To: orvis@llnl.gov
Subject: Information Systems Security Update, # 96-12

Rootkit is not a dental problem!
CSI Security Journal Articles
/dev/thermite--in case it's still there
Robert Morris Jr. makes the IEEE timeline!

1. The November 1996 edition of "Sys Admin" devotes itself to security issues. Five articles include: (a) "Recognizing and Recovering from Rootkit Attacks" by David O'Brien; (b) "Creating a Secure CGI Environment" by David Endler; (c) "Enhanced Security on Digital UNIX" by Matthew Cheek; (d) "Assorted Security Tips for UNIX" by Arthur Donkers; and (e) "An Introduction to Client/Server Security" by Jack Maynard. I found the first article most interesting in that Mr. O'Brien has analyzed seven different SunOS Rootkit samples and three Linux Rootkit samples. Rootkit is a collection of programs "whose purpose is to allow an intruder to install and operate an Ethernet sniffer".

2. The "Computer Security Journal", Fall 1996, has several articles of interest: (a) If you missed the Senate testimony of Special Agent Jim Christy, USAF, on the Rome AFB intrusions, it appears as a case study; (b) An introduction and overview of network intrusion recovery procedures by Marvin Christensen, DOE CIAC; (c) A synopsis of issues associated with single sign-on products by Fred Trickey, with a matrix of vendors and product information; and (d) An article by Gerald Isaacson on the process used at the Massachusetts Institute of Technology to develop a disaster recovery capability.

3. The October 1996 USENIX ";login:" has a report on papers presented at the Sixth USENIX Security Symposium in San Jose, CA, July 22-25, 1996. One synopsis caught my attention: namely, "Secure Deletion of Data from Magnetic and Solid State Memory" by Peter Gutmann, Department of Computer Science, University of Auckland. The presentation addressed techniques for recovering "erased" data from various types of disk drives using Magnetic Force Microscopy (MFM). Examples of the recovery of erased and overwritten files are available at www.di.com/Theater/nt_mfm.html. I must confess I visited the site and got lost in the maze. The USENIX summarizer, Avi Rubin from Bellcore, quotes Mr. Gutmann as commenting that the best way to protect data on magnetic disk was to melt the disk down to a "pile of molten slag". At which point Steve Bellovin suggested that systems have a "/dev/thermite" installed.

4. The October 1986 IEEE "Computer" devotes itself to essays on fifty years of computing. There is an interesting timeline of significant computing history events, one of which may raise some eyebrows. On page 105 appears this item for 1988: "Graduate student Robert Morris Jr. reveals the need for greater network security by releasing a worm program into the Internet on November 2." Somewhat disappointing to have IEEE propose that Mr. Morris "revealed" anything that was not already known by anyone seriously interested or involved in Internet security. Personally, I would have chosen Cliff Stoll's 1985/1986 tracking of the Hanover hackers as a more meaningful wakeup call for increased network security.

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author (mcdonalc@wsmr.army.mil), not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]