cmcdonal@wsmr-emh03.army.mil (Chris McDonald ASQNC-TWS-R-SO) (04/10/91)
The US Army has a site license for ProComm, version 2.4. Many of us use this software to connect our personal computers to a variety of hosts here at White Sands and elsewhere. Recently ISC personnel discovered that a particular feature of ProComm, which serves a perfectly legitimate purpose, can pose a security hazard. We contacted the vendor who advised us that it is not possible to disable the legitimate feature. In fact, denying this feature would hamper some of you from doing your jobs. We do not wish to describe the specific security problem, lest someone for whatever reason decides to take advantage of it. On the other hand, we do want to ensure that you and your information have sufficient protection against unauthorized disclosure. For your own protection please COMPLETELY EXIT from ProComm whenever you complete a terminal session. This means returning to the MS-DOS prompt.
w8sdz@WSMR-SIMTEL20.ARMY.MIL (Keith Petersen) (04/11/91)
Chris McDonald ASQNC-TWS-R-SO <cmcdonal@wsmr-emh03.army.mil> writes in a recent posting about security concerns with ProComm. This security problem exists in all modem programs, including nearly all versions of Kermit, which have the option of logging terminal sessions. In fact, there are very few programs that *don't* have that feature.

This is really an access control issue. The same security concerns exist for text editors. If the user is composing a text file and leaves the computer without exiting the editor... well, you see what I mean.

I think the message should be reposted and entitled "Warning to modem program users". It should be pointed out that this problem exists on any computer, not just MS-DOS computers.

An example: A Unix host running Kermit to access a dial-out port. The person initiating the call has the option in Unix Kermit to log the entire terminal session to a file. The log contains only incoming text, so passwords which are not echoed will not be logged.

Keith
-- 
Keith Petersen
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil or w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz
BITNET: w8sdz@OAKLAND
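The point Keith makes about session logs, shown as an added example that is not from any poster in this thread: a constructed model of a "log to disk" feature that records only host-to-terminal text, so an unechoed password never reaches the capture file while everything the host displayed afterwards does. The login exchange, account name and mail lines are all constructed sample data.

```python
# Constructed model of a modem program's session-logging feature (added
# example, not code from any program discussed in the thread). Only text
# arriving FROM the host is written to the log; local keystrokes appear
# in it only when the host echoes them back.

class SessionLog:
    """Capture file as a terminal program would write it: incoming text only."""

    def __init__(self):
        self._chunks = []

    def host_sends(self, text):
        # Everything the host transmits is displayed and therefore logged.
        self._chunks.append(text)

    def user_types(self, text, host_echoes):
        # Keystrokes go out over the line, not into the log; the log sees
        # them only as the host's echo (usernames yes, passwords no).
        if host_echoes:
            self._chunks.append(text)

    def contents(self):
        return "".join(self._chunks)


def simulate_login(username, password, post_login_output):
    """Constructed login exchange: the host echoes the username but not the
    password, then prints whatever the user reads after logging in."""
    log = SessionLog()
    log.host_sends("login: ")
    log.user_types(username + "\n", host_echoes=True)
    log.host_sends("Password: ")
    log.user_types(password + "\n", host_echoes=False)
    log.host_sends("\n")
    for line in post_login_output:
        log.host_sends(line + "\n")
    return log.contents()


def leaked_items(log_text, items):
    """Which of the given strings would someone reading the capture file see?"""
    return [item for item in items if item in log_text]


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real account or message.
    log = simulate_login("cmcdonal", "s3cret-example",
                         ["You have new mail.",
                          "From: payroll, salary figures attached"])
    print(log)
    print(leaked_items(log, ["cmcdonal", "s3cret-example", "salary figures"]))
```

The password is absent from the log, but the account name and every line read during the session are on disk until the file is removed, which is why the session (and the program) should be closed out rather than left open.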
dandrews@bilver.uucp (Dave Andrews) (04/11/91)
In article <W8SDZ.12676193677.BABYL@WSMR-SIMTEL20.ARMY.MIL> cmcdonal@wsmr-emh03.army.mil (Chris McDonald ASQNC-TWS-R-SO) writes:
>Recently ISC personnel discovered that a particular feature of ProComm [2.4],
>which serves a perfectly legitimate purpose, can pose a security hazard.
> ... We do not wish to describe the specific security problem,

Though curiosity rages uncontrollably within me, I see the sense to keeping mum, besides which I've upgraded all my PCs to PCP 2.0. Do you know if Procomm Plus version 2 contains the same "feature"?

Thanks,
David Andrews
tarpit!bilver!dandrews
Conrad.Bullock@comp.vuw.ac.nz (Conrad Bullock) (04/12/91)
In article <1991Apr11.122944.5139@bilver.uucp>, dandrews@bilver.uucp (Dave Andrews) writes:
|> In article <W8SDZ.12676193677.BABYL@WSMR-SIMTEL20.ARMY.MIL>
|> cmcdonal@wsmr-emh03.army.mil (Chris McDonald ASQNC-TWS-R-SO) writes:
|> >Recently ISC personnel discovered that a particular feature of
|> ProComm [2.4],
|> >which serves a perfectly legitimate purpose, can pose a security
|> hazard.
|> > ... We do not wish to describe the specific security problem,
|> 
|> Though curiosity rages uncontrollably within me, I see the sense to
|> keeping mum, besides which I've upgraded all my PCs to PCP 2.0. Do
|> you know if Procomm Plus version 2 contains the same "feature"?

At a guess, I'd say the scroll-back buffer is what they're talking about...
-- 
Conrad Bullock                      | Domain: conrad@comp.vuw.ac.nz
Victoria University of Wellington,  | or: conrad@cavebbs.gen.nz
New Zealand.                        | Fidonet: 3:771/130
                                    | BBS: The Cave BBS +64 4 643429
ts@uwasa.fi (Timo Salmi) (04/12/91)
In article <1991Apr11.122944.5139@bilver.uucp> dandrews@bilver.uucp (Dave Andrews) writes:
:
>Though curiosity rages uncontrollably within me, I see the sense to
>keeping mum, besides which I've upgraded all my PCs to PCP 2.0. Do
>you know if Procomm Plus version 2 contains the same "feature"?
:
1) It's not a Procomm feature, but a telecommunication feature.

2) Please let me present a pledge to stop this discussion right now.

...................................................................
Prof. Timo Salmi
Moderating at garbo.uwasa.fi anonymous ftp archives 128.214.12.37
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi Funet: gado::salmi Bitnet: salmi@finfun
jrc@brainiac.mn.org (Jeffrey Comstock) (04/16/91)
In article <1991Apr12.002356.24990@comp.vuw.ac.nz> Conrad.Bullock@comp.vuw.ac.nz (Conrad Bullock) writes:
>
>In article <1991Apr11.122944.5139@bilver.uucp>, dandrews@bilver.uucp
>(Dave Andrews) writes:
>|> In article <W8SDZ.12676193677.BABYL@WSMR-SIMTEL20.ARMY.MIL>
>|> cmcdonal@wsmr-emh03.army.mil (Chris McDonald ASQNC-TWS-R-SO) writes:
>|> >Recently ISC personnel discovered that a particular feature of
>|> ProComm [2.4],
>|> >which serves a perfectly legitimate purpose, can pose a security
>|> hazard.
>|> > ... We do not wish to describe the specific security problem,
>|> 
>|> Though curiosity rages uncontrollably within me, I see the sense to
>|> keeping mum, besides which I've upgraded all my PCs to PCP 2.0. Do
>|> you know if Procomm Plus version 2 contains the same "feature"?
>
>At a guess, I'd say the scroll-back buffer is what they're talking about...

Could be the log-to-disk function too....
-- 
Jeffrey R. Comstock
rschmidt@copper.ucs.indiana.edu (roy schmidt) (04/19/91)
In article <1991Apr16.010424.22198@brainiac.mn.org> jrc@brainiac.mn.org (Jeffrey Comstock) writes:
>In article <1991Apr12.002356.24990@comp.vuw.ac.nz> Conrad.Bullock@comp.vuw.ac.nz (Conrad Bullock) writes:
>>
>>In article <1991Apr11.122944.5139@bilver.uucp>, dandrews@bilver.uucp
>>(Dave Andrews) writes:
>>|> In article <W8SDZ.12676193677.BABYL@WSMR-SIMTEL20.ARMY.MIL>
>>|> cmcdonal@wsmr-emh03.army.mil (Chris McDonald ASQNC-TWS-R-SO) writes:

This is ridiculous! Chris McDonald by now must be regretting that he/she posted such a dumb note.

1. For security purposes, any of you folks in the DoD who are reading this should remember the series that has ensued as a lesson. Any time you discover what may be a security problem, don't advertise your problem to the world (note that even Timo Salmi of Finland responded at one point.) Call your security people, and let them take care of it. If you feel you *must* send out something or bust, then compose a memo for local consumption, and then eat it and call your security people!

2. Why continue speculating on this problem? Let's drop this whole thing and move back to the business for which this group was formed: squandering government money! :-)

Roy Schmidt, Capt, USAF (Retired)
Former security-obsessed officer
-- 
--------------------------------------------------------------------------
Roy Schmidt                  | #include <disclaimer.h>
Indiana University           | /* They are _my_ thoughts, and you can't
Graduate School of Business  |    have them, so there! */
shaunc@gold.gvg.tek.com (Shaun Case) (04/20/91)
In article <1991Apr19.030846.24013@bronze.ucs.indiana.edu> rschmidt@copper.ucs.indiana.edu (roy schmidt) writes:
>This is ridiculous! Chris McDonald by now must be regretting that
>he/she posted such a dumb note.

I don't think it was dumb.

>1. For security purposes, any of you folks in the DoD who are reading
>this should remember the series that has ensued as a lesson. Any time
>you discover what may be a security problem, don't advertise your
>problem to the world (note that even Timo Salmi of Finland responded at
>one point.) Call your security people, and let them take care of it.
>If you feel you *must* send out something or bust, then compose a memo
>for local consumption, and then eat it and call your security people!

I disagree completely. The free flow of information should NEVER be impeded, _especially_ not by the US military. Are you trying to tell me that a feature of Procomm (arguably the worst PC term program next to Bitcom) is a national security issue? Give me a break.

>2. Why continue speculating on this problem? Let's drop this whole
>thing and move back to the business for which this group was formed:
>squandering government money! :-)

Ah, my 30% taxes at work. I do prefer this to a number of alternatives. :)

>Roy Schmidt, Capt, USAF (Retired)
>Former security-obsessed officer

Shaun Case, hacker (unretired)
Current anti-security-obsessed taxpayer