U.S. DOE's Computer Incident Advisory Capability

                               CIAC NOTES

Number 02e                                                    May 12, 1994

------------------- A - T - T - E - N - T - I - O - N -------------------
| Recently some DOE sites have needed to contact CIAC during off hours. |
| CIAC is available 24-hours a day via its two skypage numbers. To use  |
| this service, dial 1-800-759-7243. The PIN numbers are: 8550070 (for  |
| the CIAC duty person) and 8550074 (for the CIAC manager). Please keep |
| these numbers handy.                                                  |
-------------------------------------------------------------------------

Welcome to the second issue of CIAC Notes!

CIAC has experienced its busiest three months since the Internet Morris Worm attack of November 2, 1988. Recent headlines such as "Security Breach at the Internet Raises Worries" barely expose the potential consequences of the recent Internet attacks. Of the estimated hundred thousand accounts (passwords, userIDs and hostnames) captured by unauthorized personnel, some are DOE related. As long as login passwords must travel in plain text over our networks, the DOE and other organizations connected to the Internet must give serious consideration to using one-time passwords. S/Key(tm) is a Bellcore-developed, one-time password implementation available via anonymous ftp from thumper.bellcore.com.

Additional sources of information and tools that can help security professionals respond to the present Internet attack are included in the feature articles and in the Unix user section of this issue. In future issues, CIAC plans articles on one-time passwords and the security concerns around E-mail, gopher and Mosaic.

If you have topics you would like CIAC to address or have feedback on what is useful and what is not, please contact the editor, Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.
TABLE of CONTENTS

Feature:    FIRST the Forum of Incident Response and Security Teams
            Available Security Tools for Unix and Other Systems
            Some Upcoming Computer Security Related Conferences
Unix user:  Network Sniffer Attacks Continue
DEC user:   OpenVMS Security Update Patch Kits for VAX and AXP users
PC user:    Current PC Anti-Virus Software
            Maltese Amoeba False Positive Detection - PKZIP
            Math Co-processor Problem
            Lotus cc:Mail Caution
MAC user:   Current Macintosh Anti-Virus Software
            New Macintosh Virus: Init-9403
CIAC info:  CIAC Bulletins Issued Recently
            Subscribing to CIAC Electronic Publications
            Security Profile Inspector Mailing List
            CIAC Publications
            Who is CIAC
            Contacting CIAC

==============================
FEATURE ARTICLES
------------------------------
FIRST the Forum of Incident Response and Security Teams

CIAC is a member of FIRST. This group includes response teams from the U.S. government such as the DoD's ASSIST and NASA's NASIRC; university teams such as CERT/cc; international teams such as CERT-NL in the Netherlands; and commercial teams such as Apple's APPLECORE group. FIRST members work together handling major incidents and sharing information needed to combat hacker-intruders and system vulnerabilities. Much of the administrative support for FIRST comes from NIST, the National Institute for Standards and Technology, which maintains FIRST mailing lists, document servers, etc.

A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line:

  send first-contacts

Information about FIRST can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line:

  send info
Information about FIRST's Annual Computer Security Incident Handling Workshops can be obtained by sending E-mail to workshop-info@first.org with an empty subject line and a message body containing the line:

  send info

The following feature article on available security tools is based on information collected by FIRST. The sections on CrackLib, NID, SPI, S/Key(tm) and Tripwire have been added or revised.

------------------------------
AVAILABLE SECURITY TOOLS FOR Unix AND OTHER SYSTEMS

Of the many tools available for system and network security, a number are useful in incident handling. This article provides access information for a subset of tools considered most useful for incident handling. The tools are divided into four categories:

  1 - tracing and tracking tools - for tracing connections and examining raw TCP/IP data.
  2 - security assessment tools - for examining host security, passwords, and configuration.
  3 - security enhancement - for improving host security.
  4 - encryption - useful utilities for storing and exchanging encrypted data. NIST has now released a Federal Information Processing Standard (FIPS) allowing for software implementation of DES. Several are listed.

Active use of these tools can enhance security, prevent break-ins, or help you determine if your system has been compromised. The vast majority of these tools are for Unix and all have something to do with the Internet and the TCP/IP protocol suite. If you recommend other tools, please contact CIAC.

To obtain up-to-date, tools-related information, you can subscribe to the following E-mail lists and news groups:

  cert-tools - send E-mail to cert-tools-request@cert.org
  comp.security.misc
  sci.crypt
  comp.sources.binaries

1. Tracing/Tracking Tools

Tool:          NID (Network Intrusion Detector)
Description:   NID is an Ethernet Monitoring tool that checks packet streams for known suspicious security activities. Session isolation and replay capabilities are offered.
Availability:  While not available to the general public, it is available free of charge to all U.S. Department of Energy sites and contractors. Send E-mail to ciac@llnl.gov. It is also available to all U.S. Department of Defense organizations via DISA's ASSIST Team. Send E-mail to assist@assist.ims.disa.mil.

Unix Tool:     traceroute
Description:   For tracing routes between the current host and other Internet sites. Useful for examining hops, detecting sites that are down, or sites that do not resolve properly.
Availability:  in comp.sources.Unix archives, ftp from many sites including ftp.uu.net.

Unix Tool:     tcpdump
Description:   For monitoring TCP/IP packets for BSD-based Unix systems.
Availability:  anonymous ftp from ftp.ee.lbl.gov.

Unix Tool:     dig
Description:   For querying Domain Name Service servers in a more flexible, convenient manner than nslookup.
Availability:  anonymous ftp from venera.isi.edu.

2. Security Assessment Tools

OpenVMS Tool:  SPI/VMS (Security Profile Inspector for OpenVMS)
Description:   SPI/VMS is an administrator's tool that checks configuration options, includes a file-change (integrity) checker to monitor for backdoors and alteration of identified files, and various other security checks.
Availability:  While not available to the general public, it is available free of charge to all U.S. Department of Energy sites and contractors. Send E-mail to ciac@llnl.gov. It is also available to all U.S. Department of Defense organizations via DISA's ASSIST Team. Send E-mail to assist@assist.ims.disa.mil.

Unix Tool:     SPI/Unix (Security Profile Inspector for Unix)
Description:   SPI/Unix is a screen-based administrator's tool, which is a superset of COPS, that checks configuration options, includes a file-change (integrity) checker to monitor for backdoors and viruses, and various other security checks.
Availability:  While not available to the general public, it is available free of charge to all U.S. Department of Energy sites and contractors.
               Send E-mail to ciac@llnl.gov. It is also available to all U.S. Department of Defense organizations via DISA's ASSIST Team. Send E-mail to assist@assist.ims.disa.mil.

Unix Tool:     COPS (Computer Oracle and Password System)
Description:   A collection of programs that each attempt to tackle a different problem area of Unix security. Following is a list of the areas checked:
               - file, directory, and device permissions/modes
               - poor passwords
               - content, format, and security of password and group files
               - the programs and files run in /etc/rc* and cron(tab) files
               - existence of root-SUID files
               - a CRC check against important binaries or key files
               - writability of users home directories and startup files (.profile, .cshrc, etc.)
               - anonymous ftp setup
               - unrestricted tftp, decode alias in sendmail, SUID uudecode problems, hidden shells inside inetd.conf, rexd running in inetd.conf
               - miscellaneous root checks
Availability:  anonymous ftp from cert.org

Unix Tool:     CRACK
Description:   CRACK is a fast Unix password cracking program designed to assist site administrators in ensuring effective password use. It is approximately eight times faster than standard DES routines, enabling one to check more passwords in a given time. CRACK is widely available and presumed to be used by intruders.
Availability:  anonymous ftp from cert.org

Unix Tool:     TAMU Suite of Tools
Description:   This package includes three coordinated sets of tools: "drawbridge," a powerful bridge filtering package; "tiger," a set of machine checking programs; and "netlog," a set of intrusion detection, network monitoring programs.
Availability:  anonymous ftp from sc.tamu.edu

3. Security Enhancement Tools

Unix Tool:     TCP Wrapper
Description:   With this package you can monitor incoming connections to the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other IP network utilities. Connections are reported through the syslog daemon.
               Requirements are that network daemons are started by the inetd program or something similar, and the availability of a syslog(3) library. Optional features are: access controls to limit the number of hosts that can connect to your network daemons, remote user name lookups with the RFC 931 protocol, and protection against hosts that pretend to have someone else's host name.
Availability:  anonymous ftp from ftp.win.tue.nl

Unix Tool:     passwd+
Description:   Passwd+ is a proactive password checker that replaces /bin/passwd on your system. It is rule-based and easily configurable. It prevents users from selecting a weak password so that programs like CRACK can't guess it, and it provides enhanced syslog logging.
Availability:  anonymous ftp from dartmouth.edu

Unix Tool:     securelib
Description:   SecureLib contains replacement routines for three SunOS kernel calls: accept(), recvfrom(), recvmsg(). These replacements, compatible with the originals, add functionality to check the Internet address of the machine initiating the connection, making sure that it is allowed. A configuration file defines what hosts are allowed for a given program. Once these replacement routines are compiled, they can be used when building a new shared libc library. The resulting "libc.so" can then be put in a special place. Any program that should be protected can then be started with an alternate LD_LIBRARY_PATH.
Availability:  anonymous ftp from eecs.nwu.edu

Unix Tool:     socks
Description:   "Sockd" and the "socks library" provide another way to implement a "TCP Wrapper." It is not intended to make the system it runs on secure, but rather to centralize ("firewall") all external Internet services. The sockd process is started by inetd whenever a connection is requested for certain services, and then only allows connections from approved hosts (listed in a configuration file). Sockd also will LOG information about the connection.
               You can use the Socks Library to modify the client software to directly utilize sockd for outgoing connections. This is very tedious and requires you to have client program source code.
Availability:  anonymous ftp from s1.gov

Unix Tool:     npasswd
Description:   Like passwd+, npasswd is a replacement for the standard "passwd" command that prevents users from selecting easily-guessable passwords.
Availability:  anonymous ftp from emx.utexas.edu

Unix Tool:     Tripwire
Description:   Tripwire is an integrity-monitor for Unix systems. It uses checksums and message digests to build a list of "signatures" for monitored files, and can be rerun to check for changes. It can monitor selected items of system-maintained information, changes in permissions, links, sizes of directories and files, and additions or deletions of files from watched directories. It should work on almost any version of Unix, makes no changes to system files and does not require root privilege to run. It is distributed as papers and source code.
Availability:  anonymous ftp from ftp.cs.purdue.edu/pub/spaf/COAST/Tripwire or WWW http from www.cs.purdue.edu/homes/spaf/coast.html

Unix Toolkit:  CrackLib
Description:   CrackLib is a library of C functions to be used in your own password checking program. Prevents users from choosing passwords that could be guessed by "Crack." NOTE WELL: CrackLib is NOT a replacement "passwd" program. CrackLib is a LIBRARY. You must add it into your own "passwd" program (if you have source code) or to "shadow" (off of the net).
Availability:  anonymous ftp (CrackLib + large dictionary) from black.ox.ac.uk:~ftp/src/security/cracklib25.tar.Z

4. Encryption/Authentication Tools

Tool:          DES - KA9Q
Description:   A U.S. written implementation of DES is part of the KA9Q packet radio implementation. This version is not exportable.
Availability:  anonymous ftp from ucsd.edu:/hamradio/packet/tcpip/crypto/des.tar.Z

Tool:          DES
Description:   An implementation of DES suitable for use with Kerberos and compatible with DES packages offered by several Unix vendors. Because this implementation was not created in the U.S., export restrictions do not apply.
Availability:  anonymous ftp from kampi.hut.fi

Unix Tool:     MD4/MD5
Description:   MD4 is another message-digest function proposed by Ron Rivest; similar to SNEFRU but implemented differently, it produces a fixed 128-bit output. MD5 is newer and slightly more secure in the face of certain cryptographic attacks.
Availability:  anonymous ftp from rsa.com

Tool:          kerberos
Description:   Kerberos is a DES-based encryption scheme that encrypts sensitive information, such as passwords, sent via the network from client software to the server daemon process. The network services will automatically make requests to the Kerberos server for permission "tickets." You will need to have the source to your client/server programs so that you can use the Kerberos libraries to build new applications.
Availability:  anonymous ftp from athena-dist.mit.edu

Tool:          S/Key(tm)
Description:   Bellcore developed S/Key(tm), a one-time password system providing authentication over networks that are subject to eavesdropping/replay attacks. The user's secret password never crosses the network during login, or when executing other commands requiring authentication. No secret information is stored anywhere, and the algorithm is public knowledge. The remote (client) end of this system can be run on any computer. The host (server) end can be integrated into any application requiring authentication. A prototype system has been built for a Unix, MAC and PC environment, but there is nothing Unix-specific about the design.
Availability:  anonymous ftp from thumper.bellcore.com/pub/skey

------------------------------
UPCOMING COMPUTER SECURITY RELATED CONFERENCES

DOE's Computer Security Training Conference
May 2-5, 1994
Sheraton Denver Tech Center Hotel, Denver, Colorado
Who to contact: DOE CSG Training 301-903-4195
                Ms. Eunice Warmoth, Conference Chair, EG&G Mound Applied Technologies
                Dr. Rowena Chester, Program Chair, Martin Marietta Energy Systems
Conference Registration must be received by April 22, 1994.

This is a forum for DOE and DOE contractor personnel to share computer security information and concerns. Five parallel workshop sessions will be offered. Technical sessions are divided into three tracks: technical, management, and general. A computer security video session and some "birds of a feather" technical sessions are also planned.

Sixth Annual Computer Security Incident Handling Workshop hosted by FIRST
July 25-29, 1994
Boston, Massachusetts

This annual Incident Handling Workshop is part of FIRST's ongoing program of education and awareness for its members and others. The workshop is targeted at the growing number of computer security professionals who must deal with increasingly sophisticated security incidents and system vulnerabilities. The focus of this year's three day workshop is on tools for incident handling in an international arena. The workshop is being conducted as a series of tutorials, seminars, and hands-on sessions on related topics. Presentations will focus on tools that are utilized in incident handling such as: intrusion/vulnerability detection tools, system/network monitoring tools, informational resources, legal and administrative issues in incident handling for international incidents, incident handling and the National Information Infrastructure.
If you have questions regarding this year's event, please direct them to:

  FIRST Secretariat: workshop-info@first.org

==============================
UNIX USER ARTICLES
------------------------------
NETWORK SNIFFER ATTACKS CONTINUE

The magnitude of this problem continues to be revealed by discovery of more Internet monitoring attacks affecting additional systems and sites. CIAC urges all Unix System Administrators to take steps to learn about the nature of these attacks and employ the countermeasures needed. Please refer to CIAC Advisories E-09, E-12, and E-13. Advisory E-12 has a lengthy listing of cryptographic checksums and a tool to automate system inspection. As corrected or new information comes to our attention, we are updating the list used by this tool. The most current data will be available via anonymous ftp from irbis.llnl.gov in the directory /pub/util/crypto/md5_sun.v(1, 2, ... etc.).

System administrators must check all Unix systems to ensure that no Trojan horse files have replaced system utilities and libraries. If the system is "clean," then all known security patches must be installed. If the system is compromised, a complete backup should be made, and then a "clean" system and security patches must be installed. New passwords must be required for all accounts, and hidden logs of sniffed accounts and passwords found. All logs should be searched for evidence of other compromised systems.

The security of each system can be greatly enhanced by requiring one-time passwords, installing software that limits system access (e.g., TCP wrapper), a monitor for unauthorized system changes (e.g., SPI) and a monitor for intrusions (e.g., NID). Please see the above feature article "Available Security Tools for Unix and Other Systems" for availability information.
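The check this article asks for, comparing the cryptographic checksums of system utilities against a trusted list, is the same idea the Tripwire and SPI entries in the feature article describe. The following added example is written for this issue and is not CIAC's md5_sun tool, nor Tripwire or SPI code: it records an MD5 digest (the algorithm of the E-12 list) for every regular file under a directory on a known-good system and later reports files that changed, disappeared, or appeared. The directory tree and the tampering in demo() are constructed for the demonstration; the baseline dictionary stands in for a vendor-supplied or previously recorded checksum table.

```python
"""File-integrity check in the style of the E-12 checksum list and Tripwire.

Added example, not CIAC's or Tripwire's code. The baseline is an in-memory
dictionary of path -> hex digest; a real deployment would keep it on
read-only media so an intruder cannot rewrite it along with the binaries.
"""
import hashlib
import os
import tempfile


def file_digest(path: str, algorithm: str = "md5") -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str, algorithm: str = "md5") -> dict:
    """Record a digest for every regular file under root.

    Run this on a system known to be clean (freshly installed from vendor
    media); the result is the reference the later comparison trusts.
    Symbolic links are skipped because their targets are hashed separately.
    """
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                baseline[rel] = file_digest(path, algorithm)
    return baseline


def compare(baseline: dict, root: str, algorithm: str = "md5") -> dict:
    """Report changed, missing and added files relative to the baseline.

    A changed system binary is the Trojan-horse symptom E-12 warns about;
    an added file in a system directory may be a hidden log or a planted
    tool and deserves a look as well.
    """
    current = build_baseline(root, algorithm)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then alter one file,
    delete another and add a third, as a compromise might."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("bin/login", b"#!/bin/sh\nexec real-login\n"),
                           ("bin/ps", b"#!/bin/sh\nexec real-ps\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Appended bytes stand in for a replaced (trojaned) binary.
        with open(os.path.join(root, "bin/login"), "ab") as f:
            f.write(b"# constructed modification\n")
        os.remove(os.path.join(root, "bin/ps"))
        with open(os.path.join(root, "bin/.extra"), "wb") as f:
            f.write(b"x")
        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline must come from somewhere the intruder could not have touched (vendor media or the published E-12 list), and the comparison tool itself should be run from that trusted medium, since a compromised system may also have a replaced md5 or sum binary.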
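The one-time password scheme that this article recommends, and that the S/Key(tm) entry in the feature article describes, works as a chain of hashes: the client keeps the secret and computes a hash function applied N times to seed-plus-secret, while the server stores only the sequence number, the seed and the last accepted chain value. Each login presents the value one step earlier in the chain, which the server checks by hashing it once; an eavesdropper who captures that value cannot produce the next one, because the hash cannot be run backwards. The following added example is not Bellcore's S/Key code: it substitutes SHA-256 for the MD4 hash S/Key used and keeps the server record in memory rather than in a file, both assumptions made for illustration.

```python
"""One-time password chain in the style of S/Key.

Added example, not Bellcore's implementation. Assumptions: SHA-256 stands
in for S/Key's MD4 and the server record lives in an object instead of a
file. The structure (hash chain, count-down sequence number, single-hash
verification) is the one the S/Key description in this issue refers to.
"""
import hashlib
import secrets


def otp_hash(value: bytes) -> bytes:
    """One step of the chain: H(x)."""
    return hashlib.sha256(value).digest()


def chain(seed: str, secret: str, count: int) -> bytes:
    """Compute H^count(seed || secret).

    The client runs this locally, so the secret never crosses the network.
    """
    value = (seed + secret).encode()
    for _ in range(count):
        value = otp_hash(value)
    return value


class OtpServer:
    """Server side: keeps the sequence number, the seed and the last accepted
    chain value. No secret is stored here, as the S/Key description says."""

    def __init__(self, seed: str, secret: str, n: int = 100):
        # Initialisation happens once, from a trusted console; the secret is
        # used to compute H^n and then discarded on this side.
        self.seed = seed
        self.n = n
        self.last = chain(seed, secret, n)

    def challenge(self) -> tuple:
        """Sent in the clear: the sequence number the client must answer
        with, and the seed it needs to recompute the chain."""
        return self.n - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff H(response) equals the stored value; on success move the
        stored value back one step so the same response can never be replayed."""
        if self.n <= 1:
            return False  # chain exhausted: re-initialise with a new seed
        if secrets.compare_digest(otp_hash(response), self.last):
            self.last = response
            self.n -= 1
            return True
        return False


def client_response(seed: str, secret: str, sequence: int) -> bytes:
    """What the client sends for a challenge (sequence, seed)."""
    return chain(seed, secret, sequence)


def demo() -> dict:
    """Constructed walk-through: a valid login, a replay of the captured
    response, a wrong secret, then a second valid login."""
    secret = "correct horse battery staple"
    server = OtpServer("sn1234", secret, n=5)
    seq, seed = server.challenge()                 # (4, "sn1234"), in the clear
    good = client_response(seed, secret, seq)      # H^4, sent over the network
    first = server.verify(good)                    # True
    replay = server.verify(good)                   # False: captured copy is useless
    seq2, _ = server.challenge()                   # now 3
    wrong = server.verify(client_response(seed, "wrong password", seq2))  # False
    second = server.verify(client_response(seed, secret, seq2))           # True
    return {"first": first, "replay": replay, "wrong": wrong,
            "second": second, "remaining": server.n}


if __name__ == "__main__":
    print(demo())
```

The replay step is the point of the exercise: the sniffer attacks described in this article capture whatever crosses the wire, and here what crosses the wire is worthless once it has been used once. The chain must be re-initialised from a trusted path before the sequence number reaches zero.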
==============================
DEC USER ARTICLES
------------------------------
OpenVMS SECURITY UPDATE PATCH KITS

Digital Equipment Corporation has developed OpenVMS VAX and Alpha AXP patch kits for their software warranty and software contract maintenance customers. The kit for OpenVMS VAX versions 5.4-3, 5.5, 5.5-1, 5.5-2, 5.5-2H4, 5.5-2HF, and 6.0 began to ship mid-March. The kit for OpenVMS AXP versions 1.5 and 1.5-1H1 shipped in January '94. These kits contain a large number of patches available from Digital. The kits make it easy to install this collection of remedial fixes, thus helping those running older versions. A few of the patches provide enhanced security, hence the designation "security kit." Future releases of OpenVMS will incorporate these patches.

To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

==============================
PC USER ARTICLES
------------------------------
CURRENT PC ANTI-VIRUS SOFTWARE

Reference to any specific commercial product does not necessarily constitute or imply its endorsement, recommendation or favoring by CIAC, the United States Government or the University of California.

As of March 9, 1994, current versions of PC anti-virus software are:

PRODUCT_NAME                  COMPANY                         VERSION   DATE_RELEASED
------------                  -------                         -------   -------------
AVP                           Kami Limited                    1.07      October 1993 w 1/94 update
CP AntiVirus (CPAV)           Central Point Software Inc.     2.1       November 1993
Data Physician PLUS!*         Digital Dispatch Inc.           4.0C      January 1994
FindVirus/Dr.Solomon's        Ontrack Computer Systems Inc.   FV 6.54   March 1994
  AntiVirus Toolkit
F-PROT                        FRISK Associates                2.11      February 1994
IBM Antivirus                 IBM Corp.                       1.05      February 1994
Integrity Master              Stiller Research, Dept. B1      2.21      February 1994
Norton AntiVirus (NAV)        Symantec Corp.                  3.0.2     December 1993
PC Rx Antivirus               Trend Micro Devices Inc.        2.65      ?
SCAN                          McAfee Associates               921v111   January 1994
Thunderbyte                                                   6.10      January 1994
Untouchable                   Fifth Generation Systems Inc.   29.04     ?
VET                           Cybec                           7.52      November 1993
Virex for the PC              Datawatch, Triangle Sw. Div.    2.93      February 1994
ViruSave                      EliaShim Microcomputers Inc.    5.3       ?
VirusBuster                   Leprechaun Sw. Int'l Ltd.       3.98      ?

* Note: The Department of Energy has a site license for Data Physician Plus. It is available from your site CPPM.

To obtain further information, contact Karyn Pichnarczyk, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
MALTESE AMOEBA FALSE POSITIVE DETECTION - PKZIP

Version 2.04C of PKZIP, the popular file compression utility, is known to cause false positive detection of the Maltese Amoeba Virus by several well-known anti-virus scanners. The current versions of anti-virus scanners have been updated to correct this problem, and PKZIP has been updated to version 2.04D, which does not cause a positive detection by old versions of the scanners. If you have a detection of the Maltese Amoeba in PKUNZIP.EXE, and it came from version 2.04C (PKZ204C.EXE), and you are using an old version of an anti-virus scanner, then you probably don't have a virus infection. However, you should still treat it as a virus infection until you can scan the program with a newer version of your virus scanner.

To obtain further information, contact William J. Orvis, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
MATH CO-PROCESSOR PROBLEM

CIAC received information from Pacific Northwest Laboratory about the following problem and fix. There is a potential problem with floating point calculations, recently discovered on the following systems:

  * Zeos 486DX with the Award BIOS v3.1, revisions 452-0005-02A and 452-0005-01B and Gateway 486DX machines with Phoenix BIOS 0.10 G14.
  * IBM 486DX Valuepoint (not enough information available yet as to particular BIOS revisions or models).
  * A couple no-name brands (seriously, there was no identification on the case) with 386DX processors and 80387 co-processors and the American Megatrends BIOS.
In particular, several configurations were found that improperly report the results of a "divide by zero" floating point operation.

NOTE: It is not known if the problem is restricted to these particular machines or whether it is a configuration issue on these machines.

Examples of applications which use floating point operations are CAD/CAM, custom developed and statistical applications. The impact on floating point operations by EXCEL and other office automation applications is being checked.

Procedures for checking a standalone system for the floating point "divide by zero":

  1) Place a copy of FPTEST.EXE and DIVZERO.EXE on a floppy.
  2) Restart the computer you want to test by rebooting.
  3) Place the floppy in drive A or B.
  4) Change to that drive.
  5) Type at the A:> (or whatever drive you are at) prompt:

       FPTEST -D

The program will tell you it is testing the math co-processor and whether or not it passes the test.

The programs, FPTEST.EXE and DIVZERO.EXE, are now available to DOE sites via anonymous ftp from ftp.pnl.gov in the directory /pub/outgoing (files will be deleted automatically in seven calendar days). Non-DOE sites wanting anonymous access to ftp.pnl.gov should mail a request to ftpadmin@ftp.pnl.gov.

------------------------------
LOTUS CC:MAIL CAUTION

CIAC recently released CIAC Bulletin E-11, "Lotus cc:Mail Security Upgrade Available." In response to that bulletin, CIAC received the following information about a function in cc:Mail that has security implications.

The following three lines may be visible in your CONFIG.SYS file:

  SET CCNAME=Your Name
  SET CCPASSWORD = Your Password
  SET CPATH=Your Post Office path name

The "Your Password" field will be visible in plain text. CIAC has contacted Lotus about this and they have answered that this information will ONLY be placed at the end of a user's CONFIG.SYS file if the user selects the automatic login option at cc:Mail installation. CIAC strongly recommends that this automatic login option NOT be selected.
To determine if your system has been set up in this manner, type out your CONFIG.SYS file. If the SET CCPASSWORD line is present, simply edit the line out of the file using any file editor. Once edited out of the file, the system will prompt you for a password at each login.

CIAC would like to thank Tom Obenauf of Sandia National Laboratories for bringing this to our attention.

To obtain further information, contact Karyn Pichnarczyk, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

==============================
MAC USER ARTICLES
------------------------------
CURRENT MACINTOSH ANTI-VIRUS SOFTWARE

Reference to any specific commercial product does not necessarily constitute or imply its endorsement, recommendation or favoring by CIAC, the United States Government or the University of California.

As of March 9, 1994, the current versions of Macintosh anti-virus software [all released early March, 1994] are:

PRODUCT_NAME                    VERSION   COMMENTS
------------                    -------   --------
CPAV                            3.0c      Central Point Software Inc. BBS: 503-690-6650
                                          New 'MacSig' antidote file 3/4/94
Disinfectant                    3.4.1     Free Software. Vers 3.4 released for INIT-9403 had a minor bug
Gatekeeper                      1.3.1     Free Software.
Rival                                     INIT-9403 Vaccine E-mailed to all registered users.
                                          The vaccine will be sent only if you have upgraded to vers 1.2.5.
SAM Virus Clinic & Intercept    3.5.11    Symantec Customer Svc 800-441-7234
Virex                           4.1       Datawatch Corp. Triangle Sw. Div. 919-549-0711, BBS: 919-549-0042
VirusDetective                  5.0.11    Shareware (product phasing out). Search strings sent to registered users only.

To obtain further information, contact Karyn Pichnarczyk, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
NEW MACINTOSH VIRUS: INIT-9403

The discovery of a new Macintosh virus was announced March 3rd, 1994.
This virus, the INIT-9403 Virus, is a malicious virus which will erase disk information on all connected hard drives, as well as erase the boot volume after a preset number of files have been infected. The virus initially infects by altering the Finder file, then may insert copies of itself in various compaction, compression, and archive programs (programs most likely to be shared with other Macintoshes). This virus has only been seen on Italian systems, so far. If you detect this virus on a non-Italian system, please contact CIAC immediately. New releases of anti-virus software for the Macintosh detect and eradicate this virus.

At least one vendor has decided to call the INIT-9403 virus the "SysX" virus. Since there is no common naming scheme for new Mac viruses, expect to see the names "INIT-9403" and "SysX" as aliases.

An unexpected system conflict sometimes results in Disinfectant 3.4 giving the "unexpected error -192" message when running on Macs with enabler versions 003 (the LC III) and 040 (the Centris/Quadra 610, 650, and 800), and with the 32 bit system enabler. You can safely ignore this error message as it does not signify a real problem. Disinfectant 3.4 and the Disinfectant INIT can both be safely used on all Macintosh systems to protect against all known Macintosh viruses. John Norstad, the author of Disinfectant, released version 3.4.1 to fix this bug. It has been announced and made available in the usual places, e.g., ftp.acns.nwu.edu, sumex-aim.stanford.edu, AppleLink, rascal.ics.utexas.edu, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, and comp.binaries.mac.

CIAC would like to thank Gene Spafford of Purdue University for releasing the information about this virus.

To obtain further information, contact Karyn Pichnarczyk, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.
==============================
CIAC INFORMATION ARTICLES
------------------------------
CIAC BULLETINS ISSUED RECENTLY

CIAC issues two categories of computer security announcements: the information bulletin and the advisory notice. Information bulletins describe security vulnerabilities and recommend countermeasures. Advisory notices are more imperative, urging prompt action to close potentially or actively exploited vulnerabilities. Advisory notices are delivered as quickly as possible via FAX, E-mail, and postal service.

E-07  Bulletin  Unix sendmail Vulnerabilities Update
                Gives status of vendor security patches to correct vulnerabilities in the Unix sendmail utility (see CIAC Advisory E-03). Workarounds given in E-03 may be safely used even after vendor patches have been installed.
                January 7, 1994, 0900 PST

E-08  Bulletin  Restricted Distribution
                January 25, 1994, 1530 PST

E-09  Advisory  Network Monitoring Attacks
                Unauthorized access and use of resources; exposure of username, password, host-name combinations, as well as other sensitive information.
                February 3, 1994, 2130 PST

E-10  Bulletin  IBM AIX Performance Tools Vulnerability
                Unprivileged local users may gain unauthorized root access.
                February 24, 1994, 2000 PST

E-11  Bulletin  Lotus cc:Mail Security Upgrade Available
                Accounts could be compromised if another person is allowed access to a cc:Mail user's personal computer.
                March 7, 1994, 0900 PST

E-12  Advisory  Network Monitoring Attacks Update
                New information on the problem, actions to take to eliminate vulnerabilities and strengthen system security. Tables of checksums for many SunOS files and patches.
                March 18, 1994, 1800 PST

E-13  Advisory  Sun Announces Patches for /etc/utmp Vulnerability
                SunOS 4.1.x systems (but not SunOS 4.1.3_U1 or Solaris 2.x) need to patch dump, in.comsat, in.talkd, shutdown, syslogd, and write.
                March 21, 1994, 1200 PST

E-14  Advisory  wuarchive ftpd Trojan Horse
                Some copies of the wuarchive FTP daemon before version 2.3 have been modified to contain a Trojan Horse.
                April 6, 1994, 1640 PDT

E-15a Bulletin  Restricted Distribution
                April 7, 1994, 0930 PDT

E-16a Bulletin  Restricted Distribution
                April 7, 1994, 1000 PDT

E-17  Bulletin  FTP Daemon Vulnerabilities
                There are active exploitations of several implementations of the FTP daemon. Immediate upgrade recommended.
                April 14, 1994, 1130 PDT

To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
SUBSCRIBING TO CIAC ELECTRONIC PUBLICATIONS

CIAC has several self-subscribing mailing lists for electronic publications:

  1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information;
  2. CIAC-NOTES for Notes, a collection of computer security articles;
  3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
  4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.

Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber"; E-mail to ciac-listproc@llnl.gov:

  subscribe list-name LastName, FirstName PhoneNumber

  e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.
To subscribe an address which is a distribution list, first subscribe the person responsible for your distribution list. You will receive an acknowledgment (as described above). Change the address to the distribution list by sending a second E-mail request. As the body of this message, send the following request, substituting valid information for "list-name", "PIN", and "address of the distribution list"; E-mail to ciac-listproc@llnl.gov:

    set list-name address PIN distribution_list_address

e.g., set ciac-notes address 001860 remailer@tara.georgia.orb

To be removed from this mailing list, send the following request:

    unsubscribe list-name

For more information, send the following request:

    help

If you have any questions about this list, you may contact the list's owner: listmanager@cheetah.llnl.gov.

------------------------------
SECURITY PROFILE INSPECTOR MAILING LIST

The Security Profile Inspector (SPI) Development team has established two self-subscribing E-mail lists to service the SPI user community. These lists are titled SPI-ANNOUNCE and SPI-NOTES. The SPI-ANNOUNCE list will be used by the SPI team to provide official news about SPI software updates, new features, and general information regarding SPI distribution availability. The second list, SPI-NOTES, is an unmoderated forum for users to discuss problems and solutions regarding the use of SPI products.

To subscribe to one of these mailing lists, in the body of the message substitute SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName", "FirstName" and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber

e.g., subscribe spi-announce Butler, Rhett G. 404-555-1212 x42

You will receive an acknowledgment containing address, initial PIN, and information about how to change either of them, cancel your subscription, or get help.
PLEASE NOTE: The RETURN ADDRESS of the E-mail you send is used by ciac-listproc to identify incoming requests. Mail from a new address will be rejected until you send a "set" command changing your subscription address. You may use this address change to subscribe a distribution-list address to the SPI-ANNOUNCE service, rather than have each of the recipients subscribe to the service individually.

If you have any questions about this list, you may contact the list's owner: listmanager@cheetah.llnl.gov.

------------------------------
CIAC PUBLICATIONS

CIAC is preparing publications on a variety of computer security related topics. Many of these will be updated as needed to keep the information current. The publications will be available in electronic form via CIAC's servers or in printed form for those who do not have Internet or telephone-modem access. We welcome suggestions for topics that you feel would be valuable. The publications available are:

CIAC #  TITLE
2300    Abstracts of the CIAC-2300 Series Documents
2301    Computer Virus Information Update
2302    The FELICIA Bulletin Board System and the IRBIS Anonymous FTP Server
2303    The Console Password Feature for DEC Workstations

To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
WHO IS CIAC?

CIAC is the United States Department of Energy's Computer Incident Advisory Capability. We provide incident handling assistance, computer security training and awareness activities, and related services. The following people are presently assigned to the CIAC Team. Each has varied computer security experience and specializations.

Sandra L. Sparks is the CIAC Project Leader. Sandy is available to talk with you via phone at 510-422-6856 or E-mail as ssparks@llnl.gov. In an emergency incident situation, she can be contacted via the secondary skypage: call 1-800-SKYPAGE (759-7243) and enter PIN number 8550074.
Name                      Technical Support Areas
----                      -----------------------
Sandy Sparks              IBM VM/CMS, PC systems
Rich Feingold             OpenVMS, ULTRIX, Unix, PC, networks, training
Bill Orvis (half time)    DOS, Macintosh, UNICOS, OpenVMS, engineering
Karyn Pichnarczyk         DOS, Macintosh, viruses, Unix
Sandy Sydnor              Administrative support coordinator
Allan Van Lehn            OpenVMS, sys admin, special projects, Notes editor
Steve Weeber              SunOS, Unix, X-windows, firewalls, Netmap

To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
CONTACTING CIAC

If you require additional assistance or wish to report a vulnerability, call CIAC at 510-422-8193, fax messages to 510-423-8002 or send E-mail to ciac@llnl.gov. For emergencies and off-hour assistance, call 1-800-SKYPAGE (1-800-759-7243) and enter PIN number 8550070 (primary) or 8550074 (secondary). The CIAC Duty Officer, a rotating responsibility, carries the primary skypager. The Project Leader carries the secondary skypager. If you are unable to contact CIAC via phone, please use the skypage system.

------------------------------
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

------------------------------
End of CIAC Notes Number 02e 94_05_12
**************************************