[comp.virus] Tiger Teams

XRAYSROK%SBCCVM.BITNET@VMA.CC.CMU.EDU (Steve) (09/27/89)

   Maybe I just don't understand, but I personally think the "Tiger Team"
idea put forth (by David Gursky) on this list is a little ridiculous
because:
   1) Most viruses are not spread by someone sneaking in at night and
against your wishes copying something onto your computer.  Rather,
they are usually spread voluntarily (but unknowingly) by the user
exposing the computer to foreign contaminated disks or programs.  If I
always (almost always anyway) operate within a closed system, how is
letting someone *tamper* with my computer going to help me? I'd feel
much safer just scanning for known viruses, which brings up the next
point.
   2) What corporation (or employee for that matter) is willing to
take the risk of letting someone (outsiders or corporation employees)
*tamper* with the computers which the company (and the employee)
depends upon, especially when proper operating procedures (regular
backups, etc.) will offer you very good protection?
   3) Can you guarantee that the "Team" will not do damage?  No, you
cannot.  And if they are introducing live viruses, we already know
that no one can guarantee that the viruses will be benign in every
situation (as has been discussed many times by others on this list),
or that they will not get away.

XRJDM%SCFVM.BITNET@VMA.CC.CMU.EDU (Joe McMahon) (09/27/89)

Dave Gursky asked about the tiger team approach. It depends on several
things:

- Is the computer in question a computer which belongs to the installation,
  or one which belongs to the person?
- Is the virus completely self-limiting (i.e., if the date becomes anything
  other than the date of infection, the virus removes itself)?
- Is the company willing to risk destroying this user's files and possibly
  wasting large amounts of time and money to replace them?

Apple's statement on Mac viruses is that you should never trust a
once-infected file, even if it is "cleaned up". I tend to side with
that approach.  I know that if I had been following procedures, and
some expletive-deleted from Security futzed around with my machine
behind my back, I'd be angry.  Especially if it trashed my files.

 --- Joe M.

ignatz@att.att.com (09/28/89)

In article <0002.8909261721.AA06193@ge.sei.cmu.edu> dmg@retina.mitre.org (David Gursky) writes:
			...
>Suppose a company has stringent rules about protecting desktop
>computers from viruses.  How do you go about ensuring the rules are
>being followed?  One thought I had was the use of "Tiger Teams".

And goes on to describe a "Tiger Team" which would prowl the halls
after-hours, looking for unsecured desktop machines which it could
then infect with an "approved" virus, preparatory to an unpleasant
visit by the PC Police the next day.

Presumably, the purpose of actually infecting the machine is to
provide an object lesson to the unhappy employee careless enough to
not lock the system.  This, however, is Not A Good Idea, for many
reasons.  First, you've disrupted the productivity of a probably
useful employee for at least half a day, or more, while his/her
machine is zoned out.  Next, you're tying up one or more people
comprising the "Tiger Team"; as proposed, worse, they're having to put
in non-prime hours performing what is essentially an overhead (read
"costs money, makes none") task; you're setting up the kind of
confrontational situation that can cause stressful relations between
employees; and it's not necessary.  Not to mention that there are
other security holes that are unaddressed, such as terminals left
logged into multi-user systems which nevertheless can be used to
corrupt or destroy company data and programs.  Also, how about desktop
or cubicle multi-user and/or multi-tasking systems, such as small
Unix/Xenix boxes, VAX/VMS workstations, etc.?  Look at finding access
to these, and then corrupting them, and you'll start to see that this
is a form of sanctioned cracking which is beneficial to none, and
detrimental to all.

More useful, and actually used in many client sites I've been assigned
to, is to simply have the guard--who must make rounds anyway--also
made responsible for checking certain criteria for computer equipment.
Such things as locked access when applicable, no media left lying
about unattended, login-protected terminals (whether remote
timesharing, desktop multi-task/user, etc.) logged off whenever
unattended, etc. would be grounds for a report by the guard.  At the
same time, the unsafe condition would be corrected as well as possible
by the guard--media collected and secured, accounts either logged off
or reported to system operators for deactivation, unlocked single-user
desktop machines either locked in the office, if possible, or the
power supply secured, etc.  The same desired benefits are obtained:
the employee is made amply aware of his/her faux pas, and security is
maintained.  Anyone who's ever worked in a security environment is
aware of these and other methods; they're actually used, as I
mentioned before.

The military does make use of "Tiger Teams" that attempt to penetrate
security and leave proof of their success.  Usually, however, they are
employed in an environment where they're attempting to subvert or
circumvent active security measures, such as the deck guard on a nuke
sub that's docked, or access to a presumably secured and monitored
area.

TBC101@PSUVM.BITNET (Thomas B. Collins, Jr.) (10/01/89)

Another thought on the Tiger Teams...  It doesn't make much sense to me.
If I don't add any new software to my system at work, I'm not going to
worry about viruses.  Say I get my new system, put all the software on
it, and run a few virus scanners that turn up nothing.  I then run all
applications from my hard drive, and don't use any floppy disks.  It
wouldn't make sense for me to check my hard drive every day for viruses,
because they don't just pop up from nowhere.

If I did add software to my system, I would check it for viruses before
adding it.  I think it would make more sense for the Tiger Teams to come
in in the middle of the day, ask you to please save your work, and then
run a virus checker on your system.  If anything is found, you are
"cited" as letting a virus into your system.  If you're clean, you go
back to work, and the Tiger Team moves on.

-------
Tom "Shark" Collins       Since ICS is comprised of 2 people, my views
tbc101@psuvm.psu.edu      are the opinion of at least 50% of the company.

okay@tafs.mitre.org (Okay S J) (10/03/89)

In VIRUS-L V2NO208 "Thomas B. Collins, Jr." <TBC101@PSUVM.BITNET> writes:
>Say I get my new system, put all the software on
>it, and run a few virus scanners that turn up nothing.  I then run all
>applications from my hard drive, and don't use any floppy disks.  It
>wouldn't make sense for me to check my hard drive every day for viruses,
>because they don't just pop up from nowhere.

You're discounting the fact that your machine could be on a network. Having
an infected machine on a network where one transfers files between machines
can be just as bad as sticking a floppy in the machine.  One shot does
not cure all.

>If I did add software to my system, I would check it for viruses before
>adding it.  I think it would make more sense for the Tiger Teams to come
>in in the middle of the day, ask you to please save your work, and then
>run a virus checker on your system.

It would cause too much of a loss of productivity and interruption of
the work routine.  Night is better if you're going to do it. Plus the
public embarrassment of having one's machine checked. Seriously, it's
kind of like any test for drugs or AIDS or anything like that. It's not
so much as to whether you are infected, but just the idea that it was
done. After all, why have a test done if there isn't some
suspicion...This at least would be the view of most people around
those who had their machines tested.  'Did you hear George got busted
by the Tiger Team last week?---They didn't find anything, but you
never know....'

>If anything is found, you are "cited" as letting a virus into your system.
>If you're clean, you go back to work, and the Tiger Team moves on.

What exactly does 'cited' mean? Disciplined? Publicly marked as an
electronic leper in the company? Fired? --Now that we've established
how they would operate, what should be the penalties for those
'caught'?

Stephen Okay    Technical Aide, The MITRE Corporation
x6737        OKAY@TAFS.MITRE.ORG/m20836@mwvm.mitre.org
               'Geez...I actually have to use a disclaimer now,
                I must be getting important!'
Disclaimer: It's mine, mine, mine, mine, mine !!!!!!!!!!!!!!

V2002A@TEMPLEVM.BITNET (Andy Wing) (10/06/89)

Hi,
     I think that your average non-sophisticated user would be
offended by computer support personnel checking their personal
machine for "infection".  An alternative would be to have the
Tiger Teams simply state that they are doing "regular preventative
maintenance".  People shouldn't have problems with that.  The end
user doesn't need to know the gruesome details of a PM call.
     Actually Tiger Team duties should be assigned to a company's
regular maintenance people (with a software expert supervising
them of course).  I guess the best anti-virus protection is one
that is both transparent to the end user and in the hands of a
well trained support staff.
     The original Tiger Team idea would work best if slightly
modified.  Every football team has both an offence and a defense.
Right now the anti-viral defense really has no one to practice
against.  I think what we need is a group of developers that will
try to "bust" Gatekeeper/Flushot/etc.  These people would be
in close contact with the anti-viral developers.  The Tiger Team
would document their methods and only use benign infections.
     I guess my real concern is that anti-virus developers take
a reactive stance instead of an active one.  If I were an anti-virus
developer, I would want to encounter a new infection method under
controlled, documented conditions.  This way anti-viral SW would
be guarded against bypass methods already thought up by the Tiger
Teams.
     Also, do any anti-viral programs use the 'bad block' method
to protect themselves?  I think that idea holds some promise.

   Andy Wing     V2002A@TEMPLEVM.BITNET