Bugtraq mailing list archives

Re: your mail


From: cklaus () shadow net (Christopher Klaus)
Date: Mon, 16 May 94 18:48:01 EDT



Steven C. Blair wrote :
|| 
|| John MacDonald says:
        ***^*****
      Macdonald
|| 
||    There is one advantage in doing this sort of thing.  There is
||    a powerful security advantage in having many off-site copies
||    of the ls-lR+hash file.  It is *really* hard for a cracker
||    to spoof a change to an existing file
|| 
|| If folks would quit using writable directories in their hierarchies then the
|| problem goes away. There are few to NO compelling reasons with my years of
|| experience that justify writable directories in anonymous FTP. You're just
|| asking for trouble, with a  big "T".
|| 
|| If you must justify having a writable directory that is FTP reachable from an
|| external network, either use a separate login with a one-time passwd that is
|| changed mutually by both parties on your sites' end, or learn the
|| intricacies(sp?) of WU-FTPD which can prevent a lot of problems.

That is a separate issue.

Having checksums, and making it difficult to hide the existence
of a change by maintaining external copies of the expected
value of the checksum, is a valuable tool for discovering that
a breach has occurred.

Getting the permissions right can prevent many types of such
breaches.

Not only do some sites have FTP writable directories, but many of the FTP sites
have other security vulnerabilities that allow an intruder to get in.  So, even
if the admin set up FTP correctly, it won't help much if an intruder has root
on the FTP machine.

If FTP clients had an automatic checksum checker that could compare with the
FTP server, people would be able to easily test if the checksums have been
messed with or not.  The intruder would need to modify all the copies kept
on archie, etc.  By having this checksum ability, this will stop breaches or
trojans that get entered into the public AFTER the author has released his
program.  This will not stop breaches or trojans that get implemented into
the author's own version and then get distributed.  At least then, we would
know where the trojan was 1st introduced.




-- 
Christopher William Klaus  <cklaus () shadow net>  <iss () shadow net>
Internet Security Systems, Inc.   
2209 Summit Place Drive,Dunwoody 
GA 30350-2430. (404)998-5871.
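As an added illustration of the multi-copy checksum check discussed in this thread (example code written for this archive page, not from the original posters): each independently fetched copy of the hashed listing votes on a file's expected digest, disagreement between copies is reported, and downloaded files are verified against the agreed value, so an intruder who only rewrites the listing on the compromised server is outvoted. The `<sha256-hex>  <path>` manifest format, SHA-256 as the hash, and the sample files are assumptions.

```python
import hashlib
from collections import Counter

def parse_manifest(text):
    """Parse a hashed listing; assumed line format is '<sha256-hex>  <path>'."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, path = line.split(None, 1)
            entries[path.strip()] = digest.lower()
    return entries

def reconcile_copies(copies):
    """Each independently fetched manifest copy votes on every path's digest.
    Returns (majority digest per path, vote breakdown for disputed paths)."""
    parsed = [parse_manifest(c) for c in copies]
    consensus, disputed = {}, {}
    for path in set().union(*parsed):
        votes = Counter(m[path] for m in parsed if path in m)
        digest, count = votes.most_common(1)[0]
        consensus[path] = digest
        if len(votes) > 1 or count < len(parsed):  # disagreement, tie or gap
            disputed[path] = dict(votes)
    return consensus, disputed

def check_archive(files, copies):
    """files: {path: bytes} from the FTP server -> ({path: matches?}, disputed)."""
    consensus, disputed = reconcile_copies(copies)
    verdict = {p: hashlib.sha256(d).hexdigest() == consensus.get(p)
               for p, d in files.items()}
    return verdict, disputed

# Constructed sample: the released tool.sh and a copy altered after release.
README = b"Tools archive, May 1994\n"
GOOD_TOOL = b"#!/bin/sh\necho hello\n"
ALTERED_TOOL = GOOD_TOOL + b"# line added after release\n"

def _manifest(readme, tool):
    return (f"{hashlib.sha256(readme).hexdigest()}  pub/README\n"
            f"{hashlib.sha256(tool).hexdigest()}  pub/tool.sh\n")

# Two off-site copies keep the original digest; only the server's copy changed.
MANIFEST_COPIES = [_manifest(README, GOOD_TOOL), _manifest(README, GOOD_TOOL),
                   _manifest(README, ALTERED_TOOL)]
SERVER_FILES = {"pub/README": README, "pub/tool.sh": ALTERED_TOOL}

if __name__ == "__main__":
    verdict, disputed = check_archive(SERVER_FILES, MANIFEST_COPIES)
    for path in sorted(verdict):
        print(path, "OK" if verdict[path] else "MISMATCH", disputed.get(path, ""))
```

As the post notes, this only catches alterations made after the author's release: if the author's own copy was already trojaned, every manifest copy agrees on the bad digest.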