U.S. DOE's Computer Incident Advisory Capability

                          C I A C   N O T E S

                  Number 94-05d            January 11, 1995

Welcome to the fifth issue of CIAC Notes, the United States Department of Energy's (DOE) Computer Incident Advisory Capability (CIAC) electronic publication for articles on relevant computer security topics. This "E-zine" is a service requested by our DOE and DOE contractor customers, and is open to subscription by anyone who can receive E-mail via the Internet. Hopefully we are giving you a gift of information to begin 1995. If you have topics you would like addressed or have feedback on this issue, please contact the editor, Allan L. Van Lehn, CIAC, (510) 422-8193 or send E-mail to ciac@llnl.gov.

$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
$ Reference to any specific commercial product does not necessarily  $
$ constitute or imply its endorsement, recommendation or favoring by $
$ CIAC, the University of California, or the United States Government.$
$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$

TABLE OF CONTENTS

Feature Articles
   How Trusting Can We Be?
   Internet Firewalls - Part 2
   More On The Good Times Virus Hoax
   CIAC Plans To Have A Home Page In January
   Security Information Servers

MAC / PC User
   PowerMAC Users Beware
   Data Physician Plus! 4.0E Available
   Novell Users

CIAC Information
   Who Is CIAC?
   CIAC Bulletins Issued Recently
   Subscribing To CIAC Electronic Publications
   Accessing CIAC's Electronic Information Servers
   Publications Available From CIAC
   Contacting CIAC

FEATURE ARTICLES
------------------------------

How Trusting Can We Be?

The capacity for information exchange has increased significantly in the last couple of years, with numerous new information sharing services, info servers, becoming available.
However, there are security risks associated with these info servers, especially if they are left unprotected or are incorrectly configured. Sites that have or are planning to have info servers need to understand the inherent risks and how to manage them.

Many DOE sites are enthusiastically embracing the functionality provided by the Internet. Especially attractive is the ease with which the Internet can be used to provide information. More and more sites are establishing anonymous FTP, gopher, archie, WAIS, and WWW info servers. These provide a fast and easy way to share research, ask questions and, in general, collaborate with colleagues around the world. CIAC uses this technology to provide DOE and the interested public with its warning notices (advisories and bulletins), useful tools, pertinent computer security documents, and other reference material.

The main security issue is configuration. Are your Internet-accessible information services configured properly? Do they control who has access to what information? Can unauthorized changes be made?

Recently, members of the CIAC team created a publication called "Securing Internet Information Servers." CIAC also developed a companion course called "Connecting to the Internet Securely." Both the document and the class discuss the risks associated with these services when they are provided on a UNIX-based platform. They also include instruction on how to reduce your risk level. The document is available through CIAC's anonymous FTP server, ciac.llnl.gov, and DOE Headquarters plans for CIAC to provide the course at various DOE locations across the U.S. in FY95.

After your server is properly configured, consider the sensitivity and appropriateness of the information that is being made "public", especially on Web servers where pictures and sound can be delivered as well as text.
In our excitement to "brag" about our organizations or share information we know, it is easy to forget that the Internet is home to 20 million plus individuals both within and outside the U.S. Among these individuals are persons or organizations who are involved in breaking into other people's systems. Their goal may be as benign as being able to brag about gaining access to your site, or they may do deliberate damage by erasing information or stealing information to sell, i.e., information trafficking. There are also reporters regularly "surfing" the Internet looking for embarrassing information that gets them headline stories, such as the pirate software exchanges.

When establishing Internet information servers, the key is "managed" servers. Before establishing a server, be sure you know who can establish publicly available servers in your organization, what information is disseminated, and what release processes exist, if any. Plan to periodically review the information to ensure that it is appropriate. We should all remember that those who access our servers are not necessarily looking out for our best interests.

Do you publicly "share" information that should remain internal to your organization? Whenever you put information on a server, ask yourself if an "outsider" could use this information against you. For example, do you have your site's network diagram publicly available over the network? A hacker could use such information to target an attack specifically aimed at you. Do you provide information on the hardware, software and LANs used at your site? Again, this information could make it easier for a hacker/cracker to penetrate your site. Information about your internal operation, network configurations, hardware, and software should be limited to internal-access-only servers. Do you have sensitive business information lying on a publicly accessible server? Who controls write access to your servers?
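One concrete form of the write-access and release-review questions asked above, added here as an example and not part of the original CIAC article: a script that walks the publish directory of an anonymous FTP or Web server, reports every directory or file that is writable by "other" (the opening that lets anyone drop a file into the tree), and reports any published file that is not on an approved-release list. The directory layout, file names and approved list are constructed for the demonstration, and the idea that a site keeps a list of reviewed files is an assumption about how release review is tracked.

```python
"""Audit a public document tree for the two risks the article raises:
locations anyone can write to, and files nobody approved for release.

Added example, not CIAC's code.  The directory layout, the file names and
the approved-release list are constructed for this demonstration."""
import os
import shutil
import stat
import tempfile


def audit_public_tree(root, approved):
    """Walk `root` and return a sorted list of (relative path, problem).

    approved: set of relative file paths that went through a release review.
    Problems reported:
      world-writable  the directory or file has the write bit set for 'other',
                      so any user of the host (or an anonymous upload) can
                      change or add content there
      not-approved    the file is published but nobody signed off on it
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        entries = [(rel_dir, True)]
        entries += [(os.path.join(rel_dir, name), False) for name in filenames]
        for rel, is_dir in entries:
            mode = os.stat(os.path.join(root, rel)).st_mode
            if mode & stat.S_IWOTH:
                findings.append((rel or ".", "world-writable"))
            if not is_dir and rel not in approved:
                findings.append((rel, "not-approved"))
    return sorted(findings)


def _publish(root, rel, text):
    """Create a file the way a careful release process would: mode 0644."""
    path = os.path.join(root, rel)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o644)


def build_demo_tree():
    """Constructed sample: a small anonymous-FTP style tree with one mistake of each kind."""
    root = tempfile.mkdtemp(prefix="pubtree-")
    incoming = os.path.join(root, "pub", "incoming")
    os.makedirs(incoming)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "pub"), 0o755)
    _publish(root, "pub/advisory-F-01.txt", "released advisory text\n")      # reviewed, approved
    _publish(root, "pub/incoming/internal-memo.txt", "INTERNAL USE ONLY\n")  # never reviewed
    os.chmod(incoming, 0o777)   # upload area left world-writable: anyone can drop a file here
    return root


def demo_findings():
    """Run the audit over the constructed tree and remove the tree afterwards."""
    root = build_demo_tree()
    try:
        return audit_public_tree(root, approved={"pub/advisory-F-01.txt"})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, problem in demo_findings():
        print(f"{problem:15} {path}")
```

Run as a periodic job over the real publish root with the site's own approved list, the script gives the "periodic review" the article asks for in a form that can be diffed from one run to the next.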
A disgruntled employee could place an embarrassing "Internal Use Only" memo on an anonymous FTP server.

The risks involved in setting up and using Internet information servers should not dissuade you from using them. The potential opportunities to share, market, learn and collaborate far outweigh the risks involved, as long as you understand the risks and properly manage them. Managers, security professionals, program and project leaders - all must understand the communication technologies they use on a daily basis so they can effectively evaluate risk.

For additional information on the topic of the Internet and security, see the November 28, 1994 issue of Information Week, "Is Your Data Safe?" and the December 12, 1994 Information Week, "Internet: How Safe?"

------------------------------

Internet Firewalls - Part 2
by John M. Sayer, LLNL

Firewalls are not a complete network security solution. In fact, probably nothing is. So while firewalls are an important network security component, it is worth noting a few of the problems inherent with any firewall arrangement. The problems can be grouped into three categories: software, policies and users.

Since firewall systems depend on software programs, they likely will have bugs in them. Expect these bugs to be immune to rational methods of detection, since they are the ones which passed through the debugging phase of the system.(1) The "paranoid" approach to firewall set-up is to reject everything incoming unless an explicit exception is made for it. But any exception in a possibly flawed system can still carry risks of penetration.(2) Also, there are concerns about address spoofing, since there is presently no fool-proof authentication method. It is possible for a presumed excluded service to "tunnel" through a firewall by being enclosed in an allowed service.

Firewall policies pose problems also.
It takes equipment to enforce and people to administer them, and this combination can result in a security breach, even with 'bug-free' software. The following incident happened at a large research facility:(3)

1. A gateway machine malfunctioned on a holiday weekend, when none of the usual systems administrators were available.
2. The backup expert could not diagnose the problem over the phone and needed a guest account created.
3. The operator added the account guest, with no password.
4. The expert neglected to add a password.
5. The operator forgot to delete the account.
6. Some university students found the account within a day and told their friends.

The policy was deficient in not requiring an experienced administrator for holidays. The humans erred at the user name-password level. It all added up to trouble. Policies, like software, probably can't be perfect. While a shakedown will help eliminate the obvious problems, there are still unpredictable intersections of human activity which no policy can withstand.

The imperfections of firewalls underscore the need for host-based security. Machines on the local network should be analyzed for vulnerabilities using tools such as the Security Profile Inspector (SPI).(4) A network can then be configured and procedures can be adopted to minimize access from the breach point.

User security education is the most important factor in a secure firewall, since legitimate users are already inside the firewall. Users easily develop a cavalier attitude since the firewall 'protects' them. For instance, a person may connect his/her machine to a modem because of the convenience or necessity of working from home. The firewall is now circumvented, and anyone at the user's house or with a system that can dial out to the telephone can run riot through the local network.(5) Legitimate users can inadvertently subvert host-based security simply by changing the contents of a configuration file or changing a file access permission.
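A host-based check that would have caught steps 3 through 5 of the incident above before the students did, added here as an example rather than taken from the article, from SPI or from the referenced books: parse a passwd-style account file and flag any account whose password field is empty (it logs in with no password at all), any account that is not on the administrator's approved list, and any non-root account with uid 0. The account records and the approved list are constructed sample data; on a system that keeps hashes in a shadow file the second field holds a placeholder such as "x", which the check treats like any other non-empty value.

```python
"""Find the account mistakes from the holiday-weekend incident before an
outsider does.  Added example; not from the article, from SPI or from the
referenced books.  The passwd-style records and the approved list are
constructed sample data."""

# Constructed snapshot in the classic seven-field passwd format
# (name:password:uid:gid:gecos:home:shell).  "x" stands for a hash kept
# elsewhere (shadow file); an empty field means no password is required.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
operator:x:11:0:console operator:/root:/bin/sh
guest::1001:1001:temporary guest account:/home/guest:/bin/sh
jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/csh
"""

# Accounts the administrator actually authorised on this gateway (constructed).
APPROVED_ACCOUNTS = {"root", "operator", "jdoe"}


def parse_passwd(text):
    """Parse passwd-format text into a list of account dicts.

    Raises ValueError on a malformed record rather than guessing, because a
    record with the wrong number of fields is itself something to look at.
    """
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        accounts.append({
            "name": name, "password": password, "uid": int(uid),
            "gid": int(gid), "gecos": gecos, "home": home, "shell": shell,
        })
    return accounts


def audit_accounts(accounts, approved):
    """Return a list of (account name, problem) for every account that
    needs an administrator's attention, in file order."""
    findings = []
    for acct in accounts:
        if acct["password"] == "":
            findings.append((acct["name"], "empty password field: anyone can log in"))
        if acct["name"] not in approved:
            findings.append((acct["name"], "not on the approved account list"))
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append((acct["name"], "uid 0 (superuser) under another name"))
    return findings


def demo():
    """Audit the constructed snapshot against the constructed approved list."""
    return audit_accounts(parse_passwd(SAMPLE_PASSWD), APPROVED_ACCOUNTS)


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name:10} {problem}")
```

The approved list is the part that encodes policy: a temporary account created for a holiday emergency is "not approved" until someone records it, so the check keeps reporting it until it is either removed or deliberately added to the list.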
The most common means of cracking a network is usually a poor choice of user passwords. Fast PCs allow hackers to 'guess' thousands of passwords in a short time. Thus any password that anybody might guess is probably a bad choice. A list of poor and good qualities for passwords can be found in reference (6) below.

(1) Cheswick and Bellovin, "Firewalls and Internet Security," pg. 7.
(2) ibid., pg. 83.
(3) ibid., pg. 8.
(4) SPI has a limited distribution (contact ciac@llnl.gov), but commercial and freeware products are also available (see CIAC Notes 02e, May 12, 1994).
(5) ibid., pg. 11.
(6) Garfinkel and Spafford, "Practical Unix Security," O'Reilly & Associates, Inc. (1991), pp. 32-35.

------------------------------

More on the Good Times Virus Hoax

CIAC recently sent out Notes 94-04 telling its clients that the "good times" virus message circulating around the Internet was a bogus virus alert. Having malicious code (malware) buried in the body of an E-mail message that would "infect" your computer is not a very likely possibility, because characters in an E-mail message are displayed, not executed. CIAC still affirms that reading E-mail, using typical mail agents, will not activate malware delivered in or with the message.

However, the amount of E-mail CIAC received in response to issue 4 was extraordinary. To summarize what we received:

o lots of thank you's for exposing the "good times" and "xxx-1" viruses as urban legends (hoaxes);
o no E-mail viruses have been captured (and brought to us for examination);
o the FCC warning concerning "good times" was retracted;
o the warning message and its denunciation are seen to behave like viruses (memetic lifeforms) with a human serving as the replicating mechanism (just like chain letters);
o many people believe "in theory" that malware can be delivered and activated by some mail agents that have automated services.
The best example of such malware was mail delivered to a PC that has embedded, seemingly invisible escape sequences which affect screen display or program the keyboard to do some nastiness when some key is "accidentally" pressed. This case is described more fully below.

CIAC did not claim that E-mail could not be a delivery agent for malware. A real threat comes from attached files, which could contain viruses or Trojan programs. You should scan any executable attachment before executing it, in the same way that you scan all new software before using it.

It is possible to create a file that remaps keys when displayed on a PC/MS-DOS machine with the ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines with the text displayed on the screen in text mode. It would not work in Windows or in most text editors or mailers. A key could be remapped to produce any command sequence when pressed, for example DEL or FORMAT. However, the command is not issued until the remapped key is pressed, and the command issued by the remapped key would be visible on the screen. You could protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS programs use the functionality of ANSI.SYS to control screen functions and colors. Windows programs are not affected by ANSI.SYS, though a DOS program running in Windows would be.

------------------------------

CIAC Plans To Have A Mosaic Home Page In January

We have been working with several people to coordinate the WWW server support for Web home pages for LLNL, the Computer Security Technology Center (CSTC) and CIAC. When we are ready to go, there will be much easier access to information on CIAC and our electronic publications. In the meantime, you might find the listing of security information servers (below) of interest.
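The ANSI.SYS case from the Good Times article above, in detection form. This is an added example and not CIAC's code: it scans a mail body for ESC [ control sequences, separates display-attribute sequences (colour and bold, which legitimate messages of the period used) from the key-reassignment sequence that ANSI.SYS recognizes by its final byte "p", and shows the neutralizing step a mail gateway or reader can apply so that the sequence is displayed rather than interpreted. The sample message is constructed, and the key it reassigns is bound to type a harmless word; the function names and the meaning table are this example's own.

```python
"""Detect ANSI control sequences hidden in a mail body, the ANSI.SYS case
from the Good Times article.  Added example, not CIAC's code.  The sample
message is constructed; its key reassignment types a harmless word."""

ESC = "\x1b"

# Final bytes that matter for this check.  ANSI.SYS ends a key reassignment
# with 'p'; 'm' sets display attributes (colour, bold), which legitimate
# messages of the period sometimes used.
FINAL_BYTE_MEANING = {
    "p": "key reassignment (ANSI.SYS)",
    "m": "display attribute",
}


def find_control_sequences(text):
    """Return a list of (offset, parameters, final byte, meaning) for every
    ESC [ ... sequence in `text`.

    ANSI.SYS allows quoted strings among the parameters of a key
    reassignment, so a quoted string is consumed whole rather than being
    ended by the first letter inside it.  A sequence with no final byte is
    reported as unterminated and ends the scan.
    """
    findings = []
    i = 0
    while True:
        start = text.find(ESC + "[", i)
        if start < 0:
            return findings
        j = start + 2
        params = ""
        final = None
        while j < len(text):
            c = text[j]
            if c == '"':
                close = text.find('"', j + 1)
                if close < 0:
                    break
                params += text[j:close + 1]
                j = close + 1
                continue
            if "@" <= c <= "~":          # 0x40..0x7E terminates a control sequence
                final = c
                j += 1
                break
            params += c
            j += 1
        if final is None:
            findings.append((start, params, None, "unterminated control sequence"))
            return findings
        meaning = FINAL_BYTE_MEANING.get(final, "other control sequence")
        findings.append((start, params, final, meaning))
        i = j


def summarize(text):
    """Count sequences by meaning; a non-zero key-reassignment count is the
    signal a mail gateway or reader should act on."""
    counts = {}
    for _offset, _params, _final, meaning in find_control_sequences(text):
        counts[meaning] = counts.get(meaning, 0) + 1
    return counts


def neutralize(text):
    """Make every escape visible ("^[") so a display driver cannot interpret it.
    This is the mitigation for readers that must keep ANSI.SYS loaded."""
    return text.replace(ESC, "^[")


# Constructed sample message: two colour sequences and one key reassignment
# that binds the key with code 65 ('A') to type the word "harmless" and Enter.
SAMPLE_MAIL = (
    "From: a friend\n"
    "Subject: Greetings\n"
    "\n"
    "Hello!\n"
    "\x1b[1;31mThis line would show in red.\x1b[0m\n"
    "Have a nice day.\x1b[65;\"harmless\";13p\n"
)


if __name__ == "__main__":
    for offset, params, final, meaning in find_control_sequences(SAMPLE_MAIL):
        print(f"offset {offset:3}  ESC[{params}{final}  -> {meaning}")
    print(summarize(SAMPLE_MAIL))
```

The scanner reports colour sequences too, because a gateway that silently strips all of them will break messages people wanted to read that way; the decision to neutralize can be made on the key-reassignment count alone.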
------------------------------

Security Information Servers

Novell:
   http://www.novell.com/cgi-bin/ftpsearch.pl?QString=security

Microsoft Windows:
   gopher://198.105.232.4:70/77%5Ckb%5Cperopsys%5Cwindows%5Cwindows.src?security
   gopher://198.105.232.4:70/77%5Ckb%5Cperopsys%5Cwindows%5Cwindows.src?patches

FIRST's WWW server:
   http://www.first.org/first/

NIST/CSRC
   http://cs-www.ncsl.nist.gov

Purdue Computer Emergency Response Team (PCERT)
   http://www.cs.purdue.edu/pcert/pcert.html

NASA Automated Systems Incident Response Capability (NASIRC)
   (this is accessible to *.nasa.gov systems only, but it can be accessed through the FIRST server, or you can contact NASIRC to be added to their hosts.allow file)
   http://nasirc.nasa.gov/NASIRC_home.html

Naval Computer Incident Response Team (NAVCIRT)
   http://infosec.nosc.mil/niseeast/html/navcirt.html

Australian Computer Emergency Response Team (AUSCERT)
   http://www.auscert.org.au (Proposed to be up in a couple of weeks)
   http://www.uq.oz.au/pcc/services/sert/home.html (Currently active)

DFN-CERT
   German Home Page - http://www.cert.dfn.de/
   English Home Page - http://www.cert.dfn.de/eng/

Computer Emergency Response Team (CERT)
   http://www.sei.cmu.edu/SEI/programs/cert.html

Veterans Health Administration (VHA)
   http://www.va.gov

Small Business Administration (SBA) (Should be up soon)
   http://www.sbaonline.gov/

IBM Computer Virus Information Center
   gopher://index.almaden.ibm.com/1virus/virus.70

Italian Computer Antivirus Research Organization
   http://www-iwi.unisg.ch/~sambucci/icaro/index.html

If you know of others, please send mail to ciac@llnl.gov.

MACINTOSH & PC USER ARTICLES
------------------------------

PowerMAC Users Beware

PowerMAC and Macintosh users who also use PC emulator programs such as SoftPC or SoftWindows need to remember that they need to have both DOS and Mac virus checkers. Currently CIAC knows of no single product that scans both the Mac and DOS sides of a Macintosh.
The hard disk drive for a PC emulator running on a Macintosh is a Macintosh file. While a Macintosh anti-virus scanner can read the file, it only recognizes Macintosh viruses, and won't recognize any PC viruses contained in the file. To scan the file for PC viruses, you must run the PC emulator program and then run a DOS anti-virus product within the emulator to scan for PC viruses. Neither SoftPC (which can run on a 68K Macintosh) nor SoftWindows uses a disk partition for the PC side; both use a Mac file.

------------------------------

Data Physician Plus! 4.0E Available

All DOE sites should now have Data Physician Plus! 4.0E for use on IBM PC compatible systems. Contact your site CPPM if you have not obtained an update. This version does provide protection from the KAOS4 and One_half viruses (see CIAC Bulletin E-32 for further information on KAOS4 and E-34 for information on One_half).

------------------------------

Novell NetWare Users

CIAC is receiving more and more calls from our DOE clients asking for information on minimizing the risks associated with installing NetWare and in further connecting these LANs to the Internet. To supplement our own experiences, CIAC is interested in partnering with other experts to create a comprehensive package of information that could be made available to all sites. If you have Novell NetWare expertise and would like to be a CIAC associate, please send a note to ciac@llnl.gov.

CIAC INFORMATION
------------------------------

Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as:

o Incident Handling Consulting
o Computer Security Information
o On-site Workshops

CIAC is located at Lawrence Livermore National Laboratory in Livermore, California, and is a part of its Computer Security Technology Center.
CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. Further information can be found at http://www.first.org/first/

------------------------------

CIAC Bulletins Issued Recently

CIAC issues two categories of computer security announcements: the information bulletin and the advisory notice. Information bulletins describe security vulnerabilities and recommend countermeasures. Advisory notices are more imperative, urging prompt action for actively exploited vulnerabilities. Advisory notices are delivered as quickly as possible via E-mail and FAX.

F-01  Advisory  SGI IRIX serial_ports Vulnerability                                Oct. 4, 1994, 1600 PDT
F-02  Bulletin  Summary of HP Security Bulletins                                   Nov. 17, 1994, 1300 PDT
F-03  Bulletin  Restricted Distribution
F-04  Bulletin  Security Vulnerabilities in DECnet/OSI for OpenVMS                 Nov. 28, 1994, 0900 PDT
F-05  Bulletin  SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Available   Dec. 06, 1994, 0800 PDT
F-06  Bulletin  Novell UnixWare sadc, urestore, and suic_exec Vulnerabilities      Dec. 14, 1994, 0800 PDT

------------------------------

Contacting CIAC

DOE and DOE contractor sites that require additional assistance or wish to report a vulnerability: call CIAC at 510-422-8193, fax messages to 510-423-8002 or send E-mail to ciac@llnl.gov.

------------------- A - T - T - E - N - T - I - O - N ---------------------
| For emergencies and off-hour assistance, CIAC is available 24-hours a day |
| to DOE and DOE contractors via an integrated voicemail and SKYPAGE number.|
| To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The |
| primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second |
| PIN, 8550074 is for the CIAC Project Leader. Keep these numbers handy.    |
---------------------------------------------------------------------------

------------------------------

CIAC's Electronic Publications

Previous CIAC Bulletins and other information are available via anonymous FTP from ciac.llnl.gov.

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.

Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send requests of the following form:

   subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName, FirstName and PhoneNumber. Send to: ciac-listproc@llnl.gov (not to: ciac@llnl.gov)

e.g.,
   subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36
   subscribe ciac-bulletin O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.

To subscribe an address which is a distribution list, first subscribe the person responsible for your distribution list. You will receive an acknowledgment (as described above). Change the address to the distribution list by sending a second E-mail request. As the body of this message, send the following request, substituting valid information for list-name, PIN, and address of the distribution list:
Send E-mail to ciac-listproc@llnl.gov:

   set list-name address PIN distribution_list_address

e.g.,
   set ciac-notes address 001860 rE-mailer@tara.georgia.orb

To be removed from this mailing list, send the following request:

   unsubscribe list-name

For more information, send the following request:

   help

If you have any questions about this list, you may contact the list's owner: listmanager@cheetah.llnl.gov.

------------------------------

Accessing CIAC's Electronic Information Servers

CIAC operates a security information server for anonymous FTP at ciac.llnl.gov which contains all of the publicly available CIAC, CERT/cc, NIST, and DDN bulletins, virus descriptions, the virus-l moderated virus bulletin board, copies of public domain and shareware virus detection/protection software, copies of useful public domain and shareware utility programs, and patch files for some operating systems.

Use FTP to access it either by name or IP address (128.115.19.53). The operation and prompt will depend on which vendor's FTP you are running. Usually, you must first log in before you can list directory contents and transfer files. Use "FTP" or "anonymous" for Name or Foreign username unless given a general prompt such as ciac.llnl.gov> or FTP>. In that case, enter the keyword "user" or "login" before "FTP" or "anonymous" (e.g., user FTP). Use your Internet E-mail address for the Password. Once logged in you may type a question mark to find out what key-words are recognized.

The file 0-index.txt (in the top level directory /FTP) is a document explaining the directory structure for downloadable files. The file whatsnew.txt (in directory /FTP/pub/ciac) contains a list of the new files placed in the archive. Use the command get [for single files] or mget [for multiple files] to download one or more files to your own machine.

------------------------------

Publications Available from CIAC

CIAC prepares publications on a variety of computer security related topics, the CIAC 2300 series.
Many of these will be updated as needed to keep the information current. We welcome suggestions for topics that you feel would be valuable. We also make available some documents from other sources.

In the table below, column E is for electronic documents available via CIAC's servers (see above). Column P is for printed documents, for those who do not have Internet or telephone-modem access. If neither column is checked, the document is soon to be released. The electronic formats are: *.txt for ASCII, *.ps for PostScript(tm), *.hqx for bin-hexed Microsoft Word, *.wp5 for PC Word Perfect v5.0.

No.   E  P  TITLE
2300  x  x  Abstracts of the CIAC-2300 Series Documents
2301  x  x  Computer Virus Information Update
2302        Accessing The CIAC Computer Security Archives
2303  x  x  The Console Password Feature for DEC Workstations
2304        Data Security Vulnerabilities of Facsimile Machines and Digital Copiers
2305  x     Unix Incident Guide: How To Detect A Unix Intrusion
2308  x     Securing Internet Information Servers
CIAC  x     Incident Handling Guidelines
LLNL  x     User Accountability Statement, E. Eugene Schultz, Jr.
SRI   x     Improving the Security of your Unix System, David A. Curry
LLNL  x     Incident Handling Primer, Russell L. Brand
ORNL  x     Terminal Servers and Network Security, Curtis E. Bemis & Lynn Hyman

To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

------------------------------

End of CIAC Notes Number 94-05d   95_01_11
*****************************************