The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 31

Wednesday 24 February 1988

Contents

o Risks of Advertising Messages Appended to Telex Messages
Bruce N. Baker
o "Viruses? Don't Worry!"
Joseph M. Beckman
o Held at Mouse-Point; Virus-Information Centres
Dave Horsfall
o Computer Viruses -- a catalog
Dave Curry
o Another RISK of viruses
David Purdue
o Virus security hole
Kevin Driscoll
o Re: More info on Compuserve Macinvirus
Henry Spencer
o Code-altering viruses
William Smith
o Self Fulfilling Prophecies, the Chaos Computer Club,...
Frederick Korz
o Viruses and secure systems
Kian-Tat Lim
o Info on RISKS (comp.risks)

Risks of Advertising Messages Appended to Telex Messages

Bruce N. Baker <BNBaker@KL.SRI.COM>
Wed 24 Feb 88 10:39:50-PST
I recently sent a TELEX message to Copenhagen.  The recipient responded by
writing on the message he received from me and returning it by normal post.
I thus found that the TELEX carrier had appended text to my original message,
which struck me as unprofessional and unethical.  The appended text reads:

     FOR 1988 HOROSCOPE FORECASTS
     CALL USA 62200 CODE 9150

Has anyone else noticed any such appendages to TELEX messages?  (If you also
find out my horoscope for Sagittarius, please let me know what the stars
portend for me.)
                                           Bruce N. Baker, SRI International

   [Hmm.  Sagittarius is depicted as a centaur (HALF-HORSE) shooting an arrow.
   The question is whether this was a Trojan half-horse (since it attached a
   second half to the message -- BUT POSSIBLY EVEN CHANGING THE FIRST HALF?) 
   or a sleazy advertising campaign on the part of TELEX...  Well, buses and
   taxis routinely carry advertising.  TELEXes cannot be too far behind!  
   Or perhaps this is like the Wells Fargo case of RISKS-6.27?  PGN]


"Viruses? Don't Worry!" (!!)

"Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA>
Wed, 24 Feb 88 13:09 EST
Some excerpts from T.R. Reid's "Personal Computing" column in the 15 Feb
1988 Washington Post:

  "...such programs [computer viruses] are rarely a threat in the personal
  computer world.  And they are fairly easy to defend against."

  "...These cases [NASA, IBM xmas tree] involved networks of work stations
  or even bigger computers.  That's the first key point to recognize about
  the computer virus reports--they don't involve personal computers."

  "If you never "feed" your machine anything but programs from established
  software houses, your machine will be immune."

  "If you like to call up bulletin boards to download programs...there is
  a chance that your hard disk could be infected by a virus program.  The
  possibility is so unlikely that you really needn't worry much."

  "In sum, my answer to personal computer users concerned about computer
  virus is:  Don't Worry."

Rebuttal of the points mentioned is left to the humor of the reader.  Joseph


Held at Mouse-Point; Virus-Information Centres

Dave Horsfall <munnari!stcns3.stc.oz.au!dave@uunet.UU.NET>
Mon, 22 Feb 88 14:20:59 est
Here are two contributions from "Computing Australia", 1st Feb 1988.

1) From the back page (the "laugh" page):

``From the 'If he had another brain it would be lonely' department.

  A US auditing firm was training a group of taxation accountants in the
  use of a Macintosh word processor.  The demonstrator directed his students
  to "Point and click with the mouse."  One student raised his hand and
  announced nothing was happening.  On checking, the instructor found he was
  clicking the mouse button and pointing at a screen icon -- with his
  forefinger!  No doubt the student's progress report would have carried
  the notation that he was a dis-a-pointer.''

The RISK?  Sometimes, instructions are interpreted literally...  Although
I can imagine the semantic confusion that could arise should a mouse ever
be teamed up with a touch-sensitive screen!


2) Elsewhere in the same issue (a "serious" page):

``Virus centre too risky: Canberra.

  "Great risks" would arise from the setting up of a national information
  security research centre to fight software viruses, according to
  Technology Minister Senator John Button's Canberra spokesman.  Queensland's
  computer security expert Dr Bill Caelli has called for government funding
  for such a centre.  He said the proposed centre could develop tools to
  analyse software packages to ensure they were virus-free and did no more
  than they were supposed to.

  Button's spokesman said "In general, the Government's attitude is `Let the
  user beware'.  We don't want to reject all calls out of hand but are not
  planning any further regulation.  There could be great risks: if the centre
  or its tools validated a program and it turned out to have a bug [virus?],
  it could face litigation.''

That last bit worries me - we can't even verify programs at the SOURCE level,
so, short of brute-force emulation, what hope have we got at verifying them
at the machine-code level?

Dave Horsfall (VK2KFU)      ACS:  dave@stcns3.stc.OZ.AU
Alcatel-STC Australia       ARPA: dave%stcns3.stc.OZ.AU@uunet.UU.NET
11th Floor, 5 Blue St       UUCP: {enea,hplabs,mcvax,uunet,ukc}!\
North Sydney NSW 2060 AUSTRALIA    munnari!stcns3.stc.OZ.AU!dave

             [There are unconfirmed reports that some of the "virus-killer"
             programs themselves contain Trojan horses.  CAVEAT EMPTOR.  PGN]


Computer Viruses -- a catalog

Dave Curry <davy@intrepid.ecn.purdue.edu>
Tue, 23 Feb 88 11:03:48 EST
Information Week, 2/22/88 has an article about computer viruses and another
about computer security.  Both of the articles are pretty worthless, being
full of sensationalist statements and very little fact.  But, they did put
the following in:

   PC expert Eric Newhouse lists known contaminated programs that should be
   avoided on public bulletin boards.  If you have a copy of one of these
   programs, consider it suspect even though some run fine.  When no extension
   is listed, the program has appeared with many extensions.

    Arc             List60
    Arc513.         QMDM110.Exe
    Arc600          QMDM110A.Arc
    Balktalk        Quikbbs.Com
    Discscan.Exe    Secret.Bas
    Dosknows.Exe    Stripes.Exe
    Egabtr          Vdir.Com
    Filer.Exe

(The rather weird capitalization scheme is theirs, not mine.)
Dave Curry, Purdue University


Another RISK of viruses

David Purdue <munnari!csadfa.oz.au!davidp@uunet.UU.NET>
Fri, 19 Feb 88 16:02:11 est
A club based in Canberra offered someone $100 to write a program for the
Amiga that would do some timetabling for a conference that the club holds
annually.  When the conference rolled around, the program was not ready
and the timetabling was done by hand, and there were many mistakes made.

A meeting was held recently, some three weeks after the conference. At this
meeting the programmer pointed out that although he didn't have a working
product, he had done a lot of work for the club, and asked for his $100.
He was asked why the program wasn't ready in time.  He replied, "It's not
my fault.  The program was hit by a virus which scrubbed my disk, and I
didn't have a backup."

The Risk?  Well, it may be true that a virus scrubbed his disk; but there
was no mention of it until the meeting.  With the proliferation of viruses,
and the big fuss that the media are making of them (that includes computing
industry newspapers, the major press and discussions on the net), it seems
to me that programmers now have a real handy excuse for not meeting their
commitments.
                        DavidP

Mr. David Purdue           Phone ISD: +61 62 68 8165    Fax: +61 62 470702
Dept. Computer Science         Telex: ADFADM AA62030
University College      ACSNET/CSNET: davidp@csadfa.oz
Aust. Defence Force Academy     ARPA: davidp%csadfa.oz@uunet.uu.net
Canberra. ACT. 2600.           JANET: davidp@oz.csadfa
AUSTRALIA             Other Gateways: see CACM 29(10) Oct. 1986
    UUCP: {uunet,hplabs,ubc-vision,nttlab,mcvax,ukc}!munnari!csadfa.oz!davidp


Virus security hole

Kevin Driscoll <umn-cs!altura.driscoll@rutgers.edu>
Mon, 22 Feb 88 10:48:30 CST
   In theory, Larry Nathan's example of exporting classified information from
a secure area should not be possible because all outgoing information from a
secure area is suspect and is sanitized.  However, human nature being what it
is, the outgoing scrutiny is probably not done as thoroughly as it should and
data can escape this way.  Another approach can subvert even the best outgoing
screening process.  This is the use of covert channels, sometimes called
"banging on the walls".
   The method is to use some communications channel that is not considered an
"output" from the secure area.  For example, the virus could cause a disk head
positioner to travel its maximum excursion at its maximum velocity, then
modulate the frequency of reversals according to the classified data to be
transmitted.  The data can be received by recording the vibrations caused by
the disk drive.  This method subverts most of the top secret TEMPEST secure
installations that I have seen.
   The common risk here is that security plans generally assume that the only
dangers are physical entry, TEMPEST leakage, or information leaving via the
area's normal output channels.  Completely ignored is the possibility of data
ENTERING the area as being a security threat.
   I have just recently reminded our system operators about the possible
dangers of a virus exploiting covert channels and the care that must be taken
to ensure that our UNsecure systems are not infected, which could be a threat
to our secure systems.  Of course, safe software practices should be followed when
sharing software among systems with differing classifications, even if the
systems are entirely in-house.
   A group here at Honeywell SRC is working on the thornier problem of
preventing such attacks on single multilevel secure systems (class A1+
trusted computer).

  Another virus subject that has been discussed is the trustworthiness of
software held in archives on the net.  What should not be overlooked is that
even if a given archive can be trusted, the intervening path may not be.
Software can be infected en route.  Many of these routes pass through
universities, which can be the most hazardous software environment in the
world.


Re: More info on Compuserve Macinvirus [RISKS-6.27]

<mnetor!utzoo!henry@uunet.UU.NET>
Sat, 20 Feb 88 04:22:03 EST
> '... People here in Canada and over in Europe see this for what
> it is, a message of peace.  It's you people in the United States who see
> it as something dark and nasty.' [Henry, are we really that paranoid down
> here?]

The "message of peace" business is pure self-serving excrement.  (I may
possibly be biased here, since I have a low opinion of a lot of the lip
service given to "peace" nowadays.)  It's no better than a cute prank.
However, I'm not too impressed by the paranoids either.  (No, there is
no particular concentration of paranoids in particular nations that I'm
aware of.)  This actually goes back to the old question of whether it is
better to expose security problems or keep them secret.  One's attitude
on that issue determines whether one thinks the MacMag incident was a
harmless prank that may alert people to a real problem, or an evil act
that opens up horrible vistas.  Personally I side with the former point
of view:  this particular incident was childish but harmless -- note that
the people involved hired a professional programmer, whose duties presumably
included making *sure* that it was harmless -- and anyone who believes
that the Bad Guys hadn't thought of it already is dreaming.

The one risk I do see coming out of this is the possibility of it inspiring
others to implement and spread "harmless" viruses that may not be so well
built and may inadvertently cause damage.  But these are still rather
less likely to make trouble than the truly malicious ones, and maybe it
will help wake people up.

Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry


Code-altering viruses (RISKS-6.29)

William Smith <wsmith@m.cs.uiuc.edu>
Sat, 20 Feb 88 08:26:47 cst
> ... the inevitability of viruses that target specific software products. ...

Although detecting such a virus would be difficult, once detected, recovery 
from the virus should not be difficult.  After making a copy of the
distribution software onto a hard disk or another floppy, the original
program disk or tape should never see the computer again (unless the copies 
are damaged or lost).  It is probably also a good idea for the original copy
never to be put into the computer write-enabled.

Once a damaged copy of a program is found, the online copies of it are 
deleted and replaced from a secure copy after the virus has been removed.  

The problem with most viruses is that their target is often the operating
system.  This first step, deleting the online copies, is not possible because
the computer won't reboot after that.  That might point to a solution: The
computer needs an "immune system" that can be booted from, say a read-only
floppy or tape, and may then be used to safely replace any corrupted system or
user files from archive copies of the software.  Probably, since most
executables are not supposed to be modified, the immune system simply could go
through each of the distribution disks and do a binary compare of each program
with the archive.  If a program has changed, it is replaced with a clean copy.
The primary feature of an immune system is that it never executes any external
non-ROM code so that it is impossible for it to be attacked by a trojan horse
(assuming the ROMs can be trusted).

Bill Smith    wsmith@a.cs.uiuc.edu   ihnp4!uiucdcs!wsmith
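
The compare-and-replace pass of the "immune system" described above, as an added example that is not part of the original digest or any contributor's code. It assumes it is started from trusted read-only media with the archive mounted read-only, and that installed paths are regular files, symlinks or missing; the function names and sample file names are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

def same_bytes(a: Path, b: Path, chunk: int = 65536) -> bool:
    """Binary compare; files are only read as data, never executed."""
    with a.open("rb") as fa, b.open("rb") as fb:
        while True:
            x, y = fa.read(chunk), fb.read(chunk)
            if x != y:
                return False
            if not x:  # both at EOF, no difference found
                return True

def immune_pass(archive: Path, installed: Path) -> dict:
    """Replace every installed file that differs from its archive copy."""
    report = {"clean": [], "replaced": [], "restored": [], "unknown": []}
    for src in sorted(p for p in archive.rglob("*") if p.is_file()):
        rel = src.relative_to(archive)
        dst = installed / rel
        if dst.is_symlink():  # never compare or write through a link
            dst.unlink()
        if not dst.exists():
            kind = "restored"
        elif same_bytes(src, dst):
            report["clean"].append(rel.as_posix())
            continue
        else:
            kind = "replaced"
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)  # overwrite with the archive copy
        report[kind].append(rel.as_posix())
    for p in sorted(q for q in installed.rglob("*") if q.is_file()):
        rel = p.relative_to(installed)
        if not (archive / rel).is_file():  # unverifiable: flag, don't touch
            report["unknown"].append(rel.as_posix())
    return report

def demo() -> dict:
    """Constructed sample: one clean, one altered, one deleted, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        arc, ins = Path(tmp, "archive"), Path(tmp, "installed")
        arc.mkdir(); ins.mkdir()
        for name, data in [("edit.exe", b"AAAA"), ("sort.exe", b"BBBB"), ("sys.bin", b"CCCC")]:
            (arc / name).write_bytes(data)
        (ins / "edit.exe").write_bytes(b"AAAA")
        (ins / "sort.exe").write_bytes(b"BBxB")  # same size, one byte altered
        (ins / "game.com").write_bytes(b"ZZZZ")  # not in the archive
        return immune_pass(arc, ins) | {"sort_after": (ins / "sort.exe").read_bytes()}
```

Calling `demo()` returns the report for the constructed directories. Files listed under `unknown` have no archive copy to compare against, so the pass can only flag them for review.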


Self Fulfilling Prophecies, the Chaos Computer Club, & RISKS 6.27

Frederick Korz <korz@heathcliff.columbia.edu>
Sun, 21 Feb 88 18:49:12 EST
   Carl J. Lydick's contribution to RISKS volume 6.27 demonstrates the
potent power of rumors and allegations.  The Chaos Computer Club's
announcement that they were going to trigger their Trojan horses in the
Space Physics Analysis Network further illustrates the power of rumor
_backed by plausibility_.  They didn't have to do anything.  The sky didn't
have to fall.  Nervous managers did the damage for the C.C.C.  because they
felt the announcement/threat plausible.  The prophecy was fulfilled.

   A similar effect occurs in response to a rumor, even when the rumor's
threat is implausible or provably incorrect.  In the past, I was a naval
officer assigned to a submarine.  When you are at sea and the nearest
supermarket is hundreds of miles away, toilet paper becomes a precious
commodity.  The ship never left port without an adequate supply yet, if one
let it `be known' that we were `running out of toilet paper,' a two month
supply would be exhausted in two days!!! People would irrationally grab a roll
or two and hide it.  This is in spite of the fact that we (1) started with an
adequate supply and (2) a submarine is small enough to verify or invalidate
the rumor in less than one hour.  Rumor starting and quelling were both useful
skills.

   This behavior also appears frequently in western newspaper reports of
eastern European countries.  The rumor starts that there is going to be a
shortage of X, there is a run (well perhaps a line) on the markets for X, X
is sold out, and the prophecy is fulfilled.

   There are three levels of rumor - the impossible, the plausible but
improbable, and the possible and likely.  The first can be ignored.  The
second may be ignored after evaluating the risk inherent. The third requires
serious investment of time and effort in evaluating the risks and then further
resources to develop counter plans or contingency measures.  The malicious
rumor promulgated by the Chaos Computer Club was clearly of the third form.
Their announcement was, in short, a form of terrorism.

   I don't know what level of access the C.C.C. obtained to SPAN.  Perhaps the
system managers' fears were well founded and their actions were reasonable
reactions to the perceived threat.  I do know that the specter of security
(Trojan horses here) can be raised over their heads again and again until they
are so weary of it that they don't respond.  That would be a most debilitated
condition - all `care-ed' out.  To cope with the threat one hopes SPAN is in
the meantime analyzing the situation for alternate responses and cleansing
their systems.

Frederick M. Korz, Graduate Student, Columbia University, N.Y.C, N.Y.


Viruses and secure systems (Re: RISKS-6.29) [Fiction anticipates fact]

Kian-Tat Lim <elroy!lim%cit-vax.Caltech.Edu@ames.arc.nasa.gov>
20 Feb 88 07:52:53 GMT
A very similar scenario (and the first time I ever saw viruses mentioned)
occurs in the science-fiction novel "The Adolescence of P-1" by an author
whose name I have forgotten.  Given some suspension of disbelief (unreasonably
good AI capabilities), an entertaining and thought-provoking farce about
computers and security.

-- Kian-Tat Lim (ktl@wagvax.caltech.edu, GEnie: K.LIM1)
