DEFMTH7.CVP   920115

"Desert Storm" viral myths

The recent spate of reports of a virus which shut down Iraq's air defence system during "Desert Shield/Storm" seems to have started with the series "Triumph Without Victory: The Unreported History of the Persian Gulf War" by U.S. News and World Report. The articles are being rerun in many papers (as well, apparently, as on CNN and ABC Nightline), and the article on the virus run in my local paper is specifically credited to USN&WR.

The bare bones of the article are that a French printer was to be smuggled into Iraq through Jordan, that US agents intercepted the printer, replaced a microchip in the printer with one reprogrammed by the NSA, and that a virus on the reprogrammed chip invaded the air defence network to which the printer was connected and erased information on display screens when "windows" were opened for additional information on aircraft.

The first question is: could a chip in a printer send a virus? Doesn't a printer just accept data?

Both parallel/Centronics and serial RS-232 ports are bidirectional. (Cabling is not always, and I well remember having to deal, in the early days of PCs, with serial ports which had been used as printer ports and could not be used as modem ports because the "return" pin had been sheared off, a common practice to "fix" balky printers.) However, the "information" which comes back over the line is concerned strictly with whether or not the printer is ready to accept more data. It is never accepted as a program by the "host".

The case of "network" printers is somewhat more complex. There are two possible cases, network print servers and "network printers" (such as the Mac Laserwriters), and they are quite distinct. The print server (on, say, DECnet) is actually a networked computer acting as a print server, accepting files from other network sources and spooling them to a printer.
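The point about the return lines of a parallel port is easiest to see from the host's side of the cable. The following Python model is an added example, not code from the column or from any real driver; it assumes the IBM PC parallel-port status-register layout (port base+1: bit 3 nError, bit 4 SELECT, bit 5 PE, bit 6 nAck, bit 7 BUSY, the last inverted by the port hardware so that 1 means "not busy"), and the SimulatedPrinter class is a constructed stand-in for whatever sits at the far end. Everything the device sends back is decoded into five flow-control flags and nothing else; a device that answers with arbitrary bytes can stall or abort the job, but cannot hand the host anything it would treat as a program.

```python
"""Host-side model of a Centronics/parallel printer port (constructed example).

Assumes the IBM PC status-register bit layout described in the lead-in.
The printer object is a simulation, not a real device.
"""
from typing import Optional

IDLE_STATUS = 0xD8  # 1101_1000: ready, nAck idle, paper ok, online, no fault
ACK_STATUS = 0x98   # 1001_1000: as above, with nAck pulled low for one poll


def decode_status(raw: int) -> dict:
    """Turn the status byte into named flags.

    This is the whole of what the host does with data on the return lines:
    five flow-control bits. Nothing here stores or executes the byte.
    """
    raw &= 0xFF
    return {
        "fault": not (raw >> 3) & 1,        # nError low  = printer fault
        "online": bool((raw >> 4) & 1),     # SELECT high = online
        "paper_out": bool((raw >> 5) & 1),  # PE high     = out of paper
        "acked": not (raw >> 6) & 1,        # nAck low    = byte accepted
        "ready": bool((raw >> 7) & 1),      # BUSY (inverted) high = ready
    }


class SimulatedPrinter:
    """Constructed device model.

    With hostile_status set, the device answers every status read with
    attacker-chosen bytes instead of real flags, to show what the host
    makes of them: nothing but (wrong) flags.
    """

    def __init__(self, hostile_status: Optional[bytes] = None):
        self.received = bytearray()
        self.hostile_status = hostile_status
        self._reads = 0
        self._ack_pending = False

    def read_status(self) -> int:
        if self.hostile_status:
            b = self.hostile_status[self._reads % len(self.hostile_status)]
            self._reads += 1
            return b
        if self._ack_pending:
            self._ack_pending = False
            return ACK_STATUS
        return IDLE_STATUS

    def write_byte(self, b: int) -> None:
        self.received.append(b)
        self._ack_pending = True


def send_job(data: bytes, printer: SimulatedPrinter, max_polls: int = 10_000) -> dict:
    """Host print loop: poll the status lines, write a byte when ready.

    The return channel can stall the job (timeout) or report a fault;
    it cannot inject code, because the host never treats it as anything
    but the five flags above.
    """
    sent = polls = 0
    for b in data:
        while True:
            polls += 1
            if polls > max_polls:
                return {"status": "timeout", "sent": sent}
            flags = decode_status(printer.read_status())
            if flags["fault"] or not flags["online"] or flags["paper_out"]:
                return {"status": "printer_error", "sent": sent, "flags": flags}
            if flags["ready"]:
                break
        printer.write_byte(b)
        sent += 1
    return {"status": "ok", "sent": sent}


if __name__ == "__main__":
    good = SimulatedPrinter()
    print(send_job(b"hello\n", good), bytes(good.received))
    # A device answering with arbitrary bytes yields nonsense flags only;
    # here the first byte ('E' = 0x45) decodes as "fault", so the job stops.
    bad = SimulatedPrinter(hostile_status=b"EXEC")
    print(send_job(b"hello\n", bad), bytes(bad.received))
```

The design point is where the trust boundary sits: the host's driver decides what the return lines mean, and in this loop they mean five bits of handshake and nothing more. A tampered device therefore gets a denial-of-service lever (stall or abort the print job) but no path to execution on the host, which is the column's argument against the "printer chip" story.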
True, this computer/printer combo is often referred to simply as a printer, but it would not, in any case, be able to submit programs to other hosts on the net. The Mac case is substantially different, since the Mac laser printers are attached as "peers". Mac Laserwriters, at least, do have the ability to submit programs to other computers on the network, and one Mac virus uses the Laserwriter as a vector. However, it is unlikely that the Iraqi air defence system was Mac based, and few other systems see printers as peers.

Second question: if it *was* possible to send some kind of program from the printer to the computer system/network, was it a virus?

Given the scenario of a new printer coming into an existing system, any damaging program would pretty much have had to have been a virus. In a situation like that, the first thing to do when the system malfunctions after a new piece of equipment has been added is to take out the new part. Unless the "chip" could send out a program which could survive, in the network or system, by itself, the removal of the printer would solve the problem.

Third question: could a virus, installed on a chip and entered into the air defence computer system, have done what it was credited with?

Coming from the popular press, "chip" could mean pretty much anything, so my initial reaction that the program couldn't be large enough to do much damage means little. However, the programming task involved would be substantial. The program would first have to run on the printer/server/peripheral in order to get itself transferred to the host. The article mentions that a peripheral was used in order to circumvent normal security measures, but all systems have internal security measures as well, in order to prevent a printer from "bringing down" the net. The program would have to be able to run, compile or be interpreted on the host, and would thus have to know what the host was and how it was configured.
The program would then have to know exactly what the air defence software was and how it was set up to display the information. It would also have to be sophisticated enough in avoiding detection that it could masquerade as a "bug" in the software, and persistent enough that it could avoid elimination by the reloading of software which would immediately take place in such a situation.

The Infoworld AF/91 prank article has been mentioned as the "source" for the USN&WR virus article. There was, however, another article, quite seriously presented in a French military aerospace magazine in February (which possibly prompted the Infoworld joke). This earlier article stated that a virus had been developed which would prevent Exocet missiles, which the French had sold to Iraq, from impacting on French ships in the area. The author used a mix of technobabble and unrelated facts, somehow inferring from the downloading of weather data at the last minute before launch, the programmability of targets on certain missiles and the radio destruct sequences used in testing that such a "virus" was possible.

It has also been rumoured, and by sources who should know, that the US military has sent out an RFP on the use of computer viri as computer weapons. Although I have not seen the request, I *do* believe it went out, and we have confirmation in the report of a contract being awarded for further study in that area.

I *don't* believe in the USN&WR report.

copyright Robert M. Slade, 1992   DEFMTH7.CVP   920115

==============
Vancouver      ROBERTS@decus.ca
Institute for  Robert_Slade@sfu.ca
Research into  rslade@cue.bc.ca
User           p1@CyberStore.ca
Security       Canada V7K 2G6