Trojanized, Info-Stealing PuTTY Version Lurking Online
One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article:
Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server (known as 'root' access), which can give them complete control over the targeted system," the researchers explained.
The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot by checking the app's "About" dialog.
I stayed through the beta bullshit. I stayed through Bennett. Autoplaying audio advertisement, and what the fuck ever you're letting through that's running my machine to a crawl with javascript: these are the final straw. Fuck you, I'm done.
Any sort of COM port access.
Any sort of SSH access.
Any sort of SSH tunnelling access.
I work in IT; PuTTY is one of the first things I install in every workplace - not "just because" but I'll be damned if I'm going to SSH into a remote server's management module without it or try to use some junky HTTP/Java monstrosity to achieve what one command can achieve on the CLI.
Hell, I've diagnosed mail servers using it by telnetting to the mail port and issuing commands direct for a setting that some Exchange "experts" denied would ever affect anything - when you can show them the entire mail transaction live rather than some convoluted log that purports to tell you everything that happens on the email sending with a junky bounce error, it kinda hurts.
Sure, a lot of stuff is HTTP-managed nowadays but wait until Chrome removes Java and see if the other browsers follow suit. Because then you'll be back on the CLI quite quickly.
The last Cisco switch I installed came only with some absolutely worthless piece of software that only works if you have version X of IE etc. But SSH was a one-tick enable and I could do everything else from there.
The infected client contains "Unidentified build, Nov 29 2013 21:41:02" on the about PuTTY page while the official has "Release 0.63". Cisco has a good article here: http://blogs.cisco.com/securit... by Robert Semans, Brandon Enright, James Sheppard, and Matt Healy.
No it's not. MD5 has been broken for years now and needs to die. PLEASE STOP RECOMMENDING MD5 ALREADY.
http://www.kb.cert.org/vuls/id/836068
http://en.wikipedia.org/wiki/MD5
MobaXterm is pretty nice as a SSH/Telnet/X11/mosh/tunnel client. It doesn't do anything you can't do with Cygwin in that regard but it's less work to get set up.
While that seems like sound reasoning, I have found that in practically every case it is a recipe for disaster to think that way.
Most high-quality software packages and libraries, at the highest levels, come from very spartan websites.
The Flash junkies will argue this point with me for years, and it's nice to have flashy web design as part of a broad-spectrum marketing strategy, but it's all just fluff that gives too many problems a chance to creep in undetected.
...what sibling said. Anything can be trojanized, and it's turtles all the way down if you're proposing that by simply using a different application (or suite/kernel/VM/whatever thereof).
In all seriousness, PuTTY is a quick and dirty way of getting a working SSH shell on a Windows box. For the greybeards (like myself), it's also a quick and kick-ass means of plugging an old laptop into a serial port on the back of a Sun/HPUX/IBM-PPC box.
It's a self-contained executable that you can keep on a geek stick. No dependencies, no lengthy installation bullshit like Cygwin, no muss, no fuss. It just works.
In fact, I still keep a copy on my phone just in case, in spite of the fact that I typically use a MacBook Pro nowadays (OSX has a working *nix shell that I can open Terminal with and SSH from all day long, tab the hell out of, have customized nine ways from Sunday for local Git coloring, pre-hooks, branch awareness, etc). That said, I use PuTTY when I find myself stuck with a 'doze box (usually when having to show a 'doze user something on a *nix box from his machine), or when I find myself in a datacenter with only a shitty old laptop and no other useful means of getting some RS-232 love (because let's face it, HyperTerminal sucks donkey balls).
Quo usque tandem abutere, Nimbus, patientia nostra?
Cygwin works well until you get other programs that use it. You either have to install them within your Cygwin install folder (and hope they are able to cope with Cygwin updates you make, e.g. to Cygwin 2) or suffer DLL hell. Look at the Cygwin FAQ for ".DLL" - if you're not familiar with those errors already, you haven't used Cygwin very much. Now consider across a bunch of workstations on a network.
"Want say tunneling to a Windows service? If you use Windows only as a client...."
Don't. Use a proper tool. PuTTY is a client, not a server. This is like saying that ssh-client is no good at being sshd... of course not. But that's not what we're talking about.
And the fact is that for every SSH server set up (properly), you probably have 10-100 clients joining to it or you wouldn't bother setting it up. And one of the main points of things like SSH servers is cross-compile farms and remote access. And almost all the universities that offer such services recommend PuTTY if you're on Windows (because they've dealt with the Cygwin issues, I assure you, and decided it's not worth the hassle).
Opinion, of course. So's yours. Just because it's contrary doesn't make it more or less valid.
However, PuTTY is widely used and recommended for everything from talking to your Arduinos over a serial port to logging into your University server... go take a look. Cygwin - if and when it comes up - is not mentioned in nearly as many places for such simple actions.
Cygwin is, in fact, overkill for the majority of users who just want to use SSH, telnet or serial services from Windows. If they wanted Linux, generally they end up installing it in preference to Cygwin.
Simon publishes MD5, SHA1, SHA256 and SHA512 sums for all official binaries.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
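A defender-side check that combines the two indicators raised in this thread (the About-box build string quoted above, and the SHA sums the project publishes), written as an added example that is not from the original thread or the PuTTY project. It assumes a sha256sum-style sums file ("<hex>  <filename>" per line); the sample binaries and sums are constructed stand-ins.

```python
import hashlib
import re

# About-box strings from the thread: "Release 0.63" (official) vs "Unidentified build, ..." (trojan).
VERSION_RE = re.compile(
    r"Release \d+\.\d+|Unidentified build, [A-Za-z]{3} \d{1,2} \d{4} \d\d:\d\d:\d\d")

def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents (MD5 is deliberately not used)."""
    return hashlib.sha256(data).hexdigest()

def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<64 hex>  <filename>') into a dict."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def hash_matches(data: bytes, sums: dict, filename: str) -> bool:
    """True only if a published digest exists for this name and equals the file's."""
    expected = sums.get(filename)
    return expected is not None and sha256_hex(data) == expected

def build_string(data: bytes):
    """First version string found as ASCII or UTF-16LE; None if absent."""
    for text in (data.decode("latin-1"), data.decode("utf-16-le", "ignore")):
        m = VERSION_RE.search(text)
        if m:
            return m.group(0)
    return None

def classify(data: bytes, sums: dict, filename: str) -> str:
    """Trust the hash first; the version string is only a fallback indicator."""
    if hash_matches(data, sums, filename):
        return "official: SHA-256 matches the published sum"
    found = build_string(data)
    if found is None:
        return "unknown: hash mismatch and no version string found"
    if found.startswith("Unidentified build"):
        return "suspect: " + found
    return "suspect: hash mismatch although it claims " + found

# Constructed stand-ins (not real PuTTY bytes) and a constructed sums file.
OFFICIAL = b"MZ\x90\x00\x03\x00\x00\x00PuTTY Release 0.63\x00"
TROJAN = (b"MZ\x90\x00\x03\x00\x00\x00"
          + "Unidentified build, Nov 29 2013 21:41:02".encode("utf-16-le"))
PUBLISHED_SUMS = parse_sums(sha256_hex(OFFICIAL) + "  putty.exe\n")
```

Fetch the sums over HTTPS from the project page, not from the same mirror that served the binary, or the comparison proves nothing.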
I use a free program called mRemote v1.50 as it integrates Putty, RDP, VNC, Citrix, etc. into one console. It's a good tool as you can organize your connections using folders. As a network architect, it's nice to be able to connect to network devices by site. It has a few bugs, such as screwing up the sort order, but nothing major.
There is a newer version out called mRemoteNG 1.72. The last update was from the end of 2013 and it looks like the project is on hold for whatever reason.
It does what I need it to do and that's all I ask of any tool...
http://en.wikipedia.org/wiki/W...
It isn't that unheard of.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Because it would provide no extra security.
Certs and digital signatures cannot vouch for the person who made them. All they say is: After running my verification algorithm, I have determined that a key that is mathematically equivalent to this public cert was used to sign this file.
Notice that neither the algorithm, the key, the signature, nor the file in question is actually verified in this statement. From the user's perspective, they *assume* the algorithm is secure and trustworthy. The user *assumes* that the person who made the cert and signatures is trustworthy. The user *assumes* that the file was not tampered with such to exploit a bug in the verification algorithm that they use. Etc. Etc. Etc.
To those of you who say: "It's not the job of the algorithm to do that, it's the user's job. (User in this case being the system administrator.)", I say this: Most people don't do this. Yes it is their job, but most do not nor even know that they should. They see the word secure and trust and the vast majority of them turn their brains off. Just like when they are smacked with a wall of text, some cryptic error message, or any other popup that tries its hardest to get their attention and make them think about what they are doing. As a result all certs and signatures do for most people is create more annoying messages, add yet another dialog box to click through, and ultimately more blind trust and false assurances.
In the case of the article, even if they had a cert and signature system in place already, a new user who downloads putty (or any other software for that matter) would not know whether or not to trust its developer, much less the origin of the software download. If they saw two different signatures some people might question it, but most would assume both match, or that there was an error or a typo. (Of course any malware author worth his job is going to try his hardest to make any reference to the legitimate version very hard to find or outright eliminate said reference to help mislead the potential victim. Or make it such that if found out, the blame goes to the legitimate developer.)
There is no way for them to find out if that signature is valid either, assuming they trust the signature. If the developer lives on the other side of the world, they can't walk up to them and ask, and any attempt to use the net is a folly as that's using an insecure channel to verify an insecure transmission. They could attempt to find someone else near them who could vouch for the signature, but then is that person trustworthy? If they are, how do you contact them? Most people don't have many people to trust, and it's not like the ones they do trust would be able to vouch for some random download. Basically unless someone they know also uses the same download, they don't have anyone to trust. (That also assumes that person is also not a victim of mistrust, and that they did get a legit copy of the software that has not been modified.)
Basically, long story short, all digital signatures do is: Take more work that should be the user's job anyway (even though that task is extremely difficult, if not outright impossible for them to do successfully), do that work for them (while not giving them the ability to inspect that work in many instances; even if they do, you would need to be a cryptologist to verify it; most people are not), then give the false assurances that what it just "verified" is safe to use. (Despite the aforementioned issues, thus misleading the user.) It's complexity without benefit (complexity is bad, as it makes things harder to verify), and most of the people in this scenario who will have this problem are people who blindly trust a binary blob OS with encryption algorithms they can't examine without an expert in cryptology and x86 machine assembly code, or would have to download another random software's source code, and have it verified by an expert in programming, x86 machine assembly code, and cryptology. (Verify the source code, compiler, and generated object, and executable.)