[lug] i got hacked
Peter Hutnick
peter-lists at hutnick.com
Fri Apr 19 11:28:44 MDT 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 19 April 2002 10:30 am, Sexton, George wrote:
> I don't think it's quite that easy. The tripwire database is signed.
Root can't update the database?
I haven't used tripwire, but I have used AIDE, and it was critical to keep the
DB on physically RO media. If someone roots the box and the DB is on a
physically RW device mounted RO he could simply install his rootkit, remount
RW, update the DB, then remount RO.
I feel it is equally important to keep the binary that checks the checksums on
a RO device.
Could you explain just a little bit how tripwire gets around this? I imagine
it could be done with public key signing, with the private key on separate
media (say, a floppy). But this doesn't get around the problem of the binary
being replaced with a version that lies, and you still need RO media, just
not as frequently.
- -Peter
- --
/"\ ASCII Ribbon campaign against HTML e-mail
\ /
X Get my PGP key at http://hutnick.com/pgp
/ \ 6128 5651 6F23 EC17 6EBD 737D 960A 20E6 76CA 8A59
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8wFPNlgog5nbKilkRArKbAJ4vnDYeiGMC4P7XzWOjjE/T8kbZ/QCgsDSy
xxr74n95z8WpFUEC3ZT6180=
=YDoz
-----END PGP SIGNATURE-----
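The arrangement Peter sketches (private key on removable media signs the integrity database; the checker carries only the public key) can be shown concretely. The following Go program is an added example for this archive page, not code from the thread, AIDE or Tripwire. It builds a baseline of SHA-256 hashes over a constructed temporary directory, signs the canonical baseline with an Ed25519 key (standing in for the key on the floppy), and then plays out the two cases from the message: a file is replaced, which the signed baseline still catches, and the intruder re-runs "update the DB" to match the new file but cannot produce a valid signature without the private key. What the code cannot do, and what the post is really about, is protect itself: if the checker binary or the embedded public key sits on writable media, root can swap either, so those still belong on physically read-only storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Baseline maps a path (relative to the scanned root) to the hex SHA-256 of its contents.
type Baseline map[string]string

// Scan hashes every regular file under root: this is the "update the DB" step.
func Scan(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		sum := sha256.Sum256(data)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Serialize writes the baseline in a sorted, canonical text form so that the
// signature covers exactly one byte sequence per logical database.
func Serialize(b Baseline) []byte {
	paths := make([]string, 0, len(b))
	for p := range b {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s  %s\n", b[p], p)
	}
	return []byte(sb.String())
}

// Parse reverses Serialize (the checker reads the stored DB through this).
func Parse(data []byte) Baseline {
	b := Baseline{}
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		if parts := strings.SplitN(line, "  ", 2); len(parts) == 2 {
			b[parts[1]] = parts[0]
		}
	}
	return b
}

// SignBaseline is run with the private key from the offline media; VerifyBaseline
// needs only the public key, which is compiled into the (read-only) checker.
func SignBaseline(priv ed25519.PrivateKey, db []byte) []byte { return ed25519.Sign(priv, db) }
func VerifyBaseline(pub ed25519.PublicKey, db, sig []byte) bool {
	return ed25519.Verify(pub, db, sig)
}

// Compare lists files whose hash differs between the stored and current baselines.
func Compare(stored, current Baseline) []string {
	var changed []string
	for p, h := range stored {
		if cur, ok := current[p]; !ok {
			changed = append(changed, "missing: "+p)
		} else if cur != h {
			changed = append(changed, "modified: "+p)
		}
	}
	for p := range current {
		if _, ok := stored[p]; !ok {
			changed = append(changed, "added: "+p)
		}
	}
	sort.Strings(changed)
	return changed
}

// Demo builds a constructed file tree, signs its baseline, replaces one file, and
// then lets an intruder rebuild the baseline without the private key. It returns
// the changes the checker reports and whether the rebuilt baseline was rejected.
func Demo() (changes []string, forgedDBRejected bool, err error) {
	dir, err := os.MkdirTemp("", "integrity-demo")
	if err != nil {
		return nil, false, err
	}
	defer os.RemoveAll(dir)
	// Constructed sample files; contents are placeholders, not real binaries.
	if err = os.WriteFile(filepath.Join(dir, "ls"), []byte("original ls (constructed)"), 0o755); err != nil {
		return nil, false, err
	}
	if err = os.WriteFile(filepath.Join(dir, "passwd"), []byte("root:x:0:0:root:/root:/bin/sh\n"), 0o644); err != nil {
		return nil, false, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // priv represents the key on the floppy
	if err != nil {
		return nil, false, err
	}
	base, err := Scan(dir)
	if err != nil {
		return nil, false, err
	}
	db := Serialize(base)
	sig := SignBaseline(priv, db)

	// Case 1: a file is replaced. The signed DB still describes the originals.
	if err = os.WriteFile(filepath.Join(dir, "ls"), []byte("replaced ls (constructed)"), 0o755); err != nil {
		return nil, false, err
	}
	now, err := Scan(dir)
	if err != nil {
		return nil, false, err
	}
	if !VerifyBaseline(pub, db, sig) {
		return nil, false, fmt.Errorf("genuine baseline failed verification")
	}
	changes = Compare(Parse(db), now)

	// Case 2: the intruder re-runs "update the DB" so the hashes match, but the
	// old signature no longer covers the new bytes and no private key is at hand.
	forgedDBRejected = !VerifyBaseline(pub, Serialize(now), sig)
	return changes, forgedDBRejected, nil
}

func main() {
	changes, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("reported:", changes)
	fmt.Println("rebuilt baseline rejected:", rejected)
}
```

The signature is over the canonical serialization, so an attacker who edits the stored file in place and one who regenerates it from scratch are rejected the same way. Mounting the DB read-only is still worthwhile even with signing: it turns a silent "DB no longer verifies" condition into a loud failure to write, and it keeps the intruder from simply deleting the database and signature together.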