Computer Knowledge Newsletter – August 1999 Issue

In This Issue:

E-mail Threat Notification. Some readers have requested threat notification via E-mail and so far I’ve resisted; except for the Melissa event a few months back. I think I’ve come up with a useful compromise however and have implemented it. I’ve set up a page on the web site designed to highlight the current major threats (emphasize major). On that page I’ve placed a form that allows you to register the page with NetMind, a service that monitors web pages and notifies you via E-mail when they change. So, if a major threat comes up I’ll be adding it to that special page in advance of its being talked about in the newsletter. When that page changes due to the addition those who have signed up for an E-mail notice will get one. If you prefer not to get an E-mail notice you can simply check the page now and again by bookmarking it. Or, you can just wait until the middle of the month for the next newsletter. Check out:

[Update: Page taken down. You can sign up at anti-virus sites for this same service.]

[Note: I’ve had the page up and myself registered with NetMind as a test and just before mailing this newsletter got an alert, despite the fact the page had not changed. I have had no response from NetMind about this false alarm. Be advised that nothing is perfect and you may receive false alarms.]

Virus News

VBS/Monopoly. There appears to be much discussion about this Visual Basic Script E-mail worm. A knockoff of Melissa the worm is distributed as an attachment to a message with the subject “Bill Gates joke” and a teaser asking you to click on the attachment (MONOPOLY.VBS). If you do the worm attempts to send itself to everyone in your Outlook address book (and it sends info about your system to specific programmed addresses). It also writes out a picture of a Monopoly board with Bill Gates in the center. The strange thing about this beast is that despite all the discussion there is no record of it being in the wild!

W97M.Marker. A common macro virus with an interesting payload. Basically, the virus takes the user information stored when you registered Word97 (Tools|Options|UserInformation) and sends it to a specific FTP site. It does this once only and keeps track of this by adding an item to your registry. Depending on what information you have on your system it could be useful to crackers. While infecting, the virus creates a file of the form HSF????.SYS where “????” is a random number.

BO2K update. Bug fixes and new plugins are now available for BO2K (see last month’s newsletter for the BO2K announcement). Some of the plugins include:

  • Butt Trumpet 2000. The plugin sends E-mail via the host’s IP address.
  • Triple DES encryption. Secures a BO2K connection end-to-end.
  • VidStream. Sends a streaming video of the server computer’s screen. Also gives remote keyboard and mouse control.
  • Scripting language. As the name implies, provides for scripts that can perform timed actions without the need for connection.

General Security

Y2K Fix Backdoor. First, you had to worry about the Y2K problem. Now, if you’ve hired a contractor to fix the problem, you might have to worry about the fix!

Despite the news about various web page defacements and other break-ins, the majority of company compromises happen from within. And, Y2K fixes present a unique opportunity for someone to compromise your system. Since those who are fixing Y2K problems have to get into all parts of the computer system to check things out and repair them, those people have to have access to most everything. This presents them with an opportunity to install trapdoors into systems so that at any time in the future they can access your system and do most anything they want to.

There is no single fix for this kind of potential problem. Basically, you have to either trust the person doing the work or have the work done in teams with different people checking each team’s work. Good configuration control of your internal software also helps as it can make changes easier to spot and analyze.

This is not something to panic about; just be aware of the potential and make certain work done on your systems is being independently checked; something you should be doing with any system changes anyhow.

DIRT. PC World Online recently reported about a law-enforcement program called DIRT (Data Interception by Remote Transmission).

DIRT is similar to Back Orifice (DIRT’s author claims Back Orifice was written as a DIRT knock-off). It’s a small program that, once installed in your computer, monitors all activity (including the keyboard), logs it, and then transmits that log to law-enforcement officials the next time you attach to the internet. DIRT is also supposed to be able to allow law-enforcement to control your computer remotely. At a minimum it works as an FTP server so files can be read from and loaded onto an infected computer.

DIRT was designed to help catch child porn distributors but it’s reported to now be in use against terrorists, drug dealers, money launderers, and spies. It’s been around since 1998 at least.

DIRT must be run on the target computer before it can do its work. That usually happens via E-mail where the target is mailed an unrelated program with DIRT installed as a Trojan within.

Before DIRT can even be presented to a target, a wiretap search warrant must be issued. As you can imagine, however, privacy groups are outraged about DIRT; saying that it goes well beyond just monitoring communications by allowing law enforcement to snoop through the entire hard drive.

Then, there is the other group that thinks the story is complete fabrication and that no such program exists.

More: [Link 404]

Office97 Hole. A security problem with data access software called Jet in Office97 can allow malicious code to enter your computer. The hole allows the planting of viruses, deletion of data, and files to be read. Microsoft has confirmed the bug.

Versions of Jet prior to 4.0 contain the bug. To find out if you have a computer with the security hole use the Windows “Find” command. Search for a file named “ODBCJT32.DLL” (it will likely be in the Windows System directory). Right click on the file, select properties, and then click on the “Version” tab. If the version number is lower than 4.0 the file should be updated.

Microsoft is making an update available on their web site. Jet is used in a number of Microsoft products and interacts with a number of applications. So, they want to take the time to develop a proper patch before posting it.

Office 2000 uses Jet 4.0 and is not affected by this security hole.

More: [Link 404]

Lost E-mail. Infoworld (9 Aug 99) reports that a flaw in Network Associates Inc.’s Groupshield for Exchange anti-virus product can cause messages from Microsoft’s Mail connectors to be lost. Supposedly, NAI support acknowledges the bug as known and suggests the workaround is to disable virus checking for external mail connectors, including internet mail, MS Mail, and cc:Mail. Of course, this defeats the purpose of the product!

One company is reported to have lost so many messages that some who need to communicate with the company have resorted to fax; avoiding E-mail entirely.

If you use Groupshield, you might want to check into this to make certain all your mail is coming through.

As this issue was going to press, Network Associates responded to this article in public newsgroups. Their message says, in part:

NAI believes the claims made in this article are not only inaccurate, but technically impossible. Despite supporting more than 30,000 site installations of GroupShield during major virus outbreaks such as Melissa and Explore.zip, we have not had a single customer report such a problem. Unfortunately, InfoWorld decided that these allegations were newsworthy. …the only known GroupShield issue related to message delivery was concerning the product’s ‘VirusLocking’ feature. This additional security feature is designed to ensure that unscanned messages are never delivered to end user machines during high-volume virus outbreaks…It was a known issue of the 4.02 product that in some cases messages being locked for scanning by the VirusLock feature were being locked for too long…This delay in the virus locking feature was a known issue in GroupShield Exchange version 4.02. It was fixed in version 4.03 which has been shipping for almost two months and is the prevalent version at customer sites.

Items of Interest

Web Browsing Hazardous. Did you know that browsing the web can be dangerous to your health? It apparently can, but perhaps not in the way you think.

We all know about “bad” web sites (however you define “bad”), but did you know that the actual process of browsing may be harmful? The problem is in posture and how you control the browser. If you lean back while surfing you pull away from the mouse and put pressure on the wrists and elbows. Further, people use the mouse more than they should. If you constantly press on the mouse button to scroll down a page you are straining the fingers (hint: to move to the end of a page quickly press the Control-End key combination–it gets there faster and gives your hand a needed break from the mouse). Finally, take your hand off the mouse when a page is loading to give it a rest.

Oh yes, you might want to sit up straight and not lean on the arm not working the mouse.

UCITA. The Uniform Computer Information Transactions Act (UCITA) has reared its ugly head again and users should pay attention. The National Conference of Commissioners on Uniform State Laws has recently approved the UCITA drafts. None of the objections of software users were incorporated; it was a total win.

Why should you care? Basically, because UCITA, as written, completely validates shrink-wrap and click-wrap licenses and makes them a legal document. That makes violation of license terms a crime. More importantly, UCITA puts virtually no limits on what can be in those agreements. Any terms the software makers want to impose will be binding if you want to use the software.

Further, UCITA allows the terms to change over time and requires users to be bound by the new terms. So, if a software maker wants to change their license from a purchase to a yearly lease while you are using the software they likely will be able to do this legally and without recourse other than your finding new software to use. (Of course, any software maker who actually did this would likely face the unbridled wrath of their customers; but it’s of some interest that it’s even possible.)

And finally, the real kicker: UCITA allows software vendors to enforce the licenses by a variety of methods, including remote disabling of the software. That’s right, the law will allow software makers to write backdoors that will allow those makers to monitor your use of the software remotely and disable it should they find that use to violate the license.

UCITA is not law yet, it’s only a recommendation of the commissioners. But, generally, state legislatures tend to pass the commissioners’ recommendations without question so that there is a set of uniform laws across the country from state to state.

I can’t say what you as an individual can do or how this will affect users outside the United States, but it’s an issue worth following:

[Link 404]

(I don’t know how long this link will remain valid.)

A full copy of the draft can be found at:

[Link 404]

Another site to use to follow this issue would be:

http://www.badsoftware.com/Web Link

In closing: Hungry? I’ve started adding recipes I cook to the personal web site. Check: http://tomsdomain.com/recipes/Web Link. Enjoy.

And, if you receive a message that tells you to pass it on to everyone you know please do yourself and everyone else and DON’T. It’s so rare any such message is a real alert of some kind that you’re just wasting bandwidth and other people’s time by passing it on.