Interesting People mailing list archives
IP: New attack on PGP keys with a Word Macro from RISKS
From: Dave Farber <farber () cis upenn edu>
Date: Wed, 03 Feb 1999 03:51:54 -0500
Date: Fri, 29 Jan 1999 23:11:40 -0800 (PST) From: Fred Cohen <fc () all net> I just got a look at a Word file (CALIG.DOC) that contains user IDs and passwords to pornographic sites. In addition to these pointers, it has a Trojan Horse that finds the user's private PGP key ring and ftp's it to: 209.201.88.110 (codebreakers.org) user anonymous password itsme@ directory incoming binary mode stored name: NewSecRingFile[0-9][0-9][0-9][0-9] This Trojan does its job in visual basic and - except for the initial notice (if enabled) that macros are present - gives no indication of this function that it performs. I figure the best defense against this is to: 1) Have thousands of users ftp phony files to that IP address and filename on a regular basis, thus making it impossible to get any real PGP keys - preferably send valid-looking PGP keys so they have to waste a lot of time cracking them. 2) Cut off all service for ftp with 209.201.88.110 (codebreakers.org) - either at the ISP, at your gateway, or at the borders to your country. 3) Prosecute for possession of access devices - with international cooperation between authorities. 4) Tell your people that this has been done so they will stop looking at pornography listing files fat chance this will work). At any rate, I hope that you will take prudent precautions within your organization against this potential attack on the security of your private keys. Fred Cohen & Associates: http://all.net - fc () all net - tel/fax:925-454-0171 Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225 [Much-too-long disclaimer omitted, separating the two roles. PGN]
Current thread:
- IP: New attack on PGP keys with a Word Macro from RISKS Dave Farber (Feb 03)