                            COMPUTER SECURITY
                            -----------------

                      Notes of the presentation to 
                 The Institution of Production Engineers
                            March 21, 1990 by

                     E.A.Bedwell, E.D.P. Specialist
                     ORTECH International (NRC/IRAP)
                 2395 Speakman Dr., Mississauga L5K 1B3               
                        (416) 822-4111, Ext. 261


The writer wishes to thank the Institution of Production Engineers and
its President for the invitation to make this presentation, and to
express sincere appreciation to David Stang, Ph.D., Director of Research,
National Computer Security Association, for his contribution both to this
paper and to computer security in general.  And I would be very remiss if
I neglected to mention the professional secretarial assistance provided by
Jane Templeman, who makes our whole team tick like the NRC official time
clock - the one that gives the CBC time signal.

This document is, hopefully, written softly:  after all, it might be
easier to digest if I have to eat my words.  I do not profess to be "the
expert" in the field of computer security; an expert is someone who knows
more and more about less and less until s/he knows absolutely everything
about nothing.  I hope never to stop learning, which means (thankfully)
I'll never be an expert.

               INDEX
               -----
          1.   Definition/Scope of "COMPUTER SECURITY"
          2.   Why Should You Be Concerned?
          3.   Types of Security Breaches
          4.   Reasons for Exposure
          5.   General Security Rules (all computer systems)
          6.   Viruses:
                         6.1  History
                         6.2  Effect
                         6.3  Why do people do it?
                         6.4  Symptoms
                         6.5  Concerns
                         6.6  Known Virus Software (1)
                         6.7  Quick Guide to Virus Names (1)
                         6.8  Table of Virus Effects
                         6.9  Virus Detector/Antidote software
                         6.10 Trojan Horses
          7.   PC Rules of Thumb
          8.   Easy Tricks for PC Security
          9.   So You're Infected (Cure)
          10.  Summary:  What Can You Do?
          11.  Security Policy:  Points for Consideration
          12.  To run SCAN (included on this diskette)

(1)  David Stang, Ph.D., "Network Security in the Federal Government,"
     January, 1990, p.168-169 (updated by E.A.Bedwell, March, 1990)










Tonight's topic is "Computer Security," a subject near and dear to my
heart after catching fraud a few times, and cracking system security a
few times.  The only unfortunate part of this evening is that I have
enough material to cover an intensive 2 or 3 day seminar and I only have
something over an hour, so in addition to extensive notes from this
presentation, I've put an article on viruses, and a PC virus detector
program on diskette for you.


1.   SCOPE OF COMPUTER SECURITY

Computer security relates to any potential loss of information or your
ability to operate, regardless of the source of the problem.  Of course,
all the publicity about computer security is going to the virus
situation.  I don't want to dissuade anyone from their concerns about
viruses, because it's definitely a growing problem, and if you get hit,
you'll be sorry you ever laid eyes on a computer.  But, current estimates
indicate that viruses represent only 3% of all the computer problems now
occurring.  Of course, if you're one of the 3%, like CNIB or Barclay's
Bank Canada were last fall, you'll feel like you're the only one on
earth.  The difference between viruses and other computer security issues
is apparently one of control:  I hope to convince you that you have as
much control over viruses and as little control over the other 97% of
problems as to make them equal threats to the safety of your computer.

I'm going to get to viruses later, their prevention, detection and cure,
but I'd first like to cover the other major problems that affect
computer security - the other 97% - and I'd like to start with reasons
why you should be concerned about security.


2.   WHY SHOULD YOU BE CONCERNED?

Your data is a valuable asset, just like premises, equipment, raw
materials and inventory.  Because so much of modern business depends on
computers - financial systems, engineering design, medical diagnosis,
production and safety control - the destructive potential is greater
every year.  There has been more than one company that's suffered great
losses, and even gone under because of the loss of things like their
accounts receivable records:  no one is going to pay you if you don't
send them a bill, and if they get word of your inability to invoice them,
they're darned unlikely to volunteer payment - so you're in a financial
mess.  The same goes for your design information, production data, the
consequences if safety control systems malfunction, or even the simple
loss of your customer list.

Another reason why you should be concerned is, too often, people don't
think about computer security until it's too late.  There's a saying in
my industry that, "He who laughs last probably made a backup."  Another
saying is, "Experience is something you don't get until just after you
needed it the most."  Well, if it means the life of your company, or the
loss of potentially millions of dollars, or even just the information on
your home computer, it might be wise to get at least some basic knowledge
before the disaster strikes.












3.   TYPES OF SECURITY BREACHES

Now that the 'why' is out of the way, let's break down the 97% of
problems.  These are not in a specific order, but just as they came to
me.  Nor have I attempted to attach percentages to each type of risk,
because very few computer crimes are actually reported, so any figures
that anyone could estimate would not be realistic:


FRAUD/THEFT
By far the biggest problem is fraud or theft.  Some examples of this are:

     CHAOS - 1987 - Hamburg  ->  NASA data bank info sold to USSR

     Foreign exchange              }    famous because of big $
     Electronic Funds Transfer     }    amounts, and because of the
     Insider Trading               }    publicity they've received

     Most common:  Cookie jar technique - e.g., interest, income tax
                   (aka 'Salami' technique - take a little and no one
                   will notice)

Specific examples I've caught were in Payroll (no crash on < or =),
Accounts Payable (dummy companies), Purchasing (failed reasonableness
test), and Accounts Receivable (failed balance routine).  These were all
thefts of money.

Another example of theft which is very interesting is the 28-year-old
Canadian who was arrested at UNISYS in Pittsburgh on Dec. 13/89 - what he
is alleged to have stolen was NCR's trade secrets - to the tune of
US$68M, which comes under a different Canadian law from monetary theft.



MALICIOUS DAMAGE / VANDALISM
The next major type of computer security breach is the disgruntled
employee syndrome.  Their favourite is the logic bomb or time bomb:  on a
certain date or condition after they leave the company, something's going
to happen, such as at the health centre in LA where all prescriptions
suddenly multiplied by 2.  That's really serious, even compared to the
logic bomb that superzaps all your files off the face of the earth,
because someone could die.  At least with a superzap, you can recover if
you've been backing up and have a disaster recovery plan in effect.  Pure
physical vandalism occurs more often at educational institutions, but is
still a serious threat.  I wouldn't let me near your machine if I was
angry with you - my vandalism would be difficult to detect (and expensive
to repair).  A simple application of a magnetized screwdriver ......



LACK OF SECURITY PLANNING IN SYSTEM DESIGN STAGE
One of the biggest logic bombs that's going to occur is on January 1/2000.

Do you know how many computer systems use a 2 digit number for the year? 
Do you know how much work it's going to be to adapt systems to recognize
00 as being greater than 99?  My grandmother was born in 1886, and most
systems show her birth year as 99.  If she lives to the year 1999, I
wonder if they'll start sending her the baby bonus.  This time bomb is not
malicious damage, it's pure lack of planning at the system design stage. 
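
The two-digit year problem described above, as an added example that is not
part of the original notes. Function names, the pivot value and the sample
years are assumptions chosen for illustration.

```python
# Added example, not from the original notes. Names, the pivot and the
# sample values are constructed for illustration.

def expired_naive(expiry_yy: int, today_yy: int) -> bool:
    """Legacy check on two-digit years: treats 00 as earlier than 99."""
    return expiry_yy < today_yy


def expand_year(yy: int, pivot: int = 30) -> int:
    """Fixed-window expansion: 00..pivot-1 becomes 20xx, the rest 19xx."""
    if not 0 <= yy <= 99:
        raise ValueError(f"two-digit year out of range: {yy}")
    return (2000 if yy < pivot else 1900) + yy


def expired_windowed(expiry_yy: int, today_yy: int, pivot: int = 30) -> bool:
    """Compare only after both years have been expanded to four digits."""
    return expand_year(expiry_yy, pivot) < expand_year(today_yy, pivot)


def age_naive(birth_yy: int, today_yy: int) -> int:
    """Legacy age calculation on two-digit years."""
    return today_yy - birth_yy


def age_four_digit(birth_year: int, today_year: int) -> int:
    """Age from stored four-digit years; rejects impossible input."""
    if birth_year > today_year:
        raise ValueError("birth year is in the future")
    return today_year - birth_year


if __name__ == "__main__":
    # Contract expiring in 2000 (stored 00), checked during 1999 (stored 99).
    print(expired_naive(0, 99))        # wrongly reported as expired
    print(expired_windowed(0, 99))     # still valid
    # Constructed record: born 1899, stored as 99, processed in 1999.
    print(age_naive(99, 99))           # treated as a newborn
    print(expand_year(99))             # windowing cannot recover 1899
    print(age_four_digit(1899, 1999))  # correct only with four stored digits
```

Windowing repairs comparisons near the century boundary, but a record a
century old stays ambiguous until the year is stored with four digits.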







Things like balance checks and reasonableness tests are not built into the
system from the beginning, and it's not easy to put them in later.  Users
must participate at the system design stage, because only they know what's
reasonable and what can be balanced.  Don't expect a computer technician
to know everything there is to know about your job.
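
A balance check and a reasonableness test on a payroll batch, as an added
example that is not part of the original notes. The field names, limits and
sample batch are assumptions constructed for illustration.

```python
# Added example, not from the original notes. Field names, limits and the
# sample batch are constructed for illustration.
from decimal import Decimal

# Limits a payroll user would set at design time (assumed values).
MAX_HOURS = Decimal("80")
MIN_RATE, MAX_RATE = Decimal("5.00"), Decimal("60.00")


def reasonableness_errors(rec):
    """Per-record tests: is each value plausible on its own?"""
    errors = []
    if not Decimal("0") < rec["hours"] <= MAX_HOURS:
        errors.append("hours outside limit")
    if not MIN_RATE <= rec["rate"] <= MAX_RATE:
        errors.append("rate outside range")
    if rec["gross"] != (rec["hours"] * rec["rate"]).quantize(Decimal("0.01")):
        errors.append("gross does not equal hours x rate")
    return errors


def check_batch(header, records):
    """Run reasonableness tests, then balance the batch to its control totals.

    header holds the record count and control total prepared independently
    by the user department before the batch was keyed.
    """
    findings = [(r["emp"], e) for r in records for e in reasonableness_errors(r)]
    if len(records) != header["count"]:
        findings.append(("BATCH", "record count mismatch"))
    total = sum((r["gross"] for r in records), Decimal("0"))
    if total != header["control_total"]:
        diff = total - header["control_total"]
        findings.append(("BATCH", f"out of balance by {diff}"))
    return findings


def row(emp, hours, rate, gross):
    """Build one constructed payroll record."""
    return {"emp": emp, "hours": Decimal(hours),
            "rate": Decimal(rate), "gross": Decimal(gross)}


HEADER = {"count": 3, "control_total": Decimal("2350.00")}
CLEAN = [row("E100", "40", "20.00", "800.00"),
         row("E101", "37.5", "24.00", "900.00"),
         row("E102", "40", "16.25", "650.00")]
# One rate nudged after the control total was struck: plausible on its own.
ALTERED = CLEAN[:2] + [row("E102", "40", "16.50", "660.00")]
```

The altered record passes every reasonableness test and is caught only
because the batch no longer balances to the independently prepared total.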




DISTORTED SENSE OF HUMOUR
Then there's the practical joker - the one who thinks it's funny to break
into the system to see what he can change, or create some dumb message to
appear on your screen.  That's what happened at IBM when the infamous
Christmas tree appeared 2 years ago (1987).  The joke was three-fold  -
first it analyzed your ...