_____________________________________________________

The Computer Incident Advisory Capability
CIAC

_____________________________________________________

Information Bulletin

September 30, 1991, 1700 PST
Number B-45

End of FY91 Update

During this fiscal year, CIAC team members have engaged in a number of activities, including assisting sites in recovering from incidents and helping sites prepare for future incidents by presenting the CIAC workshops. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.

1. Internet Attacks and Probes.

Many DOE sites are now connected to the Internet and have all of the additional functionality and risks associated with this connection. We have found that DOE sites tend to be better protected against attacks originating from the Internet than many other agencies and institutions connected to the Internet. Systems designed to protect and partially isolate a site's network from Internet attackers (known as firewall systems) have been installed at many sites. CIAC has found that these sites have fewer network intrusions, and that those attacks have been readily detected by these firewall systems. In addition, security tools such as the Security Profile Inspector (SPI) and network monitoring software have increased the ability of individual sites to rapidly detect and analyze attacks coming from outside the site. This has resulted in the ability to gather evidence and, in some cases, to assist investigative agencies in criminal prosecution. Therefore, we recommend that Internet sites institute a policy of network monitoring and consider restructuring the network architecture to support the firewall concept.
CIAC has also drafted a set of guidelines to assist sites in the determination of policy and procedure in preparation for and handling of computer security incidents. These guidelines are structured as a short overview followed by technical recommendations for the implementation of network monitoring, security tools on individual systems, and firewall systems. While this document is still in draft form, it is expected to be released to the DOE community during the 1992 fiscal year.

We also have a sample user accountability statement that may be used to define conditions of authorized and unauthorized use of computer systems for users of these systems. The Department of Justice has urged us to advise sites of the increasing legal necessity of having users sign statements of accountability. To obtain this user accountability statement, please contact CIAC.

2. Vulnerabilities.

During the past 12 months, CIAC has placed an increased emphasis on analyzing and patching vulnerabilities. CIAC worked with the appropriate software or hardware vendors to assure that these problems were closed in a short time throughout the community. CIAC has assisted vendors and sites in the timely distribution of security patches and work-around solutions as a liaison between the vendors and the sites. As an aid to people at your site to locate and eliminate security bugs, we have prepared a detailed summary of patches and workarounds described in all unclassified CIAC information bulletins and advisory notices to date. If you are a DOE site or contractor, contact CIAC for this information.

3. Viruses.

During the past year, viruses on MS-DOS and Macintosh computers continued to infect a small but significant number of systems throughout DOE. In the MS-DOS arena, the Jerusalem-B, Cascade, and Disk-Killer viruses continued to be most prevalent. Of these viruses, Disk Killer and Jerusalem-B were most likely to cause damage to systems.
During this last fiscal year, the Stoned-2, Horse, and Horse-2 viruses emerged as new threats. In the Macintosh arena, WDEF and nVIR continued to be the major source of threat, but with the advent of Macintosh System-7, the WDEF threat has been reduced since this virus will not run on this version of the operating system. Networked file systems and demonstration software continue to be the main source of these virus infections, and we continued to receive reports of infected vendor software (see CIAC bulletin B-40). CIAC Bulletin B-16 provided an updated list of viruses and their symptoms (updated from information provided in A-15).

CIAC assisted DOE in evaluating an anti-viral product to be purchased and licensed throughout DOE. This product, "Data Physician Plus," is very effective in finding and eradicating viruses on MS-DOS platforms. For the Macintosh, Disinfectant (the latest version is 2.5.2) continues to be a good anti-viral freeware package. Contact CIAC for assistance in obtaining anti-virus packages. Note that information about the current virus threat and anti-viral software may be obtained from the CIAC anonymous FTP server irbis.llnl.gov (IP address 128.115.19.60) by sites connected to the Internet.

4. Getting Information to CIAC.

One of the major difficulties facing CIAC over the past year has been obtaining information from sites currently involved in a multi-site Internet or virus attack. Some system and network managers are not allowed to contact CIAC when such incidents occur, and this has prevented effective coordination of the tracing and prevention of these attacks across the DOE computing community. Other network and system managers have sometimes contacted other agencies' response teams instead of CIAC. This results not only in the spread of information about DOE security incidents outside of our own community, but also deprives CIAC of the information it needs to assist and alert you!
Please keep CIAC aware of major computer security developments at your site.

5. Training and Awareness.

During the past fiscal year, CIAC has expanded its training and awareness capability in several ways. In addition to the two-day workshop on incident handling, there are now workshops of varying length designed to educate and inform administrative managers on the problems of computer security and of handling these problems. There is also an Internet version of the workshop designed to provide technical information on incident handling to those sites connected to the Internet. All of these workshops can be tailored according to time and expertise constraints, and have been very well received at sites throughout the community during the past 12 months. To bring these workshops to your site, please contact CIAC.

As a parenthetical note, please be advised that the identification number for CIAC bulletins issued on or after October 1, 1991 will begin with "C." Thus, the first bulletin will be C-1, the second will be C-2, etc.

For additional information, please contact CIAC or any of the team members listed below. Please note that on Sept. 1, 1991 the area code for CIAC changed from 415 to 510. There has been some difficulty in reaching CIAC using the new 510 area code. If you cannot reach CIAC through this area code, you may substitute 415 until February, 1992, at which time the 415 area code will become invalid.

The CIAC Team:

Gene Schultz, Project Leader
(510) 422-7781/(FTS) 532-7781
gschultz@cheetah.llnl.gov

Karyn Pichnarczyk
(510) 422-1779/(FTS) 532-1779
karyn@cheetah.llnl.gov

Tom Longstaff
(510) 423-4416/(FTS) 543-4416
longstaf@llnl.gov

Hal Brand
(510) 422-0039/(FTS) 532-0039
brand@cheetah.llnl.gov

David Brown
(510) 423-9878/(FTS) 543-9878
dsbrown@llnl.gov

Bill Orvis
(510) 422-8649/(FTS) 532-8649
orvis@icdc.llnl.gov

Ken Pon
(510) 422-1783/(FTS) 532-1783
pon@cheetah.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193/(FTS) 532-8193.
FAX messages to: (510) 423-8002/(FTS) 543-8002.

Previous CIAC bulletins and other information are available via anonymous FTP on the Internet from the system irbis.llnl.gov (IP address 128.115.19.60).

Neither the United States Government nor the University of California nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.