAT.
However, the command is not issued until the remapped key is pressed and the
command issued by the remapped key would be visible on the screen. You could
protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS
programs use the functionality of ANSI.SYS to control screen functions and
colors. Windows programs are not affected by ANSI.SYS, though a DOS program
running in Windows would be.
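Because the keyboard-redefinition sequence has a distinctive shape (it ends in the letter "p", whereas the colour and cursor sequences DOS programs rely on end in other letters), a mail gateway or a local filter can find and strip just those sequences before a message reaches a DOS screen. The following is an added example, not CIAC's code; the sample message is constructed.

```python
"""Detect and neutralise ANSI.SYS keyboard-redefinition sequences in mail.
Added example, not CIAC's code. ANSI.SYS reassigns a key with
ESC [ key ; replacement ... p, where key is a decimal ASCII code or 0;nn
for an extended key (function and cursor keys) and replacement is a quoted
string or further decimal codes. Colour and cursor sequences end in other
letters (m, H, J, ...) and are left untouched. The message is constructed."""
import re

# One token of a remap sequence: a decimal code or a quoted string. Quoted
# strings may contain ';', so they must be matched before splitting on it.
TOKEN = rb'(?:\d+|"[^"\x1b\r\n]*")'
KEY_REMAP = re.compile(rb'\x1b\[(' + TOKEN + rb'(?:;' + TOKEN + rb')*)p')
TOKEN_RE = re.compile(TOKEN)

SAMPLE_MESSAGE = (
    b"From: friend@example.org\r\nSubject: Happy New Year\r\n\r\n"
    b"\x1b[1;32mBest wishes for 1995!\x1b[0m\r\n"      # harmless colour codes
    b'\x1b[0;59;"ver";13p'                              # remaps F1 to "ver" + Enter
    b"See the attached notes.\r\n"
)


def _decode_tokens(inner):
    """Turn the body of one remap sequence into (key, replacement_text)."""
    tokens = TOKEN_RE.findall(inner)
    if tokens[0] == b"0" and len(tokens) > 1 and tokens[1].isdigit():
        key, rest = b"0;" + tokens[1], tokens[2:]        # extended key code
    else:
        key, rest = tokens[0], tokens[1:]
    replacement = "".join(
        t[1:-1].decode("latin-1") if t.startswith(b'"') else chr(int(t))
        for t in rest
    )
    return key.decode("ascii"), replacement


def find_key_remaps(data):
    """Return [(key, replacement_text), ...] for every remap sequence in data."""
    return [_decode_tokens(m.group(1)) for m in KEY_REMAP.finditer(data)]


def neutralize(data):
    """Strip only the keyboard-redefinition sequences; keep other ANSI codes."""
    return KEY_REMAP.sub(b"", data)
```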
------------------------------
CIAC Plans To Have A Mosaic Home Page In January
We have been working with several people to coordinate the WWW server support
for Web home pages for LLNL, the Computer Security Technology Center (CSTC)
and CIAC. When we are ready to go, there will be much easier access to
information on CIAC and our electronic publications. In the meantime, you
might find the listing of security information servers (below) of interest.
------------------------------
Security Information Servers
Novell:
http://www.novell.com/cgi-bin/ftpsearch.pl?QString=security
Microsoft Windows:
gopher://198.105.232.4:70/77%5Ckb%5Cperopsys%5Cwindows%5Cwindows.src?security
gopher://198.105.232.4:70/77%5Ckb%5Cperopsys%5Cwindows%5Cwindows.src?patches
FIRST's WWW server:
http://www.first.org/first/
NIST/CSRC
http://cs-www.ncsl.nist.gov
Purdue Computer Emergency Response Team (PCERT)
http://www.cs.purdue.edu/pcert/pcert.html
NASA Automated Systems Incident Response Capability (NASIRC)
(this is accessible to *.nasa.gov systems only, but it can be accessed through
the FIRST server or you can contact NASIRC to be added to their hosts.allow
file)
http://nasirc.nasa.gov/NASIRC_home.html
Naval Computer Incident Response Team (NAVCIRT)
http://infosec.nosc.mil/niseeast/html/navcirt.html
Australian Computer Emergency Response Team (AUSCERT)
http://www.auscert.org.au (Proposed to be up in a couple of weeks)
http://www.uq.oz.au/pcc/services/sert/home.html (Currently active)
DFN-CERT
German Home Page - http://www.cert.dfn.de/
English Home Page - http://www.cert.dfn.de/eng/
Computer Emergency Response Team (CERT)
http://www.sei.cmu.edu/SEI/programs/cert.html
Veterans Health Administration (VHA)
http://www.va.gov
Small Business Administration (SBA) (Should be up soon)
http://www.sbaonline.gov/
IBM Computer Virus Information Center
gopher://index.almaden.ibm.com/1virus/virus.70
Italian Computer Antivirus Research Organization
http://www-iwi.unisg.ch/~sambucci/icaro/index.html
If you know of others, please send mail to ciac@llnl.gov.
MACINTOSH & PC USER ARTICLES
------------------------------
PowerMAC Users Beware
PowerMAC and Macintosh users who also use PC emulator programs such as SoftPC
or SoftWindows need to remember that they need to have both DOS and Mac virus
checkers. Currently CIAC knows of no single product that scans both the Mac
and DOS sides of a Macintosh. The hard disk drive for a PC emulator running
on a Macintosh is a Macintosh file. While a Macintosh anti-virus scanner can
read the file, it only recognizes Macintosh viruses, and won't recognize any
PC viruses contained in the file. To scan the file for PC viruses, you must
run the PC emulator program and then run a DOS anti-virus product within the
emulator to scan for PC viruses. Neither SoftPC (which can run on a 68K
Macintosh) nor SoftWindows uses a disk partition for the PC side; both use a
Mac file.
------------------------------
Data Physician Plus! 4.0E Available
All DOE sites should now have Data Physician Plus! 4.0E for use on IBM PC
compatible systems. Contact your site CPPM if you have not obtained an
update. This version does provide protection from the KAOS4 and One_half
viruses (see CIAC Bulletin E-32 for further information on KAOS4 and E-34 for
information on One_half).
------------------------------
Novell NetWare Users
CIAC is receiving more and more calls from our DOE clients asking for
information on minimizing the risks associated with installing NetWare and in
further connecting these LANs to the Internet. To supplement our own
experiences CIAC is interested in partnering with other experts to create a
comprehensive package of information that could be made available to all
sites. If you have Novell NetWare expertise and would like to be a CIAC
associate, please send a note to ciac@llnl.gov.
CIAC INFORMATION
------------------------------
Who is CIAC?
CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to employees and
contractors of the DOE, such as:
o Incident Handling Consulting
o Computer Security Information
o On-site Workshops
CIAC is located at Lawrence Livermore National Laboratory in Livermore,
California, and is a part of its Computer Security Technology Center. CIAC
is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide. Further information can
be found at http://www.first.org/first/
------------------------------
CIAC Bulletins Issued recently
CIAC issues two categories of computer security announcements: the
information bulletin and the advisory notice. Information bulletins describe
security vulnerabilities and recommend countermeasures. Advisory notices are
more imperative, urging prompt action for actively exploited vulnerabilities.
Advisory notices are delivered as quickly as possible via E-mail and FAX.
F-01 Advisory
SGI IRIX serial_ports Vulnerability
Oct. 4, 1994, 1600 PDT
F-02 Bulletin
Summary of HP Security Bulletins
Nov. 17, 1994, 1300 PDT
F-03 Bulletin
Restricted Distribution
F-04 Bulletin
Security Vulnerabilities in DECnet/OSI for OpenVMS
Nov. 28, 1994, 0900 PDT
F-05 Bulletin
SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Available
Dec. 06, 1994, 0800 PDT
F-06 Bulletin
Novell UnixWare sadc, urestore, and suid_exec Vulnerabilities
Dec. 14, 1994, 0800 PDT
------------------------------
Contacting CIAC
DOE and DOE contractor sites that require additional assistance or wish to
report a vulnerability: call CIAC at 510-422-8193, fax messages to
510-423-8002 or send E-mail to ciac@llnl.gov.
------------------- A - T - T - E - N - T - I - O - N ---------------------
| For emergencies and off-hour assistance, CIAC is available 24-hours a day |
| to DOE and DOE contractors via an integrated voicemail and SKYPAGE number.|
| To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The |
| primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second |
| PIN, 8550074 is for the CIAC Project Leader. Keep these numbers handy. |
---------------------------------------------------------------------------
------------------------------
CIAC's Electronic Publications
Previous CIAC Bulletins and other information are available via anonymous FTP
from ciac.llnl.gov.
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories (highest priority, time-critical information)
and Bulletins (important computer security information);
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:
subscribe list-name LastName, FirstName PhoneNumber
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName
FirstName and PhoneNumber.
Send to: ciac-listproc@llnl.gov (not to: ciac@llnl.gov)
e.g.,
subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help. To subscribe an address which is a distribution list, first subscribe
the person responsible for your distribution list. You will receive an
acknowledgment (as described above). Change the address to the distribution
list by sending a second E-mail request. As the body of this message, send
the following request, substituting valid information for list-name, PIN, and
address of the distribution list. Send the E-mail to ciac-listproc@llnl.gov:
set list-name address PIN distribution_list_address
e.g., set ciac-notes address 001860 rE-mailer@tara.georgia.orb
To be removed from this mailing list, send the following request:
unsubscribe list-name
For more information, send the following request:
help
If you have any questions about this list, you may contact the list's owner:
listmanager@cheetah.llnl.gov.
------------------------------
Accessing CIAC's Electronic Information Servers
CIAC operates a security information server for anonymous FTP at
ciac.llnl.gov which contains all of the publicly available CIAC, CERT/cc,
NIST, and DDN bulletins, virus descriptions, the virus-l moderated virus
bulletin board, copies of public domain and shareware virus
detection/protection software, copies of useful public domain and shareware
utility programs, and patch files for some operating systems.
Use FTP to access it either by name or IP address (128.115.19.53). The
operation and prompt will depend on which vendor's FTP you are running.
Usually, you must first log in before you can list directory contents and
transfer files. Use "FTP" or "anonymous" for Name or Foreign username unless
given a general prompt such as ciac.llnl.gov> or FTP>. In that case, enter
the keyword "user" or "login" before "FTP" or "anonymous" (e.g., user FTP).
Use your Internet E-mail address for the Password.
Once logged in you may type a question mark to find out what key-words are
recognized. The file 0-index.txt (in the top level directory /FTP) is a
document explaining the directory structure for downloadable files. The file
whatsnew.txt (in directory /FTP/pub/ciac) contains a list of the new files
placed in the archive. Use the command get [for single files] or mget [for
multiple files] to download one or more files to your own machine.
------------------------------
Publications Available from CIAC
CIAC prepares publications on a variety of computer security related topics,
the CIAC 2300 series. Many of these will be updated as needed to keep the
information current. We welcome suggestions for topics that you feel would
be valuable. We also make available some documents from other sources. In
the table below, column E is for electronic documents available via CIAC's
servers (see above). Column P is for printed documents, for those who do not
have Internet or telephone-modem access. If neither column is checked, the
document is soon to be released. The electronic formats are: *.txt for
ASCII, *.ps for PostScript(tm), *.hqx for bin-hexed Microsoft Word, *.wp5 for
PC Word Perfect v5.0.
No. E P TITLE
2300 x x Abstracts of the CIAC-2300 Series Documents
2301 x x Computer Virus Information Update
2302 Accessing The CIAC Computer Security Archives
2303 x x The Console Password Feature for DEC Workstations
2304 Data Security Vulnerabilities of Facsimile Machines
and Digital Copiers
2305 x Unix Incident Guide: How To Detect A Unix Intrusion
2308 x Securing Internet Information Servers
CIAC x Incident Handling Guidelines
LLNL x User Accountability Statement, E. Eugene Schultz, Jr.
SRI x Improving the Security of your Unix System, David A. Curry
LLNL x Incident Handling Primer, Russell L. Brand
ORNL x Terminal Servers and Network Security, Curtis E. Bemis & Lynn Hyman
To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193
or send E-mail to ciac@llnl.gov.
------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
------------------------------
End of CIAC Notes Number 94-05d 95_01_11