Information Security: Subcommittee Questions Concerning the Melissa Computer Virus

Published by the Government Accountability Office on 1999-06-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

      united states
GAO   General Accounthg OflRce
      Washington, D.C. 20648

      Accounting and Information
      Management Division


      June l&1999
      The Honorable ConstanceA. Morella
      Subcommittee on Technology
      Committee on Science
      House of Representatives
      Subject: Information Securitvz SubcommitteeQuestionsConcerning the Me?issa
      Dear Madam Chairwoman:
      In response to your May 24,1999,request,this letter provides answers to questions
      relating to our April l&1999, testimony on the immediate effects of the Melissavirus
      and variations of it as well as its broader implications.’As we noted in our testimony,
      although the Melissavirus did not reportedly permanent@damagesystemsand did
      not compromise sensitivegovernment data, it has shown us just how quickly
      computer viruses can spread andjust how vulnerable federal information systemsare
      to computer attacks. The questionsand our responsesfollow.
      1. Since almost 2 months have passedsince we iirst becameaware of the Mel&t
         V&us, do we now know how much damagewas done and what federal agencies
         were affected by Melissa?
      The Melissa “F’requentlyAsked Questions”electronic document found at the CER’I’
      Coordination Center (http~~cert.org/tech_tips/Melissa_FAQ.hb             states that
      more than 300 organizationswere affected, covering more than 100,000individual
      hosts. These data, however, are not specific to federal agencies.As we stated in our
      testimony, it is critical that the federal governmentestablishreporting me&ax&us
      that facilitate analysesof viruses and other forms of computer attacks and their

                          The Melissa Cornputer Virus Demow&%.es Uw        Need for Sm
      Protection Over SF-~~I           ve Da&   (GAOfI’-AIMD-99-146, April X1,19!%).

                                 GAO/AI&ID-99-220R Response to Questions on the MelissaVii

2. It appearsfrom all the testimony that in terms of the actual viruses themselves,;.
   will always be a step behind the hackers and wWulpropagato~~ of malicious
   code.Are there any safeguardsyou know of that can sniff out a virus before
   having seenit before,i.e., are there, or is there the possibilify for, progpamsthat
   can determine whether or not a program is a virus independentof being told so La

Antivirus tools are readily availablefrom severalcommercial vendors. These tools
perform three basic functions: virus detection,identBcation, or removal. The
majority do not look for a virus unlessand until the virus has been % identSed ant
its characteristicsare known The ability to be proactive rather than pea&M&hat is,
to defend againsta virus that has never been seenbefore-is the basis of current
antivirus research.SteveWhite’spaper “Open Problemsin Computer Virus Research
outlines researchareasfor antivirus tools (httpYAvww.av.ibm.com2n&deTM.aW
3. You mention that unknown system vulnerabilities could lead to viz& infections *
   the future. What are some of the things on our computers that we s&p& do not
   see as dangerous,but are instead opportunities for belligerent virus ~~O~EUWTM%.
   Could Java Applets and Internet cookies be used as a means of vi& infections?
JavaApple& and Internet cookies’have many security issues associatedwith them.
The risk is basedon whether the applet actually only does what it is supposedto do;
or that the systemthat wants to set a cookie is actually only setting a cookie. Some
securily analystssimply state that no user should accept either an applet or a cookL
from an unknown source. However,knowing the source of the applet or cookie CL&
meansthat the user knows the source,not whether the applet is malicious or that +’
cookie being set is the only action being taken. Also, as with all security issues,the
environment is very dynamic.For example,on Princeton Universuy’s Secure Interm
Computingweb page,there is an announcementof a very recent Java security
problem (httpYwww.cs.princeton.edu&ip/Histozy.htnQ.The dynamic nature of L
problem meansthat all those involved in computing must be diligent in their securit

To respond to these questions,we gathereddata at The Federal Computer Incident
ResponseCapability (FedCIRC,httpflwww.fedcirc.gov~, the CEFZTCoordination

“A programwritten in the Javaprogramminglanguageto run within a.web ~XTXVWK
compatible with the Java platform, such as NetscapeNavigator (TM).
“A “cookie” is small piece of information to help make the communic&ion between an
intemet site’s computer server and the browser more efficient.

Page2                       GAO/A.IIVID-QQ-‘220R
                                             Responseto Questions on the MelissaV

     Center (httpAvww.cert o@, Princeton Univetity’s office of Computingand
     Information  Technology (ClT, h~~~prince~n.edLE/ciffidex;sht        Princeton
     Univetity’s SecureInternet Programming(SIP) Laboratory(ht$@bww.cs.p-ce-
     edr.&i& the Department of Energy’sComputerIncident Advixxy Capability (CJAC,
     https//ciacM.gov/), and the World Wide Web Consortium(W3C,httpSimvmw3. .
     org/Secti@& We conducted our work in June 1999.If you have any questions
     regarding this letter, please contact me at (202)512-6416.
     Sincerely yours,

,/ Director, Computer and Information



     Page3                   GAOMkID-QQ-220RResponseto Questionson the hblissa Virus
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also-
Orders for 100 or more copies to be mailed to a singie address
are discounted 25 percent.

Orders by maih

U.S. General Accounting   Office
P.O. Box 37050
Washington, DC 20013
or visit:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC
Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a Iist of newly available reports and
testimony. To receive facsimile copies of the daily Iist or any
list from the past 30 days, please cali (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these Lifts.
For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

or visit GAO’s World Wide Web Home Page at:

United States
General Accounting Office
Washington, D.C. 20548-0001

Official Business
Penal@ for Private Use $300
Address Correction Requested

                                        ,:          ‘.
                                  .    .i;                          ‘.
                               ‘. “l...?(                _
                                 :,,,, :,,     ::        --