computer security.txt

1000 HOWTOs for various needs [WINDOWS]

                            COMPUTER SECURITY
                            -----------------

                      Notes of the presentation to 
                 The Institution of Production Engineers
                            March 21, 1990 by

                     E.A.Bedwell, E.D.P. Specialist
                     ORTECH International (NRC/IRAP)
                 2395 Speakman Dr., Mississauga L5K 1B3               
                        (416) 822-4111, Ext. 261


The writer wishes to thank the Institution of Production Engineers and
it's President for the invitation to make this presentation, and to
express sincere appreciation to David Stang, Ph.D., Director of Research,
National Computer Security Association, for his contribution both to this
paper and to computer security in general.  And I would be very remiss if
I neglected to mention the professional secretarial assistance provided by
Jane  Templeman, who makes our whole team tick like the NRC official time
clock - the one that gives the CBC time signal.

This document is, hopefully, written softly:  after all, it might be
easier to digest if I have to eat my words.  I do not profess to be "the
expert" in the field of computer security; an expert is someone who knows
more and more about less and less until s/he knows absolutely everything
about nothing.  I hope never to stop learning, which means (thankfully)
I'll never be an expert.

               INDEX                                             PAGE
               -----                                             ----
          1.   Definition/Scope of "COMPUTER SECURITY"            2
          2.   Why Should You Be Concerned?                       2
          3.   Types of Security Breaches                         3
          4.   Reasons for Exposure                               7
          5.   General Security Rules (all computer systems)      8
          6.   Viruses:                                           9
                         6.1  History                             9
                         6.2  Effect                             10
                         6.3  Why do people do it?               10
                         6.4  Symptoms                           10
                         6.5  Concerns                           11
                         6.6  Known Virus Software (1)           11
                         6.7  Quick Guide to Virus Names (1)     12
                         6.8  Table of Virus Effects             16
                         6.9  Virus Detector/Antidote software   19
                         6.10  Trojan Horses                     20
          7.   PC Rules of Thumb                                 22
          8.   Easy Tricks for PC Security                       23
          9.   So You're Infected (Cure)                         24
          10.  Summary:  What Can You Do?                        25
          11.  Security Policy:  Points for Consideration        26
          12.  To run SCAN (included on this diskette)           29

(1)  David Stang, Ph.D, "Network Security in the Federal Government,",
     January, 1990, p.168-169 (updated by E.A.Bedwell, March, 1990)










                                    - 2 -
Tonight's topic is "Computer Security," a subject near and dear to my
heart after catching fraud a few times, and cracking system security a
few times.  The only unfortunate part of this evening is that I have
enough material to cover an intensive 2 or 3 day seminar and I only have
something over an hour, so in addition to extensive notes from this
presentation, I've put an article on viruses, and a PC virus detector
program on diskette for you.


1.   SCOPE OF COMPUTER SECURITY

Computer security relates to any potential loss of information or your
ability to operate, regardless of the source of the problem.  Of course,
all the publicity about computer security is going to the virus
situation.  I don't want to dissuade anyone from their concerns about
viruses, because it's definitely a growing problem, and if you get hit,
you'll be sorry you ever laid eyes on a computer.  But, current estimates
indicate that viruses represent only 3% of all the computer problems now
occurring.  Of course, if you're one of the 3%, like CNIB or Barclay's
Bank Canada were last fall, you'll feel like you're the only one on
earth.  The difference between viruses and other computer security issues
is apparently one of control:  I hope to convince you that you have as
much control over viruses and as little control over the other 97% of
problems as to make them equal threats to the safety of your computer.

I'm going to get to viruses later, their prevention, detection and cure,
but I'd like first like to cover the other major problems that affect
computer security - the other 97% - and I'd like to start with reasons
why you should be concerned about security.


2.   WHY SHOULD YOU BE CONCERNED?

Your data is a valuable asset, just like premises, equipment, raw
materials and inventory.  Because so much of modern business depends on
computers - financial systems, engineering design, medical diagnosis,
production and safety control - the destructive potential is greater
every year.  There has been more than one company that's suffered great
losses, and even gone under because of the loss of things like their
accounts receivable records:  no one is going to pay you if you don't
send them a bill, and if they get word of your inability to invoice them,
their darned unlikely to volunteer payment - so you're in a financial
mess.  The same goes for your design information, production data, the
consequences if safety control systems malfunction, or even the simple
loss of your customer list.

Another reason why you should be concerned is, too often, people don't
think about computer security until it's too late.  There's a saying in
my industry that, "He who laughs last probably made a backup."  Another
saying is, "Experience is something you don't get until just after you
needed it the most."  Well, if it means the life of your company, or the
loss of potentially millions of dollars, or even just the information on
your home computer, it might be wise to get at least some basic knowledge
before the disaster strikes.











                                  - 3 -

3.   TYPES OF SECURITY BREACHES

Now that the 'why' is out of the way, let's break down the 97% of
problems.  These are not in a specific order, but just as they came to
me.  Nor have I attempted to attach percentages to each type of risk,
because very few computer crimes are actually reported, so any figures
that anyone could estimate would not be realistic:


FRAUD/THEFT
By far the biggest problem is fraud or theft.  Some examples of this are:

     CHAOS - 1987 - Hamburg  ->  NASA data bank info sold to USSR

     Foreign exchange              }    famous because of big $
     Electronic Funds Transfer     }    amounts, and because of the
     Insider Trading               }    publicity they've received

     Most common:  Cookie jar technique - e.g., interest, income tax
                   (aka 'Salami' technique - take a little and no one
                   will notice)

Specific examples I've caught were in Payroll (no crash on < or =),
Accounts Payable (dummy companies), Purchasing (failed reasonableness
test), and Accounts Receivable (failed balance routine).  These were all
thefts of money.

Another example of theft which is very interesting is the 28-year-old
Canadian who was arrested at UNISYS in Pittsburgh on Dec. 13/89 - what he
is alleged to have stolen was NCR's trade secrets - to the tune of
US$68M, which comes under a different Canadian law from monetary theft.



MALICIOUS DAMAGE / VANDALISM
The next major type of computer security breach is the disgruntled
employee syndrome.  Their favourite is the logic bomb or time bomb:  on a
certain date or condition after they leave the company, something's going
to happen, such as at the health centre in LA where all prescriptions
suddenly multiplied by 2.  That's really serious, even compared to the
logic bomb that superzaps all your files off the face of the earth,
because someone could die.  At least with a superzap, you can recover if
you've been backing up and have a disaster recovery plan in effect.  Pure
physical vandalism occurs more often at educational institutions, but is
still a serious threat.  I wouldn't let me near your machine if I was
angry with you - my vandalism would be difficult to detect (and expensive
to repair).  A simple application of a magnetized screwdriver ......



LACK OF SECURITY PLANNING IN SYSTEM DESIGN STAGE
One of the biggest logic bombs that's going to occur is on January 1/2000.

Do you know how many computer systems use a 2 digit number for the year? 
Do you know how much work it's going to be to adapt systems to recognize
00 as being greater than 99?  My grandmother was born in 1886, and most
systems show her birth year as 99.  If she lives to the year 1999, I
wonder if they'll start sending her the baby bonus.  This time bomb is not
malicious damage, it's pure lack of planning at the system design stage. 






                                  - 4 -

(Lack of Security Planning - continued)

Things like balance checks and reasonableness tests are not built into the
system from the beginning, and it's not easy to put them in later.  Users
must participate at the system design stage, because only they know what's
reasonable and what can be balanced.  Don't expect a computer technician
to know everything there is to know about your job.




DISTORTED SENSE OF HUMOUR
Then there's the practical joker - the one who thinks it's funny to break
into the system to see what he can change, or create some dumb message to
appear on your screen.  That's what happened at IBM when the infamous
Christmas tree appeared 2 years ago (1987).  The joke was three-fold  -
first it analyzed your electronic mail distribution lists and reproduced
itself to send to everyone you normally send messages to - this clogged
the system up with people reading more messages than normal.  The second
part was a little more technical - everyone who read the message caused a
separate load of the offending program to take up space in memory, unlike
most systems where two or more people who are doing the same thing are
sharing one load of the software.  This clogged memory up so that nothing
else could run.  There was one more part to this:  there were delay timers
built into the program so it deliberately ran very slowly.  The result was
that the largest computer network in the world was shut down for 4 hours. 
Someone must have had a great need for a power trip.



MISTAKE
Next, there's fumble fingers:  you know, the one who keys the formula in
as 600 grams instead of 60 grams, or the estimated production time of 2
hours instead of 2 days.  Or the one who almost took me into court when
he blamed "the computer" for a mistake.  Without going into details about
that incident, I can say that going through the grilling by several
lawyers in a preliminary investigation was not the high point of my
career.  What saved the situation (for me and the organization) was audit
trailing:  every time a transaction was entered, the system recorded the
terminal i.d., the user i.d., the date and the time.  It also saved a copy
of the record as it existed prior to the transaction taking place.  A more
common mistake, though, is to unlatch a diskette door before the light
goes out.  Few people realize that the FAT (file attributes table) is the
last thing written on a disk, and you can corrupt the FAT by removing the
disk too early.


"EVERYONE DOES IT" SYNDROME
Then there's everyone's favourite:  copying software.  Believe it or not,
in Canada, that falls under the Copyright law, not under theft, but it
has been successfully prosecuted.  Even if you reverse engineer it and
make some minor changes, it will come under the "look and feel" test of
the Copyright law - if it looks and feels the same as the original, you
can be prosecuted.  Copying software is illegal, and your company as the
registered owner could be held liable if it is detected.








                                  - 5 -

ILLEGAL ACCESS
Many major computer crimes are perpetrated by illegal access:  the 14-
year old who broke into NASA from his basement computer room is just one
example.  There is password software on all larger machines, and it's not
difficult to put it on PCs.  On the larger machines, one of the major
problems is not changing the standard passwords that are set when the
machine is delivered:  the standard user-level password may be USER, the
standard operator password may be OPERATOR, and the standard field repair
person's password may be REPAIR, and so on.  Guess how I've cracked
security a couple of times.  In a 1988 article by Dr. Cliff Stoll in
"Computers and Security,", he reported that in 10 months of systematic
testing on computers attached to the US Defense Data Network (Milnet),
access was gained in 13% of the attempts simply by guessing at passwords!

There should be some rules applied to passwords:  not less than 7 or 8
characters,  must be changed at least every 60 days,  don't use common
things like names (another way I've broken security), don't share it
under any circumstances and, for heaven's sake, don't post it on the
front of your machine or leave it where someone can find it.  It's your
personal PIN - just like the money machine - and the information you're
dealing with is worth money.  Some of the most difficult passwords to
break (take it from me) are "two words reversed" (e.g., boardwall,
hornshoe, cuptea), or foreign language words (e.g., coupdegrace,
millegrazie, caliente).  Nonsense is good, too:  geebleurql is nice. 

If you're installing password security on a PC, consider whether you
should have it so tight that there is no recourse to the DOS level or no
ability to boot from the A: drive.  You'd need really good password
software (or a good technician on staff) if you have both of these
facilities - otherwise you can lock yourself out - but it's my preference
(especially for the guy who's wiped his root directory twice).


PHYSICAL SECURITY
Finally, another area that affects computer security or your ability to
carry on computer operations, and one that is often overlooked, is simple
physical security:  keys, thermal shock, vibration, dirt, water, fire,
visibility of information, steady power supply, discharge of static
electricity, magnetic fields, are all relevant to security.  We have one
man in our network who should have (a) cabling bolted to his computer and
the floor, (b) a key to his unit, and (c) dust protectors (as well as
password access only without recourse to the DOS level).  

When it comes to thermal shock, if you work in an area where the heat is
reduced on winter weekends, I strongly recommend you leave your unit
running over the weekend - just lock the keyboard.  If the air
conditioning is shut down, turn your unit off, and don't turn it on until
the temperature is  23C or less.  And please don't leave your machine
sitting in the sun, or in front of an open window to attract dust.  The
internal temperature raises within 20 mins. or so to >30C, and the effects
of thermal shock are such that it can, first, rock memory chips out of
their sockets, and, worse, misalign the read heads on your disk drive so
that nothing can be read.











                                  - 6 -

(Physical Security - continued)

Vibration, too, is a source of problems, especially for drives.  The read
heads actually float over the surface of drives, not on them the way a
record player needle does, and the space tolerance between is measured in
Angstroms (metric version of microinches).  Vibration can cause the head
to hit the drive, and you can say goodbye to whatever was written there.

If you're in a particularly sensitive field, and your information is what
might be called top secret to your company, you might also want to look
at two protection devices:  one is encryption, and the other is Tempest
hardware or shielding.  Encryption involves translating your data using
algorithms to something unreadable, and de-coding it when you need it.  It
uses a "key" to choose the algorithm - dont' lose the key!  It comes in a
few forms:  software controlled encryption, hardware based encryption, or
a combination of the two.  Most encryptors work with standard algorithms,
but defense departments and other high-security installations prefer
random algorithms.    Tempest hardware, or shielding, protects against
sniffing of signals. ( Signal emanation surveillance is called
"sniffing.")  I don't have a computer here to demonstrate this, but if
you take an old battery-operated transistor radio and set the dial to the
bottom of the AM band around 520, try passing it within a foot of your
computer.  Your ear might not pick up the individual signals, but I assure
you there's equipment that does.  That's why the US Army was blasting rock
music around the Vatican Embassy when Noriega was there - to mask signals.

More important to the average user, though, is avoidance of electro-
magnetic fields (such as ringing phones near a disk or disk drive), and
having an automatic disk head 'parker' that moves the heads to a safe zone
every few seconds.  That way, something like a brief power failure is less
likely to cause a "head crash" on the disk.

Simple visibility of information is a risk.  Recently I went to a bank
with a court order in hand to give me access to an account.  The clerk
simply turned the terminal toward me and, if I'd wanted to bother, I could
have had the account numbers of two other people with identical names. 
There is screen saving software that will blank your screen after an
inactivity duration you choose, and personnel should be made conscious
that unauthorized viewing of information is a security risk.  And watch
what your staff throw out on paper, too.

When it comes to fire and water, there are two basic rules that everyone
can follow:  first, don't smoke around the PC, and second, don't feed the
PC coffee and donuts.  You might be able to save a keyboard or some parts
with a bath in distilled water, possibly followed by drying with a warm
hair dryer, but there's no guarantee.  I prefer pure isopropyl alcohol -
without the hairdryer so I don't get fried in the process.  Don't blast a
computer with a fire extinguisher if you can avoid it.  If you do have a
fire or a flood, though, you'd better have a tested disaster recovery
plan, and your backups stored off-site.


All of these issues are reasonably within your control:  fraud, theft,
disgruntled employees, practical jokers, fumble fingers, software copying
and physical security, at least as much as the infamous viruses that are
around, but let's take a look at why you're at risk.