Date: 11 Feb 1994 15:01:58 -0500
From: "Kenneth R. van Wyk"
Subject: Final copy - public release - ASSIST Bulletin 94-02b
Sender: first-request@csrc.ncsl.nist.GOV
To: first-teams@first.ORG
Cc: Automated Systems Security Incident Support Team
Reply-to: "Kenneth R. van Wyk"
Organization: FIRST, the Forum of Incident Response & Security Teams
Content-transfer-encoding: 7BIT
Sub-Organization: FIRST Secretariat
X-Sequence: first-teams.0175

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
 MIICqjCCAhMCARAwDQYJKoZIhvcNAQECBQAwgYYxC
 zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzEyMDkxM
 zAwNDRaFw05NTEyMDkxMzAwNDRaMIG4MQswCQYDVQQGEwJVUzErMCkGA1UEChMiR
 GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud
 GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db
 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxGzAZBgNVBAMTEktlb
 m5ldGggUi4gdmFuIFd5azCBmjAKBgRVCAEBAgIEAAOBiwAwgYcCgYEA87an/VaSD
 dGo6vyWxeuYagddw7CFtKmrgvExfmcie7QUd7Nd63b31AK6tBeu4LLTsaKXR8d9O
 yzu+MWQFPS0QkfAa501U3AhSGmdJK8I1sIyGHnIXtiDI6dWDR7d/kFfFCFi1Skbv
 b5wQzZzwSg5xGJgZLunVwtKkP2dxV8hC+cCAQMwDQYJKoZIhvcNAQECBQADgYEAG
 B808ZN0Egrl+/A7tXicIVtm9OEMsWVc+P36oh9Ql/IZHc0C5tt4ZrXyeWSXIKlnR
 cEIHkJqXlBs3/THCZzZqFCJG1rki7kxKNrmmqB2+/bnfK2ZUBjVnW3cHeoEnv/VI
 MaNWjcrdc+DQpP8pXojfTvxnTuawSOSvyhs13RUC0s=
Issuer-Certificate:
 MIICNTCCAZ4CARswDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMTExMDIxMjIxNloXDTk0MDIxODIxMjIxNlowg
 YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c
 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c
 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC
 AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD
 S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd
 Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX
 P8CAQMwDQYJKoZIhvcNAQECBQADgYEAtk4EYPgH0//H896t95E+4m8zWRxwyAULr
 a5wWThZ1TNjwdDQ3HbYC2IhXUA2N2Vzic5SWBFI6BRmEjWQrrgUNi4a26zZc6jiS
 3OebUYo75t1kkzyRaEf0o3DPnkvo0FQziUJaFpu6Z1/+ZoGu4UURwr/jaA+g1oZC
 6kDyRnygWc=
Issuer-Certificate:
 MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR
 DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ
 m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL
 xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK
 nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK
 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA
 AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW
 h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9
 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ==
MIC-Info: RSA-MD5,RSA,HXhalSpfZ5WLYJThaiVXxwVcEPEajF7V9wVRPzuyL3R
 UBc9ylM49PUNQo5QTY3Ba2sLiwWLujTrvmDVlF3mFMWsvxYT78VAAOgUTyIzpMFY
 gTrc7NwFRKjWskAlc7X5PE6NrABfIf2ktYoeSUZ2Lrqm87rGpKm3Su0abclBIVpk
 =

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
          Automated Systems Security Incident Support Team
      [ASCII-art "ASSIST" logo with the motto "Integritas et Celeritas"]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 94-02B
Release date: 11 February 1994, 1500 EST

Subject: Actions to be taken by DoD systems affected by the recent MILNET/Internet intrusions detailed in ASSIST Bulletin 94-02.

SUMMARY:

ASSIST has received numerous calls from persons requesting additional information about which systems were affected by recent large scale network sniffer incidents, and what actions must be taken to correct problems.
These points were addressed in ASSIST Bulletin 94-02, but various interpretations of the information have resulted in some confusion. This bulletin attempts to clear up that confusion. Additional ASSIST Bulletins will be released as more information becomes available.

BACKGROUND:

ASSIST Bulletin 94-02 described a recent network security event that affects every MILNET host that accepts remote network connections (FTP, telnet, and rlogin). The event has been ongoing since at least mid-December. The compromise of account information occurred using network eavesdropping software ("packet sniffers") operating on major Internet backbones, as well as on at least one MILNET system.

IMPORTANT: SINCE THESE PACKET SNIFFERS DO NOT SPECIFICALLY TARGET INFORMATION FROM UNIX SYSTEMS, ALL SYSTEMS ON THE NETWORK ARE POTENTIALLY VULNERABLE TO THE EAVESDROPPING, REGARDLESS OF SYSTEM TYPE.

The packet sniffers compromise any FTP, rlogin, or telnet packet regardless of the type of operating system (e.g., UNIX, VMS, MVS, PC, Macintosh) the packet was sent from or to.

IMPORTANT: A SYSTEM DOES NOT HAVE TO BE COMPROMISED ITSELF TO BE AFFECTED BY THIS INCIDENT; IT SIMPLY HAD TO TRANSMIT ONE OF THE TARGETED PACKETS THROUGH A COMPROMISED NETWORK HOST.

Thus, any system on the network can have its usernames and passwords compromised when accepting an FTP, telnet, or rlogin session from a remote system. Additionally, all MILNET sites should verify that the sniffer software has not been installed on their computer systems. The particular sniffer software used in this incident only runs on UNIX systems that have the /dev/nit device; refer to ASSIST Bulletin 94-02 for additional information on how to detect the presence of a sniffer on a UNIX computer.

IMPACT:

All connected network sites that use the network to access remote systems are at risk from this attack.
All user account and password information derived from FTP, telnet, and rlogin sessions and passing through the same network as a compromised host could be disclosed. ASSIST continues to operate on a 24 hour basis in support of the numerous requests for assistance.

IMMEDIATE ACTIONS REQUIRED:

A. ALL PASSWORDS ON ALL MILNET SYSTEMS THAT HAVE NOT YET BEEN CHANGED AS DIRECTED IN ASSIST BULLETIN 94-02 MUST BE CHANGED IMMEDIATELY. Systems that have not changed their passwords are at considerable risk of intrusion.

B. Check all UNIX systems on the MILNET for the sniffer program as described in ASSIST Bulletin 94-02.

ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your MILNET (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins, and other security related information, are available on the ASSIST bbs (see below), and through anonymous FTP from assist.ims.disa.mil (IP address 137.130.234.30). Note: assist.ims.disa.mil will only accept anonymous FTP connections from MILNET addresses.

ASSIST contact information:

PHONE: 703-756-7974, DSN 289, 24 hrs/day during the immediate handling of this incident. Afterwards, duty hours will return to 06:30 to 17:00 Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes; however, if a quicker response is required, prefix your phone number with "999".

ELECTRONIC MAIL: assist@assist.ims.disa.mil

ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".
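The bulletin defers the sniffer check in action B to Bulletin 94-02, which is not reproduced here. The sniffer it describes reads /dev/nit, and to see other hosts' FTP, telnet and rlogin traffic it must put the interface into promiscuous mode, so the usual check of that era was to look for the PROMISC flag in "ifconfig -a" output. The script below is an added example written for this page, not ASSIST's or 94-02's own procedure: it parses the "name: flags=NNN<FLAG,...>" stanza form produced by SunOS and BSD-derived ifconfig (and by modern net-tools on Linux), runs against a constructed sample, and can also be pointed at the live system. The sample interface names and the RFC 5737 addresses in it are made up.

```shell
#!/bin/sh
# Added example, not part of ASSIST Bulletin 94-02B: report interfaces whose
# ifconfig flag list contains PROMISC. A sniffer that reads /dev/nit needs the
# interface in promiscuous mode, so an unexpected PROMISC flag is the
# simplest sign that one is running on the host.

# Read "ifconfig -a" style output on stdin and print the name of every
# interface whose <...> flag list contains PROMISC. Only stanza header lines
# of the form "name: flags=NNN<FLAG,FLAG,...>" are examined; the indented
# address lines that follow them are ignored.
promisc_ifaces() {
    awk '/^[A-Za-z][A-Za-z0-9:.]*: *flags=[0-9a-fx]*</ && /<[^>]*PROMISC[^>]*>/ {
             sub(/:$/, "", $1)      # "le0:" -> "le0"
             print $1
         }'
}

# Constructed sample in SunOS 4 "ifconfig -a" form (hypothetical host). le0
# is the interface a sniffer has opened; the others are normal. Addresses
# are RFC 5737 documentation addresses, not real hosts.
SAMPLE_IFCONFIG='lo0: flags=49<UP,LOOPBACK,RUNNING> mtu 1536
        inet 127.0.0.1 netmask ff000000
le0: flags=963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
le1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 198.51.100.10 netmask ffffff00 broadcast 198.51.100.255'

# Run the check against the constructed sample; prints "le0".
check_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
}

# Run the check on the live system. Returns 1 (and names the interfaces) if
# any interface is promiscuous, so it can be scheduled from cron and the
# output mailed to the administrator. The full path is used deliberately
# rather than whatever "ifconfig" happens to be first in PATH.
check_live_system() {
    found=$(/sbin/ifconfig -a 2>/dev/null | promisc_ifaces)
    if [ -n "$found" ]; then
        echo "promiscuous interface(s): $found"
        return 1
    fi
    return 0
}

check_sample
```

Two caveats for anyone using a check like this. First, a host on which a sniffer was installed was often also left with a modified ifconfig that omits the PROMISC flag, so compare the binary against a known-good copy from the distribution media (or run a copy from read-only media) before trusting its output. Second, this only tells you whether the sniffer is present on the host you are checking; it says nothing about whether your users' passwords were already captured elsewhere on the path, which is why action A (change all passwords) applies regardless of the result.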
Privacy Enhanced Mail (PEM):

ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available, and additional versions are likely to be offered from other sources in the near future.

-----END PRIVACY-ENHANCED MESSAGE-----