Trojan Found in libpcap and tcpdump
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
Eventually, this would happen (Score:5, Insightful)
Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows, but in Open Source it is easily detected.
This is dreadful (Score:-1, Insightful)
Is it really too much trouble to do an MD4?
It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.
MD5 checksums (Score:4, Insightful)
Re:This is dreadful (Score:1, Insightful)
Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
That's not a problem, that's a feature (Score:2, Insightful)
But then again, you had to pay no-one for the man hours you saved by using the open-source code.
Re:MD5 checksums (Score:5, Insightful)
One too many? (Score:4, Insightful)
There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?
Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors? Or maybe there is a *VERY NASTY* exploit circulating privately?
At least that's what I think.
Re:This is dreadful (Score:5, Insightful)
Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.
Re:prison (Score:2, Insightful)
It is also true that only because this is an open source project was such code found. People seem to forget that there is no really efficient way of checking closed software for security holes. On top of that, companies are more than likely to place back doors in programs as actual features that are not mentioned in documentation, or only glazed over. My example for this was in a business program that I work with, which had the option for you to enter a code into one of the text fields if you set the computer's date to a specific date, and then you would be able to edit all records, thus bypassing the simple code that it uses. I found out about the feature when there was a problem with some of the records, and since the files are encoded I wasn't going to search through them in any easy way, so I contacted the program's distributor and they told me of this feature. Just think how many other programs out there have stuff like that.
Re:This is dreadful (Score:1, Insightful)
It would be best not to download the author's public key from the same place you get the source, or else you might as well be fucked. "Gee! It checks out alright, it must have come from my vendor!" Not necessarily.
Don't jump to conclusions (Score:5, Insightful)
It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.
Re:One too many? (Score:5, Insightful)
Re:Eventually, this would happen (Score:4, Insightful)
Have you ever changed the date of a file? It's quite easy.
Re:Seems (Score:5, Insightful)
Re:Eventually, this would happen (Score:2, Insightful)
The same that applies to somebody breaking into an open source code repository applies to a closed source repository.
If the trojaned code is inserted after the auditing and goes into a production/distribution state, then the consumer/user has NO WAY to detect the problem.
You are talking about the same Microsoft that wants to take to court independent researchers that detect security flaws in MS products?
Or the same Microsoft that hides security problems on their products?
And...Have you ever used CVS?
Re:This is dreadful (Score:5, Insightful)
Re:Seems (Score:2, Insightful)
In the end, it still comes down to whether or not you (can) trust the author/host.
Uncommented trojan (Score:5, Insightful)
Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, both security or quality reviews.
Well, ok, crackers probably want to obfuscate their code with
I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.
Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.
Re:This is dreadful (Score:5, Insightful)
"It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "
And this is different from Closed Source how ?
Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
Same place it will come from if you use Closed Source software, using Open Source products does not mean zero cost IT, it means lower cost IT. If your company did plan for these things, then it will make no difference what products you are using.
DEMAND PGP SIGNATURES!!!! (Score:5, Insightful)
The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.
Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bitten, but the key will be exposed and others will be able to quickly identify their risk.
At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!
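The verification the poster above is asking for, as an added example (this is not code from the thread, from tcpdump.org, or from FreeBSD ports): the tarball is checked against an MD5 sum obtained out of band, and then, when gpg is installed, against a detached signature using a keyring that was not fetched from the same server as the tarball. The keyring path, the file names and the "tarball" contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from tcpdump.org): check a release
# file against an MD5 sum obtained out of band, then, if gpg is installed,
# against a detached signature using a keyring that was NOT downloaded from
# the same server as the tarball.

# md5_of FILE -> hex MD5 on stdout (coreutils md5sum, BSD md5, or openssl)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch (never build on 1)
verify_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "md5 ok: $1"
        return 0
    fi
    echo "MD5 MISMATCH for $1: got $actual, expected $2" >&2
    return 1
}

# verify_sig FILE SIGFILE KEYRING -> gpg's exit status. The keyring path is an
# assumption for the example: it should hold the maintainer's key as obtained
# from a key server or an earlier verified release, not from the mirror.
verify_sig() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $2" >&2
        return 2
    fi
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Demonstration on constructed input: a stand-in "tarball" whose MD5 we know
# (the MD5 of the six bytes "hello\n"), and a tampered copy of it.
demo() {
    tmp=$(mktemp -d)
    expected=b1946ac92492d2347c6235b4d2611184
    printf 'hello\n' > "$tmp/release.tar.gz"
    printf 'hello\n#\n' > "$tmp/tampered.tar.gz"
    verify_md5 "$tmp/release.tar.gz" "$expected"
    if verify_md5 "$tmp/tampered.tar.gz" "$expected"; then
        echo "unexpected: tampered file passed" >&2
    else
        echo "tampered copy correctly rejected; do not build it"
    fi
    rm -rf "$tmp"
}

demo
```

The MD5 check only helps if the sum comes from somewhere the attacker did not control when they replaced the tarball (a mailing-list announcement, a mirror on a different host, your own notes from the previous release); a sum sitting next to the file on the same server proves nothing. The signature check has the same caveat for the key, which is why verify_sig refuses to use the default keyring.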
Re:Glad I use Gentoo (Score:4, Insightful)
$ nc -vvv 212.146.0.34 1963
mars.raketti.net [212.146.0.34] 1963 (?) open
M sent 0, rcvd 1
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
A - program exits
D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
M - closes connection, sleeps 3600 seconds, and then reconnects
Maybe someone should contact the machine administrator before more people get owned.
How is this fair? (Score:5, Insightful)
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
And, by the way, this happens all the bl**dy time on
Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.
Re:Seems (Score:1, Insightful)
Normally an MD5 checksum is stored on a different server... or at least it should be.
Recent incidents that I know of (Score:2, Insightful)
fragroute, dsniff, fragrouter [securityfocus.com]
BitchX [slashdot.org]
This message [immunitysec.com] says Recently there have been a spate of well publicized attacks against what I would consider to be the backbone of the open source movement - its source code distribution system. Hackers have been penetrating people who download, say, OpenSSH and then compile it to use on their systems by trojaning OpenSSH itself. This strikes at the very HEART of Open Source by making the act of installing the software a weakness. Because Open Source has no one distribution point, there are many places for someone to verify if they want to install software securely. Because there are no vendors, the sites people download software from are usually not provided with a dedicated security staff.
This is serious, guys and gals. Use the source, Luke - but what if I can't trust the source any more? Open Source has to find a method to get around this problem; see this post [google.com].
Re:DEMAND PGP SIGNATURES!!!! (Score:5, Insightful)
And for god's sake, keep your private signing key encrypted in your gpg keyring, or offline.
Re:as soon as this evening... (Score:3, Insightful)
Sigh (Score:2, Insightful)
The fact that someone so ineptly trojaned the source, not even bothering to generate a new md5sum, suggests that it's someone out to make it obvious looking. Someone who has a reason to discredit open source. Someone like a former script kiddie employed by microsoft...
Never mind that Russian crackers were wandering round MS servers for MONTHS back in 2000...
Re:as soon as this evening... (Score:3, Insightful)
Re:as soon as this evening... (Score:5, Insightful)
1. Just grab the source and build it. This is no better than grabbing a binary and running it, as far as security goes.
2. Grab the source, check the MD5 sum, and then build it. This is no better than grabbing the binary, checking the binary's MD5 sum, and then running it.
3. Grab the source, diff it against the previous source you were running, and at least glance at the diffs to see if anything looks suspicious. This is the only way that using source gives you more security than using the binary.
People using source for security who are in category 1 or 2 are just fooling themselves.
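The category-3 review described above, as an added example (not code from the thread, from tcpdump.org, or from any distribution): it diffs the previous source tree against the new one and flags only added lines that reach the network, spawn a shell, or carry a hard-coded endpoint, including the 212.146.0.34 / port 1963 indicators quoted earlier in this thread. The pattern list, the helper name connect_to and the two tiny source trees are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from tcpdump.org): review a new
# source tree against the previous release by diffing the two and flagging
# added lines that look like network or shell-spawning code.

# Things worth a second look when they are ADDED to build glue or C source.
# Constructed heuristic list; includes the endpoint quoted in this thread.
SUSPECT_RE='212\.146\.0\.34|mars\.raketti\.net|(^|[^0-9])1963([^0-9]|$)|wget |curl |/bin/sh|exec[a-z]*\(|socket\(|connect\(|dup2\(|fork\('

# suspicious_additions OLD_DIR NEW_DIR -> prints the '+' lines of the unified
# diff that match SUSPECT_RE (file headers '+++ ' are excluded)
suspicious_additions() {
    diff -ruN "$1" "$2" 2>/dev/null \
      | grep '^+' | grep -v '^+++ ' \
      | grep -E "$SUSPECT_RE" || true
}

# review OLD_DIR NEW_DIR -> 0 if nothing matched, 1 if a human must look
review() {
    hits=$(suspicious_additions "$1" "$2")
    if [ -z "$hits" ]; then
        echo "no suspicious additions between $1 and $2"
        return 0
    fi
    echo "suspicious additions between $1 and $2:" >&2
    echo "$hits" >&2
    return 1
}

# Demonstration on constructed trees: a harmless version bump plus one added
# function that phones home to the address quoted in the thread.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/old" "$tmp/new"
    printf '3.6.2\n' > "$tmp/old/VERSION"
    printf '3.6.3\n' > "$tmp/new/VERSION"
    printf 'int pcap_stub(void) { return 0; }\n' > "$tmp/old/gencode.c"
    {
        printf 'int pcap_stub(void) { return 0; }\n'
        printf '/* constructed: connect_to() is a made-up helper */\n'
        printf 'static int phone_home(void) { return connect_to("212.146.0.34", 1963); }\n'
    } > "$tmp/new/gencode.c"
    if review "$tmp/old" "$tmp/new"; then
        echo "clean: safe to build"
    else
        echo "review flagged additions; read them before building"
    fi
    rm -rf "$tmp"
}

demo
```

Two caveats a practitioner will already have in mind. This only sees what changed, so it gives no protection on the first tarball you ever fetch, and an attacker who rewrites an existing line rather than adding one is caught only if the rewritten line happens to match the pattern list. Generated files such as configure are long and noisy in diffs; that is exactly where a fetch-and-run addition is easiest to hide, so the grep is a triage aid, not a substitute for reading the diff.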
www.tcpdump.org (Score:3, Insightful)
Re:as soon as this evening... (Score:3, Insightful)
The right way to do things is for the person who makes the release package (e.g., the tarball, or the rpm, or whatever) to digitally sign it. They should do the signing on a machine other than the web server or FTP server. Ideally, they do the signing on their development machine, which is safely tucked away on a network that crackers can't get to.
Re:as soon as this evening... (Score:3, Insightful)
J
Re:as soon as this evening... (Score:2, Insightful)
Re:Eventually, this would happen (Score:5, Insightful)
The difference is that with Open Source you have an additional means of detecting the corruption - not only by its effects (as with the binary), but by reading the source.
Bruce
Re:Eventually, this would happen (Score:5, Insightful)
Bruce
Re:Eventually, this would happen (Score:3, Insightful)
How quickly the world forgets how things like the original Back Orifice were distributed... Too funny to read 'This couldn't happen with closed source!'
Re:Eventually, this would happen (Score:2, Insightful)
Centralized and De-centralized PGP server for OSS (Score:2, Insightful)
Maybe somebody has already posted this idea as a project on sourceforge..
There have been too many of these incidents lately, and it's giving OSS a bad odor. We must be careful. Telling the rest of the world closed binaries are infected often as well does not help. The damage is already done.
This is my idea to prevent most of these jokers tricks.
Instead of placing the checksums next to the source on the same server we need to place them somewhere safe. A number of centralized servers with a sole purpose to serve these sums, in several locations, on preferably different operating systems. This combined with the use of e.g. PGP.
All distros, for those who have not already, must apply a simple program à la portage and apt that checks against multiple PGP key servers before the build commences.
Now, how to make sure the admin of the project is the one signing the source on his machine.............
Re:Eventually, this would happen (Score:3, Insightful)
Within a few months of the code being open sourced, the back door was found. It stayed in closed source code for six years. Whether or not Borland could have done things to find it is irrelevant - they didn't and I bet many other vendors work the same way.
it was a rumour.
I guess it's easier to accuse me of spreading rumors than to enter "Borland database backdoor" into google and get stuff like a ZDNet article detailing the history of the bug [com.com] or the CERT vulnerability note. [cert.org]
WarGames was one of the most accurate theatrical portrayals of hacking ever.
I'm not sure whether to mod this +5 Funny or -1 Clueless. I really hope you were joking.
Why? He didn't fly through a 3d-cyberspace, nor did he jump through 5 layers of military-grade security in a couple minutes. He didn't have access to anything and everything controlled by computer.
He snagged the password to the teacher's computer off a Post-it note, and dug up information on the programmer of WOPR to take guesses at what the password might be, both of which are real hacking tools. He used hardware that existed and that he could realistically own. He wardialed, a habit of real hackers. I can't think of any other movie that comes close.
There are minor plot-necessary exaggerations -- no, WOPR wouldn't have an outside line to it, and yes, the cops would have been at the door long before he got in -- but they don't mar the fact that it was fundamentally right.
...And later moderators can't fix it! (Score:3, Insightful)
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
The sad part of this is the fact that we (people who have moderator points to give away) can't really fix the problem even after we're told about it. I could go back and mod down the misleading post, but then some metamoderator would see that I modded down what appears at face value to be an "interesting" post and I would be the one who was bitch-slapped for abusing my moderator points. All we can really do is mod up the replies, making the whole thread +5 in order to dilute the bad moderation.
Re:Glad I use Gentoo (Score:2, Insightful)
Such as, what if a cracker got into my machine and set up (amongst other things) a patched version of md5sum, that knew which files had been altered, and what their original md5sums were, so I couldn't rely on that for my security? This paranoia went as far as worrying about whether it would be possible for someone to alter gcc, such that not only would it add malware functions to anything I compiled, but also work out when it was being used to compile a compiler, and install this same functionality into that. I spent ages trying to convince myself that that would be far too complex to do, maybe even impossible * , but at the same time tried to work out ways to bootstrap a C compiler that I could believe was indeed utterly trojan-free.
<sigh> I expect there's a word for that, and I'm sure it's not one I want to hear :P
* -I'm sure that it could be made to use certain cues, such as filenames, etc, to decide that it was compiling part of a specific compiler, such as another copy of gcc, and only do the modification on that. But I'm sure you can't write an algorithm to detect that a piece of code constitutes a compiler, let alone part of one (because of course, gcc only works on one source file at a time, not whole projects).