Computer Knowledge Newsletter – March 1999 Issue

In This Issue:

Virus News

Happy99 Update. By now, all the major anti-virus programs can handle this worm. You should use them to get rid of it. Last month I gave you manual instructions for removal. One point was left out, however: Windows tends to use the WSOCK32.DLL file and so won’t let you copy or rename it. In order to use the manual technique you may have to exit Windows to DOS mode first.

Virus Finds Encryption Keys. Data Communications reported a story about viruses finding strong encryption keys on user systems ([Link 404]). The story has been picked up by others and you can expect to see more references to it. The problem is that the original paper referenced in the story ([Link 404]) mentions the word “virus” only once, and not in particular connection with the key-stealing methods the paper describes.

If you are interested, neither is long, so take a look at the story and then read the original paper (the word “virus” is in the conclusion at the end). Make your own determination. If nothing else, you will learn something about what the next method of attack might be for stealing private encryption keys.

General Security

Social Engineering. How do most crackers get the passwords they need to break into systems? Some use password dictionaries and guess; but more often you’ll see various so-called “social engineering” techniques.

Social engineering is basically a series of techniques a person can use to trick someone else into revealing sensitive information (such as a logon name and/or password). They range from getting a low-level janitor’s job and searching through garbage (you’d be amazed at what people throw away without shredding it) or going through deskpads and desks looking for passwords on 3M Post-it sheets to pretending to be Information Technology (IT) employees.

This latter is becoming quite common. As one example, a cracker may call some random number in a company. The cracker then asks for someone not at that number. To be polite, the person who answered the phone looks up the correct phone number and then uses the company’s phone system to transfer the call to that number. (This step is critical to help establish the cracker’s credentials since with most internal phone systems the call now appears to be an internal call, not an external call.) [Note: Social engineering is now usually called phishing.]

Once the cracker has the real target on the phone s/he pretends to be from the IT Department. The patter used varies, but usually involves the IT Department having found some problem that will be really fast to fix but requires the user to type in a series of commands and carefully read the responses. Of course, the series of commands is bogus and returns error messages instead of the expected “responses.” The fake IT person starts to get frustrated, as does the target. Finally, the cracker says that the problem can be easily fixed if the target will just give the cracker their logon and password. The excuse used is to get the problem fixed fast, without bothering the person further; and the bait is the statement that the user can easily change their password afterward to assure security.

If the target gives out an ID and password, the game is over. That’s all it takes for the cracker to enter the system and then access further files that will eventually give the cracker the master password files, which are then cracked offline and often yield an administrator’s password. At that point the cracker has full access to the system, even if the user who was tricked did later change their password. The user’s password is no longer needed.

NEVER give your ID/password to anyone who just asks for it over the phone; no matter who you think they are! IT Department personnel don’t need them; they already have full access to the system. And, in the rare case they don’t, expect them to come to you in person (insist on it).

Satellite Hack. Early March brought reports of a British military satellite being hacked into and control of the satellite being given over to the crackers. Don’t believe it. Britain’s Ministry of Defense denies it happened and, frankly, my past experience in the space program (working with advanced space communications systems in the U.S. Air Force) tells me this is a clear hoax. Satellite control links are closed systems (i.e., not connected to the internet) and encrypted as well. This makes taking over a satellite a fairly complex task that requires specialized (and expensive) equipment. (It’s easier to just jam the satellite signal; but that’s easy to trace.)

Satellite providers are taking security quite seriously. Everyone saw the dependence on satellites when the Galaxy IV satellite went out and some 40 million pagers quit working.

Netscape JavaScript Bug. Expect a patch to fix a new bug found in Netscape’s browser JavaScript implementation. The bug allows access to HTML file content, cache, and browsing directories on a user’s system. Version 4.5 for Windows95 and Version 4.08 for NT are affected. The immediate workaround would be to disable JavaScript.

Don’t panic; just be aware (and maybe turn off JavaScript). This is just one of a series of bugs constantly being found in existing browser products. There are no known exploitations of the bug at this time.

DoD Hackers – The Real Story. A CIO Institute bulletin on computer security reports that the news media have the story about DoD foreign intruder penetrations wrong. General media reports say the Department of Defense has been “attacked” up to 100 times a day from multiple foreign sources in an attempt to penetrate DoD systems.

The 100 times a day part is likely correct; the multiple foreign sources part, however, is likely incorrect, particularly for attacks happening after about mid-December of last year.

What happened then? One of a new generation of tools made its debut. The tool, called “nmap,” not only performs scans but can do so using TCP addresses selected by the program operator. This can make the person next door appear to be attacking from any place in the world. Worse, “nmap” is a simple tool, able to be both downloaded and run in something like a quarter hour by amateurs. More experienced people can use these tools via scripts that run automatically and collect the information gathered for later analysis. Expect even more automatic tools in the near future. (Note: “nmap” is a tool that has both good and bad uses; it is NOT a cracker tool, it is a tool being used by crackers.)

This information should not make you sleep better tonight! It should make you take yet another look at all of your network’s vulnerabilities and get them fixed — FAST.

Programs With Ads. A new trend being seen is to place advertising code into evaluation versions of software. The idea is that while you are evaluating the particular program you will be presented with advertising that is partly paying for the production of the evaluation version. That code is usually suppressed when you make your decision and pay for the full version of the program.

The problem is that this advertising has to come from somewhere; some is cached in the program code itself, but many times new ads will come over the internet when you are connected. Therein lies the potential opening. When some programs are run they will attempt to establish an outgoing FTP link to the ad server (outgoing FTP because that is almost always allowed through a firewall, under the assumption that if it’s outgoing, it’s under the control of a trusted source).

Not all advertising inserts use FTP. For now, you can identify one by looking for “TSAdBot” (without the quotes) in the registry. If found, look under “Clients” for the program(s) you have on your system making outgoing FTP links.

If you have a program that makes an FTP link and a person who works for the ad-serving agency becomes disenchanted for some reason (or even just has a bad day), these FTP links can be exploited and give that person easy access directly into the machine displaying the ads (and any network resources that person may also have access to).

To be quite safe, only run programs that display ads on machines not connected to a network and/or machines not logged into the internet. Once the ad-displaying code is disabled (should you decide to use the program beyond evaluation) the problem goes away.

Win98 User Info Problem. A couple of bugs relating to user information privacy have surfaced relative to Windows 98. In one, the unique customer ID numbers used by Microsoft to track movement on their web site are exposed to other sites through the RegWiz ActiveX control when IE 4.0 is used. Microsoft is investigating this bug.

In a related matter, Microsoft applications Word, Excel, et al. embed unique identification numbers into documents. These numbers include information about the generating user’s computer and can also be transmitted to Microsoft without user approval.

In combination with the above flaw, it’s now possible this information can also be read by other web sites.

In an effort to correct the situation, Microsoft has committed to have their web site stop receiving these user IDs and will provide a software tool that will allow users to remove the unique numbers already in documents. They will also issue a patch that disables insertion of the ID in the first place.

Of course, it’s up to you to get and install these patches. And, of course, you then need to run the tools on all existing documents you want purged.

Microsoft also asserts Office 2000 will not have the ability to insert unique identifiers into documents.

Items of Interest

Windows 49.7 Day Crash. If you manage to keep a Windows (95/98) computer running without a crash of the operating system for 49.7 days, Microsoft has admitted that the operating system will crash on its own. Apparently there is a bug in a timing routine that shuts the OS down without warning after that period. (Likely it’s a 32-bit millisecond counter, as 2^32 milliseconds = 49.710269 days.) For some reason not all computers are affected.
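The arithmetic behind the 49.7-day figure, plus the pattern that keeps code reading such a counter from misbehaving at the wrap, as an added example written for this newsletter (it is not Microsoft’s code, and the idea that the OS keeps a 32-bit millisecond tick counter is the assumption stated above, not a documented fact):

```c
#include <stdint.h>
#include <stdio.h>

/* A 32-bit millisecond tick counter wraps to zero after 2^32 ms. */
#define TICKS_PER_DAY 86400000.0

/* Days until a 32-bit millisecond counter wraps: 2^32 / 86,400,000. */
double days_until_wrap(void)
{
    return 4294967296.0 / TICKS_PER_DAY;   /* about 49.7103 days */
}

/* Naive elapsed-time: widen both values and subtract. Goes hugely
 * negative once the counter has wrapped, which is the kind of bug
 * that can make a timing routine do something unexpected. */
long long naive_elapsed_ms(uint32_t start, uint32_t now)
{
    return (long long)now - (long long)start;
}

/* Safe elapsed-time: unsigned subtraction is modulo 2^32, so the
 * result is correct as long as less than 2^32 ms really elapsed. */
uint32_t elapsed_ms(uint32_t start, uint32_t now)
{
    return now - start;
}

/* Naive deadline test: wrong when the deadline lies past the wrap
 * (it is numerically smaller than "now", so it looks already past). */
int deadline_passed_naive(uint32_t now, uint32_t deadline)
{
    return now >= deadline;
}

/* Safe deadline test: compare the modular difference as signed,
 * so a deadline up to 2^31 ms ahead is correctly seen as "not yet". */
int deadline_passed_safe(uint32_t now, uint32_t deadline)
{
    return (int32_t)(now - deadline) >= 0;
}

int main(void)
{
    uint32_t before = 0xFFFFFF00u, after = 0x00000100u; /* straddles wrap */
    printf("wrap after %.4f days\n", days_until_wrap());
    printf("naive: %lld ms, safe: %u ms\n",
           naive_elapsed_ms(before, after), elapsed_ms(before, after));
    return 0;
}
```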

Microsoft has posted a patch; however, they state the patch has not been fully tested.

Reaction among users has ranged from “ho-hum” to outright laughing at the thought of the operating system actually operating that long without a crash from other sources.

10,000 Dow. Now that the DOW has touched 10,000, did your financial programs survive?

In closing: Keep warm. It snowed down to 700 feet here recently. First time in 20+ years.