Antivirus software will ignore FBI spyware: solutions
Some interesting tips (bottom of this message) for detecting FBI/SS snoopware that NAI/McAfee is now assisting the FBI in installing.

I especially like the idea of "type hundreds of random key strokes and see which files increase in size." (Or just look for any file size changes, as most of us type tens of thousands of keystrokes per day.)

The mathematical side of most encryption is vastly stronger than the "crypto hygiene" side. There's a reason "code rooms" and "crypto shacks" on military ships and bases have lots of hoops to jump through, with locked boxes, double-keyed switches, controlled access, etc.

Most users of PGP take no steps to secure key materials. (I plead guilty, too.) Most of us are used to immediate access, and we want crypto integrated with our mail. The notion of going to a locked safe, taking out the laptop or removable hard drive, ensuring an "air gap" between the decoding system and the Net, and checking for keyloggers and hostile code, and so on, is foreign to most of us.

The "dongle" idea (e.g., Dallas Semiconductor buttons, etc.) has been around for a long time. Here's a new twist: the Apple iPod music player. I just got one. A 4.6 GB hard disk (Toshiba 1.8"). Hooks up via Firewire/IEEE 1394, with the link recharging the battery and auto-linking. The disk can also be mounted as a standard Firewire disk. Meaning, it could be used to store key material and even be used for PGP scratch operations. The increased security comes from its small size (easy to lock up) and because I usually have it with me when I am away from home. This makes "sneak and peek" searches and plants of malicious code less useful. Not a complete solution. Crypto hygiene and all.

Here's the article:
Path: sjcpnn01.usenetserver.com!e420r-sjo4.usenetserver.com!sjcppf01!usenetserver.com!hub1.nntpserver.com!headwall.stanford.edu!newsfeed.stanford.edu!sn-xit-01!sn-post-01!supernews.com!news.supernews.com!not-for-mail
From: Rastus P. Riley <an11211@hushmaildot.com>
Newsgroups: misc.survivalism
Subject: Re: Antivirus software will ignore FBI spyware: solutions
Date: Mon, 26 Nov 2001 12:37:27 -0800
Organization: Posted via Supernews, http://www.supernews.com
Message-ID: <1m950usq1saskrs1g0ajmdi5h3e49fcd8b@4ax.com>
On 25 Nov 2001 21:48:28 GMT, phatmike@isomorphic.net (phatmike) wrote:
According to the Washington Post, "At least one antivirus software company, McAfee Corp., contacted the FBI on Wednesday to ensure its software wouldn't inadvertently detect the bureau's snooping software and alert a criminal suspect."
http://www.washingtonpost.com/wp-dyn/articles/A1436-2001Nov22.html
1. Use a secure type of OS with login screen for every session
   a. Log out after every use
   b. If house invaded, Feds need to have initial login password to insert trojan.
2. Use In/Out firewall
   a. Zone Alarm Pro
   b. Monitors in/out traffic
      1. If trojan tries to send data, then firewall will highlight it.
3. Always check for small programs by last accessed date.
   a. Uncheck hidden files
   b. Look for files that increase in size by testing with 300 random keystrokes.
4. Use Proxies, don't run attachments, don't use Outbreak Express.
Hope this helps,
-Rastus
On Mon, 26 Nov 2001, Tim May wrote:
Some interesting tips (bottom of this message) for detecting FBI/SS snoopware that NAI/McAfee is now assisting the FBI in installing.
According to a rebuttal posted to Declan's list, McAfee.com (not the same as McAfee) is claiming that neither it nor Network Associates is assisting the FBI. Regardless, the tips Tim mentions are certainly ones to practice. (Just because an anti-virus company isn't cooperating with the FBI on this doesn't mean its software will detect Magic Lantern. McAfee's position on this should be irrelevant.)

-MW-
Great and wonderful except:

1. If such spyware has already been installed on your system you can't trust your OS, therefore:
   a. It may use your OS to hide the key capture log, so you won't be able to just watch files. Think of a kernel patch that removes all references to a specific file, not just sets it to be hidden.
   b. It may use your OS to hide that the OS was altered if you decide to use a debugger by patching the debugger also, and when say "Finder" looks at the System file, it's really looking at the inactive original one, rather than the one that was patched. (Or it could be an extension that hides itself and the capture file from the OS, etc.)
2. Any hard drive you can access, so can they. "They" can patch your disk:
   a. I'm not sure about newer MacOS's, but I remember that older MacOS's, those on 68k boxes, stored driver code for the disk on one of the blocks on the drive, so even if your OS wasn't booted with the spyware, simply mounting that drive would load the driver, and anything that goes with it. I had the experience of having such a driver get corrupted back when I used a Mac. I recall I had to use special software to mount the disk without the old driver - actually to just zap the old driver off the disk and replace it.
   b. If the malware is on your hard drive, it can propagate like a virus to your iPod. Sanitize your OS, only to have it come back when you hook up said iPod.
3. Newer G3+ Macs use Open Boot PROM or some such which lives in EEPROM. Such things can be patched at that layer and can propagate on bootup. Booting off a read-only disk (CDROM, etc.) wouldn't help in this case.
4. If you live in a crowded area, your iPod can be lifted off you in a false mugging, or break-in, pickpocketing while you're at a restaurant, movie, etc.
5. Watching for files that change daily is a fool's task for the reasons mentioned above, and the Sisyphean task it presents. Better get the equivalent of COPS or Tripwire to do the work for you, but they too can be tampered with.
6. If McAfee bent over to the Feds, you can be sure that so will the makers of Zone Alarm and other firewalls.
7. Remember, they don't need to capture all your keystrokes. Just the ones you use as passphrases. And they don't need to copy your whole hard drive, though they easily could when you're out of the house. Just your secret key file and your passphrase.
8. If you shut off your computer when you leave your house, it makes their job that much easier. If you leave it on, they could note what's open and put it back to the same spot.
9. If you use a login screen, etc., they could simply run something that would take a snapshot of your desktop, shut down your Mac, install the malware/copy your files, then boot off of a floppy that displays the screen you left up, plus a Type 1 Bomb (MacOS equivalent of blue screen of death), and eject the floppy - making it look like your Mac crashed, or simply go down to the basement and trip your circuit breakers making it look like you've had a power failure (even UPSs run out at some point.)
10. Ordered any new copies of a bit of software? Maybe they have a deal with FedEx, UPS, the Mailman. Maybe what you're getting is the upgrade and then some. How can you tell that copy of SmallTalk doesn't carry an extra bit of code just for you? How can you tell that the latest patch to MacOS you've just downloaded really came from Apple? Sure DNS said it was from ftp.apple.com but how do you know that the router upstream from your internet provider didn't route your packets via ftp.fbi.gov?

Once they have physical access, you're fucked. Remote access is almost as dangerous as them having physical access, however it can work in your favor as they won't be as familiar with your environment, and thus are far more likely to expose the malware to you.

Sure, all of these things are more or less preventable, except for physical access, and a lot of these come down to trust and reputation. But reputation and trust are also rubber hose-able (if there is such a word.) :) You can trust your best friend until you find out otherwise. You can trust your bank until you find out otherwise. You can trust your software provider until you find out otherwise. But by the time you've found out, if you've found out at all, you've already been fucked.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\
  \|/  :aren't security.  A |share them, you don't hang them on your/\|/\
<--*-->:camera won't stop a |monitor, or under your keyboard, you   \/|\/
  /|\  :masked killer, but  |don't email them, or put them on a web  \|/
 + v + :will violate privacy|site, and you must change them very often.
--------_sunder_@_sunder_._net_------- http://www.sunder.net ------------

On Mon, 26 Nov 2001, Tim May wrote:
Some interesting tips (bottom of this message) for detecting FBI/SS snoopware that NAI/McAfee is now assisting the FBI in installing.
While it's of little help to M$ lusers, those of us in the *nix world can use CDROM based filesystems for all but the user data. Yes, you may be compromised, but it won't change any code (which is definitely *not* to say that you aren't in danger from loss of passphrases, etc.) - at least on sensitive machines. I have been using this technique on FreeBSD systems for a little under two years now (yes, you need to build several copies of your root system :).

--
Yours,
J.A. Terranson
sysadmin@mfn.org

If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
--------------------------------------------------------------------
On Mon, Nov 26, 2001 at 01:12:53PM -0800, Tim May (tcmay@got.net) wrote:
Some interesting tips (bottom of this message) for detecting FBI/SS snoopware that NAI/McAfee is now assisting the FBI in installing.
I especially like the idea of "type hundreds of random key strokes and see which files increase in size." (Or just look for any file size changes, as most of us type tens of thousands of keystrokes per day.)
Defeat: create a log buffer file of fixed size, logged activity changes its contents, but not the size of the file. E.g.: a filesystem image file under GNU/Linux. Techniques could be used to maintain a constant global MD5 checksum to defeat other detection attempts. Manipulating file create/modify times is trivial under most OSs.
Most users of PGP take no steps to secure key materials. (I plead guilty, too.) Most of us are used to immediate access, and we want crypto integrated with our mail. The notion of going to a locked safe, taking out the laptop or removable hard drive, ensuring an "air gap" between the decoding system and the Net, and checking for keyloggers and hostile code, and so on, is foreign to most of us.
These measures can be taken for specific, high-security, messages. Risk profiles are not isomorphic in all circumstances.
The "dongle" idea (e.g., Dallas Semiconductor buttons, etc.) has been around for a long time.
Many of which are woefully poorly designed. Zimmermann at ALS spoke of one in which the key was stored in cleartext within the dongle; don't recall the specific device.
Here's a new twist: the Apple iPod music player. I just got one. A 4.6 GB hard disk (Toshiba 1.8"). Hooks up via Firewire/IEEE 1394, with the link recharging the battery and auto-linking. The disk can also be mounted as a standard Firewire disk. Meaning, it could be used to store key material and even be used for PGP scratch operations. The increased security comes from its small size (easy to lock up) and because I usually have it with me when I am away from home. This makes "sneak and peek" searches and plants of malicious code less useful. Not a complete solution. Crypto hygiene and all.
The iPod's definitely an attractive target for portable computing; it's also fairly robust (I bounced the demo off the hardwood floor of Apple's Palo Alto store from about 4-5 ft.). It appears you're just using it for storage purposes. Note that this still requires trusting the environment to which the iPod is attached. Various handhelds, particularly running an advanced OS (e.g.: GNU/Linux), would be similarly attractive devices, readily kept on one's person at most times, and support encrypted filesystems or files.

Peace.

--
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand?                Home of the brave
http://gestalt-system.sourceforge.net/                       Land of the free
Free Dmitry! Boycott Adobe! Repeal the DMCA!     http://www.freesklyarov.org
Geek for Hire                           http://kmself.home.netcom.com/resume.html
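An added example, written for this thread and not from any of the posters, of the Tripwire-style check Sunder recommends, run against the fixed-size log buffer Karsten describes above: the size-only test (Rastus's "300 random keystrokes") flags nothing for such a buffer, while a content hash still does, and a restored mtime is itself reported as a finding. The function names, the temporary directory and the two sample files are constructed for the demo.

```python
import hashlib, os, tempfile
from pathlib import Path

def snapshot(root):
    """Record (size, mtime_ns, sha256) for every regular file under root."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns, digest)
    return snap

def size_only_check(before, after):
    """The 'random keystrokes' test: flag only files whose size grew or shrank."""
    return {p for p in before if p in after and before[p][0] != after[p][0]}

def integrity_check(before, after):
    """Tripwire-style comparison: size, then content hash, then mtime consistency."""
    findings = {}
    for path in before.keys() | after.keys():
        b, a = before.get(path), after.get(path)
        if b is None:
            findings[path] = "new file"
        elif a is None:
            findings[path] = "deleted"
        elif b[0] != a[0]:
            findings[path] = "size changed"
        elif b[2] != a[2]:
            findings[path] = "content changed, size unchanged"
            if b[1] == a[1]:                       # content moved but mtime did not: suspicious
                findings[path] += ", mtime restored"
    return findings

def demo():
    # Constructed fixture: one fixed-size buffer (the case Karsten describes) and one normal file.
    root = Path(tempfile.mkdtemp())
    buf = root / "cache.bin"
    buf.write_bytes(b"\0" * 4096)                     # fixed-size buffer, never grows
    (root / "notes.txt").write_text("hello\n")        # ordinary file that will grow
    before = snapshot(root)
    st = buf.stat()
    with open(buf, "r+b") as f:                       # rewrite bytes inside the buffer ...
        f.write(b"constructed sample")                # ... so its size stays 4096
    os.utime(buf, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old timestamps back
    (root / "notes.txt").write_text("hello world\n")
    after = snapshot(root)
    return size_only_check(before, after), integrity_check(before, after)
```

Sunder's caveat still applies: the baseline and the checker itself must live somewhere the compromised OS cannot rewrite (Terranson's read-only root, for instance), or the comparison is only as trustworthy as the machine running it.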
participants (5)
- Karsten M. Self
- measl@mfn.org
- Meyer Wolfsheim
- Sunder
- Tim May