Computer underground Digest    Tue  Mar 25, 1997   Volume 9 : Issue 24
ISSN 1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.24 (Tue, Mar 25, 1997)

File 1--Coup-d-etat on the Internet around Usenet hierarchy ?
File 2--SANS Network Security Digest vol.1, No.2
File 3--Cu Digest Header Info (unchanged since 13 Dec, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Mon, 17 Mar 1997 10:25:05 -0500
From: Paul Kneisel
Subject: File 1--Coup-d-etat on the Internet around Usenet hierarchy ?

On Sun, 16 Mar 1997 23:54:39 GMT, tale@isc.org (David C Lawrence) <858556478.926@isc.org> wrote announcing the creation of a new meta-hierarchical group under the hierarchy.:

I, like many others, have not followed every discussion on as closely as I could have. But I do not recall reading or seeing any Request For Discussion document filed in or for the creation of such changes. Nor do I recall seeing any Call For Votes document for such a massive change in the hierarchy.

I certainly could have missed such RFDs and CFVs. But, assuming that I did not miss them because neither was ever issued, am I the only one to see in the sudden creation of a slippery slope of globally massive dimensions whereby the U.S. and inferentially other governments just launched an info-war coup-d-etat on UseNet in particular and the Internet in general?
[END TALLPAUL INSERT]

[BEGIN LAWRENCE INSERT]

Newsgroups--news.announce.newgroups,news.groups,news.admin.hierarchies
Subject--ANNOUNCE--GovNews gov.* hierarchy started for government information
Followup-To--news.admin.hierarchies
Message-ID--<858556478.926@isc.org>
Approved--newgroups-request@isc.org
Archive-Name--other.articles/govnews
Date--Sun, 16 Mar 1997 23:54:39 GMT
Lines--282

-----BEGIN PGP SIGNED MESSAGE-----

The GovNews hierarchy, gov.*, is a new framework for exchange of public information at all levels of government around the world via the Internet. It is a tool to improve communication to the government, from the government, and between various governmental bodies by providing both announcement channels and topical discussion groups.

Users can currently access the hierarchy via the NNTP server at news.govnews.org. Many major sites, including AOL, AT&T, BBN Planet, CompuServe, MCI, Sprint and UUNET, are also already carrying and feeding the initial set of gov.* newsgroups, and it is listed in .

The GovNews Project workers ask news administrators to please carry this new hierarchy at their own sites as their resources allow. The volume of the hierarchy is expected to be roughly that of comp.* or rec.* --- far less than that of alt.binaries.*, since the majority of traffic will be non-binary messages.

This message contains all the information news administrators need to create the hierarchy at their own sites. Below is the PGP information (see ) for gov.* control messages. Following it is a list of the initial set of newsgroups for gov.*, with their descriptions. It is suitable for input to INN's "docheckgroups" or C News's "checkgroups" scripts, or can be suitably massaged on other systems to generate the list of groups to add. Please note that many are moderated.

Additional information about the GovNews Project can be found at .

Thank you for your interest.
Control message PGP Signing Information:

Control message sender--gov-usenet-announce-moderator@govnews.org
Key User ID--gov.usenet.announce
Administrative group--gov.usenet.announce

Check also:
+ http://www.govnews.org/govnews/site-setup/gov.pgpkeys
+ pgp-public-keys@pgp.ai.mit.edu ("Subject--GET 0x7FFD7855", empty body)

Thus, INN's control.ctl file would have lines like these:

newgroup:gov-usenet-announce-moderator@govnews.org:gov.*:verify-gov.usenet.announce
rmgroup:gov-usenet-announce-moderator@govnews.org:gov.*:verify-gov.usenet.announce
checkgroups:gov-usenet-announce-moderator@govnews.org:gov.*:verify-gov.usenet.announce

Newsgroups file lines:

gov.org.admin.financenet FinanceNet - information on public financial management. (Moderated)
gov.org.g7.announce Announcements on G7 activities. (Moderated)
gov.org.g7.environment G7 Environment and Natural Resources Project. (Moderated)
gov.org.g7.misc General G7 related discussions. (Moderated)
gov.topic.admin.finance.accounting Public accounting. (Moderated)
gov.topic.admin.finance.asset-liab-mgt Asset-liability management. (Moderated)
gov.topic.admin.finance.audits Financial audits of government agencies. (Moderated)
gov.topic.admin.finance.budgeting Appropriations and budgeting management. (Moderated)
gov.topic.admin.finance.calendar Calendar of public finance events. (Moderated)
gov.topic.admin.finance.int-controls Internal financial controls. (Moderated)
gov.topic.admin.finance.misc General public finance topics. (Moderated)
gov.topic.admin.finance.municipalities Municipal financial issues. (Moderated)
gov.topic.admin.finance.news General government finance news. (Moderated)
gov.topic.admin.finance.payroll Government payroll issues. (Moderated)
gov.topic.admin.finance.perf-measures Financial performance measures. (Moderated)
gov.topic.admin.finance.policy Government financial policy. (Moderated)
gov.topic.admin.finance.procurement Procurement management. (Moderated)
gov.topic.admin.finance.reporting Financial statements & reporting. (Moderated)
gov.topic.admin.finance.state-county State and county financial issues. (Moderated)
gov.topic.admin.finance.systems Financial software and hardware systems. (Moderated)
gov.topic.admin.finance.training Financial personnel & training. (Moderated)
gov.topic.admin.finance.travel-admin Travel administration. (Moderated)
gov.topic.admin.privatization Privatization of government, Public/Private partnerships. (Moderated)
gov.topic.finance.banks Banking, monetary supply, currency exchange. (Moderated)
gov.topic.finance.securities Securities, commodity futures, etc. (Moderated)
gov.topic.forsale.misc Miscellaneous government asset sales. (Moderated)
gov.topic.info.systems.epub Government use of electronic publishing. (Moderated)
gov.topic.info.systems.year2000 Accomodating dates after the year 2000.
gov.topic.telecom.announce Telecommunications related announcements. (Moderated)
gov.topic.telecom.misc Telecommunications- telephone, radio, TV, Internet. (Moderated)
gov.topic.transport.air Aviation, aircraft, travel by air. (Moderated)
gov.topic.transport.misc General international transportation. (Moderated)
gov.topic.transport.navigation Navigation systems. (Moderated)
gov.topic.transport.rail Railroad transportation. (Moderated)
gov.topic.transport.road Transportation over roads, auto safety, mass transit. (Moderated)
gov.topic.transport.shipping International shipping and package delivery. (Moderated)
gov.topic.transport.water Maritime related issues, transportation over water. (Moderated)
gov.us.fed.cia.announce Central Intelligence Agency announcements. (Moderated)
gov.us.fed.congress.announce Announcements about Congress. (Moderated)
gov.us.fed.congress.bills.house Bill text from the House. (Moderated)
gov.us.fed.congress.bills.senate Bill text from the Senate. (Moderated)
gov.us.fed.congress.calendar.house House calendar of activities. (Moderated)
gov.us.fed.congress.calendar.senate Senate calendar of activities. (Moderated)
gov.us.fed.congress.discuss Followup discussions on Congress. (Moderated)
gov.us.fed.congress.documents Congressional documents. (Moderated)
gov.us.fed.congress.gao.announce Announcements about the Government Accounting Office. (Moderated)
gov.us.fed.congress.gao.decisions Decisions from the Comptroller General. (Moderated)
gov.us.fed.congress.gao.discuss Discussion on the Government Accounting Office. (Moderated)
gov.us.fed.congress.gao.reports Reports from the Government Accounting Office. (Moderated)
gov.us.fed.congress.record.digest Digest from the Congressional Record. (Moderated)
gov.us.fed.congress.record.extensions Extension of remarks in the Congressional Record. (Moderated)
gov.us.fed.congress.record.house House pages from the Congressional Record. (Moderated)
gov.us.fed.congress.record.index Index to the Congressional Record. (Moderated)
gov.us.fed.congress.record.senate Senate pages from the Congressional Record. (Moderated)
gov.us.fed.congress.reports Congressional reports. (Moderated)
gov.us.fed.courts.announce U.S. Courts announcements. (Moderated)
gov.us.fed.dhhs.announce Department of Health and Human Services announcements. (Moderated)
gov.us.fed.dhhs.fda.announce Food and Drug Administration announcements. (Moderated)
gov.us.fed.dhhs.ssa.announce Social Security Administration announcements. (Moderated)
gov.us.fed.doc.announce Department of Commerce announcements. (Moderated)
gov.us.fed.doc.cbd.awards Contract awards in Commerce Business Daily. (Moderated)
gov.us.fed.doc.cbd.forsale Surplus Property Sales in Commerce Business Daily. (Moderated)
gov.us.fed.doc.cbd.notices General notices in Commerce Business Daily. (Moderated)
gov.us.fed.doc.cbd.solicitations Procurement solicitation in Commerce Business Daily. (Moderated)
gov.us.fed.doc.cbd.standards Foreign standards notices in Commerce Business Daily. (Moderated)
gov.us.fed.doc.census.announce Census Bureau announcements. (Moderated)
gov.us.fed.doc.noaa.announce National Oceanic and Atmospheric Administration announcements. (Moderated)
gov.us.fed.dod.announce Department of Defense announcements. (Moderated)
gov.us.fed.dod.army.announce Department of the Army announcements. (Moderated)
gov.us.fed.dod.navy.announce Department of the Navy announcements. (Moderated)
gov.us.fed.dod.usaf.announce Department of the Air Force announcements. (Moderated)
gov.us.fed.doe.announce Department of Energy announcements. (Moderated)
gov.us.fed.doi.announce Department of the Interior announcements. (Moderated)
gov.us.fed.doj.announce Department of Justice announcements. (Moderated)
gov.us.fed.dol.announce Department of Labor announcements. (Moderated)
gov.us.fed.dot.announce Department of Transportation announcements. (Moderated)
gov.us.fed.dot.faa.announce Federal Aviation Administration announcements. (Moderated)
gov.us.fed.dot.nhtsa.announce National Highway Traffic Safety Administration announcements. (Moderated)
gov.us.fed.dot.uscg.announce United States Coast Guard announcements. (Moderated)
gov.us.fed.ed.announce Department of Education announcements. (Moderated)
gov.us.fed.eop.announce Executive Office of the President announcements. (Moderated)
gov.us.fed.eop.white-house.announce The President and White House Staff announcements. (Moderated)
gov.us.fed.epa.announce Environmental Protection Agency announcements. (Moderated)
gov.us.fed.fcc.announce Federal Communications Commission announcements. (Moderated)
gov.us.fed.fdic.announce Federal Deposit Insurance Corporation announcements. (Moderated)
gov.us.fed.fema.announce Federal Emergency Management Agency announcements. (Moderated)
gov.us.fed.ferc.announce Federal Energy Regulatory Commission announcements. (Moderated)
gov.us.fed.fmc.announce Federal Maritime Commission announcements. (Moderated)
gov.us.fed.frs.announce Federal Reserve System announcements. (Moderated)
gov.us.fed.gsa.announce General Services Administration announcements. (Moderated)
gov.us.fed.hud.announce Department of Housing and Urban Development announcements. (Moderated)
gov.us.fed.nara.announce National Archives and Records Administration announcements. (Moderated)
gov.us.fed.nara.fed-register.announce Announcements about the Federal Register. (Moderated)
gov.us.fed.nara.fed-register.authoring Discussion for Federal Register authors. (Moderated)
gov.us.fed.nara.fed-register.contents Contents and Indexes of the Federal Register. (Moderated)
gov.us.fed.nara.fed-register.corrections Corrections in the Federal Register. (Moderated)
gov.us.fed.nara.fed-register.notices Notices in the Federal Register. (Moderated)
gov.us.fed.nara.fed-register.presidential Presidential Documents in the Federal Register. (Moderated)
gov.us.fed.nara.fed-register.proposed-rules Proposed Regulations in the Federal Register. (Moderated)
gov.us.fed.nara.fed-register.rules Rules and Regulations in the Federal Register. (Moderated)
gov.us.fed.nasa.announce National Aeronautics and Space Administration announcements. (Moderated)
gov.us.fed.nasa.ksc.announce NASA Kennedy Space Center specific announcements. (Moderated)
gov.us.fed.nrc.announce Nuclear Regulatory Commission announcements. (Moderated)
gov.us.fed.nsf.announce National Science Foundation announcements. (Moderated)
gov.us.fed.nsf.documents National Science Foundation documents. (Moderated)
gov.us.fed.nsf.grants National Science Foundation grant information. (Moderated)
gov.us.fed.opm.announce Office of Personnel Management announcements. (Moderated)
gov.us.fed.sba.announce Small Business Administration announcements. (Moderated)
gov.us.fed.sec.announce Securities and Exchange Commission announcements. (Moderated)
gov.us.fed.state.announce Department of State announcements. (Moderated)
gov.us.fed.treasury.announce Department of the Treasury announcements. (Moderated)
gov.us.fed.treasury.irs.announce Internal Revenue Service announcements. (Moderated)
gov.us.fed.usaid.announce US Agency for International Development, IDCA, OPIC. (Moderated)
gov.us.fed.usaid.pib USAID Procurement Information Bulletin. (Moderated)
gov.us.fed.usda.announce Department of Agriculture announcements. (Moderated)
gov.us.fed.va.announce Department of Veterans Affairs announcements. (Moderated)
gov.us.org.admin.aga Association of Government Accountants. (Moderated)
gov.us.org.admin.fasab Federal Accounting Standards Advisory Board. (Moderated)
gov.us.org.admin.gfoa Government Finance Officers Association. (Moderated)
gov.us.org.info.ace Americans Communicating Electronically. (Moderated)
gov.us.org.info.ala American Library Association. (Moderated)
gov.us.topic.agri.farms Farming- growing crops, raising livestock. (Moderated)
gov.us.topic.agri.food Food production and distribution, nutrition of food. (Moderated)
gov.us.topic.agri.misc General agricultural issues. (Moderated)
gov.us.topic.agri.statistics Detailed statistics on crop, livestock, and food production. (Moderated)
gov.us.topic.ecommerce.announce Government electronic commerce infrastructure announcements. (Moderated)
gov.us.topic.ecommerce.misc Discussions concerning government electronic commerce. (Moderated)
gov.us.topic.ecommerce.standards Standards for government electronic commerce. (Moderated)
gov.us.topic.emergency.alerts Important bulletins for immediate broadcasting. (Moderated)
gov.us.topic.emergency.misc Natural disasters, recovery, prevention. (Moderated)
gov.us.topic.energy.misc Generation and delivery of energy. (Moderated)
gov.us.topic.energy.nuclear Nuclear power and radioactive materials. (Moderated)
gov.us.topic.energy.utilities Regulated utilities providing gas and electricity. (Moderated)
gov.us.topic.environment.air Air quality, ozone, greenhouse gases, noise. (Moderated)
gov.us.topic.environment.announce Announcements on environmental protection. (Moderated)
gov.us.topic.environment.misc General environmental protection. (Moderated)
gov.us.topic.environment.toxics Hazardous material use, disposal, cleanup. (Moderated)
gov.us.topic.environment.waste Waste disposal, recycling. (Moderated)
gov.us.topic.environment.water Water issues--drinking, irrigation, sewage. (Moderated)
gov.us.topic.finance.banks Banking, monetary supply, currency exchange. (Moderated)
gov.us.topic.finance.securities Securities, commodity futures, etc.. (Moderated)
gov.us.topic.foreign.news Selected news media reports from outside the US. (Moderated)
gov.us.topic.foreign.trade.leads Information on trade opportunities collected by US governments. (Moderated)
gov.us.topic.foreign.trade.misc Issues involving foreign trade, importation, customs. (Moderated)
gov.us.topic.foreign.trade.statistics Detailed statistical reports on import/exports. (Moderated)
gov.us.topic.gov-jobs.employee.issues Discussions on government employee issues. (Moderated)
gov.us.topic.gov-jobs.employee.news News of interest to government employees. (Moderated)
gov.us.topic.gov-jobs.hr-admin Human Resources administration. (Moderated)
gov.us.topic.gov-jobs.offered.admin Administrative job opportunities in government. (Moderated)
gov.us.topic.gov-jobs.offered.admin.finance Jobs in public financial management. (Moderated)
gov.us.topic.gov-jobs.offered.admin.ses Senior Executive Service job opportunity. (Moderated)
gov.us.topic.gov-jobs.offered.announce Announcements on job hunting in government. (Moderated)
gov.us.topic.gov-jobs.offered.clerical Clerical job opportunities in government. (Moderated)
gov.us.topic.gov-jobs.offered.engineering Engineering related job opportunities in government. (Moderated)
gov.us.topic.gov-jobs.offered.foreign Federal job opportunities located outside the US. (Moderated)
gov.us.topic.gov-jobs.offered.health Medical and health related job opportunities in government. (Moderated)
gov.us.topic.gov-jobs.offered.law-enforce Law enforcement job opportunities in government. (Moderated)
gov.us.topic.gov-jobs.offered.math-comp Math and computer related job opportunities in government. (Moderated)
gov.us.topic.gov-jobs.offered.misc Unclassified public sector job opportunities. (Moderated)
gov.us.topic.gov-jobs.offered.questions Questions and answers on job hunting in government. (Moderated)
gov.us.topic.gov-jobs.offered.science Physical sciences job opportunities in government. (Moderated)
gov.us.topic.gov-jobs.offered.technical Technical job opportunities in government. (Moderated)
gov.us.topic.grants.research Grant opportunities for research. (Moderated)
gov.us.topic.info.abstracts.cdrom Abstracts of new CD-ROM releases. (Moderated)
gov.us.topic.info.abstracts.epub Abstracts of new publications available electronically. (Moderated)
gov.us.topic.info.abstracts.infosystems Abstracts of new online systems and services. (Moderated)
gov.us.topic.info.abstracts.print Abstracts of new publications available in hard copy. (Moderated)
gov.us.topic.info.libraries.govdocs Government documents libraries. (Moderated)
gov.us.topic.info.libraries.technology Library information technology discussion. (Moderated)
gov.us.topic.info.policy.announce Announcements on government information policy. (Moderated)
gov.us.topic.info.policy.misc Discussions on government information policy. (Moderated)
gov.us.topic.law.pub-contract Lawyers discuss Federal public contract law. (Moderated)
gov.us.topic.nat-resources.forests Forestry, logging and wood production. (Moderated)
gov.us.topic.nat-resources.land Other uses of public land, e.g. grazing, wetlands, watershed. (Moderated)
gov.us.topic.nat-resources.marine Fishing, aquaculture, marine sanctuaries. (Moderated)
gov.us.topic.nat-resources.minerals Extraction and transportation of minerals. (Moderated)
gov.us.topic.nat-resources.oil-gas Extraction and transportation of oil and gas. (Moderated)
gov.us.topic.nat-resources.parks Public land for recreation & tourism, museums. (Moderated)
gov.us.topic.nat-resources.wildlife Wildlife management, hunting. (Moderated)
gov.us.topic.statistics.announce Brief announcements on economic and demographic statistics. (Moderated)
gov.us.topic.statistics.reports Detailed reports on economic and demographic statistics. (Moderated)
gov.us.topic.telecom.announce Announcements on general telecom policy issues. (Moderated)
gov.us.topic.telecom.misc Discussion on general telecom policy issues. (Moderated)
gov.us.topic.transport.air Aviation, aircraft, travel by air. (Moderated)
gov.us.topic.transport.misc General transportation in the US. (Moderated)
gov.us.topic.transport.rail Railroad transportation. (Moderated)
gov.us.topic.transport.road Transportation over roads, auto safety, mass transit. (Moderated)
gov.us.topic.transport.shipping International shipping and package delivery. (Moderated)
gov.us.topic.transport.water Maritime related issues, transportation over water. (Moderated)
gov.us.usenet.admin Discussion of gov.us news admin.
gov.us.usenet.announce Admin announcements. (Moderated)
gov.us.usenet.answers FAQs and periodic articles. (Moderated)
gov.us.usenet.control Control messages for US gov newsgroup changes. (Moderated)
gov.us.usenet.groups Discussion of gov.us management.
gov.us.usenet.lists News related statistics and lists. (Moderated)
gov.us.usenet.questions Q & A for users new to gov.us newsgroups.
gov.us.usenet.software Discuss gov.us specific software.
gov.us.usenet.test Use in testing news software setups.
gov.usenet.admin Discussion of gov news admininstration.
gov.usenet.announce Admin announcements. (Moderated)
gov.usenet.answers FAQs and periodic articles. (Moderated)
gov.usenet.control Control messages for top gov newsgroup changes. (Moderated)
gov.usenet.groups Discussion of gov hierarchy management.
gov.usenet.lists News related statistics and lists. (Moderated)
gov.usenet.questions Q & A for users new to gov newsgroups.
gov.usenet.software Discuss gov news specific software.
gov.usenet.test Use in testing news software setups.

-----BEGIN PGP SIGNATURE-----
Version--2.6.2

iQCVAwUBMythp40r1Dwz5C7pAQH7DgQAn5gXkWrMohbh8BrNkhSyO8CIHDhhdmwz
8LltFPw6Yl3sbQo/yeMKk6FYCFxjkbJV4vmmEtC3Vdbbv72/MObT2IxbFByjSIWP
SOBhY15ICPvdAR+OElkH5cpabsdfuiOkoL1J8bacBRBhhxIMWXQPsSbMgJbVULgW
D4AV6M562B8=
=NN77
-----END PGP SIGNATURE-----

[END LAWRENCE INSERT]

------------------------------

Date: Sun, 16 Mar 1997 22:50:55 -0500 (EST)
From: SANS'96 Conference Office
Subject: File 2--SANS Network Security Digest vol.1, No.2

The SANS Network Security Digest
Contributing Editors: Michele Crabb, Matt Bishop, Rob Kolstad, Marcus Ranum, Gene Schultz
--A Resource for Computer and Network Security Professionals---

CONTENTS

1) BUFFER OVERFLOW BUG DISCOVERED IN RLOGIN
2) LAYMAN's EXPLANATION OF BUFFER OVERFLOW
3) YASB - YET ANOTHER SENDMAIL BUG
4) SERIOUS BUG IN WU-FTPD V2.4
5) TWO NEW NT SECURITY MAILING LISTS GO ONLINE
6) VULNERABILITY DISCOVERED IN NT RPC CODE
7) COPS V1.04 STILL MOST POPULAR HOST-BASED AUDITING TOOL
8) MACRO VIRUS PROBLEM CONTINUES TO GROW
9) MICROSOFT'S MACRO VIRUS PROTECTION TOOL (MVTOOL): AV OR PR?
10) THE NEVER-ENDING HOAX VIRUSES

NON NEWS:
11) RECOMMENDATIONS PLEASE: MOST USEFUL COMMERCIAL TOOLS?
---------------------------------------------------------------

1) BUFFER OVERFLOW BUG DISCOVERED IN RLOGIN

Yet another program has fallen victim to the buffer overflow vulnerability family. This vulnerability allows a user with access to an account on the host to potentially overrun a buffer and possibly execute programs as root on the local machine. Patches are available from some vendors and CERT has provided a wrapper program as a workaround. For more information, see

---------------------------------------------------------------

2) A LAYMAN's EXPLANATION OF BUFFER OVERFLOW

Stack and buffer overflows? Still wondering what it all means? Security vulnerabilities resulting from buffer overflow problems are very common today. To see how common, see Aleph One's "Smashing the Stack for Fun and Profit." It's a layman's explanation of the inner workings of buffer overflow problems. The article is located at:

Recent victim programs of the buffer overflow problem include: sendmail, gethostbyname, syslog, Linux/FreeBSD mount, and rlogin.

---------------------------------------------------------------

3) YASB - YET ANOTHER SENDMAIL BUG

A new vulnerability concerning a buffer overflow in the MIME section of code has been discovered in Sendmail versions 8.8.3 and 8.8.4. This vulnerability allows an external attacker to possibly gain access to a local host. Version 8.8.5 corrects this bug and several others found in earlier versions. It's available at:

Vendor patches for their versions of sendmail are available from many of the vendors. Refer to the CERT advisory located at:

Those of you who are unable to upgrade to the latest version or cannot install the vendor patch right away will find a useful workaround described in that CERT Advisory.
---------------------------------------------------------------

4) SERIOUS BUG IN WU-FTPD V2.4

A new, potentially serious flaw was discovered in the wu-ftpd code. The flaw is present in version 2.4 as well as in the version available from Academ. The problem has been corrected in the Academ version 2.4.2-beta-12. The vulnerability may allow regular and anonymous users to access files on your ftp server as root. The problem lies in the signal handling section of the code. An advisory sent out by AUSCERT on 1/29/97 advises that this particular bug may also be present in some vendor versions as well. For more information, refer to the AUSCERT advisory at:

---------------------------------------------------------------

5) TWO NEW NT SECURITY MAILING LISTS GO ONLINE

Has your beloved desktop UNIX box been replaced with an NT? Are you concerned about what security problems may be lurking on this new platform? Two new NT security discussion mail lists may help you find all the answers you seek.

The first, NTbugtraq, was created in the spirit of the bugtraq mailing list. To subscribe, send a message to Listserv@rc.on.ca with "SUB NTBUGTRAQ Your Name" in the text.

The second, hosted by ISS, is called ntsecurity. To subscribe, send email to request-ntsecurity@iss.net and in the text put "subscribe ntsecurity".

---------------------------------------------------------------

6) VULNERABILITY DISCOVERED IN NT RPC CODE

While we are discussing NT, does your new Pentium Pro 200MHZ processor running NT seem v e r y s l o w . . . ? Perhaps the RPC services running on your workstation have been confused and are consuming all the CPU resources. Recent postings to the NT security mailing lists discuss how RPC services running on NT (3.51 and 4.0) can be confused by a simple telnet to TCP port 135 and typing more than 15 characters.
Microsoft has a patch for the problem. Refer to:

---------------------------------------------------------------

7) COPS V1.04 STILL MOST POPULAR HOST-BASED AUDITING TOOL

COPS is a UNIX security toolkit that analyzes your system security. COPS version 1.04 still leads the charge for testing system integrity and vulnerability level. Despite being several years old, COPS continues to be an excellent public domain product for examining group and password files, root environment and system setup, user home directories, important system configuration files, ftp setup and several miscellaneous problems. If you are already using COPS, then you are well aware of the benefits provided. If you are not yet using COPS, it makes sense to at least try it out. You can find it at:

COPS is one of many tools described in Matt Bishop's latest course on security tools which he will present at SANS97 in April. See for more information.

---------------------------------------------------------------

8) MACRO VIRUS PROBLEM CONTINUES TO GROW

The remorseless rise of the macro virus continues. The latest Macro Virus List published by the Virus Test Centre at the University of Hamburg lists 205 viruses, most of which are Word viruses. The list also includes ten Trojan Horses (malicious programs which don't replicate) and five macro virus generators (programs which allow the wannabe virus coder to 'create' viruses without the hassle of actual programming). The list is located at:

The December WildList reports more than twenty macro viruses as being in the wild. Another twenty or so made the Supplemental List. The WildList gives some idea of which viruses are actually in the wild by tracking virus incidents reported by at least two of the 45 virus information professionals who participate in the list.
The Supplemental List includes viruses which only one of these professionals has reported. The most common reports are of WM.Concept.A (the original 'prank macro'), WM.Wazzu.A, and the comparatively recent NPad (Jakarta). The Wildlist also provides a listing of the most frequently reported viruses (those reported by at least one-third of the 45 participants). You can find the December Wildlist at two locations:

---------------------------------------------------------------

9) Microsoft's Macro Virus Protection Tool (MVTOOL): AV or PR?

Microsoft's ScanProt protection tool (a collection of WordBasic macros) is frequently recommended as a prophylactic against macro viruses. However, MVTOOL's capabilities should not be overestimated. The primary purpose of the tool is to alert users to the existence of macros in their documents.

- It actually recognizes only the original Concept virus (WM.Concept.A). It can clean Concept, but is liable to crash if it encounters too many infected files.
- Though other viruses are mentioned in the README.DOC which accompanies the protection tool, the others are not specifically recognized now and may never be.

It's best to supplement MVTOOL by purchasing one of the many anti-virus utilities such as F-Prot Professional or VirusScan. For more information on MVTOOL see:

---------------------------------------------------------------

10) THE NEVER-ENDING HOAX VIRUSES

Hoax alerts are becoming an increasing drain on corporate resources. As more companies implement effective virus-control strategies, most viruses are being detected at the point of entry. Security professionals increasingly find themselves spending more time on hoaxes, jokes and erroneous alerts than on 'real' virus incidents.
Many hoax alerts are variations on the infamous 'Good Times' virus - for instance Deeyenda, PenPal Greetings, and Irina are all fairly easily identified, even by the technically challenged, by symptoms such as a surfeit of capital letters and exclamation marks, citing of unlikely authorities such as the FCC, and urgings to forward the alert to as many people as possible.

While it is easy enough to circulate details of known hoaxes, it gets harder to tell non-experts how to recognize a new hoax as they become more numerous and ingenious. Two suggestions:

(1) Refer all alerts to a security professional with the contacts and experience to verify them, or the will to acquire the experience.
(2) Make it a matter of policy that users don't forward alerts without having them verified.

Newbie hoax-watchers are advised to keep an eye on the following web sites:

http://ciac.llnl.gov/ciac/CIACHoaxes.html
http://www.kumite.com/myths/
http://www.datafellows.com/
http://www.drsolomon.com/

NON-NEWS:

11) RECOMMENDATIONS PLEASE: MOST USEFUL COMMERCIAL TOOLS?

We've persuaded the leading vendors in several categories to show their newest offerings at SANS (O'Reilly for books; Axent for access control; Syntax for network integration of UNIX, Netware, NT and Mac; ESM for name space management for intranets; Auspex and Falcon for very fast NFS Servers; and PDC for backup, plus a bunch more.) Nine spots are left, and we want to reserve them for organizations that are leaders in other useful categories or for innovative small companies on the East Coast. If you have an opinion about candidates in either category, please email alanpaller@aol.com, with your suggestion and an explanation of why their product is important enough to be in the SANS97 exhibits.

====================================================================

Subscription deadline: March 31, 1997 - If you have a forwarded copy, please register before then.
The SANS Network Security Digest is published eight times per year as a service to those who attend SANS and the Network Security conferences. Others may subscribe, as well. (Current registered subscriber base is 6,437)

To subscribe, send email to sans@clark.net with 'Subscribe Network Security Digest your name' in the first line of text or in the subject line. Subscriptions (running through Dec. 1998) are free for those who subscribe before March 31, 1997. After that date, subscriptions cost $80/year for those who do not attend SANS or Network Security.

This issue is the last one that may be freely copied and re-distributed. Please subscribe if your copy did not come directly from SANS.

------------------------------

Date: Thu, 15 Dec 1996 22:51:01 CST
From: CuD Moderators
Subject: File 3--Cu Digest Header Info (unchanged since 13 Dec, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.
To UNSUB, send a one-line message:

UNSUB CU-DIGEST

Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.

In ITALY: ZERO! BBS: +39-11-6507540
In LUXEMBOURG: ComNet BBS: +352-466893

UNITED STATES:
  etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE:
  nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #9.24
************************************