VIRUS-L Digest Monday, 14 Nov 1988 Volume 1 : Issue 7 Today's Topics: Removal of Details on the Recent Virus at Purdue flushot: which version is bad Hiring the mischevous hacker Sendmail security hole (UNIX) --------------------------------------------------------------------------- Date: Sat, 12 Nov 88 13:55:06 CST From: Bill Goffe Subject: Removal of Details on the Recent Virus at Purdue In yesterday's (11/11) NEW YORK TIMES, p. 12, there is an article titled "U.S. is Moving to Restrict Access To Facts About Computer Virus." It describes how the National Computer Security Center, a division of the National Security Agency, requested that Purdue University remove detailed information on the recent virus from university computers. The university complied. The article goes on to describe the debate over this action (rather considerable, as you might imagine). The article leaves open the possibility that sother sites may have received similiar requests. Two questions: (1) what was the NCSC concerned about? (2) have others been contacted? Bill Goffe b234wlg @ utarlvm1 ------------------------------ Date: 14-NOV-1988 17:26:37 GMT Subject: flushot: which version is bad From: Doug Moncur Function: Microsystems Adviser Surface mail: Computing Service, University of York, York YO1 5DD Phone: uk: 0904-430000x3815 or direct dial: 0904-433815 international: +44-904-430000x3815 or +44-904-433815 Fax: 0904-432767 (uk) or +44-904-432767 (int'l) Telecom Gold: 87:YQQ361 can I have an update on which version(s) of flushot are known/ suspected of being bad ? with my customary efficiency I've flushed all the flushot messages 3 or 4 days before someone comes in with a possible virus problem - -Doug ------------------------------ Date: Mon, 14 Nov 88 15:08 EST From: X-=*REB*=-X Subject: Hiring the mischevous hacker >Well, I finally heard it the other night -- Ted Koppel, who I happen to >think is one of the best interviewers in the popular media, had a program >on the internet events, and (Wozniak's inane remarks aside) Koppel said >something to the effect that if the culprit was not convicted he would >certainly going to have a career in computer security. > >NUTS !!!! > >[stuff deleted] >We do not hire murders as >police chiefs, and we do not hire embezzelers to guard the cash drawer. >Whether the scope of damage was beyond that invisioned, I have NO USE >WHATSOEVER for anyone who even considers to initiate such a program in >which there is even the most remote possibility of damaging other's in >data, stealing their private information, or denying them the use of >their resources. Yes, but some people see these folks as intelligent people who have simply been turning to the dark side of the force. I think it's better to put them on the side of good than to let them perpetuate their crimes/annoyances. I think the feeling is along the lines of "They know too much already and we'd better have them on our side." Or, in other words, "If he can do it, he can help us prevent others from doing it (or similar things) again." Sure, none of this prevents the person from continuing his activities on the inside. Obviously, those who hire such people feel confident that there is no risk of it continuing. Richard Baum ________________________________________________________________ /InterNet:kREBaum@Vax1.CC.Lehigh.EDU BitNet: RB00@Lehigh.Bitnet ", / SlowNet: 508 E 4th St Suite #1, Bethlehem, PA 18015 215-867-8433", /NJ Slownet: 861 Washington Avenue Westwood, NJ 07675 201-666-9207 ", - ----------------------------------------------------------------------- Was it over when the Germans bombed Pearl Harbor? (On Sept 7 of course!) ------------------------------ Date: Mon, 14 Nov 1988 16:13:19 EST From: George Young Subject: Sendmail security hole (UNIX) The sure way to determine if your sendmail is subject to this security hole is to try it yourself. It is frighteningly easy. On questionable unix machine 'phubar' do [machine responses prefixed by ">"]: telnet phubar 25 >Trying... >Connected to ll-vlsi.arpa. >Escape character is '^]'. >220 phubar Sendmail 5.51/3.2.sst.ll ready at Mon, 14 Nov 88 12:26:21 EST helo phubar >250 phubar.cc.hehigh.edu Hello phubar, pleased to meet you debug >500 Debug set If the respose to the 'debug' command is 'Debug set', you are wide open! The response should be something like 'Command unrecognized' if you are safe. End the telnet session with 'quit'. I would disable sendmail until you get it fixed. Even if you didn't get hit by the recent virus, there are now thousands of curious hackers out there just itching to try out this newly publicized security hole. There are various fixes available on the net, but basically what you need to do is with adb or emacs or whatever editor you use for binary files, change the string 'debug' to something else -- 'showq' is suggested, since that is a valid SMTP command. Good luck. George Young, Rm. B-141 young@ll-vlsi.arpa MIT Lincoln Laboratory young@vlsi.ll.mit.edu 244 Wood St. Lexington, Massachusetts 02173 (617) 981-2756 ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253