Date: Wed, 31 Jan 90 23:23:25 PST Subject: Security Digest V2 #5 Security Digest Volume 2 Issue 5 subject(s): Sun Sendmail Vulnerability Book Announcement ------------------------------------------------------------------------ Date: Mon, 29 Jan 90 16:47:21 EST From: Kenneth R. van Wyk Subject: Sun Sendmail Vulnerability [ This was explained in detail in volume 1, issue 34 of the security digest dated 26-sep-89. Now that the patent and some other stuff is out of the way, I *promise* that I will set up the automated archive service real soon now. - neil ] CERT Advisory 29 January 1990 Sun Sendmail Vulnerability The Computer Emergency Response Team Coordination Center (CERT/CC) has learned of, and has verified, break-ins on several Internet systems in which the intruders have exploited a vulnerability in the Sun sendmail program. This vulnerability exists in all versions of SunOS up to and including the current version, 4.0.3 on Sun 3, Sun 4, and Sun 386i systems (note that 4.0.2 is the most current version of SunOS on the 386i machines). That is, all current Sun systems. The vulnerability has previously been reported to Sun and a solution to this problem (Sun bug # 1028173) is available via a new version of sendmail supplied by Sun. The new sendmail is available directly from the Sun Answer Center (1-800-USA-4SUN). Sun 3 and Sun 4 sendmail binaries are also available via anonymous FTP from uunet.uu.net in the /sun-fixes directory. This incident underscores the need for system administrators to maintain an awareness of the steps their vendors are taking to improve the security aspects of their products, and to seriously consider upgrading system configurations when solutions to security problems are made available. Administrators of Sun systems are urged to contact Sun for the new version of the sendmail program. Administrators of machines other than Suns are urged to contact their vendors to verify that they are running the latest version of sendmail, since there may have been security related fixes to it in the past year. If you need further information on this problem, contact your Sun representative or CERT/CC. CERT/CC can be contacted by telephone at (412) 268-7090 (24 hours) or email to cert@cert.sei.cmu.edu (monitored daily). Our thanks to Matt Bishop and Wayne Cripps for their efforts in analyzing and investigating this problem and its solution. ------------------------------------------------------------------------ Date: Mon, 29 Jan 90 10:59:36 EST From: Gene Spafford Subject: Book Announcement [ Gene Spafford sent this to me with a question about whether it is appropriate material for the security list. I would not normally put book announcements in, but in this case I will gladly make an exception. - neil ] "Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats" by Eugene Spafford, Kathleen Heaphy, and David Ferbrache. 1989, 109 pages. Published by ADAPSO. The book has been written to be an accessible resource guide for computer users and managers (PC and mainframe). It presents a high-level discussion of computer viruses, explaining how they work, who writes them, and what they do. It is not intended to serve as a technical reference on viruses, both because the audience for such a work would be limited, and because such a reference might serve to aid potential virus authors. The goal of the book is to dispell some common myths about viruses (and worms, trojan horses, et. al.), and provide simple, effective suggestions for how to protect computer systems against these threats. It furthermore stresses that most systems face greater threats from other areas, so the proper attitude to take is to strengthen overall security; concrete suggestions for enhancing overall security are also presented. The appendices provide extensive references to other publications, security organizations, anti-viral software sources, applicable (U.S.) state and Federal laws against computer crime, and detailed descriptions of all IBM and Apple Macintosh viruses known as of 1 October 1989. Although written for ADAPSO members, almost any computer user should find it instructive. The appendices are an excellent source of further information, addresses and phone numbers, and pointers to software. At least one university professor has indicated he will use the book in a security course, and some law enforcement agencies are also considering using the book for instructional purposes. The authors are interested in comments and feedback about the book, especially in areas where information might be added. You can contact them by sending mail to "virus-book@cs.purdue.edu" Table of Contents: Preface Executive Summary Introduction Programmed Threats Definitions Damage Authors Entry Summary What is a Computer Virus? Names A History Lesson Formal Structure How do viruses spread? The three stages of a virus's life Replication strategies Recognizing a viral infection Dealing with Viruses Prevention Detection of a viral infection Recovery Summary Security A definition of security Security as a goal Risk assessment Some General Approaches Summary Legal Issues Criminal laws Civil suits Summary Attitudes Further Information on Viruses Characteristic lengths Names of Known Viruses Known IBM PC viruses by Characteristics Known Apple Macintosh Viruses Characteristic resources for Mac viruses Information on Anti-Viral Software Selected reviews of Anti-viral Software Easily obtained software Internet Archives Other Places to Look Further Information on Legal Aspects of Viruses Federal Laws State Laws Other Sources of Information Further Reading and Resources Organizations and Associations Government Agencies Journals and Newsletters Other Readings A copy can be ordered from ADAPSO 1300 North Seventeenth St. Suite 300 Arlington, VA 22209 USA Attn: Mr. John Gracza Single copies are $30. Copies ordered on university stationery or on stationery of ADAPSO member companies is only $20, and $16 for the second and subsequent copies. Requests for review copies or special considerations should be addressed directly to John Gracza. Copies have been given away to ADAPSO member companies, and various state and Federal law enforcement agencies, so check with others in your organization to see if a copy isn't already available for review. Overseas orders will be shipped surface mail. Overseas orders that are to be shipped air mail should include an additional $10 for postage. All payment should be in US dollars, no cash or stamps. ------------------------------------------------------------------------ End of Security Digest Volume 2 Issue 5 **********************