In This Issue:
Virus News
Two different viruses have started to circulate. So far neither appears to have spread far, but be certain your anti-virus software is up-to-date and able to find these.
Spanska.4250
Dr. Solomon’s (http://www.drsolomon.com) reports that Spanska.4250 is a memory resident polymorphic virus, infecting COM and EXE files. The virus uses stealth to conceal the increase in size of infected files. Some EXE programs fail to run when infected.
If a program infected with Spanska.4250 is run within the first 16 seconds of the 30th minute of any hour (using the system clock) the virus triggers. It displays one of a set of animated text messages, dedicated to a girl named Elvira.
This is one of a number of Spanska variants; but is the only variant which goes memory resident.
Baboon
Dr. Solomon’s (http://www.drsolomon.com) reports that Baboon is a pure boot sector virus which infects the boot sector of floppy disks and the partition sector MBR (Master Boot Record) of hard disks. The virus is caught by booting, or attempting to boot, off an infected floppy disk. It then installs itself in the partition sector.
The Baboon virus has a payload which triggers on the 11th September. On this date the virus overwrites the hard disk MBR (Master Boot Record) and the first 9 sectors of the active (bootable) partition. As well as triggering on the 11th of September the virus can also trigger randomly (albeit infrequently) upon bootup.
To help prevent future infections by pure boot sector viruses Computer Knowledge recommends companies change the CMOS settings of their PCs so they boot from drive C: rather than drive A: by default. This is done using the Setup utility in the BIOS.
General Security
Have you looked around and watched what has been happening on the personal and business security front; particularly with regard to encryption and its availability? If not, you should. Jim Bidzos, President of RSA Data Security, Inc. has prepared an information paper on the bill currently in front of Congress. It’s presented in total below. Remember that RSA sells security products, but this does not necessarily void the points made in the article. The availability of secure encryption is something that everyone should be concerned about. (More information on the subject, including a “Frequently Asked Questions about Cryptography” primer, as well as free personal encryption software with no government access, can be found at www.rsa.com.)
The Encryption Debate: Too Much at Stake to Rush to Legislation
Recently, the debate over encryption has intensified. FBI Director Louis Freeh, in his September 3rd testimony before a subcommittee of the Senate Judiciary Committee, sought legislation that would require “key recovery” techniques in all encryption products made and used in the US. The proposed legislation discussed at the hearing is S909, the McCain-Kerry bill, would require that all encryption products manufactured, sold, or used in the US provide on-demand government access with a properly authorized court order.
No one wants to see the FBI stymied in its efforts to do its public safety job. But unfortunately, the debate in the Senate seems to suggest that those opposed to S909 are ignorant of national security concerns, or, worse, willing to put national security at risk for commercial interests. This situation may cause lawmakers to overlook the important issues currently missing from the debate: a clear picture of the potential implications of the legislation the FBI seeks, and identification of safeguards against abuse of a key recovery system.
This debate centers around the use and export of strong encryption (currently, US companies may not freely export products with strong encryption) for use by businesses and individuals to ensure privacy and confidentiality of information in a digital world. Strong encryption is essential in order to conduct business securely and to guard against many forms of espionage, attacks, computer break-ins and theft of information. Strong encryption prevents crime.
However, the same encryption is also seen as a threat to law enforcement and national security concerns. They see it hindering, and possibly preventing them from successfully safeguarding the public from criminals who will use encryption to conceal their activities.
Inside the US, advanced, strong, unescrowed encryption is in use in tens of millions of products, including every browser sold by Netscape and Microsoft, and numerous other products. The international community quickly moved to adopt and deploy encryption, with companies springing up in Germany, South Africa, Ireland, Belgium, Switzerland, and Singapore to exploit opportunities created by US export policy.
Criticism of S909 comes from three groups. First, from privacy advocates and technologists who fear an unmanageable key recovery system that would invite abuse from within and outside the government, and significantly weaken the infrastructure on which we all will depend. The second group is the computer industry, which fears that a law requiring products to include US government access will make them unable to compete in a world where roughly 60% of their revenues come from outside the US, where their foreign competitors are not so bound. Third, US companies operating internationally are concerned that foreign governments with key recovery – we assume no foreign government will let the US government hold the keys – will use it to steal intellectual property or other valuable business secrets and pass it on to their own industry. (Using government intelligence to help state-owned industries win business from US companies is a well-established practice in France and elsewhere.) Let’s take a closer look at the first two arguments.
In the cyber society we are rapidly moving towards, everything about us will be stored digitally. Contrary to assertions by the FBI (which says it only wants to maintain wiretap capabilities as they have existed since 1968), the proposal for key recovery is not the digital equivalent of putting alligator clips on phone wires. It is more like giving the government the keys to our entire personal and professional lives. Keys that are difficult to control and track. And while the FBI says that access will only be by authorized court order, they have not addressed how controls and audit will prevent abuse in the form of non-intrusive, surreptitious use of these valuable keys. The far-reaching implications of such an unprecedented government capability must be analyzed and debated further for the protection of all. Would you allow local and federal law enforcement to have and store a copy of the key to your home and your filing cabinets? It is interesting to note that the encryption issue is a rare case where both the National Rifle Association and the Civil Liberties Union are on the same side, opposed to any law that restricts an individual’s use of encryption.
Industry has legitimate and serious concerns about the effect S909 will have on their ability to compete in a global marketplace. The FBI’s plan is to require key recovery in products built, sold, or used in the US. Clearly, their hope is that the US market, thus regulated, will sway the international market. But if other countries – as Germany already has – choose not to control the export of encryption or require key recovery, how will US industry compete? Even Director Freeh admits that given a choice of government key recovery and non-government key recovery products, corporations and individuals will choose the latter. Having failed in its attempts to gain international consensus on key recovery, the administration, as must the Congress, accept this threat to our dominance of the high-tech industry as reality. The threat is simply that US competitiveness will become a casualty of the crypto-wars, as we struggle to comply with a law no one fully understands, and foreign suppliers step in to meet the demand. With hundreds of thousands of important, well-paying jobs in an industry we currently lead at stake, economic well-being must be considered more carefully as part of the national security formula.
The chorus of voices supporting an end to government control of encryption has grown in recent years. It includes millions of individuals, most of industry; numerous industry groups including the Software Publisher’s Association and the Business Software Alliance; a majority of the US House of Representatives (1); a Federal Judge (2), and the California Legislature (3). These are organizations and people who have studied this problem closely. Their position is supported by numerous studies, including one done by the National Research Council, which urges relaxation of export controls and a “go slow” policy on key recovery, which it called unproved.
(1) More than half of the members of the House are co-sponsors of the SAFE bill – Security and Freedom Through Encryption – HR695, authored by Rep. Bob Goodlatte, D-Va., which would prohibit domestic US government controls on encryption. However, during the week of September 8, the House Intelligence Committee modified the SAFE Bill to look more like McCain-Kerry. [CK: The bill passed out of committee back in its original form.]
(2) On August 26, 1997, the Hon. Marilyn Hall Patel ruled against export control of encryption, saying in part “the encryption regulations are an unconstitutional prior restraint in violation of the First Amendment.”
(3) California Senate Joint Resolution 29 gained final passage September 5, 1997, when the state Assembly passed, by a vote of 79-0, a resolution calling for the enactment of the SAFE bill.
There is a fourth group that should be interested, but seems not to be. That is the Congress itself. Will Congress (and the Judicial Branch as well) be exempt, and be able to purchase non-key-recovery products? Or will the Attorney General and FBI Director have access to all their most sensitive communications?
With so much at stake, we can only hope that the Senate will be willing to look more closely at and hear more voices on this critical issue before turning S909 into law. If you have an opinion on this issue, your representatives in Congress should hear from you. It’s the only vote you’ll get.
Without trying to sound paranoid, if you consider this debate academic, please think again. The initial reaction is “I’ve got nothing to hide; I don’t do anything wrong.” That may be true, but take a second look at who you are entrusting that data to. Look closely at who had access to what at the White House in recent years and how that information was (mis)used. Then, ask yourself if you or your business can afford to be compromised by these same folks. Insight Magazine reports that the current court that judges the validity of secret taps of the kind required to get at a backdoor in a security program has yet to turn down a request (and, oh yes, this court meets in secret!).
General Information
Let’s all hope that none of the gentle readers of this newsletter will run afoul of the law, but if you happen to and your computer is involved, here are some of the things you might expect to happen in the name of gathering evidence.
- Law enforcement will assume the worst; in the case of computers this means that they assume you have installed a simple way to erase all data from storage. Therefore, if you are at your computer the first thing they will do is find a way to remove you from the area of the computer.
- Next they will shut the system down. For standalone computers this will likely mean unplugging the computer. For networked devices they will probably command an ordered shutdown (largely because network servers tend to keep lots of information in memory cache and an ordered shutdown will write this out to disk). The concern is to preserve evidence and prevent any automatic processes from erasing information. Individual situations may vary.
- Next, they will likely gather as much of the hardware and software as they can find and cart it off to another location to work on it. It’s important that you realize this because even if you are innocent and there is no data of interest to them on your computer, you will still not have access to any part of it until the evidence gathering process is complete; and even then if the investigator is not particularly competent or careful the gathering process may damage data. (The very careful [or very paranoid] among you might conclude from this that having an off-site backup stored where nobody else knows where it is might be a good thing.)
- During evidence gathering you can expect authorities to first make a bit-stream backup of everything. The image backup is necessary in case you have installed traps in the computer software, they activate, and the computer must be returned to its original state for another try at getting to your data. This process might be made harder if you happen to encrypt your data (and do NOT store a written copy of the password anywhere near the computer!). The encryption threat is one reason why the government has suddenly turned the spotlight on it (see related article in the General Security section of this newsletter).
To protect yourself in these circumstances, you need to keep a complete inventory of your computer hardware/software stored in an off-site location (this is a good general thing to do, it helps you if your equipment is stolen). Compare this list with the receipt you get for equipment taken and again with equipment returned after any investigation. If possible, supervise the process of gathering your hardware/software and take your own notes saying what happened and what is being taken (it’s unlikely you’ll be allowed to do this, but try anyhow). Finally, make certain that the investigators take precautions that protect your data (assuming you have nothing to hide). For example, most patrol cars have a powerful radio in the trunk. Point out to the investigators how the emissions from such a device can damage data stored in a computer and that they should avoid sitting the computer on top of the radio.
Nobody likes to become involved with the law in a criminal investigation, but now and again it could happen, even by accident, and if your computer is involved you may not see it again for awhile (and when you do see it there is no guarantee any of your data will still be available and in good form). It’s important that you try to find a way of minimizing the damage to your business should the worst happen.