Document Creation Date: 
December 23, 2016
Document Release Date: 
July 8, 2013
Publication Date: 
August 26, 1988
Declassified in Part - Sanitized Copy Approved for Release 2013/07/08: CIA-RDP91-01355R000300100002-4

Next 18 Page(s) In Document Denied

HACKERS, HIGH-TECH BANDITS, AND DISASTERS COST BUSINESS BILLIONS - AND AS PCs PROLIFERATE, THE PROBLEM CAN ONLY GROW WORSE

Donald Gene Burleson resented authority. He denounced federal income taxes as unconstitutional and boasted that he hadn't paid any since 1970. The pudgy, 40-year-old programmer also complained that his salary at USPA & IRA Co., a Fort Worth securities trading firm, was too low. He often had heated arguments with superiors. "He was so fanatical about everything," says former co-worker Patricia Hayden. But she adds: "He could do anything with a computer."

Evidently he could. Two days after USPA fired him in 1985, the company alleges, Burleson entered its headquarters and planted a program that once each month would wipe out all records of sales commissions. USPA discovered the break-in two days later. But it lost 168,000 records before disabling the program. Burleson is now awaiting trial on charges of "harmful access to a computer," a felony in Texas. If convicted, he faces up to 10 years in jail.

SHUTDOWN. The Burleson caper is just one in a string of recent events that point to the alarming vulnerability of computer systems - and the businesses and government agencies that rely on them. Hackers have invaded sophisticated data networks - even those at the Pentagon. Accidents, such as the May 8 fire at an Illinois Bell switching station outside Chicago, have disrupted communications in entire towns for weeks at a time. But experts agree that the No. 1 threat, which accounts for at least 80% of security breaches, is internal: "The real problem is errors, omissions, or well-thought-out acts by individuals who have authorized access to data," says Lawrence L. Wills, who's in charge of selling data security software for IBM.

Whether the fault lies with a disgruntled employee, a hacker, simple human ineptitude, or a natural disaster, disabling a vital computer and communications system can be as easy as cutting a critical power line or typing a few commands on a keyboard. The threat is eloquently simple: Computer networks and the information they handle are assets a company can't do without. But often they aren't adequately protected, and the consequences of that exposure can be disastrous. Without computers, "we cannot run our plants, we cannot schedule, we cannot bill or collect money for our product, we can't design our product," says G. N. Simonds, executive director of management information systems at Chrysler Corp. "In essence, we very quickly shut the company down."

The potential for trouble is even greater in the service industries that now dominate the economy. Every workday, U.S. computer networks transmit close to $1 trillion among financial institutions, an amount equal to 25% of the gross national product.
When a software problem fouled up record-keeping in Bank of New York's government securities trading operations in 1985, other banks temporarily stopped trading with it. The Fed had to lend the bank $24 billion to keep operating until the problem was fixed. An airline the size of American Airlines Inc. could lose as much as $34,000 in booking fees each hour its reservation system is down.

Little wonder that businesses are worried - and reacting. To protect its vast reservations system in Tulsa, American built a $34 million underground facility with foot-thick concrete walls and a 42-inch-thick ceiling. Anyone who scales the barbed wire faces a security system that includes a retina scanner, a James Bondian device that detects unauthorized personnel by the unfamiliar pattern of blood vessels in their eyeballs. Indeed, a booming industry has developed to help protect computers, ranging from scores of consultants to sellers of hardware and software impediments to intruders.

'HELL OF A MESS.' Despite such defenses, however, systems remain vulnerable. High-tech thieves steal $3 billion to $5 billion annually in the U.S. alone, according to consultants at accounting firm Ernst & Whinney in Cleveland. And computer crime pays well: In an average stickup, security experts say, a bank robber grabs $5,000. By contrast, the average electronic heist nets $500,000. In electronic funds networks, "you have $15,000-a-year clerks transferring $25 million a day," says Ronald Hale, research manager at the Bank Administration Institute in Chicago. For some, the temptation is too great. In early July, a group of insiders wired $54 million from the London office of Union Bank of Switzerland to another Swiss bank, complete with the correct authorization codes. A malfunction in the second bank's computer delayed the transaction, and auditors discovered it and froze the funds before they could be collected. First National Bank of Chicago foiled a $70 million embezzlement scheme last May only because the two employees who masterminded it made a dumb mistake: They tried to overdraw on the accounts they were stealing from.

WIRETAPS / ELECTRONIC EAVESDROPPING - It's easier than most companies think for outsiders to tap the telecommunications lines that connect their computers. Advanced cryptographic techniques can scramble messages, and special enclosures can contain the emissions that electronic eavesdroppers intercept and decode.

THE ENEMY WITHIN: EMPLOYEE TAMPERING - The No. 1 security threat is employees, whose theft, sabotage, or ineptitude can cause havoc. Employees should have access only to the systems and data needed to do their jobs. Lock up machines that do critical tasks. Change passwords frequently.

BUSINESS WEEK/AUGUST 1, 1988

Often, even hackers depend on inside help. A band of teenage programmers, calling themselves "phrackers," has been giving fits to Pacific Bell and other phone companies with a simple con game. Posing as fellow employees, they call phone company representatives and cajole them into releasing computer passwords. Says one 17-year-old phracker: "It works surprisingly well." Inside the phone company computer, phrackers cause mayhem by disconnecting service to customers or changing work orders.

Now changes in computer technology are making mischief easier. Increasingly, minicomputers and personal computers are being spread through offices and networked together. Such "distributed processing" multiplies the potential points of access. "When computerization was centralized, the computers were in one room behind locked doors," says Edwin B. Heinlein, a computer security consultant in San Rafael, Calif. "Now it's a hell of a mess." With 33 million desktop machines in use, hundreds of thousands of individuals have acquired the technical skill to "penetrate most systems," says Gerald E. Mitchell, director of data security at IDS Financial Services Inc. in Minneapolis.

Using international phone links, a group of West German hackers took repeated strolls through NASA computers last summer, as well as through several U.S. military networks. NASA spent three months changing passwords and clearing out "trap door" programs that the intruders had planted to give them access. Another German hacker spent nearly two years cruising through unclassified data in U.S. Defense Dept. and other research computers around the world until he was stopped last year. And last May, NASA's Jet Propulsion Laboratory in Pasadena, Calif., was invaded by hackers yet to be identified.

Even companies with good security have run into a new and insidious problem: the computer virus. Like microorganisms, these replicate and spread. They're tiny bits of software, often quickly written, that hide in larger programs and then pounce unpredictably. Some simply deliver a surprise message on the screen. Others can wipe out every shred of information in a computer.

What especially worries corporate computer managers is that somehow these destructive programs could migrate to mainframe computers and do serious damage to the most sensitive corporate data. Says Jeffrey M. Hoffman, a computer specialist at Atlantic Richfield Co.: "The PC world is the lightly protected gateway to the host computer world." Although most large computer systems employ mechanisms that isolate computer code, reducing the opportunity for a virus to spread, the threat exists - even for Big Blue. Although the company plays down the incident, last December a virus-like program infiltrated IBM's 145-country electronic mail network, forcing the entire system to be shut down.

[Chart: As reliance grows on computer systems and electronic networks. Panels: U.S. expenditures on computer systems/office machines; incidents of computer and automated teller machine fraud and theft]

When such incidents occur, the victim company often has failed to employ some surprisingly simple measures. Experts say, for instance, that companies should outlaw such mundane passwords as a birthday or a spouse's name. NASA concedes that it was using "inappropriate" passwords that were easy to guess. IBM's Wills urges companies to remind workers not to log on to a computer and then leave it unattended, nor share passwords with co-workers. He is also a proponent of written computer security policies, complete with security clearances.

NEED TO KNOW. IBM has five classes of data, ranging from unclassified, with no restrictions, to "registered IBM confidential," available only to employees with a predetermined need to know. After last year's incident, which began when a West German law student sent a self-replicating Christmas greeting into a European academic research network, IBM tightened controls over its electronic networks.

It's crucial, say experts, to treat computer security as a management, not a technology, problem. For example, programs running on Marine Midland Bank's central computer are "encapsulated" so that employees can use only what's needed to perform their jobs - and can't browse through the system.

Physical barriers are important, too, and there are lots of new ones. Electronic card keys, or "smart cards," with embedded microchip memories and processors, are starting to be used as I.D. cards for workers. They can be programmed with volumes of personal data and authorization codes that are hard to fake. Some smart cards change passwords every 60 seconds. But even such cards have a flaw: They can be stolen. More secure, some experts think, are biometric devices, which identify people according to physical quirks. Machines can now read voice inflections, hand prints, even typing habits.

Still, common sense may be the best protection - and less intrusive. For example, USPA could have thwarted Donald Gene Burleson by thinking faster. The company procrastinated before changing its computer passwords, a crucial mistake: As a computer security officer, Burleson was one of three people at the company who knew everyone's password.

COVER-UP. A similar mistake caught up with Wollongong Group, a software company in Palo Alto, Calif. Ming Jyh Hsieh, a 38-year-old Taiwanese émigré who worked as a customer support representative, was fired in late 1987. Two months later, Wollongong noticed that someone was logging on to its computers at night via modem. Some files had been copied or damaged. After tracing the calls to Hsieh's nearby home, police seized her personal computer, along with disks containing Wollongong's proprietary software, estimated to be worth millions of dollars. She was arrested, charged with illegal access to computers, and if convicted faces up to five years in prison.

Wollongong had crippled Hsieh's access code but the company suspects that she somehow obtained another worker's. Since the incident, Wollongong periodically changes passwords and account numbers. "Any company that doesn't is asking to be kicked," says Norman Lombino, Wollongong's marketing communications manager.
One advantage for computer crooks is that their victims often keep quiet, notes consultant Robert H. Courtney Jr. Statistics are hard to come by. But experts estimate that only 20% to 50% of computer crimes are ever reported. Particularly for banks, a successful fraud is a public relations disaster. Burleson's break-in at USPA might never have come to light had he not sued for back pay - thus encouraging a countersuit. "No one wants to display their managerial shortcomings," says Courtney. In one extreme case, Courtney says, an insurance company executive used his PC to scan claim records needed to commit a $13 million fraud. The company found out and fired him. But to avoid a scandal, it gave him a lavish going-away party.

[Photo captions: IBM's Wills recommends stiff security policies, but even IBM's electronic mail network took a hit last year; Brandow and Zovile loosed a "benign" virus on Mac users]

Bringing the problem into the open may be the only way to improve security, however. Take viruses. These wily programs most often find their way into corporate computer systems when an employee inadvertently introduces them. Computer enthusiasts from New York to New Delhi use electronic bulletin boards on communications networks such as The Source to "chat" by computer. One of their favorite pastimes is swapping programs - any one of which can include a virus that attaches itself to other programs in a computer. No one knows how many viruses have been planted. But John D. McAfee, a virus expert at InterPath Corp, a security consulting firm in Santa Clara, Calif., says there have already been 250,000 outbreaks. He estimates that 40 of the nation's largest industrial companies have been infected.

PAKISTANI FLU. Worldwide computer networks take viruses on some remarkable journeys. Recently, The Providence Journal-Bulletin was infected by the Pakistani Brain - two years after that program began circulating. Nobody knows how it got to Rhode Island. But before it was through, it had infected 100 of the paper's personal computer hard disks. Basit Farooq Alvi, a 19-year-old programmer from Punjab province, says he wrote the virus not to destroy data but as a warning to would-be software pirates. The virus would interfere only with bootlegged copies of his package, a program for physicians. Other programmers, however, have given it a pernicious twist: Now versions of the Brain often carry instructions to wipe out data files. And some of these versions have spread to Israel, Europe, and the U.S.

Even a well-meant virus can have unfortunate side effects. Richard R. Brandow, the 24-year-old publisher of a Montreal computer magazine, and co-worker Pierre M. Zovile created a benign virus to dramatize the pervasiveness of software piracy. Point proved: In two months, Brandow says, illegal copying had transferred the virus to 350,000 Macintoshes around the world. When the internal clocks on these machines hit last Mar. 2, the first birthday of the Mac II computer, each machine displayed Brandow's "universal message of peace to all Macintosh users."

'SAFE SEX.' It was a nice thought. But Marc Canter, president of a small Chicago software publisher, says that Zovile's virus wasn't innocuous. It caused Canter's computer to crash and infected disks that he supplied to software producer Aldus Corp. in Seattle. For three days, Aldus unwittingly transferred the virus onto copies of its Freehand illustration program on its assembly lines. Aldus pulled back the tainted disks, but not before some got to customers.

As with many computer security problems, the chief weapon against viruses is employee awareness, says Arco's Hoffman. After a virus invaded Macs at Arco's Dallas office, then spread to another Arco office in Anchorage, the company told employees not to use software of questionable origin. "It's the PC equivalent of safe sex," says Hoffman.

There also are more than a dozen "vaccine" programs, including Interferon, a package that Robert J. Woodhead, an Ithaca (N.Y.) author of computer games, offers free. Woodhead says each virus has a unique pattern, which his software can identify. It then erases the virus. Another method, in use at Lehigh University's computer labs since a virus struck there last winter, is to test suspicious software by setting the computer clock to Christmas, New Year's, or April Fools' Day - dates on which many viruses are set to detonate.

Viruses have caused such consternation that Congress is mulling tougher federal laws. A House bill introduced on July 19 would make it a federal crime to insert a malicious virus into a computer. Basic computer-crime laws are already on the books in 48 states, and business and industry leaders are looking for government agencies to set guidelines for security standards. Under the Computer Security Act of 1987, the National Bureau of Standards is charged with doing that. But agency budget cuts are expected to slow the process, industry officials say.
In Japan, meantime, the government gives a tax break to companies purchasing facilities and hardware to guard their systems.

Even without such incentives, U.S. companies are spending huge sums on computer chastity belts. They can be anything from software to control access to the mainframe, costing $35,000 a copy, to hardware that scrambles data so it can't be understood if a phone line is tapped. In 1982 only 10% of IBM mainframes had data security software, according to a survey by market researcher Computer Intelligence. Now the figure is 35%.

To foil hackers, many companies are installing dial-back systems on computers. These ensure that an incoming call is from an authorized number. A large mainframe may have hundreds of "ports" for remote computers - with call-back units costing $600 to $700 per port. Additional encryption hardware can cost $1,200 per communications line. With the most to lose, banks are a big market for such equipment. They disguise data by encrypting it, and many use message-authentication techniques to ensure that what is received over phone lines matches what was sent.

MELTDOWN. In the wake of the Chicago fire, there's also new interest in "disaster recovery" - restoring operations after fires, floods, earthquakes, or sabotage. For years, companies have shipped computer tapes with sensitive records to vaults such as that run by Data Mountain Inc. in Phoenix, where gun-toting guards watch over a 2,000-square-foot room chiseled out of rock. But the phone company blaze in the Chicago suburb of Hinsdale lent a new urgency to such planning. "The story has gotten out to Europe, Asia, and Australia," says Dave Haeckel, a principal with Arthur Andersen & Co., a Big Eight accounting firm that does computer consulting.

That's been a boon for disaster recovery specialists such as Comdisco Inc. "I've never seen anything like this," says Raymond Hipp, president of Comdisco Disaster, which collects fees of $100 million annually from 1,000 customers to maintain backup systems. Comdisco says it can restore computer service in 24 hours.

Such a promise may be worthless if phone lines have melted, as they did in Hinsdale. "Nobody had really focused on the lack of redundancy in the Bell operating companies' networks," notes Hipp. Local phone companies relay computer signals to a long-distance carrier such as American Telephone & Telegraph Co. or a data network such as Tymnet, which relays the signal to a local phone company that picks it up for the customer. Without that last link, the most sophisticated computer network may be useless.

Most of the time, phone company backup systems route calls around trouble spots. But in Hinsdale, a worst-case scenario occurred. The automated phone switching facility was unstaffed and lacked the kind of fire-suppression system used in computer centers. There was no alarm at the local fire station, because Illinois Bell feared that the fire department couldn't put out a computer fire without causing excessive damage. The result: Thousands of homes and businesses, including headquarters offices of McDonald's Corp. and Motorola Corp., were cut off. Large businesses restored communications with emergency microwave radio systems. But seven local businesses have filed lawsuits to recover losses caused by the outage.

Computer customers, as well, want better security features from hardware and software suppliers. Many companies are considering making AT&T's Unix software - or its derivatives - a standard to smooth the connections between different brands of machines.
But since Unix was designed to make it easy for computers to share files and programs, it's also susceptible to break-ins, says Judith S. Hurwitz, editor of Unix in the Office, a newsletter. For instance, phrackers in California, after cracking the password system on one Unix computer last year, used the same approach to unlock Unix-based systems at phone companies all over the country. Now AT&T is making Unix more secure. Similarly, Digital Equipment Corp. says it has patched software holes that let West German Chaos Club members break into its VAX computers.

HIGH-TECH HIJACKING. Concern over computer security will mount as companies do more electronic transactions. In the $55 billion textile business, for instance, sales data, new orders, shipment information, inventory receipts, and invoices are beginning to flow directly from one company's computer to another's via a pipeline called Electronic Data Interchange. Other companies, such as auto parts makers, are using EDI to send items directly to customers, bypassing warehouses. The potential for fraud and theft is huge. "There have always been attempts to divert products," says Peter Browne, president of Profile Analysis, a Ridgefield (Conn.) consulting firm. "Now it can be done electronically."

Corporations are left in a bind: They need to expand computerized information and transaction-processing systems to compete. But the more they do, the greater their risk. "Our society must do something to control the problem," says Ernest A. Conrads, director of corporate security at Westinghouse Electric Corp. "If not, our information system can't grow the way technology will allow us to." In the long run, that could have more profound economic consequences than all the hackers, viruses, and disaster-induced computer failures combined.

By Katherine M. Hefner in New York, with Geoff Lewis in New York, Kevin Kelly in Dallas, Maria Shao in San Francisco, Chuck Hawkins in Toronto, Paul Anglo- in Boston, and bureau reports

A GERMAN HACKERS' CLUB THAT PROMOTES CREATIVE CHAOS

West German computer hacker Bernd Fix holds the economic equivalent of a nuclear bomb in his head. The University of Heidelberg astrophysics student claims it took him only 20 hours to write a virus that could destroy all information in a mainframe computer - erasing tens of thousands of pages in minutes. In the wrong hands, it could cripple companies, the IRS, even the Pentagon. Fix has no such plans: He says he wrote the program as an intellectual exercise - "for the experience of doing it." He has since encrypted it so that it can't be used by others.

Welcome to the oddball world of hacking, German style. Fix, 26, is a member of the Hamburg-based Chaos Computer Club, a group of 300 hackers who, says Herwart "Wau" Holland, the club's founder and leader, are a far cry from the teenage thrill-seekers who prowl U.S. computer networks. Despite the club's name, Holland, 36, says it's against electronic mischief. His goal is more serious: increasing the flow of public information. In West Germany, environmental and scientific data, census figures, and government reports are costly and difficult to get. "It's not a very democratic system," Holland says.

Not until Chaos gets involved. Holland's weekly newsletter, circulation 3,000, and his "Hacker's Bible," 25,000 copies sold, are filled with tips on breaking into computer systems around the world. "We believe we have the right of access to information, and we take it," says Holland. During the Chernobyl nuclear disaster, he says, German officials "fed the public a lot of false [reassuring] statements." By purloining hidden data, "we made sure the press was well informed" - a claim that German reporters confirm.

FORBIDDEN. Chaos members, who meet weekly, hold an annual convention, and pay dues of $66 a year, revel in showing up West Germany's obstinate bureaucracies. In 1984, Chaos uncovered a security hole in the videotex system that the German telephone authority, the Deutsche Bundespost, was building. When the agency ignored club warnings that messages in a customer's private electronic mailbox weren't secure, Chaos members set out to prove the point. They logged on to computers at Hamburger Sparkasse, a savings bank, and programmed them to make thousands of videotex calls to Chaos headquarters on one weekend. After only two days of this, the bank owed the Bundespost $75,000 in telephone charges. Uncaught, Chaos revealed its stunt on Nov. 19, the birthday of Bundespost Minister Christian Schwartz-Schilling. Both the bank and the Bundespost now say the break-in was a fluke.

The incident fits with Holland's goal "of changing structures in society. Everything in Germany is so overly organized." He adds: "Some people throw bombs. It's more effective to find the absurdities and make people laugh."

Like hackers everywhere, however, Chaos members can't resist a challenge. And that sometimes means treading near the edge of West German law, which prohibits manipulating or destroying data, both foreign and domestic, or breaking into "extra secure" systems, which are undefined. Holland denies that the club was behind a NASA break-in last year. Chaos members may have done it, he concedes, though none has confessed. But he adds: "We do not encourage illegal acts."

That's an assertion that critics often discount, given the club's key role in promoting hacking - and its record of never having expelled anyone for unsportsmanlike conduct. Still, Holland, who traded his blue jeans for blue suits when he started a typesetting business 18 months ago, knows that hacking can hurt. Three years ago, fellow enthusiasts stole his password to a German data network and published it in the tabloid Bild Zeitung. Soon gleeful computer fanatics had racked up $1,500 in charges to Holland's account. "I was broke at the time, and this incident made an impression on a lot of hackers who knew me," he says.

Nonetheless, there's still the matter of all that closely held government information. And until it's more public, Chaos most likely will fill the void.

By Gail Schares in Heidelberg

[Photo caption: Holland: "We have the right of access to information"]

HOW UNCLE SAM'S CLOAK-AND-DATA BOYS ARE FIGHTING BACK

Breaking into computer systems might be a lark for hackers. But penetration of government computers - particularly military systems - is a deadly serious matter for the National Security Agency (NSA) and for counterintelligence agents at the Federal Bureau of Investigation. After all, who's to say whether a break-in is a hacker's harmless prank or an attempt by Soviet spies to steal defense secrets?

The supersecret NSA, an arm of the Pentagon that for many years didn't even exist officially, has a double-edged mission. It gathers electronic intelligence from the Soviet bloc by intercepting and decoding telecommunications traffic, including signals sent from spy satellites. And to prevent foreign nations from doing the same to the U.S., the NSA spends untold millions devising sophisticated cryptographic codes and trustworthy computer systems.

Protecting government computer systems is becoming increasingly taxing. Intelligence organizations, the military, and other federal agencies now operate more than 100,000 computer sites - most with multiple computers and communications links.
Many thousands of additional computers used by defense contractors and high-tech manufacturers hold data that the Administration doesn't want leaked.

The Soviets leave no stone unturned in their hunt for the tiniest morsels of information. Even a routine electronic mail message between a defense supplier and a bank might provide an important clue. That's why the Soviet missions in Washington, New York, and San Francisco bristle with antennae. They pick up phone conversations and data transmissions relayed by cellular radio and microwave links. In Cuba, a giant KGB-operated dish pulls in signals beamed down from satellites to any point in the lower 48 states. And Soviet snoop ships monitor both coasts from just outside U.S. territorial waters. One intelligence expert estimates that the Soviets listen in on more than half of all U.S. telecommunications traffic, one way or another.

[Photo caption: Soviet embassy in Washington]

SPOOK-PROOF. Because almost any transmission runs a high risk of being intercepted, Washington goes to great lengths to protect its secrets. Its most secure lines are fiber-optic cables buried deep below the surface and sealed in gas-filled pipes. There are no connections to outside phones, so no hacker can gain access. If a spy cuts a pipe to tap the cable, the drop in gas pressure instantly sounds an alarm.

But buried cables are of no use in communicating with ships or planes. So the NSA has developed elaborate cryptographic ciphers for turning English into digital gibberish. These codes are so convoluted that any given string of characters, such as this sentence, would never yield two identical series of encoded characters. The cipher is changed frequently, so that the digital code for an "e" in one word might mean "k" in the next. To decode such a message, you need the key: the starting cipher plus the formula for switching to the next variant.
For computers that handle the most sensitive information, crypto keys are created in pairs, then delivered by courier to the two computer sites. So even if the key for the link between the Pentagon and a particular base is copied, it won't help decode traffic between any other points.

Still, nothing offers total protection. Just as private-sector computer crime is usually traced to employees, the NSA's worst fear is that turncoats will sell cryptographic secrets. Crypto details are so secret that even the names used to classify them are classified. That's why federal officials say that former Navy radiomen Jerry A. Whitworth and John A. Walker Jr., who for years passed top-secret crypto materials to the KGB, did more harm than any other spies in decades. Officials estimate that the Kremlin used its ill-gotten gain to decode 1 million military messages. That could make it the computer crime of the century - so far.

By Otis Port in New York

56 BUSINESS WEEK/AUGUST 1, 1988 COVER STORY

Every year as winter approaches, people brace themselves for the flu season. They take precautions that will help them stay healthy, or at least minimize the symptoms: lots of fluids, large doses of vitamin C and sometimes flu shots. If you're human - like most of us are - they're pretty good deterrents. If you're a computer - like most of us aren't - you've got a problem. Unless, however, you're a computer user - like most of us are - in which case you may face exposure to the latest PC ailment as well: software viruses.

None of us probably ever thought of flu viruses affecting machinery, but this year that's changed. In the last few months, the personal computer community has lapsed into its own flu season that knows not the bounds of winter or cold weather.
The talk of viruses has been rampant, with cases reported across the United States, in Canada, Israel, Germany and Great Britain. In reality, though, few viruses have actually been found. The media hype surrounding viruses has tended to distort the situation. Nonetheless, the warning is clear: we all need to be aware of the potential damage a "virus" can cause and implement appropriate safeguards against the problem.

A virus is a small program that indeed operates much the same as the common flu virus. In the right environment, it can be highly contagious, moving rapidly from PC to PC. It can spread in many different ways, but typically it is embedded in an innocent program such as a disk utility. When the utility is run, the virus program searches for target programs. When it finds them, it embeds itself and waits for some predetermined event such as a date, time or operation. When the system triggers that particular event, the virus attacks and erases whatever data it can find. The real danger is twofold: the virus remains hidden until it strikes and it is designed to spread before it acts.

Viruses are not new to the computer industry. In 1980, researchers at the Xerox Palo Alto Research Center (PARC) devised a virus-type program designed to spread through a network looking for idle machines that could help solve large problems. The program eventually got away from them, invading central processing units and locking up even the active workstations on the network. The researchers ultimately regained control by writing a "vaccine" program that erased all traces of the virus.

In September 1984, Dr. Frederick Cohen of the University of Cincinnati warned about the threat of computer viruses in a paper presented to a computer conference in Toronto, Canada. According to Dr. Cohen, most mainframe computer systems can generally be subverted by a virus in the space of an hour. His paper drew wider attention in March 1985, when Scientific American published a letter from two Italian programmers in its "Computer Recreation" column. The letter gave a virtual blueprint for a virus that could attack personal computers.

TIME BOMBS

Last fall in Israel, a virus spread widely over a two-month period, the apparent expression of a political protest. The virus contained a "time bomb" designed to go off Friday, May 13, 1988, on the 40th anniversary of the last days of Palestine; the State of Israel was established on May 14, 1948. Fortunately, a flaw in the virus led to its early discovery in December. The flaw caused the virus to repeatedly infect target programs until they grew so large that they filled all available storage space. The virus itself caused the infected computer system to slow to one-fifth its normal speed and to randomly display garbage on the screen.

Another virus was discovered last December at Lehigh University in Pennsylvania. Dubbed the Lehigh Virus, the program was designed to infect all Command.Com files on whatever peripherals it found. Whenever an internal command (Type, Copy, Delete, etc.) was executed, the program immediately looked for other Command.Coms to infect. When it found one, the original virus implemented a counter. When the counter reached four, the original virus deleted everything it could. It didn't just execute a normal DEL to erase a directory entry, however - it totally erased the file-allocation table, boot tracks, directory and more. Lehigh students lost several hundred diskettes' worth of information before the MIS department discovered the cause.

The ease with which viruses can spread through networks is causing major concern among computer professionals. It was a rapidly spreading virus known as the "Christmas Virus" that caused IBM to shut its network down for several hours last year. The work of a West German student, the program was designed to look like a computerized Christmas card.
When run, it would move undetected into a user's files and send copies of itself to everyone with whom the user had exchanged messages. Originating at the European link of Bitnet, the world's largest academic network, the program eventually spread to five continents, including into IBM's own massive network, flooding its systems with the Christmas Virus. While the program was not destructive, it did cause significant system degradation, eventually requiring a system shutdown in order to remove all traces of it.

Virus infections haven't been limited to the IBM world. In February, a virus was discovered in a HyperCard stack (HyperCard is a freeform database application for the Macintosh, with its information arranged into stacks) on the CompuServe network. The virus, written by the Canadian magazine MACMAG, was programmed to send a message of world peace on March 2, 1988, the first anniversary of the Macintosh II computer. After CompuServe alerted its users of the virus, there were reports of it in Italy, Belgium and France, as well as in most areas of the U.S.

This particular virus also became the first known virus to infect commercial software. A contractor for Aldus Corporation apparently came into contact with infected software while traveling in Canada. Running the software just once on his system was enough to spread the virus to his hard disk. At the time, he was working on training software for Aldus; the virus infected the disk he sent them as well. From there, it spread through Aldus, eventually getting onto the disk duplicating equipment used for its FreeHand program.

IMPLICATIONS FOR NETWORKS

Though viruses have a limited effect on single-user machines, they can cause quite serious problems for a network. Imagine, for instance, a network administrator placing the latest version of a handy utility he has used for years in a general-access directory. Various "power" users then use the utility.
As the virus goes out and copies itself to all the Command.Com files it can find, its counter is incremented, triggering the virus to erase everything it can access. When the complaint calls start coming in, the last thing the administrator will look to is the utility he's been using for years. At first, users are likely to be suspect; as the virus continues to spread, attention will shift to the next most common element, the network server software.

A VIRUS ORIGINATING IN WEST GERMANY AND BEARING CHRISTMAS GREETINGS EVENTUALLY SPREAD TO FIVE CONTINENTS.

RUSS GREENBERG HAS DARED ANYONE WHO WRITES VIRUSES TO TRY TO DESTROY HIS BULLETIN BOARD SYSTEM. SOME HAVE TRIED - NONE SUCCESSFULLY.

One symptom that should help identify a virus to a network administrator is the manner in which data corruption occurs. Most viruses do not appear to be written with networks in mind, so when the damage is done, it is usually limited to the floppy and hard disk drives on a single user's machine. According to Russ Greenberg, an authority on viruses, most of them directly access the PC hardware when they corrupt data. When a PC is connected to a network, it is addressed through software added to DOS. When a virus does its work through DOS, all devices connected to that PC are corrupted. As noted, to date no virus has been encountered that was specifically written for PC networks.

What can be done to keep a virus off of a network? The initial tendency is to suggest banning all public domain software and unauthorized programs. It's an unrealistic approach, however, because, as we saw with the Aldus virus, it is possible for a virus to infect virtually any type of software without being detected.
On a network with many users requiring full access, a software ban would also be difficult to enforce. Every user has favorite utilities, so trying to ban outside programs could force at least some users "underground," and outside programs might still be used anyway. A better route would be to publish guidelines for the use of outside programs.

A program of network security awareness is another effective measure. It requires getting everyone involved, because network security is only as good as its weakest link. In a large network, you may want to designate an individual in each department to be responsible for security in that area.

NETWORK SECURITY

Even with well-planned security guidelines, a virus (or an unhappy employee) can still corrupt your data. The ultimate resort is to use backups. Horror stories abound about companies losing thousands of dollars worth of data, yet the fact remains that many users and administrators alike don't worry about backup until they actually encounter the problem of restoring lost data.

You can never back up your system often enough. Even after your data is safely backed up onto a tape or cartridge, verify that it is indeed there. If you don't have a regular backup program, develop one (see sidebar) and stick to it.

Although the hope is that you never experience a virus destroying your system's data, the recent flurry of symptoms has served to increase our awareness of the threat. Now, as we move from single-user machines to networks capable of storing gigabytes of data, we need to adopt the measures that can and will protect the integrity of our data. Mainframe computer systems have had such safeguards for years. By adopting similar guidelines and taking reasonable measures, we can protect our systems from most threats and still enjoy the freedom of sharing data with others.

Rick Bunzel is Manager of Core Course Development at 3Com Corporation.

FIVE GUIDELINES FOR KEEPING YOUR NETWORK HEALTHY

1. Write-protect boot diskettes. Many viruses attack Command.Com files, and a simple way to protect a boot diskette is to make sure a program can't write to it. The write-protect tab on a diskette is a physical device, so it is difficult to bypass.

2. Do not give network users more network access than they require. A local area network gives us plenty of data access, and when a virus is triggered it can potentially delete or corrupt every directory that a user can write to or delete files from. All users should review their sharenames and links and ask themselves: Do I need to have Read/Write/Create access? Do I need to maintain that network directory link? Can I link to network directories as the need arises?

3. Maintain at least several generations of backup tapes. Due to their nature, it is possible for a virus to hide in your system for several weeks or more before it is discovered. Before you restore a tape, you will want to go back to your last reliable backup and start restoring from there. And last but not least, archive tapes on a regular basis. Tape is cheap in comparison to the cost of rebuilding data from scratch.

4. Do not use new programs (or updated versions) unless they have been in the public domain for at least four weeks. On most bulletin board systems, users can check the message board to see if anyone has commented on a particular program. Most bulletin boards also contain a file called "The Dirty Dozen." This file alerts users about programs that are known to be a "Trojan" (programs that act instantly to corrupt data) and potential viruses.

5. All programs should be tested with utilities such as CHK4BOMB or BOMBSQUAD. These public domain utilities examine code for potentially dangerous disk activity such as a command to format a disk or to delete a directory.
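Guidelines 1 and 3 combine into a concrete restore check: hash the system files on the write-protected master, then walk the backup generations to find the last one taken before those files changed. The sketch below is an added example, not code from the article; the one-directory-per-generation layout, the labels, the sample file contents and the use of SHA-256 are assumptions made for illustration.

```python
"""Choose the last reliable backup generation by comparing system files in
each generation with hashes taken from a write-protected master copy."""
import hashlib
import tempfile
from pathlib import Path

# System files the articles name as common infection targets.
WATCHED = ("COMMAND.COM", "AUTOEXEC.BAT")


def digest(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(master_dir, names=WATCHED):
    """Hash the watched files found on the known-good master copy."""
    baseline = {}
    for name in names:
        path = Path(master_dir) / name
        if path.is_file():
            baseline[name] = digest(path)
    if not baseline:
        raise ValueError("no watched files found on the master copy")
    return baseline


def check_generation(gen_dir, baseline):
    """List (file name, problem) pairs for watched files that are missing
    from a backup generation or differ from the master baseline."""
    problems = []
    for name, good in sorted(baseline.items()):
        path = Path(gen_dir) / name
        if not path.is_file():
            problems.append((name, "missing"))
        elif digest(path) != good:
            problems.append((name, "modified"))
    return problems


def last_reliable(generations, baseline):
    """generations: (label, directory) pairs, oldest first.

    Returns (label, suspects). label is the newest generation taken before
    the first sign of tampering, or None if even the oldest one fails.
    Every generation from the first failing one onward is listed in
    suspects, even if a later one passes, because data files may already
    have been damaged by then. A legitimate system upgrade also changes
    these files, so the baseline must be rebuilt from the new master.
    """
    reliable = None
    suspects = {}
    tainted = False
    for label, gen_dir in generations:
        problems = check_generation(gen_dir, baseline)
        if problems:
            tainted = True
        if tainted:
            suspects[label] = problems
        else:
            reliable = label
    return reliable, suspects


def demo():
    """Constructed data: four weekly generations; from week 3 onward the
    stand-in COMMAND.COM has extra bytes appended."""
    clean = b"constructed stand-in for COMMAND.COM\n"
    changed = clean + b"X" * 300  # constructed padding, not real virus code
    autoexec = b"@ECHO OFF\r\nPROMPT $P$G\r\n"
    layout = {"master": clean, "week1": clean, "week2": clean,
              "week3": changed, "week4": changed}
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        for label, command_com in layout.items():
            gen = root / label
            gen.mkdir()
            (gen / "COMMAND.COM").write_bytes(command_com)
            (gen / "AUTOEXEC.BAT").write_bytes(autoexec)
        baseline = build_baseline(root / "master")
        weeks = [(w, root / w) for w in ("week1", "week2", "week3", "week4")]
        return last_reliable(weeks, baseline)


if __name__ == "__main__":
    reliable, suspects = demo()
    print("restore from:", reliable)
    for label, problems in suspects.items():
        print("distrust:", label, problems)
```

The check only notices changes to the watched system files; a program that alters data files alone passes it, which is why guideline 3 still calls for keeping several generations.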
STEPS THE BULLETIN BOARDS ARE TAKING TO AVOID AN EPIDEMIC

The electronic bulletin board systems (BBS) industry is concerned about the potential damage that viruses or "Trojan" programs could cause, and so BBS operators have been aggressively policing themselves. Two operators in particular have gone to great lengths to stop foul play.

Russ Greenberg, the operator of a bulletin board in New York, has written a program called Flu-Shot that counters viruses. Since December of last year an estimated 25,000 users have added the program to their systems. Greenberg challenges anyone who writes viruses or hidden bomb programs to upload any program they want in an effort to destroy his bulletin board system. So far, a few have tried, without success. This year, Greenberg has released three versions of Flu-Shot. The current version, Flu-Shot +, has become a shareware program with a slight twist. Normally, shareware authors ask the user to send them a contribution if they like and use the author's program. Greenberg is willing to donate users' contributions to their favorite charity.

Eric Newhouse, System Operator of the CrestBBS, authored the current "Dirty Dozen Upload Program Alert List." Distributed via bulletin boards across the country, the "Dirty Dozen" was originally created by a BBS system operator named Tom Neff, who kept it as a simple list. It has evolved over three years to become a comprehensive document that lists pirate programs (copyrighted programs distributed without the author's knowledge) as well as Trojan and virus programs. The listing also includes instructions on how to handle a program that has corrupted data and a glossary of commonly used BBS terms.

Russ Greenberg can be contacted at (212)889-6431; Eric Newhouse can be reached at CrestBBS at (213)471-2518.

- Rick Bunzel
Bulletin

Computer Viruses Can be Hazardous

In recent months, a great deal of interest and concern has been generated by the appearance of several computer viruses in both IBM PC's and Apple Macintoshes. Such programs have two primary characteristics:

1) They spread themselves from machine to machine using self-reproducing code, infecting other systems and stashing away code into as many "carriers" as possible.

2) They exhibit the "symptoms" intended by the author of the virus. This could be any number of things, even the erasure of one's disk on a specific date.

Viruses have been designed to attack mainframes, minicomputers and desktop microcomputers, and they aren't partial to any particular brand name. One of the more recent mainframe incidents was a virus that invaded IBM's mail system and brought it to its knees for a couple of days. IBM PC users have experienced viruses for several years, most commonly through the COMMAND.COM file.

Viruses are not all meant to be damaging. The programmer may just want to prove he can do it and have the satisfaction of some notoriety. The Macintosh community got their first taste this winter. The "MacMag virus" was put on a national bulletin board system hidden in a HyperCard stack. It displayed a "universal message of peace" on one's computer on March 2, then removed itself.

Most viruses spread via public bulletin board systems and are hidden in public domain programs. "Sexy Ladies," distributed at MacWorld Expo in San Francisco, erased whatever hard disk or floppy disk it was on when it was launched!

Virus Hunting

When your computer begins to do things out of the ordinary, or when it stops being able to do things it has always done in the past, a virus may be involved.
However, corrupted system files can also lead to similar symptoms. When problems occur, they are much more likely to be the result of non-virus difficulties. When you have excluded normal problem areas, you should look into the possibility that your system has been infected by a virus.

Use a general disk editor to look for invisible files. Unless you have an application that creates them, every such file is suspect. Also, a general check of all the files in your system for resources that don't belong in those files is well worth the effort. A virus might infect any and all applications, system files, or COMMAND.COM and AUTOEXEC.BAT files. A virus might corrupt any file on an infected volume or system, including system files, documents, applications, etc. Some viruses insidiously alter numeric values within spreadsheets just slightly.

The use of networks can easily enhance the spread of a virus. Different scenarios are possible, with the simplest being a public domain area on a server from which everyone gets public information. Also, shared applications residing on a server could become infected, which would then infect every machine on which they were run.

Vaccination

The following precautions help prevent problems:

Write-protect your master diskettes. This prevents a virus from spreading to your original disks. Disk locking mechanisms are typically hardware based - viruses can't infect locked disks!

Protect your networks. Network administrators should not allow just anyone to put software on the server. Applications on a network server should come only from known good masters.

Be wary of public domain software. It should be checked quite thoroughly on an isolated system for any infections before being used on production systems. This also protects one from "Trojan Horse" programs such as "Sexy Ladies."

Quarantine infected systems. If a system is identified as infected with a virus, immediately isolate (quarantine) it from other systems.
This means disconnecting it from any network and not allowing anyone to take any files from the exposed system to another system. Once the system has been "disinfected," the files can be copied or moved.

MicroSystems Technology - 13 - July 1988

Computer viruses - Your PC could be at risk!

A PC coordinator "swat team" is being formed to deal, on a company-wide basis, with problems related to computer "viruses."

Computer "viruses" are so-called because they behave like viruses that invade the human body: they are mischief-making programs that get into computers, propagate and spread - in some cases "lethally," wiping out entire contents of hard disks.

Computers can be exposed to "viruses" in a variety of ways: from freeware or shareware downloadable from bulletin boards, from software acquired from friends, or from shareware ordered by mail.

Following are some suggestions offered by security experts:

- Don't download executable programs for use at work. Avoid the following known contaminated public bulletin board PC programs:
    ARC (not the GE version)
    ARC513
    ARC600
    DISCSCAN.EXE
    DOSKNOWS.EXE
    EGABTR
    FILER.EXE
    LIST60
    QMDM110.EXE
    QMDM110A.ARC
    QUIKRILS.COM
    SECRET.BAS
    STRIPES.EXE
    VDER.COM
- Use only site licensed software and software that comes in factory sealed containers from reputable dealers.
- Never run your system from the original program disks. Always make a backup of the software and put the originals in a safe place. If you have to reinstall software, you want to guarantee that it is not infected.
- Do not use public domain software.
- Do not accept copied or pirated software.
- Never allow an unfamiliar disk to be put on your system.
- Back up your data files often, for disaster recovery.
All applications, including operating system files, must be deleted to remove viruses.

A Macintosh virus called SCORES has been found within Apple and a number of government agencies in Washington. To determine if your Macintosh has been infected, follow these procedures:

1. Open the system folder and locate the notepad file and scrapbook file.

2. Examine the icons used on these files and check that they resemble the small Macintoshes seen on the system and finder icons.

3. If they do not, and instead resemble the standard Macintosh document icon (an upright piece of paper with the upper right corner folded forward), your computer is infected.

If your Macintosh computer is infected, a program is available that will attempt to eradicate the virus from any infected files. A program named Vaccine will alert you if a virus tries to attack your computer.

If you have questions or feedback on computer "viruses," please contact your local PC coordinator.

Do You Know Where Your Software's Been?

by Mark Hiatt

There's been a lot of talk lately about "The Computer Virus Problem." The newspapers and TV networks have carried stories about "infections" and the problems that result when trying to clean an "infected" system. However, there is just as much talk that the whole virus scare is like an urban legend (like the poodle in the microwave)... hard to pin down as a fact. But whether the threat is real or imagined, it is better to be informed about these things... just in case.

"The newspapers and TV networks have carried stories about large mainframe systems becoming infected."

So, what is a computer virus (also referred to as a Trojan Horse)? Usually, it is a piece of code within a program that has nothing to do with the program itself.
It copies itself onto other programs or system files and often "sleeps" until a certain date or event occurs. Because it copies itself onto other files, it can easily jump from disk to disk. If you use more than one computer, say one at work and a similar machine at home, you could carry an infected disk from one to the other and spread the problem around the office.

The name "Virus" stems from this contagious quality in the program. Just as a child picks up a cold at school and brings it home, where a parent gets it and takes it to the office - a computer virus can be caught from a disk a friend gives you or from a local BBS and spread to machines in your user's group, workplace and beyond.

A computer virus may be relatively benign, rising up now and again to flash a nasty picture or cause your machine to beep. That's not serious, just an annoyance (unless you're showing the boss your latest spreadsheet figures). However, a virus can also be vicious - lurking on your system for just the right situation, waiting to erase the files on your hard disk - and that can be several megabytes of data.

On GEnie's RoundTables, the sysops go over every upload before it is made available to subscribers to make sure you won't find a virus in the files you download.

How at risk are you? It depends on several factors. Do you trade or share software with friends? Do you log onto several local BBS systems? If you do, do you download a lot of files? Do you put these files directly on your hard disk, if you own one? You may be at risk if you answer yes to any of these questions. Another big factor is the type of computer you own and the software available for it.
But what do you do if you don't write programs, can't read programming languages and wouldn't know a core-dump from the city dump? There is probably an anti-virus program on GEnie in your computer's RT library. Many of these are very thorough and are either free or shareware.

Charles Strom, of the IBM RT, recommends "Flushot" (FSP-12.Arc), CHK4BOMB and STRINGS to owners of IBM (and compatible) computers, and assures IBMers that the paranoia is not warranted by what the IBM sysops have seen so far. Still, Charles says that you can search their software library for the keywords "Trojan" (as in Trojan Horse) or "Virus." These will turn up dozens of files dealing with protection.

"GEnie sysops go over every upload before they are made available to subscribers."

David Kozinn (also an IBM sysop) adds that many programmers are taking the threat into account, by including virus-checking routines in their programs. If something tries to attach itself to one of these new programs, it's detected.

Over at the Apple II Library, check into "Apple.Rx" from ProSel's Glen Bredon. It's a shareware program that Tom Weishaar, Apple II Manager, recommends.

If you own a Macintosh, try "Vaccine" from CESoftware's Don Brown. It's a free file you place in your System folder and forget about - until it finds something questionable. Then you can quit what you're doing and have a look, or ignore the warning and proceed at your own risk. Bart Barton says that a search of the Library will turn up other anti-virus programs as well.

"Never put a disk in your machine unless you're sure of where it's been."

What do you do if you're infected? In most cases, simply destroying the affected software will do the trick (you do still have the originals, right?). Of course, you'll want to stop sharing or trading software, and it would be a good idea to let your friends know, so they can check for themselves. Once you've restored everything from the originals, you should be alright again.
But be careful not to contaminate your original disks, otherwise you'll just end up making multiple copies of the virus.

What can you do to make sure you're not at risk? We can learn a lesson from Dr. Ruth Westheimer here - stay monogamous and use protection! Don't share software with just anyone, and never put a disk in your machine unless you're sure of where it's been!

Rx for Computer Viruses

Several anti-virus programs are available on GEnie. These can be found in the machine-specific RoundTables. Below is a list of programs you can download from the RT libraries which provide virus-checking routines. However, files are frequently updated; if you have trouble finding these, try searching the RT libraries under the keyword TROJAN or VIRUS.

Roundtable    File Name
IBM           Flushot (FSP-12.Arc)
              CHK4BOMB
              STRINGS
Apple II      Apple.Rx
Macintosh     Vaccine
Atari         Protect.Acc
Amiga         Trojan_Horse_Warning

JUNE 28
FIRST LOOKS

Confronting the Growing Threat of Harmful Computer Software Viruses

BY JIM SEYMOUR AND JONATHAN MATZKIN

Now you see it: now you don't. Or maybe you never really saw it at all.

That will-o'-the-wisp nature of computer viruses, and the incredible difficulty of proving their role in the loss or destruction of data, have made tracking them down, defeating them, and protecting against them incredibly difficult.

It is so easy to lose data in a computer system - any computer, from a PC to a Cray supercomputer - that often, over the last few months, what was almost certainly operator error, or magnetic media wear, or power-line fluctuations, or any of a hundred other quite normal if no less frustrating events, has been misidentified as the work of computer viruses.

But that is not the whole story.
The skeptics insist that the computer virus alarms heard this spring are overstated. That skepticism has been fed by wild and unconfirmed reports, impossible to track down, of such infections as one that supposedly brought the Unix systems of a telecommunications giant to their knees, or a "PLO" virus aimed at shutting down the Israeli defense computer system.

It isn't surprising that these stories should have persuaded the skeptics that viruses are cruel jokes, this year's brand of black humor.

But the skeptics are wrong. Computer viruses, written specifically to destroy programs and data residing in personal computers, are real and have been widely distributed: Many PC users have lost important work, at substantial cost.

Viruses exist. The bad news: they can represent a clear and present danger to the programs and data stored on your computer's disks. But there's good news: you can avoid viruses through reasonable measures, and counterviral products are available to help detect viruses lurking on your disks and to protect against future infections.

Kenneth VanWyk knows computer viruses are real, because he's been fighting them. A Senior Consultant at Lehigh (continues on page 34)

Why It's Time to Talk About Viruses

Over the last three months, the computer-virus story has ripped through the computer community like a prairie fire. Reports of program- and data-killing viruses have made for sensational reading in daily papers, business magazines, and some computer publications.

Many of those stories have been grotesquely exaggerated, while others have gone to the opposite extreme, denying the existence of viruses or branding them as bizarre hackers' jokes.

At PC Magazine we, too, have worried about computer viruses. We have had our own encounters with them. But too many of the stories we have seen and heard were self-evidently false. Too few facts supported claims of viral disasters.
We have investigated every report we have found of computer virus infections. We have talked with those who believe they have suffered through those infections, with those who have beaten them back, and with those who have created programs to detect and, sometimes, defeat viruses.

And we have learned the chilling truth: computer viruses are very real threats. We have satisfied ourselves of their existence, of their very real damage, and of the importance of alerting computer users.

Even though we acknowledge that turning the light of publicity on those who take pleasure in destroying the work of others will inevitably encourage some of these vandals, we cannot turn away from a responsibility to warn our readers. And to help them counter that risk.

Because this has got to stop. In the words of Don Brown, whose efforts to stop the SCORES virus on the Macintosh have been a beacon for others, "The whole thrust of the personal computer has been bringing control of the computer to the user. Viruses steal that control away, and replace it with fear, uncertainty, and doubt. Why would anyone want to take such a gigantic step backwards?"

Why, indeed?

- The Editors

PC MAGAZINE - JUNE 28, 1988 33

[Figure: How One Virus Destroys and Moves On. Panel labels: Virus is downloaded via modem and hidden in a free [...]. When virus is executed, it performs the utility function and inserts instructions into COMMAND.COM on the hard disk. When corrupted floppy is read, virus loads instructions into RAM. When system reads floppies, virus in RAM deletes files and copies virus code into hidden files. Virus copies itself onto floppies when a DOS DIR is executed. Virus is not apparent on infected floppies and will travel through an organization. Inset: Vaccines block any attempt to alter system files.]

How One Virus Destroys and Moves On

Virus programs have taken many forms and some are innocuous, but here's a typical destructive virus. The author alters a popular public-domain or shareware program offered on a public bulletin board to include the virus code. The host program runs as expected after it's downloaded, but the virus sets off on a different path, targeting the system files on a hard disk. Most vaccine programs are designed to prevent changes to the system files. They'll also flash a warning that the active program is attempting to make such changes, a sign that this is a program you want to erase immediately.

[...] about those programs, [...] only that they were proprietary trade-secret programs. With a wealth of programming talent to call on, the company was able to stamp out the virus in a matter of days.

EDS won't be specific about what they're doing to prevent future infections, noting, "We [...] (continues on

Viruses (continued from page 33)

University's Computing Center, VanWyk has seen hundreds of IBM PC users' floppy disks erased by a runaway virus launched by a computer vandal.

"This thing was discovered about two days before Thanksgiving break last fall," VanWyk recalls. "If some students had not discovered it then, and people had gone home for the break, it could have gotten a lot worse. Because if students had taken infected floppy disks home with them it could have gone a lot farther . . . to their home machines, and from there, with Mom and Dad into their offices."

Lehigh has developed its own "vaccine," a program that checks the COMMAND.COM file at boot-up and, if it finds the virus, writes over that part of the disk. And the university has also begun using "notchless" floppy disks and encouraging the use of write-protect tabs as protective measures.

"If you don't take precautions, you're just asking for a disaster to happen," VanWyk says. And, chillingly, "Given how easy it is to write even a simple computer virus like this one, I think we have seen only the tip of the iceberg . . ."

The virus that infected disks at Lehigh was typical of simple viral code. About 300 bytes of assembler, it looked for the COMMAND.COM file present in DOS and attached itself to it. It was then spread by duplication of that disk, or insertion of that disk into a PC with a bootable hard disk. Later, the virus began its dirty work, erasing the disk.

Then Miami University was hit by another virus, BRAIN. Joe Simpson, Assistant Manager of Academic Computing Services at Miami, had to deal simultaneously with BRAIN on the university's PCs and SCORES, yet another strain, on its Macintoshes.

"Once the epidemic was recognized, panic set in here," Simpson says. "A lot of people lost data to these viruses. We still don't feel we have a complete understanding of what happened at Miami."

If you boot a PC from a floppy disk containing BRAIN, the virus copies itself onto any disk for which you subsequently ask DOS to show a DIRectory. The strain that infected hundreds of disks at Miami University was relatively benign. SCORES, the most widely distributed Macintosh virus, is much more pernicious. It
looks for specific program- ming "signatures." It has ap- peared at many academic and business computing centers, from NASA to the huge Texas computer firm EDS (a subsid- iary of General Motors). -At EDS. two dozen Macs were quickly infected with SCORES. The programs it was affecting were first developed at EDS: the company won't talk Since data loss occurs. Infected floppies may load ID discovery of virus. but tracking virus to original system may no longer be possible. PC MAGAZINE348 JUNE2 8,198 8 DrAP.0,7arnAvio, tn-n-iftSanitized Copy 'Approved for Release 2013/07/08 : CIA-RDP91-01355R000300100002-4 ia Declassified in Part - Sanitized Copy Approved for Release 20-13/67103 : -CIA-RDP91-01355R0663901001002-4 IS at it 'c Si Viruses (continued from page 34) have security and other mea- sures in effect: we wouldn't want to go into those. One of the things we sell a customer is our ability to secure our customers' data, so we're very. very cau- tious with that." Exactly. Which is why few businesses that have been at- tacked by viruses will even ac- knowledge the problem. let alone say how (hey countered it?or what they've done to pro- tect against future infections. Would you leave your mon- ey in a bank that had its comput- er syclem corrupted by outside software? Moreover, no company wants to become, through fool- ish claims of invulnerability. The Big Test?the number-one target of those loosing these vi- ruses on the world. Harold Highland. Editor in Chief of Compmers et Security magazine and a recognized ex- pert. says it well: "My recom- mendation to a corporate entity would he to deny it immediate- I) . I have advised industry that if anything like this happens. and you can kill it by denying it. kill it. "Even the government agencies will deny it. If you go back to the invasion of NASA's physics space network. last September when they were pen- etrated 11) the Hamburg Chaos Club, and the club announced thai the had planted viruses. 
the NASA director of data security admitted that there was a penetration and the planting of viruses.

"But within one week the ... came back that, yes, there was a penetration, but there are no viruses. And since then it has been denied that there is a virus."

What to do? One corporate answer has been to ban shareware, freeware, or other programs that have been downloaded from bulletin boards. That's the new company policy at a Fortune ... multinational petroleum company. The company has had reports of viral infection from PC-using employees, though it has not yet been able to confirm that viruses were, in fact, responsible for the incidents.

To forestall the threat, and to calm the nerves of skittish executives, the company issued a formal policy banning downloaded software.

In academic computing settings -- long the target of such vandalism, though rarely so maliciously and destructively as we have seen this spring -- that kind of ban won't stand up. So colleges and universities have been trying to get faculty and students to use write-protected floppy disks, and to install so-called "vaccine" programs. (See antivirus program reviews, page 36.)

Few individual PC owners will want to deny themselves the wealth of useful software available from bulletin boards, and while write-proofing your bootable floppies may be a good step, it's inconvenient and hardly a complete answer.

Common-sense measures, such as not loading new public-domain and shareware programs from unknown sources, certainly help. Most user-group disk librarians are now inoculating library disks against viral infections; if your group isn't on guard against viruses, find out why it isn't. And stop using library disks until you are satisfied that adequate security is in place.

Finally, you should consider one of the various vaccine programs. They can go a long way towards protecting your disks as well as your peace of mind. But none are complete answers, and none guarantee that you won't fall victim to the next round of cleverness in this escalating germ warfare.

Lehigh's Kenneth VanWyk again: "If you as a user recognize the vulnerabilities of the antivirus package you're using and don't rely on it 100 per cent, then there is certainly a place for these antivirus programs. The problem comes in when a user says, 'Oh, I'm running XYZ antivirus software -- nothing can happen to me.' A sense of invulnerability can be a very dangerous thing these days in computing."

How Vaccine Programs Work

Virus programs replicate themselves. Run one and it will infect other programs on your system. Share one of those programs with friends and the virus will infect their systems.

If it did nothing else, a virus would still slow your work. Each infected file grows, sometimes repeatedly, so it loads slower. But most viruses include added malicious features. After they've infected your whole system, or on a given date, they may reformat your hard disk, corrupt data files, or simply cause constant, small problems.

Antivirus programs attempt to foil viruses by keeping them out of your system, preventing them from replicating if they do get in, and blocking their malicious tricks. A good antivirus will also protect against "Trojan Horse" programs -- these are like viruses without the ability to replicate. And it will protect you from accidentally damaging your data.

Antivirus programs work on many different levels. Some common techniques include the following.

KEEPING VIRUSES OUT

Approved Program List: Block any program not on the list. Naturally, this doesn't stop you from accidentally approving an infected program.

Known Virus Check: Scan all executable files for known viruses.

Suspicious Text Search: Display all text strings in a program. If you see "Arf, arf, GOTCHA!", don't run it!

Suspicious Code Search: Check for suspicious commands such as low-level disk ...

Approved TSR List: Warn if any program not on the list attempts to terminate and stay resident.

PREVENTING REPLICATION

Write-protection: Prevent writing to protected files. This should be more than merely setting the file attribute to Read-Only.

Signature Check: Take a "signature" of all approved programs and compare the program with the signature.

Run-Time Signature Check: Whenever DOS loads a program, check it against the signature. Block it if it doesn't match.

BLOCKING MALICIOUS TRICKS

Disk Access Lockout: Allow access only through DOS file functions. This will prevent reformatting and erasure of the File Allocation Table.

FAT Copy: Save a copy of the File Allocation Table in case a virus manages to damage it. Various "unformat" programs already provide this protection.

CMOS Copy: Saves copy of the CMOS information just in case a virus does manage to damage it.

Hard Disk Lock: Temporarily block all access to the hard disk while testing suspect software. Easiest to do on AT-class machines.

-- Neil J. Rubenking

Antivirus Programs Fight Data Loss

HANDS-ON

BY NEIL J. RUBENKING

FLUSHOT PLUS

Antivirus programs are aggravating by nature because they can prevent you from doing perfectly normal tasks like formatting a floppy disk.
Flushot Plus, from Software Concepts Design, provides flexibility to offset the annoyance. You can tell it to allow low-level disk access only until the end of the next program. That will let you run FORMAT without interruption, for example. You can also turn its protection on and off easily.

Flushot Plus is shareware, but it has more features than many commercial programs. These include approved TSR list, write-protection, read-protection, signature check, run-time signature check, disk access lockout, FAT copy, and CMOS copy.

The FLUSHOT.DAT data table lists the types of files you want to write-protect or read-protect, along with any exceptions to the type. For example, you could write-protect all .COM files except those in the "DEVELOP" subdirectory. The table also lists your approved TSRs and any files you want signature-checked. You're advised to hide this data file under a different name to avoid "smart viruses" targeted to damage it.

VACCINE, VERSION 1.2

FoundationWare's Vaccine provides a six-part protection program:

1) Installation and Check-Up: Checks out your hard disk arrangement and adds useful commands to your AUTOEXEC.BAT and CONFIG.SYS files. Makes listed executable files read-only.
2) ...: Signature check.
3) Runtime ...: Runtime signature check.
4) Surveillance: Disk lockout.
5) Bomb Shelter: Hard disk lock.
6) Critical Disk: FAT copy and CMOS copy. If a virus does damage your system, reboot with the Critical disk ... restoration.

Vaccine protects all files with your chosen extensions. This is handy, since ... well infect an overlay ... .COM or .EXE file. The Runtime module ... that DOS loads for execution, but only ... files get checked at boot-up. ... The program is ... programs, handling critical disks, and managing software updates.
This vaccine is strict, but it will protect your system.

MACE VACCINE

Mace Vaccine, from Paul Mace Software, offers two levels of protection. At level 1, it gives write-protection to system files, the boot sector, and the partition table. It also guards against common tricks that disable the root directory. Protection level 2 ... access lockout.

Mace Vaccine is best used with the Mace Utilities, which include FAT copy and restore ...

Screen image: FoundationWare's Vaccine
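The Signature Check and Approved Program List techniques from the "How Vaccine Programs Work" sidebar, together with a type rule that exempts one subdirectory as in the FLUSHOT.DAT description, sketched as an added example that is not code from the article or from any product it reviews. The PROTECT and EXEMPT_DIRS names are hypothetical (they are not FLUSHOT.DAT syntax), SHA-256 stands in for a 1988-era checksum, and the sample disk and its contents are constructed.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Hypothetical rule table (not FLUSHOT.DAT syntax): types to check, exempt dirs.
PROTECT = ["*.COM", "*.EXE"]
EXEMPT_DIRS = {"DEVELOP"}

def signature(path):
    """SHA-256 of the file, standing in for a 1988-era checksum."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def covered(root):
    """Yield relative paths under root that the rule table covers."""
    for p in sorted(Path(root).rglob("*")):
        rel = p.relative_to(root)
        if (p.is_file() and not EXEMPT_DIRS & set(rel.parts[:-1])
                and any(fnmatch.fnmatch(p.name.upper(), pat) for pat in PROTECT)):
            yield rel.as_posix()

def take_baseline(root):
    """Signature check, step 1: record size and signature of approved programs."""
    return {rel: (Path(root, rel).stat().st_size, signature(Path(root, rel)))
            for rel in covered(root)}

def verify(root, baseline):
    """Step 2: compare the disk with the baseline and list the differences."""
    findings, current = [], set(covered(root))
    for rel, (size, sig) in baseline.items():
        if rel not in current:
            findings.append((rel, "MISSING"))
        elif signature(Path(root, rel)) != sig:
            grew = Path(root, rel).stat().st_size - size
            findings.append((rel, f"MODIFIED ({grew:+d} bytes)"))
    findings += [(rel, "UNAPPROVED") for rel in sorted(current - set(baseline))]
    return findings

def demo():
    """Constructed sample disk: take a baseline, change files, verify."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "DEVELOP").mkdir()
        Path(root, "COMMAND.COM").write_bytes(b"\x90" * 1000)
        Path(root, "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 500)
        Path(root, "DEVELOP", "TEST.COM").write_bytes(b"v1")
        baseline = take_baseline(root)
        with open(Path(root, "COMMAND.COM"), "ab") as f:
            f.write(b"\xcc" * 300)  # constructed filler standing in for appended code
        Path(root, "DEVELOP", "TEST.COM").write_bytes(b"v2")  # exempt directory
        Path(root, "NEWTOOL.EXE").write_bytes(b"MZ")  # never approved
        return verify(root, baseline)

if __name__ == "__main__":
    for name, status in demo():
        print(name, status)
```

As the sidebar notes for approved lists, a baseline taken from a program that was already altered verifies cleanly, so the baseline has to be recorded from known-good copies.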