Vulnerability Development mailing list archives
Re: ssh trojaned
From: "Nick Lange" <nicklange () wi rr com>
Date: Mon, 5 Aug 2002 12:51:24 -0500
I'm not so sure I buy that. After the initial insertion into the mirrored network, how many times is the file updated? I can't imagine terribly frequently except for when a new release is offered and hence another entry into the network. So this leads to lack of trusting in two situations: new entries, or entries modified after insertion.

New entries eventually have to be given implicit trust at some point, [for example, on top of the new entry in the system of mirrors, the webpage being updated stating there's a new release, the checksums involved, not to mention an e-mail signed by the author - the probability of some third party falsifying all three items is much lower than the corruption of any one of them individually (well at least in openssh's case where the main distribution site and the e-mail acct are on different machines)]. Once again, eventually you have to make a trust decision before installing any foreign code that you have not inspected yourself, but automated tools can increase the probability that poisoned files inserted into a network of mirrors are caught.

Granted most mirrors are synced via rsync, but perhaps the mirroring software can be tuned to not update the accepted file suffix of a file signature except for at specified intervals; so whereas the poisoned file will propagate through the network of mirrors, the signature will not; furthermore, if this yet-to-exist tool operates on a more frequent interval than the signature updating sync'ing does, then the poisoned files can be caught fairly quickly.

Nick

----- Original Message -----
From: <loki_ () softhome net>
To: "Nick Lange" <nicklange () wi rr com>
Cc: <vuln-dev () securityfocus com>
Sent: Monday, August 05, 2002 10:51 AM
Subject: Re: ssh trojaned

Hi,

On Mon, Aug 05, 2002 at 09:02:38AM -0500, Nick Lange wrote:
> From: "Nick Lange" <nicklange () wi rr com>
> To: <vuln-dev () securityfocus com>
> Subject: Re: Re: ssh trojaned
> Date: Mon, 5 Aug 2002 09:02:38 -0500
> X-Mailer: Microsoft Outlook Express 5.50.4807.1700
            ^^^^^^^^^^^^^^^^^^^^^^^^^
Warning: You are using software from Microsoft.

> or perhaps, if I am mirror A have a watchdog script compare my md5 sum to
> every other md5 sum across the mirrors, and take some action should the
> ratio of unmatching MD5's fall below a certain percentage...

that would not work because a smart attacker would serve the correct file and hash to the watchdog scripts, iss.com, and so on and serve the trojaned file to presumedly unsuspecting victims only. iirc, the trojaned version of epic was served to specific ip ranges only.

--loki
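
The cross-mirror watchdog proposed in this exchange, together with the selective-serving objection raised against it, as an added example that is not part of either poster's message. Mirror names, vantage-point names, the sample observations and the 0.9 threshold are constructed, SHA-256 stands in for the MD5 sums mentioned in the thread, and catching a split view assumes at least one vantage point sits inside the address range the attacker targets.

```python
import hashlib
from collections import Counter, defaultdict

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: (vantage point, mirror, digest of the file as served).
GOOD = digest(b"release tarball")
BAD = digest(b"release tarball + backdoor")
OBSERVATIONS = [
    ("watchdog", "mirror-a", GOOD), ("home-dsl", "mirror-a", GOOD),
    ("watchdog", "mirror-b", GOOD), ("home-dsl", "mirror-b", BAD),  # selective serving
    ("watchdog", "mirror-c", BAD),  ("home-dsl", "mirror-c", BAD),  # poisoned for everyone
    ("watchdog", "mirror-d", GOOD), ("home-dsl", "mirror-d", GOOD),
    ("watchdog", "mirror-e", GOOD), ("home-dsl", "mirror-e", GOOD),
]

def audit(observations, min_agreement=0.9):
    """Compare what each mirror served to each vantage point.

    split_view: mirrors that gave different digests to different clients,
                the case a single well-known watchdog cannot see.
    outliers:   mirrors that consistently disagree with the majority digest.
    agreement:  share of all mirrors consistently serving the majority digest.
    """
    seen = defaultdict(set)
    for _vantage, mirror, dig in observations:
        seen[mirror].add(dig)

    split_view = sorted(m for m, digs in seen.items() if len(digs) > 1)

    # Only mirrors with one consistent answer get a vote on the majority digest.
    votes = Counter(next(iter(digs)) for digs in seen.values() if len(digs) == 1)
    majority, count = votes.most_common(1)[0] if votes else (None, 0)

    outliers = sorted(m for m, digs in seen.items()
                      if len(digs) == 1 and majority not in digs)
    agreement = count / len(seen) if seen else 0.0
    alarm = bool(split_view or outliers or agreement < min_agreement)
    return {"majority": majority, "split_view": split_view,
            "outliers": outliers, "agreement": agreement, "alarm": alarm}

if __name__ == "__main__":
    print("all vantage points:", audit(OBSERVATIONS))
    # A lone watchdog sees mirror-b as clean, which is the objection in the reply.
    print("watchdog only:     ", audit([o for o in OBSERVATIONS if o[0] == "watchdog"]))
```

A majority vote like this still trusts the majority, so it complements rather than replaces verifying the author's signature on the release.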