Point of view regarding LISA 2002
Shawn K. Quinn
Tue Oct 1 21:00:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
On Tuesday October 1 2002 12:30, Anthony E. Greene wrote:
> On 01-Oct-2002/18:11 +0200, markus_kampkoetter=20
> >i do not agree with you. at least you will know for sure who sent
> > the virus to you ;))) and worms cannot use cryptotechnology easily.
> > (one day later)
> >or can they? is it possible to write a script that automatically
> > encrypts to all the keys on ones keyring and sends itself to the
> > corresponding addresses? even if, it never will be able to sign.
> How about a worm that does this when run:
> 1. Read the userids of the keys on the public keyring. Make note
> of the userid of the first key.
> 2. Create a separate secring and pubring using the userid from the
> first key on the original public keyring.
> 3. Upload this key to multiple keyservers.
> 4. Send itself as an encrypted attachment to each recipient on the
> original pubring. Sign the message with the newly created key.
Sounds pretty devious, but this will probably take up a noticable amount=20
of CPU and (in the case of boxes with a proper /dev/random) the effect=20
on the entropy pool might well be noticed.
> If the recipient is configured to automatically fetch keys as needed,
> and is reading mail online, they may not realize that the key used to
> verify the sig was just fetched.=20
They will if the signature is untrusted and it should not be. KMail=20
makes the distinction painfully obvious; other MUA's with PGP/GnuPG=20
encryption probably do as well.
> People generally do not pay that much attention to key IDs. Even if
> they notice the fetching operation, they might not that that it was
> significant. The attachment would look legitimate and the recipient
> might run the executable, thinking that it is safe because it was
> signed and encrypted from someone they know.i
I know KMail at least does not let you encrypt attachments easily; they=20
have to be encrypted by hand and attached that way. The potential for=20
this kind of worm may well be part of the reason for this.
Shawn K. Quinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
-----END PGP SIGNATURE-----