---- A LETTER FROM THE COMPUTER SYSTEMS LABORATORY ------- MAY 1992

COMPUTER VIRUSES: WHAT CAN USERS DO TO PROTECT THEIR COMPUTER SYSTEMS

Although computer viruses have been around for a long time, the widely publicized Michelangelo and Friday the 13th viruses, which threatened computers worldwide this past March, refocused attention on the problem of computer viruses. Fortunately, intense media coverage coupled with the use of anti-viral software limited the loss of data and information to a few isolated incidents.

One beneficial result of these recent virus episodes is an increased awareness among government, industry, academia, and personal computer users of the dangers posed by computer viruses. Faced with the realization that viruses will continue to proliferate in networks and systems for the foreseeable future, users recognize the importance of taking preventive measures to avert a virus attack or to limit its damage.

What Can Be Done

Personal computer users can attain some degree of protection against the threat of computer viruses by frequent and consistent use of the following cost-effective measures:

o Back up data onto floppy disks and store in a protected place;
o Use only licensed copies of vendor software;
o Purchase software from known, reputable sources;
o Install only software which is clearly required;
o Minimize software sharing within the organization;
o Prohibit users from using software or disks from their home systems;
o Use a special isolated system for downloading public-domain software and shareware so that it may be tested by anti-viral software prior to release for use by others;
o Use the latest anti-viral software available to test your hard disk and floppy disks on a regular basis;
o Do not leave a personal computer running but unattended; and
o Lock your computer with a hardware lock, if possible. At day's end, shut down and lock your computer, then lock your office door.
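The advice to test your hard disk and floppy disks regularly rests on the same idea that integrity-checking anti-viral tools of the period used: record what every executable looks like while the system is known to be clean, then report anything that has changed. The following Python script is an added illustration of that mechanism and is not from the bulletin or from NIST; the file names, file contents and directory layout in the demo are constructed for the demonstration, and the choice of SHA-256 and of the executable suffixes it scans are the example's own assumptions.

```python
# Added example (not from the CSL bulletin): a minimal file-integrity baseline
# checker. It hashes every executable under a directory, stores the result,
# and on a later scan reports executables that were modified, added or removed.
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed set of executable types worth baselining (file infectors of the
# era altered files such as these); adjust for the system being checked.
EXECUTABLE_SUFFIXES = (".com", ".exe", ".sys", ".ovl")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need little memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Map each executable under root (by relative path) to its hash and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the baseline as JSON; keep the real copy on write-protected media."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report executables whose hash changed, that appeared, or that vanished."""
    modified = sorted(
        name for name in baseline
        if name in current and current[name]["sha256"] != baseline[name]["sha256"]
    )
    added = sorted(name for name in current if name not in baseline)
    removed = sorted(name for name in baseline if name not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: take a baseline of a clean directory, then rescan
    after one executable has had code appended to it, a new program has been
    copied in, and another program has been deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "COMMAND.COM").write_bytes(b"MZ" + b"\x00" * 100)  # constructed file
        (root / "WP.EXE").write_bytes(b"MZ" + b"\x01" * 200)       # constructed file
        (root / "README.TXT").write_bytes(b"not an executable")    # ignored by the scan

        save_baseline(build_baseline(root), root / "baseline.json")

        with (root / "COMMAND.COM").open("ab") as fh:  # simulated modification
            fh.write(b"\x90" * 16)
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x02" * 50)      # program added later
        (root / "WP.EXE").unlink()                                 # program removed

        return compare(load_baseline(root / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The comparison is on content hashes rather than sizes, so a change that leaves the file length unchanged is still reported. The baseline file must be stored away from the system it describes (the bulletin's advice to keep backups on floppy disks in a protected place applies to it as well), and a check run from a system that is already infected can be deceived by a virus that intercepts disk reads, which is one reason the bulletin recommends testing software on a separate, isolated system.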
CSL Resources Can Help

o Computer Security Bulletin Board System (BBS). We maintain an electronic BBS on computer security which provides a wealth of information on viruses including publications, papers, software reviews, and VIRUS-L, a moderated mailing list with approximately 1600 direct subscribers worldwide. The mailing list is dedicated to information about computer viruses on personal computers, including Macintosh, PC, Amiga, and Apple, as well as others. VIRUS-L is an e-mail forum for Internet users that generally includes useful information such as references to repositories of anti-virus software, publications, and other items.

Accessing the BBS requires a standard ASCII terminal or personal computer with serial communications capability. The terminal must be set for the following communications parameters:

  Modem baud rate 2400, 1200, or 300: dial (301) 948-5717
  Modem baud rate 9600: dial (301) 948-5140
  Data bits: 8 with no parity, or 7 with even parity
  Stop bits: 1

To access the BBS via the Internet, use the telnet command, for example: type 'telnet csrc.nist.gov' or 'telnet 129.6.54.11'. The login account is 'bbs'; the password is 'bbs' (lower case). After the "CONNECT" message is displayed, the system begins a log-in dialogue. Use your real name when you log on.

The BBS provides you with on-line help and various menu choices. Virus information can be obtained from the Files section of the board in either the Research, Resources, or Publications Directories. A personal computer user may download any file without restriction. The BBS is available 24 hours a day. Each user has a maximum time limit of 70 minutes a day, 60 minutes on one call.

o CSL Bulletin on Computer Virus Attacks, August 1990, discusses computer viruses and related threats and presents some effective preventive measures. Call CSL Publications at (301) 975-2821 for a complimentary copy of this bulletin.
o NIST Special Publication 500-166, Computer Viruses and Related Threats: A Management Guide, gives general guidance for managers of computer systems and networks on addressing the vulnerabilities most likely to be exploited by computer viruses and related software. Order from the Government Printing Office, (202) 783-3238, order number SN003-003-02955-6, price $2.50.

FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ACTIVITIES

Twelve FIPS Withdrawn

The Federal Register of March 10, 1992, announced the withdrawal of 12 FIPS. The Secretary of Commerce approved the withdrawal of the FIPS because the technical specifications which they adopt are obsolete and are no longer supported by industry. The 12 standards dealt with information interchange by means of magnetic tape and flexible disk cartridges. For a copy of the Federal Register listing the withdrawn FIPS, call our FIPS office at (301) 975-2816.

CSL Selects Test Method and Establishes Trial Validation Service for FIPS 160, Programming Language C

CSL selected the Perennial ANSI C Validation Suite as the test method to be used for testing C compilers for conformance to FIPS 160, Programming Language C. Established in January 1992, the trial validation service will be used to verify the accuracy and completeness of the C validation procedures. The trial service will continue through September 1992.

To assess the suitability of the test method and validation procedures, we are seeking the views of industry, the public, and local governments. Address your written comments to: National Institute of Standards and Technology, Computer Systems Laboratory, ATTN: C Test Service, Building 225, Room A266, Gaithersburg, MD 20899. The comment deadline is September 30, 1992. For more information, contact Kathryn Miles on (301) 975-3156.
Nine New Telecommunications FIPS Issued

On April 2, 1992, the Secretary of Commerce approved nine new standards on modems for data communications use on telephone-type circuits, to be published as FIPS 162-170. The new family of FIPS replaces FIPS 133, 134-1, 135, and 136 (formerly designated Federal Standards 1005A, 1006A, 1007 and 1008). The newly approved standards adopt selected portions of CCITT (International Telegraph and Telephone Consultative Committee) modem recommendations: V.22, V.22bis, V.26, V.26bis, V.27bis, V.27ter, V.29, V.32, V.33, V.42, and V.42bis. Effective September 15, 1992, the standards will facilitate interoperability between telecommunication facilities and systems of the federal government.

You may purchase copies of the new FIPS, including the technical specifications, from the National Technical Information Service (see address below). For further information, contact Robert M. Fenichel, National Communications System, 701 South Court House Road, Arlington, VA 22204-2198, telephone (301) 692-2124.

UPDATE ON NEW PUBLICATIONS

CSL publishes the results of studies, investigations, and research. The reports listed below may be ordered from the following sources as indicated for each:

*Superintendent of Documents
 U.S. Government Printing Office (GPO)
 Washington, DC 20402
 Telephone (202) 783-3238

*National Technical Information Service (NTIS)
 5285 Port Royal Road
 Springfield, VA 22161
 Telephone (703) 487-4650

Guide to Schema and Schema Extensibility
By Bruce K. Rosen and Isabella des Fontaines
NIST Spec. Pub. 500-197, November 1991
SN003-003-03126-7, $2.25, Order from GPO

This guide assists users in understanding the concepts behind databases and data dictionary schemas and schema extensibility. It discusses the Information Resource Dictionary System (IRDS) standard and the use of extensible schemas in performing the functions of information resource management (IRM) and data administration.
Monitoring and Reporting Techniques for Error Rate and Error Distribution in Optical Disk Systems
By Fernando L. Podio
NIST Spec. Pub. 500-198, October 1991
SN003-003-03125-9, $5.00, Order from GPO

This report constitutes the proceedings of the workshop on Monitoring and Reporting Techniques for Error Rate and Error Distribution in Optical Disk Systems held on August 5, 1991, in Colorado Springs, Colorado.

The 3480 Type Tape Cartridge: Potential Data Storage Risks, and Care and Handling Procedures to Minimize Risks
By Mark P. Williamson
NIST Spec. Pub. 500-199, November 1991
SN003-003-03127-5, $3.50, Order from GPO

This publication summarizes reasonable procedures for the care and handling of the 3480 type media in order to minimize potential risks. The report informs data managers of the potential chemical, mechanical, and magnetic failure mechanisms associated with the 3480 type media and presents the experiences and recommendations of major 3480 type technology users and manufacturers.

Development of a Testing Methodology to Predict Optical Disk Life Expectancy Values
By Fernando L. Podio
NIST Spec. Pub. 500-200, December 1991
SN003-003-03134-8, $5.00, Order from GPO

This publication illustrates the development of a testing methodology that can be applied to predict optical disk life expectancy values. The report describes test results which were used with a mathematical prediction model to develop the testing methodology. Recommendations to implement a testing methodology for life expectancy predictions are also given.

Reference Model for Frameworks of Software Engineering Environments
Prepared Jointly by NIST and the European Computer Manufacturers Association (ECMA)
NIST Spec. Pub. 500-201, December 1991
SN003-003-03135-6, $5.50, Order from GPO

This document describes a reference model for software engineering environment (SEE) frameworks.
An SEE deals with information about the software under development, project resources, and organization policy, standards and guidelines on the production of software. An SEE reference model provides a basis for determining interfaces between environment components in order to create consistent interface standards.

Stable Implementation Agreements for Open Systems Interconnection Protocols, Version 5, Edition 1, December 1991
Tim Boland, Workshop Chairman
NIST Spec. Pub. 500-202, December 1991
SN903-015-00000-4, $59.00 subscription, Order from GPO

This document records stable implementation agreements on Open System Interconnection (OSI) protocols developed by organizations that participate in the OSI Implementors Workshop (OIW). These stable agreements are the basis for the Government OSI Profile (GOSIP), for industry profiles, and for conformance tests being developed by the Corporation for Open Systems.

Working Implementation Agreements for Open Systems Interconnection Protocols
Tim Boland, Editor
NISTIR 4507, March 1991
PB92-126523, $43.00 paper, $19.00 microfiche, Order from NTIS

This document presents the output of the OSI Implementors Workshop (OIW) of December 1990.

Government Network Management Profile (GNMP): Public Review Version of Proposed FIPS
By R. Aronoff, K. Brady, M. Chernick, J. Fox, K. Hsing, K. Mills, and F. Nielsen
NISTIR 4651, January 1992
PB92-149871, $19.00 paper, $9.00 microfiche, Order from NTIS

The GNMP will be the standard reference for all federal agencies to use when acquiring Network Management (NM) functions and services for computer and communications systems and networks. This document specifies the initial proposed version of the GNMP.

On the Interchangeability of SGML and ODA
By Charles K. Nicholas and Lawrence A. Welsch
NISTIR 4681, January 1992
PB92-149830, $17.00 paper, $9.00 microfiche, Order from NTIS

This report describes the Standard Generalized Markup Language (SGML) and the Office Document Architecture (ODA), two incompatible standards for the markup and interchange of electronic documents. It evaluates the Office Document Language (ODL) as a bridge between the two standards and describes a translation program that converts SGML documents to ODA and back.

Technology Integration Workshop: Selected Papers
Henry Tom, Editor
NISTIR 4703, October 1991
PB92-158278, $26.00 paper, $12.50 microfiche, Order from NTIS

This report contains selected summaries of technical presentations and demonstrations given at the NIST Geographic Information Systems (GIS) Standards Laboratory's Technology Integration Workshop on August 23-24, 1990.

Requirements and Recommendations for STEP Conformance Testing
Sharon J. Kemmerer, Editor
NISTIR 4743, January 1992
PB92-158294, $17.00 paper, $9.00 microfiche, Order from NTIS

This document describes a plan to develop a Conformance Testing Service for STEP (STandard for the Exchange of Product model data). The testing service is an integral part of a DoD-sponsored project, the National PDES Testbed at NIST.

Sample Statements of Work for Federal Computer Security Services: For Use In-House or Contracting Out
Dennis M. Gilbert, Project Leader; Nickilyn Lynch, Editor
NISTIR 4749, December 1991
PB92-148261, $19.00 paper, $12.50 microfiche, Order from NTIS

This document presents a set of Statements of Work (SOWs) describing significant computer security activities. It assists federal agencies and government contractors in the acquisition of computer security services by standardizing the description of typical services available from within or outside of the organization.

Massively Parallel Implementation of Character Recognition Systems
By M.D. Garris, C.L. Wilson, J.L. Blue, G.T. Candela, P. Grother, S. Janet, and R.A. Wilkinson
NISTIR 4750, January 1992
PB92-149863, $17.00 paper, $9.00 microfiche, Order from NTIS

This report describes the implementation of a massively parallel character recognition system which is designed to study the recognition of handprinted text in a loosely constrained environment. The NIST handprint database is used to provide test data for the recognition system.

UPCOMING TECHNICAL CONFERENCES

Applications Portability Profile (APP)/Open Systems Environment (OSE) Workshop

This workshop is designed as a user's forum to discuss the latest developments in the APP/OSE.
Dates: May 14, 1992; November 10, 1992
Place: NIST, Gaithersburg, MD
Contact: Marty Gray, (301) 975-3276, FTS 879-3276

Hypermedia Lecture Series

This lecture series provides a forum where current research on hypertext and multimedia can be presented and discussed.
Date: May 15, 1992, Gary Marchionini, "Evaluation of Hypertext"
Time: 2:00 p.m.-3:30 p.m.
Place: NIST Green Auditorium
Contact: Judi Moline, (301) 975-3351, FTS 879-3351

Lecture Series on High Integrity Systems

This lecture series addresses problems and solutions for developing and operating high integrity systems. The series targets managers and technical staff who acquire or develop computer software systems.
Date: May 18, 1992, Paul Strassmann, Director of Defense Information, Department of Defense Corporate Information Management, "Economic Justification of Risky Investments in Information Technology"
Time: 2:00 p.m.-3:30 p.m.
Place: NIST Red Auditorium
Contact: Dolores Wallace, (301) 975-3340, FTS 879-3340

North American ISDN Users' Forum (NIUF)

The NIUF addresses many concerns over a broad range of Integrated Services Digital Network (ISDN) issues and seeks to reach consensus on ISDN Implementation Agreements. Participants include ISDN users, implementors, and service providers.
Dates: June 2-5, 1992, NIST; October 27-30, 1992, NIST; November 16-20, 1992, Transcontinental ISDN Project 1992
Contact: Dawn Hoffman, (301) 975-2937, FTS 879-2937

OSI Implementors Workshop (OIW)

This workshop is part of a continuing series to develop implementation specifications from international standard design specifications for computer network protocols.
Sponsors: NIST and the IEEE Computer Society
Dates: June 8-12, 1992; September 21-25, 1992; December 14-18, 1992
Place: NIST, Gaithersburg, MD
Contact: Brenda Gray, (301) 975-3664, FTS 879-3664

COMPASS '92

This conference provides a forum on issues of education in computer science, formal methods, system certification, and assurance of high-integrity systems.
Sponsors: NIST, IEEE Aerospace and Electronic Systems Society, and the IEEE National Capital Area Council
Dates: June 15-18, 1992
Place: NIST, Gaithersburg, MD
Contact: Laura Ippolito, (301) 975-5248, FTS 879-5248

Department of Defense Electronic Data Interchange (EDI) Conference

This conference will provide DoD EDI participants with a forum to present their programs, exchange ideas, and learn about DoD's program for expanding the use of EDI. The conference targets military services, defense agencies, and industry.
Sponsors: NIST and the DoD Executive Agent for EC/EDI
Dates: June 23-26, 1992
Place: NIST, Gaithersburg, MD
Contact: Cheryl Blake, (703) 274-5156

15th National Computer Security Conference

The theme of this year's conference is "Information Systems Security: Building Blocks to the Future." The major emphasis will be the use of resources to provide security to networked and distributed systems.
Sponsors: NIST and NSA's National Computer Security Center
Dates: October 13-16, 1992
Place: Baltimore Convention Center, Inner Harbor, Baltimore, MD
Contacts: Irene Gilbert, (301) 975-3360; Dennis Gilbert, (301) 975-3872