The complete computer virus handbook : David Frost Price Waterhouse, LBU9, 1 London Bridge Street,...



Page 1: The complete computer virus handbook : David Frost Price Waterhouse, LBU9, 1 London Bridge Street, London (Tel: 01-407-8989).

Vol. 11, No. 4, Page 22

meet the challenge. User hostility and failure to consistently comply with the system’s rules weighed against its deployment. The spectre of terrorism was also ever-present - a ‘live and well’ verifier was needed to ensure that severed fingers could not fool the system!

It takes a brave man to demonstrate a new system undergoing trials to a large professional audience. Ian Cameron of British Telecom did just that by using ‘Phoneline’ - a joint venture between BT and the Royal Bank of Scotland plc. A voice verification system combined with a password and a PIN number entitles the user to undertake a series of account transactions and requests by telephone. The system chooses words at random to counter tape-recording of a legitimate user by an imposter.

The presentations concluded with a video film about EyeDentification System 7.5, a retinal scanner and its use within a US state penitentiary. The blood vessel pattern of the eye is the most distinctive and individual biometric feature. Retinal scanning can thus provide access control at the highest security levels. Health and safety questions related to retinal scanning are never far from the surface. However, a method that has gained official acceptance in Sweden, West Germany and the ever stringent United States would appear to be beyond reproach.

The consensus among delegates and speakers was that biometric systems offered enormous potential; there was much work still to be done; and that the United Kingdom (in particular) required official standards.

This worthwhile and enjoyable day was a brave departure on the part of the organizers into a relatively new and often misunderstood area of security. I for one, came away with a basic understanding of the methods involved, the available and emerging technology, the suitable applications in the real world, and the advantages and disadvantages inherent to biometric systems.

Edward Wilding

Biometrics Seminar Reference Manual (£35 inclusive). Available from Elsevier Seminars, Mayfield House, 256 Banbury Road, Oxford OX2 7DH.

BOOK REVIEW

Title: The Complete Computer Virus Handbook, Issue 1, October 1988

Author: David Frost

Publisher: Price Waterhouse, LBUS, 1 London Bridge Street, LONDON (Tel: 01-407-8989).

Price: £15 (including post and packaging)

This handbook is the result of work carried out on viruses by Price Waterhouse during 1988. Further editions are planned.

There are three main sections to the book. The main text (20 pages), an appendix describing the various viruses that are thought to be prevalent (9 pages, one virus per page), and an appendix detailing evaluations of the anti-virus products that are currently available (28 pages). There is no index, and a short list of only 13 references at the back of the book.

The content contains a clear explanation of the possible ways in which viruses can be detected and neutralized. Much care has been taken to define all the terms used within the book, and given some of the rubbish about viruses appearing in the press recently, this is very valuable.

The anti-virus programs discussed in the book are classified into 3 types.

Class 1: infection prevention designed to stop replication, and prevent the initial outbreak.

Class 2: infection detection designed to spot virus attacks.

Class 3: infection identification of specific types of virus.

COMPUTER FRAUD & SECURITY BULLETIN

©1989 Elsevier Science Publishers Ltd., England./89/$0.00 + 2.20 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)


Vol. 11, No. 4, Page 23

The book does not make clear which of the comments about anti-programs relates to actual testing with viruses, and which comments are based on the various manufacturers’ literature. Of the 28 anti-virus products mentioned in the book, I only have detailed knowledge of ‘Vaccine’ from Sophos (it is the subject of a forthcoming technical evaluation). The entry for Vaccine states that it can not check the boot sector, the File Allocation Table, the root directory, hidden files, or MS-DOS interrupts. Vaccine can check all these!

Discussion of the details of the various viruses contains the caveat: “These details have been obtained from press reports and, where possible, by evaluating the virus program itself”. The book would gain in stature if specific details of the viruses available for testing were provided, along with details of which anti-virus programs they have been tested against.

A methodology is proposed which aims to help to reduce the risk of exposure to computer viruses. After severe paraphrasing this boils down to : take regular backups, don’t boot the computer from an unknown floppy disc, test software for the presence of a virus, don’t use programs downloaded from bulletin boards, educate the computer users, and do all tests on an isolated computer. I can’t fault such advice.

I commend the lack of plugs for Price Waterhouse in the book. It must have been tempting to scatter details of the various Price Waterhouse services throughout the text, but this has been sensibly constrained to a single clearly marked page.

The book comprises A5 pages inserted in a ring binder, but the small size of the rings prevents the pages being turned properly. This proved near impossible to use, so I removed the sheets from the binder, whereupon they promptly fell all over the floor. A better ring binder would seem a good idea in future editions.

Title : Online Auditing Using Microcomputers.

Author: Jerry Fitzgerald.

Publisher: Jerry Fitzgerald & Associates, 506 Barkentine Lane, Redwood City, CA 94065, USA.

Price: US$27.95 (USji5.00 additional for international airmail).

Jerry Fitzgerald’s Online Auditing Using Microcomputers comes with a disk that contains some 28 audit and/or security programs that make it a worthwhile addition to anyone’s utility program file. The author has reviewed more than 300 public domain software programs and selected this handy collection.

Although this 44-page volume is directed toward the auditor there are many programs that can be used for data integrity and other security purposes. Written in simple language for the non-technical microcomputer user, the book contains some unusual programs.

BADSECT enables the user to identify bad sectors on either a floppy or hard disk. Although these sectors are not normally readable under conventional DOS methods, the program also permits the user to ‘restore’ these sectors so that they can be read more easily.

CMP can be used to compare two files on different or the same disk for identifying added, changed or deleted sections in one file. This is a useful program to determine if any modifications were made during the file copy procedure.

COMPARE performs a line-by-line comparison of two ASCII source files. When a difference is detected, seven lines of code from each file are displayed.

DPROTECT is used to ‘write protect’ one or more floppy disk drives and simultaneously protect all hard disk drives from illegal or
