***********************************************************************
DDN Security Bulletin 9010       DCA DDN Defense Communications System
16 Aug 90               Published by: DDN Security Coordination Center
                                     (SCC@NIC.DDN.MIL)  (800) 235-3155

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN  SECURITY BULLETIN  is distributed  by the  DDN SCC  (Security
Coordination Center) under  DCA contract as  a means of  communicating
information on network and host security exposures, fixes, &  concerns
to security & management personnel at DDN facilities.  Back issues may
be  obtained  via  FTP  (or  Kermit)  from  NIC.DDN.MIL  [192.67.67.20]
using login="anonymous" and password="guest".  The bulletin
pathname is SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin
is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001).
**********************************************************************

        Sun Microsystems Customer Warning System Established


The below information is an announcement by Sun Microsystems that Sun
has established a Customer Warning System to handle computer security
incidents and their prevention.  In addition, the announcement
describes the characteristics of the warning system and the methods
Sun customers should use to report problems and receive Sun security
warnings.



From: Beverly Ulbrich - Product Manager, Software Security
      Jack Collins - Director, Technical Support Services

Subject:  Announcing Sun Microsystem's Customer Warning System 
                   for Security Incident Handling  

Date:   August 14, 1990


In order to best serve our customers' service needs, Sun has established a 
Customer Warning System (CWS) for handling security incidents.  This is a 
formal process which includes:
	- Having a well advertised point of contact in Sun for reporting 
	  security problems. 			
	- Pro-actively alerting customers of worms, viruses or other security 
	  holes that could affect their systems. 
	- Distributing the patch (and/or work-around) to our customers as 
	  quickly as possible.

More specifically, the CWS is being set up as follows:

We have created an email address ( security-alert@sun.com ) which will enable 
both internal and external people to have a single place to report security 
problems.  We have provided a voice-mail back-up ( (415)-336-7205 ) for the 
cases where sending email is not possible.   *ALL* SECURITY HOLES SHOULD BE 
REPORTED TO THIS ALIAS.

We have filled the position of "Security Coordinator" in our Customer Service 
Organization.  The Security Coordinator is responsible for manning the email 
and voice mail hotlines and evaluating the security problems.   We have a 
Customer Warning System "SWAT Team" in place to address severe security 
incidents.  The CWS SWAT Team consists of knowledgeable senior people within 
Sun Corporate who are committed to being available to meet whenever required 
and who are empowered to make all necessary decisions.  

We plan on publicizing the CWS bi-monthly to the allsun alias.  It will 
also be announced (and supported) by the various Computer Emergency Response 
Teams Sun works with.  Please pass this information along to whoever you 
feel is appropriate.  Sales Representatives should be certain to send this 
information to all their security-conscious customers!

Customers and Sun Field Offices may send us a "Security Contact" from their
organizations.  This is the person Sun should contact in the case of any 
new security problems.  He or she will be sent information on the problem at 
hand, including work-arounds and how and when to obtain fixes.  Preferably, 
your Security Contact should be technical.  He or she should be your site's 
System Administrator (or System Security Administrator).  The information we 
need for the Security Contact from the three geographies for customers is as 
follows:

---------------------- U.S. Security Contact Information --------------------

Company Name:
Security Contact's Name:
Customer Number (from Cullinet):
Address ID (from Cullinet)*:

Postal address: 
Email address: 
Phone number:
Fax number: 
Preferred method of contact (from above: 1st, 2nd and 3rd choice):


* If there is not an existing Address ID, we need the full address for
  the security contact.



----------------- Europe and ICON Security Contact Information ---------

Company Name:
Security Contact's Name:
Customer Number:
Address Id:
If there is no customer number or Address ID, then we need the following
information for each customer:

Postal Address:
Email Address:
Phone Number:
Fax Number:
Preferred method of contact (from above: 1st, 2nd and 3rd choice):


--------------- Sun Field Office Security Contact Information ---------------

Office Location:
Security Contact's Name*:
Email address:

*One per office


----------------------------------------------------------------------------


*****   PLEASE SEND THIS INFORMATION TO:   *****

 	  security-alert@sun.com
  
or, if you prefer postal mail:

	Brad Powell
	c/o Sun Microsystems
	MTV18-04
	2550 Garcia Ave.
	Mt. View, CA 94043


All questions should be sent to bju@sun.com.