U.S. DOE's Computer Incident Advisory Capability

                           C I A C   N O T E S

Number 94-03a                                                July 6, 1994

------------------- A - T - T - E - N - T - I - O - N -------------------
| CIAC is available 24 hours a day via its two skypage numbers. To use  |
| this service, dial 1-800-759-7243. The PIN numbers are: 8550070 (for  |
| the CIAC duty person) and 8550074 (for the CIAC manager). Please keep |
| these numbers handy.                                                  |
-------------------------------------------------------------------------

Welcome to the third issue of CIAC Notes! We are adding the year to the
issue number to make referencing easier. Our guest author on Firewalls has
promised future articles. And we have dropped the tables of PC and Mac
Anti-Virus product updates from this issue in the interests of time and
space. Let us know if you have topics you would like addressed or have
feedback on what is useful and what is not. Please contact the editor,
Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.
$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
$ Reference to any specific commercial product does not necessarily   $
$ constitute or imply its endorsement, recommendation or favoring by  $
$ CIAC, the University of California, or the United States Government.$
$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$

TABLE of CONTENTS

Feature          = Internet Sniffer Update
                 : Social Engineering
                 : Firewalls
                 : Security Information and Resources via WWW
                 : Some Upcoming Computer Security Related Conferences
DEC User         = ULTRIX and OSF/1 Patch Kits Available
PC User          = CD-IT.ZIP Trojan
                 : Three New PC Viruses: Natas, Junkie, CHiLL TOUCH
MAC User         = Defeating FileMaker Password Protection
CIAC Information = CIAC Bulletins Issued Recently
                 : Subscribing to CIAC Electronic Publications
                 : Accessing CIAC's Electronic Information Servers
                 : Publications Available from CIAC
                 : Who is CIAC
                 : Contacting CIAC

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FEATURE ARTICLES
-------------------------------

Internet Sniffer Update

Internet Sniffer attacks are still with us! Everyone, including the DOE
and its contractors, is becoming more reliant on electronic
communications. If you remotely log into a host system, you should
consider changing your password weekly. You are especially at risk when
login information travels over public networks such as the Internet.

However, it is not just your login information that is at risk! Assume
that whatever you send to your colleagues across the site, nation or
world can and may be seen by someone else. Today, because E-mail is so
convenient and rapid, users sometimes include sensitive information in
the message body or in an attachment, assuming it is safe. This should
not be done! If you have not encrypted your message or your attachment,
this information can be "grabbed" surreptitiously by a computer cracker.
It also can be misdirected to someone other than the intended recipient.
CIAC has seen instances of both.
You may have heard of Privacy Enhanced Mail (PEM), Pretty Good Privacy
(PGP) or other products from commercial vendors. Secure and authenticated
E-mail is still being developed and is awaiting standardization.
Conclusion: E-mail should not be used for sensitive discussions unless
the messages and associated attachments are DES encrypted. Many DOE/DOE
contractor sites already have established policies regarding the use of
E-mail. Check with your site CPPM/CSSM to learn your organization's
policy.

To obtain further information, contact Sandy Sparks, CIAC, 510-422-8193
or send E-mail to ciac@llnl.gov.

------------------------------
Social Engineering

In today's world of computer crime, not all perpetrators have to come in
over the Internet; they may just as easily get information simply by
asking. Beware of the friendly insider or the official-sounding outsider;
they may be playing on your good will or naivete to get what they need.
A few examples should help...

A technician answers the telephone.

"Bill Jones, Telecom Operations."

"Hello. This is Martin White with AT&T Operations. We think someone may
have broken into your PBX switch. Can I talk to the technical person in
charge?"

"That's me," Bill says.

"How're you doing, Bill?"

"Good. And you?"

A deep breath. "Not too bad, except that it's Friday afternoon and I
think we're going to have to wade through a mountain of paper. Anyway,
as I was saying, we think your switch has been compromised."

"What makes you think so?"

"Your toll free dial in is 800-555-1212, isn't it?"

"Yeah."

"We alarmed on someone sequence dialing all the 555 numbers. The sequence
stopped on yours, then randomly searched for dial out access codes. If
they found it, you know how bad that can be."

"Well, can't you tell for certain?" Bill asks.

"Sure, I'm searching now, but it's so much paper." The sound of a page
being flipped. "What scares me is that while I'm doing this, the bad guys
could be selling your long distance on the streets right now. Maybe you
better take your 800 service off line or change the access code."

"Jeez, I can't do that. The people in the field... our business depends
on it."

Martin sighs. "That's too bad. The intruders may not have even cracked
the code." The sound of another page being flipped and then fingers
snapping. "Bill, I just thought of something. I have all this on line.
It would just take a minute to search for your access code." A heavy
sigh. "Why didn't I think of this before? It's been a long week, too many
hours looking at numbers." A pause. "Okay, what's your access code?"

"I... er," Bill hesitates.

"Oh, yeah, you shouldn't give it out. I understand." The sound of another
page being flipped. "It was such a good idea, too." Pause. "These guys
sure tried a lot of permutations. These eight digit codes..." Another
page.

"Hey," Bill says, "we could be here all night. Forget I told you this:
the code is 98765432."

"Thanks. Great. Hold on." The sound of keys being typed. "Okay. Let me
double check." More typing. "That's it. Good news, they never got to it."
Pause. "Thanks a lot, Bill. We would have been here half the night for a
non-event. By the way, once they pass you by, it's very rare that they'd
come back. You're in good shape. Though you probably want to change that
access code."

"Nah, that would be a real pain. Everyone in the field would have to be
informed. Maybe I'll kick it up to the boss on Monday. Have a good
weekend."

"You too."

"Martin White" will have a good weekend. He and his confederates will
sell discount long distance service on the streets of New York City at
public phone booths, a zero overhead pure profit enterprise. The costs to
Bill's organization will be over $150,000.

This is one (fictionalized but only too realistic) example of what's
called "Social Engineering," an ironic characterization of the
non-technical aspect of Information Technology (IT) crime.
In other human interactions it's called a "Con (or Confidence) Game,"
where Martin is the "Con Artist." The underlying idea is simple: deceive
the victim into revealing secret information or taking inappropriate
action for the attacker's benefit.

Most of us are helpful and trusting - it's human nature. We want to be
good neighbors and have good neighbors. Americans are especially
trusting, and as foreign industrial espionage increases, we must check on
requesters before we hand over either access or information.

Social Engineers exploit this cooperative inclination. They also employ
intimidation and impersonation as well as plain old-fashioned snooping
and eavesdropping. A confused and befuddled person will telephone a clerk
and ask for his password to be changed. An important-sounding man
identifying himself as an executive will telephone a new system
administrator and demand access to his account NOW! A person at an
airport will look over your shoulder ("shoulder surfing") as you key in
your telephone credit card or ATM PIN (they even use binoculars and
camcorders). A visitor will watch you type your username and password at
your keyboard. A confident person will call up a computer operator and
ask him or her to type in a few lines of instruction at the console. An
attacker will sift through your paper trash ("dumpster diving"), looking
for clues to unlock your IT treasures.

Unlike the technology it targets, social engineering is an old profession
with a new name. It succeeds frequently because our culture has not
caught up with its own technology. A social engineer would have a much
more difficult time getting the combination to a safe, or even the
combination to a locker at the health club, than a password. The best
defense is simple: it's education, training, and awareness.

For further information, please contact Richard Feingold, CIAC,
510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
Internet Firewalls
by Stephen P. Cooper, CSTC, LLNL

As more computers and larger networks get attached to the Internet, it
gets more difficult to keep them secure from some of the hostile or
curious elements on the Internet. An increasingly popular method of
connecting to the Internet is through firewalls. A firewall is a
combination of hardware and software components that provide a choke
point between a "trusted" network, such as an organizational network, and
an "untrusted" network such as the Internet. The firewall provides a
certain level of control over what can pass between the two networks.

Firewall technology has not yet reached the "turn-key" stage, although
the number of commercial product announcements is increasing. There are
several ways to make your own firewalls, and there are a number of people
and companies doing firewall consulting. There is also a lot of free
software and advice available over the Internet. Several references are
listed at the end of this article.

There are several different ways to configure a firewall. Two common
hardware (and software) components are a screening router and an
application gateway (also called a "bastion" host).

The screening router provides the primary connection between a trusted
and an untrusted network. It routes protocol packets and can be
configured to block packets by hardware address, IP address, or, in the
case of TCP and UDP, by port. For example, the router can be configured
to block incoming FTP requests and all NFS traffic. The screening router
is limited to these low-level network functions, and many network
applications have protocols too complex to be handled at this level. That
is where an application gateway is used.

An application gateway is used to provide an extra layer of protection to
certain network applications. For incoming Telnet or FTP connections, it
may provide one-time password authentication to prevent an unauthorized
user from capturing and reusing a password to get into the trusted
network.
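As an added illustration (example code, not from the article or from CSTC), the following toy packet filter models what a screening router can and cannot decide: it sees only direction, protocol, addresses and ports, and it applies the article's two example rules, blocking incoming FTP requests and all NFS traffic. Port numbers (FTP control 21/tcp, NFS 2049 tcp and udp), the sample addresses and the packet records are assumptions constructed for the example.

```python
"""Toy screening-router packet filter (added example, not CIAC/CSTC code).

Models the article's point: a screening router matches only low-level
fields (direction, protocol, addresses, ports), so rules are written in
those terms. First matching rule wins; unmatched packets get the default.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = untrusted -> trusted, "out" = trusted -> untrusted
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool = False  # TCP SYN without ACK: a new connection request


@dataclass(frozen=True)
class Rule:
    action: str                       # "deny" or "permit"
    direction: Optional[str] = None   # None = either direction
    proto: Optional[str] = None       # None = tcp or udp
    port: Optional[int] = None        # matches source OR destination port
    src_net: Optional[str] = None     # CIDR text, None = any source
    dst_net: Optional[str] = None     # CIDR text, None = any destination
    new_conn_only: bool = False       # match only TCP connection requests

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.port is not None and self.port not in (p.sport, p.dport):
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        # new_conn_only lets replies to OUTBOUND ftp sessions (sport 21, no
        # SYN) through while still stopping INBOUND connection requests.
        if self.new_conn_only and not (p.proto == "tcp" and p.syn_only):
            return False
        return True


# The article's two examples as rules (assumed port numbers: ftp 21, nfs 2049).
SCREENING_RULES: List[Rule] = [
    Rule("deny", direction="in", proto="tcp", port=21, new_conn_only=True),
    Rule("deny", port=2049),  # all NFS traffic, both directions, tcp and udp
]


def decide(rules: List[Rule], packet: Packet, default: str = "permit") -> str:
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed sample traffic (documentation/private address ranges).
SAMPLE_PACKETS = {
    "inbound_ftp_request": Packet("in", "tcp", "192.0.2.10", "10.0.0.5", 40001, 21, syn_only=True),
    "reply_to_outbound_ftp": Packet("in", "tcp", "192.0.2.20", "10.0.0.7", 21, 40002),
    "inbound_nfs": Packet("in", "udp", "192.0.2.10", "10.0.0.5", 1023, 2049),
    "outbound_nfs": Packet("out", "tcp", "10.0.0.5", "192.0.2.10", 40003, 2049),
    "inbound_telnet_request": Packet("in", "tcp", "192.0.2.10", "10.0.0.5", 40004, 23, syn_only=True),
}


def run_samples(default: str = "permit") -> dict:
    """Decide every sample packet under the given default policy."""
    return {name: decide(SCREENING_RULES, p, default) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for policy in ("permit", "deny"):
        print(f"default {policy}:")
        for name, verdict in run_samples(policy).items():
            print(f"  {name:24s} {verdict}")
```

Note that the Telnet request is permitted or denied purely by the default policy: nothing in these rules can tell a legitimate login from a replayed password, which is exactly the gap the article's application gateway with one-time passwords is meant to fill.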
This is just a sample of the terminology and configuration possibilities
of Internet firewalls. Because of the importance of this area in computer
security, CIAC/CSTC will continue to investigate firewall configurations
and technology and will produce a series of firewall articles in future
issues of CIAC Notes. If you have questions or topics you would like to
see covered, send mail to ciac@llnl.gov. Until then, the following are
some good sources of information and discussion about firewall topics:

(1) Books

    William R. Cheswick and Steven M. Bellovin. Firewalls and Internet
    Security: Repelling the Wily Hacker. Addison-Wesley, Reading,
    Massachusetts, 1994.

(2) Anonymous FTP Information

    ftp.greatcircle.com - Firewalls mailing list archives.
        Directory: pub/firewalls
    ftp.tis.com - Internet firewall toolkit and papers.
        Directory: pub/firewalls
    research.att.com - Papers on firewalls and break-ins.
        Directory: dist/internet_security
    net.tamu.edu - Texas A&M University security tools.
        Directory: pub/security/TAMU

(3) Mailing Lists

    The Internet firewalls mailing list is a forum for firewall
    administrators and implementors. To subscribe to Firewalls, send
    "subscribe firewalls" in the body of a message (not on the "Subject:"
    line) to "Majordomo@GreatCircle.COM". Archives of past Firewalls
    postings are available via anonymous FTP from ftp.greatcircle.com in
    pub/firewalls/archive.

-----------------------------
Security Information and Resources via WWW

The following information from a recent posting to the firewalls mailing
list (see the above article) was provided by Rodney Campbell, Telecom,
Australia, who has created a World Wide Web page. It is an index to
sources of network and computer security information.
The index currently contains pointers to the following topics:

    Frequently Asked Questions
    WWW Information Sources
    USENet News Groups
    FTP Sites
    Mailing Lists & Mail Addresses

The Uniform Resource Locator (URL) for the index is
http://www.tansu.com.au/Info/security.html, or, if you are reading this
with a web browser, follow the link "Security Reference Index".

Note: The index has some Australian touches to it.

-------------------------------
Upcoming computer security related conferences

Sixth Annual Computer Security Incident Handling Workshop
Boston Park Plaza Hotel
Boston, Massachusetts
July 25 - 29, 1994
Sponsored by: Forum of Incident Response and Security Teams (FIRST)

Since November of 1988, there has been an almost continuous stream of
security-related incidents that have affected thousands of computer
systems and networks throughout the world. To address this threat, a
growing number of government and private sector organizations in North
America, Europe and Australia have worked together to exchange
information and coordinate response activities. This coalition, known as
FIRST, brings together a variety of computer security incident response
teams from government, commercial, and academic organizations. FIRST aims
to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing among
members and the community at large.

Focus

The focus of this year's workshop is on tools for incident handling in an
international arena. The workshop is being conducted as a series of
tutorials, seminars, and hands-on sessions on related topics. Two all-day
tutorials stressing basic network security and incident handling issues
will be available for all participants on the first day. A half day of
working groups sharing information, requirements and guidance in an
informal interactive environment will be held on the second day. Groups
will produce notes and/or documents to be shared with other workshop
attendees. The workshop will begin in the afternoon of the second day
with presentations focusing on tools that are utilized in incident
handling. As part of the registration fee, all participants will receive
a CD-ROM containing many of the tools discussed at the workshop, which
includes but is not limited to:

    . Advisories
    . Mailing list archives
    . Security related papers and documents
    . Password security software
    . Network security software
    . Firewalls software
    . Authentication software

Preliminary Agenda

    . Tutorials: Security for Managers, Incident Handling for Techies
    . Working Groups: Collecting Computer Crime Statistics, Internet
      Security/Insecurity, FIRST Membership Responsibilities
    . Introduction of incident handling teams
    . Discussion of non-traditional and public domain network servers
    . Vendor panel on how vendors respond to incident response teams
    . Panel discussion on interoperability in the FIRST community
    . Invited talks on recent detection and analysis tools
    . Panel on forming an incident response team
    . Discussion of the trends in legal and administrative issues with a
      focus on international issues

Registration

The registration fee is $275.00 per person. Registration includes coffee
breaks, two lunches, a reception, and workshop materials. In order to be
pre-registered and have your name appear on a preliminary participants
list, registration must be received by July 11, 1994. Requests for
cancellations or refunds must be submitted in writing by July 11, 1994.
For additional registration information, please contact Lori Phillips,
NIST, 301-975-3881, Fax: 301-948-2067.

Additional Details

For additional technical information, contact Marianne Swanson or John
Wack, NIST, 301-975-3359, E-mail: workshop-info@first.org.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
DEC USER ARTICLES
-------------------------------

DEC ULTRIX, DECnet ULTRIX and OSF/1 Patches Available

Digital Equipment Corporation has prepared Security Patch Kits for the
following versions: ULTRIX RISC and VAX 4.3, 4.3A, 4.4; DECnet-ULTRIX
4.2; and OSF/1 1.2, 1.3, 1.3A, and 2.0. These kits are available from DEC
via normal software maintenance contract services, from your local
office, or via anonymous FTP from ciac.llnl.gov.

To obtain further information, contact Allan L. Van Lehn, CIAC,
510-422-8193 or send E-mail to ciac@llnl.gov.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PC USER ARTICLES
-------------------------------

CD-IT.ZIP Trojan

In early May, a Trojan program was identified in the CD-IT.ZIP archive
available via bulletin boards and Internet file transfer sites.
Documentation in the archive indicated that these programs were from
Chinon, a manufacturer of CD-ROM drives. However, they were not from
Chinon, and Chinon issued a press release warning users not to use the
software contained in the archive. The warning states that the archive
contains a Trojan program that destroys the contents of hard disk drives.
CIAC distributed that press release in its Information Bulletin E-20,
issued May 6, 1994.

We have since obtained a copy of the bogus CD-IT.ZIP archive and are
analyzing its contents. The archive contains two programs, some
documents, and data files.

WARNING: If you should find a copy of this archive, do not run the
program INSTALL.COM, as it contains the Warpcom-2 Trojan.

The documentation contained in the archive claims that this is a utility
program that will enable you to "READ and WRITE to your CD-ROM!" That
statement in itself should be a tip-off that there is something wrong
here, as it is physically impossible to write with a standard CD-ROM
drive. Even writable CDs (CD-R) can only be written in a special drive
that contains additional hardware.
Scanning for the Trojan program with anti-virus scanners may not locate
it, as most scanners look only for virus code, not Trojans. However,
F-PROT version 2.10c does detect and identify this Trojan, and the
upcoming release of DataPhysician Plus 4.0D will also detect it.

The Trojan program overwrites the copy of COMMAND.COM pointed to by the
current COMSPEC environment variable. COMMAND.COM is overwritten with
binary ones (hex FF), except for a few bytes at the beginning. Those few
bytes at the beginning of COMMAND.COM are a short program to overwrite
the first 256 sectors of your D: drive with garbage. The next time the
system needs to reload COMMAND.COM, the small program trashes the D:
drive and then the system crashes trying to execute invalid code. The
hard disk then becomes unbootable, because COMMAND.COM is needed to boot
the system.

While we have not extensively examined the effects of the Trojan, the
damage to the C: drive can be repaired by replacing the damaged copy of
COMMAND.COM with a new, undamaged one. The damage to the D: drive may not
be repairable, though you may be able to recover some of the files using
a disk recovery program such as Norton Utilities or PCTools.

Be sure to replace the correct copy of COMMAND.COM. The copy to replace
is the one pointed to by the COMSPEC environment variable. To see the
current value of COMSPEC, type SET followed by a Return. The default
value is C:\COMMAND.COM, where C: is the boot drive (it will be the A:
drive if you boot from a floppy). If you boot from a floppy drive to
repair a system, the SET command will not show you the correct copy of
COMMAND.COM to replace, as it will point to the copy of COMMAND.COM on
the floppy disk. To find the correct copy of COMMAND.COM to replace, see
if the value of COMSPEC has been set in the CONFIG.SYS file on the hard
disk. If it is not set there, then the copy of COMMAND.COM to replace is
the one in the root directory of the C: drive.
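As an added example (not CIAC's code and not part of the bulletin), the following Python checks a COMMAND.COM image for the damage pattern described above, a short stub followed by nothing but hex FF, and resolves which copy of COMMAND.COM the hard disk actually boots with when SET cannot be trusted because you booted from a floppy. The stub size limit and the 99% fill threshold are assumptions, the sample images are constructed, and the placeholder stub is not the Trojan's code; the CONFIG.SYS lookup relies on the DOS convention that a SHELL= line sets COMSPEC.

```python
"""Check a COMMAND.COM image for the overwrite pattern the bulletin describes
and resolve the COMSPEC target from CONFIG.SYS (added example, not CIAC code).
"""

STUB_LIMIT = 512        # assumption: the planted stub ("a few bytes") is well under 512
FILL_THRESHOLD = 0.99   # assumption: >= 99% of the tail being 0xFF counts as overwritten


def trailing_ff_start(image: bytes) -> int:
    """Offset at which the trailing run of 0xFF bytes begins (len(image) if none)."""
    end = len(image)
    while end > 0 and image[end - 1] == 0xFF:
        end -= 1
    return end


def looks_overwritten(image: bytes, stub_limit: int = STUB_LIMIT,
                      threshold: float = FILL_THRESHOLD) -> bool:
    """True if nearly everything after the stub region is 0xFF: the described damage."""
    if len(image) <= stub_limit:
        return False
    tail = image[stub_limit:]
    return tail.count(0xFF) / len(tail) >= threshold


def assess_command_com(image: bytes) -> dict:
    """Summary a responder wants for one COMMAND.COM image: size, verdict, stub length."""
    overwritten = looks_overwritten(image)
    return {
        "size": len(image),
        "overwritten": overwritten,
        "stub_bytes": trailing_ff_start(image) if overwritten else None,
    }


def resolve_comspec(config_sys: str, boot_drive: str = "C") -> str:
    """Path of the COMMAND.COM the hard disk boots with.

    A SHELL= line in CONFIG.SYS sets COMSPEC (first token is the program path);
    without one DOS uses COMMAND.COM in the root of the boot drive.
    """
    for line in config_sys.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().upper() == "SHELL":
            parts = value.split()
            if parts:
                return parts[0]
    return f"{boot_drive}:\\COMMAND.COM"


# Constructed sample images (placeholders, not real files or Trojan code).
GOOD_IMAGE = bytes(range(256)) * 8                       # varied content, 2048 bytes
TRASHED_IMAGE = b"XXXX".ljust(64, b"\x00") + b"\xFF" * 1984  # 64-byte stub, then all 0xFF

# Constructed CONFIG.SYS contents.
CONFIG_WITH_SHELL = "FILES=30\nSHELL=C:\\DOS\\COMMAND.COM C:\\DOS\\ /P\n"
CONFIG_WITHOUT_SHELL = "FILES=30\nBUFFERS=20\n"


if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("trashed", TRASHED_IMAGE)):
        print(name, assess_command_com(img))
    print("with SHELL=   ->", resolve_comspec(CONFIG_WITH_SHELL))
    print("without SHELL ->", resolve_comspec(CONFIG_WITHOUT_SHELL))
```

Run `assess_command_com` on the file `resolve_comspec` names (read with `open(path, "rb").read()`) rather than on whatever SET reports after a floppy boot; a verdict of overwritten means replace that copy before it is reloaded.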
Note that there is usually a second copy of COMMAND.COM in the DOS
directory on the C: drive that can be copied into the root directory.

Since the damaged copy of COMMAND.COM is not necessarily run right away,
you have a chance to save your D: drive. If, after mistakenly running the
INSTALL.COM program, your system seems to be running OK, immediately
replace the copy of COMMAND.COM with a good one. If you can replace it
before it is executed, your D: drive will not be overwritten.

Note: Chinon indicated that there is a legitimate program called CD-IT
that is used with CD-ROM drives. If the documentation claims to give you
write access to a CD-ROM, then you have the bogus archive.

To obtain further information, contact William J. Orvis, CIAC,
510-422-8193 or send E-mail to ciac@llnl.gov.

-------------------------------
Three new PC viruses: Natas, Junkie, CHiLL TOUCH

Natas

According to knowledgeable sources in the Anti-Virus (AV) community, this
virus was written by the author of the Satan Bug virus (Natas is Satan
backwards) and has many of the same characteristics. CIAC has received
information that the Natas computer virus for MS-DOS/PC-DOS computers has
been seen in the Los Angeles area. Previously this virus was known to be
widespread in the Mexico City area.

Natas is a super-polymorphic, multipartite virus. A polymorphic virus
changes how it looks with each new infection to make it difficult for an
anti-virus signature scanner to detect it. A multipartite virus infects
both programs and boot sectors. Natas also infects system (.SYS) programs
and memory managers like QEMM and EMM386, causing those programs to
report memory errors. Most AV scanners should be able to detect this
virus by name in the next release. Current AV program change detectors
should be able to detect the presence of this virus now.
Junkie

Several press reports distributed over the Internet have raised
speculation that a new, very dangerous computer virus named Junkie is
spreading around the country. Unfortunately, those reports exaggerate the
importance of this virus by claiming that it is widespread and that it
contains new technology that present anti-virus products cannot counter.
Anti-virus authorities report that Junkie is a relatively unsophisticated
virus with no new technology, and that the change detection (new virus)
scanners in most anti-virus packages should detect it. The following is
an excerpt from a Norton Anti-Virus (Symantec Corp.) press release that
describes Junkie:

    "Junkie, which reportedly first infected a company in the Netherlands
    after being downloaded from a bulletin board, is a multipartite virus
    that infects hard drives or floppy disks and files. It writes the
    virus code to the Master Boot Record (MBR) on the hard drive, the DOS
    boot record on floppies, and only infects .COM files. Junkie is not a
    stealth virus. It is variably encrypted, but not polymorphic. No
    "trigger" or "payload" has been identified for the Junkie virus."

All AV change detectors will detect it, and all scanners should detect it
by name in their next released version.

CHiLL TOUCH

The CHiLL TOUCH virus was found in some game programs on ZiffNet's Ziff
Public Brand Software Arcade Forum, which about forty people downloaded.
If you obtained this software (listed below) between June 3rd and 14th,
you should not run or redistribute it. Delete it and obtain new copies
from ZiffNet. ZiffNet and CompuServe have tried to contact all the people
that downloaded it. ZiffNet also said that the virus did not originate
from any of these files and that versions of these programs downloaded
before June 3rd are absolutely fine. The programs are:

    Animated Clock (ACLOCK.ZIP)
    John's Animated Computer Game (AJOHN.ZIP)
    Animated Alphabet (ALPHA.ZIP)
    Animated Memory Game (AMEM.ZIP)
    BAT Commander (BATCMD.ZIP)
    Big Red Self-Test (BRTEST.ZIP)
    Dungeon, v9.0 (DUNGN.ZIP)
    SHEZ, v10.0 (SHEZ.ZIP)
    Stealth, v5.0 (STLTH.ZIP)

The CHiLL TOUCH virus is a resident .COM infector, affecting only .COM
files larger than 64K. The payload is disabled because it appears that
the virus writer was having trouble getting it to work. It is variably
encrypted. It is not a stealth virus. It is not polymorphic. It does not
infect the boot block of hard drives or floppy disks.

To obtain further information, contact William J. Orvis, CIAC,
510-422-8193 or send E-mail to ciac@llnl.gov.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
MAC USER ARTICLES
-------------------------------

Defeating FileMaker Password Protections

CIAC has examined an application programmed to defeat the password
protection scheme in Claris' FileMaker databases (FileMaker II, FileMaker
Pro v1.0 and v2.0) for the Macintosh. A DOS version may be available by
the time you read this. This application is being distributed freely via
several bulletin board systems.

By using this application, anyone can modify (or modify a copy of) the
database file. Any FileMaker database that can be seen on a network is at
risk. This means that shared folders and/or files, even if they are
restricted to read-only access, can be copied and altered to remove their
password protection.

It is quite possible that other "password" protected databases are
vulnerable to this kind of attack. You might want to question your
software vendor about this before you select your next database engine.

To obtain further information, contact Allan L. Van Lehn, CIAC,
510-422-8193 or send E-mail to ciac@llnl.gov.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
CIAC INFORMATION
-------------------------------

CIAC Bulletins Issued Recently

CIAC issues two categories of computer security announcements: the
information bulletin and the advisory notice. Information bulletins
describe security vulnerabilities and recommend countermeasures. Advisory
notices are more imperative, urging prompt action for actively exploited
vulnerabilities. Advisory notices are delivered as quickly as possible
via E-mail and FAX.

E-18   Bulletin  Sun Announces Patches for automountd Vulnerability
                 May 05, 1994, 1200 PDT
E-19   Advisory  nVir A Virus Found on CD-ROM
                 May 05, 1994, 1500 PDT
E-20   Bulletin  Trojan Attack on Chinon CD-ROM Drives
                 May 06, 1994, 1200 PDT
E-21   Bulletin  Restricted Distribution
                 May 11, 1994, 0845 PDT
E-22   Bulletin  Restricted Distribution
                 May 11, 1994, 0845 PDT
E-23b  Bulletin  Vulnerability in HP-UX systems with HP Vue 3.0
                 May 17, 1994, 0930 PDT
E-24   Bulletin  Security Patch Kits for ULTRIX, DECnet-ULTRIX and OSF/1
                 May 18, 1994, 1530 PDT
E-25a  Bulletin  BSD lpr Vulnerability in SGI IRIX
                 May 19, 1994, 1600 PDT
E-26   Advisory  UNIX /bin/login Vulnerability
                 May 23, 1994, 0700 PDT
E-27   Bulletin  Restricted Distribution
                 May 23, 1994, 1430 PDT
E-28   Bulletin  Restricted Distribution
                 May 26, 1994, 0930 PDT
E-29a  Bulletin  IBM AIX bsh Queue Vulnerability
                 Remote users may access a privileged account via the bsh
                 batch queue. Disable the queue, then install a fix.
                 June 3, 1994, 1500 PDT
E-30   Bulletin  Majordomo distribution list administrator vulnerabilities
                 Intruders may gain remote access to the Majordomo account
                 and execute arbitrary commands. Upgrade to version 1.92.
                 June 15, 1994, 1400 PDT

To obtain further information, contact Allan L. Van Lehn, CIAC,
510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
Subscribing to CIAC Electronic Publications

CIAC has several self-subscribing mailing lists for electronic
publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use
   of SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe
(add yourself) to one of our mailing lists, send the following request
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for
LastName, FirstName and PhoneNumber. Send E-mail to
ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber

e.g.,

    subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription,
or get help.

To subscribe an address which is a distribution list, first subscribe
the person responsible for your distribution list. You will receive an
acknowledgment (as described above). Change the address to the
distribution list by sending a second E-mail request. As the body of this
message, send the following request, substituting valid information for
list-name, PIN, and address of the distribution list. Send E-mail to
ciac-listproc@llnl.gov:

    set list-name address PIN distribution_list_address

e.g.,

    set ciac-notes address 001860 remailer@tara.georgia.orb

To be removed from this mailing list, send the following request:

    unsubscribe list-name

For more information, send the following request:

    help

If you have any questions about this list, you may contact the list's
owner: listmanager@cheetah.llnl.gov.
------------------------------
Accessing CIAC's Electronic Information Servers

CIAC operates two file server systems for the DOE community: the CIAC
Bulletin Board System (CIAC BBS) and an anonymous File Transfer Protocol
(FTP) server, also named CIAC. The CIAC BBS used to be named FELICIA and
before that, FELIX. The BBS is accessible via telephone using a modem.
The FTP server is accessible via the Internet. Both of these file servers
contain all of the publicly available CIAC, CERT/cc, NIST, and DDN
bulletins, virus descriptions, the virus-l moderated virus bulletin
board, copies of public domain and shareware virus detection/protection
software, copies of useful public domain and shareware utility programs,
and patch files for some operating systems.

The CIAC BBS

Our BBS is accessed via analog telephone line, a modem, and a terminal or
computer running a terminal emulator program. Set your modem transmission
protocol to 8 bits, no parity, one stop bit. The access numbers are:

    510-423-4753 - 2400 baud or slower
    510-423-3331 - 9600 baud V.32 or slower

The first time you call in, please register your name and address. To
download or read files, switch to the file section and follow the
directions. Most of the popular downloading protocols are available,
including XMODEM, YMODEM, SEALink, and Kermit.

The FTP server ciac.llnl.gov

The new name of our Internet FTP server is ciac.llnl.gov, formerly
irbis.llnl.gov. Use FTP to access it either by name or by IP address
(128.115.19.53). The operation and prompt will depend on which vendor's
FTP you are running. Usually, you must first log in before you can list
directory contents and transfer files. Use "ftp" or "anonymous" for Name
or Foreign username, unless given a general prompt such as ciac.llnl.gov>
or ftp>. In that case, enter the keyword "user" or "login" before "ftp"
or "anonymous" (e.g. user ftp). Use your Internet E-mail address for the
Password.

Once logged in, you may type a question mark to find out what keywords
are recognized. The file 0-index.txt (in the top level directory /ftp) is
a document explaining the directory structure for downloadable files. The
file whatsnew.txt (in directory /ftp/pub/ciac) contains a list of the new
files placed in the archive. Use the command get (for single files) or
mget (for multiple files) to download one or more files to your own
machine.

------------------------------
Publications Available from CIAC

CIAC prepares publications on a variety of computer security related
topics, the CIAC 2300 series. Many of these will be updated as needed to
keep the information current. We welcome suggestions for topics that you
feel would be valuable. We also make available some documents from other
sources. In the table below, column E is for electronic documents
available via CIAC's servers (see above article). Column P is for printed
documents, for those who do not have Internet or telephone-modem access.
The electronic formats are: *.txt for ASCII, *.ps for PostScript(TM),
*.hqx for bin-hexed Microsoft Word, *.wp5 for PC Word Perfect v 5.0.

No.   E P  TITLE
2300  x x  Abstracts of the CIAC-2300 Series Documents
2301  x x  Computer Virus Information Update
2302  x x  The FELICIA Bulletin Board System and the IRBIS Anonymous FTP
           Server
2303  x x  The Console Password Feature for DEC Workstations
CIAC  x    Incident Handling Guidelines
LLNL  x    User Accountability Statement, E. Eugene Schultz, Jr.
SRI   x    Improving the Security of your Unix System, David A. Curry
LLNL  x    Incident Handling Primer, Russell L. Brand
ORNL  x    Terminal Servers and Network Security, Curtis E. Bemis & Lynn
           Hyman

To obtain further information, contact Allan L. Van Lehn, CIAC,
510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------
Who is CIAC

CIAC is the United States Department of Energy's Computer Incident
Advisory Capability.
We provide incident handling assistance, computer security training and awareness activities, and related services. The following people are presently assigned to the CIAC Team. Each has varied computer security experience and specializations.

Sandra L. Sparks is the CIAC Project Leader. Sandy is available to talk with you via phone at 510-422-6856 or E-mail as ssparks@llnl.gov. In an emergency incident situation, she can be contacted via the secondary skypage: call 1-800-SKYPAGE (759-7243) and enter PIN number 8550074.

Name               Technical Support Areas
Sandy Sparks       Unclassified computer security, ibm vm/cms
Rich Feingold      Training, openvms, ultrix, unix, pc's, networks
Bill Orvis         Viruses, pc's, hardware, unix
Karyn Pichnarczyk  Viruses, pc's, unix
Sandy Sydnor       Administrative support coordinator
Allan Van Lehn     OpenVMS, sys admin, publications, unix, pc's
Steve Weeber       SunOS, unix, x-windows, firewalls, networks

To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

Contacting CIAC

If you require additional assistance or wish to report a vulnerability, call CIAC at 510-422-8193, fax messages to 510-423-8002 or send E-mail to ciac@llnl.gov. For emergencies and off-hour assistance, call 1-800-SKY-PAGE (759-7243) and enter PIN number 8550070 (primary) or 8550074 (secondary). The CIAC Duty Officer, a rotating responsibility, carries the primary skypager. The Project Leader carries the secondary skypager. If you are unable to contact CIAC via phone, please use the skypage system.

------------------------------

This document was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

------------------------------

End of CIAC Notes Number 94-03a 94_07_06

*****************************************
