Firewall Wizards mailing list archives

Re: Re: Highlighting Security Issues


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 06 Aug 2004 15:50:32 -0400

firewalladmin () bellsouth net wrote:
This kind of program/tool would probably find its heaviest use by skilled hackers and unethical systems 
administrators who surgically plant/run it against a select few. Imagine a scenario where a foreign government 
persuades a disgruntled sysadmin (either through social engineering or for monetary reward) to "frame" a higher level 
government official in such a way as to remove him from his job? Your thoughts?

Some say this has already happened. ;)

I think it's quite plausible and not even very difficult. Here, in fact, is a recipe
for building it:
        1) determine target's O/S platform
        2) acquire the same thing or as close as you can get
        3) tripwire the disk
        4) surf/download/collect porn/Email to Al Qaeda to your heart's content
        5) re-baseline the tripwire database
        6) make a semi-skilled effort at cleaning some of it up
                a) record the file data PRIOR to cleanup
                b) record the transactions (rmdir, whatever) used to cleanup
        7) extract out the diffs AND the deleted files and roll them into an overlay patch
        8) overlay the patch on the target's machine using your
                trojan horse
        9) issue the cleanup transactions on the target machine; so tools like
                EnCase will find the "deleted files" in the free blocks
        10) have your tool overwrite itself with obscene mpeg data, or whatever. :)

You wouldn't even need a sysadmin to do the job if you could trojan or 'bot a
target in the victim's network. But if you had administrator level access it'd be a
cakewalk.

Part of the beauty of this scheme is that the target's immediate reaction
(being innocent) is going to be angry denial and protestation of innocence.
Of course the system, when analyzed, would (appear to) show that the target
had invested some effort in trying to configure the system to wipe itself
if examined, etc. One could build a very pretty wilderness of mirrors - and
it only has to hold together long enough to ruin a career.

I had a dinner discussion with some of my "friends in weird places" the other day
about the lack of effective use of professional-grade disinformation in American
politics. :) They think I'm sick too but agreed it'd work all too well.
It may happen eventually so we all need to be on the lookout for it.
Consider the effect on the upcoming election if someone very
close to Kerry or Bush was "outed" as having a computer full of confidential
documents belonging to the other party - which had obviously been "stolen".
If this happened RIGHT BEFORE THE VOTE, it could have a dynamic impact.
The "discovery" would have to be carefully timed, because the American
Public's attention span is so damned short... One could easily put the
whammy on an estranged spouse by jiggering their system to make it
look as if they had been reading up on how to dispose of a corpse
(Why did you google for "corpse smelling dog" Mr Ranum? Why were
you trying to buy a gallon of lye and ship it to Mr Albert Fegg, at a
mailing service address that you set up online with your credit card?)

I am partly being silly with these scenarios, but in case someone thinks
this is good material for humor: it's not. In some parts of the world this
kind of disinformation attack could easily be made lethal to the target.

mjr.
(PS - have I convinced any of the list's readers that I am not a
good person to piss off? I hope not...)    ;) 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
