In This Issue:
- Bootable Disk
- Remote Explorer
- Palm III Key
- Government Cyber Corps
- TCP Wrappers Trojan
- Encryption Cracks Increasingly Easy
- Excel CALL Security Hole
- April 1 Bug Not a Joke
It wasn’t an error: there was no December newsletter last year. The season, some medical needs in the family (all turned out OK, thank you), and the need to completely revise and reformat three different web sites put the newsletter on the back burner, I’m afraid. I’m still working on one of the sites, but it hopefully will be under control by next month.
Now, on to the news…
Bootable Disk. I was reminded after the last newsletter that there is a second component to keeping your anti-virus program up to date. It’s not enough (in most cases) to get and install the update; you also have to create a new boot floppy disk to use in case a virus is found and you must reboot clean to, perhaps, get rid of a boot virus. Should that need arise, it’s very important to have a clean floppy boot disk with the latest anti-virus information on it. Because viruses hide in memory as well as on disk, the best way to get rid of them is to boot into a clean state so the anti-virus program can find the virus in storage without having to contend with interference from a copy of the virus in memory.
At least one anti-virus program sends a new boot disk with their update; most require you to create one. Please make certain you do so!
Remote Explorer. You may have heard about this virus which attacks Windows NT systems and was in the news for infecting MCI. While the reports have been extensive, it appears the virus is not. That does not mean you should not be vigilant; just don’t panic. What makes it unique is that it’s the first NT virus able to run as a service (a background process that runs even if nobody is logged on).
Remote Explorer attacks Windows NT systems (server and workstation) and spreads through the network environment. Other Windows systems can host infected files, but the virus will not activate on those systems. The virus is not particularly subtle. When infecting a file it compresses the file. It appears to pick a directory at random, infects and compresses the files it can, and encrypts the files it can’t. It also encrypts any text and HTML files it finds.
It’s a big virus (125K or so) and estimates are it contains some 50,000 lines of source code written in C. It uses a DLL and if you delete the DLL the virus will recreate it. It is memory resident and uses domain administrator security privileges. This allows it to move across the network (resulting in some people also calling it a worm).
A simple detection method for the current version of this virus would be to open the Services applet in the NT Control Panel. If “Remote Explorer” is listed as a service, you’ve got it.
By the time you read this anti-virus programs for NT will have posted a detection/repair fix for this virus. If you are running an NT system, get the update.
The truth is that ANY computer with an infrared port can be used in this fashion, and has been able to for years. Basically, the same software that lets these devices act as a universal TV remote control can also be used on car locks.
The hype aside: while it’s possible, it does not appear to have actually happened. But if someone is aiming their laptop at your car door, you might be a little bit suspicious.
Government Cyber Corps. Look out, the Government has awakened to the threat of computer cracking and plans to do something about it. That’s not necessarily bad, but in his announcement President Clinton opened much of his discussion with: “Open borders and revolutions in technology have spread the message and the gifts of freedom, but have also given new opportunities to freedom’s enemies.” I hate it when government employees talk about our hard-won freedoms in this way, as it’s an easy step from there to curtailing them (which is, right now, just something to watch for). So far, his programs, dubbed “Cyber Corps,” include specific initiatives for:
- Research to detect intruders.
- Actual intruder detection networks.
- Information centers for industry and government to work together.
- Funding for more government workers in the computer security field.
It’s interesting (and a bit ironic) that Clinton’s talk came just the day after the web site of the US Information Agency was cracked; the second time in six months.
On the positive side, Clinton did attempt to put the whole matter into perspective:
I have tried as hard as I can to create the right frame of mind in America for dealing with this…. For too long the problem has been that not enough has been done to recognize the threat and deal with it. And we in government, frankly, weren’t as well-organized as we should have been for too long.
I do not want the pendulum to swing the other way now, and for people to believe that every incident they read about in a novel or every incident they see in a thrilling movie is about to happen to them within the next 24 hours….
Computer security is an important matter that should be taken quite seriously by all parties. Just make certain it’s not implemented with a heavy government foot.
TCP Wrappers Trojan. A UNIX security program called TCP Wrappers was recently replaced by a Trojan version by crackers who broke into the main site housing the program. Some 52 sites downloaded the bad code from the original server, and these sites have all been notified; but since the original site and the 52 notified sites have mirrors, there is no way of knowing whether all bad copies were found, as some may have been downloaded before the bad code was replaced.
The Trojan version essentially added a backdoor into the UNIX computer it was installed on, making everything on that computer available to anyone who knew how to enter the back door. The software even helps by sending the attacker E-mail when the software is installed.
The bad version was only available for approximately 24 hours, around 20 January 1999. If you downloaded TCP Wrappers in the week or so surrounding that date, you probably should check further and make certain the version you have is a good one.
Encryption Cracks Increasingly Easy. As part of a masters thesis, a Duke University graduate student found that the encryption used to protect most private information on the internet (40-bit key) could be cracked fairly easily in an average of 3.75 hours using, in their case, a graphics computer called PixelFlow. The interesting thing is that this computer was not designed for cracking encryption.
Using brute force with a 40-bit key one would have to try 2 to the 40th power combinations to find all possible keys (that’s 1,099,511,627,776 different combinations). A UNIX password, on the other hand, has 5,132,188,731,375,620 possible combinations of letters, numbers or symbols. But, even that is usually not an impossible task since you don’t have to try all possibilities; just likely possibilities. Few people use really secure passwords.
So, if you want to keep your passwords and other encrypted materials more secure, make your passwords truly random and use the longest key allowed. As time marches on, encryption cracking is just going to get easier and easier.
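A worked version of these figures, added here as an example and not part of the newsletter: it derives the key-test rate implied by the 3.75-hour average, projects that rate onto the UNIX password space, and generates a truly random password with Python's secrets module. Reading the 5,132,188,731,375,620 figure as 92**8 (eight characters from a 92-symbol alphabet; the two agree to rounding) is my assumption.

```python
import math
import secrets
import string

# Figures quoted in the newsletter
KEYSPACE_40BIT = 2 ** 40           # 1,099,511,627,776 keys
PIXELFLOW_AVG_HOURS = 3.75         # reported average time for one 40-bit crack
UNIX_PASSWORD_KEYSPACE = 92 ** 8   # 5,132,188,731,375,616: 8 chars from 92 symbols (assumed reading)

# Alphabet for the random passwords generated below: 94 printable ASCII symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def implied_rate(keyspace, avg_hours):
    """Keys tried per second if half the keyspace (the average case) takes avg_hours."""
    return (keyspace / 2) / (avg_hours * 3600)


def average_crack_hours(keyspace, rate):
    """Average brute-force time in hours when every key is equally likely."""
    return (keyspace / 2) / rate / 3600


def bits_of_entropy(keyspace):
    """Equivalent key length in bits: 2**40 is 40 bits, 92**8 is about 52.2 bits."""
    return math.log2(keyspace)


def random_password(length, alphabet=ALPHABET):
    """Uniform choice from a CSPRNG, so the keyspace really is len(alphabet)**length."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = implied_rate(KEYSPACE_40BIT, PIXELFLOW_AVG_HOURS)
    print(f"PixelFlow implied rate: {rate:,.0f} keys/s")
    hours = average_crack_hours(UNIX_PASSWORD_KEYSPACE, rate)
    print(f"8-char UNIX password at that rate: {hours:,.0f} h (~{hours / 24 / 365:.1f} years), "
          f"{bits_of_entropy(UNIX_PASSWORD_KEYSPACE):.1f} bits")
    pw = random_password(12)
    space = len(ALPHABET) ** 12
    print(f"random 12-char password: {pw}; {bits_of_entropy(space):.1f} bits, "
          f"{average_crack_hours(space, rate) / 24 / 365:,.0f} years at the same rate")
```

The same machine would need roughly two years on average for one full 8-character search, which is why dictionary-style guessing of likely passwords, not exhaustive search, is the realistic risk.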
Excel CALL Security Hole. Early in January, Finjan, Inc. created something of a panic by reporting a security threat that can “expose your private files or data to theft or irreparable damage.” The threat involves the Microsoft Excel CALL function.
Under certain circumstances a user’s browser can be told to accept a spreadsheet file from the web. Control is then passed to the received file: Excel starts, and the CALL function is used to deliver malicious code.
While touted as the end of computing as we know it, the announcement turned out to be technically accurate but much less of a threat than advertised (indeed, Microsoft had already pointed out the problem some time back).
Just make certain applications don’t automatically run from the browser (something you should have already set if you read this newsletter for any length of time) and you’ll be fine.
Information of Interest
April 1 Bug Not a Joke. On 1 April 2001 some Windows applications may not know what time it is and think it’s an hour earlier. Programs sensitive to the clock (e.g., datebooks and the like) may record incorrect entries. The problem is located in the file MSVCRT.DLL which checks the start of daylight savings time. 1 April 2001 falls on a Sunday and fools the algorithm in that file, leading to a one-week delay in starting daylight savings time.
The problem is that many applications install their own copy of the DLL and use it instead of a system copy (I found four copies on my system, others have reported up to 10 copies).
Basically, the fix will be to replace the bad copy of the DLL, and this will have to be provided by the various software vendors. Do a search of your system, find all copies of MSVCRT.DLL and contact those vendors to see when they plan to replace the file and how you can get the replacement. (Don’t be surprised if you get “Huh???” as a response! But, keep after them.)
In closing: Keep alert – we’re at eleven months and counting down.