
Personal Computer Security

   SECURE BOUNDED EXECUTION ALLOWS A PROFESSIONAL MICRO USER
               TO RACK UP ALL HIS TOP SECRET DATA
                    JUST LIKE ON A MAINFRAME
                        COMPUTER      
                               
                               
                V-PHAGE SYSTEMS MANAGER'S GUIDE
                               
                               
           by: APPLICATION CONFIGURED COMPUTERS, INC.
                  Baldwin, NY and Columbus, OH
                              for
                 Thomas V. Sobczak, Consultants


            PRELIMINARY FOR RESEARCH AND EVALUATION
          (Stand-alone and Network enterprise systems)


READ THIS MANUAL THOROUGHLY BEFORE ATTEMPTING TO BEGIN THE V-
PHAGE PROCESS.  SECURITY IS NOT A HIT OR MISS PROCESS.  AS SYSTEM
MANAGER YOU CAN OPTIMIZE V-PHAGE EFFECTIVENESS BY TAKING
ADVANTAGE OF THE FEATURES AND OPTIONS EXPLAINED HEREIN.  V-PHAGE
SCRAMBLES EXECUTABLE FILES -- BE SURE BACKUP EXISTS BEFORE ADDING
PROGRAMS TO A SECURE LEVEL OF PRIVILEGE WITHIN THE V-PHAGE UNIVERSE
OF PROTECTED PROGRAMS.


V-PHAGE SECURITY OVERVIEW

INHERENT WITHIN V-PHAGE ARE THE FOLLOWING FEATURES NOT TYPICAL TO
A DESKTOP MICROCOMPUTER.

          1. ACCESS LIMITATION EQUAL TO MAINFRAME SECURITY SYSTEMS
             * ENCRYPTED ID AND PASSWORD
             * SCRAMBLED EXECUTABLE PROGRAMS
             * BOUNDED EXECUTION BY LEVEL OF AUTHORIZATION
             * SPECIFIC AUTHORIZATION TO A LEVEL
             * ONLY ONE SUPER USER, THE SYSTEM MANAGER

          2. EXECUTION OF APPLICATION PROGRAMS IS ASSOCIATED WITH THE
COMBINATION OF SPECIFIC LEVELS UTILIZED AND BY INDIVIDUALS WITH A
VERIFIED NEED TO KNOW.  UNAUTHORIZED DISK BROWSING IN OTHER LEVELS
IS IMPOSSIBLE.

          3. THE ALGORITHM, WHICH SECURES THE V-PHAGE, WARRANTS KEY
ENTRY DATA SECURITY AT A LEVEL EQUIVALENT TO THE NATIONAL SECURITY
AGENCY DATA ENCRYPTION STANDARD (DES).

     4. CHANGE DETECTION OF EVERY CHARACTERISTIC IMPLEMENTED BY DOS
ASSURES THAT ALL UNANTICIPATED CHANGE WILL BE LOGGED AND AVAILABLE
TO THE SYSTEM MANAGER AS FREQUENTLY AS HE CHOOSES TO VIEW/PRINT
THE LOGGED INFORMATION.

     5. AUDIT TRAILS OF EVERY ACTIVITY FROM LOGON TO LOGOFF ARE
MAINTAINED. UNSUCCESSFUL ATTEMPTS ARE NOTED BY TERMINAL AND
ID/PASSWORD USED. COUNTS OF REJECTED LOG ONS ARE KEPT.

           6. HIDDEN LOGS MUST MATCH TO ASSURE SYSTEM ENFORCEMENT OF V-
PHAGE SECURITY POLICY.

     7. SCRAMBLED FILES CANNOT BE PROCESSED ON ANY OTHER
COMPUTING DEVICE, INCLUDING THOSE OPERATING UNDER ANOTHER COPY OF
V-PHAGE.  THE INSTAL (purposefully misspelled) START-UP ROUTINE GENERATES
A UNIQUE KEY FOR THE SPECIFIC SYSTEM UPON WHICH V-PHAGE IS INSTALLED.

     8. DETECTION CAN BE PROCESSED AT ANY TIME INCLUDING AFTER AN
EXIT TO THE O/S. V-PHAGE DETECTION IS A FULL TIME CAPABILITY AVAILABLE
FROM STARTUP TO POWER DOWN.

           9. V-PHAGE IS UNFORGIVING IN THE INTEREST OF SECURITY.  SLOPPY
KEYING WILL CAUSE AN EXIT IN THE SAME MANNER AS WRONG ID AND
PASSWORD.

     10. CRITICAL MANAGER OPTIONS ARE ADDITIONALLY PASSWORD
PROTECTED TO ASSURE THAT A FAILURE TO LOG OUT OF SUPER PRIVILEGE
DOES NOT MAKE V-PHAGE SUSPECT.


INDEX OF CONTENTS

            COVER
            V-PHAGE SECURITY OVERVIEW
            INDEX
            DISCLAIMER

            INTRODUCTION
            HOW TO USE THIS MANUAL
            KEYBOARD CHARACTERISTICS
            INITIAL INSTALLATION
            BEGINNING TO USE THE V-PHAGE SECURITY SYSTEM
            STRUCTURING SECURITY IN A V-PHAGE/DOS ENVIRONMENT
            A LOOK AT THE MANAGER SCREEN OPTIONS
            RUN DETEKT
            INSTALLATION (DETEKT OUTSIDE V-PHAGE)
            FILE OPTIONS
            CHECK OPTIONS
            QUIT (DETEKT OPTION)
            CLOSING THE LOOPHOLES (SAVEZONE/NEWZONE)
            HOW TO RUN DETEKT OUTSIDE THE V-PHAGE SHELL
            COMMAND LINE SHORTCUTS (DETEKT IN DOS)
            LOGGING DETEKT DIFFERENCES
            CONCLUSION CONCERNING THE RUN DETEKT OPTION
            RUN SAVEZONE
            ADD NEW USER (V-PHAGE)
            CHANGE USER (V-PHAGE)
            DELETE USER (V-PHAGE)
            LIST USERS (V-PHAGE)
            PRINT USERS (V-PHAGE)
            RUN PROGRAMS (V-PHAGE)
            FILE ACCESS (V-PHAGE)
            TOGGLE DRIVE
            TOGGLE LEVEL
            ADD FILES
            DELETE FILES
            EXIT TO O/S (FROM V-PHAGE)
            QUIT (V-PHAGE)
            V-PHAGE HIDDEN SUB-DIRECTORIES AND HIDDEN FILES
            AUDIT REPORTS AND TECHNIQUES
            PRINTED AUDIT MESSAGES
            AUDIT MESSAGES DISPLAYED TO SCREEN
            DETEKT AUDIT LOG SAMPLE
            V-PHAGE SYSTEM USE AUDIT LOG SAMPLE
            DISCRETIONARY ACCESS CONTROL
            LIST OF INTERNET MOST FREQUENT PASSWORDS
            ENCRYPTION DEFINITIONS
            DISCUSSION OF V-PHAGE ENCRYPTION PHILOSOPHY
            DETECTION THE BEST PROTECTION
            DEFINITIONS
            HOW VIRUS WORKS
            IS DETECTION NECESSARY
            VIRUS FORMATS
            RULES FOR SAFE COMPUTER USAGE
            RECOVERY FROM THE LOSS OF ONE OR A FEW FILES
            RECOVERY FROM THE LOSS OF THE ENTIRE SYSTEM

DISCLAIMER


Sobczak, Consultants and ACC, Inc. make no representations or warranties with
respect to the contents or use of V-PHAGE software and associated documentation.


WE SPECIFICALLY DISCLAIM ANY EXPRESS OR IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE.

We warrant that the program will perform in substantial compliance with the
associated documentation. If you report a significant defect, in writing, to ACC, Inc.
and ACC, Inc. is unable to correct it within 120 days, you may return the software
and associated documentation along with a bill of sale and your purchase price will
be refunded. You agree that the only remedy available to you is a refund of the
validated purchase price of the program.

IN NO EVENT WILL SOBCZAK OR ACC, INC. BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY LOSS OF PROFITS, LOST SAVINGS, OR OTHER INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF YOUR USE OR INABILITY TO USE
V-PHAGE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES, OR FOR ANY CLAIM BY ANY OTHER PARTY.
 

INTRODUCTION


Welcome to a new way of securing your computer using the V-PHAGE security system to
accomplish secure bounded execution of your software assets.

The V-PHAGE system consists of four major components: the V-PHAGE.EXE shell,
PASSWORD.EXE, the change detector program DETEKT.EXE and the file scrambling
routine PROT.EXE.  They are resident on the floppy disk which accompanies this manual.

The V-PHAGE shell controls the execution of the other component parts thereby reducing
the overhead lost to V-PHAGE operations during normal program execution. 

The PASSWORD program is the key to establishing access level privilege, stating which
programs and files may be accessed by each level and performing the maintenance
normal to the security process in your organization.

The DETEKT program builds the structure for change analysis of software executables and
data that you use frequently and therefore want analyzed daily.  We call these SPECIAL
FILES.  You can as easily monitor changes to all files on the default drive/server and/or all
files on all disk drives/servers in your system. 

PROT processes in conjunction with the password program.  Every time you select a file
to a level it is scrambled so as to be both unique and execution prohibited outside of this
specific V-PHAGE security shell. 

As you will see in later sections the installation of V-PHAGE is designed to make your
encryption key unique from that of any other purchaser of the V-PHAGE product and its
planned enhancements.

HOW TO USE THIS MANUAL

V-PHAGE is a complex system of security and protections designed for the Microsoft
based computer and network.  The manual is written in a step by step format.  As with any
manual, we have tried to define every possible situation.  We therefore respectfully suggest
that you keep the manual at hand and reference its contents as you begin the V-PHAGE
process.  If we have omitted anything you consider important to your use of V-PHAGE
please feel free to write or call our technical support center.

KEYBOARD CHARACTERISTICS

The V-PHAGE security system accomplishes most of its manipulative functions using six
keys.  In the System Manager's menu the END key puts you at QUIT. The RETURN key
tells the V-PHAGE that the highlighted command is to be executed.  If you make a mistake
and enter a selection in error, simply press the ESC key to go back to the Managers menu.
HOME brings you to the top of the menu. You may step through the menu using the UP
and DOWN arrows. Typing is as normal.

PLEASE NOTE that you must wait for the instruction to appear before you can type your
input. The slight hesitation is caused by the fact that V-PHAGE is logging all your actions.
If you try to outpace the directions displayed you will find that you are requested to repeat
your input.  V-PHAGE will lock up the terminal/computer if the internal security criteria,
placed there to protect your programs and data, sense an attempt at unauthorized activity.
When the terminal locks up you must reboot by physically shutting down the machine and
then restarting it, i.e., turn it off, wait twenty seconds and then turn the machine back on.

The control keys normal to the O/S have been disabled. You cannot warm boot, i.e.,
control-alt-del. The control - whatever and Shift print screen also do not function. You must
follow the V-PHAGE instructions.  These instructions assure the security of your operation.

The delete key allows you to correct typing errors in ID and PASSWORD entry. The screen
looks a bit strange as characters are added rather than deleted. Suppose

      ID: XXXXXXXX

was typed. Now you want to remove it because the telephone made you forget where you
were. To remove all you hit backspace four times, one for each letter/number you entered
in your ID. You now see:

      ID: XXXXXXXXXXXX

When you input the ID again you see a still longer chain of X's.

      ID: XXXXXXXXXXXXXXXXXXXXXX

Our goal is not to confuse you, but to confuse the person looking over your shoulder who
may fancy him/herself an amateur cryptologist.
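As an added illustration (not code from the manual or the V-PHAGE product), the following Python model replays a typing session against the masked prompt described above. The hidden buffer is edited normally while the on-screen mask gains one X per keystroke, correction keys included, so it only ever grows; an onlooker learns a keystroke count but neither the corrections nor the true length of the entry. The `<BS>` token standing for the correction key is this example's own convention.

```python
# Added example (not code from the manual or the V-PHAGE product): a model of
# the masked ID/PASSWORD entry described above. The hidden buffer is edited
# normally, but the on-screen mask gains one X for every keystroke, correction
# keys included, so it only ever grows. The "<BS>" token for the correction
# key is this example's own convention.

BACKSPACE = "<BS>"


def masked_entry(keystrokes):
    """Replay keystrokes; return (value matched by the system, mask shown on screen)."""
    buffer = []      # what is actually matched against the ID/PASSWORD file
    shown = 0        # X's on screen: one per keystroke of any kind
    for key in keystrokes:
        if key == BACKSPACE:
            if buffer:
                buffer.pop()     # the correction happens here, invisibly
        else:
            buffer.append(key)
        shown += 1               # the display never shrinks
    return "".join(buffer), "X" * shown


def onlooker_view(mask):
    """All a shoulder surfer can take from the screen: a keystroke count that
    says nothing about corrections or the real length of the entry."""
    return len(mask)


if __name__ == "__main__":
    # Constructed session: type FCD, back out all three characters, type FCD again.
    session = list("FCD") + [BACKSPACE] * 3 + list("FCD")
    value, mask = masked_entry(session)
    print(f"ID: {mask}")                 # ID: XXXXXXXXX  (nine X's)
    print(f"matched against: {value}")   # matched against: FCD
```

The point of the model is the divergence between the two return values: the first is what the password check sees, the second is the only thing the screen ever reveals.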


INITIAL INSTALLATION

Place the V-PHAGE floppy disk which accompanies this manual in Disk Drive A:. Be sure
that the drive door is properly closed and locked in its normal closed position. (Put the disk
in the A:\ Drive the way you normally do.)

Type DIR A: in order to verify that this floppy disk has not been corrupted. The directory
must read as follows:

           INSTAL.EXE      33136
           DETEKT.EXE      83824
         PASSWORD.EXE     106400
             PROT.EXE      14633
          V-PHAGE.EXE       8938
          NEWZONE.EXE      17792
         SAVEZONE.EXE      17744

Be sure these programs and file sizes match those on your floppy disk prior to typing

                         A:INSTAL

(Note that the install command has but one "l". This is a purposeful omission.)  The
computer will take a few seconds before it displays:

                            ACC, INC
                               
                           V-PHAGE 
                               
                    SECURE BOUNDED EXECUTION
                               
                      INSTALLATION PROGRAM

                     Press any key to continue...

on the video monitor.  When you press any key, the screen blanks and
returns with the question:

Drive to install V-PHAGE on:
              
V-PHAGE must be installed upon your hard disk drive. If you have more
than one hard disk drive then you should choose the hard disk from which your computer
starts. When the start-up process completes, a prompt is displayed at the left side of the
screen with a flashing white line to its right. If the prompt says C: then your default (start-
up) drive is C:. Type c and press the RETURN key. (The RETURN and Left bent arrow
keys are synonymous with what this manual calls RETURN). Now you will see:
 
Drive to install V-PHAGE on: c
                      Creating Directories

Once again the screen will blank and return with a question. Let's take a moment to
understand what is happening. V-PHAGE is a secure system. As such, it hides directories
and files from anyone who might use them to steal the programs and knowledge you are
trying to protect. Further, V-PHAGE encrypts the passwords, IDs and files to minimize any
misuse. The questions you are about to answer work in concert with an algorithm
(formula) to make this copy of V-PHAGE uniquely different from any other copy in use.  The
first question:

                      Mother's Maiden Name?

Type in your answer, e.g., Smith, Jones or Knowski.  Certain of the
characters you enter will be chosen, converted to ASCII code format, and used to create
your unique encryption.  The logic of unique encryption is important in that if someone
steals your backup copies of data and programs, and if he/she has V-PHAGE, he will be
unable to execute your programs.  They will never know your unique encryption.

Next you will be asked to input:

                         Favorite Color?

It is quite all right to enter "lemon-yellow blue".  The answers are not saved. Again they are
the basis for your unique security encryption.  The final two questions you must answer
are:

                        Political Party?
                              and
                       Favorite Animal?

When you press RETURN to indicate the animal of your choice, the V-PHAGE will instantly
create your unique encryption key.

As a part of the process you will see four files copied, one at a time.

              Favorite Animal? plattypusasourus
                 1 file copied
                 1 file copied
                 1 file copied
                 1 file copied

You have completed the installation of V-PHAGE to your computing system. The Prompt
will reappear at the left side of your video display. The flashing white line (cursor) will be
immediately to its right.  Type C:\V-PHAGE\V-PHAGE to begin your process of
customization of users, the programs which they might use and the process of change
detection.         


BEGINNING TO USE THE V-PHAGE SECURITY SYSTEM

The first screen you see is the V-PHAGE logo. 

                            ACC, INC
                               
                           V-PHAGE 
                               
                    SECURE BOUNDED EXECUTION

     Press any key...

Press any key to begin.

The next screen is the menu screen.  It gives you the option to LOGON or QUIT. 

                       *****MENU*****
                       *            *
                       *   LOGON    *
                       *            *
                       *   QUIT     *
                       *            *
                       **************

If you choose to quit, for whatever reason, you will be required to power down (SHUT OFF
THE COMPUTER) prior to a restart.

Press the RETURN key  while the LOGON option is highlighted.
Wait for the display ID: to appear on your video display. 

                      ID:

When the display appears type in capitals FCD. The result of your input will appear as X's
in order to protect the security of your ID.

                      ID: XXXXXXXX

The V-PHAGE ID/PASSWORD logic is character independent. This means that each
position has 255 ASCII options.  If you fail to follow this procedure the ID: will reappear. If,
in error, you hit two keys the ID: will reappear. V-PHAGE is very particular in the interest
of securing your computer.  Should you mis-enter the ID twice you will be removed from
the system and be forced to shut down and restart. While this may seem cumbersome,
ACC Inc research has determined that most aggressors play the ID repeat game when
seeking unauthorized entry.  If the security program does not count attempts and force an
exit, those trying to steal your resources are free to repeat their attempts forever. V-
PHAGE believes two chances at ID entry are sufficient.

When you enter the proper ID you will next see the display PASSWORD: 

                      PASSWORD:

Wait for the prompt to appear. If it seems slow, be patient, as every action is logged for
future analysis. Type ACC and press RETURN.  Again your input will be hidden.

                      PASSWORD: XXXX

Capital letters are required in both cases otherwise your input, although alphabetically
proper, will be rejected.  If your PASSWORD is incorrect for any reason you will be
terminated and forced to restart. V-PHAGE prevents someone who guesses your ID or
sees a part of your entry from continuing the guessing game.
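The logon rules stated above (two chances at the ID, a single chance at the PASSWORD, exact capital-sensitive matching, every attempt logged by terminal and ID, and a count of rejected logons) can be modelled as a small gate. The Python below is an added example and not V-PHAGE's own code; the hashed password store, the `entries` replay interface and the audit line format are this example's assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example, not V-PHAGE's own code: a logon gate applying the rules the
# manual states. Two chances at the ID, one chance at the PASSWORD (a wrong
# PASSWORD ends the session at once), exact matching, every attempt logged by
# terminal and ID, and a running count of rejected logons per terminal. The
# hashed password store and the log line format are this example's assumptions.

MAX_ID_ATTEMPTS = 2


def password_digest(secret: str) -> bytes:
    """Constructed storage format: SHA-256 of the exact string typed."""
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class LogonGate:
    users: dict                                   # ID -> (digest, level, name)
    audit: list = field(default_factory=list)     # one line per event
    rejected: dict = field(default_factory=dict)  # terminal -> rejected count

    def _log(self, terminal: str, event: str, user_id: str) -> None:
        self.audit.append(f"{terminal} {event} id={user_id}")

    def _reject(self, terminal: str, event: str, user_id: str) -> None:
        self.rejected[terminal] = self.rejected.get(terminal, 0) + 1
        self._log(terminal, event, user_id)

    def logon(self, terminal: str, entries: list) -> tuple:
        """Feed the strings typed at successive prompts.

        Returns ("OK", level) on success, ("LOCKED", reason) when the manual
        would force a power-down and restart, or ("WAITING", next_prompt)
        when the session is still sitting at a prompt.
        """
        user = None
        id_tries = 0
        for typed in entries:
            if user is None:                      # still at the ID: prompt
                if typed in self.users:           # exact match only; FCD != fcd
                    user = typed
                    continue
                id_tries += 1
                self._reject(terminal, "ID REJECTED", typed)
                if id_tries >= MAX_ID_ATTEMPTS:
                    return "LOCKED", "too many ID attempts"
            else:                                 # at the PASSWORD: prompt
                if hmac.compare_digest(password_digest(typed), self.users[user][0]):
                    self._log(terminal, "LOGON", user)
                    return "OK", self.users[user][1]
                self._reject(terminal, "PASSWORD REJECTED", user)
                return "LOCKED", "wrong PASSWORD"
        return "WAITING", "PASSWORD:" if user else "ID:"


def sample_gate() -> LogonGate:
    """Constructed user file holding only the first-time manager account."""
    return LogonGate({"FCD": (password_digest("ACC"), 0, "System Manager")})


if __name__ == "__main__":
    gate = sample_gate()
    print(gate.logon("TERM1", ["FCD", "ACC"]))          # ('OK', 0)
    print(gate.logon("TERM2", ["fcd", "FCD", "ACC"]))   # ('OK', 0): second chance used
    print(gate.logon("TERM3", ["fcd", "acc"]))          # ('LOCKED', 'too many ID attempts')
    print(gate.rejected)                                # {'TERM2': 1, 'TERM3': 2}
```

Because the PASSWORD comparison happens once and the session ends on failure, a guesser who has learned a valid ID still gets only one comparison per restart, which is the property the paragraph above describes.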

NOTE: EVERY ID IN YOUR SYSTEM MUST BE DIFFERENT. IF YOU CHOOSE AN ID
WHEN ADDING NEW USERS THAT EXISTS YOU WILL BE NOTIFIED THAT THE
CHOICE IS UNACCEPTABLE.

                       ID: XXXXXXXX
              ID not acceptable
                       ID:

IF YOU CHOOSE CERTAIN COMMON TERMS AS THE ID THEY WILL BE REJECTED.
ACC INC HAS LEARNED FROM THE 250 ID/PASSWORD COMBINATIONS OF THE
INTERNET INTERDICTION.  WE SUGGEST THAT YOU FOLLOW THE EXCELLENT
INSTRUCTIONS IN THE NATIONAL COMPUTER SECURITY CENTER ACCESS
CONTROL STANDARD AVAILABLE FROM NSA/NCSC, FORT MEADE, MD 20755.

Proper first time use ID/PASSWORD (FCD/ACC) allows you into the third screen, the
MANAGERS SCREEN.  Notice that the managers screen allows you to:

             MANAGER

         A -- RUN DETEKT
         B -- RUN SAVEZONE
         C -- ADD NEW USER
         D -- CHANGE USER
         E -- DELETE USER
         F -- LIST USER
         G -- PRINT USER
         H -- RUN PROGRAMS
         I -- FILE MAINTENANCE
         J -- EXIT TO DOS
         K -- QUIT

Using the DOWN arrow move to the CHANGE USER line.

              MANAGER

          A --
          B --
          C --
          D -- CHANGE USER
          E --

When it is highlighted press RETURN.  The prompt ID will appear.

                      ID:

When it is displayed type, in capitals, FCD. 

                      ID: XXXXXX

The ID prompt will reappear.

                      ID:

Type the new ID that you have chosen for yourself.

REMEMBER!!!!!   Choose an ID which is UNIQUE to you but not representative of your job,
avocation or family.  Enter your choice and press the RETURN key. 

                       ID: XXXXXXXXX

When PASSWORD appears, repeat the process, i.e. type a unique password. 

                  PASSWORD: XXXXX

Success will be rewarded by the display LEVEL. 

                     LEVEL:

If you enter the level zero (0) you will be told that the privilege may not be deleted. 

                     LEVEL: 0
          (THIS IS NOT ALLOWED TO CHANGE)

THERE IS ONLY ONE HIGHEST PRIVILEGE LEVEL ALLOWED BY V-PHAGE AND THE
SYSTEM MANAGER IS THE ONLY ONE WITH THAT PRIVILEGE.

Next the display NAME: will appear.
 
                   NAME:

Type your name. 

                   NAME: Serenity Safely

NAME is a requirement of V-PHAGE for later audit reporting purposes.  At this point you
have unique privilege to manage V-PHAGE.  No one but you can enter the system as a
manager.

                  DEPT:

The final entry requested is the Department (DEPT) code.  In many corporations data is
shared within the corporation across the enterprise.  In others it is compartmentalized. V-
PHAGE allows the user the best of both worlds. You have the option to structure your
corporation/agency in the manner you find most amenable to your operations.  During an
audit of data use one might compare department to level to determine if unauthorized
sharing or inappropriate use has occurred.

                  DEPT: SALES

V-PHAGE is only as secure as your ability to keep your ID and PASSWORD secret
from all others.

HOLD IT!!  Secure bounded execution becomes reality when you use the O/S command
EDLIN to delete the existing AUTOEXEC.BAT and create the new file:

                     PATH C:\
                     TIMER /S
                     C:\V-PHAGE.EXE

Now turn off your machine. Restarting the machine will cause the modified
AUTOEXEC.BAT to execute, thereby achieving the V-PHAGE initial screen. You must
enter your new ID as it was entered when you made the change which selected the
replacement for FCD/ACC.

Remember to wait for the display requesting your ID to appear. Next enter the new
PASSWORD when you see the request, PASSWORD.  You will now see the MANAGERS
SCREEN. 


             MANAGER

         A -- RUN DETEKT
         B -- RUN SAVEZONE
         C -- ADD NEW USER
         D -- CHANGE USER
         E -- DELETE USER
         F -- LIST USER
         G -- PRINT USER
         H -- RUN PROGRAMS
         I -- FILE MAINTENANCE
         J -- EXIT TO DOS
         K -- QUIT

STRUCTURING SECURITY IN A V-PHAGE/O/S ENVIRONMENT

The MANAGERS SCREEN provides you all the options you need to structure your system
security. The task is twofold, i.e., identifying the users authorized to access specific
programs at specific levels and identifying the programs at each level.  Users are limited
to a single level but programs can reside at multiple levels.  WE RECOMMEND THAT THE
SYSTEM MANAGER BUILD A PAPER MODEL AS REFERENCE DURING THE
STRUCTURING PROCESS. REMEMBER TO PROPERLY DISPOSE OF THE PAPER
MODEL WHEN YOU HAVE FINISHED THE SET-UP PROCESS.

ADDING USERS FOR THE FIRST TIME

Use the DOWN arrow to reach the ADD NEW USER.

                    MANAGER

                A --
                B --
                C -- ADD NEW USER
                D --

When it is highlighted press RETURN.  Wait for the display to show ID:.

                     ID:

Type the ID chosen for this user and press RETURN. The screen will repeat the ID you
have entered exactly as you input it with the comment Y/N?. 

                     ID: SERENITY (Y/N?)

If the ID is exactly as you wish type Y.  If you are dissatisfied for any reason type N. N
repeats the process.

When you type Y and press RETURN the request PASSWORD will appear.

                   PASSWORD:


Enter the password of your choice.  BE UNIQUE. USE TERMS OR RANDOM STRINGS
WHICH ARE NOT TYPICAL TO ANYTHING ASSOCIATED WITH THE ASSIGNED USER.
After you enter the PASSWORD the display will say "again".

again

Repeat the chosen PASSWORD at the prompt.  If you are successful the display will say
LEVEL.  If you err the PASSWORD process will repeat, but only once before it exits you
to the Managers screen forcing a repetition of this ADD. 

                     LEVEL:

At the LEVEL prompt choose from 1 - 16. Level 0 is limited to the super privilege. The 0
will cause the message

                     LEVEL: 0
                     "ONLY ONE SYSTEM MANAGER"

to appear.  Be careful not to repeat level 0 requests as V-PHAGE
will cause an exit which requires a restart.  We took this precaution based upon experience
with undocumented features in some operating system environments which could lock up
the server and cause an unscheduled branch into the operating system bypassing the
internal security system.

The final display will ask for the new user's NAME.

                     NAME:

This feature is beneficial to you as system Manager when tracking auditable actions by ID,
Terminal used and programs executed.  When the name is entered and you press the
RETURN key you will be returned to the top of the MANAGERS MENU.  Repeat the
process for each user that you wish to register. 

As you continue be aware that V-PHAGE is tracking your activities.  You may not repeat
an ID or a PASSWORD.  Should you repeat inadvertently, V-PHAGE will advise you "ID
not acceptable".

                      ID: XXXXXXXX
               ID not acceptable

After all users are entered at the chosen level you should begin to choose the programs
accessible by each level.  BE ADVISED -- If you attempt to execute the RUN PROGRAMS
command from a legal access but no programs are assigned you will see the comment

   ask your Manager to authorize application programs

You will then be exited from the system. The logic for this harsh measure is to limit
vulnerability, i.e., if you do not have something to process you should not be an active user.

PROGRAM ACCESS BY ASSIGNED LEVEL OF PRIVILEGE

The next task to properly implement V-PHAGE is that of identifying the programs to be
assigned at each level. 

BE CAREFUL TO HAVE BACKUP COPIES OF EVERY PROGRAM BEING SELECTED.
V-PHAGE SCRAMBLES EACH FILE WHEN IT ASSIGNS THAT FILE TO A LEVEL,
THEREFORE THE EXECUTABLE CANNOT BE PROCESSED IF YOU START YOUR
MACHINE USING A DOS FLOPPY DISK IN THE A: DRIVE.

The security system scrambles files to assure that it is not kind to software pirates.
Experience shows that an in-house thief can steal/has stolen backup disks to obtain vital
information concerning operations. Scrambling minimizes the loss because the executable
and associated files are useless without your specific copy of the V-PHAGE, the hidden
control files, ID file and the Password file.  When you installed V-PHAGE everything but
the shell script was hidden. A thief will not find them without a sector by sector review of
the full backup.  A 30 MB hard drive can require as many as 74 floppy disks for a backup;
a thief would need the patience of Job to locate hidden files. The law of diminishing gain
applies.  He must locate, decrypt, disassemble, unscramble, assemble and recompile. It is
not worth the effort.
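Two passages of this manual describe the same mechanism from two sides: INITIAL INSTALLATION says the questionnaire answers are turned into a key unique to this copy, and the paragraphs above say a program scrambled under that key is useless on any other installation, backups included. The Python below is an added example of that idea and is not V-PHAGE's own code; the page does not give the product's algorithm. The derivation (PBKDF2 over the four answers plus a random per-machine salt, which is what keeps two buyers with identical answers apart), the keystream construction (HMAC-SHA256 in counter mode) and the integrity tag that makes a foreign-key unscramble fail cleanly are this example's own choices.

```python
import hashlib
import hmac
import os

# Added example, not V-PHAGE's own code (its algorithm is not on the page):
# derive a per-installation key from the INSTAL questionnaire and scramble a
# program with it so the result only unscrambles under the same installation.
# PBKDF2 over the answers plus a machine-specific salt, and HMAC-SHA256 used
# as a counter-mode keystream with an integrity tag, are this example's choices.

QUESTIONS = ("Mother's Maiden Name?", "Favorite Color?",
             "Political Party?", "Favorite Animal?")
NONCE_LEN, TAG_LEN = 12, 32


def installation_key(answers, machine_salt):
    """answers: the four questionnaire strings, in QUESTIONS order.
    machine_salt: random bytes generated once at install time and kept hidden
    on this machine only, so identical answers elsewhere give another key."""
    material = "\x00".join(a.strip().lower() for a in answers).encode()
    return hashlib.pbkdf2_hmac("sha256", material, machine_salt, 100_000)


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def scramble(key, program_bytes):
    """Return nonce || ciphertext || tag. The tag ties the file to this key."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(program_bytes))
    body = bytes(a ^ b for a, b in zip(program_bytes, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unscramble(key, blob):
    """Return the original bytes, or None when the blob was not scrambled
    under this key (a backup copied to another installation) or was altered."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def demo():
    """Constructed scenario: the same answers typed on two machines."""
    answers = ("Knowski", "lemon-yellow blue", "Independent", "plattypusasourus")
    key_a = installation_key(answers, b"salt-of-machine-A")   # constructed salts
    key_b = installation_key(answers, b"salt-of-machine-B")
    program = b"MZ\x90\x00" + b"\x00" * 60                     # stand-in for WP.EXE
    blob = scramble(key_a, program)
    return unscramble(key_a, blob) == program, unscramble(key_b, blob) is None


if __name__ == "__main__":
    print(demo())   # (True, True): runs at home, refuses elsewhere
```

The salt is the part a practitioner would insist on: the four answers alone are guessable categories, and the manual's uniqueness claim holds only if something random and machine-local is folded into the key as well.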


Let's begin.  Move the DOWN arrow to FILE ACCESS.

                         MANAGER

                   A --
                   B --
                   C --
                   D --
                   E --
                   F --
                   G --
                   H --
                   I -- FILE ACCESS
                   J --

Press RETURN to achieve the menu which says:

            TOGGLE DRIVE
            TOGGLE LEVEL
            ADD
            DELETE
            QUIT


This option allows the addition of executables and BAT files to a LEVEL.

WE RECOMMEND THAT YOU DECIDE WHICH PROGRAMS ARE ASSIGNED TO EACH
LEVEL BEFORE YOU BEGIN THE PROCESS OF ADDING PROGRAMS.  BE SURE TO
MAKE BACKUP COPIES OF THE PROGRAMS TO BE ASSIGNED OR HAVE THE
ORIGINAL SOURCE DISKS STORED AS RECOMMENDED LATER IN THIS MANUAL.
WHEN A PROGRAM IS ADDED TO ANY LEVEL IT IS SCRAMBLED TO PREVENT
FUTURE EXECUTION OUTSIDE OF THE V-PHAGE SECURITY SYSTEM.

TOGGLE DRIVE will show the default hard drive. As system Manager you know how many
hard drives you have in your system. If more than one exists you can move from drive to
drive by pressing the RETURN key when DRIVE is highlighted. If only one drive is present
DO NOT press the RETURN key, rather use the DOWN arrow to move to TOGGLE
LEVEL.  Should you press the RETURN key V-PHAGE will verify the number of drives
available on your system.

                     Toggle Drive C
                     Toggle LEVEL 0
                     Add
                     Delete
                     Quit
                    
Now press RETURN.  Notice the level changes to the next higher digit after a few seconds
of blank screen. 

                     Toggle Drive c
                     Toggle LEVEL 1
                     Add
                     Delete
                     Quit
                    
During this time the hidden level access file is created.  Notice the highlight has remained
at the Level position.  Repeat the above, i.e., press RETURN key each time you finish
adding the programs chosen for that level to increase the level by one.  When you have
arrived at the level of your choice move the highlight to ADD.  The fifteen (15) levels must
be stepped through in ascending order, i.e., one, two, three, etc.

                     T
                     T
                     Add
                     D
                     Q   


Press RETURN. The contents of the Root Directory will appear in an upper half window.
A lower half window is blank.  You must navigate down the DOS path structure to the
program you wish to designate. To do this you need to use the arrow keys and the
RETURN key.

************************************************************
*  io.sys  ms-dos.sys  command.com  config.sys  ansi.sys   *
*  \wp  \123  \dbms  \cad  \ai  \case                      *
*                                                          *
*                                                          *
**************************LEVEL 0***************************
*                                                          *
*                                                          *
*                                                          *
*                                                          *
************************************************************

Let's suppose your root contains the directories WP, 123, dbms, cad, ai  and case. To
place a program from the WP directory in LEVEL 2 you must first follow the toggle
instruction to achieve LEVEL 2. Next using the DOWN arrow move to highlight ADD. Press
return. The root will appear as it does above.  Move the arrows to highlight WP and press
RETURN. The WP directory subdirectories and programs are listed on your screen. 

************************************************************
*   wp.exe  convert.exe   sort.com  merge.exe   list.com   *
*   find.exe                                               *
*                                                          *
*                                                          *
**************************LEVEL 2***************************
*                                                          *
*                                                          *
*                                                          *
*                                                          *
************************************************************

If you wanted to bound two programs called CONVERT.EXE and WP.EXE you would first
choose CONVERT.EXE by moving the arrows to highlight it. Now Press RETURN.  In a
few seconds the name CONVERT.EXE will appear in the lower window. The upper window
will return to the root directory. Bounding secures the execution to the level chosen. Only
those authorized to the LEVEL may access them.

Again, travel using the keys to the WP directory and press RETURN.  Highlight the
program WP.EXE and press RETURN. It too will appear in the lower window.

The logic of the path enforces an audit on the execution, which is logged for later analysis
should that be required. Additionally, it requires that you, as System Manager, make sure
that you select the proper program. When level 1 is complete you then move on to level
2, and then level 3. You have sixteen levels available to you (0 - 15). Upon successful
completion of the assignment of programs to each level, move the highlight to QUIT to
return to the Manager's Screen.

You are now ready to proceed. Distribute the IDs and associated PASSWORDS to the
designated owners. Accomplish this task privately so as to assure the appropriate level of
confidentiality. If a user leaves, delete his/her ID/PASSWORD. Issue a new
ID/PASSWORD to the replacement in that position.

NEVER REPEAT/REUSE EITHER AN ID OR A PASSWORD, AS THIS LEAVES A POTENTIAL
SECURITY BREACH (THE OLD ID/PASSWORD) ACTIVE IN YOUR SYSTEM.

A LOOK AT THE MANAGER SCREEN OPTIONS


A --RUN DETEKT


    Our reason for the development of this program is to provide the typical computer user
early warning against a virus attack or defective software. DETEKT provides a
bounding of the problem, allowing your computer security contingency plan to respond
prior to program execution. Should you not have a computer security contingency plan,
consider following the orderly process suggested at the completion of these operational
instructions. The DETEKT tool should be executed after the entry of any software or data to
your system from any outside source, including trusted computer software. Use DETEKT as
the cornerstone of your software quality program. It reduces the potential for major
problems. DETEKT BOUNDS THE PROBLEM AREA TO MINIMIZE THE POSSIBILITY
FOR CORRUPTION.

    The introductory screen tells you that the program File Corruption Detection has begun.
Press the return key again.

    You will now see three choices displayed across the top of the screen. They are FILE,
CHECK and QUIT. 

FILE OPTIONS

Under the FILE choice five options are listed (DRIVE SELECTION, ADD FILES, DELETE
FILE, PRINT AUDIT and CHANGE NAME ).
  
    DRIVE SELECTION allows you to choose drives A: through I:. The drive must physically
exist and be configured into the computer system. In the case of floppy disk drives the
drive door must be properly closed with a formatted disk mounted in the drive. If you utilize
a hard drive choose drive C:.

    Using the Arrow keys drop down one level to ADD FILES. Press the return key. Notice
that the upper window now shows the directories and files in the root directory. The
cursor shell now highlights the first item (left most, top most). To choose this item,
simply press the return key. The chosen file name will appear in the lower window.
DETEKT has calculated both a checksum and CRC for file name, file size, path, date
stamp, time stamp and file attributes. The CRC/Checksum is added to the control file.

The cursor is back in its original position. Use the arrows to move to the next file you wish
protected. For your protection, the cursor always returns to its home position and creates
a unique traceable path. In this way path deviations, which substitute a duplicate named
program, will not be allowed to distort your original intent.

     Should you choose a directory, DETEKT will display the programs in that directory.
DETEKT can drop down to the lowest subdirectory on your drive.  Choose the file to be
protected by moving the arrow keys to your selection.  Press return to invoke DETEKT.
NOTE: In order to assure that the proper path is chosen and encoded in the DETEKT file
tracking scheme you must begin from the root directory each time. This method is a bit
more time consuming but it provides your system with the maximum unique protection
available.  The ADD FILES logic within DETEKT is a balance between user friendliness
and encryption effectiveness.

      When you are satisfied that the appropriate files are protected press the ESCape key
to return to the choices.

      The DELETE FILE option helps those who make mistakes to remove them. Choose
the file to be unprotected by moving the arrows. Press the return key and the file will be
highlighted with an asterisk. When all files to be unprotected are so highlighted press
ESCape. They will be removed from the lower window. The ESCape key will return you
to the option choices.

       At this point you have created a set of controls for the files. Those files are specially
identified so that if corruption, willful or negligent, occurs you will be notified at the next
DETEKT execution. The control file is kept in encrypted form in a hidden subdirectory on
drive C:.

       The option to PRINT AUDIT allows the system manager to print, for analysis purposes,
a report from YYMMDD to YYMMDD. When you choose this option simply follow the
instruction prompts. Enter the start date as YEAR-MONTH-DAY and press RETURN. Then,
when the second prompt appears, enter the finish date as YEAR-MONTH-DAY and press
RETURN. BE SURE YOUR PRINTER IS ON LINE, TURNED ON, HAS PAPER LOADED
AND IS READY TO GO. If your printer is not ready DETEKT will wait for you to make the
printer ready. ESCape will cancel the PRINT AUDIT command.

       The  CHANGE NAME option allows you to specify the name which will appear in the
heading block of the Audit Report. Move the highlight to the option and press RETURN.
Follow the instructions on the screen.

CHECK OPTIONS

       The CHECK command requires you to move the right arrow one position. The options
available are SPECIAL FILES, DISK FILES, ALL FILES, UPDATE DISK and UPDATE
ALL. Move the highlight down to SPECIAL FILES and press the return key. A window
opens in the center of your screen as all the SPECIAL FILES you chose are verified and
validated. This is probably the most used command in the schema.

       DETEKT is designed to afford full disk protection. Move the bounded cursor to the
middle line, UPDATE DISK.  This command causes DETEKT to build a disk control file.
First DETEKT verifies itself then it proceeds to establish controls for every file on the drive
currently specified. The command UPDATE ALL will create a control for every file on every
installed and active (loaded and on-line) drive from A: through I:.  The initial processing of
a fully loaded 32MB drive takes approximately 25 minutes.  A 362k floppy requires
approximately one minute.

       The command DISK FILES performs a validation of the full current disk against the
control file created by the ALL FILES process. Verification requires about 5 minutes for the
32MB drive described above. We recommend that DISK FILES be invoked immediately
after any new software is added. UPDATE ALL examines all disks installed and
active (loaded and on-line) from A: through I:.

The ESCape key returns you to the highest command level.  

QUIT OPTION

To exit DETEKT move the right arrow to QUIT mode. Questions concerning hard copy
logs will be asked based upon the actions you initiated. If you processed any CHECK
function you will be asked "Do you want a report of current activity?(Y/N)". If you answer
Y you obtain a report of this processing. You then are asked, "Do you want a complete
change history?(Y/N)". If you choose Y a full report is printed. If you choose N you exit to
the REMINDER screen. If you press the ESCape key you return to the MANAGER'S
SCREEN.


CLOSING CORRUPTION LOOPHOLES (SAVEZONE)

    Corruption which enters your system in data files can be executed when that file, i.e., a
spreadsheet or word processor file or text, is called. This corruption is limited to two
specific parts of your system, the BOOT track (track 0) and the FILE ALLOCATION TABLE
(FAT). SAVEZONE allows you to back up both areas on a clean, formatted floppy disk.
Should you experience a disk problem you need only shut down the system, wait thirty (30)
seconds and reboot using your original DOS boot disk. When the reboot is complete mount
the SAVEZONE FLOPPY DISK in drive A: and type the command NEWZONE. The
damaged BOOT track and FAT will be replaced. Your system is as it was prior to the
attack.

     Be sure to copy the offending file to a floppy disk prior to deleting the file from your
computer system. In this way a computer security professional can analyze the culprit.
Upon deleting the corrupt file, process DETEKT using the command CHECK and the
sub-command ALL FILES. This will assure that the corruption is no longer present.

  
HOW TO RUN DETEKT OUTSIDE OF V-PHAGE

    DETEKT is normally placed in the V-PHAGE  directory and executed from the V-PHAGE
system path in order that it is accessible to the System Manager at any time.  You will
notice that you can use DETEKT to check for changes in itself.  This protection mechanism
assures detection of corruption.

    When DETEKT is invoked two work windows will appear, an upper and a lower. The
upper window is the selection or pick window where those files you wish DETEKT to
validate will appear and/or you can select additional files for review. The lower window will
always contain the selected files.

    At the top of these two screens are your menu controls which are as follows, FILE,
CHECK, or QUIT.

          FILE SELECTIONS ARE:

                                 Drive Select

    Allows you to select between drives A- I if they are installed and available for use. A
floppy disk drive will not be selected if the drive door is open or if a disk is missing from the
drive.

                                Add File                        

    Allows you to select any file from the drive or sub-directory selected. Once the desired
drive and directory has been selected, the up/down arrows are used to move the highlight
bar about to  select the file.  Press return and  the file will appear  in the lower window  to
indicate the file has been added.
 
                                 Delete File
 
    Allows you to delete selected files from the selected drive or sub-directory. Up/down
arrows can be used to move the highlight bar to the file you wish to delete. Once the file has
been highlighted press the return key to select the file. Selected files will have an asterisk (*)
to the right of the file name. Press the escape key to complete the operation.
 
                                 Print Audit

     Allows you to print the audit trail hidden upon this disk from any date to any date.

                                 Change Name

     Allows the user to place a name in the audit report heading.

                 CHECK SELECTIONS ARE:
 
                                   Special Files
 
    Using this selection only allows selected files to be checked. Should you happen to
delete a file which appears in the TO BE CHECKED lower window and not remove it, i.e.,
not practice proper maintenance of your files, you will be told NO LONGER EXISTS next
to the file name. You must press the RETURN key to continue the CHECKing process.
DETEKT assures that you recognize that a difference has been detected.
 
                                   Disk Files
 
   Using this selection allows files on selected drives with .COM, .EXE, .SYS, .OBJ, and
.BAT extensions to be checked.  Message NO FILES HAVE BEEN CHANGED SINCE
LAST UPDATE appears if your disk control file matches the hidden control file for that
drive.
 
                                   All Files

Using this selection causes all files on every drive in use to be verified.
             
                                    Update Disk
 
    Permits the update of  the control file which was  created during the setup exercise
explained in the detail above.            
 
                                    Update All

    Causes all files on every drive in use to be updated.
             
                  QUIT (exiting the program) 
     Allows the user to exit from the program. Upon leaving the program <RETURN> you will
receive a final warning:

      REMEMBER TO PERFORM DAILY BACKUP ROUTINE
      FOR OPTIMUM DATA AND FILE INTEGRITY

    This is a very important procedure.  Press the return key to get back into the DOS
system. 
 
 

WARNING MESSAGES:
 
                   POSSIBLE INFECTION !!
 
    This warning message will appear during file checking if any one of the following is true.
 
                   File size has been altered.
                   File date/time has been altered.
                   File checksum has been altered.
                   File CRC has been altered
                   New unvalidated file has been added
 

                   WARNING THE ABOVE FILE HAS BEEN ALTERED!!
                   DO YOU WISH TO UPDATE CONTROL FILE?
 
    These messages will follow a possible infection warning. The user will be asked if the
file is ok to update. Answering * YES * (i.e., typing "Y") to this question will update the
control file to the current status of the file that has been identified as changed. Answering
* NO * (i.e., typing "N") to this question leaves the control settings for that file just the way
they were before the user was alerted to the possible infection. When a warning
message is encountered an action must be taken by the user to avoid possible
problems.
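The warning conditions and the Y/N prompt above describe an ordinary file-integrity
baseline. The Python below is an added example written for this page, not DETEKT's
own code: it records, per file, the size, date/time stamp, a checksum and a CRC, verifies
files against that control record, reports the five conditions listed above, and lets the
operator answer the UPDATE CONTROL FILE prompt with Y or N. SHA-256 stands in for
the product's unspecified checksum, an in-memory dict stands in for the hidden encrypted
control file, and the function names and the sample files it creates are assumptions.

```python
"""
DETEKT-style file-integrity control: added example, not the product's code.
Function names, the control-file layout (an in-memory dict) and the sample
files are assumptions; SHA-256 stands in for the product's unspecified checksum.
"""
import hashlib
import os
import tempfile
import zlib


def fingerprint(path):
    """The attributes the manual says DETEKT controls: size, date/time stamp, checksum, CRC."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "checksum": hashlib.sha256(data).hexdigest(),
        "crc": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
    }


def build_control(paths):
    """ADD FILES: create a control entry, keyed by absolute path, for each selected file."""
    return {os.path.abspath(p): fingerprint(p) for p in paths}


def differences(control, path):
    """Reasons a POSSIBLE INFECTION warning would fire for one file; empty means unchanged."""
    ap = os.path.abspath(path)
    if ap not in control:
        return ["New unvalidated file has been added"]
    if not os.path.exists(ap):
        return ["NO LONGER EXISTS"]
    base, cur = control[ap], fingerprint(ap)
    reasons = []
    if cur["size"] != base["size"]:
        reasons.append("File size has been altered.")
    if cur["mtime"] != base["mtime"]:
        reasons.append("File date/time has been altered.")
    if cur["checksum"] != base["checksum"]:
        reasons.append("File checksum has been altered.")
    if cur["crc"] != base["crc"]:
        reasons.append("File CRC has been altered")
    return reasons


def check_files(control, paths, accept=lambda path, reasons: False):
    """CHECK: verify each path. `accept` answers DO YOU WISH TO UPDATE CONTROL FILE?
    (True = Y, False = N); the default answers N, leaving the control entry as it was."""
    report = []
    for p in paths:
        ap = os.path.abspath(p)
        reasons = differences(control, ap)
        if not reasons:
            continue
        report.append((ap, reasons))
        if os.path.exists(ap) and accept(ap, reasons):
            control[ap] = fingerprint(ap)      # Y: control now reflects the file's current state
    return report


def demo():
    """Constructed scenario: baseline two files, append bytes to one, drop in a third."""
    d = tempfile.mkdtemp()
    good, victim, new = (os.path.join(d, n) for n in ("list.com", "wp.exe", "extra.com"))
    for p in (good, victim):
        with open(p, "wb") as fh:
            fh.write(b"original program image: " + os.path.basename(p).encode())
        os.utime(p, (1_000_000_000, 1_000_000_000))   # pin the date/time stamp
    control = build_control([good, victim])

    with open(victim, "ab") as fh:
        fh.write(b"\x90" * 16)                         # appended bytes: size, sums and CRC all move
    os.utime(victim, (1_000_000_600, 1_000_000_600))
    with open(new, "wb") as fh:
        fh.write(b"never validated")

    report = check_files(control, [good, victim, new])            # operator answers N
    after_no = differences(control, victim) != []                 # still flagged on the next run
    check_files(control, [victim], accept=lambda p, r: True)      # operator answers Y
    after_yes = differences(control, victim) != []
    return {"report": report, "after_no": after_no, "after_yes": after_yes}
```

Answering N leaves the control entry untouched, so the same file is flagged again on the
next run, which is the behaviour the manual describes. The date/time stamp is the one
attribute that whoever altered the file can put back; the checksum and CRC cannot be
satisfied without the original contents, which is why a file is never reported clean on the
timestamp alone.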
 
 

COMMAND LINE SHORTCUTS
         (MAY BE USED ONLY AFTER YOU EXIT TO DOS)

    Many times users seek the friendliness of checking their status during an application's
progress. DETEKT allows you to return to the DOS shell and execute from the command
line without the detailed step by step process described above.

      COMMAND                   ACTION

      DETEKT/CD (drive)         VALIDATES ALL FILES IN THE CONTROL FILE WHICH YOU
                                ESTABLISHED DURING SETUP FOR THE ENTIRE DRIVE. IF
                                YOU DO NOT SPECIFY A DRIVE THE CURRENT DRIVE IS
                                THE DEFAULT DRIVE.

      DETEKT/CA                 VALIDATES ALL FILES ON EVERY WORKING DRIVE.

      DETEKT/UD                 UPDATES ALL FILES ON THE CURRENT DRIVE.

      DETEKT/UA                 VALIDATES ALL FILES ON EVERY DRIVE AVAILABLE TO
                                THE COMPUTER SYSTEM.

      DETEKT/S                  UPDATES THE SPECIAL FILES SELECTED DURING THE
                                SETUP PROCESS.

      DETEKT <PATH> <FILENAME> will validate the specific program on the specific path
you have chosen. DETEKT IS VERY PRECISE. You must carefully and accurately define
the command line parameters.

If you make a mistake or if the file does not exist you will be informed:

     <PATH> <FILENAME> HAS NOT BEEN FOUND!

      When the proper path and filename is RETURNed you will be notified by the initial
comment:
    
       CHECKING  <PATH> <FILENAME> , at completion, you should see:
       <PATH> <FILENAME> HAS NOT BEEN ALTERED

       If changes to the control file were noted you will receive the error message telling you
precisely what has been detected as different. You will be given the opportunity to accept
the changes. ACCEPT THE CHANGE ONLY IF YOU KNOW WHAT CAUSED THE
CHANGE.  DO NOT GAMBLE WITH YOUR MACHINE'S SOFTWARE INTEGRITY.
WHEN IN DOUBT BE PRUDENT.      

LOGGING DETEKTED DIFFERENCES (VIDEO AND PRINTED COPY)

       V-PHAGE allows the user to see all detected differences at one time in one place.
Should differences be found, they will be written to a file named OSERROR.TXT in the
\root of the disk being evaluated. Some users copy this file to a security sub-directory with
the name changed to dif<mmddy>.doc. In this way they can combine results to determine
if trends and/or patterns exist which require further investigation. Before deleting those
historical disk files, type the command PRINT OSERROR.TXT to produce hardcopy for
review, analysis and historical purposes, or copy the files to a floppy disk for storage.

CONCLUSION CONCERNING THE RUN DETEKT OPTION
 
     DETEKT IDENTIFIES A DIFFERENCE in the software residing on your disk drives
since the last time it was analyzed, LOCATES THE DIFFERENCE, and provides a warning
of a possible infection or software bug. DETEKT should be part of a well planned backup
routine to be fully effective.  Use SAVEZONE as suggested to keep your risk level at
minimum.  Once in operation, DETEKT minimizes the user's exposure to the risks
associated with unidentified change.


B -- RUN SAVEZONE

     SAVEZONE backs up the hard disk boot track and file allocation table (FAT). ACC, Inc.
recommends that it be executed prior to shut down each day, at minimum. SAVEZONE
protects the programs within V-PHAGE/DOS from permanent damage by the class of
VIRUS and Trojan Horse which corrupt by manipulating or destroying the boot track and/or
FAT. When you press RETURN at the highlighted SAVEZONE choice you will see:

             Executing Format in Drive A:

             Insert Disk and strike Enter when ready

     You will now see the normal DOS format cycle occur by head by cylinder. At
completion you will see:

                        Format Complete
     
     then the screen will display a running dialog of the actions taking place.
 
                        Creating newzone.exe
                                        autoexec.bat

     The backup floppy disk is now ready. You will have the opportunity to choose the
drive to be backed up.

               Drive to Backup ?
           
     Enter the letter of the hard drive to be backed up and, again, press RETURN.

               Drive to Backup ?  C or c (case is irrelevant)


      The screen will blank as the following actions are accomplished. The Boot Track and
File Allocation Table (FAT) are  copied to the Disk in Drive A:.  At completion of this
processing  the MANAGER'S MENU will reappear.  Identify the disk in Drive A: as the boot
track backup and store it in a safe place.
            
     The message:

             Please remove disk from drive A: and store in a safe place.
                is a documented reminder.


Processing NEWZONE

      (The tool to replace your damaged boot track and FAT)

       1.  Reboot the computer using the backed up disk placed in drive A:.

       2.  Type the command NEWZONE and press the return key

       3.  When the system is restored to its pre-attack state, copy the corrupt file to a floppy
disk for later analysis by a software security professional.

       4.  Delete the corrupt file from your disk      

       5.  Use DETEKT to validate the entire disk, i.e., process RUN DETEKT and take those
actions appropriate to the results produced. 

       6.  Return to your normal routine
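SAVEZONE and NEWZONE, as described here and in the CLOSING CORRUPTION
LOOPHOLES section, amount to copying the boot sector plus the FAT region to removable
media and writing it back after damage. The Python below is an added example that does
this against a constructed FAT12-style disk image rather than a physical drive; it is not the
product's code. It reads the extent of the reserved (boot) sectors and FAT copies from the
BIOS Parameter Block, snapshots that extent together with a digest, and restores from the
snapshot without re-reading the BPB, since after an attack the BPB may be the very thing
that is damaged. The image layout and the function names are assumptions.

```python
"""
Boot-sector and FAT backup/restore over a disk image (constructed example, not
SAVEZONE/NEWZONE itself). The image layout and function names are assumptions.
"""
import hashlib
import struct

SECTOR = 512
BPB_OFFSET = 11
# bytes/sector, sectors/cluster, reserved sectors, FAT copies, root entries,
# total sectors, media descriptor, sectors/FAT (the classic FAT12/16 BPB fields)
BPB_FORMAT = "<HBHBHHBH"


def build_test_image(total_sectors=64, reserved=1, fats=2, sectors_per_fat=2):
    """Construct a minimal FAT12-style image: boot sector with BPB, FAT copies, empty data area."""
    img = bytearray(total_sectors * SECTOR)
    img[0:3] = b"\xEB\x3C\x90"                        # jump over the BPB
    img[3:11] = b"EXAMPLE "                           # OEM name
    struct.pack_into(BPB_FORMAT, img, BPB_OFFSET, SECTOR, 1, reserved, fats,
                     16, total_sectors, 0xF0, sectors_per_fat)
    img[510:512] = b"\x55\xAA"                        # boot sector signature
    fat_start = reserved * SECTOR
    for i in range(fats):                             # media descriptor entries in each FAT copy
        off = fat_start + i * sectors_per_fat * SECTOR
        img[off:off + 3] = b"\xF0\xFF\xFF"
    return img


def zone_extent(img):
    """Byte extent (start, length) of the boot track plus every FAT copy, as the BPB declares it."""
    if bytes(img[510:512]) != b"\x55\xAA":
        raise ValueError("boot sector signature missing")
    bps, _, reserved, fats, _, _, _, spf = struct.unpack_from(BPB_FORMAT, img, BPB_OFFSET)
    return 0, (reserved + fats * spf) * bps


def zone_readable(img):
    """True when the boot sector still describes the zone (i.e. it has not been wiped)."""
    try:
        zone_extent(img)
        return True
    except (ValueError, struct.error):
        return False


def savezone(img):
    """SAVEZONE step: snapshot the zone together with a digest so a bad backup is detectable."""
    start, length = zone_extent(img)
    data = bytes(img[start:start + length])
    return {"start": start, "data": data, "sha256": hashlib.sha256(data).hexdigest()}


def newzone(img, backup):
    """NEWZONE step: write the snapshot back. Deliberately does not consult the (possibly
    destroyed) BPB on the damaged image; the extent comes from the backup record."""
    if hashlib.sha256(backup["data"]).hexdigest() != backup["sha256"]:
        return False                                  # backup itself is corrupt: leave the disk alone
    start, data = backup["start"], backup["data"]
    img[start:start + len(data)] = data
    return bytes(img[start:start + len(data)]) == data
```

The digest check is the detail worth keeping: a backup floppy that has itself been damaged
or tampered with must not be written over the disk, so the restore refuses rather than
guesses.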

C -- ADD NEW USER

Use the DOWN arrow to reach the ADD NEW USER. When it is highlighted press
RETURN. 

                 MANAGER

              A --
              B --
              C -- ADD NEW USER
              D --
 
Wait for the display to show ID: the short wait is required so that the audit trail is
maintained. If you type any characters you will be asked to repeat them. Have patience,
enforced security is worth the wait.

                        ID:

Type the ID chosen for this user and press RETURN.

                        ID: XXXXX

The screen will repeat the ID you have entered exactly as you input it with the comment
Y/N?.

                         ID SERENITY (Y/N?)

If the ID is exactly as you wish type Y.  If you are dissatisfied for any reason type N. N
repeats the process.


When you type Y and press RETURN the request PASSWORD will appear.

                       PASSWORD:

enter the password of your choice. 

BE UNIQUE. USE TERMS OR RANDOM STRINGS WHICH ARE NOT TYPICAL TO
ANYTHING ASSOCIATED WITH THE ASSIGNED USER. DO NOT USE ANY OF THE
PASSWORDS LISTED IN THE COMMON PASSWORD SECTION WHICH APPEARS
LATER IN THIS MANUAL.

After you enter the PASSWORD the display will say

"again".

Repeat the chosen PASSWORD at the prompt.  If you are successful the display will say
LEVEL.  If you err the PASSWORD process will repeat.  Do not anticipate and type before
requested to do so. V-PHAGE is logging your activities.  The log takes precedence. You
will be required to retype your entry.

                       LEVEL:

At the LEVEL prompt choose from 1 - 15. It is a waste of time to input 0. The 0 will cause
the message

                      "ONLY ONE SYSTEM MANAGER" 

to appear. Be careful not to repeat level 0 requests as V-PHAGE will cause an exit which
requires a restart. We took this precaution based upon experience with hacker comments
concerning some operating system undocumented features which could lock up the server
and cause an unauthorized entry into the operating system.

The next display will ask for the new user's NAME.

                        NAME:

Again this feature is beneficial to you as system Manager when tracking auditable actions
by ID, Terminal used and programs executed.   

                        DEPT:

The final entry requested is the Department (DEPT) code. In many corporations data is
shared within the corporation across the enterprise. In others it is compartmentalized. V-
PHAGE allows the user the best of both worlds. You have the option to structure your
corporation/agency in the manner you find most amenable to your operations. During an
audit of data use one might compare department to level to determine if unauthorized
sharing or inappropriate use has occurred.

                        DEPT: SALES

When the department is entered you will be returned to the top of the MANAGERS MENU.
Repeat the process for each user that you wish to register. 


As you continue be aware that V-PHAGE is tracking your activities. You may not repeat
an ID or a PASSWORD. Should you repeat inadvertently, V-PHAGE will advise you

                          ID not acceptable

After all users are entered at the chosen level you can begin to choose the programs
accessible by each level. 

BE ADVISED -- If you attempt to execute the RUN PROGRAMS command from a legal
access but no programs are assigned you will see the comment

      ask your Manager to authorize application programs 

You will then be exited from the system. The logic for this harsh measure is simple
security, i.e., if you do not have something to process you should not be an active user.

A system Manager can accomplish any function in his manager's menu and all executions
allowed of programs chosen at every level. Individual users added to V-PHAGE may
function solely in their assigned level. Attempts to bypass V-PHAGE will cause the
computer to cease to function. Restart is required to continue.


D -- CHANGE USER


Using the DOWN arrow move to the CHANGE USER line. When it is highlighted press
RETURN. 

                    MANAGER
    
               A --
               B --
               C --
               D -- CHANGE USER
               E --

The prompt ID will appear. When it is displayed type the ID which you wish to change.  The
ID prompt will reappear. Type the new ID that you have chosen to replace that now in use.

                     ID: XXXXXXXX

REMEMBER!!!!!   Choose an ID which is UNIQUE to you but not representative of your job,
avocation or family. 

enter your choice and press the RETURN key.  When PASSWORD appears, repeat the
process, i.e. type a unique password. 

                    PASSWORD: XXXXX

Upon success you will be rewarded by the display LEVEL.  If you enter the level zero (0)
you will be told that the privilege may not be deleted. 

                    LEVEL: <all but 0 accepted>

THERE IS ONLY ONE HIGHEST PRIVILEGE LEVEL ALLOWED BY V-PHAGE AND
YOU, AS SYSTEM MANAGER, ARE IT.  V-PHAGE WILL DISALLOW ANY ATTEMPT TO
CREATE A SECOND SUPER PRIVILEGE.

Next the display NAME: will appear. Type the name of the individual assigned this ID and
PASSWORD.

                    NAME: Constance Complainer

NAME is a requirement of V-PHAGE for later audit reporting purposes.
 

E -- DELETE USER


To DELETE a user move the highlight to DELETE USER and press RETURN. 

                     MANAGER

                 A --
                 B --
                 C --
                 D --
                 E -- DELETE USER
                 F --


The display will ask for the ID: to be deleted.  Type the ID you wish to remove. 

                   ID: TalKAtive

The next prompt will ask for PASSWORD:  Type the password and press RETURN.

             PASSWORD: PrograMMer

You will now see the record to be deleted on your screen with the question "DELETE Y/N
?". 

     TalKAtive   PrograMMer  1  EDP   Jess Wright  DELETE Y/N ?

If you type Y the item is deleted. If you type N the item is rewritten to the appropriate
hidden files and you return to the MANAGER'S SCREEN.

If you try to delete an ID which does not exist, V-PHAGE will allow you two tries and
then print

                       unknown ID

and return to the MANAGER'S MENU.

You may not delete the LEVEL 0. If you attempt to do so you will upon entering the level
0 ID receive on the screen the message

          Secure Level -- Deletion Prohibited

and be returned to the MANAGER'S SCREEN. 

Successes, deletions and attempted deletions are logged in the secure hidden audit file.
Read the section concerning audits and reporting of activities later in this manual.
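The ADD NEW USER and DELETE USER rules above (IDs must be unique and are never
reissued, passwords are never reused, there is only one level 0, levels run 0 - 15, deletion
of level 0 is prohibited, and every attempt is logged) can be written down as a small
registry. The Python below is an added example, not V-PHAGE code: salted PBKDF2
hashes stand in for the manual's unspecified encryption of IDs and passwords, the audit
list stands in for the hidden audit file, dates are held as YEAR-MONTH-DAY strings so a
PRINT AUDIT style date range is a plain comparison, and the message strings follow the
manual wherever it quotes one. Method names and the audit-record layout are assumptions.

```python
"""
Manager-side user registry enforcing the ADD NEW USER / DELETE USER rules.
Added example, not V-PHAGE code: the hashing scheme, method names and the
audit-record layout are assumptions.
"""
import hashlib
import hmac
import os
from datetime import date

PBKDF2_ROUNDS = 20_000      # assumption: the manual says only that IDs/passwords are encrypted


class RegistryError(Exception):
    """Raised with the manual's own wording where it quotes a message."""


class UserRegistry:
    MAX_LEVEL = 15          # sixteen levels, 0 - 15
    MANAGER_LEVEL = 0       # exactly one record may hold it

    def __init__(self):
        self.users = {}           # ID -> {"level", "name", "dept", "salt", "digest"}
        self.retired_ids = set()  # deleted IDs are never reissued
        self.issued = []          # (salt, digest) of every password ever issued
        self.audit = []           # (YEAR-MONTH-DAY, event, ID): the hidden audit file

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _log(self, event, user_id, when):
        self.audit.append((when or date.today().isoformat(), event, user_id))

    def _password_reused(self, password):
        return any(self._digest(password, s) == d for s, d in self.issued)

    def add_user(self, user_id, password, level, name, dept, when=None):
        """ADD NEW USER: every rule the manual states is checked before the record is written."""
        if user_id in self.users or user_id in self.retired_ids:
            self._log("add rejected: ID already used", user_id, when)
            raise RegistryError("ID not acceptable")
        if self._password_reused(password):
            self._log("add rejected: PASSWORD already used", user_id, when)
            raise RegistryError("PASSWORD not acceptable")
        if not 0 <= level <= self.MAX_LEVEL:
            raise RegistryError("LEVEL must be 0 - 15")
        if level == self.MANAGER_LEVEL and any(u["level"] == 0 for u in self.users.values()):
            self._log("second level-0 request refused", user_id, when)
            raise RegistryError("ONLY ONE SYSTEM MANAGER")
        salt = os.urandom(16)
        digest = self._digest(password, salt)
        self.issued.append((salt, digest))
        self.users[user_id] = {"level": level, "name": name, "dept": dept,
                               "salt": salt, "digest": digest}
        self._log("user added", user_id, when)

    def verify(self, user_id, password):
        u = self.users.get(user_id)
        return u is not None and hmac.compare_digest(self._digest(password, u["salt"]), u["digest"])

    def delete_user(self, user_id, password, when=None):
        """DELETE USER: level 0 is never deletable; every attempt, good or bad, is logged."""
        u = self.users.get(user_id)
        if u is None:
            self._log("delete of unknown ID attempted", user_id, when)
            raise RegistryError("unknown ID")
        if u["level"] == self.MANAGER_LEVEL:
            self._log("deletion of level 0 attempted", user_id, when)
            raise RegistryError("Secure Level -- Deletion Prohibited")
        if not self.verify(user_id, password):
            self._log("delete refused: bad PASSWORD", user_id, when)
            raise RegistryError("PASSWORD not acceptable")
        del self.users[user_id]
        self.retired_ids.add(user_id)
        self._log("user deleted", user_id, when)

    def list_users(self):
        """LIST USERS: ID, level, name and department, never the password."""
        return [(i, u["level"], u["name"], u["dept"]) for i, u in self.users.items()]

    def print_audit(self, start, end):
        """Audit lines from start to end (YEAR-MONTH-DAY strings), inclusive."""
        return [e for e in self.audit if start <= e[0] <= end]


def attempt(operation, *args, **kwargs):
    """Run one registry operation; return the manual's message on refusal, None on success."""
    try:
        operation(*args, **kwargs)
        return None
    except RegistryError as err:
        return str(err)
```

Two design points follow from the manual's rules: a deleted ID goes into a retired set rather
than simply disappearing, otherwise "never reissue an ID" cannot be enforced, and password
reuse is checked against every hash ever issued, including those of deleted users, because
the manual treats an old ID/PASSWORD pair still honoured by the system as the breach.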

F -- LIST USERS

Periodically you will need to verify who has some level of privilege in the V-PHAGE.  Move
the highlight to the line LIST USERS. Press RETURN. 

                     MANAGER
                
                 A --
                 B --
                 C --
                 D --
                 E --
                 F -- LIST USERS
                 G --    

The V-PHAGE will ask you for your password.

                  PASSWORD:

If you provide the proper PASSWORD you will see the listing.

       FCD          0    TOM TERIFFIC       MGMT
       REST         3    SERENITY SAFELY    ACCT
       TalKAtive    1    JESS WRIGHT        EDP

If you are wrong for whatever reason the attempt will be logged and you will be returned
to the managers menu. Shutdown is a security measure to assure that you, the system
Manager, haven't walked away from your terminal and an unauthorized person replaced
you. A second mistake (two in a row) exits you from the system. You must restart your
computer to reenter V-PHAGE to try again.

G -- PRINT USERS

WARNING !!!  PRINTOUTS OF ID AND PASSWORD FILE INFORMATION MUST BE
KEPT TO A MINIMUM. IT IS BEST TO NEVER LET IT HAPPEN.

Move the highlight to the PRINT USERS option using the DOWN arrow.

                    MANAGER

                 A --
                 B --
                 C --
                 D --
                 E --
                 F --
                 G -- PRINT USERS

Press RETURN.  You will be asked for your PASSWORD. 

                    PASSWORD:

An erroneous input will cause an escape to the managers screen.
When V-PHAGE has accepted and logged the correct password it will next ask for your
department.

                   DEPT:


The proper entry will allow the report to print.

                   ID/PASSWORD HARDCOPY
           !!!! KEEP THIS DOCUMENT SECURE !!!!!

FCD       ACC          0       Tom Terrific          MGMT
REST      NIGHTLY      3       Serenity Safely       ACTG
HOLY      DEVIL        2       Ida Gomez             EDP

This action, like all others, is posted into the audit log. 

H -- RUN PROGRAMS

The DERUN shell creates a boundary so that the programs which users process are inside
the shell.  The user has no access to DOS unless you the system Manager so authorize.
He is limited to those programs which appear in his level. Users when they input their
ID/PASSWORD are shelled directly into a menu of those programs which you the system
Manager established.  Attempts to circumvent the system meet with termination and
require a restart. As system Manager you have the privilege to control the structure and
freedom of the user. You pick and choose what can be processed at what level of privilege
subject to the directions of your management.

All programs which are entered into a privilege level are affected by PROT, a unique
methodology which scrambles the program code so that the window of vulnerability for an
attaching VIRUS and other code corruption is minimized. The scrambled programs cannot
execute on their own, should they be stolen. Since users are limited to execution only,
thieves have to carry out backups of executables and data. They then must decompile,
disassemble, unscramble, analyze, restructure and finally assemble in order to use their
ill-gotten gain. We recommend that you assure yourself that you have backup
copies before you add the programs to any level. This protects you from a frustrated
individual who damages or destroys that which he/she is prohibited from achieving.

******************** LEVEL 3 ***************************************
*  WP                                                              *
*  INVOICING                                                       *
*  ORDERS                                                          *
*  A/R                                                             *
*                                                                  *
********************************************************************

RUN PROGRAMS allows you to run all those programs chosen for your personal super
privilege level as well as any program chosen at any level. At completion of program
execution you return to the level menu chosen. You may execute a second program within
the level. Should you choose to change levels you must return to the MANAGERS MENU.
You exit by choosing ESCape.  You return to the MANAGER'S MENU.


I -- FILE ACCESS

The FILE ACCESS option of the MANAGERS MENU provides the system Manager the
ability to establish the composition of what executable program code is available to each
level of privilege. The FILE ACCESS privilege, properly structured, allows a reduction in the
amount of grapevine material available to browsers and reduces the awareness of all except
those with a need to know.

                         MANAGER

                   A --
                   B --
                   C --
                   D --
                   E --
                   F --
                   G --
                   H --
                   I -- FILE ACCESS
                   J

Press RETURN to achieve the menu which says:

            TOGGLE DRIVE
            TOGGLE LEVEL
            ADD
            DELETE
            QUIT


This is the most complex of all the options.  The ADD option is purposefully so to assure
security at the proper level. 


WE RECOMMEND THAT YOU DECIDE WHICH PROGRAMS ARE ASSIGNED TO EACH
LEVEL BEFORE YOU BEGIN THE PROCESS OF ADDING PROGRAMS.  BE SURE TO
MAKE BACKUP COPIES OF THE PROGRAMS TO BE ASSIGNED OR HAVE THE
ORIGINAL SOURCE DISKS STORED AS RECOMMENDED LATER IN THIS MANUAL.
WHEN A PROGRAM IS ADDED TO ANY LEVEL IT IS SCRAMBLED TO PREVENT
FUTURE EXECUTION OUTSIDE OF THE V-PHAGE SECURITY SYSTEM.


TOGGLE DRIVE will show the default hard drive. As system Manager you know how many
hard drives you have in your system. If more than one exists, you can move from drive to
drive by pressing the RETURN key when the Toggle Drive is highlighted. If only one drive
is present DO NOT press the RETURN key, rather use the DOWN arrow to move to
TOGGLE LEVEL. Should you out of a sense of curiosity decide to press the RETURN key
your video screen will go blank for several seconds. If you look at your computer you will
note that the lights telling you of activity on your disk drives are working. When you
depressed the RETURN key you caused V-PHAGE to seek out other hard disk drives.


                     Toggle Drive C
                     Toggle LEVEL 0
                     Add
                     Delete
                     Quit
                    

Now press RETURN.  Notice the level changes to the next higher digit after a few seconds
of blank screen. 

                     Toggle Drive C
                     Toggle LEVEL 1
                     Add
                     Delete
                     Quit
                    
During this time the level access hidden file is created.  Notice the highlight has remained
at the Level position.  Repeat the above, i.e., press return each time you finish adding the
programs chosen for that level to increase the level by one.  When you have arrived at the
level of your choice move the highlight to ADD. 

                     T
                     T
                     Add
                     D
                     Q   

Press RETURN. The contents of the Root Directory will appear in an upper half window.
A lower half window is blank.  You must navigate down the DOS path structure to the
program you wish to designate. To do this you need to use the arrow keys and the
RETURN key.


************************************************************
*  io.sys  ms-dos.sys  command.com  config.sys  ansi.sys   *
*  \wp  \123  \dbms  \cad  \ai  \case                      *
*                                                          *
*                                                          *
**************************LEVEL 0***************************
*                                                          *
*                                                          *
*                                                          *
*                                                          *
************************************************************

Let's suppose your root contains the directories WP, 123, DBMS, CAD, AI and CASE. To
place a program from the WP directory in LEVEL 2 you must first follow the toggle
instruction to achieve LEVEL 2. Next using the DOWN arrow move to highlight ADD. Press
return. The root will appear as it does above.  Move the arrows to highlight WP and press
RETURN. The WP directory subdirectories and programs are listed on your screen. 


************************************************************
*   wp.exe  convert.exe   sort.com  merge.exe   list.com   *
*   find.exe                                               *
*                                                          *
*                                                          *
**************************LEVEL 2***************************
*                                                          *
*                                                          *
*                                                          *
*                                                          *
************************************************************

If you wanted to assign two programs called CONVERT.EXE and WP.EXE you would first
choose CONVERT.EXE by moving the arrows to highlight it.

NOTE: THE PROGRAM ADDED WILL BE SCRAMBLED.  IT MAY ONLY BE EXECUTED
FROM THE V-PHAGE SHELL.  SCRAMBLING IS FOREVER.

Now Press RETURN.  In a few seconds the name CONVERT.EXE will appear in the lower
window. The upper window will return to the root directory.

Again Travel using the keys to the WP directory and press RETURN.  Highlight the
program WP.EXE and press RETURN. It too will appear in the lower window.

The logic of the path enforces an audit on the execution, which is logged for later analysis
should that be required.  It also requires you, as the System Manager, to be sure that you
select the proper program.  When level 1 is complete you move on to level 2, and then
level 3.  You have sixteen levels available to you (0 - 15).  Upon successful completion of
the assignment of programs to each level, move the highlight to QUIT to return to the
Manager's Screen.
  

DELETE FILES 

TOGGLE DRIVE will show the default hard drive.  Toggle LEVEL shows you the privilege
level beginning with your own, i.e., level 0.
                    Toggle Drive C
                    Toggle LEVEL 0
                    Add
                    Delete
                    Quit

Now press RETURN.  Notice the level changes to the next higher digit after a few seconds
of blank screen. 

                    Toggle Drive C
                    Toggle LEVEL 1
                    Add
                    Delete
                    Quit


When you have arrived at the level of your choice move the highlight to DELETE. 

                    T
                    T
                    A
                    Delete
                    Q


Press RETURN. The contents of the LEVEL chosen will display. The programs will be
listed one to a line.

                 WP
                 123
                 INVOICING
                 ORDERS

Use your down arrow to locate the program you want to delete.  Press the RETURN key
and an asterisk will mark the file for deletion.

                 WP
                 123
                 * INVOICING
                 ORDERS


When you have marked all files to be deleted press ESCape and the marked files will be deleted.
 
                 WP
                 123
                 ORDERS


J -- EXIT TO O/S            

As system Manager there may be times when someone must enter the operating system.
You have the only key to allow this to happen.  When you move the DOWN arrow to this
option and press RETURN you exit the protection of V-PHAGE. Should you wish to reenter
V-PHAGE you must turn off your machine and reboot. Failure to begin "fresh" will
compromise your equipment security. 

In 99.99% of the cases there is no reason to exit V-PHAGE.  It is up to you to minimize
the window of vulnerability created by the act of leaving the secure bounded execution
provided by V-PHAGE.

Should you choose to EXIT TO DOS press the RETURN key when the command is
highlighted or press "E".  The result is the same. You will now see

              PASSWORD:

displayed.  Enter your password and press the return key.  Next you will see the
question

      Would you like a Security Log Printout? [Y/N]

If you choose Y (Yes) the V-PHAGE will request printout parameters consisting of a start
date and an end date.

       Start Date (yymmdd):  891125
        End Date (yymmdd):  900108
 
After the second date is entered the printout will begin. Be sure the printer is turned "on"
and has sufficient paper properly installed.  If the printer is "off" the report will be spooled
to RAM and printed when the printer is activated. You will be exited to DOS as the report
is being printed.

If you press "N" (NO) or any other key you will be exited to DOS immediately.


K -- QUIT

QUIT TERMINATES THE PROCESSING and forces a restart when you return.              
                     
Upon choosing to Quit the V-PHAGE offers you the opportunity to produce a hard copy
audit report of the user/manager actions from the date you specify to the date you specify.

Should you choose to QUIT press the RETURN key when the command is highlighted or
press "Q".  The result is the same. You will now see

           PASSWORD:

displayed.  Enter your password and press the return key.  Next you will see the
question

      Would you like a Security Log Printout? [Y/N]

If you choose Y (Yes) the V-PHAGE will request printout parameters consisting of a start
date and an end date.

       Start Date (yymmdd):  891125
        End Date (yymmdd):  900108

After the second date is entered the printout will begin. Be sure the printer is turned "on"
and has sufficient paper properly installed.  If the printer is "off" the report will be spooled
to RAM and printed when the printer is activated. You will be exited to the LOGON MENU
as the report is being printed.

If you press "N" (NO) or any other key you will be exited to the LOGON MENU
immediately.  You must now use the down arrow to move to highlight QUIT.  When you
highlight QUIT press the RETURN key.  You are now locked out of the system; you must
restart your computer by shutting off power and then turning power on again.


V-PHAGE HIDDEN SUBDIRECTORY AND HIDDEN FILES WHICH SECURE YOUR
COMPUTER

When the INSTAL program was executed three separate and distinct hidden directories,
three ID/password control files, two change detection control files and two log files were
created and in part encrypted.  The files and logs were placed into their appropriate hidden
directories.  All are monitored for unauthorized change, i.e., change from outside the V-
PHAGE control path as designated from the MANAGER'S MENU.

The logs carry built-in counters, hidden elsewhere, which show you that a difference
exists. If a log is modified, the log will show the date, time and type of modification;
where such an entry is absent, the discrepancy is reflected in an unbalanced count status.

As you structure the access by level, additional level access control tables will be created
as hidden files.  Each level causes a distinct, unique file to be created and hidden. As the
contents of levels are expanded and/or reduced the updated files will be polled and all
changes logged for future review and audit.

ANY ACT WHICH ALTERS ANY CHARACTERISTIC OF AN EXECUTABLE (SUBJECT)
OR A DESIGNATED FILE (OBJECT) IS AUTOMATICALLY LOGGED FOR LATER
REVIEW AND AUDIT.
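The following Python program is an added illustration of the change detection idea described
above; it is not part of V-PHAGE or of this guide.  It records a fingerprint (size and SHA-256
hash) of each file on a constructed "special files" list, re-polls the files later, and reports
which were modified or deleted outside the control path.  The file names, file contents and
the wording of the report lines are constructed for the demonstration.

```python
"""Baseline-and-compare change detection for a "special files" list.

Added example, not V-PHAGE code: it models what the guide describes the
change detection control files doing. Record a fingerprint of every
protected file when the baseline is taken, re-poll later, and report any
file altered or removed outside the control path. The file names, file
contents and message wording below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, sha256 hex) for a regular file, or None if it is absent."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return (os.path.getsize(path), digest.hexdigest())


def build_baseline(paths):
    """The install-time step: fingerprint every file on the special list."""
    return {path: fingerprint(path) for path in paths}


def detect_changes(baseline):
    """Re-poll every file in the baseline. Returns {path: kind} for each
    file whose fingerprint differs; an empty dict means nothing changed."""
    findings = {}
    for path, old in baseline.items():
        new = fingerprint(path)
        if new == old:
            continue
        if new is None:
            findings[path] = "Deleted"
        elif old is None:
            findings[path] = "Created"
        else:
            findings[path] = "Modified"
    return findings


def format_messages(findings):
    """Render findings in the style of the guide's DETEKT audit log lines."""
    return [f"File {path} Was {kind} Outside The Control Path."
            for path, kind in sorted(findings.items())]


def demo():
    """Create constructed sample files, baseline them, tamper with two of
    them out of band, and return {basename: kind} for the files flagged."""
    workdir = tempfile.mkdtemp()
    names = ["COMMAND.COM", "CONFIG.SYS", "AUTOEXEC.BAT"]
    paths = [os.path.join(workdir, n) for n in names]
    for path in paths:
        with open(path, "wb") as fh:
            fh.write(b"constructed sample contents of "
                     + os.path.basename(path).encode())
    baseline = build_baseline(paths)
    # Simulated edits made outside the V-PHAGE shell, e.g. after booting
    # from a floppy: one file altered, one deleted.
    with open(paths[1], "ab") as fh:
        fh.write(b"\r\nDEVICE=EXTRA.SYS")
    os.remove(paths[2])
    findings = detect_changes(baseline)
    return {os.path.basename(p): kind for p, kind in findings.items()}


if __name__ == "__main__":
    for line in format_messages(demo()):
        print(line)
```

The baseline itself must live somewhere the shell does not reach, which is the role the
guide assigns to its hidden directories; a baseline that an intruder can rewrite detects nothing.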
 


AUDIT REPORTS AND TECHNIQUES
   
V-PHAGE attempts to capture all the information available concerning user access and
program changes in order to provide a mainframe level of security upon a microcomputer
and its associated networks.  During the ALPHA testing the change detection program
located logical calls in the BIOS which had no physical equivalents or basis in fact.

     AUDIT MESSAGES
 
(Filename) Was Deleted From (Level).
User (owner) (ID) (dept) exited Program.
Audit Trail Printed From (start date) to (end  date).
(Filename) Executed By (owner) (id) (dept).
List Of Users Printed To Screen.
UserList Attempted.
List Of Users Printed.
Printing Of Users Attempted.
DETEKT.EXE Executed.
User (owner) (ID) (dept) Added To User List.
User (owner) (ID) (dept) Has Been Changed To (owner) (id) (dept).
System Manager (owner) (id) (dept) Has Been Changed To (owner) (id) (dept).
Invalid Attempt To Change System Manager ID.
User (owner) (ID) (dept) Deleted From User List.
Attempt Deletion Of User (owner) (ID) (dept).
Program Exited To DOS Without Security Log Printout.
Attempted Exit To DOS.
Program Exited Without Security Printout.
Attempted Exit Of Program.
Invalid Logon Attempt.
Invalid Logon Attempt With (id).
Successful Logon By (owner) (id) (dept).
 
ERROR MESSAGES DISPLAYED TO SCREEN
 
Ask your Manager to authorize application programs.
Prohibited Privilege Level.
Unknown ID
Level Secure-Deletion Prohibited
ACCESS DENIED

DETEKT AUDIT LOG SAMPLE

                        DATE:11/06/1989    TIME:10:12 AM                        
File C:\IO.SYS Was Added To The Special Files List.
File C:\ANSI.SYS Was Added To The Special Files List.
File C:\AUTOEXEC.BAT Was Added To The Special Files List.
File C:\COMMAND.COM Was Added To The Special Files List.
File C:\CONFIG.SYS Was Added To The Special Files List.
File C:\V-PHAGE\PASSWORD.EXE Was Added To The Special Files List.
File C:\V-PHAGE\DETEKT.EXE Was Added To The Special Files List.
File C:\V-PHAGE\V-PHAGE.EXE Was Added To The Special Files List.
File C:\V-PHAGE\PROT.EXE Was Added To The Special Files List.

                         DATE:11/06/1989    TIME:10:38 AM                        
Update performed on drive C.


V-PHAGE SYSTEM USE AUDIT LOG SAMPLE


                         DATE:11/06/1989    TIME:10:09 AM                        
Successful Logon By  FCD 
 
                        DATE:11/06/1989    TIME:10:10 AM                        
DETEKT.EXE Executed
 
                        DATE:11/06/1989    TIME:10:40 AM                        
C:\PRO\WP\WPP.EXE Was Added To Level: 1
 
                        DATE:11/06/1989    TIME:10:42 AM                        
User tom sobczak tom  Added To User List.
 
                        DATE:11/06/1989    TIME:10:42 AM                        
List Of Users Printed To Screen.
 
                        DATE:11/06/1989    TIME:10:42 AM                        
List Of Users Printed.
 
                        DATE:11/06/1989    TIME:10:43 AM                        
Audit Trail Printed From 891105 To 891107.
 
                        DATE:11/06/1989    TIME:2:15 PM                         
Successful Logon By  FCD 
 
                        DATE:11/06/1989    TIME:2:16 PM                         
Program Exited To DOS Without Security Log Printout.
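As an added example (not from the guide and not V-PHAGE's own code), the Python program
below parses a log laid out like the samples above, classifies each message against the
AUDIT MESSAGES list, and compares the number of entries present with a separately stored
count, modelling the guide's hidden counters.  The sample log text, the event class names and
the representation of the counter as a plain entry count are constructed assumptions; the
guide does not document the real counter format.

```python
"""Parser and consistency check for an audit log in the V-PHAGE sample layout.

Added example, not part of the guide or of V-PHAGE. The log text is
constructed to match the printed samples; the event classes follow the
AUDIT MESSAGES list; the "hidden counter" is modelled as a separately
stored entry count (an assumption, since the guide does not document it).
"""
import re
from collections import Counter
from datetime import datetime

STAMP = re.compile(r"^\s*DATE:(\d{2}/\d{2}/\d{4})\s+TIME:(\d{1,2}:\d{2} [AP]M)\s*$")

# Event classes, tested in order; the patterns follow the guide's message list.
EVENT_CLASSES = [
    ("logon_ok",      re.compile(r"^Successful Logon By")),
    ("logon_fail",    re.compile(r"^Invalid Logon Attempt")),
    ("exit_no_print", re.compile(r"Exited To DOS Without Security Log Printout")),
    ("level_add",     re.compile(r"Was Added To Level")),
    ("user_add",      re.compile(r"Added To User List")),
    ("audit_print",   re.compile(r"^Audit Trail Printed")),
    ("detekt_run",    re.compile(r"^DETEKT\.EXE Executed")),
]


def parse_log(text):
    """Return a list of (timestamp, message) pairs. Each DATE/TIME line is
    followed by one message line, as in the printed samples."""
    entries = []
    pending = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            pending = datetime.strptime(f"{m.group(1)} {m.group(2)}",
                                        "%m/%d/%Y %I:%M %p")
            continue
        if pending is not None and line.strip():
            entries.append((pending, line.strip()))
            pending = None
    return entries


def classify(message):
    for name, pattern in EVENT_CLASSES:
        if pattern.search(message):
            return name
    return "other"


def summarize(entries):
    """Count entries per event class."""
    return Counter(classify(msg) for _, msg in entries)


def check_balance(entries, stored_count):
    """Compare the entries actually present with the separately kept counter,
    and flag timestamps that run backwards, which is what a hand-edited log
    typically shows. Returns a list of problem strings (empty = balanced)."""
    problems = []
    if len(entries) != stored_count:
        problems.append(f"unbalanced: counter says {stored_count}, "
                        f"log has {len(entries)}")
    for (t1, _), (t2, msg) in zip(entries, entries[1:]):
        if t2 < t1:
            problems.append(f"out of order at {t2:%m/%d/%Y %I:%M %p}: {msg}")
    return problems


# Constructed sample in the layout of the guide's SYSTEM USE AUDIT LOG.
SAMPLE_LOG = """\
DATE:11/06/1989    TIME:10:09 AM
Successful Logon By  FCD

DATE:11/06/1989    TIME:10:10 AM
DETEKT.EXE Executed

DATE:11/06/1989    TIME:10:40 AM
C:\\PRO\\WP\\WPP.EXE Was Added To Level: 1

DATE:11/06/1989    TIME:10:42 AM
User jones joe sales  Added To User List.

DATE:11/06/1989    TIME:2:15 PM
Successful Logon By  FCD

DATE:11/06/1989    TIME:2:16 PM
Program Exited To DOS Without Security Log Printout.
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(dict(summarize(found)))
    print(check_balance(found, stored_count=6))       # balanced
    print(check_balance(found, stored_count=7))       # one entry missing
```

A counter only catches removals and insertions; it says nothing about an entry whose text
was rewritten in place, so the check is a complement to, not a replacement for, keeping the
log itself out of reach.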

DISCRETIONARY ACCESS CONTROL
        
The concept of Trusted Computer System Criteria was introduced by the National
Computer Security Center as part of what Department of Defense computer security
experts call the Rainbow series of standards.  Any secure computer system requires the
enforcement of the concept of Discretionary Access Control (DAC). As in any organization
there are many ways to attain the stated goal of auditable secure operation.  Before you
can implement DAC you must establish the control objective against which to compare
your attempts to produce your company's Trusted System.

NCSC states: "The security policy is a statement of intent with regard to control over access
to, dissemination of, and modification of information. The security policy must be precisely
defined and implemented for each system that is used to process sensitive information.
The security policy must reflect the laws, regulations, and general policies from which it is
derived."

The basis for V-PHAGE is that an individual user, or a program acting upon a user's behalf
(V-PHAGE's Password component), is allowed to specify explicitly the types of access other
users may have to the information and executables under the user's control.  DAC is
definitely not a substitute for mandatory audit controls.  The purpose of V-PHAGE is to
provide a finer granularity of control within the overall mandates of your organization's
mandatory audit policy. Both discretionary and mandatory controls should be used in
concert to implement the rules for the handling of multiple categories or types of
information, such as marketing, sales, inventory, production control, etc.

V-PHAGE defines DAC as a means of restricting access based upon the identity of subjects
and/or the organizational sub-sets to which they belong.  V-PHAGE controls are discretionary
in the sense that as the system Manager responsible for security, you and only you are
capable of granting authorization to a user to access any file via the level scenario you
implement.

The V-PHAGE concept, modelled after the NCSC standard, is relatively straightforward in
that the access control matrix contains the names of users on the rows and levels of
access on the columns. The hidden LEVEL "X" files combined with the hidden USER
privilege files create a documentable representation which states: Joe Jones (Sales) may
access only Level 3 (Order entry).

As V-PHAGE is oriented to the microcomputer environment the access mode within a level
is consistent, i.e., execute an authorized application, read within the application, write
within the application and delete within the application.  Access permission is specifically
identified by a unique user ID and a unique user password entered in combination as
specified by V-PHAGE input standards.  Access is to specifically defined groups of
application executables.  Once established by the system Manager it is impossible to
circumvent V-PHAGE. The penalty for attempts at circumvention is denial of access to the
entire system and the requirement to restart the system from a power-on state.  As the
system Manager, you govern the state of least privilege, i.e., you select exactly what each
user is entitled to execute. You set the limits as mandated by management in a manner
where every action is part of a systematic and consistent audit trail.

The concept of named users by ID and password guarantees the mechanism which
assures DAC.  Each file within a level is an object (a passive entity which contains or
receives information).  Ownership is specifically assigned to a level.  The audit trail assures
that the activities of each user are quantifiable in the tracing of their unique actions which
define specific file ownership.  The V-PHAGE system Manager must be aware that it is
difficult to meet the precise DAC criteria in an operating system which does not lend itself
to computer security.  Each executable is a subject, i.e., an active entity that causes
information to flow among objects (files) within the level established by the system Manager.

A Trojan Horse as conceived by the creators of the DAC specification cannot occur. Each
user is locked out from transfer outside his level. Input of a Trojan Horse into V-PHAGE
can occur only through you, the Systems Manager.  As developed, V-PHAGE possesses
the attributes of an NCSC B-1 security level. It can never achieve the totality of the concept
of a Trusted Computer Base (TCB) as it is hardware independent. V-PHAGE achieves the
nearest posture to a TCB attainable in a non-manufacturer-specific machine
environment.

V-PHAGE achieves the Confinement property of a Bell-LaPadula security model by its
default limitation of function within authorized level which allows an executable to access
a file only if the security level of the executable dominates the security level of the file. V-
PHAGE overcomes the fundamental flaw in DAC as a result of the level limitation and in
combination with its inherent unrelenting audit logic.

Implementing a complete DAC system requires retaining, in some form, the information
represented by an access control model. V-PHAGE has user IDs represented on the rows
and protected levels represented on the columns, giving a pictorial depiction of such a
model. The access at each point of intersection is consistent with that described above.
As DOS is unprotected, V-PHAGE establishes levels as the equivalent of NCSC-specified
profiles, scrambles the executables at each level at the time each executable is chosen for
that level (a poor man's protection bit), and relies on encrypted passwords which cannot be
duplicated and still be acceptable (and which are not acceptable if they appear in the list
below).
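The program below is an added example, not V-PHAGE's own code and not from this guide,
of the access control matrix just described: users on the rows, levels 0 - 15 on the columns,
each program assigned to one level, and an attempt to execute a program outside the user's
authorized level denied, logged, and followed by lockout until restart, as the text above
specifies.  The user name, program names and method names are constructed; the wording of
the log entries follows the AUDIT MESSAGES and ERROR MESSAGES lists.

```python
"""Level-based access control matrix with audit trail and lockout.

Added example, not V-PHAGE code. Users are rows, levels 0-15 are columns,
programs belong to exactly one level. Executing outside one's own level
is denied, logged, and locks the user out until the machine is restarted,
as the guide describes. Names and the in-memory design are constructed.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised with the message the user would see on screen."""


@dataclass
class Shell:
    level_programs: dict = field(default_factory=dict)   # level -> {PROGRAM}
    user_level: dict = field(default_factory=dict)       # user id -> level
    audit: list = field(default_factory=list)            # audit trail lines
    locked_out: set = field(default_factory=set)         # users awaiting restart

    def add_program(self, level, program):
        """Assign a program to a level (the FILE ACCESS / ADD step)."""
        if not 0 <= level <= 15:
            raise ValueError("V-PHAGE levels run 0-15")
        self.level_programs.setdefault(level, set()).add(program.upper())
        self.audit.append(f"{program.upper()} Was Added To Level: {level}")

    def authorise(self, user, level):
        """Row of the matrix: the single level this user may enter."""
        self.user_level[user] = level
        self.audit.append(f"User {user} Authorised To Level {level}")

    def execute(self, user, program):
        """Allow execution only of a program assigned to the caller's own
        level. Anything else is denied, logged, and locks the user out."""
        program = program.upper()
        if user in self.locked_out:
            raise AccessDenied("ACCESS DENIED")
        level = self.user_level.get(user)
        if level is None:
            self.audit.append(f"Invalid Logon Attempt With {user}")
            raise AccessDenied("Unknown ID")
        if program not in self.level_programs.get(level, set()):
            self.locked_out.add(user)
            self.audit.append(f"Prohibited Privilege Level: {user} -> {program}")
            raise AccessDenied("Prohibited Privilege Level")
        self.audit.append(f"{program} Executed By {user}")
        return True

    def matrix(self):
        """Rows = users, columns = levels 0..15, 'X' where authorised."""
        return {user: ["X" if col == lvl else "." for col in range(16)]
                for user, lvl in sorted(self.user_level.items())}


def demo():
    """Walk the guide's own scenario: Joe Jones (Sales) may use Level 3 only."""
    shell = Shell()
    shell.add_program(3, "orders.exe")          # Level 3 = order entry
    shell.add_program(2, "wp.exe")              # Level 2 = word processing
    shell.authorise("jones", 3)
    results = {"own_level": shell.execute("jones", "orders.exe")}
    try:
        shell.execute("jones", "wp.exe")        # sits in level 2, not 3
    except AccessDenied as err:
        results["other_level"] = str(err)
    try:
        shell.execute("jones", "orders.exe")    # locked out after the attempt
    except AccessDenied as err:
        results["after_lockout"] = str(err)
    return results, shell.audit


if __name__ == "__main__":
    outcome, trail = demo()
    print(outcome)
    print("\n".join(trail))
```

Note that the denial is logged before the exception is raised, so the audit trail records the
attempt even though the caller never regains control of the shell.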


LIST OF INTERNET MOST FREQUENT PASSWORDS

aaa        cornelius     guntis    noxious   simon     academia   couscous    hack
nutrition simple    aerobics  creation   hamlet      nyquist     singer
     airplane  creosote  handily    oceanography single          albany
     cretin    happening ocelot     smile       albatross   daemon    harmony   olivetti
     smiles     albert      dancer      harold    olivia    smooch    alex
      daniel      harvey      oracle    smother   alexander danny
      hebrides    orca        snatch    algebra   dave      heinlein   orwell
        snoopy      aliases   december  hello     osiris    soap         alphabet
     defoe     help      outlaw    socrates  ama          deluge      herbert   oxford
     sossina   amorphous desperate    hiawatha    pacific   sparrows
     analog    develop   hibernia     painless    spit      anchor    dieter
     honey     pakistan     spring      andromache          digital   horse
     pam          springer    animals   discovery horus     papers    squires
        answer      disney    hutchins  password  strangle  anthropogenic
               imbroglio patricia  stratford anvils    drought      imperial
     penguin   stuttgart anything  duncan    include      peoria
          subway    aria      eager     ingres    percolate    success     ariadne
     easie     inna      persimmon summer       arrow       edges    
innocuous persona   super     arthur       dog         edinburgh irishman  pete
          superstage  athena     edwin       isis      peter     support
     atmosphere  edwina     japan       philip    supported aztecs
     egghead    jessica     phoenix     surfer    azure     eiderdown jester     pierre
        suzanne     bacchus   eileen    jixian    pizza      swearer     bailey    
einstein  johnny    plover    symmetry   banana      elephant    joseph
     plymouth  tangerine bananas    elizabeth        joshua      polynomial
          tape      bandit     ellen       judith      pondering target    banks
     emerald    juggle      pork        tarragon  barber    engine
     julia      poster      taylor      baritone  engineer  kathleen  praise
      telephone        bass        enterprise          kermit    precious 
temptation   bassoon     enzyme    kernel    prelude   thailand   batman
        ersatz      kirkland  prince    tiger     beater      establish       knight
          princeton toggle    beauty    estate      ladle      protect     tomato
     beethoven euclid    lambda      protozoa        topography  beloved
     evelyn    lamination   pumpkin        tortoise    benz      extension larkin
      puneet     toyota     beowulf     fairway   larry     puppet     trails
       berkeley        felicia     lazarus   rabbit    trivial    berliner   fender
        lebesgue    rachmaninoff        trombone   beryl      fermat     lee       
rainbow   tubas     beverly    fidelity   leland     raindrop    tuttle    bicameral
     finite     leroy      raleigh    umesh       bob       fishers   lewis      random
       unhappy    brenda      flakes    light     rascal     unicorn    brian
        float       lisa      really    unknown    bridget    flower
        louis       rebecca   urchin    broadway   flowers    lynne
        remote      utility   bumbling  foolproof  macintosh        rick vasant
burgess   football  mack       ripple    vertigo     campanile   foresight
     maggot    robotics   vicky     cantor      format      magic     rochester
     village    cardinal  forsythe    malcolm     rolex     virginia  carmen
      fourier   mark             romano      warren    arolina   fred       markus
       ronald     water       caroline  friend    marty      rosebud   weenie
        cascades    frighten  marvin    rosemary   whatnot   castle      fun
          master    roses     whiting   cat        fungible    maurice     ruben     whitney
     cayuga    gabriel    mellon      rules       will      celtics
     gardner   merlin     ruth             william     cerulean  garfield  mets
          sal        williamsburg            change    gauss     michael    saxon
      willie      charles     george    michelle  scamper    winston   charming
        gertrude    mike      scheme    wisconsin  charon     ginger   
minimum   scott     wizard    chester    glacier   minsky      scotty
          wombat    cigar     gnu        moguls    secret       woodwind   classic
     golfer    moose      sensor    wormwood    clusters    gorgeous  morley
     serenity   yaco       coffee     gorges      mozart    sharks    yang
           coke       gosling    nancy       sharon    yellowstone          collins
      gouge       napoleon    sheffield yosemite  commrades  graham
      nepenthe    sheldon     zap       computer  gryphon    ness      shiva      
zimmerman condo     guest     network    shivers   cookie      guitar
          newton    shuttle   cooper       gumption       nex

ENCRYPTION DEFINITIONS 
 
         Substitution: The basis for Cryptography.  Replaces every occurrence of a symbol
with a different representative symbol.
 
         One-time Key or Pad:  An encryption key composed of random symbols and never
re-used.  The sender and receiver must have the same key to encrypt and decrypt the
message.
 
         Public-Key Cryptosystem:  Dual key encryption.  One key is private and the other
is public.  The publicly known key is used for encryption to an individual; the private key is
used for decryption.  This is also called a trap-door one-way function.  The best known
method is RSA named for its creators, Rivest, Shamir, and Adleman.
 
         DES (Data Encryption Standard):  DES is a standard validated by the NSA which
works on one 8-byte (64-bit) block at a time.  The encryption process is controlled by a
user-supplied 56-bit key.  It is a standard algorithm which is worked backward for
decryption.

          Encryption is the science (art?) of making a message or program incomprehensible
to all but a chosen few.  It is the art of keeping secrets secret. 


DISCUSSION OF V-PHAGE ENCRYPTION PHILOSOPHY
        
V-PHAGE is not an NCSC-specified Data Encryption Standard (DES) product. It is near
impossible to produce a secure DES without a hardware chip. NCSC's DES is a private-key
system, i.e., it has one key for encryption and the same key is used for decryption.  The
method is complex, since it is used to encrypt large files.  It uses both substitution and
transposition.  All the security of the DES system depends upon the secrecy of the
encryption key. There are disadvantages to DES for a simple password system: the
encryption key would have to be in the program, and hence accessible to a knowledgeable
programmer, or it would have to be in ROM, which means every system would have the
same keyword.
 
V-PHAGE uses a simpler private-key system that uses both substitution and transposition.
The key length is much smaller, since only the specific items which tend to be targets for
corruptors are encoded, i.e., names, passwords, dates and IDs. It would probably be
possible to determine the keyword with a time-consuming amount of effort.  If this ever
happens the system Manager can re-execute the INSTAL program; the keyword would then
be changed.

The V-PHAGE keyword is not in the program, and the actual keyword is unknown to the
system Manager. In fact, if the system Manager answers the four questions asked during
the INSTAL process in the same manner on two installations, the keyword would still be
different. Every installation will have a different keyword. Our methodology is such that we
protect against an unscrupulous person who might obtain a copy of a V-PHAGE system disk
and try to duplicate the process based on knowledge of how a system Manager thinks.
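To make the terms above concrete, the following toy cipher is an added example; it is not
V-PHAGE's cipher (which this guide does not publish) and is not from the guide.  It applies a
keyword substitution table followed by a keyword columnar transposition, the two operations
named in the definitions and in the description of V-PHAGE's scheme, and then reverses them.
The keyword, alphabet and plaintext are constructed.  A keyed substitution preserves the
frequency pattern of the plaintext, and a short keyword makes the transposition grid small,
which is the kind of limitation the guide acknowledges when it says the keyword could be
determined with effort.

```python
"""Toy private-key cipher: keyword substitution, then columnar transposition.

Added example for understanding the definitions; it is NOT V-PHAGE's
cipher and offers no real protection. Alphabet, keyword and plaintext
below are constructed.
"""
import string

ALPHABET = string.ascii_uppercase + string.digits + " ."


def substitution_table(keyword):
    """Keyed substitution: the keyword's letters first (deduplicated), then
    the rest of the alphabet in order -- the classic keyword-cipher table."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return dict(zip(ALPHABET, seen))


def column_order(keyword):
    """Transposition key: columns are read out in the alphabetical order of
    the keyword's letters, ties broken left to right."""
    key = keyword.upper()
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def encrypt(plaintext, keyword):
    table = substitution_table(keyword)
    width = len(keyword)
    text = "".join(c for c in plaintext.upper() if c in ALPHABET)
    text += " " * (-len(text) % width)            # pad to fill the last row
    text = "".join(table[c] for c in text)        # substitution first
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    # then transposition: write row by row, read column by column
    return "".join(row[c] for c in column_order(keyword) for row in rows)


def decrypt(ciphertext, keyword):
    width = len(keyword)
    height = len(ciphertext) // width
    cols = [""] * width
    pos = 0
    for c in column_order(keyword):               # undo the transposition
        cols[c] = ciphertext[pos:pos + height]
        pos += height
    text = "".join(cols[c][r] for r in range(height) for c in range(width))
    inverse = {v: k for k, v in substitution_table(keyword).items()}
    return "".join(inverse[ch] for ch in text).rstrip(" ")


if __name__ == "__main__":
    ct = encrypt("ACCESS DENIED", "SOBCZAK")
    print(ct)
    print(decrypt(ct, "SOBCZAK"))
```

Both halves use the same keyword, which is exactly the single-secret property the guide
attributes to private-key systems: whoever learns the keyword can undo both steps.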
 
The major weakness of any password system is not in the encryption techniques but in
the user giving out his ID and password.  It is up to the system Manager to educate the
users of V-PHAGE in the basics of security.  V-PHAGE is solely a software-directed
process.  While ACC, Inc. believes it is beyond any similar process available to micro-
computer users, we would be remiss if we gave anyone the impression that V-PHAGE
security is beyond the capabilities of a dedicated aggressor.  V-PHAGE limits the windows
of vulnerability as best possible in the DOS environment.  V-PHAGE has anticipated many
of the tricks and techniques which cause security on larger computers to fail. It is
excellent for that which it is, a DOS security system.
 
YOU CANNOT EMPHASIZE ENOUGH TO EACH USER IN YOUR ORGANIZATION
THAT HIS PASSWORD IS PRIVATE AND SHOULD NOT BE SHARED WITH ANYONE.


DETECTION THE BEST PROTECTION

     DEFINITIONS:

Corrupt code is a premeditated bug in a software routine. It may or may not equate to the
definitions below. It is malicious. 

A computer virus is a software attack that "infects" computer systems much the same way
as a biological virus infects humans.  In actuality, a virus is a small computer program that
appears harmless but, as part of its operation, "reproduces" by making copies of itself and
inserting them into "uninfected" programs.  This insertion process takes only a fraction of
a second, a normally undetectable delay.  The infected program will subsequently
execute the virus code during its normal processing.  The virus may cause damage to
programs and data, or it may be relatively harmless.
 
          There are four basic types of "malicious"  software to be concerned about.
 
                  Trapdoors --  Operating system and application safeguards usually prevent
unauthorized personnel from accessing or modifying programs.  During software
development, however, these built-in security measures are usually bypassed.
Programmers often create entry points into a program for debugging and/or insertion of
new code at a later date.  These entry points (trapdoors) are usually eliminated in the final
stages of program development, but they are sometimes overlooked, accidentally or
intentionally.  A perfect example of a trapdoor was dramatized in the movie War Games,
where the teen-age hacker enters the special password "Joshua" and gains unrestricted
access to a mainframe computer in NORAD headquarters.  Such a mechanism in a
computer's operating system can grant an attacker unlimited and virtually undetectable
access to any system resource after presenting a relatively trivial control sequence or
password.
 
                  Logic Bombs --  A logic bomb is a program or code fragment which triggers an
unauthorized, malicious act when some predefined condition occurs.  The most common
type is the time bomb, which is programmed to trigger an unauthorized or damaging act
long after the bomb is "set."  For example, a logic bomb may check the system date each
day until it encounters the specified trigger date, and then execute code that carries out
its hidden mission.  Because of the built-in delay, a logic bomb virus is particularly
dangerous: it can infect numerous generations of backup copies of data and software
before its existence is discovered.
 
                  Worms --  Worms were originally developed by systems programmers to tap
unused network resources to run large computer programs.  The worm would search
the network for idle computing resources and use them to execute a program in small
segments. Built-in mechanisms would be responsible for maintaining the worm, finding free
machines, and replicating the program.  Worms can tie up all the computing resources on
a network and essentially shut it down.  A worm is normally activated every time the
system is booted up.
 
                   Trojan  Horses --  A Trojan  Horse is a program that looks "normal"  but
contains harmful code within it.  Usually a production program is changed by adding extra,
unauthorized instructions that will be executed in a privileged mode and thus have access
to otherwise unavailable files.  This is the most commonly used method for program-based
frauds and sabotage.
                                   
HOW A VIRUS WORKS:
  
A computer virus infects by attaching itself to an executable file (those with a .COM or
.EXE extension, as well as the boot track).  In the process of attaching, a virus will alter the
file's HEADER so that the virus runs FIRST when the program is run.  Then, depending on
the parameters defined in its creation, the virus will either REPLICATE, making copies of
itself and attaching to all executable files it can  find, or become destructive, altering FAT
tables (which can render a hard  disk useless), erasing files, or any of a myriad of other consequences.

The actions of a virus are initiated by a TRIGGER.  The trigger can be the number of times
a given program is run, the date or time, etc.  When the virus "sees" the proper trigger, it
will initiate its programmed action.  (For example, the date reaches May 2nd, and the virus
erases your hard disk.)

Viruses infect very quickly.  An entire hard drive can be infected in several seconds; a
network in less than thirty.  The fact that a virus can infect the boot track makes it possible
for a virus to infect backups of data files, which are information only and not executable.
(For those less technically knowledgeable, the boot track is the area on a hard or floppy
disk that tells the computer where data on that disk is located, sort of a "table of contents"
for your computer; without it, no disk can "run".)  This means that after a hard drive is
completely erased, and programs reinstalled from virus-free master disks, the virus can
reinfect as soon as the critical data files are copied back onto the drive.  Also, since the
boot track is created when a floppy disk is formatted, it is possible for a BLANK,
FORMATTED DISKETTE to contain a virus.
 

IS DETECTION NECESSARY?
 
Much has been written and communicated regarding the true magnitude of the computer
virus problem.  Several schools of thought exist, but there are two that are the most
prominent:
 
     1. Viruses are a very real threat, and preventive measures should be taken to avoid
the possibility of an infection that leads to data loss.

     2. Viruses have been blown out of proportion by the press and by organizations seeking
to profit from the widespread, exaggerated media coverage.  The best protection is to back
up your data on a regular basis and use good common sense in computing: know your
program sources, deal with reputable BBSes, etc.
 
Both schools of thought have their basis in fact.  While viral infection leading to data loss
has certainly been documented (military system break-ins, a court case in Texas, and the
recent Arpanet incident come to mind, although the Arpanet "virus" was not written to be
self-replicating and therefore was not a TRUE virus; it was a WORM), it is also true that
few actual viruses have been reported, and even fewer have resulted in destructive data
loss.
 
SOBCZAK, CONSULTANTS has done extensive research, which includes in-house
analysis of viruses and communication with Federal Government computer experts,
knowledgeable industry experts, university faculty and graduate staff, and selected
members of the hacker/phreaker community.  Additionally, we challenged programmers to
distinguish confusing 'bugs' and poor code, as well as poorly written instructions,
documentation and flow charts, from a VIRUS.  Conversely, Sobczak met with and
interviewed media specialists, from freelance contributors to columnists, reporters and TV
personalities, to clarify and resolve these divergent schools of thought.  The following
conclusions are the result of these efforts.
 
1.  Viruses are more widespread than is presently believed - or reported.
 
Reports of computer virus infections are few, and even computer programmers  with
contacts across the country have difficulty finding actual viruses.  The  reasons for this are
many and varied, but two stand out:
 
A- VIRUSES DO NOT ALWAYS MAKE THEIR PRESENCE KNOWN.

Some viruses put a message on the screen (one said "arf arf gotcha!") to announce the fact
that they have done some damage; presumably this is the virus creator's way of "rubbing
it in".  Other viruses have been seen, however, that simply do damage without any
announcement whatsoever; indeed, some have been found that simply erase themselves,
along with an entire hard disk, leaving no trace.  This introduces the possibility that a virus
can exist in a computer system, reproduce, and do its damage without ever alerting anyone
to its presence.
 
B- BUSINESSES MAY NOT REPORT VIRUSES FOR FEAR OF BAD PUBLICITY.

For example, finding out your bank has a virus could conceivably cause some
consternation.  Businesses could be more devastated by bad publicity and its
repercussions than by the actual viral damage.  IBM is rumored to have lost 42% of its
stored data at Boca Raton to the CHRISTMAS.EXEC virus.  No one at IBM will confirm
this except the 'off the record' snitches.
 
Unfortunately, these two factors influence the accuracy of available statistics on the viral
problem.
 
2.  Viruses can infect the boot track sector of a hard or floppy disk, rendering backups
dangerous or useless. This fact influences the school of thought regarding regular backups
as a means of reducing data loss caused by a virus.
 
If a virus is discovered in a computer system, the usual way in which it is eliminated is by
erasing all programs on the system and reinstalling them from uninfected master disks
(those that come directly from the software manufacturer).  Then, critical data, such as
word-processed documents, spreadsheets, records, etc. are reloaded from the backups.
The process of reloading can reintroduce the virus onto the "cleaned up" system if the
backups are infected. Available statistics indicate that this happens in three out of four viral
infections.
 
3.  The nature of mass media hype is that it can, and often does, become a  self-fulfilling
prophecy.
 
An example is the product-tampering poisonings which occurred several years ago.  The
media reported, in blazing headlines, that a certain over-the-counter medicine had been
poisoned in an attempt at blackmail.  Suddenly, similar cases of tampering began to
appear all over the U.S.  This led to multimillion dollar investments by consumer goods
manufacturers in "tamper-proof" packaging, so that sales of such goods would not diminish
as a result of the negative publicity and general fear.
 
While it certainly remains to be seen how the virus publicity will affect this area, it is
logical to assume that the publicity may lead to more viruses, as more individuals create
and distribute them, "inspired" by newspaper articles and TV shows on the subject.

So the question remains - IS PROTECTION NECESSARY?  This question may be
considered in the same train of thought as purchasing an insurance policy.  An individual
may ask himself: do I need insurance?  Will my house be broken into?  Will I be hit by
a car?  Will my teeth need fillings?
 
All of these questions ask one to speculate on one's own future.  No one knows what the
future holds.  However, if a method exists that can prevent the occurrence of a catastrophic
event, such as critical data loss, then perhaps it is at least worth "looking into".  Computer
virus detection software represents such a method.  ACC remains the cost effective
alternative through our non-traditional exploitation of unanticipated gateways and our
understanding of the hacker mentality and the tools available to neutralize aggression.


VIRUS FORMATS

Unscrupulous individuals create new viruses as quickly as, and in some cases more quickly
than, cures can be put in place.  Noted experts agree that a virus cannot be prevented or
protected against until it has appeared and been identified.  V-PHAGE, by its mandate,
detects change to executables and selected files.  Detection precedes identification,
because one must know that one has something to identify.  To protect executables and
files so as to prevent corruption, you must first detect any change to the operational state
of your computing system.  The hundreds of commercial and public domain products
which purport to solve the virus problem do a definite disservice to the user community.
They create a false and unwarranted sense of security.

V-PHAGE offers a method to logically and systematically control the utilization of a DOS
based computing device by providing mainframe type access controls plus ID and
password methodologies not typical to DOS, supplemented by encryption and file
scrambling.  This front line organizational security limits the potential for viral problems.
V-PHAGE provides the extra security of change detection which, unlike the products that
seek the "impossible dream", actually logs any change, whether authorized or not, as it
affects both the user and the files (objects) being used.  V-PHAGE helps the security
professional and auditor responsible for the safety of data assets to recognize that a
condition exists which requires human intervention and decision.

So that the System Manager can be aware of viruses, we have defined the configuration of
the initial data strings (headers) for a sample of the most common viruses:

BOOT TRACK VIRUS HEADER RECORDS

The BRAIN VIRUS appears:
8CC88ED88ED0BC00F0FBA0067CA2097C8B0E077C890E0A7CE85700
 
The STONED VIRUS appears:
1E5080FC02721780FC0473120AD2750E33C08ED8A03F04A8017503E80700
 
The YALE VIRUS appears:
BB40008EDBA11300F7E32DE0078EC00E1F81FF56347504FF0EF87D
 
The BOUNCING BALL VIRUS appears:
8ED8A113042D0200A31304B106D3E02DC0078EC0BE007C8BFEB90001
 
The DEN ZUK VIRUS appears:
FA8CC88ED88ED0BC00F0FBB8787C50C3

The FALLING LETTERS VIRUS appears:
31C0CD13B80202B90627BA0001BB00208EC3BB0001CD139A00010020

The ASHAR VIRUS appears:
8CC88ED88ED0BC00F0FBA0067CA2097C8B0E077C890E0A7CE85900

PROGRAM VIRUS HEADER SAMPLES

17XX FAMILY TYPE (COM)
F6872A0101740F8DB74D01BC
 
1701 VIRUS (COM)
FA8BECE800005B81EB31012EF6872A0101740F8DB74D01BC820631343124464C75F8

1704-B VIRUS (COM)
FA8BECE800005B81EB31012EF6872A0101740F8DB74D01BC850631343124464C75F8
 
17Y4 VIRUS (COM)
FA8BCDE800005B81EB31012EF6872A0101740F8DB74D01BC850631343124464C75F8
 
APRIL 1 VIRUS (EXE)
2EA31700BB17000E1FB4DECD21B42ACD2181FA0104742281F9BC077506E8C504
 
APRIL 1 VIRUS (COM)
89263401B419CD2104412EA265032EA2B103BF6703578BF2807C013A750D8A042EA265032EA2B103
 
1813 VIRUS (COM & EXE)
8ED0BC000750B8C50050CBFC062E8C0631002E8C0639002E8C063D002E8C0641008CC0

648 VIRUS (COM)
FC8BF281C60A00BF0001B90300F3A48BF2B430CD213C007503E9C701
 
DATACRIME 1 (1280) VIRUS (COM & EXE)
8B36010183EE038BC63D00007503E90201
 
DATACRIME (1168) VIRUS (COM & EXE)
8B36010183EE038BC63D00007503E9FE00
 
LEHIGH VIRUS (COMMAND.COM ONLY)
505380FC4B740880FC4E7403E977018BDA807F013A75058A07EB07

1704-C VIRUS (COM)
F6872A0101740F8DB74D01BC850631343124464C77F8
 
405 VIRUS (COM & EXE)
B8000026A2490226A24B0226A28B0250B419CD2126A24902B4470401
 
3066 VIRUS (COM & EXE)
E87106E82806B419CD2189B451018184510184088C8C5301
 
2086 VIRUS (COM & EXE)
8ED0BC200950B8230250CBFC062E8C062C002E8C0634002E8C0638002E8C063C008CC0

DATACRIME II VIRUS (COM & EXE)
5E81EE030183FE00742A2E8A9403018DBC2901

ICELANDIC I VIRUS (COM & EXE)
8CDB4B8EDBB04DA20000A103002D8000A3030003D8438EC333F633FF0E1FB9D007
 
ICELANDIC II (EXE & COM)
26C6067F03FFB452CD212E8C066D02268B47FE8EC026030603004040
 
FRIDAY THE 13TH (COM)
1E8BECC746100001E80000582DD700B104D3E88CCB03C32D100050
 
SYSLOCK VIRUS (COM & EXE)
D1E98AE18AC13306140031044646E2F25E5958C3
 
2930 VIRUS (COM & EXE)
E82906E8E005B419CD218884E300E8CE048A95E2000E1F7509

405 VERSION VIRUS (COM & EXE)
26A2490226A24B0226A2

CASCADE 1 VIRUS (COM & EXE)
31343124464C75F8

CASCADE 2 VIRUS (COM & EXE)
31343124464C77F8
 
FU MANCHU VIRUS (COM & EXE)
FCB4E1CD2180FCE17316

ITALIAN VIRUS (COM & EXE)
C7064C00D07C8C0E4E00

NEW ZEALAND 1 (COM & EXE)
B801020E07BB0002B901

NEW ZEALAND 2 (COM & EXE)
B801020E07BB000233C9

PENTAGON VIRUS (COM & EXE)
8ED8FBBD447C817606

SARATOGA VIRUS (COM & EXE)
2EC60679020290505351

SARATOGA 2 VIRUS (COM & EXE)
2EC60687020A90505351

SURIV101 VIRUS (COM & EXE)
81F9C407721B81FA0104

SURIV201 VIRUS (COM & EXE)
81F9C407722881FA0104

SURIV300 VIRUS (COM & EXE)
FCB4E0CD2180FCE07316

TRACEBACK VIRUS (COM & EXE)
89B45101818451018408

VIENNA 1 VIRUS (COM & EXE)
8BF283C60A90BF0001B9

VIENNA 2 VIRUS (COM & EXE)
8BF281C60A00BF0001B9
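The header records above can be matched mechanically.  What follows is an added example, not
V-PHAGE's or DETEKT's code: it converts a handful of the hex records listed above into byte
patterns and reports every record found in a buffer together with its offset.  The sample buffer
at the bottom is constructed for the demonstration and is not a program image.

```python
"""Header-record scanner: an added example, not code from V-PHAGE or DETEKT."""
from __future__ import annotations

from typing import Dict, List, Tuple

# A subset of the header records listed above, in the hex form the list uses.
HEADER_RECORDS: Dict[str, str] = {
    "BRAIN (boot track)": "8CC88ED88ED0BC00F0FBA0067CA2097C8B0E077C890E0A7CE85700",
    "STONED (boot track)": "1E5080FC02721780FC0473120AD2750E33C08ED8A03F04A8017503E80700",
    "17XX FAMILY (COM)": "F6872A0101740F8DB74D01BC",
    "1701 (COM)": "FA8BECE800005B81EB31012EF6872A0101740F8DB74D01BC820631343124464C75F8",
    "CASCADE 1 (COM & EXE)": "31343124464C75F8",
    "CASCADE 2 (COM & EXE)": "31343124464C77F8",
}

SECTOR_SIZE = 512  # a DOS boot sector is one 512-byte sector


def compile_records(records: Dict[str, str]) -> Dict[str, bytes]:
    """Convert hex header records to byte patterns, rejecting malformed hex."""
    compiled: Dict[str, bytes] = {}
    for name, hexstr in records.items():
        if len(hexstr) % 2 != 0:
            raise ValueError(f"{name}: hex record has odd length")
        compiled[name] = bytes.fromhex(hexstr)
    return compiled


def scan_bytes(data: bytes, records: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Return (record name, offset) for every occurrence of every record in data."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in records.items():
        start = 0
        while True:
            pos = data.find(pattern, start)
            if pos < 0:
                break
            hits.append((name, pos))
            start = pos + 1  # keep looking: a record may occur more than once
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def scan_boot_sector(image: bytes, records: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Scan only the first sector of a disk image, where boot track records live."""
    return scan_bytes(image[:SECTOR_SIZE], records)


def scan_file(path: str, records: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Scan a whole file (a .COM or .EXE, or a raw disk image)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), records)


# Constructed sample: 64 zero bytes, the 1701 record, then 64 more zero bytes.
# It is a test fixture for the scanner, not a program.
SAMPLE_COM = b"\x00" * 64 + bytes.fromhex(HEADER_RECORDS["1701 (COM)"]) + b"\x00" * 64

if __name__ == "__main__":
    recs = compile_records(HEADER_RECORDS)
    for name, offset in scan_bytes(SAMPLE_COM, recs):
        print(f"{name:24s} at offset {offset:#06x}")
```

Running it shows that the 1701 record contains both the 17XX FAMILY record and the CASCADE 1
record, so one buffer can match several entries; a short record is best confirmed by a longer
one before anyone acts on the report.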

RULES FOR SAFE COMPUTER USAGE

     Let us begin by defining some terms.  There are  two  computer program elements that
need definition if you are to accept the need for a micro-computer based system of backup
and recovery.

     First  is  a Trojan Horse program.  This sort of program,  like  its historical
namesake, has two functions.  On the "outside" it does  something to encourage the user
to run it.  Typically, Trojan Horse  programs may be games, small support programs, such
as directory listers, or even, in  one  case already on record, commercial software
packages.
 
     On  the "inside"  however, the program does something unfriendly to the  computer
on  which it runs.  Some Trojan Horse programs delete files,  some  reset clocks,  some
mark disk areas as unusable and some change  the  operating system  of the computer.
The most destructive of them cause  other  programs  to  change their nature, usually by
adding instructions  to  those programs  that  make  them Trojan Horse programs as  well.
These  added instructions are often called computer viruses.

     A computer virus is a portion of a program that does not run  alone, but  requires
another program to support it.  In this sense it is like  a biological  virus,  requiring a cell for
a host in order to allow  it  to work.   Since it does not run alone, it does not appear in any
directory and  is  never directly executed.  It moves from program  to  program  by making
each  program to which it is attached (infected so  to  speak)  a Trojan  Horse  program for
further software infection.  A  virus  may  be programmed to appear to do nothing for a long
time (remain dormant),  and then, when some trigger event occurs, do whatever it is
programmed to do. The  movement of a virus program element from machine to  machine
occurs when a Trojan Horse program is run on that machine.

     If  a corrupt program element infects your machine,  then  not only  will  the
company's office machines be affected, but the  home  machines  that many staff
members now have will also have their  files  affected by the very same corruption, and at
the same time.  If you are  preparing a paper for publication, writing or working on a
spreadsheet, or  preparing some important correspondence, you may well find that your
machine  readable copies of that material will become unusable both at home and at the
office.
 

     This security plan discusses some evasive action that you can take to prepare for the
return of your machine to working order.  What we recommend is no more than good
housekeeping and is a practice that each of us should follow anyhow, with or without the
threat of some mysterious computer virus.  We know that DETEKT will do its job BUT !!
we are not sure that your drives are maintained, your electricity spike free, and your safe
software habits in place prior to adding DETEKTion to your way of doing business.
 
     That which we explain in the next few paragraphs applies to users who have
machines with either a floppy disk drive and a hard disk drive or two floppy disk drives.
If you cannot verify and validate your software, consider beginning again as follows:


Step one:  Locate the original source disks for the operating system you are now using
on your computer.  This may no longer be the system delivered with your machine; you
may well have had an upgrade.  DO NOT PUT THESE DISKS INTO YOUR FLOPPY
DRIVE YET.  Secure a few dozen write-lock tabs and put one on each of the delivery
system disks.  (When you hold a disk upright, the right side of the disk has a 1/4" square
notch cut into the black paper jacket.  The write-lock tabs are black or aluminum colored
gummed paper tags about 3/4" X 1/2" that can be stuck over the edge of the disk,
covering the front and back of this notch.  When that tab is in place it is not possible for
the computer to write information onto the floppy disk.)
 
Only after you have write-locked these disks should you put a disk into the computer and
compare the system on that disk with the system you are using.  STOP AND READ THE
NEXT SENTENCE!  The simple act of executing the DIR command on an unlocked disk
is enough to infect that disk with a virus if your system is already infected and the disk
is not write-locked.  There is a very small probability that your system is already infected.
We recommend that you compare the date and size of the file COMMAND.COM on your
original source disks and on your working disk or disks to see that they are the same.
Use DETEKT with your original disks to assure a clean control audit trail.  The results
should look like this:

                  ------------------------------------
                 C> dir a:\command.com
 
                 Volume in drive A is MS330PP01
                 Directory of  A:\
 
                 COMMAND  COM  25276 8-31-89  12:00a
                 1 File(s)      5120 bytes free
 
                 C> dir c:\command.com
 
                 Volume in drive C has no label
                 Directory of  C:\
 
                 COMMAND  COM  25276 8-31-89  12:00a
                 139 File(s)   4556512 bytes free
                 ------------------------------------
 
     Note that both copies of COMMAND.COM have the same date and time  of creation
(midnight on July 24th 1987) and both are the same size  (25,276 bytes).  The numbers
for your machine may well differ from the example depending upon your DOS version, but
both should be the same.  When those disks have been found, put them away in a safe
place.  We recommend that they be put in a secure storage  box  not too near your
computer.
 
Step two:  There are a small number of software packages that you would be lost
without.  In our case they include a word processor, a DBMS system, modem software,
DOS utilities, and a data compression system, among the hundreds which are commercially
available and could be in your possession.  These packages may well be purchased
commercial software, shareware, or freeware.  In each case you should have an original
source delivery disk for each of these packages.  Find those disks, WRITE LOCK THEM,
and use DETEKT to compare them with the copies you are now using.  Put them in the
same secure storage box in a safe place.
 
Step three:  Using the backup procedure of your choice, perform a backup of the
system files on your computer.  If we were using a dual floppy based system, we would
simply make copies of our working disks.  If we were using a computer with a floppy and
a hard disk, we would use backup-restore, Fastback or some other package to back
up the directories C:\WP, C:\DIA, C:\UTIL, C:\COMM and C:\DOS.  (Of course these
directories have different names on your system.)  Write lock these backup disks.  Label
them with today's date.  Using DETEKT, compare the disks you have just backed up
with the disks you are using to ensure that the backup "took".  Put the backup disks in the
safe secure box.  This will tie up half a dozen disks, but with disks now costing $0.25
each, you will probably find the $2 investment worthwhile.
 
Step  four:   (This applies to those users who use hard disk based computers.)   Prepare
a backup procedure that  will  permit  incremental backups.   This will entail backing up the
entire system once,  and  then periodically  backing  up those files that have changed since
the   last backup.
 
     Perform such incremental backups regularly.  After several such incremental
backups, the size of the backup set will become quite large.  At that time, put the backup
set away in a safe place and begin with another set of disks for a full system backup
followed by several increments.  When the second set is full, put them away and return
to the first set.  This will afford a very secure set of backup files.  We suggest that 50
disks make a good backup set.  Thus 100 disks would be used for the double backup
group.  We believe that most users would need to do a full backup monthly, requiring
about 1/2 hour of manipulation, and should do incremental backups about twice per
week, requiring less than 5 minutes.
 
(It is a very good idea to periodically test the backup system  with a DETEKT verification
of what you have backed up.)
 
Step five:  Go back to your normal computer based work knowing you are secure.
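The comparisons DETEKT performs in steps one through four (the date and size of
COMMAND.COM, whether a backup "took") and the change detection V-PHAGE describes under
VIRUS FORMATS come down to one idea: record a baseline of every file and report whatever
differs.  What follows is an added example, not DETEKT's or V-PHAGE's code: it records size,
modification time and a SHA-256 digest for each file under a directory and compares two such
snapshots.  The temporary directory, the byte-patched stand-in for COMMAND.COM and the
SURPRISE.EXE file are all constructed for the demonstration.

```python
"""Baseline change detection: an added example, not DETEKT or V-PHAGE code."""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# The extensions the text above treats as executable (.com, .exe, .sys).
EXECUTABLE_EXTS = {".com", ".exe", ".sys"}


@dataclass(frozen=True)
class FileRecord:
    size: int
    mtime: int     # whole seconds, the resolution a DOS directory listing shows
    sha256: str


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str, executables_only: bool = False) -> Dict[str, FileRecord]:
    """Record every regular file under root, keyed by its path relative to root."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if executables_only and os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            records[os.path.relpath(full, root)] = FileRecord(
                st.st_size, int(st.st_mtime), hash_file(full))
    return records


def compare(baseline: Dict[str, FileRecord],
            current: Dict[str, FileRecord]) -> Dict[str, List[str]]:
    """Report added, removed and changed files between two snapshots.

    A file whose size and date match the baseline but whose digest differs is
    listed under "changed" and again under "hidden": that is the case a
    date-and-size check alone, as in step one, cannot see.
    """
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": [], "hidden": []}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            report["added"].append(rel)
        elif after is None:
            report["removed"].append(rel)
        elif before != after:
            report["changed"].append(rel)
            if before.size == after.size and before.mtime == after.mtime:
                report["hidden"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed demonstration in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        cmd = os.path.join(root, "COMMAND.COM")
        with open(cmd, "wb") as fh:
            fh.write(b"\x90" * 1024)           # stand-in bytes, not a real COMMAND.COM
        with open(os.path.join(root, "NOTES.TXT"), "w") as fh:
            fh.write("a data file\n")
        baseline = snapshot(root)
        st = os.stat(cmd)
        with open(cmd, "r+b") as fh:            # patch one byte: the size stays 1024
            fh.seek(3)
            fh.write(b"\xE9")
        os.utime(cmd, (st.st_atime, st.st_mtime))   # and put the old date back
        os.remove(os.path.join(root, "NOTES.TXT"))
        with open(os.path.join(root, "SURPRISE.EXE"), "wb") as fh:
            fh.write(b"\x00" * 16)              # a new, unexpected executable
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:8s} {names}")
```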
 

Recovery from the loss of one or a few files:
 
     Sooner or later you will lose some files.  They will disappear without apparent
cause and you will blame the problem on a virus.  It is our experience that in cases like
this no virus is involved; the loss of files will be due to an operator error.  If you have been
doing incremental backups, then the simplest corrective action is to use the recover
feature of the backup system that you are using and simply restore the latest copy of
the lost file(s) to the hard disk.  If you have been conscientious in your backup practice,
then the loss of work will entail just a few minutes or, at most, a few hours of rework.
 
Recovery from the loss of the entire system:

     It  may happen that the entire hard disk seems to be lost.  This  is serious  but, in
most cases, is likely not the result of a  virus.   Most failures  of the hard disk are due to
hardware problems caused by a combination of abuse, overuse and poor maintenance
habits.  The best  solution is to repair the hardware if the technical people judge that that
is the problem,  and then, after reformatting the hard  disk,  restore the system from your
latest backup.  Almost without fail, this will result in a complete return to a normal system.
 
Really bad news, the restore does not work:
 
     This may well be the point of DETEKT.  If a virus has been planted in your system
and has been set to trigger on some event, then, if you are not using DETEKT, the only
way to recover is to rebuild the system from scratch using the write locked set of disks
located in that safe secure box.  If these disks are not write locked, and if you mount them
on an infected system, then the disks will be infected in turn and you may well be unable
to restore from a clean, uninfected source without returning to the system vendor for a
fresh copy of each of your executable programs.  This means you ignored the warning
DETEKT provides to bound your damage.  On the assumption that you first build your
system again from scratch, you may restore all of the data files from your backup set.  (A
data file is one that does not have the extension .com, .exe, or .sys.)  Non-executable
files should not be able to carry a virus either between systems or over the backup
process.
 

Final thoughts:
 
     There is no reason to ever boot the system from a foreign disk whose history you
are not prepared to trust.  (For example, booting from a copy protected  version of Lotus
1-2-3 is as secure as the  Lotus  corporation can make it but booting a downloaded disk
called SURPRISE!! can kill your operation.)
 
     There is no reason why a disk used to transport data between machines should
have a copy of the files io.sys, msdos.sys, ibmio.sys, ibmdos.sys or command.com on
it.  Check your transport disks and delete those files which are unnecessary prior to copying
any file onto your hard drive.  Use the DOS ATTRIB command to remove all attribute
modifications to assure that an attack is not hidden from view.
 
     No executable file on a PC system, to date, has been infected by the transport of
data files to the system.  Only executable files (including device drivers and the operating
system itself) can be used as Trojan Horse programs.  Beware, however: systems have been
corrupted by BOOT sector VIRUSES and FAT scramblers executed from data files opened by
word processors and spreadsheets.  We strongly urge the use of the V-PHAGE programs
SAVEZONE.EXE and NEWZONE.EXE by the System Manager to minimize the effects of
this problem for V-PHAGE users.
 
     We hope that you enjoy your future computing adventures safe in the knowledge
that your equipment will be corruption free as long as you follow these instructions. The
team of you and V-PHAGE will work every time.


 

To learn how Thomas V. Sobczak and TVSConsultants
                                   can increase your potential for profit:
          Call       516.623.6295
          E-mail     tvsconsult@netzero.net
          Write      PO Box 0433, Baldwin, NY 11510-0433