Computer Knowledge Newsletter – July 1998 Issue

In This Issue:

Virus News

Win98 HPS Virus. You may hear about a “new” Win98 virus called HPS. The press was touting it as the first Windows 98 virus, released even before Windows 98. Not to fear; the virus is not known in the wild and is really nothing more than an updated Windows 95 virus; indeed, the HPS virus will run just fine under Windows 95. So, HPS is not much of a worry; but, keep those anti-virus programs up to date as the threat has not stopped.

CCIH Virus. First found in the wild in June in Taiwan, the CCIH virus infects Portable Executable (PE) files by installing itself into memory where it then infects EXE files as they are opened. The virus stores itself into unused area within PE files (such areas are normal in PE files). The virus is flexible enough to either store its entire length in a single area (if one sufficiently large is found) or, if necessary, it will split itself up into several areas. The virus has some bugs and now and again will render a PE file unusable after infection.

On the trigger date (so far the 26th of April or 26th of any month depending on the variant) the virus attempts to overwrite any Flash-RAM BIOS it finds with garbage. This may or may not work with any particular system as some Flash BIOSes are protected with a DIP switch and others may not use the same access ports as the virus. The virus then uses direct disk access calls to overwrite the MBR and boot sectors on all installed hard drives.

As always, please keep your anti-virus programs up to date.

Death Threat Hoax. Not exactly a virus, but a death threat spam affected some users in early July. The E-mail message, which comes from an America Online return address, reads as follows: “Hello, my name is Andy. I know where you live and I know where your kids sleep. If you dont [sic] call me within 24 hours im [sic] going to kill your kids.” It lists a phone number and adds: “P.S. This is NOT a joke.”

The account the message was sent from has been disconnected and the matter is under investigation by authorities.

General Security

Survival Guide. The Sans Institute (http://www.sans.org/Web Link) has just issued a survival guide relating to hacker attacks. The guide was compiled by computer security professionals from over 50 companies and organizations. The guide is not free (and Computer Knowledge has not looked at it) but the announcement makes it sound like an interesting 44-page work. At a minimum, the Sans Institute has a free monthly E-mail digest on security issues you might want to sign up for.

Internet Commerce Cracked. Vendors have been scrambling to fix a hole discovered in the encryption code used on secure web sites. Discovered by the folks at Lucent Technologies (Bell Labs), the bug, in theory, would allow a hacker to access any of the information presumed secure on any of the web sites that indicate they are secure in your browser. (Note, that the bug was discovered in a lab under controlled conditions and has not been observed being used on the internet so don’t panic just yet.)

Basically, the technique used to find the bug was to send messages with known errors to servers and then to observe the error messages. One of the primary keys to making decryption easier is to have known plaintext. Since the error messages were known, the code breaker was given important information toward breaking the code for all messages. (Again, don’t panic. Using this method requires about a million special messages to be sent along with a connection to the internet that allows screening of other traffic; one good reason this works in the lab, but would be difficult on the internet.)

Server software makers have developed patches against this hole and no browser updates are needed.

If you want the gory details, see the RSA web site:

http://www.rsa.com/rsalabs/pkcs1/index.htmlWeb Link

56-bit DES Cracked. The 56-bit Data Encryption Standard, long thought to be a basic minimum length to avoid easy cracking (the US only allows 40-bit to be exported) as been cracked in a 3-day effort by a regular personal computer with custom chips added (39-days was the prior record). The cracked message was part of a contest run by RSA and the winner received $10,000. The plaintext message read: It’s time for those 128-, 192-, and 256-bit keys.

Word98 Mac File Security Problem. MacWeek reports that Word98 documents can contain hidden data from a user’s hard disk. Basically, the Macintosh Operating System does not clear a sector when a file is deleted and Word98 does not clear a sector before saving to it. Because of the way files are saved, any data remaining in the sector (but not originally part of the Word document) will be attached to the Word document. This might be anything: important or junk. If that Word document is then shared with another person, the spurious information is sent right along with it and can be accessed by the receiving person.

Be aware of the problem, consider using an overwriting delete program for important files, and/or consider storing Word98 files on their own volume to keep junk from being attached to them.

MS Internet Info Server Bug. Users of Microsoft’s Internet Information Server 4.0, Remote Data Services 1.5, and Visual Studio 6.0 development tool packages should check the Microsoft site for a bulletin regarding the possibility of a user gaining access to data stored in Microsoft SQL Server and Access databases. The bug may also bring the server down or affect its performance. See:

http://www.microsoft.com/security/bulletins/ms98-004.htmWeb Link

Netscape Java Security Hole. Java, a method of transmitting executable code attached to a web page, is supposed to operate according to strict security rules that allow certain Java code pieces (objects) to only access certain system operations. In effect, Java code is supposed to run in a sandbox and not be allowed access to the computer it’s running on; at least not access that would be harmful to that computer. The security flaw just found would allow a malicious class loader (Java code that puts Java units together) to confuse the main Java virtual machine running the code into thinking some objects are different than they really are, giving them privileges they should not have; effectively disabling the whole security mechanism.

Netscape has patched their beta release of Communicator 4.5 and will be posting a patched revision of the 4.0x browser in a few weeks. The hole is hard to access and it’s unlikely any apps have been released that take advantage of it.

Information of Interest

Y2K. We’ve mentioned the Year2000 problem many times here and it continues to be a potential problem if not kept after. But, on the bright side, it would appear that it is being kept after by many who matter. Recent tests by various stock exchange companies, as one example, passed a simulated Y2K changeover without a single lost bit or fouled up transaction. Expect problems since there is so much bad code out there it simply won’t be possible to fix everything in time; but, in all probability the world won’t end or the nation’s economy collapse on 1/1/2000 as some continue to predict. (Would you believe some Americans are stockpiling food and water, buying guns and ammunition, and heading for the hills because of a predicted economic collapse? — They are.)

And, to keep you on your toes, here are some of the related Y2K problems that won’t take place on exactly 1/1/2000:

  • April 9, 1999 and September 9, 1999 both can be represented as 9999 in internal records (4/9/99 is the 99th day of 1999 and 9/9/99 speaks for itself). In many languages, 9999 signals an end-of-file which can cause problems if the file is not supposed to end.
  • February 29, 2000 exists. If software does not recognize the 400-year exception it will ignore that date.
  • January 10, 2000 requires seven digits (1/10/2000) and October 10, 2000 requires eight digits (10/10/2000). A program may not have left enough space in the datafile for these longer dates.

Finally, another Y2K page you might want to visit is maintained by Mitre:

[Link 404]

Screen Names May Not Shield You. Many users make up screen names thinking that they can hide behind those names when posting to on-line services. Hiding behind these names, some users have posted misinformation and attacks on businesses and other users. This may not be enough an longer.

In Canada, ISPs (including America Online, CompuServe, and PSINet) have been served with court orders forcing them to reveal the names of members who posted messages that allegedly disparaged the Canadian waste recycling firm Philip Services Corporation. The case is making its way through a US court before the US companies will have to comply.

We’ve told you before this sort of thing was coming. If upheld in the US court you can expect it to suddenly blossom since the majority of internet users are still in the US. (A more recent US case has caused AOL to release the real identity of a user accused of defaming a different company.)

HD-Rosetta. Archival storage may be taking another step with the HD-Rosetta product from Norsam Technologies (http://www.norsam.comWeb Link). Unlike most archival storage where the information is converted to a digital representation, HD-Rosetta uses an ion beam to etch full page images at 300dpi resolution onto a metal disk; touted to survive most any calamity. And, because the archive is an actual image of the hardcopy (or microfilm or other media) software to access the data is not a concern in the future. Any high-powered microscope will be able to recover an image if necessary. Currently a 2-inch disk can store about 90,000 8.5×11-inch images when etched with a 50-nanometer ion beam. The company is shooting for 350,000 images by reducing the spot size to 25-nanometers.

Spammer Pays. The Seattle Times reports that one Washington-state user has successfully collected $200 from a spammer under a new state law that outlaws unsolicited commercial E-mail with false header information (and most spam contains false header information). After spending a bit of research time to isolate the company responsible for the E-mail the user sent them a copy of the law and a bill. Unwilling to test the law, the company paid $200 (the user could have claimed up to $500 but thought $200 would be enough) and has vowed in the future to only use E-mail lists where people have given permission to have commercial E-mail sent to them. A victory for the good guys!

In closing: Keep cool in the heat wave that is hitting much of the US.