2
Computers & Security, 7 (1988) 471-472 Special Feature Viruses: Should We Quit Talking About Them? Bernard P. Zajac, Jr. T oday, the computer industry is split again, this time on what to do about computer viruses. The opinion that "computer viruses will go away if only the media would quit talking about them" has surfaced. You may recall when computer hacking first made the papers sometime ago, that was the popular position; just quit talking about it and it will go away. Today, you don't hear that much about hacking, yet we still have it and we have it in a new form--viruses! Recently, I asked the president of a large U.S. software retail chain if he knew what, if any, precautions major software manufacturers were doing to safeguard against vi- ruses. He is a major distributor and I thought he would know. Surpris- ingly, he quickly deferred the que- stion to an associate who said there really wasn't a problem and that the media should leave it alone and the problem would go away. Later, I posed the same question (~)1988, Bernard P. Zajac, Jr. Opinions expressed herein are those of the author and do not necessarily reflect those of ABC Rail Corporation. to Eugene Volokh, vice president ofVESOFT, a security software supplier for Hewlett-Packard computers in Los Angeles, Cali- fornia. He said VESOFT has very tight security; their computer is in a secured location with very few people having contact with it. Commenting on the concern that it is possible to get a virus from vendor software Volokh said, "I don't think people have to be afraid of vendors. Typically, I don't think that that's going to be a major problem (viruses in vendor software), because for someone to infiltrate a vendor or even for a vendor employee to put that (a virus) in there with his job on the line.., that's something that's not a major problem." I disagree with Volokh. A virus has been distributed by a vendor, though the vendor has recalled the software and corrected the prob- lem. It can happen; the question becomes which vendor will be next? I do agree that infiltrating a ven- dor is highly unlikely, since physi- cal security generally is tight at vendor locations. Lotus Corpora- tion recently was the cover story for Security magazine spotlighting the physical security at their cor- porate headquarters. However, employees are another issue. Recent studies have shown that computer crime/abuse is, for the most part, committed by employees [1]. Revenge/retaliation towards a corporation is the primary motive 80% of the time [2]. An employee inserting a virus is possible and is likely. Volokh said that if you get a virus from a vendor you have recourse, "You just sue them." True, but it will be after the fact. Suing won't help you replace an empty hard disk or shorten the time for a reload. I'm sure before long we will see some litigation in this area. I asked Volokh if he, as an ac- knowledged security and operation expert on Hewlett-Packard's HP3000 computer line, thought we should just quit talking about vi- ruses and they would go away. He said, 'Tm of the opinion that, as a general rule, you have to give people information about these things (viruses)." He pointed out that, "Someone who doesn't know about viruses cannot defend against them." At age 13, when most young "computer wizards" were break- ing into computers, Volokh developed a system to keep hackers out: SECURITY/3000. Develop- ing SECURITY/3000 at that age made him the youngest commer- cial security software developer in the United States. Today at 20, he is considered an expert on the Hewlett-Packard 3000 computer line, both its operation and security. I asked Volokh if he thought a virus could be introduced into the HP3000 and how. He said, "I think 0167-4048/88/$3.50 © 1988, Elsevier Science Publishers Ltd. 471

Viruses: Should we quit talking about them?

Embed Size (px)

Citation preview

Page 1: Viruses: Should we quit talking about them?

Computers & Security, 7 (1988) 471-472

Special Feature

Viruses: Should We Quit Talking About Them? Bernard P. Zajac, Jr.

T oday, the computer industry is split again, this time on

what to do about computer viruses. The opinion that "computer viruses will go away if only the media would quit talking about them" has surfaced. You may recall when computer hacking first made the papers sometime ago, that was the popular position; just quit talking about it and it will go away. Today, you don't hear that much about hacking, yet we still have it and we have it in a new form--viruses!

Recently, I asked the president of a large U.S. software retail chain if he knew what, if any, precautions major software manufacturers were doing to safeguard against vi- ruses. He is a major distributor and I thought he would know. Surpris- ingly, he quickly deferred the que- stion to an associate who said there really wasn't a problem and that the media should leave it alone and the problem would go away.

Later, I posed the same question

(~)1988, Bernard P. Zajac, Jr. Opinions expressed herein are those of the author and do not necessarily reflect those of ABC Rail Corporation.

to Eugene Volokh, vice president ofVESOFT, a security software supplier for Hewlett-Packard computers in Los Angeles, Cali- fornia. He said VESOFT has very tight security; their computer is in a secured location with very few people having contact with it.

Commenting on the concern that it is possible to get a virus from vendor software Volokh said, "I don't think people have to be afraid of vendors. Typically, I • don't think that that's going to be a major problem (viruses in vendor software), because for someone to infiltrate a vendor or even for a vendor employee to put that (a virus) in there with his job on the l i ne . . , that's something that's not a major problem."

I disagree with Volokh. A virus has been distributed by a vendor, though the vendor has recalled the software and corrected the prob- lem. It can happen; the question becomes which vendor will be next?

I do agree that infiltrating a ven- dor is highly unlikely, since physi- cal security generally is tight at vendor locations. Lotus Corpora- tion recently was the cover story for Security magazine spotlighting

the physical security at their cor- porate headquarters. However, employees are another issue. Recent studies have shown that computer crime/abuse is, for the most part, committed by employees [1]. Revenge/retaliation towards a corporation is the primary motive 80% of the time [2]. An employee inserting a virus is possible and is likely.

Volokh said that if you get a virus from a vendor you have recourse, "You just sue them." True, but it will be after the fact. Suing won't help you replace an empty hard disk or shorten the time for a reload. I'm sure before long we will see some litigation in this area.

I asked Volokh if he, as an ac- knowledged security and operation expert on Hewlett-Packard's HP3000 computer line, thought we should just quit talking about vi- ruses and they would go away. He said, ' T m of the opinion that, as a general rule, you have to give people information about these things (viruses)." He pointed out that, "Someone who doesn't know about viruses cannot defend against them."

At age 13, when most young "computer wizards" were break- ing into computers, Volokh developed a system to keep hackers out: SECURITY/3000. Develop- ing SECURITY/3000 at that age made him the youngest commer- cial security software developer in the United States. Today at 20, he is considered an expert on the Hewlett-Packard 3000 computer line, both its operation and security.

I asked Volokh if he thought a virus could be introduced into the HP3000 and how. He said, "I think

0167-4048/88/$3.50 © 1988, Elsevier Science Publishers Ltd. 471

Page 2: Viruses: Should we quit talking about them?

B.P. Zajac, Jr./Viruses

the most likely way a virus could get into the 3000, is by some tapes that are made available f rom a number o f users; most likely from the contributed library." The con- tributed library is a collection o f programs that are submitted to the international users group ( INTEREX) and distributed via a swap tape. The tape is free to con- tributors and to non-contributors for a fee. The tape includes both object and source code. So it is possible to check the source code and then recompile the program, but I wonder how many HP shops do this?

Encryption is being used more and more since the advent o f vi- ruses, both in communications networks and on computers them- selves to protect information. VESOFT was recently asked to break an encryption scheme that a disgruntled ex-employee used to encrypt his companies source files and then left. Volokh was able to break the scheme and restore the files. As a result o f this, I asked him what he thought ofencrypt ion in the business environment.

"Theoretically, encryption is a good thing." He said. However , he went on, "People get all keen on encryption in cases where it is completely and utterly un- necessary. This guy encrypted source code. Why do you want, at a company that does not supply software to third parties, it's not afraid that someone will steal and use it somewhere else, why do you want to encrypt it?

Volokh thought that encryption, for most companies, should be

limited to just private memos. However, he reiterated that i f the person left or forgot his key- - the information was essentially gone. Said Volokh, " In a way it's funny, it (encryption) looks like it gives you security, but in reality we have found, practically speaking, it's a major security threat!"

I agree, for the most part, with Volokh's stance on file encryption; sometimes it is overdone. However, in some environments, such as PC-based payroll informa- tion, you need a secured system and encryption gives you that. With many systems, there is a password/key management system to prevent one person being the sole possessor o f a key. In other PC systems there is a master key program available for use by the security administrator. With this program he can decrypt any pro- gram on the system without knowing the original encryption key.

Protecting source code is very important, even to companies not in the software business. It takes a lot o f time and money to develop any type o f software, be it for sate or in-house use. Additionally, the program might be o f interest to a competitor, it might be your model for product breakeven point analysis. And people do steal soft- ware. Just recently, the U.S. Attorney's oftice in Chicago ar- rested an 18-year-old for stealing more than $1 million in software.

I believe it will be a long, long time before we see an end to vi- ruses, regardless o f whether or not we quit talking about them. As

professionals, we must inform each other, via journals, o f the "new and improved" viruses and hacks. The hackers keep each other in- formed and so must we.

References [1] J. O'Donoghue, Strategies found to

be effective in the control of com- puter crime in the Forbes 500 cor- porations, A C M Secur. Audit Control Rev., 5(1) 4.

[2] J. O'Donoghue, Strategies found to be effective in the control of com- puter crime in the Forbes 500 cor- porations, A C M Secur. Audit Control Rev., 5(1) 7.

Bernard P. gajac, Jr. is the database/data security manager of the ABEX Corporation of Chicago where he is responsible for physical and internal security of its databases, investigation of computer abuse and database design. Prior to joining ABEX, he was a police systems analyst for the Illinois Criminal Justice Authority where he worked on the Authority's Police Information Manage- ment System. At the authority he also reviewed and tested data encryption/decryption equipment. He had almost 15 years of data processing experience and was in law enforcement for five years. He has spoken and pub- lished articles in the United States and Europe on computer crime, computer security and police systems.

472


VIRUSES AND ANTI-VIRUSES

VIRUSES AND ANTI-VIRUSES

Education
Viruses VIRUSES Viruses are small packages of genes€¦ · VIRUSES Viruses measured in nanometers (nm). Require electron microscopy. Viruses are small packages of genes Consist of

Viruses VIRUSES Viruses are small packages of genes€¦ · VIRUSES Viruses measured in nanometers (nm). Require electron microscopy. Viruses are small packages of genes Consist of

Documents
Jeaden · The way to get started is to quit talking and get doing! - Walt Disney Longbeach Competitions Waverley Competitions CVI Competitions RSSS Competitions Jeaden Concert Rivergum

Jeaden · The way to get started is to quit talking and get doing! - Walt Disney Longbeach Competitions Waverley Competitions CVI Competitions RSSS Competitions Jeaden Concert Rivergum

Documents
to QUIT smoking - Alabama Department of Public Health · 2020-04-25 · Power to Quit is inside you The Quit Tobacco Today! Effects of SECONDHAND SMOKE Quit Tobacco Today! 1-800-QUIT-NOW

to QUIT smoking - Alabama Department of Public Health · 2020-04-25 · Power to Quit is inside you The Quit Tobacco Today! Effects of SECONDHAND SMOKE Quit Tobacco Today! 1-800-QUIT-NOW

Documents
to quit or not to quit

to quit or not to quit

Education
Don’T Quit

Don’T Quit

Entertainment & Humor
quit because

quit because

Documents
Mozzi quit

Mozzi quit

Technology
Quit Talking, Start Doing! Motivate Yourself When No One Else Can Get Over Procrastination and Boost Productivity towards Success (Productivity Tips, Getting Things Done, Habit Hacks)

Quit Talking, Start Doing! Motivate Yourself When No One Else Can Get Over Procrastination and Boost Productivity towards Success (Productivity Tips, Getting Things Done, Habit Hacks)

Self Improvement
Viruses Virology - study of viruses Virologist – scientist that studies Viruses

Viruses Virology - study of viruses Virologist – scientist that studies Viruses

Documents
to QUIT smoking - Alabama Department of Public Health · 2020. 4. 25. · Power to Quit is inside you The Quit Tobacco Today! Effects of SECONDHAND SMOKE Quit Tobacco Today! 1-800-QUIT-NOW

to QUIT smoking - Alabama Department of Public Health · 2020. 4. 25. · Power to Quit is inside you The Quit Tobacco Today! Effects of SECONDHAND SMOKE Quit Tobacco Today! 1-800-QUIT-NOW

Documents
Computer viruses and anti viruses

Computer viruses and anti viruses

Education
Don't quit!

Don't quit!

Spiritual
Walt Disney The Man Who Shaped Generations. “The way to get started is to quit talking and start doing.” Walter Elias Disney

Walt Disney The Man Who Shaped Generations. “The way to get started is to quit talking and start doing.” Walter Elias Disney

Documents
HEALTH BITESto quit smoking soon. The Quit Coach. is a free interactive site that can help you quit smoking and stay stopped. Visit . Free Quit Pack . Get a free Quit Pack by calling

HEALTH BITESto quit smoking soon. The Quit Coach. is a free interactive site that can help you quit smoking and stay stopped. Visit . Free Quit Pack . Get a free Quit Pack by calling

Documents
Customize Your Quit - Help Them Quit · 2018. 6. 6. · Customize Your Quit 3 / Customize Your Quit \ 4 I’m ready to take the first step to stop smoking. My quit-smoking plan starts

Customize Your Quit - Help Them Quit · 2018. 6. 6. · Customize Your Quit 3 / Customize Your Quit \ 4 I’m ready to take the first step to stop smoking. My quit-smoking plan starts

Documents
juriesandconditions/viruses/ juriesandconditions/viruses

juriesandconditions/viruses/ juriesandconditions/viruses

Documents
{ The Human Genome The way to get started is to quit talking and begin doing -Walt Disney

{ The Human Genome The way to get started is to quit talking and begin doing -Walt Disney

Documents
Don't Quit the Quit Resource Guide - University of North

Don't Quit the Quit Resource Guide - University of North

Documents
Don't Quit

Don't Quit

Self Improvement
I QUIT!!!!

I QUIT!!!!

Documents
EFFECTIVELY REACHING THE MEDICAID POPULATION WITH …€¦ · QUIT HELP BY PHONE IN-PERSON QUIT HELP ONLINE QUIT HELP PREGNANT AND TRYING TO QUIT? VERMONT DEPARTMENT OF HEALTH 1-800-QUIT-NOW

EFFECTIVELY REACHING THE MEDICAID POPULATION WITH …€¦ · QUIT HELP BY PHONE IN-PERSON QUIT HELP ONLINE QUIT HELP PREGNANT AND TRYING TO QUIT? VERMONT DEPARTMENT OF HEALTH 1-800-QUIT-NOW

Documents
Smoking quit

Smoking quit

Documents
To quit or not to quit - IESE Blog Networkblog.iese.edu/reiche/files/2010/08/To-quit-or-not-to-quit.pdf · To Quit or Not to Quit: ... Abstract Adopting an inductive case study approach,

To quit or not to quit - IESE Blog Networkblog.iese.edu/reiche/files/2010/08/To-quit-or-not-to-quit.pdf · To Quit or Not to Quit: ... Abstract Adopting an inductive case study approach,

Documents
5 Ways to Make Your Best Employees Quit (Yes, Quit!)

5 Ways to Make Your Best Employees Quit (Yes, Quit!)

Career
Quit India

Quit India

Documents
1 Quit Your Own Way - Quit Smoking | Health Care Professionals | Help Them Quit · 2018-06-06 · Quit Your Own Way Quit Your Own Way 10 / \ 11 One step at a time It is important

1 Quit Your Own Way - Quit Smoking | Health Care Professionals | Help Them Quit · 2018-06-06 · Quit Your Own Way Quit Your Own Way 10 / \ 11 One step at a time It is important

Documents
Viruses in the sea - eebweb.arizona.edu · Viruses in the sea - eebweb.arizona.edu ... viruses

Viruses in the sea - eebweb.arizona.edu · Viruses in the sea - eebweb.arizona.edu ... viruses

Documents
Quit - chemed.study

Quit - chemed.study

Documents
Quit Tobacco

Quit Tobacco

Documents