Firewall Wizards mailing list archives
Re: Re: Highlighting Security Issues
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 06 Aug 2004 15:50:32 -0400
firewalladmin () bellsouth net wrote:
> This kind of program/tool would probably find its heaviest use by skilled hackers and unethical systems administrators who surgically plant/run it against a select few. Imagine a scenario where a foreign government persuades a disgruntled sysadmin (either through social engineering or for monetary reward) to "frame" a higher level government official in such a way as to remove him from his job? Your thoughts?
Some say this has already happened. ;) I think it's quite plausible and not even very difficult. Here, in fact, is a recipe for building it:

1) determine target's O/S platform
2) acquire the same thing or as close as you can get
3) tripwire the disk
4) surf/download/collect porn/Email to Al Qaeda to your heart's content
5) re-baseline the tripwire database
6) make a semi-skilled effort at cleaning some of it up
   a) record the file data PRIOR to cleanup
   b) record the transactions (rmdir, whatever) used to cleanup
7) extract out the diffs AND the deleted files and roll them into an overlay patch
8) overlay the patch on the target's machine using your trojan horse
9) issue the cleanup transactions on the target machine; so tools like encase will find the "deleted files" in the free blocks
10) have your tool overwrite itself with obscene mpeg data, or whatever. :)

You wouldn't even need a sysadmin to do the job if you could trojan or 'bot a target in the victim's network. But if you had administrator level access it'd be a cakewalk.

Part of the beauty of this scheme is that the target's immediate reaction (being innocent) is going to be angry denial and protestation of innocence. Of course the system, when analyzed, would (appear to) show that the target had invested some effort in trying to configure the system to wipe itself if examined, etc. One could build a very pretty wilderness of mirrors - and it only has to hold together long enough to ruin a career.

I had a dinner discussion with some of my "friends in weird places" the other day about the lack of effective use of professional-grade disinformation in American politics. :) They think I'm sick too but agreed it'd work all too well. It may happen eventually so we all need to be on the lookout for it. Consider the effect on the upcoming election if someone very close to Kerry or Bush was "outed" as having a computer full of confidential documents belonging to the other party - which had obviously been "stolen"..

If this happened RIGHT BEFORE THE VOTE, it could have a dynamic impact. The "discovery" would have to be carefully timed, because the American Public's attention span is so damned short...

One could easily put the whammy on an estranged spouse by jiggering their system to make it look as if they had been reading up on how to dispose of a corpse (Why did you google for "corpse smelling dog" Mr Ranum? Why were you trying to buy a gallon of lye and ship it to Mr Albert Fegg, at a mailing service address that you set up online with your credit card?)

I am partly being silly with these scenarios, but in case someone thinks this is good material for humor: it's not. In some parts of the world this kind of disinformation attack could easily be made lethal to the target.

mjr.

(PS - have I convinced any of the list's readers that I am not a good person to piss off? I hope not...) ;)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards