Caligula Virus Exposes PGP Flaw (?)
lc writes "There is some kind of macro virus
floating around that steals PGP keys off a user's computer and
uploads them to a remote FTP site." So a macro
virus is a flaw in PGP? Neat. Methinks if you've got macro
viruses running rampant in your machine, you've got bigger
problems. Like Word for example.
If "they" really think this will
stop people who know what they are
doing using PGP, and complying with the
fscking shit american government...
Anyone who really needs PGP should really
know better than to use microsoft stuff...
Too bad the flack for NA
rolled over and slammed
Obic and friends. By bringing
this out to the open, it
demonstrates a significant
issue. Namecalling ("Call
them scum.") and refusing
traffic to codebreakers.org
site is about as effective
as sticking one's head in
the sand. Gee, wouldn't
it be more likely that a
cracker using this exploit
choose a different domain?
Obic and friends are merely
a symptom of a much larger
problem. Superficial and
shallow solutions such as
what Cohen (Sandia Labs)
and Viveros offered ("secure
passphrase" my arse) just
gloss over the issues.
Did you read the article? If you don't have Word, you got nothing to worry about. Hell, I don't even have Windoze. Go Caligula!
WARNING!
Do not read any slashdot comments with the words
"good times" in the subject box!
These comments are known to contain the "good times" slashdot virus. If you read the comment, your monitor will explode!
Phil
don't stick your finger in my PGP key!
Who cares about macro viruses (or in this case, little more than an actual macro)? Take a look at the beanhive java virus they have. Anyone know how this works?
Maybe PGP should start recognizing keys of type gif, gzip, wav, etc. ;}
This passcode-protection is not nearly as strong as the encryption going into PGP messages themselves
Where are you getting this? PGP messages and PGP private keyrings are both protected by 128-bit IDEA.
I've done tech writing as a contractor and written computer books. I know what employees make. Trade mag writers are the worst-paid in the industry - because of the economics, the pay is comparable to other small circulation magazines, whereas in most any other arena, tech writing is a lucrative game (whereas writing in general is not, unless you're "big"). Online mags, I would guess, are worse still. Is it any wonder they can't get good people?
Wouldn't the same thing happen under linux if I downloaded and ran some program that had some malicious code hidden in it that did the same thing? How would linux protect me in a way that windows wouldn't? well, for one thing, if you logged in as yourself, the program wouldn't compromise the files of others.. such as your little sister or root.. In fact, if you create a special account ('sandbox' maybe) to try out downloaded software, a lot of damage is prevented. Or maybe an account used exclusively for pgp? Mail whatever you want pgp'd to that account, log in, encrypt/decrypt, mail back and log out.. If you're paranoid, surely that is the way to go.. NTFS could do this job too.. But ctrl-alt-del, logoff(wait), ctrl-alt-del, login(wait) instead of ctrl-F2 is even more hassle..
In the DOS days, when PGP 1.0 was first around Phil's fear was more that a TSR virus would be written that would not just steal your private key but it would monitor the keyboard when you typed in the passphrase. (probably wouldn't have made much difference since Bass-O-Matic wasn't very secure to begin with. but.)
If you have a good pass phrase (that's a big if since you're probably only going to use printable characters instead of the full spectrum of bits) your private key is as secure as any message you would send encrypted with PGP.
First of all Linux is truly a multi-user environment as the previous AC pointed out.
:)
Secondly downloading and executing an executable is not quite the same thing as viewing a document now is it?
Executing programs you downloaded is always a risk and thanks to M$ viewing documents with their stupid office suite is now equally dangerous.
>How would linux protect me in a way that windows wouldn't?
It doesn't run that buggy and insecure M$ Office crap (at least not without WINE
Therefore, there is a big disparity in practice between the difficulty of brute forcing an IDEA session key and the difficulty of brute forcing an (actual user's) IDEA PGP passphrase.
Rename ftp! Call it secureftp or something. No macro or trojan script/program can find a program that doesn't exist.
you were warned...
why don't you go read about how beanhive works from one of the major av companies?
www.avp.ch has a desc of what it can do.
or you could mail the guy who wrote and ask him.
The flaw is that the association between keys is not encrypted. For example, if your secret keyring has your real name, and keys for the other nyms that you use, they can connect those nyms to you with no trouble at all.
This was brought up on the Cypherpunks list a few years ago, but no one thought it was a great problem. (But the same thing was used to have an excuse to jail Carl Johnson.)
And if you use a crappy passphrase, they can just throw a dictionary attack at it.
This is going to be a problem on any computer,
:)
:(
someone could write a virus or stick in some
malicious code or whatever on any OS... it's harder
on some, but the possibility exists. Also, if
someone has physical access to your 'puter you're
stuffed.
Only way to be really safe is something like those
Java keyrings which you always carry with you,
you know, the ones with a computer and about 6kb
of memory, or better yet, implants
mmm cyborgs...
forgot p/word
Francisco, pfh@yoyo.cc.monash.edu.au
That option gives you only protection to macro virus, and not all of them anyway. Long time that new Office Virus use classes to remain undetectable to Antivirus and that so called "macro protection"
I suggest to you to visit "www.codebreakers.org" to find out more and test it yourself.
"64 digit character set...10^38 character combos"
"(at least) 10^25 different phrases..."
Not really... The actual count is more like 1.3*10^23, because of the redundancy of information in english text. However, as you pointed out, if you build a smart passphrase which goes beyond that you increase your 'true' bitcount more.
Nonetheless, the POINT here is that the virus sends it to a random malicious code author, NOT the NSA.
Anybody think a twink like that (no offense meant twink!) is going to be able to crack this? A show of hands...? Anyone...? Beuhler...?
hmmm, care to think first?
It isn't really a point that this is a word
macro, a trojan'd anything doing something
to another program, doesn't make that a flaw
in the target program. this guys post was funny
as hell, read between the lines.
My word (no pun intended.)
Gee whiz steven, this is horrible news.
In fact, it reminds me of a solaris -exploit-
discovered by *censored* that entailed linking
the passwd file to a file in your home directory.
Once this was completed, you simply mailed root
and requested that he chown -R your tree. You'll
not be surprised to hear that once all had been
"exploited" as such, you were left with rw- permissions. It's dangerous techniques, and 'flaws'
like this that really weigh heavy on the administrator's repertoire.
-----BEGIN PGP SIGNED MESSAGE-----
;)
Q FG1os9nji1YAoLh6
Hash: SHA1
Hello all you disgruntled PGP users, Im sure you
know who I am (author of Caligula). at any rate
Ive been watching your conversation and have
a few things to say about it; It is very unfortunate
how the media misconstrues information. I wrote
caligula as a proof-of-concept-virus. that is; it
proved that even strong encryption programs
can be exploited and even in some cases
cracked due to the enviornment they are run
under (micro$oft windoze) and due to the
neglegence of it's users. Since the OS which
NAI's verion of PGP runs under is windoze, and
they have not taken precautions against the
vulnerabilities of the OS it could be argued
that windows versions of PGP are "flawed".
this is a "which came first the chicken or the
egg" situation however. Fred Cohens and NAI's
reponses to Caligula are quite disturbing, I
didnt write the virus to actually gain PGP keys
and exploit them, but it was necessary to code
this virus in order to prove it was possible, and
quite easy to do at that (if you can code somthing
like this in VBA you can do it in an language).
Would you rather I had written it to bring peoples
attention to this risk or would you rather of me
not and let someone else do it (on a real "inside
job" situation)? Attacking myself or codebreakers.org
for bringing a very realistic risk to the medias attention
is asinine and entirly missing the point. Which is more
productive? making fruitless DoS attacks on cb.org
(and breaking the law in the process, which fred cohen has
already done i might add) or trying to find realistic solutions
to the realistic threat i brought to your attention? Food
for thought I supose. Flame if you like
Opic [CodeBreakers]
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2
iQA/AwUBNrsU9Ly9KdeUgzuxEQKpUgCguqGSihWb8Vf2t0w
2uh/SgT3AlASeQrp3Lp6XEkR
=oIC5
-----END PGP SIGNATURE-----
PGP depends on two "keys", one is called a private key and the other a public key. Your public key is supposed to be given out to everyone, even posted on public "key-rings". Think of it as sort of a business card of sorts.
:) Keeping your public and private keys on the same machine is like etching your PIN number into your bank card!
Your private key is supposed to be kept safe and not given out to anyone. It is NOT supposed to even be kept on the same machine. PGP documentation recommends moving it to a floppy disk and locking the disk in a safe, then swallowing the key
Now this program (Caligula) looks for and gathers the private keys. My question is what are they still doing on the machine? Obviously there are a lot of people who don't realize the implications of this.
Even if a private key is compromised it is protected by a "passcode". This passcode-protection is not nearly as strong as the encryption going into PGP messages themselves and it is possible to break it. Once broken the intruder will now be in possession of your public AND private keys and will be able to send messages appearing to come from you and decrypt messages sent to you.
This virus is not indicative of a flaw in PGP, it is an example of how even the best protection scheme can be compromised by unintelligent things done by us. Ever written down a password on your monitor base to remember it? Duh....
Anonymous Coward asked:
But would there be *anyway* possible that this sort of thing could happen on Linux...(pardon my ignorance)!
The way PGP and GPG are currently set up, yes. You could run a trojan horse that transmits the file, or a hole in the browser's security could be used.
However, since we're in the wonderful world of Open Source, I can think of two ways of fixing your system so you aren't vulnerable. One way would be to edit the source so that the default directory and filename for your secure key are different (both from the source and from anyone else, this won't help if we all put our rings in .foo/bar). That way, there is no easy way for a Trojan to locate the file to transfer it.
The other way is to modify PGP or GPG to read the secure ring as root (assuming it's setuid root). You then make your secure ring owned by root:root. Then you can't read your own ring, except through PGP or GPG.
----
Open mind, insert foot.
Tim Moore wrote:
How is having a secure passphrase a "superficial and shallow solution?"
It's superficial and shallow because once they have your file it is subject to brute force attacks. A well funded cracker (say, the NSA) could break through fairly quickly, particularly if you use an easy to guess passphrase.
What do you suggest that NAI do about this? Is there even any theoretical way to prevent against this type of attack (other than a passphrase on the private key)?
Yes, there are two ways. The first is to never use a default location or filename to store your secure key. That way a trojan can't pick out your file blind, but would have to analyze your system to locate the secure key.
The second is to modify your system so that only root can read the secure key, and run PGP (or GPG) as setuid root. That way they need a root exploit to even look at your keyfile. This obviously won't work on a Windows system, since Windows is its own root exploit. Combining the two methods can greatly enhance the security of the encryption system.
----
Open mind, insert foot.
If your PGP key is readable by you, then any process run by you (or run by a process run by you, and so on) can read it. If you ran a properly-written trojan shell script (trivially, could be anything) then it could seek out and reveal your key.
Unless, of course, your key weren't on a mounted drive. But sooner or later it would have to be, if only for a while, wouldn't it?
Mind the Gap
You don't have to do the various capitalization and punctuation combinations. Just use a normal dictionary search, and you'll likely find several people who don't have any capital letters or punctuation in their passwords.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
A daemon version of gpg could run as root, having everyone's private keys only available to it.
If 'ya can't trust root...
Hmm...
If 'ya don't trust root to hold your data, you can't trust it held in your own home directory any more (Well, maybe unless you run CFS... but even then root could still catch your password when you log in).
Posted by Steven Engelhardt:
A new breed of macro virus that steals UNIX passwords has been reported in the wild. But experts disagree about its impact on Internet security.
DES is the de facto standard for encryption on UNIX-based systems and is widely thought of as invincible. But the new Caesar virus may shake that reputation. It's the latest of a new class of what some experts call espionage-enabled viruses. These are viruses designed to steal information from a user's computer.
Caesar gets into a PC from an infected Microsoft Word document. The macro virus then checks to see if any plain text files (especially a .fetchmailrc) exist on the machine. If they exist, and one of them has a user's password in it, the file is silently uploaded to an ftp site on the Internet.
"If they gather a lot of keys, they could forge signatures, gain unauthorized access to systems, and read private documents," said Frad Cohin, an information security expert with Sandia Labs. Cohin recently posted one of the first reports of Caesar on an Internet security mailing list.
"It demonstrates a serious hole in how password-based security works, and could damage the belief system that underlies the trust in passwords," he said.
*sigh* I love clueless people.
--
Steven Engelhardt
"A few orders of magnitude" is a whole lot.
Example: a simple phrase, some mixed case, and punctuation. No matter how simple it is, if you brute-force it, you have to scan all the possibilities. Even using dictionary look-ups, you're still looking at combinations of words and punctuation.
For instance, if you wanted to brute-force my PGP-key, with, say, a 64-digit character set, you would have to look through at least roughly 10^38 character combinations.
Assuming you made a lot of assumptions about dictionary words, capitalization, and punctuation, you'd still be looking at (at least) 10^25 different phrases, and there's no guarantee you'll find it that way.
Each lookup will take some time to compare, unless you really hack PGP. And by then, it would have been easier to make a fake key to impersonate me, or threaten me at gunpoint, or make a fake identity, or accomplish cold fusion, or just about anything else.
pb Reply or e-mail; don't vaguely moderate.
A "flaw in PGP"? This is just another macro virus that has some displeasing side effects. We're just seeing more evidence of that old truism, "If you can run code on a Windows machine, the computer's toast." (Paraphrasing from a statement I saw WRT Back Orifice.) I like the proposed idea of sending randomly generated PGP keys to the virus's delivery point. (Random as in cat < /dev/random > mykeys.pgp.)
--Phil (I'll give you my public key if you ask, but you have to ask first.)
355/113 -- Not the famous irrational number PI, but an incredible simulation!
Is Word. Pure and simple, MS has known about the SERIOUS security problems caused by Word for YEARS, and chooses to do nothing about it.
Furthermore, if Windows had a real security model, they would be much more able to fix the problem. As it is, they really have two choices, remove the mis-feature entirely, or open a dialog warning every time a Word macro tries to access the drive (or at LEAST the net).
At least under the Unix security model, a program can look to see if a file is world readable. In Windows, every file is world readable. Unix security isn't perfect (what security is?), but at least it tries!
I would have to say that the solution to the problem is to follow the user's guide to PGP (you know that big text document that came in the distribution that said "Never store your secret key on the same system as PGP.") If you secure your key with a large, near random, passphrase; store it on non-writable, unmounted media in a secure location (where secure and attached to a computer are mutually exclusive (more so for a computer on a network)); and then still don't trust the security of the encryption (it's only 128 bits, if you want real security ship a CD with a one-time pad to the remote location via secured carrier) I don't think you would be that vulnerable.
You're not paranoid if they're really out to get you.
According to Opic, "PGP claims to be a strong program, but it's not, because of the operating system it's running under. And those vulnerabilities are available to anyone who knows anything about programming."
What?? All programmers are going around breaking into my computer?
Ban programming! The logical consequence of programming is the end of security! Get those evil hackers to stop now!
Daniel
Hurry up and jump on the individualist bandwagon!
I cannot help but to admire the way some of our more technologically clueless media personas enjoy spreading their ignorance to the masses.
The "Caligula" virus does not exploit any flaws in PGP. It doesn't even exploit flaws in operating systems. Its behaviour mimics that of a user (since it is a macro - a collection of user commands). If a user can upload their PGP key to an ftp server, so can any macro on any operating system.
This is yet another simple case of some clueless person "enlightening" others to the realities of the technological world.
I cannot stand to watch persons in positions of relative trust spew this ignorant drivel at anyone who is willing to listen. It is wrong. Those who write articles about technology should at least have an understanding of the technology they're talking about, especially when they make derogatory comments such as these.
Technology is not to be feared. These pompous fools who choose to spread technically inaccurate information should be beaten, or at least have their hard discs erased, for causing such paranoia among common people.
This opens up a whole new world of possibility. I'm sure this is being done regularly, but:
Seems like it would be easy to assassinate the character of a computer program or company using trojans, virii, bombs, and worms. For instance, what would happen if a Word macro started uploading directory structures to some very, very large software company? (This is exactly what MS did with one of the MS-W95 betas-- not as a Word macro, but as part of the MSN dialup.)
What would happen if this macro also had logic to upload particular files? For instance, if it were designed to download a file based on registration ID, and upload files specified therein?
I AM NOT ADVOCATING THIS! I do not like or agree with any destructive use of computers. However, it seems like a simple and efficient means of character assassination. Assuming people even cared.
I just wonder if we'll see this sort of thing.
Hey! Everyone stop using Windows NOW!
As demonstrated with BO, your passwords can be stolen, and worse things can happen!
Everyone delete your Windows! Believe us!
Someone else has physical access to your computer, and they copy your private keyring to floppy disk. Oh no, this is a flaw in PGP!
:)
This is just FUD for PGP. If code is executed on your computer, then it has access to everything you have access to, including your private keys. Geez, why do I bother getting so worked up over something so silly?
Jason.
PGP private keys are encrypted with a passphrase. Granted, passphrases aren't the most secure thing in the world. Even so, PGP has the benefit of modern crypto research and should be a lot harder to crack than Unix passwords.
Citizens Against Plate Tectonics
So now our friends in Redmond are not only screwing up their own programs, but other peoples too!
Ever use PGP? You have to have access to your private key to decrypt, and to sign. Where'd you get that garbage about keeping public and private keys on separate machines?
Maybe you also don't know that the private key ring is encrypted by a pass phrase, as several others have posted. If you choose reasonably well, you're safe enough.
Where'd you get your so-called knowledge -- a box of cornflakes came with a magic decoder ring?
--
Infuriate left and right
I don't understand where the flaw in PGP comes in.
Correct me if I'm wrong, but if I recall, you can throw your private keyring anywhere you want, and as long as your passphrase isn't something idiotic like your name, your data is completely safe.
As far as these virus writers go, they are by no means idiots. The FTP upload is a fairly elegant idea, and of course they have to deny that the virus got out on purpose.
["These people are not your friends. If everyone screams at them and says 'you are scum,' they'll stop," said Cohen. He also recommended that administrators configure their firewalls to refuse traffic to the codebreakers.org site.]
Hmmm.. The second option seems more practical.. but what the heck. What's everybody doing the day after refund day. We could all scream together..
:)
1) The passphrase encryption, if chosen correctly
is gonna stop just about anyone from touching your
keys. DES was broken in 23 hours by a TON (A TON) of computing power. IIRC PGP uses IDEA @ 128 bits to encrypt your private keys. This will take far more time than the Universe has to offer.
2) UNIX / Linux vs Windows. Get over it. Macros run as YOU. They have the same permissions as YOU. If YOU can read your keys, so can any macros that YOU run.
Obviously I don't have a copy of the program, but it seems to me that it probably uses the Windows registry to find PGP and/or checks certain directories that are likely to contain .pgp files. I doubt that it scans the whole hard drive to find them, since that would slow things down too much.
If that's how it works, simply use the DOS version of PGP and put it in an obscure location (not containing the string PGP).
D
>Do not read any slashdot comments with the words
>"good times" in the subject box!
"By opening this software diskette envelope you are agreeing to the End User License contained within it. If you do not agree to the End User License, please return the package immediately."
"Sorry, sir, we don't accept opened software packages for return..."
-> I dislike sigs...
the keystrokes for your password, allowing them
to effectively become you. (i wonder if there is
something like this already in windows)
In order to become more secure, you have to have
secure protocols using encryption. a read-only
disk is a start, a separate computer only for pgp
(or gpg) is another. (but it is troublesome)
--
Four years in jail
No Trial, No Bail
New worlds are not born in the vacuum of abstract
ideas, but in the fight for daily bread --Rudolf Rocke
"Caligula was never supposed to get out," he told InternetNews Radio. "It was a proof-of-concept virus. No one in our group actually spreads viruses. We only make them available to the programming underground and that's about it."
What a fscking jackass.
Sending data by a trusted courier carrying a tamper-proof suitcase is useless if you leave the keys to your office on the door. Nothing new to this.
It is high time that people begin to understand that security on the Net is often more likely to be breached on the host (with trojans, viruses...) than by intercepting some communication.
Sadly, nearly all efforts for end-user products seem to have been directed to security of the communication link (pgp, SSL) but have neglected securing the hosts. That leaves users with a false impression of security.
This little macro virus shows one problem: current environments (OSs) do not have the facilities you'd need to implement really secure systems. Unless you want to run Trusted Solaris or similar. We need a safe place to store private keys, like a smartcard. Selecting a good passphrase is terribly difficult.
I would think that the private keys are encrypted with something a bit stronger than DES. A 56 bit DES key can be found in about 4 days assuming the key is the absolute last key in the keyspace (100% keyspace searched). EFF's Deep Crack hardware proved that last June. About 2 weeks ago, EFF and Distributed.net teamed up to blast through a 56bit key in well under 24 hours. Obviously DES would not be sufficient for even the least important encryption.
This virus is not indicative of a flaw in PGP, it is an example of how even the best protection scheme can be compromised by unintelligent things done by us.
amen!
the virus does not compromise pgp, because to do so it would have to crack public-key encryption. the virus does compromise the ways in which people use pgp, which is completely different from cracking the program!
this is actually a common problem with cryptographic technology - people don't realize that a strong cryptosystem won't help if it's not used intelligently.
My other car is a cons.
Sure, if someone ported all of word including its macro language to linux it could very easily happen. Basically any macro language could do the same thing. The real point is that word shouldn't have that crappy macro language. Almost no one uses it and it lets little kids think they are 3r33t by "coding" viruses in word.
-matt
37 is supposed to be the most picked between 1 and 50.
-matt
What do you call 20 programmers at the bottom of the ocean? A good start.
-matt
As stated by the creator - running under a flawed os such as Windows makes PGP vulnerable
Actually being readable by a Word process makes the key vulnerable. Thus PGP should refuse to run if Word is installed on the machine in question
:-)
Here's what I got:
...
Thanks for your message.
The headline was misleading
we've changed it.
Brian
At 11:02 AM 2/4/99 , you wrote:
>Don't you think Word is the one to
>blame in this case? The Virus attacks
>WORD after all....
No Kidding it was misleading! Geez!
Thus the hashing down of passphrases to a 128 bit value. Quite easy to figure out how many characters you need to get 128 bits of cryptographically secure pseudo-randomness from uppercase, lowercase characters and numbers, or whatever you use. The new version of PGP 6.0 for Windoze even gives you a handy little filling bar that tells you when your passphrase is long enough to generate a cryptographically secure 128 bit hashvalue. If you want to, you're welcome to try to bruteforce/dictionary/whatever attack my PGP secret key. Don't think you'd have any luck this runthrough of the universe. :)
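The passphrase arithmetic argued over in the comments above (a 64-symbol alphabet, dictionary words, the hash down to a 128-bit IDEA key), worked through as an added example that is not part of any poster's comment. The vocabulary set, the 32,768-word dictionary size and the guess rate are constructed assumptions.

```python
import math

KEY_BITS = 128  # the thread: the passphrase is hashed down to a 128-bit IDEA key
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def chars_needed(alphabet_size, target_bits=KEY_BITS):
    """Random characters needed from an alphabet to reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def charset_bits(passphrase):
    """Upper bound: assumes every character is drawn uniformly at random
    from the printable-ASCII classes that appear in the passphrase."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # 32 punctuation marks plus the space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def dictionary_bits(passphrase, vocabulary, dict_size):
    """Word-level estimate: if the phrase is only space-separated words from
    a dictionary of dict_size entries, the search space is dict_size ** n.
    Returns None when the model does not apply."""
    words = passphrase.split(" ")
    if not all(w in vocabulary for w in words):
        return None
    return len(words) * math.log2(dict_size)


def effective_bits(passphrase, vocabulary, dict_size):
    """The weaker of the two estimates, capped at the 128-bit key size:
    a longer passphrase cannot make the key space larger than the key."""
    estimate = charset_bits(passphrase)
    by_words = dictionary_bits(passphrase, vocabulary, dict_size)
    if by_words is not None:
        estimate = min(estimate, by_words)
    return min(estimate, KEY_BITS)


def years_to_search(bits, guesses_per_second):
    """Time to try every candidate in a space of 2**bits."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample data: a tiny stand-in vocabulary and an assumed
    # dictionary size and guess rate, chosen only for illustration.
    vocab = {"my", "dog", "has", "fleas"}
    dict_size = 32768
    rate = 1e9

    # 21 characters from a 64-symbol alphabet is 126 bits, about 8.5e37,
    # which is the "roughly 10^38" figure quoted in the thread.
    print("64-symbol alphabet, 21 chars:", f"{64 ** 21:.2e}")
    for size in (26, 62, 64, 95):
        print(f"alphabet {size:>2}: {chars_needed(size)} chars for 128 bits")

    for phrase in ("my dog has fleas", "A1b2C3d4E5f6G7h8I9j0Kl"):
        bits = effective_bits(phrase, vocab, dict_size)
        print(f"{phrase!r}: {bits:.1f} bits, "
              f"{years_to_search(bits, rate):.3g} years at {rate:.0e}/s")
```

The character-class figure is only an upper bound; the word-level figure is what a dictionary search actually faces, which is why the two estimates for the same phrase differ so widely.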
*(In a lead-bound book clutched in the dead arms of a german naval officer floating belly up in the atlantic. Ain't life a bitch?)
The guy was about to chuck the thing overboard, which was SOP when your nazi-mobile was sinking and an allied ship was a hundred yards off the starboard bow. The poor yutz died before he got that far, and held onto it with a proverbial death-grip as he pitched over the side.
You would need a lot of `leisure' to brute-force a 128-bit IDEA key.
Realistically, with any crypto systems, you have to assume that someone will get your ciphertext, and make sure you're safe even if they do. PGP does this.