DEFMTH7.CVP   920115
 
                      "Desert Storm" viral myths
 
The recent spate of reports of a virus which shut down Iraq's air
defence system during "Desert Shield/Storm" seems to have started with
the series "Triumph Without Victory: The Unreported History of the
Persian Gulf War" by U. S. News and World Report.  The articles are
being rerun in many papers (as well, apparently, as CNN and ABC
Nightline), and the article on the virus run in my local paper is
specifically credited to USN&WR.  The bare bones of the article are that
a French printer was to be smuggled into Iraq through Jordan, that US
agents intercepted the printer, replaced a microchip in the printer with
one reprogrammed by the NSA, that a virus on the reprogrammed chip
invaded the air defence network to which the printer was connected and
erased information on display screens when "windows" were opened for
additional information on aircraft.
 
The first question is: could a chip in a printer send a virus?  Doesn't
a printer just accept data?
 
Both parallel/Centronics and serial RS-232 ports are bidirectional. 
(Cabling is not always, and I well remember having to deal, in the early
days of PCs, with serial ports which had been used as printer ports, and
could not be used as modem ports because the "return" pin had been
sheared off, a common practice to "fix" balky printers.)  However, the
"information" which comes back over the line is concerned strictly with
whether or not the printer is ready to accept more data.  It is never
accepted as a program by the "host".
 
The case of "network" printers is somewhat more complex.  There are two
possible cases: network print servers and "network printers" (such as
the Mac Laserwriters), and they are quite distinct.  The print server
(on, say, DECnet) is actually a networked computer acting as a print
server; accepting files from other network sources and spooling them to
a printer. True, this computer/printer combo is often referred to simply
as a printer, but it would not, in any case, be able to submit programs
to other hosts on the net.  The Mac case is substantially different,
since the Mac laser printers are attached as "peers".  Mac Laserwriters,
at least, do have the ability to submit programs to other computers on
the network, and one Mac virus uses the Laserwriter as a vector. 
However, it is unlikely that the Iraqi air defence system was Mac based,
and few other systems see printers as peers.
 
Second question: if it *was* possible to send some kind of program from
the printer to the computer system/network, was it a virus?
 
Given the scenario, of a new printer coming into an existing system, any
damaging program would pretty much have had to have been a virus.  In a
situation like that, the first thing to do when the system malfunctions
after a new piece of equipment has been added is to take out the new
part.  Unless the "chip" could send out a program which could survive,
in the network or system, by itself, the removal of the printer would
solve the problem.
 
Third question: could a virus, installed on a chip and introduced into
the air defence computer system, have done what it was credited with?
 
Coming from the popular press, "chip" could mean pretty much anything,
so my initial reaction that the program couldn't be large enough to do
much damage means little.  However, the programming task involved would
be substantial.  The program would first have to run on the
printer/server/peripheral, in order to get itself transferred to the
host.  The article mentions that a peripheral was used in order to
circumvent normal security measures, but all systems have internal
security measures as well in order to prevent a printer from "bringing
down" the net.  The program would have to be able to run/compile or be
interpreted on the host, and would thus have to know what the host was,
and how it was configured.  The program would then have to know exactly
what the air defence software was, and how it was set up to display the
information.  It would also have to be sophisticated enough in avoiding
detection that it could masquerade as a "bug" in the software, and
persistent enough that it could avoid elimination by the reloading of
software which would immediately take place in such a situation.
 
The Infoworld AF/91 prank article has been mentioned as the "source" for
the USN&WR virus article.  There was, however, another article, quite
seriously presented in a French military aerospace magazine in February
(which possibly prompted the Infoworld joke).  This earlier article
stated that a virus had been developed which would prevent Exocet
missiles, which the French had sold to Iraq, from impacting on French
ships in the area.  The author used a mix of technobabble and unrelated
facts, somehow inferring from the downloading of weather data at the
last minute before launch, the programmability of targets on certain
missiles and the radio destruct sequences used in testing that such a
"virus" was possible.
 
It has also been rumoured, and by sources who should know, that the US
military has sent out an RFP on the use of computer viruses as computer
weapons.  Although I have not seen the request, I *do* believe it went
out, and we have confirmation in the report of a contract being awarded
for further study in that area.  I *don't* believe in the USN&WR report.
 
copyright Robert M. Slade, 1992   DEFMTH7.CVP   920115

==============                      _________________________
Vancouver      ROBERTS@decus.ca    |    |     |\^/|     |    | swiped
Institute for  Robert_Slade@sfu.ca |    |  _|\|   |/|_  |    | from
Research into  rslade@cue.bc.ca    |    |  >         <  |    | Alan
User           p1@CyberStore.ca    |    |   >_./|\._<   |    | Tai
Security       Canada V7K 2G6      |____|_______^_______|____|