FOR OFFICIAL DEPARTMENT OF ENERGY USE ONLY 
        _____________________________________________________
              The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                        Informational Bulletin                                 

                         End of FY90 Update

September 30, 1990, 1300 PST                             Number A-34
 
During the twelve months of this fiscal year,  CIAC team members have
engaged in a number of activities.  One of the main activities has been
assisting sites in recovering from incidents.   Our involvement has led
to a number of valuable lessons learned--things that can improve your
site's computer security as well as enhance the DOE community's
coordination and handling of incidents.

1.  Password problems.  The main contributor to network intrusions has
been poorly chosen passwords.   There are still too many accounts in
which the username and password are identical--an easy target for
network attackers and worms.  There is a great need for system managers
to perform regular checks on passwords using tools such as the Security
Profile Inspector (SPI) for UNIX and VMS systems.  (Contact CIAC to
obtain a copy of SPI.)   Accounts such as DEMO, GUEST, TEST, FIELD, and
others need to be closed--these accounts provide an easy way for
attackers to gain unauthorized access to systems.  Prohibit passwords
that can be found in the English dictionary.  CIAC strongly recommends
that your site as well as your system(s) have a written password
policy.  This policy should be required reading for users before they
are given an account.  Violations of this policy should result in a
lower level of privileges, i.e., lower usage priority (if practical to
implement), or in the case of repeated violations, termination of usage
altogether.

2.      Vulnerabilities.  A frequent contributor to network intrusions
is unpatched operating system vulnerabilities.   In CIAC Bulletin A-23
we described the major exploited vulnerabilities in UNIX systems.  In
particular, ensure that sendmail, finger, ftp, tftp, the DECODE alias,
and the host.equiv configuration do not allow attackers opportunity for
intrusion.   In CIAC Bulletin A-31 steps to improve the security of VMS
systems are presented.   It is important to secure DECNET,  enhance
auditing, disuser (or protect in other ways) all old or infrequently
used accounts, and improve login security with LGI_xxx SYSGEN
parameters.  If you are not sure how to patch vulnerabilities, which
particular vulnerabilities apply to your system, how to install a TAR
tape, etc. call CIAC for assistance!  Again, having a site policy for
dealing with vulnerabilities is essential!

3.      Viruses.  The major viruses with which we have dealt in the
MS-DOS arena during the last 12 months are Jerusalem, Stoned, Cascade
(1701/1704), Ohio, Ping Pong, and Disk Killer.  Of these viruses,
Jerusalem and Disk Killer are most likely to produce damage.  In the
Macintosh arena, nVIR and WDEF are most prevalent, although neither is
likely to damage a system.   For a summary of the major viruses, refer
to CIAC Bulletin A-15.  In addition to frequently obtaining reports of
viruses spreading through exchange of removable media (disks), we are
also hearing about  viruses spreading rapidly through Novelle and other
microcomputer networks (see CIAC Bulletin A-33).  Vendor demonstrations
and shrink wrap software are increasingly becoming a source of virus
outbreaks.  We have found that sites with implemented procedures for
detecting and eradicating viruses have significantly decreased the time
and effort involved in recovering from this type of incident.  Users of
PCs, PC clones, and Macintoshes frequently do not know exactly whom to
call if there is a suspected virus infection--the number of a support
person should be posted on every small system!  This is particularly
important with users of classified systems.  Finally, Disinfectant 2.1
and FPROT (freeware detection/ eradication packages for Macintosh and
MS-DOS computers, respectively) are available from CIAC for the
asking.

4.      User Accountability and Legal Considerations.  We recommend
that every user should be required to sign a statement indicating
exactly what the user is and is not permitted to do before being
allowed to use a computing system.  We also recommend that if possible
every system should display a login banner that prohibits unauthorized
use (see CIAC Bulletin A-22).   Failure to take these steps may provide
a legal loophole during prosecution for computer misuse and/or damage.

5.      Distribution of CIAC Bulletins.  Many sites promptly distribute
CIAC and other bulletins widely throughout the site.  Some users and
system managers, however, report that they are not receiving CIAC
bulletins, or, if they are, there is a substantial delay.  CIAC
bulletins are sent to every site's security managers (e.g., Computer
Security Site Managers and Computer Protection Program Managers).   It
is critical to ensure that these bulletins quickly get to those who
need them.  It is also important to avoid distributing bulletins marked
FOR OFFICIAL DEPARTMENT OF ENERGY USE ONLY outside of the DOE community.

6.      Reporting of Incidents.   Sometimes a CIAC team member will
call a system manager and inform that the system manager's system has
been probed or penetrated by an attacker.  Too often the system manager
will not report the incident to the site security manager(s).   CIAC
does not report incidents; however, it is essential that site personnel
comply with DOE Orders 1360.2A and 5637.1 in reporting incidents.

7.      Getting Information to CIAC.  When you have an incident that
might affect others throughout DOE (e.g., a network intrusion, worm,
new vulnerability, widespread virus infection, etc.), call CIAC.  A
large number of CIAC bulletins this fiscal year have been based on
information supplied to us by sites.  Many thanks go to the "good
computer security citizens" who furnish this information to us--timely
warnings have spared many sites from incidents.

8.      Training and Awareness.  The CIAC team has already presented
the two-day workshop on incident handling at many sites .  We
appreciate the comments and feedback that have enhanced this workshop
considerably.   The aim of the workshop is to enable system managers,
managers, and users to respond to incidents more efficiently as well as
become more aware of sound computer security practices.    For
additional information, or to bring this workshop to your site, call
CIAC.

As a parenthetical note, please be advised that the identification
number for CIAC bulletins issued on or after October 1, 1990 will begin
with "B."  Thus, the first bulletin will be B-1, the second will be
B-2, etc.

For additional information or assistance, please contact CIAC:

  Eugene Schultz
  (415) 422-8193 or (FTS) 532-8193
  FAX:  (415) 423-0913 or (FTS) 543-0913 

 Send e-mail to:

  ciac@tiger.llnl.gov
 
Neither the United States Government nor the University of California nor any of
their employees, makes any warranty, expressed or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use would not
infringe privately owned rights.  Reference herein to any specific commercial
products, process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor the
University of California, and shall not be used for advertising or product
endorsement purposes.