lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: david.kennedy at acm.org (David Kennedy CISSP)
Subject: Trust vs Spoof in Advisories

-----BEGIN PGP SIGNED MESSAGE-----

At 11:55 AM 12/19/02 -0500, iDEFENSE Labs wrote:
>
>*** PGP Signature Status: good
>*** Signer: iDEFENSE Labs <labs@...fense.com> (Invalid)
>*** Signed: 12/19/02 11:44:08 AM
>*** Verified: 12/19/02 3:58:01 PM
>*** BEGIN PGP VERIFIED MESSAGE ***
>
>iDEFENSE Security Advisory 12.19.02:
>http://www.idefense.com/advisory/12.19.02.txt
>Multiple Security Vulnerabilities in Common Unix Printing System
>(CUPS) December 19, 2002

the headers from this message include:

Received: from NETSYS.COM (localhost [127.0.0.1])
	by netsys.com (8.11.6/8.11.6) with ESMTP id gBJHNeD01441;
	Thu, 19 Dec 2002 12:23:42 -0500 (EST)
Received: from idsrv10.idefense.com (user242.idefense.com
[63.117.254.242] (may be forged))
	by netsys.com (8.11.6/8.11.6) with ESMTP id gBJGvED28763
	for <full-disclosure@...ts.netsys.com>; Thu, 19 Dec 2002 11:57:14
- -0500 (EST)

>nslookup 63.117.254.242
>Canonical name: user242.idefense.com
>Aliases:
>  242.254.117.63.in-addr.arpa
>Addresses:
>  63.117.254.242

Maybe it's just me, but if I'd had a spoofed advisory posted widely
lately, and I had a "real" advisory I wanted people to pay attention
to, I'd send it from an IP that resolved cleanly and I'd sign it with
a PGP key that was signed by more than one person who's key is signed
only by himself.

Otherwise the cautious would spend a lot of time checking IP's and
PGP keys and still not know for sure if the advisory was spoofed or
not.

At least there's a URL for the advisory.  I guess this follows the
Microsoft model.  Their last advisory had a bad PGP signature, but
when you complain to them about it, they just refer you to their
website.


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
Comment: hacker=cybercriminal--the definition changed; get over it

iQCVAwUBPgI2qfGfiIQsciJtAQFwIQQA5CuI2NHV67e8ULkG9QXUWg8WvSHACC18
SkS9XDreQxLuhP2dBOCxVVnI1EzV6L75QfghYGdvlmECes8UhqQpofRdS3SGUpy1
VbwvbRx2Ihsu2g+4z9lGRtum7QuakfhJXIWmBnxLHsswHWJd3HW/8/NTQ5golP77
ixeD60jLZpw=
=htPn
-----END PGP SIGNATURE-----

-- 
Regards,

David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ