1997-01-28 - Re: Passphrase Online…

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: harka@nycmetro.com
Message Hash: 8441a09c7ad446182dafa0f7304aaa980f70b028a6fff6b0a63e9b1f61626b31
Message ID: <3.0.1.32.19970127091008.0063c918@popd.ix.netcom.com>
Reply To: <199701271426.GAA23780@toad.com>
UTC Datetime: 1997-01-28 08:32:00 UTC
Raw Date: Tue, 28 Jan 1997 00:32:00 -0800 (PST)

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 28 Jan 1997 00:32:00 -0800 (PST)
To: harka@nycmetro.com
Subject: Re: Passphrase Online...
In-Reply-To: <199701271426.GAA23780@toad.com>
Message-ID: <3.0.1.32.19970127091008.0063c918@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


>>If I am connected to the Internet via a SLIP/PPP connection and I
>>type my passphrase while being online (for example, in Private
>>Idaho, after getting my mail), could that passphrase be compromised?
>>If so, how would that be done?

You're much safer if you're using an operating system instead of a
kluge like Windows...  On the other hand, operating systems make it
easier to run applications like telnet servers that allow someone
else to connect to your system while you're on line.
Some different ways you could be at risk include
- someone sends you a keystroke-sniffer program and tricks your machine
into running it - so it grabs your passphrase from PI or PGP and
sends it in later
- someone sends you a keystroke-sniffer program and tricks _you_
into running it, whether they use email, web, etc.
- someone logs into your system, guesses that the root password is
"trustno1", and modifies your copy of PGP to save keystrokes.
(On MSDOS, of course, you don't _need_ a root password.)
- someone sets up a web page with an evil ActiveX script that
convinces your Internet Explorer to download a new copy of PGP.
- someone sends you email with an attachment named 
..\..\..\windows\pgp.exe and your mail system is dumb enough to accept 
the pathname.
- somebody sends you email with an MS-Word/Excel/PPT attachment that,
instead of having a dumb Concept macro virus, has a macro that
does something useful like replace your copy of PGP, and you don't
have any innoculation on your MS-Word.
- any of the above, where the "pgp" program is replaced with one that's
almost identical but uses non-random numbers instead of good randoms,
and maybe also leaks out your secret key or passphrase.
- any of the above, where your email program is modified to add
Cc: janet@kremvax.su on outgoing smtp.

> Still paranoid?  Good!


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)






Thread