**************************************************************************
                        Security Bulletin 9406
                  DISA Defense Communications System
                          February 15, 1994

Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL)
              1-(800) 365-3642

                 DEFENSE DATA NETWORK SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302).
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
  The following important advisory was issued by the Computer
  Emergency Response Team (CERT) and is being relayed unedited
  via the Defense Information Systems Agency's Security
  Coordination Center distribution system as a means of
  providing DDN subscribers with useful security information.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        Automated Systems Security Incident Support Team
                    Integritas et Celeritas
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 94-02B
Release date: 11 February 1994, 1500 EST

Subject: Actions to be taken by DoD systems affected by the recent MILNET/Internet intrusions detailed in ASSIST Bulletin 94-02.
SUMMARY:

ASSIST has received numerous calls from persons requesting additional information about which systems were affected by recent large scale network sniffer incidents, and what actions must be taken to correct problems. These points were addressed in ASSIST Bulletin 94-02, but various interpretations of the information have resulted in some confusion. This bulletin attempts to clarify the confusion. Additional ASSIST Bulletins will be released as more information becomes available.

BACKGROUND:

ASSIST Bulletin 94-02 described a recent network security event that affects every MILNET host that accepts remote network connections (FTP, telnet, and rlogin). The event has been ongoing since at least mid-December. The compromise of account information occurred using network eavesdropping software ("packet sniffers") operating on major Internet backbones, as well as at least one MILNET system.

IMPORTANT: SINCE THESE PACKET SNIFFERS DO NOT SPECIFICALLY TARGET INFORMATION FROM UNIX SYSTEMS, ALL SYSTEMS ON THE NETWORK ARE POTENTIALLY VULNERABLE TO THE EAVESDROPPING, REGARDLESS OF SYSTEM TYPE. The packet sniffers compromise any FTP, rlogin, or telnet packet regardless of the type of operating system (e.g., UNIX, VMS, MVS, PC, Macintosh) the packet was sent from or to.

IMPORTANT: A SYSTEM DOES NOT HAVE TO BE COMPROMISED ITSELF TO BE AFFECTED BY THIS INCIDENT; IT SIMPLY HAD TO TRANSMIT ONE OF THE TARGETED PACKETS THROUGH A COMPROMISED NETWORK HOST. Thus, any system on the network can have its usernames and passwords compromised when accepting an FTP, telnet, or rlogin session from a remote system.

Additionally, all MILNET sites should verify that their computer systems have not had the sniffer software installed on them. The particular sniffer software used in this incident only runs on UNIX systems that have the /dev/nit device; refer to ASSIST Bulletin 94-02 for additional information on how to detect the presence of a sniffer on a UNIX computer.
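The two IMPORTANT points above amount to a triage rule: an account is exposed if its login used FTP, telnet or rlogin and any hop on the packet path was a host carrying a sniffer, whether or not the client or server was itself compromised. The following is an added illustration of that rule, not code from the bulletin or from ASSIST; the host names, session records and the "compromised backbone host" are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Login protocols named in the bulletin: credentials cross the wire in cleartext
TARGETED_PROTOCOLS = {"ftp", "telnet", "rlogin"}

@dataclass(frozen=True)
class Session:
    user: str              # account that logged in
    server: str            # host that accepted the remote login
    protocol: str          # ftp / telnet / rlogin / anything else
    path: Tuple[str, ...]  # hosts the packets traversed, client first, server last

def exposed_accounts(sessions: Iterable[Session],
                     compromised: Set[str]) -> Dict[str, Set[str]]:
    """Map each server to the accounts whose passwords must be treated as disclosed.
    A session is exposed when it used a targeted protocol and ANY hop on its path
    is a host known to carry a sniffer; client and server need not be compromised.
    """
    exposed: Dict[str, Set[str]] = {}
    for s in sessions:
        if s.protocol.lower() not in TARGETED_PROTOCOLS:
            continue  # not one of the protocols the sniffer captured
        if any(hop in compromised for hop in s.path):
            exposed.setdefault(s.server, set()).add(s.user)
    return exposed

# Constructed sample data (hypothetical hosts; not from the bulletin).
BACKBONE = "backbone-1.example"  # the host assumed to be running the sniffer
SESSIONS = [
    Session("alice", "srv.site-b.example", "telnet",
            ("ws1.site-a.example", "gw.site-a.example", BACKBONE,
             "gw.site-b.example", "srv.site-b.example")),
    Session("bob", "files.site-a.example", "ftp",  # never left the local LAN
            ("ws2.site-a.example", "files.site-a.example")),
    Session("carol", "srv.site-b.example", "rlogin",
            ("ws3.site-c.example", "gw.site-c.example", BACKBONE,
             "gw.site-b.example", "srv.site-b.example")),
    Session("dave", "mail.site-b.example", "smtp",  # crossed the backbone, not a login protocol
            ("ws1.site-a.example", "gw.site-a.example", BACKBONE,
             "gw.site-b.example", "mail.site-b.example")),
]

if __name__ == "__main__":
    for server, users in sorted(exposed_accounts(SESSIONS, {BACKBONE}).items()):
        print(f"{server}: reset passwords for {', '.join(sorted(users))}")
```

Note that bob's FTP login is not flagged even though FTP is a targeted protocol, because no hop on its path was compromised, while alice's and carol's are flagged although neither endpoint was.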
IMPACT:

All connected network sites that use the network to access remote systems are at risk from this attack. All user account and password information derived from FTP, telnet, and rlogin sessions and passing through the same network as a compromised host could be disclosed. ASSIST continues to operate on a 24 hour basis in support of the numerous requests for assistance.

IMMEDIATE ACTIONS REQUIRED:

A. ALL PASSWORDS ON ALL MILNET SYSTEMS THAT HAVE NOT YET BEEN CHANGED AS DIRECTED IN ASSIST BULLETIN 94-02 MUST BE CHANGED IMMEDIATELY. Systems that have not changed their passwords are at considerable risk of intrusion.

B. Check all UNIX systems on the MILNET for the sniffer program as described in ASSIST Bulletin 94-02.

ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your MILNET (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins, and other security related information, are available on the ASSIST bbs (see below), and through anonymous FTP from assist.ims.disa.mil (IP address 137.130.234.30). Note: assist.ims.disa.mil will only accept anonymous FTP connections from MILNET addresses.

ASSIST contact information:

PHONE: 703-756-7974, DSN 289, 24 hrs/day during the immediate handling of this incident. Afterwards, duty hours will return to 06:30 to 17:00 Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes; however, if a quicker response is required, prefix your phone number with "999".

ELECTRONIC MAIL: assist@assist.ims.disa.mil.
ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".

Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available and additional versions are likely to be offered from other sources in the near future.

****************************************************************************
*                                                                          *
*  The point of contact for MILNET security-related incidents is the       *
*  Security Coordination Center (SCC).                                     *
*                                                                          *
*  E-mail address: SCC@NIC.DDN.MIL                                         *
*                                                                          *
*  Telephone: 1-(800)-365-3642                                             *
*                                                                          *
*  NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,     *
*  Monday through Friday except on federal holidays.                       *
*                                                                          *
****************************************************************************