technology watch — personal authentication devices


Random Bits & Bytes

C> BLAST

Hello !!!!!!!!!!!!!!!!

I'm friendly virus #l.

Can you get rid of me?

I'm friendly virus 62.

Meet my 81 friend yet?

Bye !!!!!!!!!!!!!! Bye

PASSWORD PROLOG, Version 4.26, [Cl Copyright 1986, CowLit, Inc.

AUTOMATIC PHONE TRACE IS NOW ACTIVATED.

IF YOU ARE NOT AN AUTHORIZED USER, PRESS ESCAPE TO LEAVE THE SYSTEM!

ALL TRESPASSERS WILL BE PROSECUTED.

To gain access to the program you requested you must first enter basic system

information and then reply to a series of questions from your security file.

THIS IS YOUR LAST CHANCE TO LEAVE THE NETWORK -- PRESS ESCAPE KEY.

Enter your Network ID . . . .

Fig. 1. Printout of text infected with two different viruses.

Technology Watch - Personal Authentication Devices

Back in the September issue of Computers & Security [Vol. 5, Nr. 3] we presented two personal authentication devices for mainframe use, although these had been developed for use with microcomputers. Now we have PadPath (tm) (United Software Security) that is designed to work with SKK's security software, ACF2. It provides the systems security officer with a means of extending password protection by the use of personal authentication devices (PADs).

The PadPath software contains a series of drivers so that any of a series of PADs may be implemented. Three of the devices (more to be added later) that can be used with this security software add-on to release 4.1 of ACF2 in an IBM MVS/TSO environment include:

* LazerLock (United Software Security, Inc.)
* SecurID (Security Dynamics, Inc.)
* Confidante (Atalla Corporation)

Each of the PADs has a unique way of identifying its owner as an authorized user. The LazerLock (tm) is a hand-held unit (15.5 X 4.4 X 1.8 cm) based on the proprietary technology developed by United Software Security, Inc. as shown in Fig. 2. The user is prompted for identification by a flashing target on the screen which is unintelligible to the human eye. The lock is held against the target on the screen and a randomly generated "key" is displayed on the lock's LCD screen. Entering the key by using the keyboard, the user proceeds through the sign-on procedure.

Fig. 2. The LazerLock.

Confidante (tm) is a small (9 X 55 X 90 mm) 12-key calculator device developed by Atalla Corporation. The unit is initialized with a unique data value called a key by the service provider/host. When the user accesses the host, a random number is generated and displayed to the user. The user enters a PIN to enable the terminal and then enters the random number. The resulting identification value is displayed on the terminal and the host then verifies the value and authenticates the user.

Another PAD available with USS's software is SecurID (tm), credit card in size (1.5 X 52 X 84 mm), developed by Security Dynamics and shown in Fig. 3. The card contains an internally powered microprocessor that generates a new, unpredictable passcode every 60 seconds. The passcode appears on the LCD on the face of the card and each card generates a unique pattern. At the protected host, the Access Control Module is permanently synchronized with every SecurID card enabled on the system. No card-reading hardware is required at the terminal since the user enters the displayed passcode by using the keyboard in the sign-on process.
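The two host-side checks described above (challenge-response for the calculator device, a 60-second time-synchronized passcode for the card), as an added example that is not from the article or from any vendor. The devices' algorithms are proprietary and not given here, so HMAC-SHA256 truncated to six digits is a stand-in; the names `Host`, `token_response` and `token_timecode`, the one-step drift window and the replay guard are assumptions, and the PIN step is not modelled.

```python
import hashlib
import hmac
import secrets

STEP = 60  # seconds between passcodes, as stated for the card in the article

def _digits(key: bytes, msg: bytes, n: int = 6) -> str:
    # Stand-in keyed function (assumption): HMAC-SHA256 cut to n decimal digits.
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**n).zfill(n)

def token_response(key: bytes, challenge: str) -> str:
    """Value a challenge-response device displays for the host's random number."""
    return _digits(key, b"challenge:" + challenge.encode())

def token_timecode(key: bytes, now: int) -> str:
    """Value a time-synchronized card displays during the step containing `now`."""
    return _digits(key, b"time:" + str(now // STEP).encode())

class Host:
    """Holds each user's device key; hypothetical model, not ACF2 or PadPath code."""
    def __init__(self, keys: dict):
        self.keys = keys
        self.pending = {}    # user -> outstanding challenge (single use)
        self.last_step = {}  # user -> last time step accepted (replay guard)

    def issue_challenge(self, user: str) -> str:
        self.pending[user] = str(secrets.randbelow(10**8)).zfill(8)
        return self.pending[user]

    def verify_response(self, user: str, value: str) -> bool:
        challenge = self.pending.pop(user, None)  # consumed even on failure
        if challenge is None or user not in self.keys:
            return False
        expected = token_response(self.keys[user], challenge)
        return hmac.compare_digest(expected.encode(), value.encode())

    def verify_timecode(self, user: str, value: str, now: int, drift: int = 1) -> bool:
        if user not in self.keys:
            return False
        current = now // STEP
        for step in range(current - drift, current + drift + 1):
            expected = token_timecode(self.keys[user], step * STEP)
            if hmac.compare_digest(expected.encode(), value.encode()):
                if step <= self.last_step.get(user, -1):
                    return False  # passcode from an already-used step: replay
                self.last_step[user] = step
                return True
        return False
```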

Fig. 3. The SecurID.

Evaluating and Controlling PADs

PadPath comes with a questionnaire facility. If used, the system will ask each PAD user up to nine questions concerning the PAD devices. Among the questions are such topics as ease-of-use, convenience and perceived security. The stored answers can be retrieved by the security administrator. Also a data table is created by this module which can be used with SAS or other software for analysis.

The security software package contains a built-in inventory control program. Reports are available to notify the security administrator of when devices were issued, who has them and when PADs should be recalled for battery check or replacement.

Additional Features

PadPath security software also permits the administrator to define, by user ID, either one or two additional passwords that must be entered after ACF log-on access is granted. This provides for having multiple users present when ultra secure data is to be run.

Another feature is the ability to challenge a user after ACF2 log-on with a random number. Applying the correct numeric operation or set of operations to the displayed number yields access. For example, the user may respond to the display of a random number by entering "*4 + 2 - 6," "/1000/4/26A2" or any set of operators defined by the user and stored by the host.
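One way a host could evaluate the stored operator string without handing it to an interpreter, as an added example that is not PadPath code. It assumes the operators are applied strictly left to right to the displayed number and that the user types the resulting value; `parse_ops`, `new_challenge`, `expected_response` and `check_answer` are hypothetical names.

```python
import re
import secrets
from fractions import Fraction

_TOKEN = re.compile(r"\s*([*/+-])\s*(\d+)")  # one operator followed by one integer

def parse_ops(spec: str) -> list:
    """Turn a stored string such as '*4 + 2 - 6' into [('*', 4), ('+', 2), ('-', 6)]."""
    ops, pos = [], 0
    while pos < len(spec.rstrip()):
        m = _TOKEN.match(spec, pos)
        if m is None:  # anything other than operator/integer pairs is rejected
            raise ValueError(f"unsupported text at offset {pos}: {spec[pos:]!r}")
        op, n = m.group(1), int(m.group(2))
        if op == "/" and n == 0:
            raise ValueError("division by zero in operator string")
        ops.append((op, n))
        pos = m.end()
    if not ops:
        raise ValueError("empty operator string")
    return ops

def new_challenge() -> int:
    """Random four-digit number shown to the user (range is an assumption)."""
    return 1000 + secrets.randbelow(9000)

def expected_response(spec: str, challenge: int) -> Fraction:
    """Apply the operators left to right; Fraction keeps division exact."""
    value = Fraction(challenge)
    for op, n in parse_ops(spec):
        if op == "*":
            value *= n
        elif op == "/":
            value /= n
        elif op == "+":
            value += n
        else:
            value -= n
    return value

def check_answer(spec: str, challenge: int, typed: str) -> bool:
    """Compare what the user typed ('144', '2.5' or '5/2') with the expected value."""
    try:
        answer = Fraction(typed.strip())
    except (ValueError, ZeroDivisionError):
        return False
    return answer == expected_response(spec, challenge)
```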