From real@freenet.edmonton.ab.ca Sun Feb 22 15:47:38 1998
Newsgroups: alt.2600.moderated
Subject: RCMP
From: real@freenet.edmonton.ab.ca ()
Date: 22 Feb 1998 23:47:38 GMT


http://www.rcmp-grc.gc.ca/html/bull45-e.htm

Information Technology Security Bulletin 45

IT SECURITY BRANCH, RCMP

January 1998 -- NUMBER 45

* The Macro Virus Cap
* Cellular Telephone and Personal Communication Service Security 
Concerns
* Windows NT Security Checklist 




The battle against macro viruses continues. A macro virus that 
was first detected in the spring of 1997 has quickly become 
widespread in government departments that use Microsoft(R) 
Word(tm). The virus consists of one large macro called CAP which 
is called from nine other specific macros inconspicuously named 
AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates, Tools 
Macro, FileClose, FileOpen and AutoClose.

While it has been suggested that the virus has no damaging 
payload or trigger, it does in fact remove some legitimate system 
macros that are defined in the global template file. The actual 
damage then is primarily in the amount of time lost in recovering 
from these incidents. One department has reported 2,368 incidents 
of this virus to the RCMP Security Evaluation and Inspection Team 
(SEIT) for only the first nine months of the year. The time spent 
in restoring the original system macros can be significant and 
costly. This downtime is further impacted by the inability of 
antivirus products to detect and repair the virus damage.

The virus itself has been well researched and documented. 
According to various international anti-virus groups, the CAP 
macro contains the following text:

C.A.P:Un virus social.. y ahora digital.. 

j4cKyQw3rTy (jqw3rty@hotmail.com).

Venezuela, Maracay, Dic 1996.

P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !

However, this text is never displayed on a screen or inserted 
into a document. The CAP macro virus spreads via Word documents 
by firstly copying the set of 10 macros mentioned above into
the user鱷 template. The virus then browses the Word menu items 
for custom macros intercepting up to five of these additional 
macros and placing inside them a pointer to the main CAP macro. 
In addition, any system macros previously defined in a global 
template before the infection are deleted. The virus also removes 
the menu items "Tools/ Macro" and "Tools/Customize". The
"File/Templates" menu item is present after infection but does 
not work.

The virus uses information from the macro description field found 
at the bottom of Tool/Macro box to recognize its own main macros. 
These have "F%" at the beginning of a description (FileOpen
has F%O, FileClose - F%C, FileSave and FileSaveAs - F%SA). System 
administrators can manually check for these descriptions. 

The CAP macro virus can be effectively removed in two steps:

1.Run a recent antivirus scanner (which has been updated to 
detect and repair the CAP damage). This procedure will remove the 
virus and all related (infected) macros. 

2.Rename the global template (NORMAL.DOT) to some other unique 
(.DOT) name. The next time Word is started, it will automatically 
create a new global template file. This second step is necessary 
to get rid of the menu customization created by the virus and to 
put in place a new NORMAL.DOT file.

It is then a matter of using the Tools/Macro (Organizer option) 
to copy the required macros from the renamed template file, 
thereby preserving all the department鱷 required custom macros.

Departments are reminded and encouraged to report their virus 
incidents to SEIT. This facilitates the ability to track the 
spread of incidents and to share virus recovery techniques. For 
further information contact David Black of the RCMP IT Security 
Branch at 613-993-6579, or send an E-mail to dblack@seit.com.



Cellular Telephones

The Advanced Mobile Phone System (AMPS) is the original standard 
for the North American cellular telephone system. The system 
allows two service providers. In Canada, the "A" side is allotted 
to the non-hardwired carrier (Cantel), while the "B" side is 
assigned to the wired service provider (Bell Mobility). The 
cellular telephone system, unlike the old radio telephone system, 
reuses the same set of assigned frequencies over and over again. 
The reuse is accomplished by first dividing the assigned 
frequencies into groups. Each of these groups is then assigned to 
a specific cell site. When all groups have been used, the first 
group of frequencies is assigned as far as possible 
geographically from the original group assignment. The geographic
separation ensures that the cell sites do not interfere with each 
other鱷 traffic. The frequency designations are as follows: the 
base station or forward channel frequencies range from 869 MHz
to 894 MHz. These are the channels that allow the cell site to 
talk to the mobile. The mobile cellular channels or reverse 
channels range from 824 MHz to 849 MHz.

Currently, most cellular telephone traffic is in analog or plain 
language format, and scanners can readily be modified to monitor 
these frequencies. An eavesdropper utilizing two scanners set 45
MHz apart will be able to intercept both sides of an ongoing 
conversation. Since the cellular telephone is simply a radio 
transceiver that receives and broadcasts radio signals, users are
unaware if their calls are being monitored. The AMPS control 
channels use frequency-shift keying (FSK) to transmit the user鱷 
mobile identification number (MIN), electronic serial number 
(ESN) and number assignment module (NAM) information. The voice 
channels, however, have been using the analog format, making them 
vulnerable to interception. The recent introduction of digital
cellular telephones, primarily using time-division multiple 
access (TDMA), has allowed service providers to triple the 
bandwidth of the AMPS network. Scanners cannot demodulate voice
channel information transmitted in digital format.

Digital cellular telephones operate in a dual-mode capacity. The 
cellular telephone must be able to communicate with the cell site 
in both analog and digital formats; however, the method of
communications is transparent to the user. A user could therefore 
expect a measure of voice privacy inherent with digital 
communications while conducting a conversation on a digital 
cellular telephone, but actually be communicating in analog. The 
mobile communication format is dictated by the cell site. Each 
cell site may have only a limited number of TDMA-capable 
channels, and if these channels are all in use then the mobile 
will be required to communicate in analog. An estimated 95 
percent of all cellular calls are still transmitted in analog 
format. The digital cellular telephone does not encrypt its voice 
channel information. Devices capable of converting the
digital mode to analog are currently available, but expensive.

Personal Communication Service

The first personal communication service (PCS) system marketed in 
Canada was Microcell鱷 "Fido", with a very limited infrastructure 
providing service in Quebec City, Montreal, Ottawa, Toronto and 
Vancouver. Fido uses the global system for mobile communications 
standard at 1900 MHz, or GSM-1900. Clearnet鱷 PCS service uses a 
code-division multiple access (CDMA) format. PCS is a fully 
digital network offering advanced options such as call 
forwarding, call waiting and multi-party calling. The telephone 
set uses smart card technology to store user information. The 
voice channel on the GSM-1900 system is digitized and encrypted, 
with the encryption key stored on the smart card.

The service area for PCS is very limited compared to the cellular 
network. To overcome this problem, Microcell has entered into an 
agreement with Bell Mobility to use the cellular network
where Fido service does not exist. As a result of this decision, 
Fido must now become a dual-mode telephone, as is Clearnet鱷 PCS. 
Dual mode refers to the capability of functioning on both
the GSM-1900 and the AMPS systems. The caller has then lost the 
security advantages of the GSM-1900 system and reverted to the 
analog AMPS system. 

Some telephone models will have a light-emitting diode (LED) 
display on the unit to indicate the status of the call, whether 
"secure" in digital-encrypted PCS mode or in "non-secure" or 
plain-language AMPS format. The method of communication with the 
mobile telephone will be determined by the service provider鱷 PCS 
network. If the security indication is missed by the user, a 
sensitive call believed to be broadcast in encrypted-digital PCS 
may actually have been switched by the service provider to the 
AMPS network without the knowledge of the caller. A switch from 
PCS to AMPS may also occur during the conversation and will also 
change the security status of the call without the knowledge of 
the user. The dual-mode function eliminates the security 
advantages of PCS and opens the door to the cellular network 
vulnerabilities.

The RCMP Counter Technical Intrusion Section recommends that 
sensitive information not be discussed on a cellular telephone, 
including digital cellular telephones, due to the uncertainty of
the broadcast format. If it is necessary to transmit sensitive 
information over the airwaves, the use of a STU III cellular in 
encrypted mode is recommended. However, this only enables secure
communication with a second STU III cellular or land line which 
is also in encrypted mode.



As with most operating systems, Windows NT has been designed with 
a myriad of security features which may be activated or 
de-activated in accordance with the organization鱷 security 
requirements and the sensitivity level of the information 
processed. To ensure that Windows NT is implemented in compliance 
with the security policy developed by Information Technology
Security (ITS) personnel, system administrators must become 
knowledgeable about the security features and carefully plan the 
implementation. This, on the surface, may appear to be a simple
task but in practice requires significant effort and technical 
expertise. The administrators must fully understand the Windows 
NT security architecture and also remain aware of all known 
security vulnerabilities.

A test Windows NT LAN was established by the RCMP Security 
Evaluation and Inspection Team (SEIT) to assist departments in 
implementing Windows NT servers with adequate security features. 
This LAN, consisting of one Windows NT version 4.0 server and 
several Windows NT and Windows 95 clients, was set up to review 
the various security-related features of the operating system. In 
addition, SEIT reviewed the Microsoft documentation, industry 
publications, the Windows NT implementation and guidance books, 
and also researched Internet resources, to compile a Windows NT 
security checklist. This checklist, when completed, will provide
information that will assist Windows NT system administrators in 
adequately securing their Windows NT networks. 

The Windows NT operating system provides a number of security 
features including the ability to uniquely identify each user, 
clear memory immediately after it is freed by a process, disallow 
the recovery of information in disk clusters which have been 
allocated from another user, allow administrators to track 
security-related activities of all users in the system, and 
shield the security log from all but administrative users. These 
features, when properly configured and implemented, provide 
substantial safeguards to protect the confidentiality, integrity 
and availability concerns of the data and the network. However, 
there are some potentially vulnerable areas which must be 
addressed by system administrators. Operating systems are dynamic 
entities requiring frequent updates. From time to time, operating 
system security vulnerabilities are uncovered and heavily 
publicized. It is essential that system administrators remain 
aware of maintenance and security issues and immediately apply 
approved fixes to identified security vulnerabilities.

Some of the concerns that should be considered when configuring a 
Windows NT network are listed below. A more detailed list will be 
provided in the Windows NT security checklist.

File Systems 

Windows NT supports both the New Technology File System (NTFS) 
and the File Access Table (FAT) file systems. SEIT recommends 
that, when installing Windows NT, NTFS be implemented. NTFS is 
the only file system capable of utilizing all the security 
features built into Windows NT. The FAT file system does not 
support Windows NT access control lists. Implementing FAT
instead of NTFS prevents system administrators from assigning 
either file or directory level security restrictions necessary to 
achieve the National Computer Security Center (NCSC)鱷 C2
security level. Windows NT system disks formatted using the FAT 
file system do support the use of filenames up to 255 characters 
long. However, the FAT file system provides only limited means
to recover from system faults. The majority of third party disk 
repair tools that are able to repair damage to FAT file systems 
support only the 8 + 3 filename convention. Files which utilize 
the longer naming convention are often viewed as damaged files, 
and treated accordingly. 

Logging

The system logging capability is not automatically enabled when 
installing Windows NT. Enabling both system and security 
auditing/logging can inform system administrators of actions that 
pose security risks and possibly help detect security breaches. 
Windows NT saves the logs in the %SystemRoot%\System32\Config 
directory on the disk. Hackers or malicious users often cover
their tracks by modifying the log files after they have 
compromised a system. Therefore, only a limited number of trusted 
individuals should have full rights to these log files. 

Disk Space Quotas

Windows NT does not have the capability of assigning disk space 
quotas to system users. This provides an opportunity for users or 
perpetrators to launch a denial-of-service attack against an
NT system by filling the file system. Third-party utilities are 
available to enforce disk space quotas.

Boot Procedure

Many Windows NT installations are run on Intel-based hardware. 
Most Intel-based hardware lacks strong boot protection so that 
anyone who has physical access to the system can reboot that
system from any bootable device, including a floppy drive. An 
effective way to counter this type of attack is to combine good 
physical security of the server with the use of strong encryption 
on system and data files.

File Access Controls

Administrators must be aware that the default permissions for all 
new file shares give Full Control rights to the Everyone 
placeholder. Users have full control of any file in any share 
unless steps are taken by the share operator to reduce the 
potential risk. Share operators should be instructed to modify 
the permissions on all file shares immediately after they are 
created.

Last Signon Notification

By default, Windows NT 4.0, at the client or server level, 
displays the name of the last person who logged on to the system. 
This may pose a security threat, especially if a user's password 
can be guessed from the account name or the login environment. 
The display of the last user logged-on can be disabled by 
changing a registry key setting.

Information Resources

New security vulnerabilities are periodically discovered and 
reported. Many general computer security announcements originate 
from both the Computer Emergency Response Team (CERT) mailing 
list (URL http://www.cert.org) and the Forum of Incident Response 
and Security Teams (FIRST) mailing list (URL 
-http://www.first.org); these constitute excellent information 
resources for tracking operating system vulnerabilities. NT 
security mailing lists are another Internet resource. To 
subscribe to the NTSECURITY mailing list, send the text 
"Subscribe NTSECURITY" in an E-mail message to 
NTSecurity-Request@iss.net. To subscribe to the NTBUGTRAQ mailing 
list, send the text "Subscribe NTBUGTRAQ firstname lastname" or 
"Subscribe NTBUGTRAQ Anonymous" in an E-mail message to 
listserv@listserv.ntbugtraq.com. These lists have no official
connection to Microsoft.


The Information Technology Security Bulletin is published 3 times 
a year by the Technical Publications Section of the RCMP. 

Managing Editor: Loretta Parsons
Editor: Jean Perreault

Any part of this bulletin may be reproduced and used in another
publication, providing the source is acknowledged (Information
Technology Security Bulletin, RCMP IT Security Branch).

For information concerning other IT security publications,
contact:

Technical Publications Section
Technical Operations Directorate
Royal Canadian Mounted Police
1426 St.Joseph Boulevard
Gloucester, Ontario
K1A 0R2
Tel.: 613-990-0678
      613-993-8798
      613-993-8797
Fax:  613-993-2107
Electronic Bulletin Board : 613-941-6344,
                            613-993-6536

Internet address: techpubs@seit.com 
Visit the IT Security Branch web site:
http://www.rcmp-grc.gc.ca/html/itsb-e.htm

Copyright RCMP/GRC 1998








--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Graham-John Bullers                      Moderator of alt.2600.moderated   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    email : <real@freenet.edmonton.ab.ca> : <ab756@freenet.toronto.on.ca>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         http://www.freenet.edmonton.ab.ca/~real/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~