_____________________________________________________
             The Computer Incident Advisory Capability
                        ___  __ __    _     ___
                       /       |     / \   /
                       \___  __|__  /___\  \___
       _____________________________________________________
                       Informational Bulletin

                        End of FY90 Update

September 30, 1990, 1300 PST                               Number A-34



During the twelve months of this fiscal year, CIAC team members have
engaged in a number of activities.  One of the main activities has been
assisting sites in recovering from incidents.  Our involvement has led
to a number of valuable lessons learned--things that can improve your
site's computer security as well as enhance the DOE community's
coordination and handling of incidents.



1.  Password problems.  The main contributor to network intrusions has
been poorly chosen passwords.  There are still too many accounts in
which the username and password are identical--an easy target for
network attackers and worms.  There is a great need for system managers
to perform regular checks on passwords using tools such as the Security
Profile Inspector (SPI) for UNIX and VMS systems.  (Contact CIAC to
obtain a copy of SPI.)  Accounts such as DEMO, GUEST, TEST, FIELD, and
others need to be closed--these accounts provide an easy way for
attackers to gain unauthorized access to systems.  Prohibit passwords
that can be found in the English dictionary.  CIAC strongly recommends
that your site as well as your system(s) have a written password
policy.  This policy should be required reading for users before they
are given an account.  Violations of this policy should result in a
lower level of privileges, i.e., lower usage priority (if practical to
implement), or in the case of repeated violations, termination of usage
altogether.
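The three password rules in this item (close the default accounts, reject a password identical to the username, reject dictionary words) as a small policy check.  This is an added example, not CIAC's SPI tool; it assumes it runs at the moment a password is set, so it sees the cleartext, and the account list and word list below are constructed for the demonstration.

```python
"""Audit (username, password) pairs against the bulletin's password rules.

Added example, not from CIAC.  The account records and the word list are
constructed; a real check would load the full dictionary (e.g. the
system word list) and run from the password-change procedure.
"""

# Default/vendor accounts the bulletin says should be closed.
DEFAULT_ACCOUNTS = {"demo", "guest", "test", "field"}

# Constructed mini-dictionary standing in for the English word list.
DICTIONARY = {"password", "secret", "welcome", "summer", "dragon"}

# Constructed sample accounts (cleartext only because the check runs at
# password-set time, not against the stored password file).
SAMPLE_ACCOUNTS = [
    ("alice", "Kx7!mq2p"),
    ("guest", "guest"),
    ("bob", "bob"),
    ("carol", "Summer1"),
    ("field", ""),
]


def check_account(username, password, dictionary=DICTIONARY):
    """Return the list of policy violations for one account (empty = OK)."""
    findings = []
    user = username.lower()
    pw = password.lower()
    if user in DEFAULT_ACCOUNTS:
        findings.append("default account should be closed")
    if not password:
        findings.append("empty password")
    elif pw == user:
        findings.append("password equals username")
    # A dictionary word with trailing digits ("summer1") is still a
    # dictionary word; the digit-stripping is an assumption added here.
    elif pw in dictionary or pw.rstrip("0123456789") in dictionary:
        findings.append("password is a dictionary word")
    return findings


def audit(accounts, dictionary=DICTIONARY):
    """Map each violating username to its findings; compliant accounts are omitted."""
    report = {}
    for username, password in accounts:
        findings = check_account(username, password, dictionary)
        if findings:
            report[username] = findings
    return report
```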



2.      Vulnerabilities.  A frequent contributor to network intrusions
is unpatched operating system vulnerabilities.  In CIAC Bulletin A-23
we described the major exploited vulnerabilities in UNIX systems.  In
particular, ensure that sendmail, finger, ftp, tftp, the DECODE alias,
and the hosts.equiv configuration do not give attackers an opportunity
for intrusion.  In CIAC Bulletin A-31 steps to improve the security of
VMS systems are presented.  It is important to secure DECnet, enhance
auditing, disuser (or protect in other ways) all old or infrequently
used accounts, and improve login security with the LGI_xxx SYSGEN
parameters.  If you are not sure how to patch vulnerabilities, which
particular vulnerabilities apply to your system, how to install a TAR
tape, etc., call CIAC for assistance!  Again, having a site policy for
dealing with vulnerabilities is essential!
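Two of the UNIX configuration items named above can be checked mechanically: a wildcard entry in hosts.equiv (which extends trusted-host login to every machine on the network) and a DECODE alias still present in the sendmail aliases file (which pipes incoming mail through uudecode and writes the result to disk).  The audit below is an added example, not from CIAC or Bulletin A-23; both file contents are constructed.

```python
"""Flag a hosts.equiv wildcard and a live decode alias.

Added example, not from CIAC.  SAMPLE_HOSTS_EQUIV and SAMPLE_ALIASES are
constructed stand-ins for /etc/hosts.equiv and /etc/aliases.
"""
import re

# Constructed hosts.equiv: the bare "+" trusts every host on the network.
SAMPLE_HOSTS_EQUIV = """\
# trusted hosts
labhost1
labhost2 operator
+
"""

# Constructed aliases file with the decode alias still enabled.
SAMPLE_ALIASES = """\
postmaster: root
decode: "|/usr/bin/uudecode"
nobody: /dev/null
"""


def hosts_equiv_findings(text):
    """Return (line_no, line) for entries that trust all hosts or all users."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # Format is "host [user]"; a "+" in either field is a wildcard.
        if fields[0] == "+" or (len(fields) > 1 and fields[1] == "+"):
            findings.append((n, raw))
    return findings


def aliases_findings(text):
    """Return (line_no, line) for the decode alias or any alias piped to a program."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([^#:]+):\s*(.*)", raw)
        if not m:
            continue
        name, target = m.group(1).strip().lower(), m.group(2).strip()
        if name in ("decode", "uudecode") or target.lstrip('"').startswith("|"):
            findings.append((n, raw))
    return findings
```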



3.      Viruses.  The major viruses with which we have dealt in the
MS-DOS arena during the last 12 months are Jerusalem, Stoned, Cascade
(1701/1704), Ohio, Ping Pong, and Disk Killer.  Of these viruses,
Jerusalem and Disk Killer are most likely to produce damage.  In the
Macintosh arena, nVIR and WDEF are most prevalent, although neither is
likely to damage a system.  For a summary of the major viruses, refer
to CIAC Bulletin A-15.  In addition to frequently obtaining reports of
viruses spreading through exchange of removable media (disks), we are
also hearing about viruses spreading rapidly through Novell and other
microcomputer networks (see CIAC Bulletin A-33).  Vendor demonstrations
and shrink-wrapped software are increasingly becoming a source of virus
outbreaks.  We have found that sites with implemented procedures for
detecting and eradicating viruses have significantly decreased the time
and effort involved in recovering from this type of incident.  Users of
PCs, PC clones, and Macintoshes frequently do not know exactly whom to
call if there is a suspected virus infection--the number of a support
person should be posted on every small system!  This is particularly
important with users of classified systems.  Finally, Disinfectant 2.1
and FPROT (freeware detection/eradication packages for Macintosh and
MS-DOS computers, respectively) are available from CIAC for the
asking.



4.      User Accountability and Legal Considerations.  We recommend
that every user should be required to sign a statement indicating
exactly what the user is and is not permitted to do before being
allowed to use a computing system.  We also recommend that if possible
every system should display a login banner that prohibits unauthorized
use (see CIAC Bulletin A-22).  Failure to take these steps may provide
a legal loophole during prosecution for computer misuse and/or damage.



5.      Distribution of CIAC Bulletins.  Many sites promptly distribute
CIAC and other bulletins widely throughout the site.  Some users and
system managers, however, report that they are not receiving CIAC
bulletins, or, if they are, there is a substantial delay.  CIAC
bulletins are sent to every site's security managers (e.g., Computer
Security Site Managers and Computer Protection Program Managers).  It
is critical to ensure that these bulletins quickly get to those who
need them.  It is also important to avoid distributing bulletins marked
FOR OFFICIAL DEPARTMENT OF ENERGY USE ONLY outside of the DOE community.



6.      Reporting of Incidents.  Sometimes a CIAC team member will
call a system manager and inform him or her that the system has
been probed or penetrated by an attacker.  Too often the system manager
will not report the incident to the site security manager(s).  CIAC
does not report incidents; however, it is essential that site personnel
comply with DOE Orders 1360.2A and 5637.1 in reporting incidents.



7.      Getting Information to CIAC.  When you have an incident that
might affect others throughout DOE (e.g., a network intrusion, worm,
new vulnerability, widespread virus infection, etc.), call CIAC.  A
large number of CIAC bulletins this fiscal year have been based on
information supplied to us by sites.  Many thanks go to the "good
computer security citizens" who furnish this information to us--timely
warnings have spared many sites from incidents.



8.      Training and Awareness.  The CIAC team has already presented
the two-day workshop on incident handling at many sites.  We
appreciate the comments and feedback that have enhanced this workshop
considerably.  The aim of the workshop is to enable system managers,
managers, and users to respond to incidents more efficiently as well as
become more aware of sound computer security practices.  For
additional information, or to bring this workshop to your site, call
CIAC.



As a parenthetical note, please be advised that the identification
number for CIAC bulletins issued on or after October 1, 1990 will begin
with "B."  Thus, the first bulletin will be B-1, the second will be
B-2, etc.



For additional information or assistance, please contact CIAC:

       Eugene Schultz
       (415) 422-8193 or (FTS) 532-8193
       FAX:  (415) 423-0913 or (FTS) 543-0913

Send e-mail to:

       [email protected]



Neither the United States Government nor the University of California nor any of
their employees, makes any warranty, expressed or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use would not
infringe privately owned rights.  Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor the
University of California, and shall not be used for advertising or product
endorsement purposes.