PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: MALICIOUS CODE CONTAMINATION OF VENDOR PACKAGED HARDWARE AND SOFTWARE (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-15).

1. ASSIST REGULARLY RECEIVES REPORTS FROM DOD ELEMENTS THAT HAVE RECEIVED MS-DOS AND MACINTOSH BASED COMPUTER HARDWARE/SOFTWARE CONTAMINATED WITH MALICIOUS CODE. EVEN THOUGH THERE HAS BEEN A HIGH PROBABILITY AND ASSURANCE THAT VENDORS HAVE BEEN THE SOURCE OF THE CONTAMINATION IN MOST OF THESE CASES, ESTABLISHING THAT FACT HAS BEEN EXTREMELY DIFFICULT. VENDORS CANNOT BE HELD ACCOUNTABLE BECAUSE MANY DOD SITES DO NOT HAVE ADEQUATE, STANDARDIZED PROCEDURES IN PLACE TO SCAN NEW PRODUCTS FOR MALICIOUS CODE. AS A RESULT, THE REPORTING ELEMENTS CANNOT BE ELIMINATED AS THE SOURCE OF THE CONTAMINATION, AND VENDORS CANNOT BE POSITIVELY IDENTIFIED AS THE SOURCE.

2. FACTORY DELIVERED EQUIPMENT AND SHRINK WRAPPED SOFTWARE CANNOT BE TRUSTED TO BE FREE OF MALICIOUS CODE. VENDORS FREQUENTLY REACQUIRE PRODUCTS AFTER CUSTOMERS HAVE EVALUATED, LEASED, OR RETURNED THE ITEMS. THESE RETURNED PRODUCTS ARE OFTEN REPACKAGED AND SENT OUT AGAIN AFTER BEING EXPOSED TO A VARIETY OF COMMERCIAL/RESIDENTIAL ENVIRONMENTS. NEW PRODUCTS CAN ALSO BE CONTAMINATED WHILE IN PRODUCTION AT CONTROLLED FACILITIES.

3. ASSIST RECOMMENDS THAT DOD ELEMENTS INCLUDE A CLAUSE IN PROCUREMENT CONTRACTS FOR COMPUTER HARDWARE/SOFTWARE THAT DESIGNATES THE VENDOR AS BEING RESPONSIBLE FOR THE SANITIZATION COSTS OR REPLACEMENT OF NEW PRODUCTS THAT ARE CONTAMINATED WITH MALICIOUS CODE WHEN DELIVERED. IN ORDER TO ESTABLISH THE SOURCE OF CONTAMINATIONS, DOD SITES NEED TO HAVE SOUND PROCEDURES IN PLACE TO SCAN NEW PRODUCTS FOR MALICIOUS CODE.

4. RECOMMENDED PROCEDURES:

A. EACH DOD SITE SHOULD ESTABLISH A FORMAL, WRITTEN PROCEDURE FOR THE INITIAL SCANNING OF ALL INCOMING HARDWARE/SOFTWARE PRODUCTS FOR MALICIOUS CODE BY SPECIFIED PERSONNEL (E.G. TERMINAL AREA SECURITY OFFICERS). THE PERSONNEL RESPONSIBLE FOR PERFORMING THE SCANS MUST MAINTAIN THE MOST CURRENT VERSION OF THE MALICIOUS CODE DETECTION PROGRAM IN USE AT THE SITE.

B. THE INITIAL SCAN SHOULD BE PERFORMED ON EACH INDIVIDUAL ITEM DELIVERED BEFORE THE PRODUCT IS RELEASED FOR GENERAL USE. WHEN HARDWARE SYSTEMS ARE INVOLVED, THE SCANNING SHOULD BE PERFORMED BEFORE ANY SOFTWARE IS INSTALLED BY SITE PERSONNEL.

C. SCANNING OF DISKS AND MEMORY CONTAINED IN NEW HARDWARE SHOULD BE PERFORMED USING A TRUSTED COPY OF THE DETECTION SOFTWARE THAT IS LOCATED ON A WRITE PROTECTED DISKETTE. SOFTWARE SHOULD BE SCANNED ON A STANDALONE SYSTEM THAT HAS BEEN SCANNED ITSELF IMMEDIATELY BEFORE THE NEW PRODUCT IS ANALYZED.

D. IF MALICIOUS CODE IS DETECTED ON A PRODUCT, A DETAILED ANALYSIS MUST BE PERFORMED TO ENSURE THAT THE INCIDENT WAS NOT A FALSE POSITIVE. IF A DOD SITE LACKS THE EXPERTISE OR RESOURCES TO PERFORM SUCH AN ANALYSIS, ASSIST CAN PERFORM THE DETAILED ANALYSIS AND EXPERTLY VERIFY THE INCIDENT IN THE EVENT A CLAIM IS MADE FOR RESTITUTION FROM A VENDOR. DO NOT RETURN THE PRODUCT TO THE VENDOR FOR THEIR ANALYSIS UNDER ANY CIRCUMSTANCES UNTIL DOD PERSONNEL HAVE VERIFIED THE CONTAMINATION.

E. NOTIFY ASSIST WHENEVER MALICIOUS CODE IS IDENTIFIED ON A SYSTEM. AN INCIDENT THAT MAY SEEM INSIGNIFICANT AT A LOCAL LEVEL MAY BE PART OF A MORE SEVERE PROBLEM IN AN EXPANDED COMMUNITY, AND MULTIPLE REPORTS MAY HELP IDENTIFY THE SOURCE OF THE PROBLEM. IF A DOD SITE NEEDS HELP FROM ASSIST TO VERIFY A CONTAMINATION INCIDENT, ASSIST REQUESTS THE SITE MAKE AVAILABLE THE SUSPECT ITEMS THAT HAVE BEEN HANDLED ACCORDING TO THE PROCEDURES LISTED ABOVE. IF POSSIBLE, LEAVE REMAINING ITEMS PACKAGED UNTIL QUALIFIED PERSONNEL CAN ANALYZE THOSE ITEMS AS WELL. EXPERT ANALYSIS OF PRODUCTS TAKEN DIRECTLY FROM FACTORY PACKAGING WILL STRENGTHEN A POSSIBLE CLAIM AGAINST A VENDOR.

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 696-1924/5/6 OR DSN 226-1924/5/6. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN ALSO BE REACHED VIA E-MAIL AT "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL", BY DIALING INTO THE ASSIST ELECTRONIC BULLETIN BOARD AT (703) 696-8726, DSN 226, AND LEAVING A MESSAGE FOR THE SYSOP, OR BY LEAVING A VOICE MAIL MESSAGE FOR THE ASSIST TEAM AT (703) 696-1904 (SELECT '9').

BT