Point of view regarding LISA 2002

Shawn K. Quinn skquinn@speakeasy.net
Tue Oct 1 21:00:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday October 1 2002 12:30, Anthony E. Greene wrote:
> On 01-Oct-2002/18:11 +0200, markus_kampkoetter <markus_kampkoetter@t-online.de> wrote:
> >i do not agree with you. at least you will know for sure who sent
> > the virus to you ;))) and worms cannot use cryptotechnology easily.
> > (one day later)
> >or can they? is it possible to write a script that automatically
> > encrypts to all the keys on ones keyring and sends itself to the
> > corresponding addresses? even if, it never will be able to sign.
>
> How about a worm that does this when run:
>
>  1. Read the userids of the keys on the public keyring. Make note
>     of the userid of the first key.
>
>  2. Create a separate secring and pubring using the userid from the
>     first key on the original public keyring.
>
>  3. Upload this key to multiple keyservers.
>
>  4. Send itself as an encrypted attachment to each recipient on the
>     original pubring. Sign the message with the newly created key.

Sounds pretty devious, but this will probably take up a noticeable amount
of CPU and (in the case of boxes with a proper /dev/random) the effect
on the entropy pool might well be noticed.

> If the recipient is configured to automatically fetch keys as needed,
> and is reading mail online, they may not realize that the key used to
> verify the sig was just fetched.

They will if the signature is untrusted and it should not be. KMail
makes the distinction painfully obvious; other MUAs with PGP/GnuPG
encryption probably do as well.

> People generally do not pay that much attention to key IDs. Even if
> they notice the fetching operation, they might not think that it was
> significant. The attachment would look legitimate and the recipient
> might run the executable, thinking that it is safe because it was
> signed and encrypted from someone they know.

I know KMail at least does not let you encrypt attachments easily; they
have to be encrypted by hand and attached that way. The potential for
this kind of worm may well be part of the reason for this.

- -- 
Shawn K. Quinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9mfDjQVXDBVmaIp0RAh1LAJ9qqDUYRAdakuUXjujGuiRS2j1T9ACgrWtF
YxEspr4NCnNV0wGWTX69j4M=
=73BZ
-----END PGP SIGNATURE-----
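The point Shawn makes above (a good signature from a key that is not trusted, and that was only just fetched from a keyserver, should be shown as untrusted rather than as "signed by someone you know") is exactly the check a mail client or mail filter has to perform. The following is an added example, not code from the original post, from KMail or from GnuPG: it classifies the machine-readable status lines GnuPG prints with --status-fd during a --verify run. It assumes that the caller has captured those lines, that a key fetched by --auto-key-retrieve during the same run shows up as an IMPORTED status line, and the sample status lines (key IDs, user IDs) are constructed for illustration only.

```python
"""
Classify the outcome of `gpg --status-fd 1 --verify` for a signed message.

Added example, not part of the original mailing-list post. Assumes the
caller has captured GnuPG's `[GNUPG:] ...` status lines; the sample
lines below are constructed and do not correspond to real keys.
"""
import re
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Trust levels GnuPG reports for the signing key, weakest to strongest.
TRUST_LEVELS = ("TRUST_NEVER", "TRUST_UNDEFINED", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE")
UNTRUSTED = ("", "TRUST_NEVER", "TRUST_UNDEFINED")


@dataclass
class Verdict:
    good_signature: bool = False
    signer_keyid: str = ""
    signer_uid: str = ""
    trust: str = ""
    key_imported_now: bool = False      # key fetched during this run
    problems: list = field(default_factory=list)

    @property
    def trustworthy(self) -> bool:
        """Only a good signature from a trusted, pre-existing key passes."""
        return self.good_signature and not self.problems


def classify(status_lines):
    """Walk the status lines and build a Verdict for the signature."""
    v = Verdict()
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "")
        if keyword == "GOODSIG":
            keyid, _, uid = args.partition(" ")
            v.good_signature = True
            v.signer_keyid, v.signer_uid = keyid, uid
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            v.problems.append(f"signature status {keyword}")
        elif keyword in TRUST_LEVELS:
            v.trust = keyword
        elif keyword == "IMPORTED":
            # Assumption: emitted when --auto-key-retrieve pulled the key in.
            v.key_imported_now = True
    if v.good_signature:
        if v.trust in UNTRUSTED:
            v.problems.append(
                f"signing key is not trusted ({v.trust or 'no trust line'})")
        if v.key_imported_now:
            v.problems.append(
                "signing key was fetched from a keyserver during verification")
    return v


# Constructed status output for the worm scenario: the key was just fetched,
# the signature checks out cryptographically, but nobody has trusted the key.
WORM_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] IMPORTED 0123456789ABCDEF Example User <user@example.org>",
    "[GNUPG:] IMPORT_OK 1 0000000000000000000000000123456789ABCDEF",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Constructed status output for a message from a correspondent whose key
# was already on the keyring and has been assigned full trust.
TRUSTED_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FEDCBA9876543210 Colleague <colleague@example.net>",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]

# Constructed status output for a tampered message.
BAD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG FEDCBA9876543210 Colleague <colleague@example.net>",
]

if __name__ == "__main__":
    for name, lines in (("worm", WORM_STATUS), ("trusted", TRUSTED_STATUS),
                        ("bad", BAD_STATUS)):
        v = classify(lines)
        print(f"{name}: trustworthy={v.trustworthy} problems={v.problems}")
```

The decision to treat TRUST_UNDEFINED as a failure, not merely a warning, is the whole defence against the scheme quoted above: the worm can always produce a cryptographically good signature with a key it generated itself, so "good signature" alone says nothing about who sent the attachment. Flagging the key as freshly imported is a second, independent signal for clients that auto-fetch keys.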