Date: 13 Jul 1994 08:16:40 -0600 (MDT)
From: Chris McDonald
Subject: Information Systems Security Update, # 94-12
To: orvis@icdc.llnl.gov
To: cmcdonal@wsmr-emh34.army.mil
Cc: krvw@agarne.ims.disa.mil
Apparently-To: orvis@icdc.llnl.gov

# 94-12

Contents

    Virus Bulletin -- July 1994
    The RSA-129 Message
    ISSA White Paper
    Disaster Symposium in Georgia
    Product Test Update
    Internet Security Scanner

1. The July 1994 edition of "Virus Bulletin" is probably the best so far this year. There is a mid year review of 27 MS-DOS scanner programs. The analysis also lists all the names of those viruses used in each of the test suites. There is an overview of Mark Ludwig's CD-ROM Collection. In the feature many of the comments previously discussed in recent ISS updates appear. There is some additional information to supplement my results on scanning tests against the NEW_VIR directory: specifically that 86 of the files are not actually viruses. You might remember that with full heuristics activated version 6.20 of the Thunderbyte Anti-Virus alarmed for approximately 70% of the executables in this directory. If one factors out the additional 86, then the TBAV results look even better. Finally, there is a "thumbs up" review of the Commonwealth Films video on computer viruses "Virus: Prevention, Detection and Recovery"--a film similarly recommended in a previous ISS update.

2. The July 1994 edition of "Scientific American" has the best description of the recent "hack" of the RSA cipher recently broken by over 600 volunteers over an eight month period. While many articles in the press and over the Internet had published the RSA-129 64-digit factor and its 65-digit cofactor, I had not seen what the cipher said. "The Magic Words Are Squeamish Ossifrage" was, according to Ron Rivest, chosen at random.

3. The Information Systems Security Association, INC., has issued a white paper on national cryptographic policy with emphasis on the key escrow concept.
An abridged version can be found in the June 1994 edition of the ISSA "Password" which is normally distributed to members only. If you are not a member, you can probably contact a local chapter president or the national ISSA headquarters at 708-699-6441 to obtain a copy. ISSA also has an Internet address, issa@mcs.com.

4. The Disaster Recovery Journal will host the Sixth International Disaster Recovery Symposium and Exhibition in Atlanta, GA from September 12-14, 1994. One can obtain information by calling 314-894-0276. The advance program has many familiar topics and faces, but there appears to be a wide selection of session choices.

5. Product test reviews distributed over the last two weeks included revisions to F-PROT Professional (PT-65) and to Thunderbyte Anti-Virus (PT-39). As luck would have it, both authors issued updates immediately after my distribution. F-PROT Professional is now at version 2.13; TBAV is at version 6.22.

6. In May 1994 Christopher Klaus announced a commercial version of his Internet Security Scanner, version 2.0. I was intrigued enough to finally ftp what I believe was the last "free" version, version 1.21, for a few tests. The program compiled without a problem on several Sun OS 4.xx systems. It would not compile gracefully on several AT&T 3B2s running System V, on several Unisys 5000/80s running System V, or on a Pyramid running BSD 4.3. The problems on these systems involved syntax errors and undefined parameter flags. Since I am not a programmer, when the going got tough, I quit.

The readme.iss file states: "ISS will scan a domain sequentially looking for connections. When it finds a host it will try to connect to various ports. For starters, it tries the telnet port. When it connects to the telnet port, it logs any information that the host displays." The readme file goes on to discuss various options to test for default accounts; mail aliases; ftp/rpc/YPServ/Select_svr/Rexd vulnerabilities; and several other automated tests.
The program seems to work as documented. Over the internal network where I have conducted the tests, the program moved rather slowly. Depending upon the specific test run, the actual results require some sophistication on the part of an individual as to how certain vulnerabilities might be exploited. This is probably why the author indicates that version 2.0 has an ISS Analyzer module to facilitate analysis and diagnosis of a system's vulnerabilities. Although version 1.21 does not test for several of the more recent "bugs", clearly it might serve as a valuable training tool for those unfamiliar with automated tools.

If anyone has actually purchased version 2.0, I would appreciate receiving your comments on the program. Version 1.21 may still be available at aql.gatech.edu.

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author, not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]