VIRUS-L Digest Friday, 29 Jun 1990 Volume 3 : Issue 118
Today's Topics:
I'm bummed. (re BITFTP access to Scandinavia)
query - virus software licensing
The Worm That Turned
Warning - Jerusalem B from mail-order company. (PC)
Mainframe attacks
F-FCHK.ZIP update (PC)
Hacking
Virus on Startup Screen? (MAC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Wed, 27 Jun 90 17:07:32
From: <[email protected]> (Steven W. Smith)
Subject: I'm bummed. (re BITFTP access to Scandinavia)
Hello, all. After seeing the following:
> From: [email protected] (Harri Valkama LAKE)
> Subject: fprot111.zip (PC)
> Fridrik Skulason has uploaded his latest version of F-PROT (heavy
> package of virus protection utils) to chyde.uwasa.fi (128.214.12.3)
I tried to access chyde.uwasa.fi via [email protected] and received not
fprot111.zip, but:
> 19:50:36 > FTP chyde.uwasa.fi UUENCODE
> 19:50:36 > USER anonymous
> 19:50:36 >>>> Access to the Scandinavian nodes has been
> 19:50:36 >>>> discontinued, due to the slowness
> 19:50:36 >>>> and unreliability of the network connections.
> 19:50:36 >>>> Please try to confine your BITFTP requests
> 19:50:37 >>>> to North American nodes. Thank you.
Any suggestions? Maybe a North American site with fprot111.zip, although I'd
prefer an alternative to BITFTP (short of going Unix, that is)...
Many thanks
_,_/|
\o.O; Steven W. Smith, Programmer/Analyst
=(___)= Glendale Community College, Glendale Az. USA
U
[email protected]
------------------------------
Date: 27 Jun 90 14:30:22 +0000
From: [email protected] (Jon Alexander)
Subject: query - virus software licensing
In the Macintosh world, we have available a number of
anti-virus software utilities that are free or minimal in
cost (e.g. Disinfectant, GateKeeper programs).
In the PC-DOS and compatible world, we have found no such
software. (Note: we have downloaded a copy of F-PROT,
but we have no experience with it, and we've seen very
little discussion of it, up to now).
We are currently looking at several options, including
a SITE LICENCE for the McAfee suite of anti-virus
tools. To all readers: Does your organization have
any experience with site-licensing PC anti-virus
software?
Specifically, we are wondering how much hassle
sites have encountered with administering this
kind of licence.
Jon Alexander
University of Toronto Computing Services
Toronto, Ontario, CANADA
PHONE: +1-416-978-6230
E-MAIL: [email protected]
------------------------------
Date: Thu, 28 Jun 90 12:12:37 +0100
From: [email protected]
Subject: The Worm That Turned
Article in the UK magazine Personal Computer World July 1990 p.202-206
"The Worm That Turned" by Ian Witten and Harold Thimbleby.
Describes how they have utilised the same mechanism that a virus employs to
spread itself to create databases that automatically update themselves.
They call their software "liveware."
Some definitions:
Liveware - a hypertext (or other) database that updates itself automatically
whenever the occasion arises.
Enliven - to inoculate a person's computer with Liveware.
Information owner - an owner of one or more cards in the database, and the only
person permitted to change them.
Database owner - the person responsible for the Liveware database as a whole.
They are not empowered to alter information belonging to others.
Signature - a code identifying an owner including their full name and perhaps
an encrypted secret password that only they can generate.
Livestamp - the Liveware information recorded on each card; signature
information and time stamp.
Merge - the joining of two Liveware databases together so that both contain
the most recent information.
Thimbleby works at Stirling University, Scotland.
Witten is with the Department of Computer Science, University of Calgary,
Canada.
Rgds,
Iain Noble
Teesside Polytechnic Library, UK
- -----------------------------------------------------------------------------
Iain Noble                                   |
[email protected]                              | Post: Main Site Library,
JANET: [email protected]                       | Teesside Polytechnic,
EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL       | Middlesbrough,
INTERNET: LBA002%[email protected]             | Cleveland, UK, TS1 3BA
UUCP: LBA002%[email protected]                 | Phone: +44 642 218121 x 4371
- -----------------------------------------------------------------------------
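The merge and ownership rules in the definitions above, worked through as an added illustration that is not from the article or the posting: each card carries its owner and a livestamp (time plus signature), and a merge keeps the most recent version of every card whose signature verifies, so only the owner's own changes propagate. The signature scheme (an HMAC keyed by a per-owner secret), the card layout and the sample data are my assumptions; the article as summarised gives none of these details.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample secrets. The article only says the signature is a code
# only the owner can generate; modelling it as an HMAC key is an assumption.
SECRETS = {"alice": b"alice-secret", "bob": b"bob-secret"}


@dataclass(frozen=True)
class Card:
    owner: str        # information owner: the only person allowed to change the card
    timestamp: int    # livestamp time: when the owner last changed the card
    content: str
    signature: str    # livestamp signature over (owner, card id, time, content)


def sign(owner, secret, card_id, timestamp, content):
    msg = f"{owner}|{card_id}|{timestamp}|{content}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_card(owner, card_id, timestamp, content, secret=None):
    # Passing an explicit secret lets a test construct a forged card.
    secret = SECRETS[owner] if secret is None else secret
    return Card(owner, timestamp, content,
                sign(owner, secret, card_id, timestamp, content))


def is_valid(card_id, card, secrets=SECRETS):
    secret = secrets.get(card.owner)
    if secret is None:
        return False
    expected = sign(card.owner, secret, card_id, card.timestamp, card.content)
    return hmac.compare_digest(expected, card.signature)


def merge(local, remote, secrets=SECRETS):
    """Return (merged, rejected). The local copy is trusted; a remote card
    replaces it only if its signature verifies, its owner matches the local
    owner, and its livestamp is more recent. Forged or re-owned cards are
    listed in rejected and the local version is kept."""
    merged, rejected = dict(local), []
    for card_id, card in remote.items():
        mine = local.get(card_id)
        if not is_valid(card_id, card, secrets) or (mine and mine.owner != card.owner):
            rejected.append(card_id)
            continue
        if mine is None or card.timestamp > mine.timestamp:
            merged[card_id] = card
    return merged, rejected
```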
------------------------------
Date: Thu, 28 Jun 90 02:50:00 -0400
From: [email protected]
Subject: Warning - Jerusalem B from mail-order company. (PC)
I'm new to this group, but I thought I'd put the word out so others don't get
their computers infected. I recently bought an I/O - floppy drive controller
card (SUPER MULTI I/O) from Jems Computers in San Jose, California. Along
with it came a floppy with the setup programs for the clock/cal. It turns out
that it was infected with the Jerusalem-B virus. Unfortunately, I didn't find
out until it had infected about 40% of my .EXE and .COM files. I called them
and they said that the disk came with the card from the manufacturer. I would
be VERY careful with any software that comes from there...mind you I'm not
saying not to buy from there (the card and the 1.44M drive I received are
excellent) but just check out the software extra carefully. We now return you
to the regularly scheduled programming.
FF
A. Poulias          "And you run and you run to catch up with the sun, but it's sinking
MIAMI U.             And racing around to come up behind you again
Oxford, OH           The sun is the same in the relative way, but you're older
                     Shorter of breath and one day closer to death"
                                 - Pink Floyd, "Time", The Dark Side of the Moon
[email protected]
[email protected]
B-T-W, I was able to remove the virus with CLEANUP from McAfee
Associates. If anyone from there is reading this, my registration is on
the way.
------------------------------
Date: Thu, 28 Jun 90 14:17:05 -0500
From: [email protected] (Emily H. Lonsford)
Subject: Mainframe attacks
Chuck Hoffman of GTE Laboratories, Inc., writes:
" That also was about two years before the time that the Security group at
SHARE formed, which developed the specifications for the product which became
ACF2 in 1978. Simultaneously, IBM was secretly developing RACF."
My recollection is that RACF came before ACF2. David Chess can probably
clarify the exact date. Barry Schrager of SKK (the original developers of
ACF2) was a member of the SHARE committee that wrote the first security white
paper, on what an access control system should do. IBM's response, RACF, fell
far short of the mark - for one thing, in early releases it protected BY
EXCEPTION rather than BY DEFAULT. SKK decided they could do a better job, and
went off and wrote ACF2 on London Life's computer in Toronto. I did a survey
of the two packages in the 78-79 time frame and ended up choosing ACF2 for my
employer, an energy company.
"it became much more difficult for hackers who were not in the systems
programming groups to make significant intrusions into MVS systems. "
I think you meant to say that it requires knowledge of MVS. True, the
controls are there with ACF2, RACF and TopSecret to prevent non-sysprogs from
hacking into MVS, but how _well_ are they implemented? All it takes is one
privileged ID with a trivial password, or one unprotected APF library,
installation ID with the default password, etc. etc.
And you have to be cautious about the sysprogs. They have the knowledge and
the power to do lots of damage, just by accident.
"Computer Associates is in the process of raising the rating of ACF2 and Top
Secret from C2 to B1."
Is that what CA is telling you? I just looked in my April 1990 "Information
Systems Security Products and Services Catalog", a government publication, and
CA is not in the list of vendors in the evaluation process. The process
normally takes at least 2 years. Interestingly enough, IBM _is_ listed in the
evaluation process for MVS-ESA/RACF, aiming at a B level evaluation.
Currently MVS/XA with RACF, ACF2 or TopSecret is rated at C2. You might want
to get a copy of the catalog from your local GPO Bookstore. It has some
interesting information in it about lots of security products.
And just because the OS is evaluated at B1 doesn't mean _in your
implementation_ that it's B1 secure. For one thing, any OS modifications (SVCs, exits
etc.) invalidate the rating. Can you imagine MVS without add-ons?
"On Digital VAXs, the VMS system technically is C2, but in my opinion the
architecture is so cumbersome that systems managers have some justification
when they say that you need system privileges all the time just to do a job.
Yes, it's C2, but so many people end up with privileges that it hardly
matters."
I agree that it's difficult to manage the privileges on VAX/VMS. But at least
DEC included C2 level protection in the OS, rather than making the user buy an
ADD-ON package to get security. Let's face it: without ACF2, RACF or
TopSecret, "MVS security" is an oxymoron.
To me, the worst problem is with UNIX's root account; there it's all or
nothing when it comes to privileges. There's no such thing as "separation of
duties." And so far the "more secure" versions of UNIX really haven't
addressed that.
As always, my opinions are my own, not necessarily those of my employer.
* Emily H. Lonsford
* MITRE - Houston W123 (713) 333-0922
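The distinction the posting draws between protecting BY EXCEPTION and BY DEFAULT, as an added illustration that is not from the posting and does not reproduce how RACF or ACF2 actually evaluate rules: the same allow-list rules are applied either way, and the only difference is what happens to a dataset nobody has written a rule for. The dataset names, user IDs and the prefix-matching rule format are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    prefix: str        # dataset name prefix the rule covers, e.g. "PAYROLL."
    users: frozenset   # user IDs permitted to access datasets under that prefix


# Constructed sample: only PAYROLL.* has an explicit rule; HR.* was never defined.
RULES = [Rule("PAYROLL.", frozenset({"PAYADM"}))]


def matching_rule(dataset, rules=RULES):
    return next((r for r in rules if dataset.startswith(r.prefix)), None)


def protect_by_exception(user, dataset, rules=RULES):
    """A dataset is open to everyone unless someone has written a rule for it."""
    rule = matching_rule(dataset, rules)
    return True if rule is None else user in rule.users


def protect_by_default(user, dataset, rules=RULES):
    """A dataset is closed to everyone unless a rule explicitly permits the user."""
    rule = matching_rule(dataset, rules)
    return False if rule is None else user in rule.users


def unprotected_datasets(datasets, rules=RULES):
    """Audit helper: datasets no rule covers, i.e. the ones that would be wide
    open under protect-by-exception and silently denied under protect-by-default."""
    return [d for d in datasets if matching_rule(d, rules) is None]
```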
------------------------------
Date: Thu, 28 Jun 90 13:05:25 -0500
From: James Ford <[email protected]>
Subject: F-FCHK.ZIP update (PC)
An update to FProtect's F-FCHK has been added to MIBSRV.MIB.ENG.UA.EDU
(130.160.20.80) in the directory pub/ibm-antivirus. (again, thanks to
Jim Wright).
FPROT110.ZIP - Original ZIP file of FProtect
F-FCHK.ZIP - one file (f-fchk.exe)
FPROT110A.ZIP - FProtect package with updated F-FCHK.EXE file. Note
that the name is *not* standard DOS (9 characters
instead of 8). - ( I don't think this will be a problem
but if it is, then let me know..JF) -
- ----------
Life is what goes by while you are watching television.
- ----------
James Ford - [email protected], [email protected]
THE University of Alabama (in Tuscaloosa, Alabama USA)
------------------------------
Date: 29 Jun 90 12:21:22 +0100
From: [email protected]
Subject: Hacking
Hi, I'm a PhD student doing a thesis on the phenomena of hacking and viruses.
I'd really appreciate any information that people come across that might be
of use to me, especially stuff from "The Whole Earth Review" and "2600" which
I'm having difficulty getting access to here in the U.K. Please E-mail me
or my postal address is, The Politics Dept., 31 Buccleuch Place, Edinburgh,
EH8 9JT. Thanks very much in advance,
Paul A.Taylor.
------------------------------
Date: Thu, 28 Jun 90 16:48:11 -0400
From: [email protected] (Bruce Barnett)
Subject: Virus on Startup Screen? (MAC)
We have been having problems with MacIIci and Microsoft mail.
I suspect a new type of virus.
The Mac crashes when clicking "SETUP" in the chooser when selecting
a mail server.
The Mac also crashes when opening the Microsoft Mail DA.
I have replaced the entire system folder, and re-installed TOPS, etc.
If I put back the start-up screen in the system folder, Microsoft
Mail crashes. (System error 12, or the screen freezes.)
When I move the start-up screen to a new place and
restart the Mac, everything works fine.
This is repeatable. The start-up screen seems to be infected.
This problem has happened on several new Macs (all MacIIci's)
in far ends of the building. OS 6.0.4 and 6.0.5.
But not every MacIIci crashes.
I haven't narrowed it down to an exact combination of what must be
replaced when this crash occurs. But replacing (not updating) the
system, re-installing TOPS and Microsoft mail, and deleting the
start-up screen seem like the best solution we have right now.
This corrupted "system" problem has been ten times harder to fix
than any virus we have seen. We use SAM 2.0 and Disinfectant 1.8, and
they find nothing wrong with the startup screen.
Can the startup screen contain a virus?
- --
Bruce G. Barnett
[email protected]   uunet!crdgw1!barnett
------------------------------
End of VIRUS-L Digest [Volume 3 Issue 118]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253