Re: Virus attacks on PGP
At 2:46 PM 11/24/95, Thomas E Zerucha wrote: ....
I don't know if I mentioned, but I keep PGP and my keys on PCMCIA memory cards that aren't in the system at the same time as a network or modem card. Moreover I can also simply use the DOS version (I use Linux to communicate). It would require quite an effort to create a virus that would work and pass data across the required OS problems and not break with the twice-a-week kernel-level changes :).
....
Yes it would be hard. When you choose your own protection as above, an opponent would have to mount a significant effort just to get your stuff.
....
It takes quite an effort to create a complex virus to do this. It reminds me of the Glomar Challenger that was used to recover the remains of a Russian sub (my memory is somewhat faulty). Such a virus would require a great investment in time and money. What target would be worth it? Many otherwise feasible things aren't economically practical.
Yes, but if your particular habits became widespread, an intelligence agency could amortize the virus effort across many victims.

Here is just one such complicated virus: Sit in the OS watching for PGP to be launched. Patch PGP on the way in. The patch writes to disk the location and password for the secure key ring. Concurrently the virus watches for there to be IP service and sends the disk information as a UDP.

Alternatively the virus waits for idle time (screen saver time) and dials an 800 number having turned off the modem speaker. But don't send the same data twice! There is a significant hazard for the virus producer here if someone finds the code and learns the 800 number. I am sure that the Telco would help locate the physical phone to which the 800 number led.

UDP provides more ways to pigeon drop the secret so as to protect the reader of that data. Perhaps you can send the UDP to the NY-Times (or to your favorite enemy) over a line that you are tapping. The NYT will discard it and no one is the wiser. The virus is then anonymous.
On Fri, 24 Nov 1995, Norman Hardy wrote:
At 2:46 PM 11/24/95, Thomas E Zerucha wrote: ....
It takes quite an effort to create a complex virus to do this. It reminds me of the Glomar Challenger that was used to recover the remains of a Russian sub (my memory is somewhat faulty). Such a virus would require a great investment in time and money. What target would be worth it? Many otherwise feasible things aren't economically practical.
Yes, but if your particular habits became widespread, an intelligence agency could amortize the virus effort across many victims.
Here is just one such complicated virus: Sit in the OS watching for PGP to be launched. Patch PGP on the way in. The patch writes to disk the location and password for the secure key ring. Concurrently the virus watches for there to be IP service and sends the disk information as a UDP.
The virus is starting to get large and noticeable. First, I alternate between a.out and ELF (and DOS .EXE). It doesn't have to patch PGP, just look for it to be loaded and the secring file accessed. Then record keystrokes. This would also work with a hardware implementation if the secring passphrase is external (as opposed to an external keypad).

This is what can be done when PGP is used for communication. For other info, I can isolate a computer (no modem, unroutable IP addresses, etc.). Of course our firewall is a SOCKS server and doesn't forward UDP. Maybe a socksified, SSL virus? My computer is attached that way far more than via modem. And maybe I should just nuke (or modularize) UDP? You can do interesting things with kernel source.
Alternatively the virus waits for idle time, (screen saver time) and dials an 800 number having turned off the modem speaker. But don't send the same data twice!
That would be interesting - even with the speaker "off" the power surge causes clicking and other signs. Not to mention that the interrupt count would start moving (of course the virus could replace the entire OS and would only have to find 300K chunks to hide in). Were they that interested, they could place a surveillance device over my desk (I don't know if they can pick up the scan on LCDs like they can on monitors - I am surprised they didn't put the kibosh to the FCC emission rules). Maybe I can move my desk, or my PGP station, inside our EMI testing Faraday cage :).

zerucha@shell.portal.com -or- 2015509 on MCI Mail
finger zerucha@jobe.portal.com for PGP key
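An added example, not part of either poster's message, illustrating the check Zerucha mentions: a modem dialing out during idle time would show up as a moving interrupt count. The script parses two /proc/interrupts snapshots taken at the start and end of an idle period and flags a serial-port IRQ that advanced while the keyboard/mouse controller did not. The /proc/interrupts layout, the modem on ttyS0, the i8042 label for keyboard and mouse, and both snapshots are constructed assumptions of mine, not data from the thread.

```python
"""Added example (not from the thread): spot covert modem activity during an
idle period from the serial-port interrupt counter in /proc/interrupts.

Assumptions (mine, not the thread's): a Linux-style /proc/interrupts layout,
the modem attached to ttyS0, keyboard and mouse on i8042, and the two
constructed snapshots below standing in for real reads at the start and end
of an idle period."""

from typing import Dict, List, NamedTuple


class IrqLine(NamedTuple):
    total: int        # interrupts summed over every CPU column
    description: str  # controller / trigger / device text after the counts


def parse_interrupts(text: str) -> Dict[str, IrqLine]:
    """Parse /proc/interrupts-style text into {irq_label: IrqLine}.

    The first line names the CPU columns; each later line reads
    '<label>: <count per CPU>... <description>'. Rows such as ERR: carry a
    single count, so only the leading integer tokens are summed.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ncpu = len(lines[0].split())
    table: Dict[str, IrqLine] = {}
    for ln in lines[1:]:
        label, _, rest = ln.partition(":")
        tokens = rest.split()
        counts: List[int] = []
        for tok in tokens[:ncpu]:
            if not tok.isdigit():
                break
            counts.append(int(tok))
        table[label.strip()] = IrqLine(sum(counts), " ".join(tokens[len(counts):]))
    return table


def device_delta(before: Dict[str, IrqLine], after: Dict[str, IrqLine], device: str) -> int:
    """Interrupts taken by every IRQ line naming `device` between two snapshots."""
    delta = 0
    found = False
    for label, line in before.items():
        if device in line.description.split() and label in after:
            delta += after[label].total - line.total
            found = True
    if not found:
        raise KeyError(f"{device} not present in both snapshots")
    return delta


def check_idle_period(before_text: str, after_text: str,
                      modem: str = "ttyS0", hid: str = "i8042") -> Dict[str, object]:
    """Flag the modem line if it advanced while the keyboard/mouse line stayed flat."""
    before = parse_interrupts(before_text)
    after = parse_interrupts(after_text)
    modem_delta = device_delta(before, after, modem)
    hid_delta = device_delta(before, after, hid)
    return {
        "modem_irqs": modem_delta,
        "hid_irqs": hid_delta,
        "suspicious": modem_delta > 0 and hid_delta == 0,
    }


# Constructed snapshots: the operator was away, the keyboard/mouse controller
# (IRQ 1 and 12) did not fire, yet the serial port (IRQ 4) took 2332 interrupts.
SNAPSHOT_BEFORE = """\
           CPU0       CPU1
  0:      12345          0   IO-APIC   2-edge      timer
  1:        210          4   IO-APIC   1-edge      i8042
  4:         58          0   IO-APIC   4-edge      ttyS0
 12:       1783         31   IO-APIC  12-edge      i8042
NMI:          0          0   Non-maskable interrupts
ERR:          0
"""

SNAPSHOT_AFTER = """\
           CPU0       CPU1
  0:      42345          0   IO-APIC   2-edge      timer
  1:        210          4   IO-APIC   1-edge      i8042
  4:       2390          0   IO-APIC   4-edge      ttyS0
 12:       1783         31   IO-APIC  12-edge      i8042
NMI:          0          0   Non-maskable interrupts
ERR:          0
"""

if __name__ == "__main__":
    # On a live box, replace the constants with two reads of /proc/interrupts
    # separated by the idle window you care about.
    print(check_idle_period(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

The timer line advances regardless, so it is deliberately not part of the verdict; the signal is serial-port interrupts with no human input on the same box. A virus that has replaced the kernel, as Zerucha notes, could lie about these counters too, which is why he treats this as a tell-tale rather than a guarantee.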
participants (2): norm@netcom.com, Thomas E Zerucha