Date: 22 Feb 1994 09:05:17 -0700 (MST)
From: Chris McDonald
Subject: Product Test # 72, ultraSHIELD (MACINTOSH)
To: orvis@icdc.llnl.gov

******************************************************************************
PT-72                                                           February 1994
******************************************************************************

1. Product Description:

ultraSECURE is a commercial software product that provides access controls, audit trails, file encryption and other features for the Macintosh environment. ultraSECURE is compatible with System 6, System 7, AppleShare, and FileShare. This product test addresses version 1.454.

2. Product Acquisition:

The product is available from usrEZ Software, Inc., 18881 Von Karman Avenue, Tower 17, Suite 1270, Irvine, CA 92715. The telephone number is (714) 756-5140; the fax number is (714) 756-8810. The price for a single copy can range from $165-$265 depending upon the source. The vendor does offer site licenses and other discounts for enterprise purchases.

3. Product Tester:

Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. I obtained an evaluation copy from the vendor in late 1993 after "MacWorld" magazine had awarded ultraSECURE its 1993 Editors' Choice Award. Testing occurred on a Mac IIcx with System 7. It was interesting that, when I requested the evaluation copy, I was informed that over 600 evaluation copies were in circulation. While I have no idea what those other 600 reviewers were doing, I quickly understood why the vendor representative was initially hesitant to send out yet another copy.

b. Some of the features which ultraSECURE provides include:

(1) Hard drive access protection through the use of a password.

(2) Discretionary access protection for system and sub-system folders.
(3) Encryption of applications, files, and folders/subfolders using either a proprietary algorithm, the Data Encryption Standard (DES), or double DES.

(4) Disk and file erasure which claims to implement National Security Agency and Department of Defense standards for sanitization.

(5) Discretionary copy, delete, modification, and renaming of files and folders.

(6) Discretionary group access privileges.

(7) Screen blanker with both automatic and manual activation.

(8) Extensive audit trail or activity logs.

(9) Limits on incorrect password attempts.

(10) Automatic password aging.

(11) Modifiable warning banner which appears upon initial startup, each restart, and each logoff and logon of the system.

c. The product has an easy-to-use autoinstall routine to facilitate installation. The extensive User Guide is also a valuable asset, although its size might initially seem imposing. During the autoinstall procedure one creates a new administrator's name and password. One may also choose to create additional users and to configure available option settings. My suggestion, however, would be to save this latter activity until you as the administrator feel comfortable navigating through the screen options and have had the opportunity to review the User Guide in some detail.

d. The final step in the installation routine is to "protect" the disk upon which you have installed the program. This activates the password protection access control. One is asked to verify the administrator's name and password before the program protects the disk. This is a reasonable precaution since under normal circumstances only the administrator can remove disk protection. I performed several installations and deinstallations with no difficulties.

e. ultraSECURE has so many features and options that it is difficult to know where to begin and where to end.
The following represents only a modest attempt to summarize the test results and to provide the reader with as much information as possible on the product.

(1) User Privileges. The system administrator, and those to whom the administrator has granted "supervisor" status, can determine the privileges of those users who are subordinate. Those privileges include: access to floppy disk drives; the ability to erase and to initialize floppy disks and SCSI hard disks; restrictions on desktop arrangement; control over the programmer's switch; and restrictions on file/folder creation, deletion and name changes. I tested all these features, which functioned as documented either to allow or to deny the respective activity.

(2) Logon Options. The system administrator can establish "guest" entry without requiring a user name or password. Documentation suggests that guest actions can be "severely limited using folder access controls". For most environments the logon failure warning options will be of extreme interest. The system administrator can determine the number of failures allowed; select an alarm sound for the failures; and insert a pause period after each logon failure. During the "pause" or "time out period" all user inputs are ignored. I tested all these features, which functioned as documented. The "pause" option might be frustrating to the legitimate user who makes a simple typing mistake. On the other hand, it does have the effect of delaying and probably irritating an attacker.

(3) Password Options. The system administrator can determine minimum password length from four to thirty-one characters; can control case sensitivity; and can implement automatic password aging. I tested all these features, which functioned as documented.

(4) Timer Options. The system administrator can define three independent timers: screen saver, user logoff, and system shutdown.
The screen saver feature operates either on a defined period of inactivity in minutes or on the positioning of the mouse. One can choose "shrink to black" or "instant black" for the effect. The logoff timer operates in a similar fashion. The shutdown feature operates on idle minutes. I tested all these timers, which functioned as documented.

(5) Audit Options. The system administrator can record eight different event types: power on; power off; restart; logon; logoff; application use; document use; and desk accessory use. There is a separate record for logon failures. For failures the system administrator can record the user name and specify the number of failed attempts which must occur before the initiation of a record. The administrator can set limits on the size of these audit records and where the audit files will be stored. I tested all these features, which performed as documented. With all audit options turned on, I found that the volume of information can be overwhelming. Having created two different users with different authorizations and privileges, I generated 16 pages of audit record information in approximately forty minutes. The records captured each event type along with the user's name, the time, the date, and the name of the application, where appropriate.

(6) File Erase Options. The system administrator can define automatic erasure and sanitization. The options include setting the number of erase passes; choosing the files to be erased upon deletion; and establishing key(s) to skip erasure. I verified the functionality of the options. Attempts to retrieve information, which had been overwritten with 1's and 0's, were unsuccessful. However, I am not qualified to state that the method of operation does in fact implement the DoD magnetic remanence criteria for sanitization.

(7) Access Privilege Options from the Finder. The system administrator can define privileges on individual folders for owner, group and everyone.
Those include the ability to see folders, to see files within folders, and to make changes. I verified only the functionality of the options.

(8) viruCIDE Option. This option searches only for known viruses in the Desktop files on Macintosh disks, such as WDEF. I verified the limited capabilities of the option. The documentation suggests that one combine "viruCIDE with some other anti-viral product such as Apple Computer Inc.'s Virus Rx". I thought this curious since to my knowledge Apple has ceased support of Virus Rx. If one were interested in a freeware program, I would consider Disinfectant and GateKeeper/GateKeeper Aid more appropriate choices.

(9) ultraKEY Option. ultraKEYs are "trap doors" to allow entry into a system protected by ultraSECURE. With such a KEY one can bypass user name and password authentication and automatically log on as the system administrator. ultraKEYs are specially coded blocks of information stored on floppy disks. The documentation has a lengthy discussion on the creation and protection of ultraKEYs.

(10) appSECURE Option. Within the ultraSECURE program one will find a desk accessory to provide copy protection and password protection on applications. The copy protection option is only available when one installs ultraSECURE; the password protection option is always available. The documentation contains a warning that it is "imperative that copy protection be removed from all copy protected applications prior to removal of ultraSECURE". Should one fail to heed this advice, one will find that copy protected applications no longer function.

(11) Encryption Option. The program offers a proprietary algorithm, ultraCRYPT, as well as DES and double DES. I verified the functionality of the options. Since I am not qualified to evaluate either the correctness or the strength of the program's DES implementation, I would refer readers to an evaluation by Bruce Schneier which appeared in the February 1993 edition of "MacWorld". Mr. Schneier rates the implementation very highly.

(12) Drive Access Control Option. With protection installed during the installation process I was unable to circumvent the password protection. The two test procedures used were booting from a floppy disk, and holding down the option-shift-control-delete keys when booting. I have reviewed several open source publications which suggest an experienced user with a sector editor, such as those found in Norton Utilities and MacTools, should be able to defeat the protection. While no software protection mechanism may be totally effective, ultraSECURE does provide an attractive range of access control options which, in my opinion, will deter the vast majority of attackers.

(13) Banner Option. The system administrator has the ability to display a warning banner prior to the logon window. The default text is from the Mark Rasch article in the May/June 1993 "InfoSECURITY NEWS", which many Computer Emergency Response Teams (CERTs) have adopted. I verified that the option performed as documented. Since the warning banner represents yet another delay before a user can do any work, and since my experience is that individuals over time do not read or pay any attention to verbiage which appears every time they log on, the warning banner option will satisfy the lawyers and those who have an inherent distrust of their authorized users. I remain unconvinced that banners will deter attackers.

5. Product Advantages:

a. ultraSECURE offers a wealth of protection options at a competitive price.

b. Basic installation and deinstallation of the program is generally simple for the medium to experienced user.

c. The product has established a reputation for quality.

6. Product Disadvantages:

a. Configuration of the program requires some thought and a careful reading of the manual for maximum effectiveness. This is not a program where one can install it and throw away the manual.

b. Government users will require a waiver under FIPS 46-1 to protect unclassified sensitive information using the product's software DES implementation. Such users may also require additional information on the erasure/sanitization routine for applications involving classified national defense information.

c. Management of the program depends upon competent system administrators. Training of a sufficient number of administrators within a large enterprise may represent the hidden costs in an acquisition decision.

7. Comments:

ultraSECURE literally offers mainframe controls on a Macintosh platform. Since there are environments where such protection would be overkill, it would appear prudent to conduct a comprehensive risk assessment prior to any acquisition decision. It should be noted that the vendor offers two other programs for users with varying security requirements: ultraSHIELD and cypherPAD. One might be well-advised to investigate these and other products in any selection process.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]

FOR FURTHER INFORMATION

PRODUCT TEST NUMBER   DATE            PRODUCT
PT-9                  November 1993   DISINFECTANT
PT-10                 November 1993   VIREX
PT-13                 July 1991       MACSAFE II
PT-20                 November 1993   SYMANTEC ANTIVIRUS FOR MACINTOSH (SAM)
PT-29                 March 1991      SECURE DELETE
PT-30                 December 1993   DETECTIVE/VIRUSBLOCKADE
PT-32                 November 1992   MACTOOLS
PT-33                 April 1991      FORT KNOX
PT-37                 August 1991     VIPER
PT-38                 July 1991       EMPOWER II
PT-44                 June 1993       RIVAL
PT-46                 August 1992     CITADEL
PT-49                 October 1992    LOCKDISK
PT-53                 December 1993   GATEKEEPER
PT-56                 October 1992    NIGHTWATCH II
PT-57                 in process      NORTON UTILITIES FOR MACINTOSH
PT-63                 August 1993     TRASHGUARD
PT-66                 in process      SAFELOCK
PT-71                 August 1993     MacRx
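The Audit Options and Logon Options discussion in section 4 above describes records of eight event types plus a separate logon failure record, and an administrator-set number of failed attempts that must occur before a failure record is initiated. The following Python script is an added example, not part of the original product test and not ultraSECURE's own code. The tab-separated record layout, the sample lines and the user names are constructed assumptions, since the page does not document the product's actual audit file format. It parses such records, builds the per-user summary a reviewer facing 16 pages of output would want, and flags runs of consecutive logon failures that reach the configured threshold.

```python
"""Summarize ultraSECURE-style audit records (added example; constructed format)."""
from collections import Counter, defaultdict
from datetime import datetime

# The eight event types the review lists, plus the separate logon failure record.
EVENT_TYPES = {
    "power on", "power off", "restart", "logon", "logoff",
    "application use", "document use", "desk accessory use",
    "logon failure",
}

# Constructed sample records. ASSUMPTION: the product's real on-disk layout is not
# documented on the page; this tab-separated layout (date, time, user, event,
# application) exists only for this illustration.
SAMPLE_AUDIT = """\
02/22/94\t08:01:12\tadmin\tpower on\t
02/22/94\t08:01:40\tadmin\tlogon\t
02/22/94\t08:02:05\tadmin\tapplication use\tMacWrite
02/22/94\t08:15:33\tadmin\tlogoff\t
02/22/94\t08:16:02\tguest\tlogon failure\t
02/22/94\t08:16:20\tguest\tlogon failure\t
02/22/94\t08:16:41\tguest\tlogon failure\t
02/22/94\t08:17:10\tguest\tlogon\t
02/22/94\t08:18:00\tguest\tdesk accessory use\tChooser
02/22/94\t08:30:00\tjsmith\tlogon failure\t
02/22/94\t08:30:30\tjsmith\tlogon\t
02/22/94\t09:00:00\tjsmith\tdocument use\tBudget.xls
02/22/94\t09:05:00\tjsmith\tlogoff\t
02/22/94\t09:06:00\tadmin\tpower off\t
"""


def parse_audit(text):
    """Parse audit text into a list of record dicts, rejecting malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 tab-separated fields")
        date, clock, user, event, app = fields
        if event not in EVENT_TYPES:
            raise ValueError(f"line {lineno}: unknown event type {event!r}")
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S")
        records.append({"when": when, "user": user, "event": event, "app": app or None})
    return records


def summarize(records):
    """Per-user count of each event type: the condensed view of a large audit file."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["user"]][rec["event"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def failure_bursts(records, threshold):
    """Flag runs of consecutive logon failures per user that reach `threshold`.

    This mirrors the administrator setting for the number of failed attempts that
    must occur before a failure record is initiated. A successful logon ends a run;
    each run is reported once, when it first reaches the threshold.
    Returns (user, time of first failure in the run, count) tuples.
    """
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    runs = {}  # user -> (start time, consecutive failures so far)
    bursts = []
    for rec in sorted(records, key=lambda r: r["when"]):
        user = rec["user"]
        if rec["event"] == "logon failure":
            start, count = runs.get(user, (rec["when"], 0))
            count += 1
            runs[user] = (start, count)
            if count == threshold:
                bursts.append((user, start, count))
        elif rec["event"] == "logon":
            runs.pop(user, None)
    return bursts


def applications_used(records):
    """Which applications, documents and desk accessories each user touched."""
    used = defaultdict(set)
    for rec in records:
        if rec["app"]:
            used[rec["user"]].add(rec["app"])
    return {user: sorted(apps) for user, apps in used.items()}


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for user, counts in summarize(recs).items():
        print(user, counts)
    for user, start, count in failure_bursts(recs, threshold=3):
        print(f"ALERT {user}: {count} consecutive logon failures starting {start:%H:%M:%S}")
```

Run against the constructed sample, the summary shows three logon failures for "guest" followed by a successful logon, which `failure_bursts` reports once at a threshold of three and not at all at a threshold of four; "jsmith" has a single failure and is not flagged at that threshold. Sorting by timestamp before scanning keeps the run logic correct even when the audit files were concatenated out of order.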
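The File Erase Options discussion in section 4 above describes a configurable number of overwrite passes, with the data overwritten by 1's and 0's before deletion. As an added example (not ultraSECURE's routine, and not code from the original product test), the following Python module performs that kind of multi-pass overwrite on an ordinary file and then unlinks it. The alternating all-zero/all-one pass sequence and the constructed sample content are assumptions, since the page does not specify the product's actual pass sequence.

```python
"""Multi-pass overwrite before deletion (added example; not ultraSECURE's routine)."""
import os
import tempfile

# Constructed sample content; stands in for a file worth sanitizing.
SAMPLE_SECRET = b"PAYROLL 1994 ** CONSTRUCTED SAMPLE ** " * 50


def pass_patterns(passes):
    """Byte pattern for each pass: all zeros, then all ones, alternating.

    ASSUMPTION: the page says only that data was overwritten with 1's and 0's;
    the product's actual pass sequence is not documented there.
    """
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    return [b"\x00" if i % 2 == 0 else b"\xff" for i in range(passes)]


def overwrite_file(path, passes=3, chunk=64 * 1024):
    """Overwrite every byte of the file `passes` times, syncing each pass to disk.

    Returns the number of bytes overwritten. The file is left in place so the
    result can be inspected; erase_file() performs the deletion.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in pass_patterns(passes):
            f.seek(0)
            block = pattern * chunk
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(block[:n])
                remaining -= n
            # Push each pass through the OS cache before starting the next one;
            # without fsync, consecutive passes can be collapsed in memory and
            # only the last one ever reaches the disk.
            f.flush()
            os.fsync(f.fileno())
    return size


def erase_file(path, passes=3):
    """Overwrite, truncate to zero length (so the size leaks nothing), then unlink."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return size


def demo(passes=3):
    """Write the constructed sample, overwrite it, verify the contents, then erase it."""
    fd, path = tempfile.mkstemp(prefix="erase-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_SECRET)
    size = overwrite_file(path, passes)
    with open(path, "rb") as f:
        data = f.read()
    expected = pass_patterns(passes)[-1] * size
    report = {
        "bytes": size,
        "passes": passes,
        "original_gone": SAMPLE_SECRET not in data,
        "last_pattern_only": data == expected,
    }
    erase_file(path, passes=1)
    report["deleted"] = not os.path.exists(path)
    return report


if __name__ == "__main__":
    print(demo())
```

The read-back check in `demo` only proves that the logical file contents were replaced, which is the same level of assurance the reviewer obtained when retrieval attempts failed. Whether the physical medium still holds earlier copies depends on the filesystem and the device (journaling or copy-on-write filesystems and wear-levelled flash can keep old blocks), so a read-back is not evidence that any remanence standard has been met.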