- Email: [email protected]
Preventing viral infection
October 1989
Computer Fraud & Security Bulletin
the virus is harmless and the file data has not been affected by the hailstorm, merely producing an audio-visual display on the screen. The nVlR virus had its source code published in a book in West Germany in 1988 and as a result a number of budding virus writers have cut their teeth on producing their own variants of the species. The virus causes loss of data and programs, and frequent system crashes. A worm program differs from a virus in the sense that the worm only replicates itself onto systems without causing data or program corruption to the host’s own system. On the other hand, as the worm replicates itself it will slow down the system. Thus, as more and more copies of the worm begin to overload the system or network by occupying otherwise useful storage space, other processing work is being squeezed out as the worms multiply and the system will crash in the end. The Internet worm in November 1988 and the IBM Christmas tree worm in December 1987 have been widely reported in the press. Both were exploiting weaknesses or loopholes in the system to cause the illegal program code to be transmitted via the electronic mail system to invade remote nodes of the networks. The former crashed 6000 DEC VAX computers and Sun workstations running under the Unix operating system and the latter jammed some 350 000 terminals in IBM’s private worldwide electronic mail network.
been invaded. If not, it would plant itself on the file directory and instruct the node to execute the worm program every 15 seconds to attack other nodes in the network, at the exclusion of doing otherwise useful work. At the same time the worm would report its own whereabouts to a node in Australia before moving on. DEC put a call trace on the network and eventually tracked down the source of the worm to the west coast of the USA. All the infected computers had to be cleaned up afterwards with individual service disruptions ranging from two days to a week for each node infected.
Ken Wong Ken Wong continues his investigation into the computer virus phenomenon in our November issue. Orders for the Computer Virus Handbook by Dr Harold Joseph Highland are being taken by: Ann Barnett, Elsevier Advanced Technology, Mayfield House, 256 Banbury Road, Oxford OX2 7DH, UK. Price: f85/$153.
PREVENTING
VIRAL INFECTION
As you are reading this you are already taking the first steps to prevent a virus attack - you are giving the problem serious consideration. Prevention categories:
of attack can be split into two
business controls; and technical In January 1989, a hacker introduced a worm to DEC’s international engineering and maintenance network and affected some 6000 VAX computers worldwide, being 20% of the total of machines in the network. The worm was meant to be a prank to commence in the late afternoon of Friday 13 January and to stop the following Monday morning. Unfortunately an error on the input had meant the worm will only stop in the year 2089! The worm would attack a file called HICOM on a node to check if it has already
01989
Elsevier Science Publishers
Ltd
controls.
Proper consideration of each increases computer security. The usual and most productive route for you to prevent infection, and indeed generally increase your computer security, is first to consider how business controls can help you. You can then augment these with technical controls: it is better to have strength in depth. It is recommended which uses computers
that any organization should formulate a
11
October 1989
Computer Fraud & Security Bulletin
computer security policy relevant to the organization’s business objectives.
Consideration of each yields the following recommendations.
This policy will be in the form of a document. It should give guidelines about:
Do what you can to minimize the chance of a member of staff creating a virus.
why the computers are important to the business; who is responsible for the computers within the organization; the observance of statutory requirements (e.g. data protection legislation);
Do you have good communications with staff so that you know when someone is unhappy at work and possibly in a frame of mind to do damage? Do you deny access to computers by staff who are working out their notice? Do you monitor computer usage and take note of any unusual activity which may indicate a virus or other attack in preparation of progress?
frequency and storage of backups; the use of communications (WAN and LAN); the acquisition of software from third parties; the development of software in-house if appropriate; what should be done to counter risks, including a prioritized list of possible attacks. The policy document is not necessarily long or over-detailed -the most pertinent information can be put down in a couple of pages. However, large organizations may like to elaborate on the various points to give detailed guidelines to staff about the security of their computers. It follows quite naturally that the business controls which you should adopt to counter the threat of virus attack should be formulated in such a way to complement your existing computer security policy. The computer security policy will relate to the main types of control to form an effective whole. But what exactly are the business controls which can be applied? To answer this question we need to recall the requirements of a virus: creation, environment and opportunity.
12
Make the environment for a virus as hostile as possible, consistent,with keeping the business at high efficiency. Do files have default access denied? Do you keep a fingerprint of your system, noting dates and sizes of important files, and check this at regular intervals? Minimize the opportunity for a virus to attack. This is probably the most important, but simple and easy, step you can take. For example, ban the import of software from unauthorized sources. Underline this by adding it to your organization’s staff handbook and codes of practice. Vet new software on an isolated test system before introducing it to a vital production system. Vaccines When countering a possible virus a so-called vaccine may be of use. These fall into two classes: those used before an attack to warn of infection, and those used after an attack has been noticed to disinfect the system. As the number of virus attacks increases, so does the number of vaccines available. So, it is impossible to give a definitive or up-to-date list. Rather, it is recommended that the
01989
Elsevier Science Publishers Ltd
October 1989
Computer Fraud & Security Bulletin
appropriate dealer or consultant be approached for definitive advice.
government realizes the scope of the computer crime threat and begins to spend the money necessary to bring it under control.
Current machines Federal Bureau of Investigation director The fundamental problem with current machines is one of architecture: they all have only discretionary access controls. This means that a properly authorized user can change the access controls on his files. If a user can do this then so can a Trojan horse or virus (Gasser, 1988). The only effective way to limit the effect of a virus is to use a machine which uses mandatory access controls, which the user or Trojan horse cannot alter. This is a complicated area, which is primarily of concern in sensitive government computing. Nonetheless, such machines are being developed and many become available to commercial organizations in due course.
William Sessions summed up the problem in testimony before Congress in May. “We have seen an increase in crimes in
which computer based information is the target,” Sessions testified and went on to say that his agency has the necessary level of expertise to cope with the rise of computer fraud, embezzlement, and theft but needs more personnel and more resource to begin winning the battle. FBI officials in San Francisco, who administer an area that includes Silicon Valley and the heart of the world’s computer and semiconductor industries as well as sensitive sites for defense-related research and development, agree.
Chris Ennis Chris Ennis is a computer security consultant with Deloitte Haskins & Sells. The full text of his book, Computer Viruses - an introduction is available for f4.95 from The Publications Department, Deloitte Haskins & Sells, Melrose House, 42 Dingwall Road, Croydon, CR0 2NE, UK.
COMPUTER CRIME US CRIME FIGHTING Computer criminals are still one step ahead of US law enforcement authorities. At all levels-federal, state, and local-police suffer a lack of manpower and resources to battle an ever-increasing number of criminals using computers. But experts say the tide is turning as the computer expertise of US law enforcement agencies and prosecutors reaches state-of-the-art levels and as
01989
Elsevier Science Publishers Ltd
“We do have very computer-literate agents now,” says Chuck Latting, a spokesman for the San Francisco FBI office. “It took us a while to catch up with the bad guys, but we could always use more.” The experience of Sergeant Dave Flory, the 12-year veteran who heads the High Tech Unit of the San Jose Police Department in San Jose, California, in the heart of Silicon Valley, is typical of activities at the city police level. A computing enthusiast since he bought his first eight-bit Atari personal computer, he is eager to pursue lawbreakers who use computers to commit crimes including trade secret theft and espionage, and he is bursting with ideas of how to apply computer technology to make police work in general more efficient. But he complains that a critical lack of resources hampers police efforts. “Law enforcement is not giving computer crime the attention it should because of neglect, a lack of awareness, and a lack of resources,” says Flory. “The awareness is improving, but the lack of resources is acute.
13
Computer Fraud & Security Bulletin
the virus is harmless and the file data has not been affected by the hailstorm, merely producing an audio-visual display on the screen. The nVlR virus had its source code published in a book in West Germany in 1988 and as a result a number of budding virus writers have cut their teeth on producing their own variants of the species. The virus causes loss of data and programs, and frequent system crashes. A worm program differs from a virus in the sense that the worm only replicates itself onto systems without causing data or program corruption to the host’s own system. On the other hand, as the worm replicates itself it will slow down the system. Thus, as more and more copies of the worm begin to overload the system or network by occupying otherwise useful storage space, other processing work is being squeezed out as the worms multiply and the system will crash in the end. The Internet worm in November 1988 and the IBM Christmas tree worm in December 1987 have been widely reported in the press. Both were exploiting weaknesses or loopholes in the system to cause the illegal program code to be transmitted via the electronic mail system to invade remote nodes of the networks. The former crashed 6000 DEC VAX computers and Sun workstations running under the Unix operating system and the latter jammed some 350 000 terminals in IBM’s private worldwide electronic mail network.
been invaded. If not, it would plant itself on the file directory and instruct the node to execute the worm program every 15 seconds to attack other nodes in the network, at the exclusion of doing otherwise useful work. At the same time the worm would report its own whereabouts to a node in Australia before moving on. DEC put a call trace on the network and eventually tracked down the source of the worm to the west coast of the USA. All the infected computers had to be cleaned up afterwards with individual service disruptions ranging from two days to a week for each node infected.
Ken Wong Ken Wong continues his investigation into the computer virus phenomenon in our November issue. Orders for the Computer Virus Handbook by Dr Harold Joseph Highland are being taken by: Ann Barnett, Elsevier Advanced Technology, Mayfield House, 256 Banbury Road, Oxford OX2 7DH, UK. Price: f85/$153.
PREVENTING
VIRAL INFECTION
As you are reading this you are already taking the first steps to prevent a virus attack - you are giving the problem serious consideration. Prevention categories:
of attack can be split into two
business controls; and technical In January 1989, a hacker introduced a worm to DEC’s international engineering and maintenance network and affected some 6000 VAX computers worldwide, being 20% of the total of machines in the network. The worm was meant to be a prank to commence in the late afternoon of Friday 13 January and to stop the following Monday morning. Unfortunately an error on the input had meant the worm will only stop in the year 2089! The worm would attack a file called HICOM on a node to check if it has already
01989
Elsevier Science Publishers
Ltd
controls.
Proper consideration of each increases computer security. The usual and most productive route for you to prevent infection, and indeed generally increase your computer security, is first to consider how business controls can help you. You can then augment these with technical controls: it is better to have strength in depth. It is recommended which uses computers
that any organization should formulate a
11
October 1989
Computer Fraud & Security Bulletin
computer security policy relevant to the organization’s business objectives.
Consideration of each yields the following recommendations.
This policy will be in the form of a document. It should give guidelines about:
Do what you can to minimize the chance of a member of staff creating a virus.
why the computers are important to the business; who is responsible for the computers within the organization; the observance of statutory requirements (e.g. data protection legislation);
Do you have good communications with staff so that you know when someone is unhappy at work and possibly in a frame of mind to do damage? Do you deny access to computers by staff who are working out their notice? Do you monitor computer usage and take note of any unusual activity which may indicate a virus or other attack in preparation of progress?
frequency and storage of backups; the use of communications (WAN and LAN); the acquisition of software from third parties; the development of software in-house if appropriate; what should be done to counter risks, including a prioritized list of possible attacks. The policy document is not necessarily long or over-detailed -the most pertinent information can be put down in a couple of pages. However, large organizations may like to elaborate on the various points to give detailed guidelines to staff about the security of their computers. It follows quite naturally that the business controls which you should adopt to counter the threat of virus attack should be formulated in such a way to complement your existing computer security policy. The computer security policy will relate to the main types of control to form an effective whole. But what exactly are the business controls which can be applied? To answer this question we need to recall the requirements of a virus: creation, environment and opportunity.
12
Make the environment for a virus as hostile as possible, consistent,with keeping the business at high efficiency. Do files have default access denied? Do you keep a fingerprint of your system, noting dates and sizes of important files, and check this at regular intervals? Minimize the opportunity for a virus to attack. This is probably the most important, but simple and easy, step you can take. For example, ban the import of software from unauthorized sources. Underline this by adding it to your organization’s staff handbook and codes of practice. Vet new software on an isolated test system before introducing it to a vital production system. Vaccines When countering a possible virus a so-called vaccine may be of use. These fall into two classes: those used before an attack to warn of infection, and those used after an attack has been noticed to disinfect the system. As the number of virus attacks increases, so does the number of vaccines available. So, it is impossible to give a definitive or up-to-date list. Rather, it is recommended that the
01989
Elsevier Science Publishers Ltd
October 1989
Computer Fraud & Security Bulletin
appropriate dealer or consultant be approached for definitive advice.
government realizes the scope of the computer crime threat and begins to spend the money necessary to bring it under control.
Current machines Federal Bureau of Investigation director The fundamental problem with current machines is one of architecture: they all have only discretionary access controls. This means that a properly authorized user can change the access controls on his files. If a user can do this then so can a Trojan horse or virus (Gasser, 1988). The only effective way to limit the effect of a virus is to use a machine which uses mandatory access controls, which the user or Trojan horse cannot alter. This is a complicated area, which is primarily of concern in sensitive government computing. Nonetheless, such machines are being developed and many become available to commercial organizations in due course.
William Sessions summed up the problem in testimony before Congress in May. “We have seen an increase in crimes in
which computer based information is the target,” Sessions testified and went on to say that his agency has the necessary level of expertise to cope with the rise of computer fraud, embezzlement, and theft but needs more personnel and more resource to begin winning the battle. FBI officials in San Francisco, who administer an area that includes Silicon Valley and the heart of the world’s computer and semiconductor industries as well as sensitive sites for defense-related research and development, agree.
Chris Ennis Chris Ennis is a computer security consultant with Deloitte Haskins & Sells. The full text of his book, Computer Viruses - an introduction is available for f4.95 from The Publications Department, Deloitte Haskins & Sells, Melrose House, 42 Dingwall Road, Croydon, CR0 2NE, UK.
COMPUTER CRIME US CRIME FIGHTING Computer criminals are still one step ahead of US law enforcement authorities. At all levels-federal, state, and local-police suffer a lack of manpower and resources to battle an ever-increasing number of criminals using computers. But experts say the tide is turning as the computer expertise of US law enforcement agencies and prosecutors reaches state-of-the-art levels and as
01989
Elsevier Science Publishers Ltd
“We do have very computer-literate agents now,” says Chuck Latting, a spokesman for the San Francisco FBI office. “It took us a while to catch up with the bad guys, but we could always use more.” The experience of Sergeant Dave Flory, the 12-year veteran who heads the High Tech Unit of the San Jose Police Department in San Jose, California, in the heart of Silicon Valley, is typical of activities at the city police level. A computing enthusiast since he bought his first eight-bit Atari personal computer, he is eager to pursue lawbreakers who use computers to commit crimes including trade secret theft and espionage, and he is bursting with ideas of how to apply computer technology to make police work in general more efficient. But he complains that a critical lack of resources hampers police efforts. “Law enforcement is not giving computer crime the attention it should because of neglect, a lack of awareness, and a lack of resources,” says Flory. “The awareness is improving, but the lack of resources is acute.
13