VIRUS-L Digest             Tuesday, 15 Nov 1988         Volume 1 : Issue 9

Today's Topics:
Worms and Censorship (from ETHICS-L list)
Request for info on CHRISTMA EXEC (IBM mainframe VM/CMS)
Security@Aim.Rutgers.Edu -- has anyone seen it?
Request for general virus information
FBI request for Internet Worm info
Re: Virus writers
Nightline report on computer (Internet) worm
Comments on "Computer Viruses" book

---------------------------------------------------------------------------

Date: Fri, 11 Nov 88 16:38:00 EDT
From: "Peter D. Junger"
Subject: Worms and Censorship (from ETHICS-L list)

On the off-chance that nobody else forwarded this message to virus-l,
and knowing that the list is now moderated, here is:

- ----------------------------Original message----------------------------

I am surprised that I have, as yet, seen no discussion on this list
(or Virus-L or Risks) of the issues raised by an article which appears
in today's (11/11) National Edition of The New York Times on page 12
under the byline of John Narkoff and headlined: "U.S. Is Moving to
Restrict Access To Facts About Computer Virus." I shall type in the
first two paragraphs, and trust that you will forgive my typos.

"Government officials are moving to bar wider dissemination of
information on techniques used in a rogue software program that jammed
more than 6,000 computers in a nationwide computer network last week.

"Their action comes amid bitter debate among computer scientists over
whether the Government should permit widespread publication of details
about how disruptive programs work and about flaws in computer networks
that can be exploited. Some oppose restrictions, while others argue
that such details should be treated as highly sensitive information."
The fourth, and key, paragraph reads as follows:

"Yesterday, officials of the National Computer Security Center, a
division of the National Security Agency, contacted researchers at
Purdue University in West Lafayette, Ind., and asked them to remove
information from campus computers describing the internal workings of
the software program that jammed computers around the nation on Nov. 3."

How many members of this list have been visited by the censors? How
many have purged their-or public-files at the request of the
government? How many have told the spooks to go fly a kite?

Peter D. Junger
JUNGER@CWRU

------------------------------

Date: 15 November 1988, 12:28:19 GMT
From: Ahmet Koltuksuz (51)275858 BILSER3 at TREARN
Subject: Request for info on CHRISTMA EXEC (IBM mainframe VM/CMS)

hi there
i am collecting all the available info on christmas exec trojan horse
which infected ibm mainframes couple of years ago...all info and/or
source address which an info may be got welcome......
thanks to all in advance.

ahmet koltuksuz
grad.student of computer sci.
specializing in comp. security
e mail ====== bilser3 at trearn

------------------------------

Date: Mon, 14 Nov 88 23:16:30 est
From: shafferj@amethyst.bucknell.edu
Subject: Security@Aim.Rutgers.Edu -- has anyone seen it?

Has anyone received any messages from Security@Aim.Rutgers.Edu or its
Bitnet redistributions since about the beginning of 1988? I haven't,
and I'd love to see what they had to say about the Sendmail virus. Of
course there'd be reprints from RISKS and probably Virus-L :-), but
they would probably have a lot of stuff we haven't seen here. But they
don't seem to exist, as far as I can see.

[Ed. I'm also on that list, and can't remember the last time that I
saw any output from it.]

Also, has the virus generated any talk on Info-VAX? I don't read it
because it's too unreliable and creates too much traffic, but I would
hope that someone there is discussing the problem with Ultrix.
(Though every time there was a VMS security hole discovered, half the
net was flaming the other half to the effect that it shouldn't be
talked about because the wrong people might hear about it! I've got
news for them, the wrong people already have heard before anybody on
that list...)

Don't reply to the list unless you come up with an interesting
cross-post. Just mail me here at shafferj@amethyst.bucknell.edu.

Thanks,
Jim

------------------------------

Date: Tue, 15 Nov 1988 09:09 EST
From: [Ed. Sorry, this is all the header info I got.]
Subject: Request for general virus information

Date: 15 Nov 88

Since some of the users of this discussion list had mentioned that
they were working on manuals and/or presentations concerning computer
security in the academic world, I am passing on to you a request from
a BITNET user.

Liisa Rautianen, a Finnish university student, is preparing a thesis
on computer security. While I have provided some materials about
computer security, they have been from a business world viewpoint. She
is looking for additional information and points specific to the
academic world.

If anyone can help her, please contact me or Liisa at
(TKOP-LR@FINOU.BITNET). Thank you.

------------------------------

Date: Tue, 15 Nov 1988 9:39:27 EST
From: Ken van Wyk
Subject: FBI request for Internet Worm info

This was found recently in Usenet newsgroup comp.protocols.tcp-ip:

From: TomZ@DDN1.ARPA
Newsgroups: comp.protocols.tcp-ip
Subject: FBI Contact re: November Internet Virus
Date: 14 Nov 88 05:03:00 GMT

Were YOU hit by the November Internet Virus?
The FBI wants to hear from you!

The Federal Bureau of Investigation is attempting to gather critical
information necessary to pursue this case under the Computer Fraud and
Abuse Act of 1986. (This is the statute that makes it a federal crime
to penetrate a computer owned by or run on the behalf of the
Government.)
The FBI Case Agent has asked the Defense Data Network Project
Management Office to collect the names of organizations and Points of
Contact (names and phone numbers) that were hit by the Virus. The
Defense Communications Agency has established an E-Mail address for
this collection at:

INFO-VACC [at] BEAST.DDN.MIL

Points of Contact should expect to be contacted by their local FBI
agents for dispositions due to the wide geographical area involved.

I * M * P * O * R * T * A * N * T

The FBI needs this information to pursue the case. If we expect their
aid in the future, we need to help them now.

PLEASE GIVE THIS MESSAGE MAXIMUM DISTRIBUTION;
NOT EVERYONE IS ON "TCP-IP"!

/s/
Tom Zmudzinski
DDN Security Officer
(703) 285-5206

------------------------------

Date: Tue, 15 Nov 88 07:58 EST
From: WHMurray@DOCKMASTER.ARPA
Subject: Re: Virus writers
In-Reply-To: Message of 14 Nov 88 11:24 EST from "Ed Nilges"

>I'd like to begin a dialogue about virus threats to VM/CMS.

Be careful what you ask for; you might get it.

>.......... and Object Code Only creates alienated and ignorant
>systems installers.

Arguable at best, argumentative at worst, not likely to lead to a very
productive discussion.

>These two technical holes are said to be closed in release 5, but there
>is discussion of more and better facilities on VM for remote execution.
>This discussion should take the Morris virus into account.

IBM has done an outstanding job of plugging the special exposures in
RSCS. They have done it on a timely basis. They have employed the safe
defaults, even when these were disruptive to existing applications or
not "user friendly."

Nonetheless, Ed is correct. As demonstrated by the Christmas Card, VM
systems and nets are very vulnerable. The vulnerability arises more
from the style of use than from product characteristics, but the
design does contribute somewhat.

The Christmas Card simply duped users; it did not exploit any special
vulnerabilities.
The only way to have protected against the CC would have been to so
restrict function as to do away with the system. This is to say, users
and style of use will always be the biggest exposures in VM.

The feature that concerns me the most is that executables and other
data objects share the same name space. Most loaders and interpreters
in VM expect filetypes such as EXEC, MODULE, MACRO and PROFILE. This
is a short list. However, this is a convention only; there is no hard
and fast separation between procedures and data.

As Ed's posting suggests, there are a number of remote execution
facilities implemented under VM. Indeed, any user can leave his
virtual machine running, in disconnected mode, and with a remote
execution facility running. He can write such a facility himself, or
he can get it from somewhere else.

However, remote execution facilities are not exposures in and of
themselves. Sendmail was an exposure because it was widely used. A
single instance would not have been an exposure; neither would have
been a collection of dissimilar facilities.

[I have been, in what seems the distant past, employed by IBM.]

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date: Tue, 15 Nov 88 09:46 EST
From: Dana Kiehl
Subject: Nightline report on computer (Internet) worm

I watched the "Nightline" report on the computer worm last Thursday
the 10th. The taped report on the worm was done very well and I got
the impression that even those who don't know much about computers
could easily understand it. However, the live interview with the
computer experts (including Wozniak(sp?)) was, in my opinion,
completely worthless. The two men argued back and forth about whether
a bank's computer could be hit with a virus (among other things) and I
myself was never satisfied with anybody's answer.
I don't think even Koppel was enlightened at all. If anybody watched
it to understand about the worm or potential future virus invasions,
they came away even more confused, myself included.

[Ed. I saw it too, (Thanks for the tape, David!) and I agree; it
didn't say much. There seemed to have been just too much to cover in
too short a time to too limited an audience.]

------------------------------

Date: Tue, 15 Nov 1988 11:29:39 EST
From: Ken van Wyk
Subject: Comments on "Computer Viruses" book

I skimmed over the book "Computer Viruses" by Ralph Roberts (Compute!
Books Publications, Copyright 1988, list price $14.95) last night, and
it seemed to be a pretty fair layman's description of the past year's
viruses, particularly microcomputer viruses (PC, Mac, and Amiga). It
seemed to be written along the lines of most computer books;
relatively short (167 pages), easily readable, and concise, but
without covering too much information. It also includes a review of a
whole slew of anti-virus products that's worth looking at (it covers
software for PCs, Macs, and Amigas). Don't expect the world, but it's
not a bad overview, in my opinion.

Ken

------------------------------

End of VIRUS-L Digest
*********************