Full Disclosure mailing list archives

Trust vs Spoof in Advisories


From: David Kennedy CISSP <david.kennedy () acm org>
Date: Thu, 19 Dec 2002 16:15:19 -0500

At 11:55 AM 12/19/02 -0500, iDEFENSE Labs wrote:

*** PGP Signature Status: good
*** Signer: iDEFENSE Labs <labs () idefense com> (Invalid)
*** Signed: 12/19/02 11:44:08 AM
*** Verified: 12/19/02 3:58:01 PM
*** BEGIN PGP VERIFIED MESSAGE ***

iDEFENSE Security Advisory 12.19.02:
http://www.idefense.com/advisory/12.19.02.txt
Multiple Security Vulnerabilities in Common Unix Printing System
(CUPS) December 19, 2002

The headers from this message include:

Received: from NETSYS.COM (localhost [127.0.0.1])
        by netsys.com (8.11.6/8.11.6) with ESMTP id gBJHNeD01441;
        Thu, 19 Dec 2002 12:23:42 -0500 (EST)
Received: from idsrv10.idefense.com (user242.idefense.com
[63.117.254.242] (may be forged))
        by netsys.com (8.11.6/8.11.6) with ESMTP id gBJGvED28763
        for <full-disclosure () lists netsys com>;
        Thu, 19 Dec 2002 11:57:14 -0500 (EST)

nslookup 63.117.254.242
Canonical name: user242.idefense.com
Aliases:
 242.254.117.63.in-addr.arpa
Addresses:
 63.117.254.242

Maybe it's just me, but if I'd had a spoofed advisory posted widely
lately, and I had a "real" advisory I wanted people to pay attention
to, I'd send it from an IP that resolved cleanly and I'd sign it with
a PGP key that was signed by more than one person whose key is signed
only by himself.

Otherwise the cautious would spend a lot of time checking IPs and
PGP keys and still not know for sure if the advisory was spoofed or
not.

At least there's a URL for the advisory.  I guess this follows the
Microsoft model.  Their last advisory had a bad PGP signature, but
when you complain to them about it, they just refer you to their
website.



-- 
Regards,

David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.
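
The header check described in the message, as an added example that is not part of the original post: it parses the two Received headers quoted above and reports the "(may be forged)" annotation the receiving server recorded and any difference between the HELO name and the reverse-DNS name. The function names and finding texts are assumptions made for this illustration.

```python
import ipaddress
import re

# The two Received headers quoted in the message, unfolded to one string each.
HEADERS = [
    "Received: from NETSYS.COM (localhost [127.0.0.1]) "
    "by netsys.com (8.11.6/8.11.6) with ESMTP id gBJHNeD01441; "
    "Thu, 19 Dec 2002 12:23:42 -0500 (EST)",
    "Received: from idsrv10.idefense.com (user242.idefense.com "
    "[63.117.254.242] (may be forged)) "
    "by netsys.com (8.11.6/8.11.6) with ESMTP id gBJGvED28763 "
    "for <full-disclosure () lists netsys com>; "
    "Thu, 19 Dec 2002 11:57:14 -0500 (EST)",
]

# Layout: from <HELO> (<rDNS name> [<IP>] (may be forged)) by <receiver>
HOP = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]"
    r"(?P<forged>\s+\(may be forged\))?\)\s+by\s+(?P<by>\S+)"
)

def parse_hop(header):
    """Return the hop's fields as a dict, or None if the layout is not recognised."""
    m = HOP.match(" ".join(header.split()))  # collapse header folding
    if not m:
        return None
    hop = m.groupdict()
    hop["forged"] = bool(hop["forged"])
    return hop

def findings(hop):
    """Reasons a reader cannot take this hop's sending host at face value."""
    if ipaddress.ip_address(hop["ip"]).is_loopback:
        return []  # local hand-off inside the receiving server
    notes = []
    if hop["forged"]:
        notes.append("receiver marked the rDNS name 'may be forged'")
    if hop["rdns"] and hop["rdns"].lower() != hop["helo"].lower():
        notes.append("HELO name differs from rDNS name")
    return notes

def review(headers):
    hops = [parse_hop(h) for h in headers]
    return [(h["ip"], findings(h)) if h else (None, ["unrecognised layout"]) for h in hops]

if __name__ == "__main__":
    for ip, notes in review(HEADERS):
        print(ip, notes or ["nothing flagged"])
```

Neither finding proves a spoof; each only tells the reader that the headers alone do not establish the sender, so the PGP key's trust path still has to be checked.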
