Re: ssh trojaned

From: Nick Lange (nicklangeat_private)
Date: Mon Aug 05 2002 - 10:51:24 PDT


    I'm not so sure I buy that.
    
    After the initial insertion into the mirrored network, how many times is the
    file updated? I can't imagine terribly frequently except for when a new
    release is offered and hence another entry into the network.
    So this leads to a lack of trust in two situations: new entries, or entries
    modified after insertion. New entries eventually have to be given implicit
    trust at some point, [for example, on top of the new entry in the system of
    mirrors, the webpage being updated stating there's a new release, the
    checksums involved, not to mention an e-mail signed by the author - the
    probability of some third party falsifying all three items is much lower
    than the corruption of any one of them individually (well, at least in
    openssh's case, where the main distribution site and the e-mail acct are on
    different machines)]. Once again, eventually you have to make a trust
    decision before installing any foreign code that you have not inspected
    yourself, but automated tools can increase the probability that poisoned
    files inserted into a network of mirrors are caught.
    Granted most mirrors are synced via rsync, but perhaps the mirroring
    software can be tuned to not update the accepted file suffix of a file
    signature except for at specified intervals; so whereas the poisoned file
    will propagate through the network of mirrors, the signature will not;
    furthermore, if this yet-to-exist tool operates on a more frequent interval
    than the signature updating sync'ing does, then the poisoned files can be
    caught fairly quickly.
    Nick
    
    ----- Original Message -----
    From: <loki_at_private>
    To: "Nick Lange" <nicklangeat_private>
    Cc: <vuln-devat_private>
    Sent: Monday, August 05, 2002 10:51 AM
    Subject: Re: ssh trojaned
    
    
    > Hi,
    >
    > On Mon, Aug 05, 2002 at 09:02:38AM -0500, Nick Lange wrote:
    > > From: "Nick Lange" <nicklangeat_private>
    > > To: <vuln-devat_private>
    > > Subject: Re: Re: ssh trojaned
    > > Date: Mon, 5 Aug 2002 09:02:38 -0500
    > > X-Mailer: Microsoft Outlook Express 5.50.4807.1700
    >             ^^^^^^^^^^^^^^^^^^^^^^^^^
    >     Warning: You are using software from Microsoft.
    >
    > > or perhaps, if I am mirror A have a watchdog script compare my md5 sum to
    > > every other md5 sum across the mirrors, and take some action should the
    > > ratio of unmatching MD5's fall below a certain percentage...
    >
    > that would not work because a smart attacker would serve the correct
    > file and hash to the watchdog scripts, iss.com, and so on and
    > serve the trojaned file to presumedly unsuspecting victims only.
    > iirc, the trojaned version of epic was served to specific ip ranges
    > only.
    >
    > --loki
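
Added example, not part of the original messages: a sketch of the watchdog idea discussed in this thread, checking each mirror's copy against a digest pinned at the last slow signature sync as well as against the other mirrors. SHA-256 stands in for the MD5 sums mentioned in the thread; the mirror names, file contents and the `audit_mirrors` function are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter


def digest(data: bytes) -> str:
    """Hex SHA-256 of a fetched file (stand-in for the thread's MD5 sums)."""
    return hashlib.sha256(data).hexdigest()


def audit_mirrors(pinned: str, fetched: dict, min_agreement: float = 0.8) -> dict:
    """Compare what each mirror served against a pinned digest and against its peers.

    pinned  -- digest recorded at the last (infrequent) signature sync
    fetched -- mirror name -> file bytes as served to this watchdog
    """
    if not fetched:
        raise ValueError("no mirror responses to audit")
    digests = {name: digest(body) for name, body in fetched.items()}
    # Check 1: the file may have been re-synced, but the pinned digest has not.
    off_pin = sorted(n for n, d in digests.items()
                     if not hmac.compare_digest(d, pinned))
    # Check 2: cross-mirror comparison, as in the quoted suggestion.
    majority, votes = Counter(digests.values()).most_common(1)[0]
    outliers = sorted(n for n, d in digests.items() if d != majority)
    agreement = votes / len(digests)
    return {
        "off_pin": off_pin,
        "outliers": outliers,
        "agreement": agreement,
        "majority_matches_pin": majority == pinned,
        "alarm": bool(off_pin) or agreement < min_agreement,
    }


# Constructed sample data: the modified file has already propagated to three
# of four mirrors, while the pinned digest predates the modification.
GOOD = b"constructed release tarball contents"
BAD = GOOD + b" plus constructed modification"
PINNED = digest(GOOD)


def demo_poisoned() -> dict:
    return audit_mirrors(PINNED, {"mirror-a": GOOD, "mirror-b": BAD,
                                  "mirror-c": BAD, "mirror-d": BAD})


def demo_clean() -> dict:
    return audit_mirrors(PINNED, {m: GOOD for m in ("mirror-a", "mirror-b")})
```

In the poisoned case the cross-mirror vote alone would single out the one clean mirror as the outlier; the pinned digest is what identifies the three modified copies. As the quoted reply points out, the audit only covers what the mirrors serve to the watchdog itself.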
    


