Date: 17 Mar 1994 07:52:56 -0700 (MST)
From: Chris McDonald
Subject: Information Systems Security Update, # 94-05
To: orvis@icdc.llnl.gov

# 94-05

1. The Preliminary Conference Program for the 16th DOE Computer Security Group Training Conference has been distributed. The dates are May 2-5, 1994 in Denver, Colorado. I have always recommended the conference as an extremely valuable forum. Telephone and facsimile inquiries may be addressed as follows: phone 301-903-4195; fax 301-903-7396. There are three tracks this year: Technical, Management, and General. May 2nd is reserved for technical workshops/tutorials. While the conference obviously aims to satisfy the requirements of the DOE community and its contractors, there has always been an intellectual and practical climate conducive to a wider audience.

2. The National Computer Security Center has released "A Guide to Understanding Covert Channel Analysis of Trusted Systems", November 1993 (NCSC-TG-030, version 1). The document clearly states that the normal reader will be an "operating system designer or evaluator already familiar with the notion of covert channels in operating systems". But for the "abnormal" reader--such as I--the document represents what is both "good" and "bad" in the Rainbow Series.

The "good" is that the document confronts the interesting dilemma that NCSC has created for itself. On one hand, NCSC wants to promote the development, production, and acquisition of trusted systems. On the other hand, a reader by page 6 in the document has had five different definitions of covert channels proposed. Only an intrepid designer would want to proceed with the development of B2-A1 system classes. The layers of complexity in addressing covert channels illustrate the very serious thought process that has gone into the document.

The "bad" aspect is that the question of relevancy to a large audience of users must be asked. Users are not beating vendors over the head with demands for B2-A1 systems. The slogan of "C-2 by 92" is only a dim memory. While DOD activities wait for the "B-2 by 2002" voices, the recent Internet attacks suggest that most have more immediate concerns than covert channel analysis.

3. The March 1994 edition of "Virus Bulletin" has a tutorial article by James Beckett, "Viruses on Unix Systems". It is pretty basic material, but the author does an interesting job of frequently drawing comparisons between MS-DOS and Unix architectures which may or may not assist a viral author. I believe there is at least one mistake when Mr. Beckett states that Tom Duff of AT&T has produced the "only form of Unix virus yet seen". There are other individuals who have written viruses for Unix systems, with Fred Cohen being one notable example.

4. The author of Gatekeeper/Gatekeeper Aid has announced over his user mail group that he is currently testing an update to his Macintosh anti-malicious program tool (reference PT-53). Chris Johnson has stated that his intention is to build into the program more robust mechanisms for addressing the recent INIT-9403 virus as well as potentially future variants or similar classes of viruses.

5. One aspect of incident handling which often appears to be forgotten is the registration of hosts with the NIC. I have lost count of the number of times that our system administrators have observed an anomaly or a possible attack. Where an IP path could be determined, our administrators and I have been frustrated when the NIC information on POCs and system administrators at the perceived attacking site has been found to be obsolete. In a real emergency it is critical to be able to communicate with real people. So ask yourself if you know whether your site information is accurate at the appropriate registration point.