Custom Page
Read Me First
System Security
***PC Security
***Watchdog/Paranoia
***Active Response
***Insecure Education
***Designing Weapons
Security
***Terrorist Article
Intelligence
***Public Secrets
***Relating Trivia
Tech Transfer
***Mining Technology
***Tech Links
The Future of Aggression
Community Archeology
Resume/Experiences
Clients
***Part D Slides
Thoughts
Personal Computer Security
SECURE BOUNDED EXECUTION ALLOWS A PROFESSIONAL MICRO USER
TO RACK UP ALL HIS TOP SECRET DATA
JUST LIKE ON A MAINFRAME
COMPUTER
V-PHAGE SYSTEMS MANAGER'S GUIDE
by: APPLICATION CONFIGURED COMPUTERS, INC.
Baldwin, NY and Columbus, OH
for
Thomas V. Sobczak, Consultants
PRELIMINARY FOR RESEARCH AND EVALUATION
(Stand-alone and Network enterprise systems)
READ THIS MANUAL THOROUGHLY BEFORE ATTEMPTING TO BEGIN THE V-
PHAGE PROCESS. SECURITY IS NOT A HIT OR MISS PROCESS. AS SYSTEM
MANAGER YOU CAN OPTIMIZE V-PHAGE EFFECTIVENESS BY TAKING
ADVANTAGE OF THE FEATURES AND OPTIONS EXPLAINED HEREIN. V-PHAGE
SCRAMBLES EXECUTABLE FILES -- BE SURE BACKUP EXISTS BEFORE ADDING
PROGRAMS TO A SECURE LEVEL OF PRIVILEGE WITHIN THE V-PHAGE UNIVERSE
OF PROTECTED PROGRAMS.
V-PHAGE SECURITY OVERVIEW
INHERENT WITHIN V-PHAGE ARE THE FOLLOWING FEATURES NOT TYPICAL TO
A DESKTOP MICROCOMPUTER.
1. ACCESS LIMITATION EQUAL TO MAINFRAME SECURITY SYSTEMS
* ENCRYPTED ID AND PASSWORD
* SCRAMBLED EXECUTABLE PROGRAMS
* BOUNDED EXECUTION BY LEVEL OF AUTHORIZATION
* SPECIFIC AUTHORIZATION TO A LEVEL
* ONLY ONE SUPER USER, THE SYSTEM MANAGER
2. EXECUTION OF APPLICATION PROGRAMS IS ASSOCIATED WITH THE
COMBINATION OF SPECIFIC LEVELS UTILIZED AND BY INDIVIDUALS WITH A
VERIFIED NEED TO KNOW. UNAUTHORIZED DISK BROWSING IN OTHER LEVELS
IS IMPOSSIBLE.
3. THE ALGORITHM, WHICH SECURES THE V-PHAGE, WARRANTEES KEY
ENTRY DATA SECURITY AT A LEVEL EQUIVALENT TO THE NATIONAL SECURITY
AGENCY DATA ENCRYPTION STANDARD (DES)
4. CHANGE DETECTION OF EVERY CHATACTERISTIC IMPLEMENTED BY DOS
ASSURES THAT ALL UNANTICIPATED CHANGE WILL BE LOGGED AND AVAILABLE
TO THE SYSTEM MANAGER AS FREQUENTLY AS HE CHOOSES TO VIEW/PRINT
THE LOGGED INFORMATION.
5. AUDIT TRAILS OF EVERY ACTIVITY FROM LOGON TO LOGOFF ARE
MAINTAINED. UNSUCCESSFUL ATTEMPTS ARE NOTED BY TERMINAL AND
ID/PASSWORD USED. COUNTS OF REJECTED LOG ONS ARE KEPT.
6. HIDDEN LOGS MUST MATCH TO ASSURE SYSTEM ENFORCEMENT OF V-
PHAGE SECURITY POLICY.
7. SCRAMBLED FILES CANNOT BY PROCESSED ON ANY OTHER
COMPUTING DEVICE, INCLUDING THOSE OPERATING UNDER ANOTHER COPY OF
V-PHAGE. THE INSTAL (purposefully misspelled) START-UP ROUTINE GENERATES
A UNIQUE KEY FOR THE SPECIFIC SYSTEM UPON WHICH V-PHAGE IS INSTALLED.
8. DETECTION CAN BE PROCESSED AT ANY TIME INCLUDING AFTER AN
EXIT TO THE O/S. V-PHAGE DETECTION IS A FULL TIME CAPABILITY AVAILABLE
FROM STARTUP TO POWER DOWN.
9. V-PHAGE IS UNFORGIVING IN THE INTEREST OF SECURITY. SLOPPY
KEYING WILL CAUSE AN EXIT IN THE SAME MANNER AS WRONG ID AND
PASSWORD.
10. CRITICAL MANAGER OPTIONS ARE ADDITIONALLY PASSWORD
PROTECTED TO ASSURE THAT A FAILURE TO LOG OUT OF SUPER PRIVILEGE
DOES NOT MAKE V-PHAGE SUSPECT.
INDEX OF CONTENTS
COVER
i V-PHAGE SECURITY OVERVIEW
ii INDEX
iv DISCLAIMER
1 INTRODUCTION
2 HOW TO USE THIS MANUAL
2 KEYBOARD CHARACTERISTICS
3 INITIAL INSTALLATION
5 BEGINNING TO USE THE V-PHAGE SECURITY SYSTEM
10 STRUCTURING SECURITY IN A V-PHAGE/DOS ENVIRONMENT
16 A LOOK AT THE MANAGER SCREEN OPTIONS
16 RUN DETEKT
16 INSTALLATION (DETEKT OUTSIDE V-PHAGE)
16 FILE OPTIONS
17 CHECK OPTIONS
18 QUIT (DETEKT OPTION)
18 CLOSING THE LOOPHOLES (SAVEZONE/NEWZONE)
19 HOW TO RUN DETEKT OUTSIDE THE V-PHAGE SHELL
21 COMMAND LINE SHORTCUTS (DETEKT IN DOS)
22 LOGGING DETEKT DIFFERENCES
22 CONCLUSION CONCERNING THE RUN DETEKT OPTION
24 RUN SAVEZONE
26 ADD NEW USER (V-PHAGE)
29 CHANGE USER (V-PHAGE)
30 DELETE USER (V-PHAGE)
31 LIST USERS (V-PHAGE)
32 PRINT USERS (V-PHAGE)
33 RUN PROGRAMS (V-PHAGE)
34 FILE ACCESS (V-PHAGE)
34 TOGGLE DRIVE
35 TOGGLE LEVEL
36 ADD FILES
37 DELETE FILES
38 EXIT TO O/S (FROM V-PHAGE)
39 QUIT (V-PHAGE)
40 V-PHAGE HIDDEN SUB-DIRECTORIES AND HIDSDEN FILES
41 AUDIT REPORTS AND TECHNIQUES
41 PRINTED AUDIT MESSAGES
41 AUDIT MESSAGES DISPLAYED TO SCREEN
41 DETEKT AUDIT LOG SAMPLE
42 V-PHAGE SYSTEM USE AUDIT LOG SAMPLE
44 DISCRETIONARY ACCESS CONTROL
46 LIST OF INTERNET MOST FREQUENT PASSWORDS
48 ENCRYPTION DEFINITIONS
49 DISCUSSION OF V-PHAGE ENCRYPTION PHILOSOPHY
50 DETECTION THE BEST PROTECTION
50 DEFINITIONS
52 HOW VIRUS WORKS
52 IS DETECTION NECESSARY
55 VIRUS FORMATS
59 RULES FOR SAFE COMPUTER USAGE
62 RECOVERY FROM THE LOSS OF ONE OR A FEW FILES
63 RECOVERY FROM THE LOSS OF THE ENTIRE SYSTEM
DISCLAIMER
Sobczak, Consultants and ACC, Inc. makes no representation or warrantees with
respect to the contents or use of V-PHAGE software and associated documentation.
WE SPECIFICALLY DISCLAIM ANY EXPRESS OR IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE.
We warrant that the program will perform in substantial compliance with the
associated documentation. If you report a significant defect, in writing, to ACC, Inc.
and ACC, Inc. is unable to correct it within 120 days, you may return the software
and associated documentation along with a bill of sale and your purchase price will
be refunded. You agree that the only remedy available to you is a refund of the
validated purchase price of the program.
IN NO EVENT WILL SOBCZAK OR ACC, INC. BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY LOSS OF PROFITS, LOST SAVINGS, OR OTHER INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF YOUR USE OR INABILITY TO USE
V-PHAGE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES, OR FOR ANY CLAIM BY ANY OTHER PARTY.
INTRODUCTION
Welcome to a new way of securing your computer using the V-PHAGE security system to
accomplish secure bounded execution of your software assets.
The V-PHAGE system consists of four major components, the V-PHAGE.EXE shell,
PASSWORD.EXE, the change detector program -- DETEKT.EXE and the file scrambling
routine PROT.EXE. They are resident on the floppy disk which accompanies this manual.
The V-PHAGE shell controls the execution of the other component parts thereby reducing
the overhead lost to V-PHAGE operations during normal program execution.
The PASSWORD program is the key to establishing access level privilege, stating which
programs and files may be accessed by each level and performing the maintenance
normal to the security process in your organization.
The DETEKT program builds the structure for change analysis of software executables and
data that you use frequently and therefore want analyzed daily. We call these SPECIAL
FILES. You can as easily monitor changes to all files on the default drive/server and/or all
files on all disk drives/servers in your system.
PROT processes in conjunction with the password program. Every time you select a file
to a level it is scrambled so as to be both unique and execution prohibited outside of this
specific V-PHAGE security shell.
As you will see in later sections the installation of V-PHAGE is designed to make your
encryption key unique from that of any other purchaser of the V-PHAGE product and its
planned enhancements.
HOW TO USE THIS MANUAL
V-PHAGE is a complex system of security and protections designed for the Microsoft
based computer and network. The manual is written in a step by step format. As with any
manual, we have tried to define every possible situation. We therefore respectfully suggest
that you keep the manual at hand and reference its contents as you begin the V-PHAGE
process. If we have ommitted anything you consider important to you use of V-PHAGE
please feel free to write or call our technical support center.
KEYBOARD CHARACTERISTICS
The V-PHAGE security system accomplishes most of its manipulative functions using six
keys. In the System Manager's menu the END key puts you at QUIT. The RETURN key
tells the V-PHAGE that the highlighted command is to be executed. If you make a mistake
and enter a selection in error, simply press the ESC key to go back to the Managers menu.
HOME brings you to the top of the menu. You may step through the menu using the UP
and DOWN arrows. Typing is as normal.
PLEASE NOTE that you must wait for the instruction to appear before you can type your
input. The slight hesitation is caused by the fact that V-PHAGE is logging all your actions.
If you try to out pace the directions displayed you will find that you are requested to repeat
your input. V-PHAGE will lock-up the terminal/computer if the intrernal security criteria,
placed there to protect your programs and data, sense an attempt at unauthorized activity.
When the terminal locks-up you must reboot by physically shutting down the machine and
then restarting it, i.e., turn it off, wait twenty seconds and then turn the machine back on.
The control keys normal to the O/S have been disabled. You cannot warm boot, i.e.,
control-alt-del. The control - whatever and Shift print screen also do not function. You must
follow the V-PHAGE instructions. These instructions assure the security of your operation.
The delete key allows you to correct typing errors in ID and PASSWORD entry. The screen
looks a bit strange as characters are added rather than deleted.
ID: XXXXXXXX was typed. Now you want to remove it because the telephone made
you forget where you were. To remove all you hit back space four times. One for each
letter/number you entered in you ID. You now see:
ID: XXXXXXXXXXXX
When you input the ID again you see a still longer chain of X's.
ID: XXXXXXXXXXXXXXXXXXXXXX
Our goal is not to confuse you, but to confuse the person who looking
over your shoulder who may fancy him/herself an amateur cryptologist.
INITIAL INSTALLATION
Place the V-PHAGE floopy disk which accompanies this manual in Disk Drive A:. Be sure
that the drive door is properly closed and locked in its normal closed position. (Put the disk
in the A:\ Drive the way you normally do.)
Type DIR A: in order to verify that this floppy disk has not been corrupted. The directory
must read as follows:
INSTAL.EXE 33136
DETEKT.EXE 83824
PASSWORD.EXE 106400
PROT.EXE 14633
V-PHAGE.EXE 8938
NEWZONE.EXE 17792
SAVEZONE.EXE 17744
Be sure these programs and file sizes match those on on your floppy disk prior to typing
A:INSTAL
(note that the install command has but one "l". This is a purposeful omission. The
computer will take a few seconds before it displays:
ACC, INC
V-PHAGE
SECURE BOUNDED EXECUTION
INSTALLATION PROGRAM
Press any key to continue...
on the video monitor. When you press any key, the screen blanks and
returns with the question:
Drive to install V-PHAGE on:
V-PHAGE must be installed upon your hard disk drive. If you have more
than one hard disk drive than you should choose the hard disk from which your computer
starts. When the start-up process completes, a prompt is displayed at the left side of the
screen with a flashing white line to its right. If the prompt says C: then your default (start-
up) drive is C:. Type c and press the RETURN key. (The RETURN and Left bent arrow
keys are synonymous with what this manual calls RETURN). Now you will see:
Drive to install V-PHAGE on: c
Creating Directories
Once again the screen will blank and return with a question. Let's take a monment to
understand what is happening. V-PHAGE is a secure system. As such, it hides directories
and files from anyone who might use them to steal the programs and knowledge you are
trying to protect. Further V-PHAGE encypts the passwords, ID's and files to minimize any
mis-use. The questions you are about to answer work in concert with an algorithm
(formula) to make this copy of V-PHAGE uniquely different from any othe copy in use. The
first question:
Mother's Maiden Name?
Type in your answer i.e., Smith, Jones or Knowski. Certain of the
characters you enter will be chosen, converted to ASCII code format, and used to create
your unique encryption. The logic of unique encryption is important in that if someone
steals your backup copies of data and programs, and if he/she has V-PHAGE, he will be
unable to execute your programs. They will never know your unique encryption.
Next you will be asked to input:
Favorite Color?
It is quite alright to enter "lemon-yellow blue". The answers are not saved. Again they are
the basis for your unique security encryption. The final two questions you must answer
are:
Political Party?
and
Favorite Animal?
When you press RETURN to indicate the animal of your choice, the V-PHAGE will instantly
create your unique encryption key.
As a part of the process you will see four files copied, one at a time.
Favorite Animal? plattypusasourus
1 file copied
1 file copied
1 file copied
1 file copied
You have completed the installation of V-PHAGE to your computing system. The Prompt
will reappear at the left side of your video display. The flashing white line (cursor) will be
immediately to its right. Type C:\V-PHAGE\V-PHAGE to begin your process of
customization of users, the programs which they might use and the process of change
detection.
BEGINNING TO USE THE V-PHAGE SECURITY SYSTEM
The first screen you see is the V-PHAGE logo.
ACC, INC
V-PHAGE
SECURE BOUNDED EXECUTION
Press any key...
Press any key to begin.
The next screen is the menu screen. It gives you the option to LOGON or QUIT.
****MENU*****
* *
* LOGON *
* *
* QUIT *
* *
****************
If you choose to quit, for whatever reason, you will be required to power down (SHUT OFF
THE COMPUTER) prior to a restart.
Press the RETURN key while the LOGON option is highlighted.
Wait for the display ID: to appear on your video display.
ID:
When the display appears type in capitals FCD. The result of your input will appear as X's
in order to protect the security of your ID.
ID: XXXXXXXX
The V-PHAGE ID/PASSWORD logic is character independent. This means that each
position has 255 ASCII options. If you fail to follow this procedure the ID: will reappear. If'
in error, you clip two keys the ID: will reappear. V-PHAGE is very particular in the interest
of securing your computer. Should you mis-enter the ID twice you will be removed from
the system and be forced to shutdown and restart. While this may seem cumbersome,
ACC Inc research has determined that most aggressors play the ID repeat game when
seeking unauthorized entry. If the security program does not count attempts and force an
exit, those trying to steal your resources are free to repeat their attempts forever. V-
PHAGE believes two chances at ID entry are sufficient.
When you enter the proper ID you will next see the display PASSWORD:
PASSWORD:
Wait for the prompt to appear. If it seems slow, be patient, as every action is logged for
future analysis. Type ACC and press RETURN. Agin your input will be hidden.
PASSWORD: XXXX
Capital letters are required in both cases otherwise your input, although alphabetically
proper, will be rejected. If your PASSWORD is incorrect for any reason you will be
terminated and forced to restart. V-PHAGE prevents someone who guesses your ID or
sees a part of your entry from continuing the guessing game.
NOTE: EVERY ID IN YOUR SYSTEM MUST BE DIFFERENT. IF YOU CHOOSE AN ID
WHEN ADDING NEW USERS THAT EXISTS YOU WILL BE NOTIFIED THAT THE
CHOICE IS UNACCEPTABLE.
ID: XXXXXXXX
ID not acceptable
ID:
IF YOU CHOOSE CERTAIN COMMON TERMS AS THE ID THEY WILL BE REJECTED.
ACC INC HAS LEARNED FROM THE 250 ID/PASSWORD COMBINATIONS OF THE
INTERNET INTERDICTION. WE SUGGEST THAT YOU FOLLOW THE EXCELLENT
INSTRUCTIONS IN THE NATIONAL COMPUTER SECURITY CENTER ACCESS
CONTROL STANDARD AVAILABLE FROM NSA/NCSC, FORT MEADE, MD 20755.
Proper first time use ID/PASSWORD (FCD/ACC) allows you into the third screen, the
MANAGERS SCREEN. Notice that the managers screen allows you to:
MANAGER
A -- RUN DETEKT
B -- RUN SAVEZONE
C -- ADD NEW USER
D -- CHANGE USER
E -- DELETE USER
F -- LIST USER
G -- PRINT USER
H -- RUN PROGRAMS
I -- FILE MAINTENANCE
J -- EXIT TO DOS
K -- QUIT
Using the DOWN arrow move to the CHANGE USER line.
MANAGER
A --
B --
C --
D -- CHANGE USER
E --
When it is highlighted press RETURN. The prompt ID will appear.
ID:
When it is displayed type, in capitals, FCD.
ID: XXXXXX
The ID prompt will reappear.
ID:
Type the new ID that you have chosen for yourself.
REMEMBER!!!!! Choose an ID which is UNIQUE to you but not representative of your job,
avocation or family. Enter your choice and press the RETURN key.
ID: XXXXXXXXX
When PASSWORD appears, repeat the process, i.e. type a unique password.
PASSWORD: XXXXX
Success will be rewarded by the display LEVEL.
LEVEL:
If you enter the level zero (0) you will be told that the privilege may not be deleted.
LEVEL: 0
(THIS IS NOT ALLOWED TO CHANGE)
THERE IS ONLY ONE HIGHEST PRIVILEGE LEVEL ALLOWED BY V-PHAGE AND THE
SYSTEM MANAGER IS THE ONLY ONE WITH THAT PRIVILEGE.
Next the display NAME: will appear.
NAME:
Type your name.
NAME: Serenity Safely
NAME is a requirement of V-PHAGE for later audit reporting purposes. At this point you
have unique privilege to manage V-PHAGE. No one but you can enter the system as a
manager.
DEPT:
The final entry requested is the Department (DEPT) code. In many corporations data is
shared within the corporation across the enterprise. In others it is compartmentalized. V-
PHAGE allows the user the best of both worlds. You have the option to structure your
corporation/agency in the manner you find most ameniable to your operations. During an
Audit of data use one might compare department to level to determine if unauthorized
sharing or inappropriate use has occurred.
DEPT: SALES
V-PHAGE is only as secure as your ability to keep your ID and PASSWORD secret
from all others.
HOLD IT!! Secure bounded execution becomes reality when you use the O/S command
EDLIN to delete the existing AUTOEXEC.BAT and create the new file:
PATH C:\
TIMER /S
C:\V-PHAGE.EXE
Now turn off your machine. Restarting the machine will cause the modified
AUTOEXEC.BAT to execute, thereby achieving the V-PHAGE initial screen. You must
enter your new ID as it was entered when you made the change which selected the
replacement for FCD/ACC.
Remember to wait for the display requesting your ID to appear. Next enter the new
PASSWORD when you see the request, PASSWORD. You will now see the MANAGERS
SCREEN.
MANAGER
A -- RUN DETEKT
B -- RUN SAVEZONE
C -- ADD NEW USER
D -- CHANGE USER
E -- DELETE USER
F -- LIST USER
G -- PRINT USER
H -- RUN PROGRAMS
I -- FILE MAINTENANCE
J -- EXIT TO DOS
K -- QUIT
STRUCTURING SECURITY IN A V-PHAGE/O/S ENVIRONMENT
The MANAGERS SCREEN provides you all the options you need to structure your system
security. The task is twofold, i.e., identifying the users authorized to access specific
programs at specific levels and identifying the programs at each level. Users are limited
to a single level but programs can reside at multiple levels. WE RECOMMEND THAT THE
SYSTEM MANAGER BUILD A PAPER MODEL AS REFERENCE DURING THE
STRUCTURING PROCESS. REMEMBER TO PROPERLY DISPOSE OF THE PAPER
MODEL WHEN YOU HAVE FINISHED SET UP PROCESS.
ADDING USERS FOR THE FIRST TIME
Use the DOWN arrow to reach the ADD NEW USER.
MANAGER
A --
B --
C -- ADD NEW USER
D --
When it is highlighted press RETURN. Wait for the display to show ID:.
ID:
Type the ID chosen for this user and press RETURN. The screen will repeat the ID you
have entered exactly as you input it with the comment Y/N?.
ID: SERENITY (Y/N?)
If the ID is exactly as you wish type Y. If you are dissatisfied for any reason type N. N
repeats the process.
When you type Y and press RETURN the request PASSWORD will appear.
PASSWORD:
enter the password of your choice. BE UNIQUE. USE TERMS OR RANDOM STRINGS
WHICH ARE NOT TYPICAL TO ANYTHING ASSOCIATED WITH THE ASSIGNED USER.
After you enter the PASSWORD the display will say "again".
again
Repeat the chosen PASSWORD at the prompt. If you are successful the display will say
LEVEL. If you err the PASSWORD process will repeat, but only once before it exits you
to the Managers screen forcing a repetition of this ADD.
LEVEL:
At the LEVEL prompt choose from 1 - 16. Level 0 is limited to the super privilege. The 0
will cause the message
LEVEL: 0
"ONLY ONE SYSTEM MANAGER"
to appear. Be careful not to repeat level 0 requests as V-PHAGE
will cause an exit which requires a restart. We took this precaution based upon experience
with undocumented features in some operating system environments which could lock-up
the server and cause an unscheduled branch into the operating system bypassing the
internal security system.
The final display will ask for the new users NAME.
NAME:
This feature is beneficial to you as system Manager when tracking auditable actions by ID,
Terminal used and programs executed. When the name is entered and you press the
RETURN key you will be returned to the top of the MANAGERS MENU. Repeat the
process for each user that you wish to register.
As you continue be aware that V-PHAGE is tracking your activities. You may not repeat
an ID or a PASSWORD. Should you repeat inadvertantly, V-PHAGE will advise you "ID
not acceptable".
ID: XXXXXXXX
ID not acceptable
After all users are entered at the chosen level you should begin to choose the programs
accessible by each level. BE ADVISED -- If you attempt to execute the RUN PROGRAMS
command from a legal access but no programs are assigned you will see the comment
ask your Manager to authorize application programs
You will then be exited from the system. The logic for this harsh measure is too limit
vunerability, i.e., if you do not have something to process you should not be an active user.
PROGRAM ACCESS BY ASSIGNED LEVEL OF PRIVILEGE
The next task to properly implement V-PHAGE is that of identifying the programs to be
assigned at each level.
BE CAREFUL TO HAVE BACKUP COPIES OF EVERY PROGRAM BEING SELECTED.
V-PHAGE SCRAMBLES EACH FILE WHEN IT ASSIGNS THAT FILE TO A LEVEL
THEREFORE THE EXECUTABLE CANNOT BE PROCESSED IF YOU START YOUR
MACHINE USING AN DOS FLOPPY DISK IN THE A: DRIVE.
The security system scrambles files to assure that is not kind to software pirates.
Experience shows that an in-house thief can steal/has stolen backup disks to obtain vital
information concerning operations. Scrambling minimizes the loss because the executable
and associated files are useless without your specific copy of the V-PHAGE, the hidden
control files, ID file and the Password file. When you installed V-PHAGE everything but
the shell script was hidden. A thief will not find them without a sector by sector review of
the full backup. A 30 MB hard drive can require as many as 74 floppy disks for a backup,
a thief would need the patience of JOB to locate hidden files. The law of deminishing gain
applies. He must locate, decrypt, dissamble, unscramble, assemble and recompile. It is
not worth the effort.
Let's begin. Move the DOWN arrow to FILE ACCESS.
MANAGER
A --
B --
C --
D --
E --
F --
G --
H --
I -- FILE ACCESS
J --
Press RETURN to achieve the menu which says:
TOGGLE DRIVE
TOGGLE LEVEL
ADD
DELETE
QUIT
This option allows the addition of executables and BAT files to a LEVEL.
WE RECOMMEND THAT YOU DECIDE WHICH PROGRAMS ARE ASSIGNED TO EACH
LEVEL BEFORE YOU BEGIN THE PROCESS OF ADDING PROGRAMS. BE SURE TO
MAKE BACKUP COPIES OF THE PROGRAMS TO BE ASSIGNED OR HAVE THE
ORIGINAL SOURCE DISKS STORED AS RECOMMENDED LATER IN THIS MANUAL.
WHEN A PROGRAM IS ADDED TO ANY LEVEL IT IS SCRAMBLED TO PREVENT
FUTURE EXECUTION OUTSIDE OF THE V-PHAGE SECURITY SYSTEM.
TOGGLE DRIVE will show the default hard drive. As system Manager you know how many
hard drives you have in your system. If more than one exists you can move from drive to
drive by pressing the RETURN key when DRIVE is highlighted. If only one drive is present
DO NOT press the RETURN key, rather use the DOWN arrow to move to TOGGLE
LEVEL. Should you press the RETURN key V-PHAGE will verify the number of drives
available on ypur system.
Toggle Drive C
Toggle LEVEL 0
Add
Delete
Quit
Now press RETURN. Notice the level changes to the next higher digit after a few seconds
of blank screen.
Toggle Drive c
Toggle LEVEL 1
Add
Delete
Quit
During this time the hidden level access file is created. Notice the highlight has remained
at the Level position. Repeat the above, i.e., press RETURN key each time you finish
adding the programs chosen for that level to increase the level by one. When you have
arrived at the level of your choice move the highlight to ADD. The fifteen (15) levels must
be stepped through in ascending order, i.e., one, two, three, etc.
T
T
Add
D
Q
Press RETURN. The contents of the Root Directory will appear in an upper half window.
A lower half window is blank. You must navigate down the DOS path structure to the
program you wish to designate. To do this you need to use the arrow keys and the
RETURN key.
**********************************************************************
* io.sys ms-dos.sys command.com config.sys ansi.sys *
* \wp \123 \dbms \cad \ai \case *
* *
* *
**************************LEVEL 0***********************************
* *
* *
* *
* *
***********************************************************************
Let's suppose your root contains the directories WP, 123, dbms, cad, ai and case. To
place a program from the WP directory in LEVEL 2 you must first follow the toggle
instruction to achieve LEVEL 2. Next using the DOWN arrow move to highlight ADD. Press
return. The root will appear as it does above. Move the arrows to highlight WP and press
RETURN. The WP directory subdirectories and programs are listed on your screen.
********************************************************************
* wp.exe convert.exe sort.com merge.exe list.com *
* find.exe *
* *
* *
******************LEVEL 2*** ***********************************
* *
* *
* *
* *
********************************************************************
If you wanted to bound two programs called CONVERT.EXE and WP.EXE you would first
choose CONVERT.EXE by moving the arrows to highlight it. Now Press RETURN. In a
few seconds the name CONVERT.EXE will appear in the lower window. The upper window
will return to the root directory. Bounding secures the execution to the level chosen. Only
those authorized to the LEVEL may access them.
Again Travel using the keys to the WP directory and press RETURN. Highlight the
program WP.EXE and press RETURN. It too will appear in the lower window.
The logic of the path enforces an audit on the execution which is logged for later analysis
should that be required. Additionally it requires you as the System Manager be assured
that you select the proper program. When level 1 is complete you then move on to level
2. And then level 3. You have sixteen levels available to you (0 - 15). Upon successful
completion of the assignment of programs to each level move the highlight to QUIT to
return to the Manager's Screen.
You are now ready to proceed. Distribute the ID's and associated PASSWORDS to the
designated owner. Accomplish this task privately so as to assure the appropriate level of
confidentiality. If a user leaves delete his/her ID/PASSWORD. Issue a new
ID/PASSWORD to the replacement in that position.
NEVER REPEAT/REUSE EITHER ID OR PASSWORD AS THIS IS POTENTIAL FOR A
SECURITY BREACH ( THE OLD ID/PASSWORD ) ACTIVE IN YOUR SYSTEM.
A LOOK AT THE MANAGER SCREEN OPTIONS
A --RUN DETEKT
Our reason for the development of this program is to provide the typical computer user
early warning against a virus attack or defective software. DETEKT provides a
bounding of the problem, allowing your computer security contingency plan to respond
prior to program execution. Should you not have a computer security contingency plan,
consider following the orderly process suggested at the completion of these operational
instructions. The DETEKT tool executed after the entry of any software or data to your
system from any outside source, including trusted computer software. Use DETEKT as
the cornerstone of your software quality program. It reduces the potential for major
problems. DETEKT BOUNDS THE PROBLEM AREA TO MINIMIZE THE POSSIBILITY
FOR CORRUPTION.
The introductory screen tells you that the program File Corruption Detection has begun.
Press the return key again.
You will now see three choices displayed across the top of the screen. They are FILE,
CHECK and QUIT.
FILE OPTIONS
Under the FILE choice five options are listed (DRIVE SELECTION, ADD FILES, DELETE
FILE, PRINT AUDIT and CHANGE NAME ).
DRIVE SELECTION allows you to choose drives A: through I: the drive must physically
exist and be configured into the computer system. In the case of floppy disk drives the
drive door must be properly closed with a formated disk mounted in the drive. If you utilize
a hard drive choose drive C:.
Using the Arrow keys drop down one level to ADD FILES. Press the return key. Notice
that the upper window now shows are Directories and Files in the root directory. The
Cursor shell now highlights the first item (left most,top most). Were you to choose this item
simply press the return key. The chosen file name will appear in the lower window.
DETEKT has calculated both a checksum and CRC for file name, file size, path, date
stamp, time stamp and file attributes. The CRC/Checksum is added to the control file.
The cursor is back in its original position. Use the arrows to move to the next file you wish
protected. For your protection, the cursor always returns to its home position and creates
a unique traceable path. In this way path derviations, which substitute a duplicate named
program, will not be allowed to distort your original intent.
Should you choose a directory, DETEKT will display the programs in that directory.
DETEKT can drop down to the lowest subdirectory on your drive. Choose the file to be
protected by moving the arrow keys to your selection. Press return to invoke DETEKT.
NOTE: In order to assure that the proper path is chosen and encoded in the DETEKT file
tracking scheme you must begin from the root directory each time. This method is a bit
more time consuming but it provides your system with the maximum unique protection
available. The ADD FILES logic within DETEKT is a balance between user friendliness
and encryption effectiveness.
When you are satisfied that the appropriate files are protected press the ESCape key
to return to the choices.
The DELETE FILE option helps those who make mistakes to remove them. Choose
the file to be unprotected by moving the arrows. Press the return key and the file will be
highlighed with an asterik. When all files to be unprotected are so highlighted press
ESCape. They will be removed from the lower window. The ESCape key will return you
to the option choices.
At this point you have created a set of controls for the files. Those files are specially
identified so if corruption, willful or negligient occurs you will be notified at the next
DETEKT execution. The control file is in the hidden subdirectory in encrypted form on
drive C:.
The option to PRINT AUDIT allows the system manager to print for analysis purposes
a report from YYMMDD to YYMMDD. When you choose this option simpley follow the
instruction prompts. enter the start date as YEAR-MONTH-DAY and press RETURN. Then
when the second prompt appears enter finish date as YEAR-MONTH-DAY. and press
RETURN. BE SURE YOUR PRINTER IS ON LINE, TURNED ON, HAS PAPER LOADED
AND IS READY TO GO. If your printer is not ready DETEKT will wait for you to make the
printer ready. ESCape will cancel the PRINT AUDIT command.
The CHANGE NAME option allows you to specify the name which will appear in the
heading block of the Audit Report. Move the highlight to the option and press RETURN.
Follow the instructions on the screen.
CHECK OPTIONS
The CHECK command requires you to move the right arrow one position. The options
available are SPECIAL FILES, DISK FILES, ALL FILES, UPDATE DISK AND UPDATE
ALL. Move the highlight down to SPECIAL FILES and press the return key. A window
opens in the center of your screen as all the SPECIAL FILES you chose are verified and
validated. This is probably the most use command in the schema.
DETEKT is designed to afford full disk protection. Move the bounded cursor to the
middle line, UPDATE DISK. This command causes DETEKT to build a disk control file.
First DETEKT verifies itself then it proceeds to establish controls for every file on the drive
currently specified. The command UPDATE ALL will create a control for every file on every
installed and active (loaded and on-line) drive from A: through I:. The initial processing of
a fully loaded 32MB drive takes approximately 25 minutes. A 362k floppy requires
approximately one minute.
The command DISK FILES performs a validation of the full current disk against the
control file created by the ALL FILES process. Verification requires about 5 minutes for the
32MB drive described above. We recommend that DISK FILES be invoked immediately
after any new software is added. The UPDATE ALL examines all disks installed and
active (loaded and on-line) from A: through I:
The ESCape key returns you to the highest command level.
QUIT OPTION
To exit DETEKT move the right arrow to QUIT mode. Questions concerning hard copy
logs will be asked based upon the actions you initiated. If you processed any CHECK
function you will be asked "Do you want a report of current activity?(Y/N)". If you answer
Y you obtain a report of this processing. You then are asked, "Do you want a complete
change history?(Y/N)". If you choose Y a full report is printed. If you choose N you exit to
the REMINDER screen. If you press the ESCape key you return to the MANAGER"S
SCREEN.
CLOSING CORRUPTION LOOPHOLES (SAVEZONE)
Corruption which enters your system in data files can be executed when that file,i.e.,a
spreadsheet or word processor file or text is called. This corruption is limited to two
specific parts of your system, the BOOT track (track 0) and the FILE ALLOCATION TABLE
(FAT). SAVEZONE allows you to backup both areas on a clean, formatted floppy disk.
Should you experience a disk problem you need only shut down the system, wait thirty (30)
seconds and reboot using you original DOS boot disk. When the reboot is complete mount
the SAVEZONE FLOPPY DISK in drive A: and type the command NEWZONE. The
damaged BOOT track and FAT will be replaced. Your system is as it was prior to the
attack.
Be sure to copy the offending file to a floppy disk prior to deleting the file from your
computer system. In this way a computer security professional can analyze the culprit.
Upon deleting the corrupt file process DETEKT using the Command CHECK and the sub-
command ALL FILES. This will assure that the corruption is no longer present.
HOW TO RUN DETEKT OUTSIDE OF V-PHAGE
DETEKT is normally placed in the V-PHAGE directory and executed from the V-PHAGE
system path in order that it is accessible to the System Manager at any time. You will
notice that you can use DETEKT to check for changes in itself. This protection mechanism
assures detection of corruption.
When DETEKT is invoked two work windows will appear a upper and a lower. The
upper window is the selection or pick window where those files you wish DETEKT to
validate will appear and/or you can select additional files for review. The lower window will
always contain the selected files.
At the top of these two screens are your menu controls which are as follows, FILE,
CHECK, or QUIT.
FILE SELECTIONS ARE:
Drive Select
Allows you to select between drives A- I if they are installed and available for use. A
floppy disk drive will not be selected if the drive door is open or if a disk is missing from the
drive.
Add File
Allows you to select any file from the drive or sub-directory selected. Once the desired
drive and directory has been selected, the up/down arrows are used to move the highlight
bar about to select the file. Press return and the file will appear in the lower window to
indicate the file has been added.
Delete File
Allows you to delete selected files from the selected drive or sub-directory. Up/down
arrows can be used to move the highlight bar to the file you wish to delete. Once file has
been highlighted press the return key to select the file. Selected will have an asterisk (*)
to the right of the file name. Press the escape key to complete the operation.
Print Audit
Allows you to print the audit trail hidden upon this disk from any date to any date.
Change Name
Allows the user to place a name in the audit report heading.
CHECK SELECTIONS ARE:
Special Files
Using this selection only allows selected files to be checked. Should you happen to
delete a file which appears in the TO BE CHECKED lower window and not remove it, i.e.,
not practice proper maintenance of your files, you will be told NO LONGER EXISTS next
to the file name. You must press the RETURN key to continue the CHECKing process.
DETEKT assures that you recognize that a difference has been detected.
Disk Files
Using this selection allows files on selected drives with .COM, .EXE, .SYS, .OBJ, and
.BAT extensions to be checked. Message NO FILES HAVE BEEN CHANGED SINCE
LAST UPDATE appears if your disk control file matches the hidden control file for that
drive.
All Files
Using this selection causes all files on every drive in use to be verified
Update Disk
Permits the update of the control file which was created during the setup exercise
explained in the detail above.
Update All
Causes all files on every drive in use to be updated.
QUIT (exiting the program)
Allows the user to exit from the program. Upon leaving the program <RETURN> you will
receive a final warning:
REMEMBER TO PERFORM DAILY BACKUP ROUTINE
FOR OPTIMUM DATA AND FILE INTEGRITY
This is a very important procedure. Press the return key to get back into the DOS
system.
WARNING MESSAGES:
POSSIBLE INFECTION !!
This warning message will appear during file checking if any one of the following is true.
File size has been altered.
File date/time has been altered.
File checksum has been altered.
File CRC has been altered
New unvalidated file has been added
WARNING THE ABOVE FILE HAS BEEN ALTERED!!
DO YOU WISH TO UPDATE CONTROL FILE?
These messages will follow a possible infection warning. The user will be asked if the
file is ok to update. Answering * YES * (i.e., typing "Y") to this question will update the
control file to the current status of the file that has been identified as changed. Answering
* NO * (i.e., typing "N")to this question leaves the control settings for that file just the way
they were before the user was alerted to the possible infection. When a warning
message is encountered an action must be taken by the user to avoid possible
problems.
COMMAND LINE SHORTCUTS
(MAY BE USED ONLY AFTER YOU EXIT TO DOS)
Many times users seek the friendliness of checking their status during an application's
progress. DETEKT allows you to RETURN the DOS shell and execute from the command
line without the detailed step by step process described above.
COMMAND ACTION
DETEKT/CD (drive) VALIDATES ALL FILES IN THE CONTROL
FILE WHICH YOU ESTABLISHED DURING
SETUP FOR THE ENTIRE DRIVE.
IF YOU DO NOT SPECIFY A DRIVE THE
CURRENT DRIVE IS THE DEFAULT DRIVE.
DETEKT/CA VALIDATES ALL FILES ON EVERY WORKING
DRIVE.
DETEKT/UD UPDATES ALL FILES ON THE CURRENT
DRIVE.
DETEKT/UA VALIDATES ALL FILES ON EVERY DRIVE
AVAILABLE TO THE COMPUTER SYSTEM.
DETEKT/S UPDATES THE SPECIAL FILES SELECTED
DURING THE SETUP PROCESS.
DETEKT <PATH> <FILENAME> will validate the specific program on the specific path
you have chosen. DETEKT IS VERY PRECISE. You must carefully and accurately define
the command line parameters.
If you make a mistake or if the file does not exist you will be informed:
<PATH> <FILENAME> HAS NOT BEEN FOUND!
When the proper path and filename is RETURNed you will be notified by the initial
comment:
CHECKING <PATH> <FILENAME> , at completion, you should see:
<PATH> <FILENAME> HAS NOT BEEN ALTERED
If changes to the control file were noted you will receive the error message telling you
precisely what has been detected as different. You will be given the opportunity to accept
the changes. ACCEPT THE CHANGE ONLY IF YOU KNOW WHAT CAUSED THE
CHANGE. DO NOT GAMBLE WITH YOUR MACHINE'S SOFTWARE INTEGRITY.
WHEN IN DOUBT BE PRUDENT.
LOGGING DETEKTED DIFFERENCES (VIDEO AND PRINTED COPY)
V-PHAGE allows the user to see all detected differences at one time in one place.
Should differences be found, they will be written to a file named OSERROR.TXT in the
\root of the disk being evaluated. Some users copy this file to a security sub-directory with
the name changed to dif<mmddy>.doc. In this way they can combine results to determine
if trends and/or patterns exist which require further investigation. To delete those historical
disk files Type the command PRINT OSERROR.TXT and produce hardcopy for review,
analysis and historical purposes or copy the files to a floppy disk for storage.
CONCLUSION CONCERNING THE RUN DETEKT OPTION
DETEKT IDENTIFIES A DIFFERENCE in the software residing on your disk drives
since the last time it was analyzed, LOCATES THE DIFFERENCE, and provides a warning
of a possible infection or software bug. DETEKT should be part of a well planned backup
routine to be fully effective. Use SAVEZONE as suggested to keep your risk level at
minimum. Once in operation, DETEKT minimizes the user's exposure to the risks
associated with unidentified change.
B -- RUN SAVEZONE
Savezone backs up the hard disk boot track and file allocation table (FAT). ACC, Inc.
recommends that it be executed prior to shut down each day, at minimum. SAVEZONE
protects the programs within the V-PHAGE/DOS from permanent damage by the class of
VIRUS and Trojan Horse which corrupt by manipulating or destroying the boot track and/or
FAT. When your press RETURN at the highlighted SAVEZONE choice you will see:
Executing Format in Drive A:
Insert Disk and strike Enter when ready
You will now see the normal DOS format cycle occur by head by cylinder. At
completion you will see:
Format Complete
then the screen will display a running dialog of the actions taking
place.
Creating newzone.exe
autoexec.bat
The backup floppy disk is now ready. You will have the opportunity to choose the
drive to be backed up.
Drive to Backup ?
Enter the letter of the hard drive to be backed up and, again, press RETURN.
Drive to Backup ? C or c (case is irrelevant)
The screen will blank as the following actions are accomplished. The Boot Track and
File Allocation Table (FAT) are copied to the Disk in Drive A:. At completion of this
processing the MANAGER'S MENU will reappear. Identify the disk in Drive A: as the boot
track backup and store it in a safe place.
The message:
Please remove disk from drive A: and store in a safe place.
is a documented reminder.
Processing NEWZONE
(The tool to replace your damaged boot track and FAT)
1. Reboot the computer using the backed up disk placed in drive A:.
2. Type the command NEWZONE and press the return key
3. When the system is restore to its pre-attack state, copy the corrupt file to a floppy
disk for later analysis by a software security professional.
4. Delete the corrupt file from your disk
5. Use DETEKT to validate the entire disk, i.e., process RUN DETEKT and take those
actions appropriate to the results produced.
6. Return to your normal routine
C -- ADD NEW USER
Use the DOWN arrow to reach the ADD NEW USER. When it is highlighted press
RETURN.
MANAGER
A --
B --
C -- ADD NEW USER
D --
Wait for the display to show ID: the short wait is required so that the audit trail is
maintained. If you type any characters you will be asked to repeat them. Have patience,
enforced security is worth thw wait.
ID:
Type the ID chosen for this user and press RETURN.
ID: XXXXX
The screen will repeat the ID you have entered exactly as you input it with the comment
Y/N?.
ID SERENITY (Y/N?)
If the ID is exactly as you wish type Y. If you are dissatisfied for any reason type N. N
repeats the process.
When you type Y and press RETURN the request PASSWORD will appear.
PASSWORD:
enter the password of your choice.
BE UNIQUE. USE TERMS OR RANDOM STRINGS WHICH ARE NOT TYPICAL TO
ANYTHING ASSOCIATED WITH THE ASSIGNED USER. DO NOT USE ANY OF THE
PASSWORDS LISTED IN THE COMMON PASSWORD SECTION WHICH APPEARS
LATER IN THIS MANUAL.
After you enter the PASSWORD the display will say
"again".
Repeat the chosen PASSWORD at the prompt. If you are successful the display will say
LEVEL. If you err the PASSWORD process will repeat. Do not anticipate and type before
requested to do so. V-PHAGE is logging your activities. The log takes precedence. You
will be required to retype your entry.
LEVEL:
At the LEVEL prompt choose from 1 - 15. It is a waste of time to input 0. The 0 will cause
the message
"ONLY ONE SYSTEM MANAGER"
to appear. Be careful not to repeat level 0 requests as V-PHAGE
will cause an exit which requires a restart. We took this precaution based upon experience
with hacker comments concerning some operating system undocumented features which
could lock-up the server and cause an unauthorized entry into the operating system.
The next display will ask for the new users NAME.
NAME:
Again this feature is beneficial to you as system Manager when tracking auditable actions
by ID, Terminal used and programs executed.
DEPT:
The final entry requested is the Department (DEPT) code. In many corporations data is
shared within the corporation across the enterprise. In others it is compartmentalized. V-
PHAGE allows the user the best of both worlds. You have the option to structure your
corporation/agency in the manner you find most ameniable to your operations. During an
Audit of data use one might compare department to level to determine if unauthorized
sharing or inappropriate use has occurred.
DEPT: SALES
When the department is entered you will be returned to the top of the MANAGERS MENU.
Repeat the process for each user that you wish to register.
As you continue be aware that V-PHAGE is tracking your activities. You may not repeat
an ID or a PASSWORD. Should you repeat inadvertantly, V-PHAGE will advise you
ID not acceptable
After all users are entered at the chosen level you can begin to choose the programs
accessible by each level.
BE ADVISED -- If you attempt to execute the RUN PROGRAMS command from a legal
access but no programs are assigned you will see the comment
ask your Manager to authorize application programs
You will then be exited from the system. The logic for this harsh measure is simple
security, i.e., if you do not have something to process you should not be an active user.
A system Manager can accomplish any function in his manager's menu and all executions
allowed of programs chosen at every level. Individual users added to the V-PHAGE may
function solely in their assigned level. Attempts to by pass V-PHAGE will cause the
computer to cease to function. Restart is required to continue.
D -- CHANGE USER
Using the DOWN arrow move to the CHANGE USER line. When it is highlighted press
RETURN.
MANAGER
A --
B --
C --
D -- CHANGE USER
E --
The prompt ID will appear. When it is displayed type the ID which you wish to change. The
ID prompt will reappear. Type the new ID that you have chosen to replace that now in use.
ID: XXXXXXXX
REMEMBER!!!!! Choose an ID which is UNIQUE to you but not representative of your job,
avocation or family.
enter your choice and press the RETURN key. When PASSWORD appears, repeat the
process, i.e. type a unique password.
PASSWORD: XXXXX
Upon success you will be rewarded by the display LEVEL. If you enter the level zero (0)
you will be told that the privilege may not be deleted.
LEVEL: <all but 0 accepted>
THERE IS ONLY ONE HIGHEST PRIVILEGE LEVEL ALLOWED BY V-PHAGE AND
YOU, AS SYSTEM MANAGER, ARE IT. V-PHAGE WILL DISALLOW ANY ATTEMPT TO
CREATE A SECOND SUPER PRIVILEGE.
Next the display NAME: will appear. Type the a name of the individual assigned this ID and
PASSWORD.
NAME: Constance Complainer
NAME is a requirement of V-PHAGE for later audit reporting purposes.
E -- DELETE USER
To DELETE a user move the highlight to DELETE USER and press RETURN.
MANAGER
A --
B --
C --
D --
E -- DELETE USER
F --
The display will ask for the ID: to be deleted. Type the ID you wish to remove.
ID: TalKAtive
The next prompt will ask for PASSWORD: Type the password and press RETURN.
PASSWORD: PrograMMer
You will now see the record to be deleted on your screen with the question "DELETE Y/N
?".
TalKAtive PrograMMer 1 EDP Jess Wright DELETE Y/N ?
If you type Y the item is deleted. If you type N the item is rewritten to the appropriate
hidden files and you return to the MANAGER'S SCREEN.
If you try to delete an ID which does not exist the V-PHAGE will allow you two tries and
then print
unknown ID
and return to the MANAGER'S MENU.
You may not delete the LEVEL 0. If you attempt to do so you will upon entering the level
0 ID receive on the screen the message
Secure Level -- Deletion Prohibited
and be returned to the MANAGER'S SCREEN.
Successes, deletions and attempted deletions are logged into the secure hidden audit file.
Read the section concerning audits and reporting of activities later in this manual.
F -- LIST USERS
Periodically you will need to verify who has some level of privilege in the V-PHAGE. Move
the highlight to the line LIST USERS. Press RETURN.
MANAGER
A --
B --
C --
D --
E --
F -- LIST USERS
G --
The V-PHAGE will ask you for your password.
PASSWORD:
If you provide the proper PASSWORD you will see the listing.
FCD 0 TOM TERIFFIC MGMT
REST 3 SERENITY SAFELY ACCT
TalKAtive 1 JESS WRIGHT EDP
If you are wrong for whatever reason the attempt will be logged and you will be returned
to the managers menu. Shutdown is a security measure to assure that you, the system
Manager, haven't walked away from you terminal and an unauthorized person replaced
you. A second mistake ( two in a row) exits you from the system. You must restart your
computer to reenter V-PHAGE to try again.
G -- PRINT USERS
WARNING !!! PRINTOUTS OF ID AND PASSWORD FILE INFORMATION MUST BE
KEPT TO A MINIMUM. IT IS BEST TO NEVER LET IT HAPPEN.
Move the highlight to the PRINT USER option using the DOWN arrow.
MANAGER
A --
B --
C --
D --
E --
F --
G -- PRINT USERS
Press RETURN. You will be asked for your PASSWORD.
PASSWORD:
An erroneous input will cause an escape to the managers screen.
When V-PHAGE has accepted and logged the correct password it will next ask for your
department
DEPT:
The proper entry will allow the report to print.
ID/PASSWORD HARDCOPY
!!!! KEEP THIS DOCUMENT SECURE !!!!!
FCD ACC 0 Tom Terrific MGMT
REST NIGHTLY 3 Serenity Safely ACTG
HOLY DEVIL 2 Ida Gomez EDP
This action, like all others, is posted into the audit log.
H -- RUN PROGRAMS
The DERUN shell creates a boundary so that the programs which users process are inside
the shell. The user has no access to DOS unless you the system Manager so authorize.
He is limited to those programs which appear in his level. Users when they input their
ID/PASSWORD are shelled directly into a menu of those programs which you the system
Manager established. Attempts to circumvent the system meet with termination and
require a restart. As system Manager you have the privilege to control the structure and
freedom of the user. You pick and choose what can be processed at what level of privilege
subject to the directions of your management.
All programs which are entered into a privilege level are affected by PROT a unique
methodolgy which scrambles the program code so that the window of vunerability for an
attaching VIRUS and other code corruption is minimized. The scrambled programs cannot
execute on their own, should they be stolen. Since users are limited to execution - only,
thieves have to carry out backups of executables and data. They then must decompile,
disassemble, unscramble, analyze, restructure and finally assemble in order to use their
ill gotten gain. We recommend to you that you assure yourself that you have backup
copies before you add the programs to any level. This protects you from a frustrated
individual who damages or destroys that which he/she is prohibited from achieving.
*******************LEVEL 3*************************************
* WP *
* INVOICING *
* ORDERS *
* A/R *
* *
*******************************************************************
RUN PROGRAMS allows you to run all those programs chosen for your personal super
privilege level as well as any program chosen at any level. At completion of program
execution you return to the level menu chosen. You may execute a second program within
the level. Should you choose to change levels you must return to the MANAGERS MENU.
You exit by choosing ESCape. You return to the MANAGER'S MENU.
I -- FILE ACCESS
The FILE ACCESS option of the MANAGERS MENU provides the system Manager the
ability to establish the composition of what
executable program code is available to each level of privilege. The FILE ACCESS
privilege properly structured allows a reduction in the amount of grapevine material
available to browsers and reduces the awareness of all except those with a need to know.
MANAGER
A --
B --
C --
D --
E --
F --
G --
H --
I -- FILE ACCESS
J
Press RETURN to achieve the menu which says:
TOGGLE DRIVE
TOGGLE LEVEL
ADD
DELETE
QUIT
This is the most complex of all the options. The ADD option is purposefully so to assure
security at the proper level.
WE RECOMMEND THAT YOU DECIDE WHICH PROGRAMS ARE ASSIGNED TO EACH
LEVEL BEFORE YOU BEGIN THE PROCESS OF ADDING PROGRAMS. BE SURE TO
MAKE BACKUP COPIES OF THE PROGRAMS TO BE ASSIGNED OR HAVE THE
ORIGINAL SOURCE DISKS STORED AS RECOMMENDED LATER IN THIS MANUAL.
WHEN A PROGRAM IS ADDED TO ANY LEVEL IT IS SCRAMBLED TO PREVENT
FUTURE EXECUTION OUTSIDE OF THE V-PHAGE SECURITY SYSTEM.
TOGGLE DRIVE will show the default hard drive. As system Manager you know how many
hard drives you have in your system. If more than one exists, you can move from drive to
drive by pressing the RETURN key when the Toggle Drive is highlighted. If only one drive
is present DO NOT press the RETURN key, rather use the DOWN arrow to move to
TOGGLE LEVEL. Should you out of a sense of curiosity decide to press the RETURN key
your video screen will go blank for several seconds. If you look at you computer you will
note that the lights telling you of activity on your disk drives are working. When you
depressed the RETURN key you caused the V-PHAGE to seek out other hard disk drives.
Toggle Drive C
Toggle LEVEL 0
Add
Delete
Quit
Now press RETURN. Notice the level changes to the next higher digit after a few seconds
of blank screen.
Toggle Drive C
Toggle LEVEL 1
Add
Delete
Quit
During this time the level access hidden file is created. Notice the highlight has remained
at the Level position. Repeat the above, i.e., press return each time you finish adding the
programs chosen for that level to increase the level by one. When you have arrived at the
level of your choice move the highlight to ADD.
T
T
Add
D
Q
Press RETURN. The contents of the Root Directory will appear in an upper half window.
A lower half window is blank. You must navigate down the DOS path structure to the
program you wish to designate. To do this you need to use the arrow keys and the
RETURN key.
**********************************************************************
* io.sys ms-dos.sys command.com config.sys ansi.sys *
* \wp \123 \dbms \cad \ai \case *
* *
* *
**************************LEVEL 0***********************************
* *
* *
* *
* *
***********************************************************************
Let's suppose your root contains the directories WP, 123, DBMS, CAD, AI and CASE. To
place a program from the WP directory in LEVEL 2 you must first follow the toggle
instruction to achieve LEVEL 2. Next using the DOWN arrow move to highlight ADD. Press
return. The root will appear as it does above. Move the arrows to highlight WP and press
RETURN. The WP directory subdirectories and programs are listed on your screen.
********************************************************************
* wp.exe convert.exe sort.com merge.exe list.com *
* find.exe *
* *
* *
********************LEVEL 2**************************************
* *
* *
* *
* *
********************************************************************
If you wanted to assign two programs called CONVERT.EXE and WP.EXE you would first
choose CONVERT.EXE by moving the arrows to highlight it.
NOTE: THE PROGRAM ADDED WILL BE SCRAMBLED. IT MAY ONLY BE EXECUTED
FROM THE V-PHAGE SHELL. SCRAMBLING IS FOREVER.
Now Press RETURN. In a few seconds the name CONVERT.EXE will appear in the lower
window. The upper window will return to the root directory.
Again Travel using the keys to the WP directory and press RETURN. Highlight the
program WP.EXE and press RETURN. It too will appear in the lower window.
The logic of the path enforces an audit on the execution which is logged for later analysis
should that be required. Additionally it requires you as the System Manager to be assured
that you select the proper program. When level 1 is complete you then move on to level
2. And then level 3. You have sixteen levels available to you (0 - 15). Upon successful
completion of the assignment of programs to each level move the highlight to QUIT to
return to the Manager's Screen.
DELETE FILES
TOGGLE DRIVE will show the default hard drive. Toggle LEVEL shows you the privilege
level beginning with your own, i.e., level 0.
Toggle Drive C
Toggle LEVEL 0
Add
Delete
Quit
Now press RETURN. Notice the level changes to the next higher digit after a few seconds
of blank screen.
Toggle Drive C
Toggle LEVEL 1
Add
Delete
Quit
When you have arrived at the level of your choice move the highlight to DELETE.
T
T
A
Delete
Q
Press RETURN. The contents of the LEVEL chosen will display. The programs will be
listed one to a line.
WP
123
INVOICING
ORDERS
Use your down arrow to locate the program you want to delete. Press the RETURN key
and an asterik will mark the file for deletion
WP
123
* INVOCING
ORDERS
When you have marked all files to be deleted press ESC (ape) and it will be deleted.
WP
123
ORDERS
J -- EXIT TO O/S
As system Manager there may be times when someone must enter the operating system.
You have the only key to allow this to happen. When you move the DOWN arrow to this
option and press RETURN you exit the protection of V-PHAGE. Should you wish to reenter
V-PHAGE you must turn off your machine and reboot. Failure to begin "fresh" will
compromise your equipment security.
In 99.99% of the cases there is no reason to exit V-PHAGE. It is up to you to minimize
the window of vuneralability created by the act of leaving the secure bounded execution
provide by V-PHAGE.
Should you choose to EXIT TO DOS press the RETURN key when the command is
highlighted or press "E". The result is the same. You will now see
PASSWORD:
displayed. Enter your password and press the return key. Next you will
see the question
Would you like a Security Log Printout? [Y/N]
If you choose Y (Yes) the V-PHAGE will request printout parameters consisting of a start
date and an end date.
Start Date (yymmdd): 891125
End Date (yymmdd): 900108
After the second date is entered the printout will begin. Be sure the printer is turned "on"
and has sufficient paper properly installed. If the printer if "off" the report will be scrolled
to RAM to execute when the printer is activated. You will be exited to DOS as the report
is being printed.
If you press "N" (NO) or any other key you will be exited to DOS immediately.
K -- QUIT
QUIT TERMINATES THE PROCESSING and forces a restart when you return.
Upon choosing to Quit the V-PHAGE offers you the opportunity to produce a hard copy
audit report of the user/manager actions from the date you specify to the date you specify.
Should you choose to QUIT press the RETURN key when the command is highlighted or
press "Q". The result is the same. You will now see
PASSWORD:
displayed. Enter your password and press the return key. Next you will
see the question
Would you like a Security Log Printout? [Y/N]
If you choose Y (Yes) the V-PHAGE will request printout parameters consisting of a start
date and an end date.
Start Date (yymmdd): 891125
End Date (yymmdd): 900108
After the second date is entered the printout will begin. Be sure the printer is turned "on"
and has sufficient paper properly installed. If the printer if "off" the report will be scrolled
to RAM to execute when the printer is activated. You will be exited to LOGON MENU as
the report is being printed.
If you press "N" (NO) or any other key you will be exited to the LOGON MENU
immediately. You must now use the down arrow to move to highlight QUIT. When you
highlight QUIT press the RETURN key. You are now locked out of the system you must
restart your computer by shutting off power and then turning power on again.
V-PHAGE HIDDEN SUBDIRECTORY AND HIDDEN FILES WHICH SECURE YOUR
COMPUTER
When the INSTAL program was executed three separate and distinct hidden directories,
three ID/password control files, two change detection control files and two log files were
created and in part encrypted. The files and logs were placed into their appropriate hidden
directories. All are monitored for unauthorized change, i.e., change from outside the V-
PHAGE control path as designated from the MANAGER'S MENU.
The logs contain built-in, hidden elsewhere, counters which will physically show you that
a difference exists. If a log is modified, the log will show the date, time and type of
modification. The absence of such an entry will be reflected in an unbalanced count status.
As you structure the access by level additional level access control tables will be created
as hidden files. Each level causes a distinct, unique file to be created and hidden. As the
contents of levels are expanded and/or reduced the updasted files will be polled and all
changes logged for future review and audit.
ANY ACT WHICH ALTERS ANY CHARACTERISTIC OF AN EXECUTABLE (SUBJECT)
OR A DESIGNATED FILE (OBJECT) IS AUTOMATICALLY LOGGED FOR LATER
REVIEW AND AUDIT.
AUDIT REPORTS AND TECHNIQUES
V-PHAGE attempts to capture all the information available concerning user access and
program changes in order to facilitate a mainframe level of security upon a Micro computer
and its associated networks. During the ALPHA testing the change detection program
located logical calls in the BIOS which had no physical equivalents or basis in fact.
AUDIT MESSAGES
(Filename) Was Deleted From (Level).
User (owner) (ID) (dept) exited Program.
Audit Trail Printed From (start date) to (end date).
(Filename) Executed By (owner) (id) (dept).
List Of Users Printed To Screen.
UserList Attempted.
List Of Users Printed.
Printing Of Users Attempted.
DETEKT.EXE Executed.
User (owner) (ID) (dept) Added To User List.
User (owner) (ID) (dept) Has Been Changed To (owner) (id) (dept). System Manager
(owner) (id) (dept) Has Been Changed To (owner) (id) (dept).
Invalid Attempt To Change System Manager ID.
User (owner) (ID) (dept) Deleted From User List.
Attempt Deletion Of User (owner) (ID) (dept).
Program Exited To DOS Without Security Log Printout.
Attempted Exit To DOS.
Program Exited Without Security Printout.
Attempted Exit Of Program.
Invalid Logon Attempt.
Invalid Logon Attempt With (id).
Successful Logon By (owner) (id) (dept).
ERROR MESSAGES DISPLAYED TO SCREEN
Ask your Manager to authorize application programs.
Prohibited Priveledge Level.
Unknown ID
Level Secure-Deletion Prohibited
ACCESS DENIED
DETEKT AUDIT LOG SAMPLE
DATE:11/06/1989 TIME:10:12 AM
File C:\IO.SYS Was Added To The Special Files List.
File C:\ANSI.SYS Was Added To The Special Files List.
File C:\AUTOEXEC.BAT Was Added To The Special Files List.
File C:\COMMAND.COM Was Added To The Special Files List.
File C:\CONFIG.SYS Was Added To The Special Files List.
File C:\V-PHAGE\PASSWORD.EXE Was Added To The Special Files List.
File C:\V-PHAGE\DETEKT.EXE Was Added To The Special Files List.
File C:\V-PHAGE\V-PHAGE.EXE Was Added To The Special Files List.
File C:\V-PHAGE\PROT.EXE Was Added To The Special Files List.
DATE:11/06/1989 TIME:10:38 AM
Update preformed on drive C.
V-PHAGE SYSTEM USE AUDIT LOG SAMPLE
DATE:11/06/1989 TIME:10:09 AM
Successful Logon By FCD
DATE:11/06/1989 TIME:10:10 AM
DETEKT.EXE Executed
DATE:11/06/1989 TIME:10:40 AM
C:\PRO\WP\WPP.EXE Was Added To Level: 1
DATE:11/06/1989 TIME:10:42 AM
User tom sobczak tom Added To User List.
DATE:11/06/1989 TIME:10:42 AM
List Of Users Printed To Screen.
DATE:11/06/1989 TIME:10:42 AM
List Of Users Printed.
DATE:11/06/1989 TIME:10:43 AM
Audit Trail Printed From 891105 To 891107.
DATE:11/06/1989 TIME:2:15 PM
Successful Logon By FCD
DATE:11/06/1989 TIME:2:16 PM
Program Exited To DOS Without Security Log Printount.
DISCRETIONARY ACCESS CONTROL
The concept of Trusted Computer System Criteria was introduced by the National
Computer Security Center as part of what Department of Defense Computer Security
Experts call the Rainbow series of standards. Any secure computer system requires the
enforcement of the concept of Discrestionary Access Control (DAC). As in any organization
there are many ways to attain the stated goal of auditable secure operation. Before you
can implement DAC you must establish the control objective against which to compare
your attempts to produce your company's Trusted System.
NCSC ststes "The security policy is a statement of intent with regard to control over access
to, dissemination of, and modification of information. The security policy must be precisely
defined and implemented for each system that is used to process sensitive information.
The security policy must reflect the laws,regulations, and general policies from which it is
derived."
The basis for V-PHAGE is that an individual user, or program acting upon a user's behalf
(V-PHAGE's Password component) is allowed to specify explicitly the types of access other
users may have to the information and executables under the user's control. DAC is
definitely not a substitute for mandatory audit controls. The purpose of V-PHAGE is to
provide for a finer granularity of control within the overall mandates of your organizations
mandatory audit policy. Both discretionary and mandatory controls should be used in
concert to implement the application of rules for the handling of multiple categories or types
of information, such as marketing, sales, inventory, production control, etc.
V-PHAGE defines DAC as a means of restricting access based upon the identity of topics
and/or organizational sub-sets to which they belong. V-PHAGE controls are discretionary
in the sense that as system Manager responsible for security, you and only you, are
capable of granting authorization to a user to access any file via the level scenario you
implement.
The V-PHAGE concept modelled after the NCSC standard is relatively straight forward in
that the access control matrix contains the names of users on the rows and levels of
access on the columns. The hidden LEVEL"X" files combined with the hidden USER
privilege files create a documentable representation which states --Joe Jones (Sales) may
access only Level 3 (Order entry).
As V-PHAGE is oriented to the micro computer environment the access mode within level
is consistent, i.e., execute an authorized application, read within the application, write
within the application and delete within the application. Access permission is specifically
identified by a unique user ID and a unique user password entered in combination as
specified by V-PHAGE input standards. Access is to specifically defined groups of
application executables. Once established by the system Manager it is impossible to
circumvent V-PHAGE. The penalty for attempts at circumvention is denial of access to the
entire system and the requirement to restart the system from a power on state. As the
system Manager, you govern the state of least privilege, i.e., you select exactly what each
user is entitled to execute. You set the limits as mandated by management in a manner
where every action is part of a systematic and consistant audit trail.
The concept of named users by ID and password guarantees the mechanism which
assures DAC. Each file within a level is an object (a passive entity which contains or
receives information. Ownership is specifically assigned to a level. The audit trail assures
that the activities of each user are quantifiable in the tracing of their unique actions which
define specific file ownership. The V-PHAGE system Manager must be aware that it is
difficult to meet the precise DAC criteria in an operating system which does not lend itself
to computer security. Each executable is a subject, .ie., an active entity that causes
information to flow among objects (files) within the system Manager established level.
A Trojan Horse as conceived by the creators of the DAC specification cannot occur. Each
user is locked out from transfer outside his level. Input of a Trojan Horse into V-PHAGE
can occur only through you the Systems Manager. As developed V-PHAGE possesses
the attributes of a NCSC B-1 security level. It can never achieve the totality of the concept
of a Trusted Computer Base (TCB) as it is hardware independent. V-PHAGE achieves the
nearest posture to TCB attainable upon in a non-manufacturer specific machine
environment.
V-PHAGE achieves the Confinement property of a Bell-LaPadula security model by its
default limitation of function within authorized level which allows an executable to access
a file only if the security level of the executable dominates the security level of the file. V-
PHAGE overcomes the fundamental flaw in DAC as a result of the level limitation and in
combination with its inherent unrelenting audit logic.
Implementing a complete DAC system requires retaining the information that is
represented by an access control model in some form. V-PHAGE has user ID's
represented on the rows and levels protected represented on the columns for a pictorial
depiction of such a model. The access at points of intersection is consistant with that
described above. As DOS is unprotected V-PHAGE establishes levels as the equivalent
of NCSC specified profiles, Scrambled executables at each level created at the time when
the executable is chosen for that level (a poor man's protection bit) and by encrypted
passwords which cannot be duplicated and be acceptable (and which cannot be
acceptable if they are listed below.)
LIST OF INTERNET MOST FREQUENT PASSWORDS
aaa cornelius guntis noxious simon academia couscous hack
nutrition simple aerobics creation hamlet nyquist singer
airplane creosote handily oceanography single albany
cretin happening ocelot smile albatross daemon harmony olivetti
smiles albert dancer harold olivia smooch alex
daniel harvey oracle smother alexander danny
hebrides orca snatch algebra dave heinlein orwell
snoopy aliases december hello osiris soap alphabet
defoe help outlaw socrates ama deluge herbert oxford
sossina amorphous desperate hiawatha pacific sparrows
analog develop hibernia painless spit anchor dieter
honey pakistan spring andromache digital horse
pam springer animals discovery horus papers squires
answer disney hutchins password strangle anthropogenic
imbroglio patricia stratford anvils drought imperial
penguin stuttgart anything duncan include peoria
subway aria eager ingres percolate success ariadne
easie inna persimmon summer arrow edges
innocuous persona super arthur dog edinburgh irishman pete
superstage athena edwin isis peter support
atmosphere edwina japan philip supported aztecs
egghead jessica phoenix surfer azure eiderdown jester pierre
suzanne bacchus eileen jixian pizza swearer bailey
einstein johnny plover symmetry banana elephant joseph
plymouth tangerine bananas elizabeth joshua polynomial
tape bandit ellen judith pondering target banks
emerald juggle pork tarragon barber engine
julia poster taylor baritone engineer kathleen praise
telephone bass enterprise kermit precious
temptation bassoon enzyme kernel prelude thailand batman
ersatz kirkland prince tiger beater establish knight
princeton toggle beauty estate ladle protect tomato
beethoven euclid lambda protozoa topography beloved
evelyn lamination pumpkin tortoise benz extension larkin
puneet toyota beowulf fairway larry puppet trails
berkeley felicia lazarus rabbit trivial berliner fender
lebesgue rachmaninoff trombone beryl fermat lee
rainbow tubas beverly fidelity leland raindrop tuttle bicameral
finite leroy raleigh umesh bob fishers lewis random
unhappy brenda flakes light rascal unicorn brian
float lisa really unknown bridget flower
louis rebecca urchin broadway flowers lynne
remote utility bumbling foolproof macintosh rick vasant
burgess football mack ripple vertigo campanile foresight
maggot robotics vicky cantor format magic rochester
village cardinal forsythe malcolm rolex virginia carmen
fourier mark romano warren arolina fred markus
ronald water caroline friend marty rosebud weenie
cascades frighten marvin rosemary whatnot castle fun
master roses whiting cat fungible maurice ruben whitney
cayuga gabriel mellon rules will celtics
gardner merlin ruth william cerulean garfield mets
sal williamsburg change gauss michael saxon
willie charles george michelle scamper winston charming
gertrude mike scheme wisconsin charon ginger
minimum scott wizard chester glacier minsky scotty
wombat cigar gnu moguls secret woodwind classic
golfer moose sensor wormwood clusters gorgeous morley
serenity yaco coffee gorges mozart sharks yang
coke gosling nancy sharon yellowstone collins
gouge napoleon sheffield yosemite commrades graham
nepenthe sheldon zap computer gryphon ness shiva
zimmerman condo guest network shivers cookie guitar
newton shuttle cooper gumption nex
ENCRYPTION DEFINITIONS
Substitution: The basis for Cryptography. Replaces every occurrance of a symbol
with a different representative symbol.
One-time Key or Pad: An encryption key composed of random symbols and never
re-used. The sender and receiver must have the same key to encrypt and decrypt the
message.
Public-Key Cryptosystem: Dual key encryption. One key is private and the other
is public. The publicly known key is used for encryption to an individual; the private key is
used for decryption. This is also called a trap-door one-way function. The best known
method is RSA named for its creators, Rivest, Shamir, and Adleman.
DES (Data Encryption Standard): DES is a standard validated by the NSA which
works on one 8-byte (64-bit) block at a time. The encryption process is controlled by a
user-supplied 56-bit key. It is a standard algorithm which is worked backward for
decryption.
Encryption is the science (art?) of making a message or program incomprehensible
to all but a chosen few. It is the art of keeping secrets secret.
DISCUSSION OF V-PHAGE ENCRYPTION PHILOSOPHY
V-PHAGE is not a NCSC specified Data Encryption Standard (DES) product. It is near
impossible to produce a secure DES without a hardware chip. NCSC's DES is private key
system i.e. it has one key for encryption and the same key is used for decryption. The
method is complex, since it is used to encrypt large files. It uses both substitution and
transposition. All the security of the DES system depends upon the secrecy of the
encrytion key. There are disadvantages to DES for a simple password system. The
encryption key would have to be in the program and hence accessible to a knowledgable
programmer, or it would have to be in ROM. This means every system would have the
same keyword.
V-phage uses a simpler private key system that uses both substitution and transposition.
The key length is much smaller since the only specific items which tend to be targets for
corruptors are encoded, i.e., names, passwords, dates and ID's. It would probably be
possible to determine the Keyword with a time consuming amount of effort. If this ever
happens the system Manager can re-execute theINSTAL program. The keyword would
be changed.
The V-PHAGE keyword is not in the program and the actual keyword is unknown to the
system Manager. In fact, if the system Manager answers the four questions asked during
the instal process in the same manner the keyword would be different. Every installation
will have a different key word. Our methodology is such that we protect against an
unscrupulous person who might obtain a copy of a V-PHAGE system disk and try to
duplicate the process based on the knowledge of how a system Manager thinks.
The major weakness of any password system is not in the encryption techniques but
in the user giving out his ID and password. It is up to the system Manager to educate the
users of V-PHAGE in the basics of security. V-PHAGE is solely a software directed
process. While ACC, Inc believes it is beyond any similar process available to micro
computer users, we would be remiss if we gave anyone the impression that V-PHAGE
security is beyond the capabilities of a dedicated aggressor. V-PHAGE limits the windows
of vunerability as best possible in the DOS environment. V-PHAGE has anticipated many
of the tricks and techniques which cause larger device computer security to fail. It is
excellent for that which it is, a DOS security system.
YOU CANNOT EMPHASIZE ENOUGH TO EACH USER IN YOUR ORGANIZATION
THAT HIS PASSWORD IS PRIVATE AND SHOULD NOT BE SHARED WITH ANYONE.
DETECTION THE BEST PROTECTION
DEFINITIONS:
Corrupt code is a premeditated bug in a software routine. It may or may not equate to the
definitions below. It is malicious.
A computer virus is a software attack the "infects" computer systems much the same way
as a biological virus infects humans. In actuality, a virus is a small computer program that
appears harmless but, as part of its operation, "reproduces" by making copies of itself and
inserting them into "uninfected" programs. This insertion process takes only a fraction of
a second, a normally undetectable delay. The infected program will subsequently
execute the virus code during its normal processing. The virus may cause damage to
programs and data, or it may be relatively harmless.
There are four basic types of "malicious" software to be concerned about.
Trapdoors -- Operating system and application safeguards usually prevent
unauthorized personnel from accessing or modifying programs. During software
development, however, these built-in security measures are usually bypassed.
Programmers often create entry points into a program for debugging and/or insertion of
new code at a later date. These entry points (trapdoors) are usually eliminated in the final
stages of program development, but they are sometimes overlooked, accidentally or
intentionally. A perfect example of a trapdoor was dramatized in the movie War Games,
where the teen-age hacker enters the special password "Joshua" and gains unrestricted
access to a mainframe computer in NORAD head-
quarters. Such a mechanism in a computer's operating system can grant an attacker
unlimited and virtually undetectable access to any system resource after presenting a
relatively trivial control sequence or password.
Logic Bombs -- A logic bomb is a program or code fragment which triggers an
unauthorized, malicious act when some predefined condition occurs. The most common
type is the time bomb, which is programmed to trigger an unauthorized or damaging act
long after the bomb is "set." For example, a logic bomb may check the system date each
day until; it encounters the specified trigger date and then executes code that carries out
its hidden mission. Because of the built-in delay, a logic bomb virus is particularly
dangerous because it can infect numerous generations of backup copies of data and
software before its existence is discovered.
Worms -- Worms were originally developed by systems programmers to tap
unused network resources to run large computer programs. The worm would search
the network for idle computing resources and use them to execute a program in small
segments. Built-in mechanisms would be responsible for maintaining the worm, finding free
machines, and replicating the program. Worms can tie up all the computing resources on
a network and essentially shut it down. A worm is normally activated very time the
system is booted up.
Trojan Horses -- A Trojan Horse is a program that looks "normal" but
contains harmful code within it. Usually a production program is changed by adding extra,
unauthorized instructions that will be executed in a privileged mode and thus have access
to otherwise unavailable files. This is the most commonly used method for program-based
frauds and sabotage.
HOW VIRUS WORKS:
A computer virus infects by attaching itself to an executable file (those with a .COM or
.EXE extension, as well as the boot track). In the process of attaching, a virus will alter the
file's HEADER so that the virus runs FIRST when the program is run. Then, depending on
the parameters defined in its creation, the virus will either REPLICATE, making copies of
itself and attaching to all executable files it can find, or become destructive, altering FAT
tables (which can render a hard disk useless), erasing files, or any of a myriad of other consequences.
The actions of a virus are initiated by a TRIGGER. The trigger can be the number of times
a given program is run, the date or time, etc. When the virus "sees" the proper trigger, it
will initiate its programmed action.(For example - the date reaches May 2nd, and the virus
erases your hard disk.)
Viruses infect very quickly. An entire hard drive can be infected in several seconds; a
network in less than thirty. The fact that a virus can infect the boot track (for those less
technically knowledgeable, the boot track is the area on a hard or floppy disk that tells the
computer where data on that disk is located; sort of a "table of contents" for your computer;
without it, no disk can "run".) makes it possible for a virus to infect backups of data files -
which are information only and not executable. This means that after a hard drive is
completely erased, and programs reinstalled from virus-free master disks, the virus can
reinfect as soon as the critical data files are copied back onto the drive. Also, since the
boot track is created when a floppy disk is formatted, it is possible for a BLANK,
FORMATTED DISKETTE to contain a virus.
IS DETECTION NECESSARY ?
Much has been written and communicated regarding the true magnitude of the computer
virus problem. Several schools of thought exist, but there are two that are the most
prominent:
1. Viruses are a very real threat, and preventative measures should be taken to avoid
the possibility of infection which leads to data loss.
2. Viruses have been blown out of proportion by the press and organizations seeking
to make a profit from the widespread, exaggerated media coverage. The best protection
is to back up your data on a regular basis, and use good common sense in computing;
know your program sources, deal with reputable BBSes, etc.
Both schools of thought have their basis in fact. While viral infection leading to data loss
has certainly been documented - military system break-ins, a court case in Texas, and the
recent Arpanet incident come to mind (although the Arpanet "virus" was not written to be
self-replicating, and therefore was not a TRUE virus. It was a WORM.), it is also true that
few actual viruses have been reported, and even fewer have resulted in destructive data
loss.
SOBCZAK, CONSULTANTS has done extensive research, which includes in-house
analysis of viruses, communication with Federal Government computer experts, Industry
knowledgeable experts, University Faculty and Graduate staff and selected members of
the Hacker/Phreaker Community. Additionally we challenged programmers to prevent
confusing 'bugs' and poor code as well as poorly written instructions,documentation and
flow charts from VIRUS. In reverse Sobczak met with and interviewed media specialists
from free lance contributors to columnists to reporters and TV personalities to clarify and
resolve these divergent schools of thought. The following conclusions are the result of
these efforts.
1. Viruses are more widespread than is presently believed - or reported.
Reports of computer virus infections are few, and even computer programmers with
contacts across the country have difficulty finding actual viruses. The reasons for this are
many and varied, but two stand out:
A- VIRUSES DO NOT ALWAYS MAKE THEIR PRESENCE KNOWN.
Some malicious code puts a message on the screen (one said "arf arf gotcha!") to
announce the fact that they have done some damage; presumably this is the virus creator's
way of "rubbing it in". Other viruses have been seen, however, that simply do damage
without any announcement whatsoever; indeed, some have been found that simply erase
themselves, along with an entire hard disk, leaving no trace. This introduces the possibility
that a virus can exist in a computer system, reproduce, and do its damage without ever
alerting anyone to its presence.
B- BUSINESSES MAY NOT REPORT VIRUSES FOR FEAR OF BAD PUBLICITY.
For example, finding out your bank has a virus could conceivably cause some
consternation. Businesses could be more devastated by bad publicity and its
repercussions than by the actual viral damage. IBM is rumored to have lost 42 % of its
stored data at Boca Raton to the CHRISTMAS.EXEC Virus. No one at IBM will confirm
this except the 'off the record' snitches.
Unfortunately, these two factors influence the accuracy of available statistics on the viral
problem.
2. Viruses can infect the boot track sector of a hard or floppy disk, rendering backups
dangerous or useless. This fact influences the school of thought regarding regular backups
as a means of reducing data loss caused by a virus.
If a virus is discovered in a computer system, the usual way in which it is eliminated is by
erasing all programs on the system and reinstalling them from uninfected master disks
(those that come directly from the software manufacturer). Then, critical data, such as
word-processed documents, spreadsheets, records, etc. are reloaded from the backups.
The process of reloading can reintroduce the virus onto the "cleaned up" system if the
backups are infected. Available statistics indicate that this happens in three out of four viral
infections.
3. The nature of mass media hype is that it can, and often does, become a self-fulfilling
prophecy.
An example is the product-tampering poisonings which occurred several years ago. The
media reported, in blazing headlines, that a certain over-the-counter medicine had been
poisoned as an attempt at blackmail. Suddenly, similar cases of tampering began to
appear all over the U.S. This lead to multimillion dollar investments by consumer goods
manufacturers in "tamper-proof" packaging, so sales of such goods would not diminish as
a result of the negative publicity and general fear.
While it certainly remains to be seen as to how the virus publicity will affect this area, it is
logical to assume that the publicity may lead to more viruses, as more individuals create
and distribute them, "inspired" by newspaper articles and T.V shows on the subject.
So the question remains - IS PROTECTION NECESSARY? This question may be
considered in the same train of thought as purchasing an insurance policy. An individual
may ask of oneself - do I need insurance? Will my house be broken into? Will I be hit by
a car? Will my teeth need fillings?
All of these questions ask one to speculate on one's own future. No one knows what the
future holds. However, if a method exists that can prevent the occurrence of a catastrophic
event, such as critical data loss, than perhaps it is at least worth "looking into". Computer
virus detection software represents such a method. ACC remains the cost effective
alternative by our non-traditional exploitation of unanticipated gatreways and our
understanding of the hacker mentality and the tools available to neutralize aggression.
VIRUS FORMATS
Unscrupulous individuals create new Virus as quickly and in some cases more quickly than
cures can be put in place. Noted experts agree that Virus can not be prevented or
protected against until they have appeared and been identified. V-PHAGE by its mandate
detects change to executables and selected files. Detectection preceeds identification
because one must know that he has some thing to identify. To protect executables and
files so as to prevent corruption you must first detect any change to the operational stste
of your computing system. The hundreds of commercial and public domaine products
which proport to solve the Virus problem do a definite disservice to the user community.
They create a false and unwarranted sense of security.
V-PHAGE offers a method to logically and systematically control the utilization of a DOS
based computing device by providing mainframe type access controls plus ID and
password methodologies not typical to DOS which are supplemented by encryption and
file scrambling. This front line organizational security limits the potential for viral problems.
V-PHAGE provides the extra security of change detection which, unlike the products which
seek the "impossible dream", actually logs any change whether it be authorized or not as
it affects both the user and the files (objects) being used. V-PHAGE helps a security
professional and auditor responsible for the safety of data asserts to recognize that a
condition exists which requires human intervention and decision.
In order that the System Manager be aware of Virus we have defined the configuration of
the initial data strings (headers) for a sample of the most commonly used Virus:
BOOT TRACK VIRUS HEADER RECORDS
The BRAIN VIRUS appears:
8CC88ED88ED0BC00F0FBA0067CA2097C8B0E077C890E0A7CE85700
The STONED VIRUS appears:
1E5080FC02721780FC0473120AD2750E33C08ED8A03F04A8017503E80700
The YALE VIRUS appears:
BB40008EDBA11300F7E32DE0078EC00E1F81FF56347504FF0EF87D
The BOUNCING BALL VIRUS appears:
8ED8A113042D0200A31304B106D3E02DC0078EC0BE007C8BFEB90001
The DEN ZUK VIRUS appears:
FA8CC88ED88ED0BC00F0FBB8787C50C3
The FALLING LETTERS VIRUS appears:
31C0CD13B80202B90627BA0001BB00208EC3BB0001CD139A00010020
The ASHAR VIRUS APPEARS:
8CC88ED88ED0BC00F0FBA0067CA2097C8B0E077C890E0A7CE85900
PROGRAM VIRUS HEADER SAMPLES
17XX FAMILY TYPE (COM)
F6872A0101740F8DB74D01BC
1701 VIRUS (COM)
FA8BECE800005B81EB31012EF6872A0101740F8DB74D01BC820631343124464C75F8
1704-B VIRUS (COM)
FA8BECE800005B81EB31012EF6872A0101740F8DB74D01BC850631343124464C75F8
17Y4 VIRUS (COM)
FA8BCDE800005B81EB31012EF6872A0101740F8DB74D01BC850631343124464C75F8
APRIL 1 VIRUS (EXE)
2EA31700BB17000E1FB4DECD21B42ACD2181FA0104742281F9BC077506E8C504
APRIL 1 VIRUS (COM)
89263401B419CD2104412EA265032EA2B103BF6703578BF2807C013A750D8A042E
A265032EA2B103
1813 VIRUS (COM & EXE)
8ED0BC000750B8C50050CBFC062E8C0631002E8C0639002E8C063D002E8C06410
08CC0
648 VIRUS (COM)
FC8BF281C60A00BF0001B90300F3A48BF2B430CD213C007503E9C701
DATACRIME 1 (1280) VIRUS (COM & EXE)
8B36010183EE038BC63D00007503E90201
DATACRIME (1168) VIRUS (COM & EXE)
8B36010183EE038BC63D00007503E9FE00
LEGHIGH VIRUS (COMMAND.COM ONLY)
505380FC4B740880FC4E7403E977018BDA807F013A75058A07EB07
1704-C VIRUS (COM)
F6872A0101740F8DB74D01BC850631343124464C77F8
405 VIRUS (COM & EXE)
B8000026A2490226A24B0226A28B0250B419CD2126A24902B4470401
3066 VIRUS (COM & EXE)
E87106E82806B419CD2189B451018184510184088C8C5301
2086 VIRUS (COM & EXE)
8ED0BC200950B8230250CBFC062E8C062C002E8C0634002E8C0638002E8C063C0
08CC0
DATACRIME II VIRUS (COM & EXE)
5E81EE030183FE00742A2E8A9403018DBC2901
ICELANDIC I VIRUS (COM & EXE)
8CDB4B8EDBB04DA20000A103002D8000A3030003D8438EC333F633FF0E1FB9D007
ICELANDIC II (EXE & COM)
26C6067F03FFB452CD212E8C066D02268B47FE8EC026030603004040
FRIDAY THE 13TH (COM)
1E8BECC746100001E80000582DD700B104D3E88CCB03C32D100050
SYSLOCK VIRUS (COM & EXE)
D1E98AE18AC13306140031044646E2F25E5958C3
2930 VIRUS (COM & EXE)
E82906E8E005B419CD218884E300E8CE048A95E2000E1F7509
405 VERSION VIRUS (COM & EXE)
26A2490226A24B0226A2
CASCADE 1 VIRUS (COM & EXE)
31343124464C75F8
CASCADE 2 VIRUS (COM & EXE)
31343124464C77F8
FU MANCHU VIRUS (COM & EXE)
FCB4E1CD2180FCE17316
ITALIAN VIRUS (COM & EXE)
C7064C00D07C8C0E4E00
NEW ZEALAND 1 (COM & EXE)
B801020E07BB0002B901
NEW ZEALAND 2 (COM & EXE)
B801020E07BB000233C9
PENTAGON VIRUS (COM & EXE)
8ED8FBBD447C817606
SARATOGA VIRUS (COM & EXE)
2EC60679020290505351
SARATOGA 2 VIRUS (COM & EXE)
2EC60687020A90505351
SURIV101 VIRUS (COM & EXE)
81F9C407721B81FA0104
SURIV201 VIRUS (COM & EXE)
81F9C407722881FA0104
SURIV300 VIRUS (COM & EXE)
FCB4E0CD2180FCE07316
TRACEBACK VIRUS (COM & EXE)
89B45101818451018408
VIENNA 1 VIRUS (COM & EXE)
8BF283C60A90BF0001B9
VIENNA 2 VIRUS (COM & EXE)
8BF281C60A00BF0001B9
RULES FOR SAFE COMPUTER USAGE
Let us begin by defining some terms. There are two computer program elements that
need definition if you are to accept the need for a micro-computer based system of backup
and recovery.
First is a Trojan Horse program. This sort of program, like its historical
namesake, has two functions. On the "outside" it does something to encourage the user
to run it. Typically, Trojan Horse programs may be games, small support programs, such
as directory listers, or even, in one case already on record, commercial software
packages.
On the "inside" however, the program does something unfriendly to the computer
on which it runs. Some Trojan Horse programs delete files, some reset clocks, some
mark disk areas as unusable and some change the operating system of the computer.
The most destructive of them cause other programs to change their nature, usually by
adding instructions to those programs that make them Trojan Horse programs as well.
These added instructions are often called computer viruses.
A computer virus is a portion of a program that does not run alone, but requires
another program to support it. In this sense it is like a biological virus, requiring a cell for
a host in order to allow it to work. Since it does not run alone, it does not appear in any
directory and is never directly executed. It moves from program to program by making
each program to which it is attached (infected so to speak) a Trojan Horse program for
further software infection. A virus may be programmed to appear to do nothing for a long
time (remain dormant), and then, when some trigger event occurs, do whatever it is
programmed to do. The movement of a virus program element from machine to machine
occurs when a Trojan Horse program is run on that machine.
If a corrupt program element infects your machine, then not only will the
company's office machines be affected, but the home machines that many staff
members now have will also have their files affected by the very same corruption, and at
the same time. If you are preparing a paper for publication, writing or working on a
spreadsheet, or preparing some important correspondence, you may well find that your
machine readable copies of that material will become unusable both at home and at the
office.
This security plan discusses some evasive action that you can take to prepare for the
return of your machine to working order. What we recommend is no more than good
housekeeping and is a practice that each of us should do anyhow, with or without the
threat of some mysterious computer virus. We know that DETEKT will do its job BUT !!
we are not sure that your drives are maintained, you electricity spike free, and your safe
software habits in place prior to adding DETEKTion to your way of doing business.
That which we explain in the next few paragraphs applies to users who have
machines with either a floppy disk drive and a hard disk drive or have two floppy disk
drives on their computers. If you cannot verify and validate your software consider
beginning again as follows:
Step one: Locate the original source disks for the operating system you are now using
on your computer. This may no longer be the system delivered with your machine, you
may well have had an upgrade. DO NOT PUT THESE DISKS INTO YOUR FLOPPY
DRIVE YET. Secure a few dozen write-lock tabs and put one on each of the delivery
system disks. (When you hold a disk upright the right side of the disk has a 1/4" square
notch cut into the black paper jacket. The write-lock tabs are black or aluminum colored
gummed paper tags about 3/4" X 1/2" that can be stuck over the edge of the disk
covering the front and back of this notch. When that tab is in place it is not possible for
the computer to write information onto a floppy disk.)
Only after you have write-locked these disks should you put the disk into the computer and
compare the system on that disk with the system you are using. STOP AND READ THE
NEXT SENTENCE! The simple act of executing the DIR command on an unlocked disk
is enough to infect that disk with a virus if your system is already infected and if the disk
is not write-locked. There is a very small probability that your system is already infected.
We recommend that you compare the date and size of the file COMMAND.COM on your
original source disks and on your working disk or disks to see that they are the same.
USE DETEKT with your original disks to assure a clean control audit trail.The results
should look like this:
------------------------------------
C> dir a:\command.com
Volume in drive A is MS330PP01
Directory of A:\
COMMAND COM 25276 8-31-89 12:00a
1 File(s) 5120 bytes free
C> dir c:\command.com
Volume in drive C has no label
Directory of C:\
COMMAND COM 25276 8-31-89 12:00a
139 File(s) 4556512 bytes free
------------------------------------
Note that both copies of COMMAND.COM have the same date and time of creation
(midnight on July 24th 1987) and both are the same size (25,276 bytes). The numbers
for your machine may well differ from the example depending upon your DOS version, but
both should be the same. When those disks have been found, put them away in a safe
place. We recommend that they be put in a secure storage box not too near your
computer.
Step two: There are a small number of software packages that you would be lost
without. In my case they include a word processor, a DBMS system, Modem software,
DOS utilities, and a data compression system among hundreds which are commercially
available and could be in your possession. These packages may well be purchased
commercial software, shareware, and freeware. In each case you should have an original
source delivery disk for each of these packages. Find those disks, WRITE LOCK THEM,
and use DETEKT to compare them with the copies you are now using. Put them in the
same secure storage box in a safe place.
Step three: Using the backup procedure of your choice, perform a backup of the
system files on your computer. If we was using a dual floppy based system, we would
simply make copies of my working disks. If we were using a computer with a floppy and
a hard disk, we would use backup-restore, or Fastback or some other package to back
up the directories C:\WP, C:\DIA, C:\UTIL, C:\COMM and C:\DOS. (Of course these
directories have different names on your system.) Write lock these backup disks. Label
them with today's date. Using the DETEKT compare the disks you have just backed up
with the disks you are using to ensure that the backup "took". Put the backup disks in the
safe secure box. This will tie up half a dozen disks, but with disks now costing $0.25
each, you will probably find the $2 investment worth while.
Step four: (This applies to those users who use hard disk based computers.) Prepare
a backup procedure that will permit incremental backups. This will entail backing up the
entire system once, and then periodically backing up those files that have changed since
the last backup.
Perform such incremental backups regularly. After several such incremental
backups, the size of the backup set will become quite large. At that time, put the backup
set away in a safe place and begin with another set of disks for a full system backup
followed by several increments. When the second set is full, put them away and return
to the first set. This will afford a very secure set of backup files. We suggest that 50
disks makes a good backup set. Thus 100 disks would be used for the double backup
group. We believe that most users would need to do a full backup monthly, requiring
about 1/2 hour of manipulation and should do incremental backups about twice per
week, requiring less than 5 minutes.
(It is a very good idea to periodically test the backup system with a DETEKT verification
of what you have backed up.)
Step five: Go back to your normal computer based work knowing you are secure.
Recovery from the loss of one or a few files:
Sooner or later you will lose some files. They will disappear without apparent
cause and you will blame the problem on a virus. It is our experience that in cases like
this no virus is involved, the loss of files will be due to an operator error. If you have been
doing incremental backups, then the simplest corrective action is to use the recover
feature of the backup system that you are using and simply restore the latest copy of
the lost file(s) to the hard disk. If you have been conscientious in your backup practice,
then the loss of work will entail just a few minutes or, at most, a few hours of rework.
Recovery from the loss of the entire system:
It may happen that the entire hard disk seems to be lost. This is serious but, in
most cases, is likely not the result of a virus. Most failures of the hard disk are due to
hardware problems caused by a combination of abuse, overuse and poor maintenance
habits. The best solution is to repair the hardware if the technical people judge that that
is the problem, and then, after reformatting the hard disk, restore the system from your
latest backup. Almost without fail, this will result in a complete return to a normal system.
Really bad news, the restore does not work:
This may well be the point of DETEKT. If a virus has been planted in your system
and has been set to trigger on some event, then, if you are not using DETEKT the only
way to recover is to rebuild the system from scratch using the write locked set of disks
located in that safe secure box. If these disks are not write locked, and if you mount them
onto an infected system, then the disks will be infected in turn and you may well be unable
to restore from a clean, uninfected source without returning to the system vendor for a
fresh copy of each of your executable programs. This means you ignored the warning
DETEKT provides to bound your damage. On the assumption that you first build your
system again from scratch, you may restore all of the data files from your backup set. (A
data file is one that does not have the extension .com, .exe, or .sys.) Non-executable
files should not be able to carry a virus either between systems or over the backup
process.
Final thoughts:
There is no reason to ever boot the system from a foreign disk whose history you
are not prepared to trust. (For example, booting from a copy protected version of Lotus
1-2-3 is as secure as the Lotus corporation can make it but booting a downloaded disk
called SURPRISE!! can kill your operation.)
There is no reason why a disk used to transport data between machines should
have a copy of the files io.sys, msdos.sys, ibmio.sys, ibmdos.sys or command.com on
it. Check you transport disks and delete those files which are unnecessary prior to copying
any file into your hard drive. Use the DOS ATTRIBUTE command to remove all attribute
modifications to assure that an attack is not hidden from view.
No executable file on a PC system, to date, has been infected by the transport of
data files to the system. Only executable files (including device drivers and the operating
system itself) can be used as Trojan Horse programs. Beware, systems have been
corrupted by BOOT sector VIRUS and FAT scramblers executed from data called by word
processor and spreadsheets. We strongly urge the use of the V-PHAGE programs
SAVEZONE.EXE and NEWZONE.EXE by the System Manager to minimize the effects of
this problem for V-PHAGE users.
We hope that you enjoy your future computing adventures safe in the knowledge
that your equipment will be corruption free as long as you follow these instructions. The
team of you and V-PHAGE will work every time.
To learn how Thomas V. Sobczak and TVSConsultants
can increase your potential for profit:
Call 516.623.6295
E-mail tvsconsult@netzero.net
Write PO Box 0433, Baldwin, NY 11510-0433