Message-ID: <BAY117-F332B1D4B60DC595F5F03E7A8CF0@phx.gbl>
Date: Sat, 01 Sep 2007 11:16:22 -0500
From: "John Hammond" <josephhammond@...mail.com>
To: psz@...erved.de, jason@....org
Cc: bugtraq@...urityfocus.com
Subject: Re: Sony: The Return Of The Rootkit
There are many other options outside of the Sony key without the rootkit
problem. One of the best devices that I have read about is from Stealth.
While I have yet to personally evaluate this product, as I understand it
there is no software outside of the standard USB driver needed to recognize
and use a standard USB key, apart from the initial device programming or a
lockout state.
http://www.gcn.com/print/26_14/44484-1.html
>From: Paul Sebastian Ziegler <psz@...erved.de>
>To: Jason Brooke <jason@....org>
>CC: bugtraq@...urityfocus.com
>Subject: Re: Sony: The Return Of The Rootkit
>Date: Sat, 01 Sep 2007 00:48:49 +0200
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
>I'll have to protest here - I never hit at the original article. As you
>can read in the blog entry (this is also why I posted the link) I think
>that they have done everything alright.
>
> > says "This USB
> > stick with rootkit-like behavior" and openly acknowledges that the
> > purpose of hiding files by the device is probably to try and prevent
> > tampering with the fingerprint authentication.
>
>Which is why I agree with them.
>
> > Their main point is that:
> >
> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) — depending on the
> > techniques employed by the antivirus software. It is therefore
> > technically possible for malware to use the hidden directory as a hiding
> > place."
>
>That is correct. It could be abused that way. Just like several other
>folders on e.g. Vista could be as well since they share that exact
>functionality. Still that doesn't make it technically a rootkit. It is a
>pretty dumb idea, I totally agree. However, AV really shouldn't be fooled
>by something like this anymore. Some still are, but they'll grow out of it.
>
>But just as Tyler Reguly phrased it just a few minutes earlier:
> > There's a number of reasons why this isn't actually a rootkit... The
> > problem with calling everything by the same name is that you degrade the
> > original meaning of the word
>
>This is the problem I was hitting at. And I am not trying to defend Sony.
>
>Many Greetings
>Paul
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.7 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
>UCgAjhn7CN0ApBMbOc+3WvM=
>=p7Ye
>-----END PGP SIGNATURE-----
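The quoted F-Secure description above implies the standard check for this class of hiding: an entry that a filtered enumeration API no longer reports is still reachable if you open it by its full path, so the two views disagree. The following is an added example (not code from this thread, from F-Secure, or from Sony) of that cross-view comparison. It is written against POSIX opendir/readdir and stat as a portable stand-in for the Win32 FindFirstFile/GetFileAttributes pair, and the hiding driver is simulated by a filter callback that drops names starting with "usb_"; the scratch directory, the names "drivers_ok" and "usb_fpr", and the filter itself are all constructed for the example.

```c
/* Added example: cross-view detection of a directory entry hidden from
   enumeration but reachable by direct path lookup. POSIX stand-in for the
   Win32 calls; the "hiding driver" is a simulated filter, not Sony's code. */
#define _XOPEN_SOURCE 700   /* mkdtemp, snprintf on glibc */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_NAMES 64
#define NAME_LEN 256

typedef int (*hide_fn)(const char *name);

/* Simulated hiding driver (constructed): suppress names starting "usb_". */
static int simulated_hide(const char *name) {
    return strncmp(name, "usb_", 4) == 0;
}

/* "API view": what a filtered enumeration API reports for dir.
   Returns number of names written, or -1 if dir cannot be opened. */
static int api_view(const char *dir, hide_fn hide, char names[][NAME_LEN], int max) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && n < max) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        if (hide && hide(e->d_name)) continue;   /* the filter drops this entry */
        strncpy(names[n], e->d_name, NAME_LEN - 1);
        names[n][NAME_LEN - 1] = '\0';
        n++;
    }
    closedir(d);
    return n;
}

/* Cross-view check: for each candidate name, flag it when a direct stat() of
   dir/name succeeds (the "cd into it if you know the name" path) but the
   name is absent from the enumeration. Returns count flagged, -1 on error. */
static int cross_view_hidden(const char *dir, hide_fn hide,
                             const char *const *candidates, int ncand,
                             char out[][NAME_LEN], int max_out) {
    char listed[MAX_NAMES][NAME_LEN];
    int nlisted = api_view(dir, hide, listed, MAX_NAMES);
    if (nlisted < 0) return -1;
    int found = 0;
    for (int i = 0; i < ncand && found < max_out; i++) {
        char path[4096];
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, candidates[i]);
        if (stat(path, &st) != 0) continue;   /* not present at all: nothing to flag */
        int seen = 0;
        for (int j = 0; j < nlisted; j++)
            if (strcmp(listed[j], candidates[i]) == 0) { seen = 1; break; }
        if (!seen) {
            strncpy(out[found], candidates[i], NAME_LEN - 1);
            out[found][NAME_LEN - 1] = '\0';
            found++;
        }
    }
    return found;
}

/* Build a scratch directory with one ordinary and one "hidden" subdirectory
   (both constructed), run the check with or without the simulated filter,
   clean up, and return the number of entries flagged. */
int demo(int with_filter) {
    char tmpl[] = "/tmp/crossview_XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    char p[4096];
    snprintf(p, sizeof p, "%s/drivers_ok", dir); mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/usb_fpr", dir);    mkdir(p, 0700);
    const char *cands[] = { "drivers_ok", "usb_fpr", "nonexistent" };
    char hidden[MAX_NAMES][NAME_LEN];
    int n = cross_view_hidden(dir, with_filter ? simulated_hide : NULL,
                              cands, 3, hidden, MAX_NAMES);
    for (int i = 0; i < n; i++)
        printf("hidden from enumeration but reachable by path: %s\n", hidden[i]);
    snprintf(p, sizeof p, "%s/drivers_ok", dir); rmdir(p);
    snprintf(p, sizeof p, "%s/usb_fpr", dir);    rmdir(p);
    rmdir(dir);
    return n;
}

int main(void) {
    printf("without filter: %d flagged\n", demo(0));
    printf("with simulated hiding filter: %d flagged\n", demo(1));
    return 0;
}
```

The check only works when the hiding component filters enumeration but leaves direct opens alone, which is exactly the behaviour the quoted text describes (known-name access via Command Prompt still works). A filter that also intercepts path lookups would pass this test; the next view to compare against is then the raw on-disk structure, which is how the dedicated rootkit scanners of the time handled the Sony BMG case.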