Path: utzoo!attcan!uunet!aplcen!uakari.primate.wisc.edu!zaphod.mps.ohio-state.edu!sunybcs!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CAH0@gte.com (Chuck Hoffman)
Newsgroups: comp.virus
Subject: Re: Mainframe attacks
Message-ID: <0008.9007031335.AA01457@ubu.cert.sei.cmu.edu>
Date: 3 Jul 90 12:36:40 GMT
Sender: Virus Discussion List
Lines: 73
Approved: krvw@sei.cmu.edu

Emily H. Lonsford of Mitre writes:

"Is that what CA is telling you? I just looked in my April 1990 'Information Systems Security Products and Services Catalog', a government publication, and CA is not in the list of vendors in the evaluation process."

Her question relates to my comment that Computer Associates is "in the process" of raising the rating of ACF2 and Top Secret from C2 to B1, which will make hacking more difficult.

What CA is telling all of us is in the form of product announcements for CA-ACF2 and CA-Top Secret. I have the ones for the MVS versions of these products. There probably are also announcements for the VM versions, but I haven't seen them. The announcements are dated February 15, 1990, but I just got them in the mail recently. The announcements are almost identical to each other, so I will quote parts of the CA-ACF2 MVS text:

"CA-ACF2 MVS Release 5.2 PTFs permit security operation following the Department of Defense Trusted Computer System Evaluation Criteria (DOD 5200.28-STD) for a Mandatory Access Control (MAC) security system at the B1 level."

"Available 3rd Quarter 1990 - Beta Test"

"In August 1989, CA filed proposals with the NCSC to have CA-ACF2 MVS, CA-ACF2 VM, CA-TOP SECRET MVS and CA-TOP SECRET VM formally evaluated to ensure full compliance with the Department of Defense Trusted Computer Systems Evaluation Criteria (DOD5200.28-STD) at a B1 level. Although CA cannot guarantee that CA-ACF2 MVS will receive a B1 rating nor is it possible for CA to provide a specific date for when a formal evaluation will be completed, CA has worked successfully with the NCSC on numerous occasions and completed several evaluations."

That's what they're saying. Evaluate it for yourself. Personally, I will believe it when I see it. The announcement is sort of like telling people 's point about the rating's not applying to an individual site's implementation is well taken. The rating is for the PRODUCT, not for your installation. For instance, if you give security privileges to large numbers of people, you couldn't expect to call your installation "secure" even if the product has a B1 rating. And who knows what your system modifications might do?

Emily writes about the first copy of ACF2 being written at London Life in Ontario. I can add that copy #2 went to Linda Vetter's installation at GM; Linda was one of the chairpeople of the security committee at SHARE, and later became a Vice President at SKK. Copy #3 came here, to GTE Laboratories, in 1978. It was installed personally by Barry Schraeger, Eb Klemmons, and Scott Kruger, the original "SKK."

Several releases, and years, later, I was having some difficulty getting an answer to a technical question from SKK Tech Support. By then, they had a "Level 1" and "Level 2" structure which was getting in the way. Finally, in frustration, I said "Look, this product was installed on our system by Barry, Scott, and Eb. Now it doesn't work, and it's impacting our business. I want the installers back out here on site." We got INSTANT attention.

Since we deinstalled the IBM systems last December, we probably have the distinction of being the longest running ACF2 site to remove the product, too.

I expect lively discussion at the CA Security and Audit conference in Orlando this coming week. Unfortunately for me, the session concerning new features is scheduled opposite one I will be giving (on granting privileges to systems programmers!).

I thank Emily for her comments. Those certainly were interesting times.

- -Chuck

- -
Chuck Hoffman, GTE Laboratories, Inc.
cah0@bunny.gte.com
Telephone (U.S.A.) 617-466-2131
GTE VoiceNet: 679-2131
GTE Telemail: C.HOFFMAN