From: Chris McDonald IM-CM-S (1/10/94)
To: orvis@icdc.llnl.gov

Information Systems Security Update # 94-01

Contents:
    Viral Detection Results
    A Remembrance of the Wily Hacker
    Standards versus Productivity

1. I have recently completed quick-and-dirty testing of 10 anti-viral tools against a test suite of 2,030 malicious programs. This was a modified suite of available samples within my collection which represent 95% of the common viruses identified in VSUM and 93% of the "in the wild" viruses identified in the Dec 93 WildList compiled by Joe Wells. Please note that there are many factors in the evaluation of a tool. The number of malicious programs identified is only 1 of several criteria which may be important in any acquisition decision. It is my intention to update the respective product test report for the following programs.

TOTAL SAMPLES FOR THE TEST: 2,030

   Product (version)                                      Samples detected
   ------------------------------------------------------ -----------------------------------------
   a. VDS (version 3.0c)                                  1585 (Virus), 77 (Suspicious)
   b. F-PROT (version 2.10c)                              2019 (Infected), 10 (Suspicious)
   c. IBM AntiVirus/DOS (version 1.4)                     1807 (Infected or Probably Infected)
   d. Thunderbyte (version 6.09)                          1976 (Infected)
   e. VirHunt (version 4.0B)                              1531 (Infected)
   f. Norton AntiVirus (version 3.0 with updates          1800 (Infected)
      thru Dec 93)
   g. Central Point Anti-Virus (version 2.1 with          1751 (Infected)
      latest update)
   h. AVP (version 1.07)                                  1740 (Infected)
   i. Viruscan (version 109)                              1921 (Infected)
   j. ViruSafe (version 5.3)                              1738 (Infected)

Detection of the common or in-the-wild samples appeared good for all the programs. Several programs still have difficulty in identifying MtE and TPE creations.

2. The inaugural issue of "The ISSA Journal", published by the Information Systems Security Association, arrived last week (Volume 1, Issue 1, December 1993). It contains a reprint of the 1988 ACM article "Stalking the Wily Hacker" along with a brief update by Cliff Stoll as an introduction. I would strongly recommend the article for re-reading for a variety of reasons.

First, in the last three years I have listened to representatives from the National Security Agency, from the FBI, and from the Secret Service present grossly inaccurate accounts of material which Cliff gathered. In two separate cases NSA and FBI representatives came to White Sands, incorrectly quoted material from "The Cuckoo's Egg" during their presentations, and seemed completely oblivious to the fact that White Sands appeared in the book. The "experts" appear to be in need of enlightened audiences to keep them honest, since I cannot believe that my experiences have been unique.

Second, there seems to be a lack of appreciation of what it was that Cliff actually documented. The intrusions which he monitored were rarely "high-tech". The safeguards which he suggested were hardly "high-tech". Yet in my opinion government channels in particular seem intent on mandating technical solutions to information system security issues.

3. Harry DeMaio continues to express great ideas in his latest article in the "Information Systems Security Journal" (Vol 2, No 4). Mr. DeMaio addresses "Information Protection Standards in the 1990s" in these terms: "All of this has convinced me that the standards process deserves some prime real estate in one of the lower rings of Dante's Inferno. It is the perfect milieu for a masochist, and my sympathy and admiration are great for those who live full time in this arena". While the Journal's articles can be turgid at times, Mr. DeMaio continues to excel.