[lug] i got hacked

Sexton, George gsexton at mhsoftware.com
Fri Apr 19 13:39:58 MDT 2002


I haven't really dug into it. My understanding (and this is gleaned more
from a general understanding of cryptography than reading the code) is that
they generate a public key and private key, and sign the database. They are
probably using SHA-1 and DSA to sign it. Since the private key is encrypted
with the password (presumably using a symmetric cipher) it should not be
possible to update the database.

There are a lot of other ways to fake it so that if you don't look closely
it would be missed. Just send the same report day after day. You would have
to be pretty alert to notice that new things were not showing up as they
should.


-----Original Message-----
From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
Behalf Of Peter Hutnick
Sent: 19 April, 2002 11:29 AM
To: lug at lug.boulder.co.us; Sexton, George
Subject: Re: [lug] i got hacked


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 19 April 2002 10:30 am, Sexton, George wrote:
> I don't think it's quite that easy. The tripwire database is signed.

Root can't update the database?

I haven't used tripwire, but I have used AIDE, and it was critical to keep
the DB on physically RO media.  If someone roots the box and the DB is on a
physically RW device mounted RO he could simply install his rootkit, remount
RW, update the DB, then remount RO.

I feel it is equally important to keep the binary that checks the checksums
on a RO device.

Could you explain just a little bit how tripwire gets around this?  I
imagine it could be done with public key signing, with the private key on
separate media (say, a floppy).  But this doesn't get around the problem of
the binary being replaced with a version that lies, and you still need RO
media, just not as frequently.

- -Peter

- --
/"\ ASCII Ribbon campaign against HTML e-mail
\ /
 X   Get my PGP key at http://hutnick.com/pgp
/ \  6128 5651 6F23 EC17 6EBD  737D 960A 20E6 76CA 8A59
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8wFPNlgog5nbKilkRArKbAJ4vnDYeiGMC4P7XzWOjjE/T8kbZ/QCgsDSy
xxr74n95z8WpFUEC3ZT6180=
=YDoz
-----END PGP SIGNATURE-----

_______________________________________________
Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
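The two points argued in this exchange (a root intruder can regenerate a plain checksum database after installing a rootkit, while a signed database whose private key is kept encrypted under a password cannot be re-signed without that password) are illustrated by the following added example. It is not Tripwire's or AIDE's code: it uses a toy textbook RSA keypair as a stand-in for the SHA-1/DSA signing George guesses at, an HMAC-SHA256 counter keystream as a stand-in for whatever symmetric cipher protects the key, and constructed sample file contents, so it runs with only the Python standard library.

```python
# Added example (not Tripwire/AIDE code): a signed file-integrity database.
# Toy RSA stands in for DSA; an HMAC keystream stands in for a real cipher.
import hashlib
import hmac
import secrets

HASH = "sha1"  # the digest the post mentions

# --- the integrity database: one "path  digest" line per file --------------

def build_db(files):
    """files: {path: content bytes}. Returns the canonical database text."""
    lines = [f"{p}  {hashlib.new(HASH, data).hexdigest()}"
             for p, data in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()

def check_files(db, files):
    """Return the paths whose current digest differs from the database."""
    expected = dict(line.split("  ", 1) for line in db.decode().splitlines())
    return [p for p, data in sorted(files.items())
            if expected.get(p) != hashlib.new(HASH, data).hexdigest()]

# --- toy textbook RSA (no padding), standing in for SHA-1/DSA ---------------

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Returns ((n, e), (n, d)); toy key size, for illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign_db(db, priv):
    n, d = priv
    return pow(int.from_bytes(hashlib.new(HASH, db).digest(), "big"), d, n)

def verify_db(db, sig, pub):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.new(HASH, db).digest(), "big")

# --- the private key at rest: encrypted under a password -------------------

def _keystream(key, length):
    """HMAC-SHA256 in counter mode, a stand-in for a real symmetric cipher."""
    blocks = (hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal_private_key(priv, password):
    n, d = priv
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    plain = d.to_bytes((n.bit_length() + 7) // 8, "big")
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))
    tag = hmac.new(key, salt + ct, "sha256").digest()
    return {"n": n, "salt": salt, "ct": ct, "tag": tag}

def open_private_key(sealed, password):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), sealed["salt"], 100_000)
    tag = hmac.new(key, sealed["salt"] + sealed["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        raise ValueError("wrong password or tampered key file")
    plain = bytes(a ^ b for a, b in zip(sealed["ct"], _keystream(key, len(sealed["ct"]))))
    return sealed["n"], int.from_bytes(plain, "big")

def scenario(password="correct horse", intruder_guess="hunter2"):
    """The thread's scenario on constructed sample files; returns outcomes."""
    files = {"/bin/ls": b"original ls", "/bin/ps": b"original ps"}  # constructed
    pub, priv = generate_keypair()
    db, sealed = build_db(files), seal_private_key(priv, password)
    sig = sign_db(db, priv)
    # an intruder with root swaps /bin/ps and regenerates the database
    hacked = dict(files, **{"/bin/ps": b"replaced ps"})
    forged_db = build_db(hacked)
    out = {
        "plain_db_flags_change": bool(check_files(forged_db, hacked)),
        "signed_db_flags_change": not verify_db(forged_db, sig, pub),
        "signature_accepts_original": verify_db(db, sig, pub),
    }
    try:
        open_private_key(sealed, intruder_guess)
        out["intruder_opened_key"] = True
    except ValueError:
        out["intruder_opened_key"] = False
    owner_priv = open_private_key(sealed, password)
    out["owner_can_resign"] = verify_db(forged_db, sign_db(forged_db, owner_priv), pub)
    return out

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Running `scenario()` shows the regenerated plain database passing its own check while the signature check rejects it, and the sealed key refusing a wrong password. It also shows the limit Peter raises: the outcome is only meaningful if `verify_db` and the public key it trusts are themselves loaded from media the intruder cannot write, since a replaced checker can report whatever it likes.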
