From: Thomas E Zerucha <zerucha@shell.portal.com>
To: Laszlo Vecsey <master@internexus.net>
Message Hash: df09ee420847a2989c317d1d10ad4c5a1756608494194ae8cca708beaffe54a7
Message ID: <Pine.SUN.3.90.951124143054.15604C-100000@jobe.shell.portal.com>
Reply To: <Pine.LNX.3.91.951124152257.5757A-100000@micro.internexus.net>
UTC Datetime: 1995-11-24 22:58:50 UTC
Raw Date: Sat, 25 Nov 1995 06:58:50 +0800
From: Thomas E Zerucha <zerucha@shell.portal.com>
Date: Sat, 25 Nov 1995 06:58:50 +0800
To: Laszlo Vecsey <master@internexus.net>
Subject: Re: Virus attacks on PGP
In-Reply-To: <Pine.LNX.3.91.951124152257.5757A-100000@micro.internexus.net>
Message-ID: <Pine.SUN.3.90.951124143054.15604C-100000@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain
On Fri, 24 Nov 1995, Laszlo Vecsey wrote:
> > > Where can one get PGP burnt into cdrom? Or the equiptment to do it
> >
> > If you can wait a while, TERENA (UKERNA, SURFnet, etc) are producing a PGP CD
> > at the start of next year ...
>
> Would PGP on CD-ROM truely gaurantee a corrupt/virus free executable? A
> virus already running in memory could tamper with what it's doing,
> perhaps extracting the necessary keys and dumping them to a log file.
> This would be especially dangerous on a UNIX system where many people
> might be using PGP, thinking it is secure.
>
> I think the only way to be safe is to actually boot up off of the CD-ROM,
> and hope that the hardware in your computer physically hasn't been
> tampered with :)
>
My original post mentioned two things, the other was to cross-compile the
sources. Maybe do it on 3 different systems (e.g. Sun, HP and DEC), and
compare the binaries, then burn a CD. A virus would have to be very
versatile to infect multiple platforms and insert code for another.
It would also be silly for a virus to just dump keys when PGP runs, it
would be far easier to look for any occurance of secring.pgp, and mail
it, and/or monitor when it was opened and record keystrokes. And log files
must go somewhere.
I don't know if I mentioned, but I keep PGP and my keys on pcmcia memory
cards that aren't in the system at the same time as a network or modem
card. Moreover I can also simply use the DOS version (I use linux to
communicate) - It would require quite an effort to create a virus that
would work and pass data across the required OS problems and not break
with the twice a week kernel-level changes :).
ViaCrypt also has a PCMCIA implementation of pgp, and it should be fairly
easy to implement in an ASIC, or small embedded micro. That would be
much harder to compromise. Of course anything so useful commercially
woudl be the subject of our legal system.
It takes quite an effort to create a complex virus to do this. It
reminds me of the Glomar Challenger that was used to recover the remains
of a russian sub (my memory is somewhat faulty). Such a virus would
require a great investment in time and money. What target would be worth it?
Many otherwise feasible things aren't economically pracitcal.
zerucha@shell.portal.com -or- 2015509 on MCI Mail
finger zerucha@jobe.portal.com for PGP key
Return to November 1995
Return to “Thomas E Zerucha <zerucha@shell.portal.com>”