[lug] i got hacked

Peter Hutnick peter-lists at hutnick.com
Fri Apr 19 13:51:49 MDT 2002



On Friday 19 April 2002 01:39 pm, Sexton, George wrote:
> I haven't really dug into it. My understanding (and this is gleaned more
> from a general understanding of cryptography than reading the code) is that
> they generate a public key and private key, and sign the database. They are
> probably using SHA-1 and DSA to sign it. Since the private key is encrypted
> with the password (presumably using a symmetric cipher) it should not be
> possible to update the database.

That makes sense, but then the whole system is only as strong as that 
password.

Consider that to get to this point we are talking about someone who has rooted 
the box.  They potentially see all your email, all the files you have stored on 
that system.  (All the files stored on systems you have key-based SSH access 
to . . .)  So you'd better have a damn fine password on that thing, 'cause 
Joe Blackhat is probably going to learn your wife's pet name and try it.  And 
rot13 it and try it, etc.

Seems more straightforward to me to just keep the DB (or at least the key) on 
a floppy.

Also, this doesn't address the issue of a trojaned tripwire binary that just 
tells you whatever you were told before the break in.  (By reading the log or 
your mailspool).

> There are a lot of other ways to fake it so that if you don't look closely
> it would be missed. Just send the same report day after day. You would have
> to be pretty alert to notice that new things were not showing up as they
> should.

I always diffed the current report against the previous one.  Seems like 
something as fancy as tripwire would have that built in.

-Peter

-- 
/"\ ASCII Ribbon campaign against HTML e-mail
\ /
 X   Get my PGP key at http://hutnick.com/pgp
/ \  6128 5651 6F23 EC17 6EBD  737D 960A 20E6 76CA 8A59
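The daily check Peter describes, diffing each integrity report against the previous one and treating an unchanged report as a warning sign in itself, as an added example that is not part of the thread and not tripwire's own code. It assumes a simplified constructed report format ("# integrity report <date>" header, then one "<path> <digest>" line per file) rather than tripwire's real output.

```python
# Constructed sample reports (not from the thread); each entry line is
# "<path> <digest>", a simplified stand-in for a tripwire-style listing.
REPORT_DAY1 = """\
# integrity report 2002-04-18
/bin/login 5c2a9e1d
/bin/ps 8f0b44aa
/etc/passwd 17d3c0be
"""
REPORT_DAY2 = """\
# integrity report 2002-04-19
/bin/login 5c2a9e1d
/bin/ps e0e0e0e0
/etc/passwd 17d3c0be
/usr/lib/.hidden 99ab01cd
"""


def parse_report(text):
    """Map each listed path to its digest; skip comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, digest = line.split(None, 1)
        entries[path] = digest
    return entries


def report_date(text):
    """Return the date from the '# integrity report <date>' header, or None."""
    for line in text.splitlines():
        if line.startswith("# integrity report "):
            return line.split()[-1]
    return None


def compare_reports(previous, current):
    """Diff two consecutive reports as a daily manual review would.

    Besides added/removed/changed paths, flag two signs that the checker's
    output is being replayed instead of regenerated: the new report is
    byte-for-byte identical to the old one, or its header date did not advance.
    """
    old, new = parse_report(previous), parse_report(current)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "replayed": previous == current,
        "stale_header": report_date(current) is not None
        and report_date(current) == report_date(previous),
    }
```

A report that is identical to yesterday's, or whose date never moves, is exactly the symptom of the replaying binary discussed above, so both flags deserve the same attention as a changed file.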
