VIRUS-L Digest Tuesday, 15 Nov 1988 Volume 1 : Issue 9
Today's Topics:
Worms and Censorship (from ETHICS-L list)
Request for info on CHRISTMA EXEC (IBM mainframe VM/CMS)
[email protected] -- has anyone seen it?
Request for general virus information
FBI request for Internet Worm info
Re: Virus writers
Nightline report on computer (Internet) worm
Comments on "Computer Viruses" book
---------------------------------------------------------------------------
Date: Fri, 11 Nov 88 16:38:00 EDT
From: "Peter D. Junger" <JUNGER@CWRU>
Subject: Worms and Censorship (from ETHICS-L list)
On the off-chance that nobody else forwarded this message to virus-l,
and knowing that the list is now moderated, here is:
- ----------------------------Original message----------------------------
I am surprised that I have, as yet, seen no discussion on this
list (or Virus-L or Risks) of the issues raised by an article which
appears in today's (11/11) National Edition of The New York Times on
page 12 under the byline of John Markoff and headlined: "U.S. Is Moving
to Restrict Access To Facts About Computer Virus."
I shall type in the first two paragraphs, and trust that you
will forgive my typos.
"Government officials are moving to bar wider dissemination of
information on techniques used in a rogue software program that jammed
more than 6,000 computers in a nationwide computer network last week.
"Their action comes amid bitter debate among computer
scientists over whether the Government should permit widespread
publication of details about how disruptive programs work and about
flaws in computer networks that can be exploited. Some oppose
restrictions, while others argue that such details should be treated
as highly sensitive information."
The fourth, and key, paragraph reads as follows:
"Yesterday, officials of the National Computer Security
Center, a division of the National Security Agency, contacted
researchers at Purdue University in West Lafayette, Ind., and asked
them to remove information from campus computers describing the
internal workings of the software program that jammed computers around
the nation on Nov. 3."
How many members of this list have been visited by the
censors? How many have purged their -- or public -- files at the request
of the government? How many have told the spooks to go fly a kite?
Peter D. Junger
JUNGER@CWRU
------------------------------
Date: 15 November 1988, 12:28:19 GMT
From: Ahmet Koltuksuz (51)275858 BILSER3 at TREARN
Subject: Request for info on CHRISTMA EXEC (IBM mainframe VM/CMS)
Hi there,
I am collecting all the available info on the Christmas EXEC trojan horse
which infected IBM mainframes a couple of years ago. All info and/or
source addresses from which info may be obtained are welcome. Thanks to
all in advance.
ahmet koltuksuz
grad.student of computer sci. specializing in comp. security
e mail ====== bilser3 at trearn
------------------------------
Date: Mon, 14 Nov 88 23:16:30 est
From: [email protected]
Subject: [email protected] -- has anyone seen it?
Has anyone received any messages from [email protected] or its
Bitnet redistributions since about the beginning of 1988? I haven't,
and I'd love to see what they had to say about the Sendmail virus. Of
course there'd be reprints from RISKS and probably Virus-L :-), but
they would probably have a lot of stuff we haven't seen here. But
they don't seem to exist, as far as I can see.
[Ed. I'm also on that list, and can't remember the last time that I
saw any output from it.]
Also, has the virus generated any talk on Info-VAX? I don't read it
because it's too unreliable and creates too much traffic, but I would
hope that someone there is discussing the problem with Ultrix.
(Though every time there was a VMS security hole discovered, half the
net was flaming the other half to the effect that it shouldn't be
talked about because the wrong people might hear about it! I've got
news for them, the wrong people already have heard before anybody on
that list...)
Don't reply to the list unless you come up with an interesting
cross-post. Just mail me here at [email protected].
Thanks,
Jim
------------------------------
Date: Tue, 15 Nov 1988 09:09 EST
From: [Ed. Sorry, this is all the header info I got.]
Subject: Request for general virus information
Date: 15 Nov 88
Since some of the users of this discussion list had mentioned that
they were working on manuals and/or presentations concerning computer
security in the academic world, I am passing on to you a request from
a BITNET user.
Liisa Rautianen, a Finnish university student, is preparing a thesis on
computer security. While I have provided some materials about
computer security, they have been from a business world viewpoint.
She is looking for additional information and points specific to the
academic world.
If anyone can help her, please contact me or Liisa at ([email protected]).
Thank you.
------------------------------
Date: Tue, 15 Nov 1988 9:39:27 EST
From: Ken van Wyk <[email protected]>
Subject: FBI request for Internet Worm info
This was found recently in Usenet newsgroup comp.protocols.tcp-ip:
From: [email protected]
Newsgroups: comp.protocols.tcp-ip
Subject: FBI Contact re: November Internet Virus
Date: 14 Nov 88 05:03:00 GMT
Were YOU hit by the November Internet Virus?
The FBI wants to hear from you!
The Federal Bureau of Investigation is attempting to gather critical
information necessary to pursue this case under the Computer Fraud and
Abuse Act of 1986. (This is the statute that makes it a federal crime
to penetrate a computer owned by or run on the behalf of the
Government.)
The FBI Case Agent has asked the Defense Data Network Project
Management Office to collect the names of organizations and Points of
Contact (names and phone numbers) that were hit by the Virus. The
Defense Communications Agency has established an E-Mail address for
this collection at:
INFO-VACC [at] BEAST.DDN.MIL
Points of Contact should expect to be contacted by their local FBI
agents for dispositions due to the wide geographical area involved.
I * M * P * O * R * T * A * N * T
The FBI needs this information to pursue the case.
If we expect their aid in the future, we need to help them now.
PLEASE GIVE THIS MESSAGE MAXIMUM DISTRIBUTION; NOT EVERYONE IS ON "TCP-IP"!
/s/
Tom Zmudzinski
DDN Security Officer
(703) 285-5206
------------------------------
Date: Tue, 15 Nov 88 07:58 EST
From: [email protected]
Subject: Re: Virus writers
In-Reply-To: Message of 14 Nov 88 11:24 EST from "Ed Nilges"
>I'd like to begin a dialogue about virus threats to VM/CMS.
Be careful what you ask for; you might get it.
>.......... and Object Code Only creates alienated and ignorant
>systems installers.
Arguable at best, argumentative at worst, not likely to lead to a very
productive discussion.
>These two technical holes are said to be closed in release 5, but there
>is discussion of more and better facilities on VM for remote execution.
>This discussion should take the Morris virus into account.
IBM has done an outstanding job of plugging the special exposures in
RSCS. They have done it on a timely basis. They have employed the
safe defaults, even when these were disruptive to existing
applications or not "user friendly."
Nonetheless, Ed is correct. As demonstrated by the Christmas Card, VM
systems and nets are very vulnerable. The vulnerability arises more
from the style of use than from product characteristics, but the
design does contribute somewhat.
The Christmas Card simply duped users; it did not exploit any special
vulnerabilities. The only way to have protected against the CC would
have been to so restrict function as to do away with the system. This
is to say, users and style of use will always be the biggest exposures
in VM.
The feature that concerns me the most is that executables and other
data objects share the same name space. Most loaders and interpreters
in VM expect filetypes such as EXEC, MODULE, MACRO and PROFILE. This
is a short list. However, this is a convention only; there is no hard
and fast separation between procedures and data.
As Ed's posting suggests, there are a number of remote execution
facilities implemented under VM. Indeed, any user can leave his
virtual machine running, in disconnected mode, and with a remote
execution facility running. He can write such a facility himself, or
he can get it from somewhere else.
However, remote execution facilities are not exposures in and of
themselves. Sendmail was an exposure because it was widely used. A
single instance would not have been an exposure; neither would have
been a collection of dissimilar facilities.
[I have been, in what seems the distant past, employed by IBM.]
William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
------------------------------
Date: Tue, 15 Nov 88 09:46 EST
From: Dana Kiehl <[email protected]>
Subject: Nightline report on computer (Internet) worm
I watched the "Nightline" report on the computer worm last Thursday
the 10th. The taped report on the worm was done very well and I got
the impression that even those who don't know much about computers
could easily understand it. However, the live interview with the
computer experts (including Wozniak(sp?)) was, in my opinion,
completely worthless. The two men argued back and forth about whether
a bank's computer could be hit with a virus (among other things) and I
myself was never satisfied with anybody's answer. I don't think even
Koppel was enlightened at all. If anybody watched it to understand
about the worm or potential future virus invasions, they came away
even more confused, myself included.
[Ed. I saw it too, (Thanks for the tape, David!) and I agree; it
didn't say much. There seemed to have been just too much to cover in
too short a time to too limited an audience.]
------------------------------
Date: Tue, 15 Nov 1988 11:29:39 EST
From: Ken van Wyk <[email protected]>
Subject: Comments on "Computer Viruses" book
I skimmed over the book "Computer Viruses" by Ralph Roberts (Compute!
Books Publications, Copyright 1988, list price $14.95) last night, and
it seemed to be a pretty fair layman's description of the past year's
viruses, particularly microcomputer viruses (PC, Mac, and Amiga). It
seemed to be written along the lines of most computer books;
relatively short (167 pages), easily readable, and concise, but
without covering too much information. It also includes a review of a
whole slew of anti-virus products that's worth looking at (it covers
software for PCs, Macs, and Amigas). Don't expect the world, but it's
not a bad overview, in my opinion.
Ken
------------------------------
End of VIRUS-L Digest
*********************