
Transcript of Vaccine

Vol. 11, No. 7, Page 13

hastily pushed out of the back door but will be met by the full force of the law.

Let us not look on the pessimistic side. The culprits have been arrested and charges are being contemplated. It is likely that a prosecution will follow. Have you, even at this late stage, surrendered all control over the enquiry?

Well, the public agencies are the final arbiters of whether they should be prosecuted or not, but there is no reason why you cannot make your feelings felt about what should happen. As I stated above, your cooperation is essential. Not only that, your own course of action may affect the decision to prosecute. If, for example, the person arrested is an employee, and you propose to dismiss and sue that person for the missing money, that may meet the justice of the case without criminal proceedings.

After saying that, it is rare for a decision to be made not to prosecute after arrest. That decision would tend to be made much earlier in the investigation. After that, the public agency would only continue to be involved if proceedings are going to result or, for example, to gather intelligence or to deter others.

The Reprise

No-one would say that it is easy to respond to computer crime when it happens. For that reason, planning ahead is essential. This article, I hope, has persuaded you to include in that plan three courses of action. Firstly, the creation of a line of communication between yourself and your local police force before such a crime occurs. Secondly, the establishment of a set of criteria to determine whether to involve a public agency and when. Thirdly, the determination of the level of control you propose to exercise. These provisions may not prevent computer crime occurring, but they will ensure that you are ready when it does.

Mark Tantam, Serious Fraud Office, UK

TECHNICAL EVALUATION

VACCINE

Product: “Vaccine”

Author, Developer, Vendor: Sophos Ltd, Haddenham, Aylesbury, Bucks HP17 8JD, UK; tel: 0844-292392.

Availability: IBM PC/XT/AT, PS/2, or close compatible running MS-DOS or PC-DOS from v2.00 upwards.

Version evaluated: 2.01 (serial number 10351423157).

Price: £195.00, one-off.

Hardware used: ITT XTHA (a PC compatible) with a 4.77MHz 8088 processor, one 3.5 inch (720K) drive, two 5.25 inch (360K) drives, and a 30 Mbyte Western Digital Hardcard, running under MS-DOS v3.30.

Vaccine is a software package for ensuring that programs and/or data have not been altered in any way. It aims to detect effects caused by malicious programs.

It is not my intention in this article to describe the various types of malicious computer program that are known to exist (viruses, Trojan horses, logic bombs etc.). Vaccine does not care what has caused a change; it simply reports that some part of a disk (and/or memory) has been altered. It is up to the user to decide whether to act upon this report, or to ignore it because the change was introduced purposefully.

Vaccine uses a cryptographic algorithm, coupled with a key, to calculate a cryptographic checksum for blocks of data. This data can either be a file, named sectors on a disk, or specified parts of memory. For obvious reasons, this cryptographic checksum has been called a “fingerprint” by the developers of Vaccine. Either the algorithm defined in International Standard 8731 Part 2 (ISO), or a Sophos proprietary algorithm (SPA), can be used to calculate fingerprints. The ISO algorithm is public knowledge. Details of the SPA algorithm have not been disclosed, so I cannot comment on its strength (or otherwise). Previous technical evaluations have discussed the use of proprietary algorithms at some length.

COMPUTER FRAUD & SECURITY BULLETIN

©1989 Elsevier Science Publishers Ltd., England. /89/$0.00 + 2.20 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)

Vol. 11, No. 7, Page 14

The DES (Data Encryption Standard) algorithm is used to encrypt the fingerprints, and prevent them being altered. The user-entered password (see below) is used to provide a key for this encryption.

Vaccine comes with an A5 boxed manual (81 pages, no index), and one floppy disk. I received a 5.25 inch disk for evaluation, but 3.5 inch disks are also available. The disk contains 4 files: VACCINE.EXE, DIAGNOSE.EXE, FILEMAC.EXE and CHNGBW.EXE. The program FILEMAC.EXE is used whenever a fingerprint needs to be explicitly calculated and displayed (as 16 hex characters). CHNGBW is a utility which can be used to configure Vaccine for a colour or monochrome screen. I intend to concentrate on the main two components, VACCINE and DIAGNOSE.

In normal use, VACCINE.EXE is executed first to specify and calculate the fingerprints. The user must specify a password, and a phrase used to personalize his copy of DIAGNOSE. This phrase helps to prevent anyone introducing a fake DIAGNOSE program. An error is reported if the password is less than eight characters long, but if you insist on a short password, then at the second attempt this is permitted.

After this initial setup, Vaccine can be tailored in any desired manner, using its internal editor, to calculate fingerprints for any file, disk sector or area of memory. The editor’s command set is reminiscent of Wordstar.

Three default options are available for immediate use. The shortest of these default options calculates fingerprints for the table of MS-DOS interrupts held in memory, the bootstrap sector on the disk, the special MS-DOS files AUTOEXEC.BAT and COMMAND.COM, and any system files (*.SYS) in the root directory. The medium length default option adds all directly executable files (those whose extensions are .COM or .EXE) to the short default option specification. The longest default option adds overlay files (*.OVL) and batch files (*.BAT) to the medium default option specification.

All relevant data is stored within the file DIAGNOSE.EXE to be used when the fingerprints are checked. The user specified phrase and password are presumably protected by DES encryption, as I can find no trace of either within the altered parts of this file. Every time that your computer is booted, DIAGNOSE should be executed to check that all the specified fingerprints are correct. This produces a security report stating what has been checked, and the alterations that have been found (if any). Options are available which permit the user to specify that the fingerprints should only be checked on certain days of the week, or on a specified percentage of reboots.

It is recommended that all checks are performed by executing DIAGNOSE from the normal MS-DOS startup file (AUTOEXEC.BAT), and, to prevent a malevolent program interfering with the checking process, the files described above should be stored on a write protected floppy disk which is only introduced to the computer when Vaccine checks are carried out. This means storing a special floppy for use when the computer is booted.

Given that the ISO and DES algorithms are being used, I doubt that the fingerprint process could be cryptographically compromised. It could however be circumvented if the files were readily available. As the Vaccine manual makes clear, using only the hard disk offers a lower level of security than storing the Vaccine files on a separate floppy disk.

Vol. 11, No. 7, Page 15

On the computer used for testing (see details above), the short default option represented a total of 29.8 Kbytes. The SPA algorithm required 9.6 seconds to calculate the fingerprints, and 32 seconds to update DIAGNOSE.EXE, which in turn required 14.7 seconds to check the fingerprints. When the ISO algorithm was used 26.8 seconds were required to calculate the fingerprints, and 26.1 seconds to check them. The time to update the file DIAGNOSE.EXE remained the same.

When the medium default option was used, this represented a total of 4.6 Mbytes of data. The SPA algorithm required 19 minutes 40 seconds to calculate the fingerprints, and 20 minutes to check the fingerprints. The ISO algorithm required a staggering 49 minutes to calculate the fingerprints, and I admit to not waiting to test how long it took to check the fingerprints. The update time remained at just over 30 seconds.

From the timings quoted above, it is relatively easy to calculate that on my computer, the SPA algorithm runs at 234 Kbytes per minute, and the ISO algorithm at 97 Kbytes per minute. On top of any overhead due to encryption, there is a 30 second file update overhead when VACCINE.EXE is executed. The documentation states that SPA runs approximately twice as fast as ISO, but the above figures show that the ratio is actually close to 2.5.

I suppose that these figures neatly sum up the dilemma facing anyone using this type of program to prevent unwanted damage. It is vital to use a strong encryption algorithm to calculate the fingerprints. If you don’t do this (and keep the encryption key secret), then a malicious program could ensure that a change to a file was not detected when the fingerprint(s) were checked. Any halfway decent encryption algorithm is going to take a finite time to execute. To ensure that all programs have not been altered, then on any hard disk system the total amount of data to be checked will always amount to a few Megabytes, which necessitates a reasonable amount of time to check that the fingerprints have not changed.

Any encryption algorithm that can operate on Megabytes of data in a few seconds using only a PC is almost by definition a weak algorithm.

I believe that it is therefore necessary to take two steps to use Vaccine to its full capability. First, a fast computer is desirable; my humble PC is simply too slow. The times quoted above would be reduced by about a factor of 3 if an 80286 processor (IBM AT etc.) was used, and would further be reduced at higher clock speeds. Secondly, it is important to spend a lot of time customizing the system so that only the important files and memory areas are fingerprinted. The aim is to minimize the fingerprint check time, whilst ensuring that no important file is omitted.

Given these two conditions Vaccine offers a defence against alterations of programs, areas of memory, and/or fixed data files by viruses. It won’t stop any alteration taking place, but it will warn you of the change. Any data file that is regularly updated is not protected, as it is difficult in the short term to tell whether or not any change has been caused by normal operation.

Minor niggles are few and far between, as I found Vaccine easy to use. However the manual could usefully contain a few menu examples to aid the newcomer to such a product, and the lack of an index makes searching for information somewhat difficult. When DIAGNOSE is executed, it takes about 10 seconds to tell me that the password I typed in is not correct. I believe that this is because it has to decrypt the fingerprints in order to tell that the password was not correct, but it’s still frustrating. Whilst DIAGNOSE is executing, it only tells you what is being checked when inspection is complete. It could usefully display a description, and then add a status message after the checks are complete. This is especially relevant for large files.

Vol. 11, No. 7, Page 16

In view of my comments on speed of execution, an estimate of the amount of time that any option will take to execute would be a useful extra facility. Similarly I believe that the default options should include hidden files to ensure that the MS-DOS system files are always checked. As most viruses which attach themselves to individual files attack the front of the file, an option allowing the user to test only a stated number of bytes at the start of each file would permit more files to be checked during a given period of time. The default options are set for drive C, whilst with three floppy disks, my hard disk is drive D. It would seem useful to make the default options relate to the first hard disk, rather than specifying drive C.
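As an added example (not Sophos code, and not taken from the review), the VACCINE/DIAGNOSE workflow described above in Python: a password-keyed fingerprint table is built once, sealed, and later used to report each file as ok, altered or missing, with the "first N bytes" option suggested above. HMAC-SHA256 stands in for the ISO 8731-2 MAC and SPA, a keyed seal over the table stands in for DES encryption of the fingerprints, and all file names and contents are constructed.

```python
"""Integrity baseline and check in the style of VACCINE / DIAGNOSE.

Added example, not Sophos code. Assumptions: HMAC-SHA256 replaces the
ISO 8731-2 MAC and SPA as the keyed fingerprint; a second HMAC "seal" over
the fingerprint table replaces DES encryption. Both need the password, so a
wrong password is only noticed when the seal fails (as the review observes
for DIAGNOSE).
"""
import hashlib
import hmac
import json
import os

def derive_keys(password, salt):
    """One key for file fingerprints, a separate one for sealing the table."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return (hmac.new(master, b"fingerprint", "sha256").digest(),
            hmac.new(master, b"table", "sha256").digest())

def fingerprint(key, data, prefix=None):
    """Keyed fingerprint of a block of data. `prefix` fingerprints only the
    first N bytes (the option the review suggests); any change beyond that
    point is then invisible, which is the trade-off accepted for speed."""
    if prefix is not None:
        data = data[:prefix]
    return hmac.new(key, data, "sha256").hexdigest()

def build_baseline(password, files, prefix=None):
    """VACCINE step: fingerprint every file and seal the table with the
    password. `files` maps file name -> content bytes (constructed input)."""
    salt = os.urandom(16)
    fp_key, table_key = derive_keys(password, salt)
    table = {name: fingerprint(fp_key, data, prefix) for name, data in files.items()}
    body = json.dumps({"prefix": prefix, "table": table}, sort_keys=True)
    seal = hmac.new(table_key, body.encode(), "sha256").hexdigest()
    return json.dumps({"salt": salt.hex(), "seal": seal, "body": body})

def check(password, baseline, files):
    """DIAGNOSE step: verify the seal (wrong password and tampered table both
    fail here), then report each baselined file as ok, altered or missing."""
    db = json.loads(baseline)
    fp_key, table_key = derive_keys(password, bytes.fromhex(db["salt"]))
    seal = hmac.new(table_key, db["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(seal, db["seal"]):
        raise ValueError("password incorrect or fingerprint table altered")
    body = json.loads(db["body"])
    report = {}
    for name, expected in body["table"].items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(expected, fingerprint(fp_key, files[name], body["prefix"])):
            report[name] = "ok"
        else:
            report[name] = "altered"
    return report
```

A regularly updated data file would show as "altered" on every run, which is why the review says such files are not usefully protected.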

Vaccine will not prevent viruses getting into a computer system. No matter what various salesmen may tell you, nothing will prevent that, other than scrupulous observance of computer hygiene rules. Given correct implementation, Vaccine should detect the intrusion caused by the introduction of a virus. The rest is up to you.

Keith Jackson

BUILT-IN SECURITY

In recent years much has been said about the special data protection and data security problems associated with workplace computers (PCs) at seminars, congresses, and in publications.

Two aspects have been common to all criticisms:

(1) The user is provided with considerable power over information processing: more precisely, he or she is handed this power on a silver platter on the desktop, something which, twenty years ago, every organizational/data processing director dreamed about for the computing centre;

(2) The user is operator, programmer, and systems programmer all at once: commonly used operating systems provide no options for monitoring or controlling activities.

The conclusion to be drawn from this is that when PC users are allowed to use their computers in an unmonitored and unlimited fashion, results will not always meet with expectations.

Restriction of user rights

The author is aware of a whole series of cases in which security-conscious companies have therefore decided to make only strictly limited use of PCs, if indeed they use them at all. One fairly popular organizational model is to create a central networking point for computers which is responsible for software maintenance. Thus, each PC no longer has its own floppy disk drive but is centrally supplied with tested and cleared software.

Another method of preventing unauthorized access to PCs and stored data has been employed by the Tandon Corporation. This company has developed PCs with “drive-out” hard disks, thus fulfilling several security requirements not catered for by PCs of conventional design. My office has had the opportunity to test in detail the Tandon Plus 286 with two removable 30-MByte hard disks and one 5¼-inch floppy. From the point of view of access and data security, the following came to light:

Easy backup

If one of the 30-MByte hard disks (Data Pac) is adequate for normal work, the second disk is used for backup purposes. The contents of one disk are copied onto the other in a matter of minutes. As each hard disk can be driven out individually, the backup disk is ready for security archiving immediately after