United States General Accounting Office
Washington, D.C. 20548
Accounting and Information Management Division

B-283021

June 18, 1999

The Honorable Constance A. Morella
Chairwoman, Subcommittee on Technology
Committee on Science
House of Representatives

Subject: Information Security: Subcommittee Questions Concerning the Melissa Computer Virus

Dear Madam Chairwoman:

In response to your May 24, 1999, request, this letter provides answers to questions relating to our April 15, 1999, testimony on the immediate effects of the Melissa virus and variations of it, as well as its broader implications.[1] As we noted in our testimony, although the Melissa virus did not reportedly permanently damage systems and did not compromise sensitive government data, it has shown us just how quickly computer viruses can spread and just how vulnerable federal information systems are to computer attacks. The questions and our responses follow.

1. Since almost 2 months have passed since we first became aware of the Melissa virus, do we now know how much damage was done and what federal agencies were affected by Melissa?

The Melissa "Frequently Asked Questions" electronic document found at the CERT Coordination Center (http://www.cert.org/tech_tips/Melissa_FAQ.html) states that more than 300 organizations were affected, covering more than 100,000 individual hosts. These data, however, are not specific to federal agencies. As we stated in our testimony, it is critical that the federal government establish reporting mechanisms that facilitate analyses of viruses and other forms of computer attacks and their impact.

[1] The Melissa Computer Virus Demonstrates Urgent Need for Stronger Protection Over Systems and Sensitive Data (GAO/T-AIMD-99-146, April 15, 1999).

GAO/AIMD-99-220R Response to Questions on the Melissa Virus

2. It appears from all the testimony that, in terms of the actual viruses themselves, we will always be a step behind the hackers and willful propagators of malicious code. Are there any safeguards you know of that can sniff out a virus before having seen it before, i.e., are there, or is there the possibility for, programs that can determine whether or not a program is a virus independent of being told so by a programmer?

Antivirus tools are readily available from several commercial vendors. These tools perform three basic functions: virus detection, identification, or removal. The majority do not look for a virus unless and until the virus has been identified and its characteristics are known. The ability to be proactive rather than reactive, that is, to defend against a virus that has never been seen before, is the basis of current antivirus research. Steve White's paper "Open Problems in Computer Virus Research" outlines research areas for antivirus tools (http://www.av.ibm.com/...).

3. You mention that unknown system vulnerabilities could lead to virus infections in the future. What are some of the things on our computers that we simply do not see as dangerous, but are instead opportunities for belligerent virus programmers? Could Java applets and Internet cookies be used as a means of virus infections?

Java applets[2] and Internet cookies[3] have many security issues associated with them. The risk is based on whether the applet actually only does what it is supposed to do, or whether the system that wants to set a cookie is actually only setting a cookie. Some security analysts simply state that no user should accept either an applet or a cookie from an unknown source. However, knowing the source of the applet or cookie only means that the user knows the source, not whether the applet is malicious or whether the cookie being set is the only action being taken.

Also, as with all security issues, the environment is very dynamic. For example, on Princeton University's Secure Internet Programming web page, there is an announcement of a very recent Java security problem (http://www.cs.princeton.edu/sip/History.html). The dynamic nature of the problem means that all those involved in computing must be diligent in their security efforts.

-----

To respond to these questions, we gathered data at the Federal Computer Incident Response Capability (FedCIRC, http://www.fedcirc.gov/), the CERT Coordination Center (http://www.cert.org/), Princeton University's Office of Computing and Information Technology (CIT, http://www.princeton.edu/cit/index.shtml), Princeton University's Secure Internet Programming (SIP) Laboratory (http://www.cs.princeton.edu/sip/), the Department of Energy's Computer Incident Advisory Capability (CIAC, http://ciac.llnl.gov/), and the World Wide Web Consortium (W3C, http://www.w3.org/Security/). We conducted our work in June 1999. If you have any questions regarding this letter, please contact me at (202) 512-6416.

[2] A program written in the Java programming language to run within a web browser compatible with the Java platform, such as Netscape Navigator (TM).

[3] A "cookie" is a small piece of information to help make the communication between an Internet site's computer server and the browser more efficient.

Sincerely yours,

Director, Computer and Information Technology Assessment
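The point made in answer to question 2, that most antivirus tools find only viruses whose characteristics are already known, can be seen in a small signature scanner that performs the three functions named there (detection, identification, removal). It is an added illustration, not code from this letter or from any antivirus product; the virus name, the byte signature and the sample file contents are constructed for the example.

```python
"""Toy signature-based scanner: detection, identification and removal,
all driven by a list of previously identified virus characteristics."""

# Constructed signature database: virus name -> byte pattern known to
# occur in the virus body. Real products use far richer descriptors,
# but share the limitation shown below: an unlisted pattern is invisible.
SIGNATURES = {
    "Example.MacroVirus.A": b"AutoOpen\x00MailSelf\x00",
}


def identify(data: bytes):
    """Identification: return the name of the first matching signature,
    or None when no known pattern is present."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def detect(data: bytes) -> bool:
    """Detection: is any known virus present at all?"""
    return identify(data) is not None


def remove(data: bytes) -> bytes:
    """Removal: return a copy with the matched signature excised.
    A file the scanner cannot identify is returned unchanged, infected."""
    name = identify(data)
    if name is None:
        return data
    return data.replace(SIGNATURES[name], b"")


# Constructed sample files. The variant differs from the known sample
# by a single byte inside the signature region (a trailing space added),
# which is enough to defeat exact-pattern matching.
CLEAN_DOCUMENT = b"Quarterly report text\n"
KNOWN_SAMPLE = CLEAN_DOCUMENT + b"AutoOpen\x00MailSelf\x00"
VARIANT_SAMPLE = CLEAN_DOCUMENT + b"AutoOpen\x00MailSelf \x00"

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(label, "detected:", detect(sample), "as:", identify(sample))
```

Running the block shows the known sample detected and identified while the one-byte variant passes as clean, which is the reactive gap the letter describes as the focus of current antivirus research.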
Information Security: Subcommittee Questions Concerning the Melissa Computer Virus
Published by the Government Accountability Office on 1999-06-18.