RISKS-LIST: RISKS-FORUM Digest  Wednesday 24 February 1988  Volume 6 : Issue 31

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Risks of Advertising Messages Appended to Telex Messages (Bruce N. Baker)
  "Viruses? Don't Worry!" (Joseph M. Beckman)
  Held at Mouse-Point; Virus-Information Centres (Dave Horsfall)
  Computer Viruses -- a catalog (Dave Curry)
  Another RISK of viruses (David Purdue)
  Virus security hole (Kevin Driscoll)
  Re: More info on Compuserve Macinvirus (Henry Spencer)
  Code-altering viruses (William Smith)
  Self Fulfilling Prophecies, the Chaos Computer Club,... (Frederick Korz)
  Viruses and secure systems (Kian-Tat Lim) [Fiction anticipates fact]

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
  > > > > > > > > > PLEASE LIST SUBJECT in SUBJECT: LINE. < < < < < < < < <
For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Wed 24 Feb 88 10:39:50-PST
From: Bruce N. Baker
Subject: Risks of Advertising Messages Appended to Telex Messages

I recently sent a TELEX message to Copenhagen. The recipient responded by
writing on the message he received from me and returning it by normal post.
I thus found that the TELEX carrier had appended text to my original message,
which struck me as unprofessional and unethical. The appended text reads:

   FOR 1988 HOROSCOPE FORECASTS CALL USA 62200 CODE 9150

Has anyone else noticed any such appendages to TELEX messages? (If you also
find out my horoscope for Sagittarius, please let me know what the stars
portend for me.)

Bruce N. Baker, SRI International

   [Hmm. Sagittarius is depicted as a centaur (HALF-HORSE) shooting an arrow.
   The question is whether this was a Trojan half-horse (since it attached a
   second half to the message -- BUT POSSIBLY EVEN CHANGING THE FIRST HALF?)
   or a sleazy advertising campaign on the part of TELEX... Well, buses and
   taxis routinely carry advertising. TELEXes cannot be too far behind! Or
   perhaps this is like the Wells Fargo case of RISKS-6.27? PGN]

------------------------------

Date: Wed, 24 Feb 88 13:09 EST
From: "Joseph M. Beckman"
Subject: "Viruses? Don't Worry!" (!!)

Some excerpts from T.R. Reid's "Personal Computing" column in the 15 Feb 1988
Washington Post:

  "...such programs [computer viruses] are rarely a threat in the personal
  computer world. And they are fairly easy to defend against."

  "...These cases [NASA, IBM xmas tree] involved networks of work stations or
  even bigger computers. That's the first key point to recognize about the
  computer virus reports--they don't involve personal computers."

  "If you never "feed" your machine anything but programs from established
  software houses, your machine will be immune."

  "If you like to call up bulletin boards to download programs...there is a
  chance that your hard disk could be infected by a virus program. The
  possibility is so unlikely that you really needn't worry much."

  "In sum, my answer to personal computer users concerned about computer
  virus is: Don't Worry."

Rebuttal of the points mentioned is left to the humor of the reader.

Joseph

------------------------------

Date: Mon, 22 Feb 88 14:20:59 est
From: munnari!stcns3.stc.oz.au!dave@uunet.UU.NET (Dave Horsfall)
Subject: Held at Mouse-Point; Virus-Information Centres

Here are two contributions from "Computing Australia", 1st Feb 1988.

1) From the back page (the "laugh" page):

   ``From the 'If he had another brain it would be lonely' department.
   A US auditing firm was training a group of taxation accountants in the use
   of a Macintosh word processor. The demonstrator directed his students to
   "Point and click with the mouse." One student raised his hand and announced
   nothing was happening. On checking, the instructor found he was clicking
   the mouse button and pointing at a screen icon -- with his forefinger!
   No doubt the student's progress report would have carried the notation
   that he was a dis-a-pointer.''

The RISK? Sometimes, instructions are interpreted literally... Although I can
imagine the semantic confusion that could arise should a mouse ever be teamed
up with a touch-sensitive screen!

2) Elsewhere in the same issue (a "serious" page):

   ``Virus centre too risky: Canberra. "Great risks" would arise from the
   setting up of a national information security research centre to fight
   software viruses, according to Technology Minister Senator John Button's
   Canberra spokesman. Queensland's computer security expert Dr Bill Caelli
   has called for government funding for such a centre. He said the proposed
   centre could develop tools to analyse software packages to ensure they were
   virus-free and did no more than they were supposed to. Button's spokesman
   said "In general, the Government's attitude is `Let the user beware'. We
   don't want to reject all calls out of hand but are not planning any further
   regulation. There could be great risks: if the centre or its tools validated
   a program and it turned out to have a bug [virus?], it could face
   litigation.''

That last bit worries me - we can't even verify programs at the SOURCE level,
so, short of brute-force emulation, what hope have we got at verifying them at
the machine-code level?

Dave Horsfall (VK2KFU)            ACS:  dave@stcns3.stc.OZ.AU
Alcatel-STC Australia             ARPA: dave%stcns3.stc.OZ.AU@uunet.UU.NET
11th Floor, 5 Blue St             UUCP: {enea,hplabs,mcvax,uunet,ukc}!\
North Sydney NSW 2060 AUSTRALIA         munnari!stcns3.stc.OZ.AU!dave

   [There are unconfirmed reports that some of the "virus-killer" programs
   themselves contain Trojan horses. CAVEAT EMPTOR. PGN]

------------------------------

From: davy@intrepid.ecn.purdue.edu (Dave Curry)
Subject: Computer Viruses -- a catalog
Date: Tue, 23 Feb 88 11:03:48 EST

Information Week, 2/22/88 has an article about computer viruses and another
about computer security. Both of the articles are pretty worthless, being full
of sensationalist statements and very little fact. But, they did put the
following in:

   PC expert Eric Newhouse lists known contaminated programs that should be
   avoided on public bulletin boards. If you have a copy of one of these
   programs, consider it suspect even though some run fine. When no extension
   is listed, the program has appeared with many extensions.

      Arc            List60
      Arc513.        QMDM110.Exe
      Arc600         QMDM110A.Arc
      Balktalk       Quikbbs.Com
      Discscan.Exe   Secret.Bas
      Dosknows.Exe   Stripes.Exe
      Egabtr         Vdir.Com
      Filer.Exe

(The rather weird capitalization scheme is theirs, not mine.)

Dave Curry, Purdue University

------------------------------

Date: Fri, 19 Feb 88 16:02:11 est
From: munnari!csadfa.oz.au!davidp@uunet.UU.NET (David Purdue)
Subject: Another RISK of viruses

A club based in Canberra offered someone $100 to write a program for the Amiga
that would do some timetabling for a conference that the club holds annually.
When the conference rolled around, the program was not ready and the
timetabling was done by hand, and there were many mistakes made.

A meeting was held recently, some three weeks after the conference. At this
meeting the programmer pointed out that although he didn't have a working
product, he had done a lot of work for the club, and asked for his $100. He
was asked why the program wasn't ready in time. He replied, "It's not my
fault. The program was hit by a virus which scrubbed my disk, and I didn't
have a backup."

The Risk? Well, it may be true that a virus scrubbed his disk; but there was
no mention of it until the meeting. With the proliferation of viruses, and the
big fuss that the media are making of them (that includes computing industry
newspapers, the major press and discussions on the net), it seems to me that
programmers now have a real handy excuse for not meeting their commitments.

DavidP

Mr. David Purdue                Phone ISD: +61 62 68 8165  Fax: +61 62 470702
Dept. Computer Science          Telex: ADFADM AA62030
University College              ACSNET/CSNET: davidp@csadfa.oz
Aust. Defence Force Academy     ARPA: davidp%csadfa.oz@uunet.uu.net
Canberra. ACT. 2600.            JANET: davidp@oz.csadfa
AUSTRALIA                       Other Gateways: see CACM 29(10) Oct. 1986
UUCP: {uunet,hplabs,ubc-vision,nttlab,mcvax,ukc}!munnari!csadfa.oz!davidp

------------------------------

Date: Mon, 22 Feb 88 10:48:30 CST
From: umn-cs!altura.driscoll@rutgers.edu (Kevin Driscoll)
Subject: Virus security hole

In theory, Larry Nathan's example of exporting classified information from a
secure area should not be possible because all outgoing information from a
secure area is suspect and is sanitized. However, human nature being what it
is, the outgoing scrutiny is probably not done as thoroughly as it should and
data can escape this way.

Another approach can subvert even the best outgoing screening process. This is
the use of covert channels, sometimes called "banging on the walls". The method
is to use some communications channel that is not considered an "output" from
the secure area. For example, the virus could cause a disk head positioner to
travel its maximum excursion at its maximum velocity, then modulate the
frequency of reversals according to the classified data to be transmitted. The
data can be received by recording the vibrations caused by the disk drive. This
method subverts most of the top secret TEMPEST secure installations that I have
seen.

The common risk here is that security plans generally assume that the only
dangers are physical entry, TEMPEST leakage, or information leaving via the
area's normal output channels. Completely ignored is the possibility of data
ENTERING the area as being a security threat. I have just recently reminded
our system operators about the possible dangers of a virus exploiting covert
channels and the care that must be taken to ensure that our UNsecure systems
are not infected, which could be a threat to our secure systems. Of course,
safe software practices should be used when sharing software among systems
with differing classifications, even if the systems are entirely in-house. A
group here at Honeywell SRC is working on the thornier problem of preventing
such attacks on single multilevel secure systems (class A1+ trusted computer).

Another virus subject that has been discussed is the trustworthiness of
software held in archives on the net. What should not be overlooked is that
even if a given archive can be trusted, the intervening path may not be.
Software can be infected en route. Many of these routes pass through
universities, which can be the most hazardous software environment in the
world.

------------------------------

Date: Sat, 20 Feb 88 04:22:03 EST
From: mnetor!utzoo!henry@uunet.UU.NET
Subject: Re: More info on Compuserve Macinvirus [RISKS-6.27]

> '... People here in Canada and over in Europe see this for what
> it is, a message of peace. It's you people in the United States who see
> it as something dark and nasty.' [Henry, are we really that paranoid down
> here?]

The "message of peace" business is pure self-serving excrement. (I may
possibly be biased here, since I have a low opinion of a lot of the lip
service given to "peace" nowadays.) It's no better than a cute prank.

However, I'm not too impressed by the paranoids either. (No, there is no
particular concentration of paranoids in particular nations that I'm aware
of.) This actually goes back to the old question of whether it is better to
expose security problems or keep them secret. One's attitude on that issue
determines whether one thinks the MacMag incident was a harmless prank that
may alert people to a real problem, or an evil act that opens up horrible
vistas. Personally I side with the former point of view: this particular
incident was childish but harmless -- note that the people involved hired a
professional programmer, whose duties presumably included making *sure* that
it was harmless -- and anyone who believes that the Bad Guys hadn't thought of
it already is dreaming.

The one risk I do see coming out of this is the possibility of it inspiring
others to implement and spread "harmless" viruses that may not be so well
built and may inadvertently cause damage. But these are still rather less
likely to make trouble than the truly malicious ones, and maybe it will help
wake people up.

Henry Spencer @ U of Toronto Zoology  {allegra,ihnp4,decvax,pyramid}!utzoo!henry

------------------------------

Date: Sat, 20 Feb 88 08:26:47 cst
From: wsmith@m.cs.uiuc.edu (William Smith)
Subject: Code-altering viruses (RISKS-6.29)

> ... the inevitability of viruses that target specific software products. ...

Although detecting such a virus would be difficult, once detected, recovery
from the virus should not be difficult. After making a copy of the
distribution software onto a hard disk or another floppy, the original program
disk or tape should never see the computer again (unless the copies are
damaged or lost). It is probably also a good idea for the original copy never
to be put into the computer write-enabled. Once a damaged copy of a program is
found, the online copies of it are deleted and replaced from a secure copy
after the virus has been removed.

The problem with most viruses is that their target is often the operating
system. This first step, deleting the online copies, is not possible because
the computer won't reboot after that. That might point to a solution: The
computer needs an "immune system" that can be booted from, say a read-only
floppy or tape, and may then be used to safely replace any corrupted system or
user files from archive copies of the software. Probably, since most
executables are not supposed to be modified, the immune system simply could go
through each of the distribution disks and do a binary compare of each program
with the archive. If a program has changed, it is replaced with a clean copy.
The primary feature of an immune system is that it never executes any external
non-ROM code so that it is impossible for it to be attacked by a trojan horse
(assuming the ROMs can be trusted).

Bill Smith   wsmith@a.cs.uiuc.edu   ihnp4!uiucdcs!wsmith

------------------------------

Date: Sun, 21 Feb 88 18:49:12 EST
From: Frederick Korz
Subject: Self Fulfilling Prophecies, the Chaos Computer Club, & RISKS 6.27

Carl J. Lydick's contribution to RISKS volume 6.27 demonstrates the potent
power of rumors and allegations. The Chaos Computer Club's announcement that
they were going to trigger their Trojan horses in the Space Physics Analysis
Network further illustrates the power of rumor _backed by plausibility_. They
didn't have to do anything. The sky didn't have to fall. Nervous managers did
the damage for the C.C.C. because they felt the announcement/threat plausible.
The prophecy was fulfilled.

A similar effect occurs in response to a rumor, even when the rumor's threat
is implausible or provably incorrect. In the past, I was a naval officer
assigned to a submarine. When you are at sea and the nearest supermarket is
hundreds of miles away, toilet paper becomes a precious commodity. The ship
never left port without an adequate supply yet, if one let it `be known' that
we were `running out of toilet paper,' a two-month supply would be exhausted
in two days!!! People would irrationally grab a roll or two and hide it. This
is in spite of the fact that we (1) started with an adequate supply and (2) a
submarine is small enough to verify or invalidate the rumor in less than one
hour. Rumor starting and quelling were both useful skills.

This behavior also appears frequently in western newspaper reports of eastern
European countries. The rumor starts that there is going to be a shortage of
X, there is a run (well perhaps a line) on the markets for X, X is sold out,
and the prophecy is fulfilled.

There are three levels of rumor - the impossible, the plausible but
improbable, and the possible and likely. The first can be ignored. The second
may be ignored after evaluating the risk inherent. The third requires serious
investment of time and effort in evaluating the risks and then further
resources to develop counter plans or contingency measures. The malicious
rumor promulgated by the Chaos Computer Club was clearly of the third form.
Their announcement was, in short, a form of terrorism.

I don't know what level of access the C.C.C. obtained to SPAN. Perhaps the
system managers' fears were well founded and their actions were reasonable
reactions to the perceived threat. I do know that the specter of security
(Trojan horses here) can be raised over their heads again and again until
they are so weary of it that they don't respond. That would be a most
debilitated condition - all `care-ed' out. To cope with the threat one hopes
SPAN is in the meantime analyzing the situation for alternate responses and
cleansing their systems.

Frederick M. Korz, Graduate Student, Columbia University, N.Y.C., N.Y.
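William Smith's "immune system" from the Code-altering viruses message above (boot from read-only media, binary-compare every installed program against its archive copy, replace whatever has changed, never execute anything from the checked system) sketched as a small Python tool. This is an added example, not code from the digest or any of its contributors; the program names and byte contents are constructed samples, SHA-256 digests stand in for a byte-by-byte compare, and the archive is assumed to be mounted read-only.

```python
from __future__ import annotations
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Digest a file in chunks so a large executable need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(archive: Path) -> dict[str, str]:
    """Map each file in the trusted (read-only) archive to its digest."""
    return {str(p.relative_to(archive)): sha256_of(p)
            for p in sorted(archive.rglob("*")) if p.is_file()}

def sweep(archive: Path, system: Path, restore: bool = True) -> dict[str, list[str]]:
    """Binary-compare each archived program with its installed copy.
    Differing bytes -> 'altered', absent file -> 'missing'; with restore=True both
    are overwritten from the archive. Only bytes are copied; nothing on the checked
    system is executed. Files that legitimately change (user data, configuration)
    belong outside the archive so they are never flagged."""
    report = {"clean": [], "altered": [], "missing": [], "restored": []}
    for rel, expected in build_manifest(archive).items():
        target = system / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_of(target) != expected:
            report["altered"].append(rel)
        else:
            report["clean"].append(rel)
            continue
        if restore:  # put back a clean copy of anything altered or lost
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(archive / rel, target)
            report["restored"].append(rel)
    return report

def demo() -> tuple:
    """Constructed sample: three archived 'programs'; on the system one has had bytes
    appended and one has been deleted. Returns (restoring sweep, check-only re-sweep)."""
    root = Path(tempfile.mkdtemp())
    archive, system = root / "archive", root / "system"
    programs = {"COMMAND.COM": b"\xb8\x00\x4c\xcd\x21", "WP.EXE": b"MZ\x90\x00", "SORT.EXE": b"MZ\x01"}
    for d in (archive, system):
        d.mkdir()
        for name, data in programs.items():
            (d / name).write_bytes(data)
    (system / "WP.EXE").write_bytes(programs["WP.EXE"] + b"\xeb\xfe")  # tampered copy
    (system / "SORT.EXE").unlink()                                    # lost copy
    return sweep(archive, system), sweep(archive, system, restore=False)
```

The second, check-only sweep in demo() shows the point of the design: after one restoring pass every program again matches the archive, without any program on the system having been run.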
------------------------------

From: elroy!lim%cit-vax.Caltech.Edu@ames.arc.nasa.gov (Kian-Tat Lim)
Subject: Viruses and secure systems (Re: RISKS-6.29) [Fiction anticipates fact]
Date: 20 Feb 88 07:52:53 GMT
Organization: California Institute of Technology

A very similar scenario (and the first time I ever saw viruses mentioned)
occurs in the science-fiction novel "The Adolescence of P-1" by an author whose
name I have forgotten. Given some suspension of disbelief (unreasonably good AI
capabilities), an entertaining and thought-provoking farce about computers and
security.

-- Kian-Tat Lim (ktl@wagvax.caltech.edu, GEnie: K.LIM1)

------------------------------

End of RISKS-FORUM Digest
************************