COMPUTER SECURITY
*****************
Compiled, edited & written by Ian Douglas
InterNet iandoug@aztec.co.za
May 1995 edition
===================================================================

Major story this month was the arrival of SATAN. No, this is not another April Fool's joke. SATAN stands for Security Analysis Tool for Auditing Networks. What that gobbledygook means is that it is an attack scanner - it scans OTHER systems on the internet to see if they are vulnerable to break-ins.

This sounded like a teenage cracker's dream come true, and when the package was released on 5 April, the distribution sites were immediately clogged with people ftping it. Most were disappointed. The package is a combination of scripts and programs, and needs SERIOUS hardware to run - a workstation of the SUN/Sparc type power, and 32 MBytes of memory as a minimum. Not your average teenage cracker setup... The manuals are apparently not exactly user friendly (see: obscure, confusing, complex) either.

There were of course also bugs in the software, which introduced security holes where there had been none before. This has so far resulted in TWO update releases. Each new update of course includes code to exploit the bugs in the previous version.

One of the authors, Dan Farmer, who wrote the program in his spare time, was forced to resign from his day job at Silicon Graphics because of the negative publicity surrounding the release of SATAN.

There are other attack scanners on the market, but their distributors are very fussy about who they sell the products to. SATAN was available to all comers, a very controversial step.

SATAN's release was immediately followed by anti-SATAN software from other people. Programs include NATAS and Gabriel, both released free as a public service. Also, the CyberGuard Firewall is claimed to be impervious to SATAN.

Top Ten ways you can tell SATAN has invaded your network

10. All keys except the 6 are suddenly disabled.
9. Your monitor starts spinning around in circles.
8. File server starts emitting pea soup.
7. Your router begins sending outgoing packets to hell.org.
6. 10BaseT wire flies up and wraps around roving sysadmin.
5. Your bastion host starts smoking.
4. Anonymous FTP rips off its mask to reveal horns and a goatee.
3. X terminals become XXX terminals.
2. Standard Unix prompt replaced by inverted cross.
1. Your firewall turns into a ring of flames.

===========================================================================

An insight into the mind of a would-be virus writer:

"Don't know how many ppl out there are windoze haters like me... but I have an idea for an Anti-Windoze virus... but could use a little help in acquiring some various virii to look from... so far my idea would entail:
1) being able to know when the windoze program would be loaded;
2) be able to delete the entire windoze system and output a message similar to "I don't think you really want to do that :)";
3) Do a disk wipe over the area previously holding the windoze files;
4) Write itself to a certain sector of the HD, and mark itself as bad blocks.
5) Then if windoze is re-installed and run again go through the process all over again."

===========================================================================

Ever wondered where the term 'hacker' came from?

" 'Hacker' goes back to the horse-drawn 'hack'. A skilled driver was called a 'hacker'. The term continued into the motor powered taxi-cab business with the same meaning. Various fields have adopted it. Many early computer 'hackers' had part time jobs while students as taxi drivers, and carried the term back to the 'computer center'. The original meanings had NOTHING TO DO with break-ins. "

===========================================================================

Atlas Computer Systems has fired the advertising consultant who suggested that posting an advertisement to all the Usenet newsgroups was an effective way of advertising a 1-gigabyte hard disc drive. Atlas suffered several days of mail-bombing as well as repeated calls to its 1-800 number from irritated Usenet readers. The New Scientist quotes Atlas's vice-president Matt Nye as saying that the consultant suggested spamming the newsgroups after reading Canter and Siegel's infamous publication "How to make a fortune on the Information Superhighway".

===========================================================================

Subject: FORM Virus on DEMO Disk (PC)
From: baran@Kodak.COM
Date: 13 Apr 1995 12:03:26 -0000

Information Security Services
Subject: FORM Virus on DEMO Disk

Recently, demo disks labeled "Purify Organics by Melt Crystallization - Interactive Process Simulator & Applications Quiz" were sent to our Research community by Sulzer ChemTech, Sulzer Canada Inc. These disks also included the FORM virus.

===========================================================================

Subject: Software Time-Bomb
From: DPMullin@ix.netcom.com (Douglas Mullin)
Date: 14 Apr 1995 13:03:33 -0000

There is a company called American Business Information that puts out several products that I have become NOT VERY FOND OF! The one that woke me up to what is going on is called American Business Phonebook. I had this software installed on my system. I bought the software at a computer show on a CD-ROM disk. I was also dumb enough to buy their 70 million households phonebook and their 9-digit zip code directory.

The other day when I went to access the business phone book to look up a number for a business their software trashed my system, WITH NO WARNING! I found out by looking at the package on the back in very small letters it has some kind of warning that the software is only good for one year.

When I checked into the other two software packages I found out that these also have built-in time bombs to disable the software and/or the entire system. I had to go in and fix things after this little disaster struck my hard drive. After I got things back on line I went in and removed all reference to this software in my system. I have to assume that they put some type of command in the software that brings down the system if you try to use it after a certain date. I only wish that these people were kind enough to put some kind of warning in the software to let you know about the impending doom that is about to happen when the time runs out.

I do have some other better products that I have been using for well over a year with no problems. AMERICAN BUSINESS INFORMATION products will never be used on any of my systems in the future because of the poor quality software that they seem to have.

===========================================================================

The "Good Times" email 'virus' was reported running around on the USA dial-up service America On-Line. The reports appear to be a hoax.

===========================================================================

In a minor nappy war in the Usenet groups comp.virus and alt.comp.virus, Vesselin Bontchev took the package InVircible to task. Programs from this package will delete files named SOFIA and WRITEST if they are in the current directory. Vesselin happened to have such a file with important data in it, and was most upset when it was deleted and he was unable to recover it. Zvi Netiv, the author, claimed that newer versions of his program no longer do this. However, Vesselin succeeded in having all programs from Zvi Netiv removed from, and banned from, the SimTel ftp archives because of this trojan activity.

===========================================================================

Subject: End of Account
From: sbringer@netcom.com (Scott B. Ringer)
Date: Mon, 24 Apr 1995 16:13:33 GMT

Greets,

My account is closing today.... I'll be out for a while...

Cheers,
Stormbringer, Phalcon/SKISM

Wonder why? I know various people have been putting pressure on the internet access provider Netcom in the USA to 'clean up' their system and remove the underground stuff. For those who don't know, Phalcon/SKISM is a virus writing group.

===========================================================================

Subject: Re: New Virus Alert
Date: 24 Apr 1995 22:04:47 GMT

I've received a file that is called BESTSSVR.ARJ that contains two .DOC files and an executable file called COOLSVR.COM. It purports to be a DOS Screen Saver demo. However, I believe it is a virus dropper. It is a run-time infector and only infects .com files. It is not detected by any of the current scanners I have (F-Prot, Thunderbyte or McAfee's). I don't know whether it will jump directories. It may be slightly polymorphic, either that or the writer has some weird affection for NOP instructions. The encryption is standard xor stuff, though the decryptor is located at the end of the file, which is probably why Thunderbyte did not notice it.

The reason I believe the package is a deliberate attempt to spread a virus is that the virus is embedded deep into COOLSVR.COM, not at the end as one would expect had this been a legitimate program that was infected. The front end code almost appears to be set up by a C or C++ compiler, though I'm not 100% sure about this. It will infect multiple .com files. It contains, in the encrypted area, text strings that are essentially the usual and customary hate message to John McAfee and Patricia Hoffman as well as others. It has the string "Caiuba" in it as well. The person who gave it to me downloaded it from a BBS and infected his system. The COOLSVR.COM file does display some graphic images.
===========================================================================

There was an article in the Saturday San Francisco Chronicle with the headline, "Police Hunt Slayer of Oakland School Cop." At first glance this appears to be yet another sad tale of inner-city violence with no relation to computer RISKS. However, buried in the middle of the article is the statement, "The source also said that the slain officer was found sitting in his patrol vehicle and may have been using his patrol car computer at the time of the shooting." Could it be that the visual and mental concentration required to operate a computer can constitute a potentially fatal distraction for a police officer?

Note also that IF the cop was logged in at the time of his murder, his assailant could have continued to access the Police systems as he wished...

===========================================================================

A story on BBC radio 4 news described the arrest of an alleged supermarket blackmailer. He was arrested for planting (fake) bombs in supermarkets. The reporter went on to say that he had been caught because the police had been able to trace him as the owner of the shoebox used in one of the fake bombs. It seems to me that the police must have traced the stock number on the box down the distribution chain using the shoemaker's computer systems. Once they determined which shop it was sold from they must have used the shop's stock control system to determine when it was sold. In order for the police to determine who bought the shoes (and the box) the arrestee must have used a means of payment (e.g., credit card) that included his name.

In a similar event, the FBI used the rear axle from the van that exploded in Oklahoma City to find the owner of the vehicle. USA cars have vehicle ID codes in various parts of the body, to prevent theft. These are databased on computers. The van was traced to a car rental agency. Police were able to obtain good descriptions of the two men who hired it. As it happens, Timothy McVeigh had been arrested on another charge shortly after the bomb went off. An alert policeman noticed that the suspect, who was soon to pay his bail and leave, was the country's most wanted man...

On Friday, 7 April 1995, KNOW (the St. Paul, Minnesota, National Public Radio affiliate) reported that a jewelry store in St. Cloud had been burglarized. In order to circumvent the jewelry store's alarm the thief first broke into an adjacent florist's shop. He then used a pickaxe to hack his way through an interior wall into the jewelry store. He looted the store at his leisure and fled leaving no prints or other evidence behind--except the pickaxe. A sharp-eyed police officer noticed a barcode sticker was still attached to the pickaxe. The officer took the tool to a local hardware store and had the owner scan the code into his register (the reporter did not say if the officer visited multiple hardware stores). Voila! The pickaxe had been sold the day before the burglary. By matching the time of sale as recorded in the register's database to the time stamp on the store's video-surveillance tapes a clear picture of the suspected burglar was obtained. At air time he had not yet been apprehended.

===========================================================================

Problems in USA: Computer software used to track blood supplies in about 250 blood banks has been recalled because of the possibility that it could allow the release of contaminated blood. Among the problems with the software:

* Untested blood donated by a person for his or her own use could be released for general transfusions.
* Blood that should be quarantined while being tested could remain available for use !!if two computer users changed its status at the same time!!
* The status of a donor whose blood should not be used, after being updated, could revert to its former status, resulting in blood from an ineligible donor being used.

The FDA caught the errors in an inspection of Informedics (which is doing business as Western Star), the Lake Oswego, Oregon company that produces the software. John Torici, president of Informedics, said that his company has about 250 clients in six countries, "and in the 12 years we've been in the business they've processed literally millions of units of blood and there has never been an incident of bad blood being released as a result of our software."

===========================================================================

At a software engineering course for aspiring managers the participants are asked: If your team of programmers/analysts implemented airplane control software, and you were flying one day, finding out before take-off that this plane was one of those equipped with YOUR software, how many of you would get out? All except one person raised their hands. The course instructor asked the only one to have left his hand down "What would you do?" "Stay in my seat -- if my team wrote the software for this plane, it wouldn't move, let alone take off."

===========================================================================

I've always considered FedEx to be far superior to the Post Office because their computer system tracks the packages to the correct destination. Today's WSJ (April 11, 1995, B1) offers a story describing how lawyers routinely subpoena FedEx for these same computerized shipping records. The article mentions a tobacco researcher who had his FedEx shipments subpoenaed by a tobacco company interested in his correspondence. Being a curious and frequent customer of Federal Express, I called up their legal department to find out if anyone had been subpoenaing my shipping records.
This seemed to upset them because they get 300-500 subpoenas a day and their data base just wasn't set up to look for my name. They did tell me that they can only offer proof of delivery and copies of the airbills generated from microfiche. These do not arrive overnight, however, because it takes them 2-6 weeks to process each court order. Oh, they did mention in passing that they don't keep any records of cash transactions.

===========================================================================

Mark L. Farley, 34, of Lowell, was arrested on 9 Apr 1995. Working as an orthopedic technician in the Newton-Wellesley Hospital, he allegedly accessed a former employee's computer account to search through 954 confidential files of patients (mostly young females) for telephone numbers, which he then used to make obscene calls. (He had pleaded guilty in 1984 to raping an eight-year-old girl in Erving.) He is apparently the first person to be charged under a new Massachusetts statute that makes it a criminal offense to use someone else's password to gain access to a computer system. He is also accused of stealing hospital trade secrets, and making obscene or annoying telephone calls -- apparently from the hospital.

===========================================================================

Eleven Electronic Bulletin Board Systems Dismantled
(From A Royal Canadian Mounted Police news release)

Montreal, April 12, 1995 - Seventeen searches conducted in the Greater Montreal area by the Copyright Investigations Unit of the Montreal RCMP Federal Enforcement Section put an end to the operation of eleven electronic bulletin board systems (BBS).

Since 6 o'clock this morning, 75 RCMP members have been dismantling bulletin boards specialized in circulating copyrighted Canadian software such as Le Correcteur 101, CorelDraw, Winfax PRO, as well as products developed by Autodesk, Borland, Clark Development, DataStorm, Disney, IBM, Lotus, Microsoft, Windows 95, Mustang Software, Novell, Playboy, Quarterdeck, Sierra, Symantec and many other firms.

Computers and peripherals worth more than one hundred thousand dollars were seized, along with millions of dollars of pirated software. This is the most important operation of this kind yet in Canada against illicit bulletin board systems.

About 15 persons will appear in court at a later date to face charges under the Copyright Act which sets out severe penalties for offenders:
- 6 months and/or $25,000.00 per count for summary conviction offenses;
- 2 years and/or $1,000,000.00 per count for indictable offenses.

Key points from the article:

o News of the raid spread rapidly through the Internet;
o The 11 BBSs were involved in large-scale fraud in N.America and Europe. Subscription fees of C$30-C$50 per month allowed participants to download copies of proprietary software at will.
o "Everything available legally on the market was offered by these BBSs," said Sgt Corriveau.
o Some of the more audacious BBSs offered beta copies of Windows95.
o There are about 700 BBSs in the greater Montreal area; the RCMP estimate that three-quarters of them traffic in stolen software.
o Some of the BBSs have become virtual flea markets of pornography, bomb-making instructions, and details of how to succeed at suicide.
o In one of the shut-down systems, stolen goods and illegal assault weapons were advertised for sale.
o It has taken a year to infiltrate the BBSs; some officers had to wait up to four months to gain entrance to the inner areas of the boards they were investigating.
o The raids involved 75 officers in Montreal, Outremont, Repentigny, Longueuil, Saint-Amable, and the St-Jerome area.
o The BBSs shut down are: Notice, Twins, Red Alert, Perfect Crime, Beyond Corruption, Line-Up, Wolf Pack, On the World, Restricted Area and Necromancer Mecon.
o Most had about 6 telephone lines for full-time access, serving 100-250 clients, with some in Europe. The largest, Notice, had 350 clients who each paid $50/month, for an untaxed revenue of C$210,000 per year.
o The police estimate that 11 to 15 criminal hackers will be indicted as a result of the raids. They each face fines of C$25,000 to C$100,000.

===========================================================================

Snippets from the press:

A cracker in the US was found guilty of seven offences, including wire fraud, conspiracy, and intercepting wire communications. The cracker, Poulsen, has already served about 4 years during the legal process. Poulsen attempted to discover the names of undercover FBI businesses, invaded an army network with stolen codes, eavesdropped on phone calls to his former girlfriend, and tapped into the conversations of the telephone officials investigating him. He also faces separate charges for espionage. This may result in up to 85 years in jail...

The Church of Scientology (not my favourite organisation) has filed a lawsuit against a former member. He is posting confidential and copyrighted church material (somewhat damning and damaging) onto the internet. The church is also seeking to have his internet access providers deny him access.

Microsoft is playing the Big Heavy again, this time against a small Jewish publisher. He publishes a CD-ROM titled "The First Electronic Jewish Bookshelf." Microsoft claims to have copyright on the term 'bookshelf' (I kid you not!). Microsoft claims his title will lead to confusion in the marketplace, and wants him to stop using it. The cost of the changes is likely to bankrupt the publisher.
Philips and Sony are set to release a new CD-ROM drive that will read, record and erase CD-ROMs. Twenty leading international electronic and computer companies have agreed to the new standard. It will be able to play back CD-ROMs, and video and audio disks. It will also make recordings onto erasable CDs, unerasable recordings onto blank CDs, and record computer and multimedia data.

Windows 95 (or is that 96 - reports of serious bugs continue..) will need at least 8 to 16 MBytes of RAM to get full functionality. If you have only 4 Meg, you will not be able to multitask, but you will be able to task switch. If you are planning on getting Windows 95, I suggest you buy your RAM now - the demand for RAM is likely to push the price higher.

===========================================================================

Current versions of popular anti-virus software available in SA:

McAfee:      v2.20e
F-Prot:      v2.17
ThunderByte: v6.34

Oliver Steudler of Dynamic Solutions reports nothing major in the last month - just the usual Exe_Bug, Michelangelo, etc.

Mitch Dove of Gas Software in Johannesburg reports what looks like a new Novell Netware virus. The symptoms indicate a possible virus or a trojan of sorts: it has the ability to format the workstation, but only if the user is logged in as supervisor, and all traces are deleted afterwards; it also writes a four letter word on the screen. He also reports Exebug.C, Exebug.A, Exebug Variant unknown, Parity.B + Exebug (double infection), and Stoned.Standard.

===========================================================================

Patricia Hoffman's VSUM scanner test, March 1995. Note that there are around 6000 known viruses at present. This test uses about half, the next one about a third.
VSUM Virus Library Version: X503    Date: Mar 31, 1995
Total Viruses: 2,905    File Viruses: 2,811    Boot Viruses: 94

(Columns: first VSUM certification; viruses detected in total, boot viruses, file viruses; total detected as a percentage of the 2,905 library viruses.)

VSUM Certified Product Name & Version           1st Cert   Total   Boot   File   Tot %
--------------------------------------------------------------------------------------
DOS Based Scanning Products:
Central Point CPAV 2.2 9503                     X503       2,399     86   2,313   82.6
Command Software's F-Prot Professional 2.17     X503       2,830     93   2,737   97.4
Dr. Solomon's AVTK 7.00                         X503       2,805     92   2,713   96.6
IBM Anti-Virus/DOS 2.10                         X503       2,757     94   2,663   94.9
McAfee Assoc ViruScan 2.1.7                     X503       2,835     94   2,741   97.6
Microsoft AV DOS 6.22                           X502       1,125     64   1,061   38.7
Norton Anti-Virus 3.05 9503                     X503       2,341     88   2,253   80.6
Sophos' Sweep 2.71                              X503       2,800     91   2,709   96.4

Virus test from Henri Delger, who regularly posts test results on the Prodigy online service in the USA.

"I've tested a number of anti-virus scanners, with these results (percent detected, 1,659 viruses):

Missed   Detected   Pct.    Program:
    23      1,636   98.6%   ThunderByte's TBScan-6.34
    55      1,604   96.7%   Look's Virus Alert VAScan-3.34
    57      1,602   96.6%   Skulason's FProt-2.17
    76      1,583   95.4%   IBM's AVSP-2.1
    94      1,565   94.3%   McAfee's ViruScan-2.2.0
   160      1,499   90.4%   Stiller's IM-2.42b
   278      1,381   83.2%   Symantec's NAV-3.0+
   311      1,348   81.3%   VDS Research's VDS-3.0s
   341      1,318   79.4%   Datawatch's VPCScan-2.95

Those percentages don't tell the whole story, since other parts of some programs do things other than simply scan for known viruses. However, scanning new disks and programs is the first line of defense. The percentages also are not an expression of true risk - or safety.
While there are thousands of DOS viruses, 95% of them are not widespread enough to be a serious threat. So in reality, a scanner which detected the 200 most commonly reported viruses could provide a 98% safety margin. A scanner which detects 2,000 viruses is not twenty times better than one which detected only the one hundred most commonly reported viruses."

===========================================================================
fin
===================================================================
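The point Henri Delger makes above, that a raw detection percentage counts every virus once while actual exposure is dominated by a handful of widespread ones, can be made concrete with a small calculation. The following Python script is an added example for this newsletter; it is not part of any of the scanner tests quoted above and not the code of any of the products named. The virus names, the "in the wild" report counts and the two scanners' signature lists are all constructed for the illustration; only the method (weighting coverage by how often each virus is actually reported, and counting how many signatures are needed to reach a given weighted coverage) is what the quoted argument describes.

```python
from __future__ import annotations

# Constructed in-the-wild report counts (NOT real data): six viruses make up
# most sightings, and a long tail of 200 others is reported once each.
PREVALENCE: dict[str, int] = {
    "Form": 400, "Stoned": 300, "Michelangelo": 120, "Exebug": 100,
    "Parity": 40, "Cascade": 20,
    **{f"Rare-{i:03d}": 1 for i in range(1, 201)},
}

# Two hypothetical scanners' signature sets (constructed for the example).
# BROAD knows 205 of the 206 viruses but misses the single most reported one.
BROAD: set[str] = set(PREVALENCE) - {"Form"}
# FOCUSED knows only the six commonly reported viruses.
FOCUSED: set[str] = {"Form", "Stoned", "Michelangelo", "Exebug", "Parity", "Cascade"}


def raw_detection_rate(signatures: set[str], library: dict[str, int]) -> float:
    """The headline figure of a scanner test: viruses known / viruses in the library."""
    return len(signatures & set(library)) / len(library)


def weighted_coverage(signatures: set[str], library: dict[str, int]) -> float:
    """Share of reported infections the scanner would have caught."""
    total = sum(library.values())
    caught = sum(count for name, count in library.items() if name in signatures)
    return caught / total


def signatures_needed(library: dict[str, int], target: float) -> int:
    """Fewest signatures, taken most-reported first, that reach weighted coverage >= target."""
    total = sum(library.values())
    caught = 0
    for n, count in enumerate(sorted(library.values(), reverse=True), start=1):
        caught += count
        if caught / total >= target:
            return n
    return len(library)


def compare(scanners: dict[str, set[str]],
            library: dict[str, int]) -> dict[str, tuple[float, float]]:
    """(raw detection rate, prevalence-weighted coverage) for each scanner."""
    return {name: (raw_detection_rate(sigs, library), weighted_coverage(sigs, library))
            for name, sigs in scanners.items()}


if __name__ == "__main__":
    results = compare({"BROAD": BROAD, "FOCUSED": FOCUSED}, PREVALENCE)
    for name, (raw, weighted) in results.items():
        print(f"{name:8s} raw {raw:6.1%}   weighted {weighted:6.1%}")
    print("signatures for 98% weighted coverage:", signatures_needed(PREVALENCE, 0.98))
```

With the constructed data, BROAD scores 99.5% on the raw count yet would have missed a third of the infections people actually report, while FOCUSED scores under 3% raw but covers 83% of reported infections. The greedy count in signatures_needed shows the other half of the argument: once the common viruses are covered, each extra signature in the tail buys less than a tenth of a percent of coverage.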