From: Chris McDonald STEWS-IM-CM-S (11/3/93)
To: jwilson@alexandria-emh1.army.MI, bcertain@redstone-emh2.army.MIL, sclark@apg-9.apg.army.MIL, wancho@wsmr-emh34.army.MIL, jims%fs6.ima@baileys-emh3.army., vavrina@melpar-emh3.army.MIL, agorosp@mepcom-emh1.army.MIL, jmcleod@apg-9.apg.army.MIL, schillip@ftbliss-emh1.army.MIL, bennypat@usarc-emh1.army.MIL, griffin@stl-06sima.army.MIL, rthum@wsmr-emh34.army.MIL, dnichols@wsmr-emh86.army.MIL, dwatson@wsmr-emh81.army.MIL, jbarnes@wsmr-emh100.army.MIL, lgraham@pica.army.MIL, bstring@heidelberg-emh17.army.M, kaplan@mis.arizona.EDU, dibblel@cc.ims.disa.MIL, adpsec@mercury.arl.army.MIL, dickerr0@hoffman-emh1.army.MIL, dlang@tacom-emh1.army.MIL, thinkle@letterkenn-emh2.army.MI, reich%doim2@monmouth-emh3.army., brunsc@pentagon-hqdadss.army.MI, ecastor@wsmr-emh82.army.MIL, abland@dodds-wash.af.MIL, scheftel@dockmaster.ncsc.MIL, tucker@gordon-emh2.army.MIL, carrigm@nic.ddn.MIL, tnguyen@dodds-wash.af.MIL, aeagisb2@grafenwoeh-emh1.army.M, knoxpao@ftknox-amedd.army.MIL, asqe-x-kis@kaiserslau-emh1.army, peter_roome@merck.COM, moszman@wsmr-emh34.army.MIL, csrc@nist.GOV, rogers@marlin.nosc.MIL, karyn@cheetah.llnl.GOV, postmaster@hemkosys.COM, Mildner@dockmaster.ncsc.MIL, LaBarge@dockmaster.ncsc.MIL, ecortes@philly.cerf.fred.ORG, orvis@llnl.GOV, pockbert@ansbach-emh1.army.MIL
CC: krvw@bull-run.ims.disa.MIL

Information Systems Security Update, # 93-24

1. The October 1993 edition of the "ISS Products and Services Catalogue" has an interesting addition under Chapter Eight: NSA Degausser Products List. For the first time in the list one now finds approved degaussers for what is called "extended range degaussers". If you have followed the history and discussion over Type I, Type II and Type III media, you know that approved degaussers have peaked at 750 oersteds. The current Chapter Eight identifies two products to address media having a coercivity rating of 900 oersteds.

2. Distribution of the products test index and the report of infections in commercial/government media and software occurred on 1 Nov 93. If you did not receive the updates, please send me a message. Product test reports will continue to be slow in completion and in updating since such work is now a recreational hobby.

3. Dr. Gene Spafford of Purdue recently distributed a short synopsis of two tools developed under his auspices and the COAST project. The synopsis follows.

COPS is a package of tools that check for common configuration errors, examine files for proper settings, check some transitive file relations (e.g., writable files referenced by setuid files), and check files against published CERT advisories. Included in COPS is a basic CRC checker, a simple password cracker, and modularized tools that can be used to extend the checks performed. COPS can best be classified as a static audit tool. COPS was written primarily by Dan Farmer.

Tripwire is a single tool that examines a preset list of files and directories to detect tampering. It uses checksums and message digests to build a list of "signatures" of the monitored files, and can later be rerun to check for changes. It also examines user-selected directory information for changes (e.g., owner, permissions, access time). Tripwire can detect insertion of backdoors, unauthorized replacement of source code, viruses, and any other integrity-based threat. Tripwire was written primarily by Gene Kim.

The two packages are quite different in what they do. They complement each other: if you remove the CRC check from COPS, COPS and Tripwire do nothing in common.

However, that is not to say that they don't have things in common! Both were written by exceptional Purdue students under my guidance and direction, both address common problems with Unix security, both have been widely ported and used world-wide, both have been successful at exposing system intrusions, and both are available at no cost. (Yes, other tools with these "features" are planned, too -- that's one of the purposes of my COAST group here...assuming we can get appropriate funding and outside support.)

Thus, I'd suggest that you plan on running both systems if you are interested in the coverage they provide.

Cheers,
--gene spafford
Director, COAST Project and Laboratory

I have used COPS for years with excellent results. If anyone has had experience with Tripwire, I would appreciate your comments.

4. Two new viral strains have appeared in the Macintosh environment. Full details and updates to the respective anti-viral tools should appear around 5 Nov 93. One virus appears to be new; the remaining strain appears to be related to the MBDF.

5. For those who have accounts on the NSA host dockmaster, you might want to check out the "epl" discussion group under "Forum". The latest postings contain "interpretations" to several of the NCSC criteria.

------------------ RFC822 Header Follows ------------------
Return-path: cmcdonal@wsmr-emh34.army.MIL
Date: 03 Nov 1993 14:39:53 -0700 (MST)
From: Chris McDonald STEWS-IM-CM-S
Subject: Information Systems Security Update, # 93-24
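
The baseline-and-recheck cycle that the synopsis in item 3 attributes to Tripwire, as an added example that is not part of the original bulletin and is not Tripwire's code. SHA-256 stands in for its checksums and message digests, and the function names, recorded fields and sample tree are assumptions made here.

```python
import hashlib
import os
import stat
import tempfile

def signature(path):
    """Attributes recorded per object; time fields are left out of this sketch."""
    st = os.lstat(path)
    sig = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        sig["size"] = st.st_size
        with open(path, "rb") as f:
            sig["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return sig

def snapshot(root):
    """Signature database for root and every object beneath it."""
    paths = [root]
    for dirpath, dirs, files in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirs + files]
    return {p: signature(p) for p in paths}

def compare(baseline, current):
    """Return (kind, path, changed_fields) for each added, removed or changed object."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            report.append(("added" if old is None else "removed", path, []))
        elif old != new:
            fields = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            report.append(("changed", path, fields))
    return report

def demo():
    """Constructed sample tree: baseline it, alter it three ways, re-check."""
    with tempfile.TemporaryDirectory() as root:
        login, conf = os.path.join(root, "login"), os.path.join(root, "inetd.conf")
        for path, data, mode in ((login, b"original binary\n", 0o755), (conf, b"ftp stream\n", 0o644)):
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
        baseline = snapshot(root)
        with open(login, "wb") as f:        # same length, different content
            f.write(b"replaced binary\n")
        os.chmod(conf, 0o666)               # permissions loosened
        open(os.path.join(root, ".rhosts"), "wb").close()  # new file appears
        found = compare(baseline, snapshot(root))
        return [(kind, os.path.basename(p), fields) for kind, p, fields in found]
```

The replaced file keeps its size and mode, so only the digest exposes it; the baseline is only as trustworthy as the place it is stored, which is why it belongs on media an intruder cannot rewrite.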