_____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ Informational Bulletin End of FY90 Update September 30, 1990, 1300 PST Number A-34 During the twelve months of this fiscal year, CIAC team members have engaged in a number of activities. One of the main activities has been assisting sites in recovering from incidents. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents. 1. Password problems. The main contributor to network intrusions has been poorly chosen passwords. There are still too many accounts in which the username and password are identical--an easy target for network attackers and worms. There is a great need for system managers to perform regular checks on passwords using tools such as the Security Profile Inspector (SPI) for UNIX and VMS systems. (Contact CIAC to obtain a copy of SPI.) Accounts such as DEMO, GUEST, TEST, FIELD, and others need to be closed--these accounts provide an easy way for attackers to gain unauthorized access to systems. Prohibit passwords that can be found in the English dictionary. CIAC strongly recommends that your site as well as your system(s) have a written password policy. This policy should be required reading for users before they are given an account. Violations of this policy should result in a lower level of privileges, i.e., lower usage priority (if practical to implement), or in the case of repeated violations, termination of usage altogether. 2. Vulnerabilities. A frequent contributor to network intrusions is unpatched operating system vulnerabilities. In CIAC Bulletin A-23 we described the major exploited vulnerabilities in UNIX systems. In particular, ensure that sendmail, finger, ftp, tftp, the DECODE alias, and the host.equiv configuration do not allow attackers opportunity for intrusion. In CIAC Bulletin A-31 steps to improve the security of VMS systems are presented. It is important to secure DECNET, enhance auditing, disuser (or protect in other ways) all old or infrequently used accounts, and improve login security with LGI_xxx SYSGEN parameters. If you are not sure how to patch vulnerabilities, which particular vulnerabilities apply to your system, how to install a TAR tape, etc. call CIAC for assistance! Again, having a site policy for dealing with vulnerabilities is essential! 3. Viruses. The major viruses with which we have dealt in the MS-DOS arena during the last 12 months are Jerusalem, Stoned, Cascade (1701/1704), Ohio, Ping Pong, and Disk Killer. Of these viruses, Jerusalem and Disk Killer are most likely to produce damage. In the Macintosh arena, nVIR and WDEF are most prevalent, although neither is likely to damage a system. For a summary of the major viruses, refer to CIAC Bulletin A-15. In addition to frequently obtaining reports of viruses spreading through exchange of removable media (disks), we are also hearing about viruses spreading rapidly through Novelle and other microcomputer networks (see CIAC Bulletin A-33). Vendor demonstrations and shrink wrap software are increasingly becoming a source of virus outbreaks. We have found that sites with implemented procedures for detecting and eradicating viruses have significantly decreased the time and effort involved in recovering from this type of incident. Users of PCs, PC clones, and Macintoshes frequently do not know exactly whom to call if there is a suspected virus infection--the number of a support person should be posted on every small system! This is particularly important with users of classified systems. Finally, Disinfectant 2.1 and FPROT (freeware detection/ eradication packages for Macintosh and MS-DOS computers, respectively) are available from CIAC for the asking. 4. User Accountability and Legal Considerations. We recommend that every user should be required to sign a statement indicating exactly what the user is and is not permitted to do before being allowed to use a computing system. We also recommend that if possible every system should display a login banner that prohibits unauthorized use (see CIAC Bulletin A-22). Failure to take these steps may provide a legal loophole during prosecution for computer misuse and/or damage. 5. Distribution of CIAC Bulletins. Many sites promptly distribute CIAC and other bulletins widely throughout the site. Some users and system managers, however, report that they are not receiving CIAC bulletins, or, if they are, there is a substantial delay. CIAC bulletins are sent to every site's security managers (e.g., Computer Security Site Managers and Computer Protection Program Managers). It is critical to ensure that these bulletins quickly get to those who need them. It is also important to avoid distributing bulletins marked FOR OFFICIAL DEPARTMENT OF ENERGY USE ONLY outside of the DOE community. 6. Reporting of Incidents. Sometimes a CIAC team member will call a system manager and inform that the system manager's system has been probed or penetrated by an attacker. Too often the system manager will not report the incident to the site security manager(s). CIAC does not report incidents; however, it is essential that site personnel comply with DOE Orders 1360.2A and 5637.1 in reporting incidents. 7. Getting Information to CIAC. When you have an incident that might affect others throughout DOE (e.g., a network intrusion, worm, new vulnerability, widespread virus infection, etc.), call CIAC. A large number of CIAC bulletins this fiscal year have been based on information supplied to us by sites. Many thanks go to the "good computer security citizens" who furnish this information to us--timely warnings have spared many sites from incidents. 8. Training and Awareness. The CIAC team has already presented the two-day workshop on incident handling at many sites . We appreciate the comments and feedback that have enhanced this workshop considerably. The aim of the workshop is to enable system managers, managers, and users to respond to incidents more efficiently as well as become more aware of sound computer security practices. For additional information, or to bring this workshop to your site, call CIAC. As a parenthetical note, please be advised that the identification number for CIAC bulletins issued on or after October 1, 1990 will begin with "B." Thus, the first bulletin will be B-1, the second will be B-2, etc. For additional information or assistance, please contact CIAC: Eugene Schultz (415) 422-8193 or (FTS) 532-8193 FAX: (415) 423-0913 or (FTS) 543-0913 Send e-mail to: ciac@tiger.llnl.gov Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.