Doctor, doctor, give me the news…

I’ve got a bad case of … EDI VIRUS BLUES?

The other day – on, yes, the EDI-L Yahoo Group – I read a post about how a company’s Information Security department was worried about viruses and hackers gaining access through the EDI system and the documents we trade via EDI.  Most of the replies were, as you would suspect, “is your infosec group smoking crack..?!?” or something to that effect..

But it does beg the question – how susceptible are we to a virus, a trojan horse, a hack or some other kind of attack through our EDI processes?  There are no virus scanners or other system tools scanning the data as it comes into the system via our AS2 or bisync communications sessions.  There’s not much to stop the virus or hack or trojan from getting into the system, now is there…?

Sure, you may have a firewall set up, and the data must pass through it, but you’ve basically given that data (virus-laden or otherwise!) permission to travel through the wall simply by allowing the connection it travels along.

But that’s about the place where their concept of the attack falls flat…

Look at the way the data is transmitted – more or less as text – viewable in either hex or plain text.  Then your translator takes those characters and, based on your mapping specs, puts them into your system, populating the various files and data fields you’ve mapped them to.  That traffic cop of EDI translation directs the data flow into your system(s) to create orders, receive orders, and so on.

And it’s truly your translator and your map that end up acting as the virus defense line – by virtue of the fact that the data they could be sending (that virus code!) will fail in translation and never make it into your back-end system.  Even if they use one of the simplest hacks – a buffer overflow – you’re still pretty much safe, simply because they can send all the characters and data they want in the element, but you’re only looking at 10 characters.  Or 12 characters.  Or however long that data field is.
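Here is what that “translator and map as the defense line” looks like in code, as an added example that is not from the original post or any real translator: a toy X12-style segment parser that checks each mapped element against a constructed map spec (the `PO1_MAP` positions, lengths and kinds are assumptions) and rejects, rather than silently truncates, anything that is oversized, non-numeric where digits are expected, or not printable text.

```python
# Added example (not from the original post): a toy EDI "translator" that
# applies a map's element-length and character-set rules, so element data
# that does not fit the map never reaches the back-end fields.
import re

# Constructed, hypothetical map spec: element position -> (min_len, max_len, kind)
# kind "AN" = printable text, "N0" = digits only.
PO1_MAP = {
    1: (1, 20, "AN"),   # assigned identification
    2: (1, 15, "N0"),   # quantity ordered
    3: (2, 2, "AN"),    # unit of measure
    4: (1, 17, "N0"),   # unit price (digits only in this toy map)
}

# Approximation of the printable X12 character set: space through tilde.
PRINTABLE = re.compile(r"^[\x20-\x7e]*$")

class MapViolation(ValueError):
    """Raised when an element does not satisfy the map spec."""

def translate_segment(segment: str, spec: dict, element_sep: str = "*") -> dict:
    """Split one segment on the element separator and check every mapped
    element against the spec. Returns the populated fields, or raises
    MapViolation so nothing from a bad segment is written to the back end."""
    parts = segment.rstrip("~").split(element_sep)
    fields = {}
    for pos, (min_len, max_len, kind) in spec.items():
        value = parts[pos] if pos < len(parts) else ""
        if not PRINTABLE.match(value):
            raise MapViolation(f"element {pos}: non-printable characters")
        if not (min_len <= len(value) <= max_len):
            raise MapViolation(f"element {pos}: length {len(value)} not in {min_len}..{max_len}")
        if kind == "N0" and not value.isdigit():
            raise MapViolation(f"element {pos}: expected digits, got {value!r}")
        fields[pos] = int(value) if kind == "N0" else value
    return fields

# Constructed sample segments: one clean, one with a 40-character unit price
# (map allows 17), one with a control byte embedded in an element.
GOOD = "PO1*1*10*EA*1999~"
OVERSIZED = "PO1*1*10*EA*" + "9" * 40 + "~"
BINARY = "PO1*1*10*EA*19\x0099~"

def run_demo() -> dict:
    """Translate each sample and record either the fields or the rejection."""
    results = {}
    for name, seg in (("good", GOOD), ("oversized", OVERSIZED), ("binary", BINARY)):
        try:
            results[name] = translate_segment(seg, PO1_MAP)
        except MapViolation as exc:
            results[name] = f"rejected: {exc}"
    return results
```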

The other thing to remember about these files that we trade back and forth, however, is that they’re treated and sent (basically) as text documents.  Nearly all viruses, worms and trojan horses are programs… They’re EXECUTABLE files.  They’re sent as screen-savers or zip files or whatever – but, at their root – they’re executable files – programs.  This concept was brought up in the thread on the group, too.  And of course, the doomsday nay-sayers kept on about how you could get the malicious code into your system.

The best counter example to this, however, was the concept that I could create a wonderfully wicked virus – something that would truly erase all of your files on the hard-drive, recreate your “Favorites” (for Internet Explorer) with porn sites all about farm animals, recreate the Unabomber’s manifesto (as written by you, of course) and change all of your image files to naked images of the gender you least want to see naked…  And they’ll all be over 400 lbs of fleshy beauty.  Oh, yes, and your computer will blast – not just play – show tunes and 20s-flapper jazz at full volume…  Yeah, now that’s a VIRUS!!!

But the truth is, I could create this showstopper virus and send you the code – as a .txt file that you could open and view in Notepad or Word (or whatever writing program you use).  But will it cause any harm to your system..?  Nope…  Will those aforementioned show tunes and nudie shots render your system a disaster area..?  Nope.  All because it’s a set of instructions that isn’t presented in a way the computer will actually process and follow.  They’re nothing more than words – letters, numbers, symbols – characters – that you can view.

EDI documents are the same thing – they’re just characters that you (or your system) read and populate into those certain fields and files.  They don’t do anything other than that.  They won’t open your ports, put the modem into receive mode or do anything else that could compromise your system.  They won’t go digging into your financial data and hand over the credit card data you’ve got stored, or give the hacker the keys to your checking account.  They’re just text – readable collections of characters.

So, go ahead.  I dare you.  I double dare you.  I triple-ripple, double-dog dare you.  Create a virus to be sent via EDI.  And see how many systems you infect.

One of the other things to consider – even if it WAS possible to create a virus and send it via EDI – is whether it would truly be worth it..?  One of the bombs that often shows up on the battlegrounds of the Apple Mac vs. Windows PC wars is how safe the Macs are from viruses and attacks.  And it’s not that they’re truly safer or more secure.  Instead, it’s the law of “supply & demand”.  You’ve got hundreds of thousands of Windows PCs out there in the world.  Millions.  But only a few thousand Macs (by comparison).  So, where are you likely to get the most “bang for your buck” when creating a virus, hack or trojan horse?  By infecting 10% of the population?  Or by infecting the other 90%?  That’s right – it’s the 90% group you’re going after…  You’ve got the most chances for your seeds of evil to dig in and root and create the mayhem and carnage you’re hoping for.

EDI provides that same kind of safety as well.  There has to be so much forethought and planning on the part of the hacker – he’d have to create a document in a format you trade AND he’d have to create the map with the specific communications parameters (qualifier, ID, network, etc.), all of it in a format that your system would allow to translate AND move into your production fields and files.

Sorry – ain’t never gonna happen….

But, what’s YOUR take on the chances of virus attacks in EDI..?

Author: Craig Dunham – EDI Coordinator