From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V3 #119
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Tuesday,  3 Jul 1990    Volume 3 : Issue 119

Today's Topics:

New files on MIBSRV (PC)
re: I'm bummed. (re BITFTP access to Scandanavia)
RE: Oversized mail.
Alex's SAM reports... (Mac)
Info needed: virus protection for OS/2
4096 virus frequencies? (PC)
Re: Mainframe attacks (MVS)
Re: Mainframe attacks
Secure UNIX

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Fri, 29 Jun 90 09:37:13 -0500
From: James Ford
Subject: New files on MIBSRV (PC)

The following files have been placed on MIBSRV.MIB.ENG.UA.EDU
(130.160.20.80) in the directory pub/ibm-antivirus for anonymous
FTPing. Uploaded on June 29, 1990.

- --------------------------
0validate.crc - McAfee's listing of validation strings for various programs
scanv64.zip   - McAfee's SCAN V64
vshld64.zip   - McAfee's VShield V64
vcopy64.zip   - McAfee's VCopy V64
netscn64.zip  - McAfee's Scan for Networks V64
cleanp64.zip  - McAfee's CleanUp V64

The earlier version of these programs (V63) will remain on MIBSRV until
July 5, 1990 for possible requests queued at BITFTP@PUCC.
Someone on the list made a comment concerning F-Prot v111. Is this
program actually out? The latest version I'm aware of is F-Prot v110.

- ----------
There are no winners in life; only survivors.
- ----------
James Ford - JFORD@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa, Alabama USA)

------------------------------

Date: Fri, 29 Jun 90 12:27:16 -0400
From: Peter Jones
Subject: re: I'm bummed. (re BITFTP access to Scandanavia)

On Wed, 27 Jun 90 17:07:32, in
>VIRUS-L Digest Friday, 29 Jun 1990 Volume 3 : Issue 118,
(Steven W. Smith) said:

> I tried to access chyde.uwasa.fi via BITFTP@PUCC.BITNET and received not
> fprot111.zip, but:
>
> > 19:50:36 > FTP chyde.uwasa.fi UUENCODE
> > 19:50:36 > USER anonymous
> > 19:50:36 >>>> Access to the Scandinavian nodes has been
> > 19:50:36 >>>> discontinued, due to the slowness
> > 19:50:36 >>>> and unreliability of the network connections.
> > 19:50:36 >>>> Please try to confine your BITFTP requests
> > 19:50:37 >>>> to North American nodes. Thank you.
>
> Any suggestions? Maybe a North American site with fprot111.zip, although
> I'd prefer an alternative to BITFTP (short of going Unix, that is)...

Antivirus software is also available at the SIMTEL20 archives. FTP
access is supported. If you don't have FTP, send the following commands
to LISTSERV@RPIECS:

    HELP
    GET PDGET HELP
    /PDDIR PD:FPROT* 365
    /PDGET BITSEND PD:FPROT111.ZIP

> "A Kleenex in the the hand is worth two in the box"
"History repeats itself. History repeats itself. History repeats itself. Histor
Peter Jones (514)-987-3542
Internet: Peter Jones
UUCP: ...psuvax1!uqam.bitnet!maint

------------------------------

Date: Fri, 29 Jun 90 09:54:23 -0700
From: EETP735@CALSTATE.BITNET
Subject: RE: Oversized mail.

regarding:

Subject: 4096 virus frequencies? (PC)

Does anyone have a strong feeling (or even hard evidence!) for how
widespread the 4096 virus is?
We have seen very few first-hand reports, but there are rumors, from the
direction of Israel in particular, that it is beginning to become a
significant problem in some places. Does anyone know any more than I do
on this subject?

DC

------------------------------

Date: 03 Jul 90 04:27:54 +0000
From: fasteddy@amarna.gsfc.nasa.gov (John 'Fast-Eddie' McMahon)
Subject: Re: Mainframe attacks (MVS)

CAH0@gte.com (Chuck Hoffman) writes...

: On Digital VAXs, the VMS system technically is C2, but in my opinion
: the architecture is so cumbersome that systems managers have some
: justification when they say that you need system privileges all the time
: just to do a job. Yes, it's C2, but so many people end up with privileges
: that it hardly matters.

I have gotten conflicting answers on this, so I'll ask again...

My understanding is that VMS 4.3 was the version rated at C2, and that
rating did not automatically carry over to later versions of VMS. Hence,
if you are running 4.3 you have (potentially) a C2 system. But if you
are running 4.4 through 5.4 you don't.

Can someone explain how these ratings apply when a system is upgraded?

- ------------------------------------------------------------------------------
John "Fast Eddie" McMahon                      FASTEDDY@DFTNIC.GSFC.NASA.GOV
Code 930.4 - Advanced Data Flow Technology Office    SDCDCL::FASTEDDY (SPAN)
NASA Goddard Space Flight Center in Greenbelt, MD            (301) 286-2045
(Soon to be at TGV, Incorporated - MCMAHON@TGV.COM)
- ------------------------------------------------------------------------------
Disclaimer: These are my views. Although I am a NASA contractor, I do
not speak for NASA or ST Systems Corporation.
Va guvf tybony ivyyntr xabja nf gur argjbex, jr ner nyy cevfbaref...
Or frrvat lbh...

------------------------------

Date: 03 Jul 90 12:36:40 +0000
From: CAH0@gte.com (Chuck Hoffman)
Subject: Re: Mainframe attacks

Emily H. Lonsford of Mitre writes:

"Is that what CA is telling you?
I just looked in my April 1990 'Information Systems Security Products
and Services Catalog', a government publication, and CA is not in the
list of vendors in the evaluation process."

Her question relates to my comment that Computer Associates is "in the
process" of raising the rating of ACF2 and Top Secret from C2 to B1,
which will make hacking more difficult.

What CA is telling all of us is in the form of product announcements for
CA-ACF2 and CA-Top Secret. I have the ones for the MVS versions of these
products. There probably are also announcements for the VM versions, but
I haven't seen them. The announcements are dated February 15, 1990, but
I just got them in the mail recently. The announcements are almost
identical to each other, so I will quote parts of the CA-ACF2 MVS text:

"CA-ACF2 MVS Release 5.2 PTFs permit security operation following the
Department of Defense Trusted Computer System Evaluation Criteria (DOD
5200.28-STD) for a Mandatory Access Control (MAC) security system at the
B1 level."

"Available 3rd Quarter 1990 - Beta Test"

"In August 1989, CA filed proposals with the NCSC to have CA-ACF2 MVS,
CA-ACF2 VM, CA-TOP SECRET MVS and CA-TOP SECRET VM formally evaluated to
ensure full compliance with the Department of Defense Trusted Computer
Systems Evaluation Criteria (DOD5200.28-STD) at a B1 level. Although CA
cannot guarantee that CA-ACF2 MVS will receive a B1 rating nor is it
possible for CA to provide a specific date for when a formal evaluation
will be completed, CA has worked successfully with the NCSC on numerous
occasions and completed several evaluations."

That's what they're saying. Evaluate it for yourself. Personally, I
will believe it when I see it. The announcement is sort of like telling
people 's point about the rating's not applying to an individual site's
implementation is well taken. The rating is for the PRODUCT, not for
your installation.
For instance, if you give security privileges to large numbers of
people, you couldn't expect to call your installation "secure" even if
the product has a B1 rating. And who knows what your system
modifications might do?

Emily writes about the first copy of ACF2 being written at London Life
in Ontario. I can add that copy #2 went to Linda Vetter's installation
at GM; Linda was one of the chair people of the security committee at
SHARE, and later became a Vice President at SKK. Copy #3 came here, to
GTE Laboratories, in 1978. It was installed personally by Barry
Schraeger, Eb Klemmons, and Scott Kruger, the original "SKK."

Several releases, and years, later, I was having some difficulty getting
an answer to a technical question from SKK Tech Support. By then, they
had a "Level 1" and "Level 2" structure which was getting in the way.
Finally, in frustration, I said "Look, this product was installed on our
system by Barry, Scott, and Eb. Now it doesn't work, and it's impacting
our business. I want the installers back out here on site." We got
INSTANT attention.

Since we deinstalled the IBM systems last December, we probably have the
distinction of being the longest running ACF2 site to remove the
product, too.

I expect lively discussion at the CA Security and Audit conference in
Orlando this coming week. Unfortunately for me, the session concerning
new features is scheduled opposite one I will be giving (on granting
privileges to systems programmers!).

I thank Emily for her comments. Those certainly were interesting times.

- -Chuck

- - Chuck Hoffman, GTE Laboratories, Inc.
cah0@bunny.gte.com
Telephone (U.S.A.) 617-466-2131
GTE VoiceNet: 679-2131
GTE Telemail: C.HOFFMAN

------------------------------

Date: Mon, 02 Jul 90 17:09:22 -0400
From: Wes Morgan
Subject: Secure UNIX

m19940@mwvm.mitre.org (Emily H. Lonsford) writes:

>To me, the worst problem is with UNIX's root account; there it's all or
>nothing when it comes to privileges.
>There's no such thing as "separation of duties." And so far the "more
>secure" versions of UNIX really haven't addressed that.

AT&T has a product called "System V/MLS" (Multi-Level Security), which
they released in 1989. Reading from the product announcement, I see that
System V/MLS was certified at the B1 security level by the NCSC. It is
configurable at C1, C2, and B1 levels. System V/MLS is available (at
least at initial release) for the 3B2/500 and 3B2/600 computers; I'd be
surprised if AT&T hasn't ported it further up the product line. There is
also a windowing terminal that maintains a B3 trusted path to the
security kernel. They also have a suite of trusted RFC networking
utilities.

After reading the Orange Book, I'm reasonably sure that AT&T has
achieved the "separation of duties" to which Emily refers. I haven't
used this product, nor have I read any reviews; I just know what I read
in the literature.

Wes

- --
| Wes Morgan, not speaking for | {any major site}!ukma!ukecc!morgan |
| the University of Kentucky's | morgan@engr.uky.edu                |
| Engineering Computing Center | morgan%engr.uky.edu@UKCC.BITNET    |
Lint is the compiler's only means of dampening the programmer's ego.

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 119]
******************************************