From real@freenet.edmonton.ab.ca Sun Feb 22 15:47:38 1998
Newsgroups: alt.2600.moderated
Subject: RCMP
From: real@freenet.edmonton.ab.ca ()
Date: 22 Feb 1998 23:47:38 GMT

http://www.rcmp-grc.gc.ca/html/bull45-e.htm

Information Technology Security Bulletin 45
IT SECURITY BRANCH, RCMP
January 1998 -- NUMBER 45

* The Macro Virus Cap
* Cellular Telephone and Personal Communication Service Security Concerns
* Windows NT Security Checklist

The battle against macro viruses continues. A macro virus that was first detected in the spring of 1997 has quickly become widespread in government departments that use Microsoft(R) Word(tm). The virus consists of one large macro called CAP which is called from nine other specific macros inconspicuously named AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates, Tools Macro, FileClose, FileOpen and AutoClose.

While it has been suggested that the virus has no damaging payload or trigger, it does in fact remove some legitimate system macros that are defined in the global template file. The actual damage then is primarily in the amount of time lost in recovering from these incidents. One department has reported 2,368 incidents of this virus to the RCMP Security Evaluation and Inspection Team (SEIT) for only the first nine months of the year. The time spent in restoring the original system macros can be significant and costly. This downtime is further impacted by the inability of antivirus products to detect and repair the virus damage.

The virus itself has been well researched and documented. According to various international anti-virus groups, the CAP macro contains the following text:

C.A.P:Un virus social.. y ahora digital.. j4cKyQw3rTy (jqw3rty@hotmail.com). Venezuela, Maracay, Dic 1996. P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !

However, this text is never displayed on a screen or inserted into a document.
The CAP macro virus spreads via Word documents by first copying the set of 10 macros mentioned above into the user's template. The virus then browses the Word menu items for custom macros, intercepting up to five of these additional macros and placing inside them a pointer to the main CAP macro. In addition, any system macros previously defined in a global template before the infection are deleted. The virus also removes the menu items "Tools/Macro" and "Tools/Customize". The "File/Templates" menu item is present after infection but does not work.

The virus uses information from the macro description field found at the bottom of the Tools/Macro box to recognize its own main macros. These have "F%" at the beginning of a description (FileOpen has F%O, FileClose - F%C, FileSave and FileSaveAs - F%SA). System administrators can manually check for these descriptions.

The CAP macro virus can be effectively removed in two steps:

1. Run a recent antivirus scanner (which has been updated to detect and repair the CAP damage). This procedure will remove the virus and all related (infected) macros.

2. Rename the global template (NORMAL.DOT) to some other unique (.DOT) name. The next time Word is started, it will automatically create a new global template file.

This second step is necessary to get rid of the menu customization created by the virus and to put in place a new NORMAL.DOT file. It is then a matter of using the Tools/Macro (Organizer option) to copy the required macros from the renamed template file, thereby preserving all the department's required custom macros.

Departments are reminded and encouraged to report their virus incidents to SEIT. This facilitates the ability to track the spread of incidents and to share virus recovery techniques. For further information contact David Black of the RCMP IT Security Branch at 613-993-6579, or send an E-mail to dblack@seit.com.
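Step 2 of the recovery above, scripted as an added example; this is not code from the bulletin or from the RCMP. It assumes a modern PowerShell on Windows, that step 1 (the updated scanner) has already been run, and that the directory holding NORMAL.DOT is supplied by the caller, since the bulletin does not state where Word keeps it. The two checks it adds are the ones that bite in practice: Word must be closed (a running Word holds NORMAL.DOT open and rewrites it on exit, undoing the rename), and the new name must be unique so repeated recoveries on one machine never overwrite an earlier renamed copy.

```powershell
# Added example, not part of the RCMP bulletin: rename the global template so that
# Word rebuilds a clean NORMAL.DOT on its next start (step 2 of the CAP recovery).
# -TemplateDir is an assumed parameter; pass the directory that holds NORMAL.DOT.
param([Parameter(Mandatory)][string]$TemplateDir)

$normal = Join-Path $TemplateDir 'NORMAL.DOT'
if (-not (Test-Path $normal)) {
    throw "No NORMAL.DOT found in $TemplateDir"
}

# Word keeps the global template open and saves it again on exit, which would
# either block the rename or write the infected template back under the new name.
if (Get-Process -Name winword -ErrorAction SilentlyContinue) {
    throw 'Close all Word windows before renaming the global template'
}

# A timestamped name stays unique across several recoveries on the same machine
# and keeps the .DOT extension so the Organizer can still open it as a template.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$newName = "NORMAL-PRECAP-$stamp.DOT"
Rename-Item -Path $normal -NewName $newName

Write-Host "Renamed NORMAL.DOT to $newName."
Write-Host 'Start Word once so it creates a fresh NORMAL.DOT, then use Tools/Macro (Organizer)'
Write-Host "to copy only the custom macros you still need from $newName."
```

Copy macros back selectively: the renamed template still contains whatever the scanner left, so move over named departmental macros from the Organizer rather than restoring the whole file.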
Cellular Telephones

The Advanced Mobile Phone System (AMPS) is the original standard for the North American cellular telephone system. The system allows two service providers. In Canada, the "A" side is allotted to the non-hardwired carrier (Cantel), while the "B" side is assigned to the wired service provider (Bell Mobility).

The cellular telephone system, unlike the old radio telephone system, reuses the same set of assigned frequencies over and over again. The reuse is accomplished by first dividing the assigned frequencies into groups. Each of these groups is then assigned to a specific cell site. When all groups have been used, the first group of frequencies is assigned as far as possible geographically from the original group assignment. The geographic separation ensures that the cell sites do not interfere with each other's traffic.

The frequency designations are as follows: the base station or forward channel frequencies range from 869 MHz to 894 MHz. These are the channels that allow the cell site to talk to the mobile. The mobile cellular channels or reverse channels range from 824 MHz to 849 MHz.

Currently, most cellular telephone traffic is in analog or plain language format, and scanners can readily be modified to monitor these frequencies. An eavesdropper utilizing two scanners set 45 MHz apart will be able to intercept both sides of an ongoing conversation. Since the cellular telephone is simply a radio transceiver that receives and broadcasts radio signals, users are unaware if their calls are being monitored. The AMPS control channels use frequency-shift keying (FSK) to transmit the user's mobile identification number (MIN), electronic serial number (ESN) and number assignment module (NAM) information. The voice channels, however, have been using the analog format, making them vulnerable to interception.
The recent introduction of digital cellular telephones, primarily using time-division multiple access (TDMA), has allowed service providers to triple the bandwidth of the AMPS network. Scanners cannot demodulate voice channel information transmitted in digital format. Digital cellular telephones operate in a dual-mode capacity. The cellular telephone must be able to communicate with the cell site in both analog and digital formats; however, the method of communications is transparent to the user. A user could therefore expect a measure of voice privacy inherent with digital communications while conducting a conversation on a digital cellular telephone, but actually be communicating in analog. The mobile communication format is dictated by the cell site. Each cell site may have only a limited number of TDMA-capable channels, and if these channels are all in use then the mobile will be required to communicate in analog. An estimated 95 percent of all cellular calls are still transmitted in analog format. The digital cellular telephone does not encrypt its voice channel information. Devices capable of converting the digital mode to analog are currently available, but expensive.

Personal Communication Service

The first personal communication service (PCS) system marketed in Canada was Microcell's "Fido", with a very limited infrastructure providing service in Quebec City, Montreal, Ottawa, Toronto and Vancouver. Fido uses the global system for mobile communications standard at 1900 MHz, or GSM-1900. Clearnet's PCS service uses a code-division multiple access (CDMA) format. PCS is a fully digital network offering advanced options such as call forwarding, call waiting and multi-party calling. The telephone set uses smart card technology to store user information. The voice channel on the GSM-1900 system is digitized and encrypted, with the encryption key stored on the smart card. The service area for PCS is very limited compared to the cellular network.
To overcome this problem, Microcell has entered into an agreement with Bell Mobility to use the cellular network where Fido service does not exist. As a result of this decision, Fido must now become a dual-mode telephone, as is Clearnet's PCS. Dual mode refers to the capability of functioning on both the GSM-1900 and the AMPS systems. The caller has then lost the security advantages of the GSM-1900 system and reverted to the analog AMPS system.

Some telephone models will have a light-emitting diode (LED) display on the unit to indicate the status of the call, whether "secure" in digital-encrypted PCS mode or "non-secure" in plain-language AMPS format. The method of communication with the mobile telephone will be determined by the service provider's PCS network. If the security indication is missed by the user, a sensitive call believed to be broadcast in encrypted-digital PCS may actually have been switched by the service provider to the AMPS network without the knowledge of the caller. A switch from PCS to AMPS may also occur during the conversation and will also change the security status of the call without the knowledge of the user. The dual-mode function eliminates the security advantages of PCS and opens the door to the cellular network vulnerabilities.

The RCMP Counter Technical Intrusion Section recommends that sensitive information not be discussed on a cellular telephone, including digital cellular telephones, due to the uncertainty of the broadcast format. If it is necessary to transmit sensitive information over the airwaves, the use of a STU III cellular in encrypted mode is recommended. However, this only enables secure communication with a second STU III cellular or land line which is also in encrypted mode.
As with most operating systems, Windows NT has been designed with a myriad of security features which may be activated or de-activated in accordance with the organization's security requirements and the sensitivity level of the information processed. To ensure that Windows NT is implemented in compliance with the security policy developed by Information Technology Security (ITS) personnel, system administrators must become knowledgeable about the security features and carefully plan the implementation. This, on the surface, may appear to be a simple task but in practice requires significant effort and technical expertise. The administrators must fully understand the Windows NT security architecture and also remain aware of all known security vulnerabilities.

A test Windows NT LAN was established by the RCMP Security Evaluation and Inspection Team (SEIT) to assist departments in implementing Windows NT servers with adequate security features. This LAN, consisting of one Windows NT version 4.0 server and several Windows NT and Windows 95 clients, was set up to review the various security-related features of the operating system. In addition, SEIT reviewed the Microsoft documentation, industry publications, the Windows NT implementation and guidance books, and also researched Internet resources, to compile a Windows NT security checklist. This checklist, when completed, will provide information that will assist Windows NT system administrators in adequately securing their Windows NT networks.

The Windows NT operating system provides a number of security features including the ability to uniquely identify each user, clear memory immediately after it is freed by a process, disallow the recovery of information in disk clusters which have been allocated from another user, allow administrators to track security-related activities of all users in the system, and shield the security log from all but administrative users.
These features, when properly configured and implemented, provide substantial safeguards to protect the confidentiality, integrity and availability of the data and the network. However, there are some potentially vulnerable areas which must be addressed by system administrators. Operating systems are dynamic entities requiring frequent updates. From time to time, operating system security vulnerabilities are uncovered and heavily publicized. It is essential that system administrators remain aware of maintenance and security issues and immediately apply approved fixes to identified security vulnerabilities. Some of the concerns that should be considered when configuring a Windows NT network are listed below. A more detailed list will be provided in the Windows NT security checklist.

File Systems

Windows NT supports both the New Technology File System (NTFS) and the File Access Table (FAT) file systems. SEIT recommends that, when installing Windows NT, NTFS be implemented. NTFS is the only file system capable of utilizing all the security features built into Windows NT. The FAT file system does not support Windows NT access control lists. Implementing FAT instead of NTFS prevents system administrators from assigning either file or directory level security restrictions necessary to achieve the National Computer Security Center (NCSC)'s C2 security level. Windows NT system disks formatted using the FAT file system do support the use of filenames up to 255 characters long. However, the FAT file system provides only limited means to recover from system faults. The majority of third party disk repair tools that are able to repair damage to FAT file systems support only the 8+3 filename convention. Files which utilize the longer naming convention are often viewed as damaged files, and treated accordingly.

Logging

The system logging capability is not automatically enabled when installing Windows NT.
Enabling both system and security auditing/logging can inform system administrators of actions that pose security risks and possibly help detect security breaches. Windows NT saves the logs in the %SystemRoot%\System32\Config directory on the disk. Hackers or malicious users often cover their tracks by modifying the log files after they have compromised a system. Therefore, only a limited number of trusted individuals should have full rights to these log files.

Disk Space Quotas

Windows NT does not have the capability of assigning disk space quotas to system users. This provides an opportunity for users or perpetrators to launch a denial-of-service attack against an NT system by filling the file system. Third-party utilities are available to enforce disk space quotas.

Boot Procedure

Many Windows NT installations are run on Intel-based hardware. Most Intel-based hardware lacks strong boot protection, so anyone who has physical access to the system can reboot that system from any bootable device, including a floppy drive. An effective way to counter this type of attack is to combine good physical security of the server with the use of strong encryption on system and data files.

File Access Controls

Administrators must be aware that the default permissions for all new file shares give Full Control rights to the Everyone placeholder. Users have full control of any file in any share unless steps are taken by the share operator to reduce the potential risk. Share operators should be instructed to modify the permissions on all file shares immediately after they are created.

Last Signon Notification

By default, Windows NT 4.0, at the client or server level, displays the name of the last person who logged on to the system. This may pose a security threat, especially if a user's password can be guessed from the account name or the login environment. The display of the last user logged-on can be disabled by changing a registry key setting.
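A read-only audit of the checklist items above (file system type, auditing, log file rights, share permissions and the last-user display), written as an added example; it is not code from the bulletin or from the RCMP and was not part of SEIT's checklist. It assumes a current PowerShell on Windows, run in an elevated session, and uses cmdlets that did not exist on NT 4.0 (Get-CimInstance, Get-SmbShare, Get-SmbShareAccess, Get-Acl) plus the auditpol tool. Two details are supplied here rather than by the bulletin: the registry value name DontDisplayLastUserName, which is the value behind the "last signon" setting (checked in both its Winlogon location and the later Policies location), and the event log directory, which on current Windows is %SystemRoot%\System32\winevt\Logs rather than the System32\Config path the bulletin gives. The script changes nothing; it only reports findings.

```powershell
# Added example, not from the RCMP bulletin: report deviations from the Windows NT
# checklist items above. Read-only; run elevated so share and ACL queries succeed.
$findings = New-Object System.Collections.Generic.List[string]

# 1. File systems: only NTFS carries access control lists, so any fixed disk
#    that is not NTFS cannot hold file- or directory-level permissions.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    if ($_.FileSystem -ne 'NTFS') {
        $findings.Add("Volume $($_.DeviceID) is $($_.FileSystem): no file/directory ACLs possible")
    }
}

# 2. Auditing: the bulletin notes logging is off by default. auditpol prints
#    'No Auditing' for each subcategory that is still disabled.
$off = @(auditpol /get /category:* 2>$null | Where-Object { $_ -match 'No Auditing$' })
if ($off.Count -gt 0) {
    $findings.Add("$($off.Count) audit subcategories are set to 'No Auditing'")
}

# 3. Log file rights: only administrators and the system should be able to write
#    the logs, since intruders cover their tracks by editing them.
#    Assumption: the modern log directory, not NT 4.0's System32\Config.
$logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
if (Test-Path $logDir) {
    (Get-Acl $logDir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl' -and
        $_.IdentityReference -notmatch 'SYSTEM|Administrators|TrustedInstaller|EventLog'
    } | ForEach-Object {
        $findings.Add("Log directory: $($_.IdentityReference) holds $($_.FileSystemRights)")
    }
}

# 4. Share permissions: new shares default to Everyone / Full Control.
#    Administrative shares (Special) are skipped; report the rest that still have it.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        $_.AccessRight -eq 'Full' -and
        $_.AccessControlType -eq 'Allow'
    } | ForEach-Object {
        $findings.Add("Share '$($_.Name)' grants Everyone Full Control")
    }
}

# 5. Last signon notification: DontDisplayLastUserName = 1 hides the previous
#    user name. The Winlogon key is the NT 4.0 location; Policies\System the later one.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$hidden = $false
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name DontDisplayLastUserName -ErrorAction SilentlyContinue).DontDisplayLastUserName
    if ("$v" -eq '1') { $hidden = $true }
}
if (-not $hidden) {
    $findings.Add('Last logged-on user name is shown at logon (DontDisplayLastUserName is not 1)')
}

if ($findings.Count -eq 0) {
    'No checklist findings.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Treat the output as a worklist, not a verdict: an identity flagged under item 3 may be a service account the site deliberately granted, and the quota and boot-protection items from the checklist are not something a script on the host can verify, so they stay on the manual list.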
Information Resources

New security vulnerabilities are periodically discovered and reported. Many general computer security announcements originate from both the Computer Emergency Response Team (CERT) mailing list (URL http://www.cert.org) and the Forum of Incident Response and Security Teams (FIRST) mailing list (URL http://www.first.org); these constitute excellent information resources for tracking operating system vulnerabilities.

NT security mailing lists are another Internet resource. To subscribe to the NTSECURITY mailing list, send the text "Subscribe NTSECURITY" in an E-mail message to NTSecurity-Request@iss.net. To subscribe to the NTBUGTRAQ mailing list, send the text "Subscribe NTBUGTRAQ firstname lastname" or "Subscribe NTBUGTRAQ Anonymous" in an E-mail message to listserv@listserv.ntbugtraq.com. These lists have no official connection to Microsoft.

The Information Technology Security Bulletin is published 3 times a year by the Technical Publications Section of the RCMP.
Managing Editor: Loretta Parsons
Editor: Jean Perreault

Any part of this bulletin may be reproduced and used in another publication, providing the source is acknowledged (Information Technology Security Bulletin, RCMP IT Security Branch).
For information concerning other IT security publications, contact:

Technical Publications Section
Technical Operations Directorate
Royal Canadian Mounted Police
1426 St. Joseph Boulevard
Gloucester, Ontario K1A 0R2
Tel.: 613-990-0678, 613-993-8798, 613-993-8797
Fax: 613-993-2107
Electronic Bulletin Board: 613-941-6344, 613-993-6536
Internet address: techpubs@seit.com

Visit the IT Security Branch web site: http://www.rcmp-grc.gc.ca/html/itsb-e.htm

Copyright RCMP/GRC 1998

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Graham-John Bullers
Moderator of alt.2600.moderated
http://www.freenet.edmonton.ab.ca/~real/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~