Caligula Virus Exposes PGP Flaw(?)

lc writes "There is some kind of macro virus floating around that steals PGP keys off a user's computer and uploads them to a remote FTP site. " So a macro virus is a flaw in PGP? Neat. Methinks if you've got macro virus's running rampant in your machine, you've got bigger problems. Like Word for example.

NOT a flaw in PGP

[Anonymous Coward]

PGP depends on two "keys", one is called a private key and the other a public key. Your public key is supposed to be given out to everyone, even posted on public "key-rings". Think of it as sort of a business card of sorts.

Your private key is supposed to be kept safe and not given out to anyone. It is NOT supposed to even be kept on the same machine. PGP documentation recommends moving it to a floppy disk and locking the disk in a safe, then swallowing the key :) Keeping your public and private keys on the same machine is like etching your PIN number into your bank card!

Now this program (Caligula) looks for and gathers the private keys. My question is what are they still doing on the machine? Obviously there are alot of people who don't realize the implications of this.

Even if a private key is compromised it is protected by a "passcode". This passcode-protection is not nearly as strong as the encryption going into PGP messages themselves and it is possible to break it. Once broken the intruder will now be in possesion of your public AND private keys and will be able to send messages appearing to come from you and decrypt messages sent to you.

This virus is not indicative of a flaw in PGP, it is an example of how even the best protection scheme can be compromised by unintelligent things done by us. Ever written down a password on your monitor base to remember it? Duh....

Re: Flaw in PGP?

[Gleef]

Anonymous Coward asked:

But would there be *anyway* possible that this sort of thing could happen on Linux...(pardon my ignorance)!

The way PGP and GPG are currently set up, yes. You could run a trojan horse that transmits the file, or a hole in the browser's security could be used.

However, since we're in the wonderful world of Open Source, I can think of two ways of fixing your system so you aren't vulnerable. One way would be to edit the source so that the default directory and filename for your secure key are different (both from the source and from anyone else, this won't help if we all put our rings in .foo/bar). That way, there is no easy way for a Trojan to locate the file to transfer it.

The other way is to modify PGP or GPG to read the secure ring as root (assuming it's setuid root). You then make your secure ring owned by root:root. Then you can't read your own ring, except through PGP or GPG.

Preventing against this attack

[Gleef]

Tim Moore wrote:

How is having a secure passphrase a "superficial and shallow solution?"

It's superficial and shallow because once they have your file it is subject to brute force attacks. A well funded cracker (say, the NSA) could break through fairly quickly, particularly if you use an easy to guess passphrase.


What do you suggest that NAI do about this? Is there even any theoretical way to prevent against this type of attack (other than a passphrase on the private key)?

Yes, there are two ways. The first is to never use a default location or filename to store your secure key. That way a trojan can't pick out your file blind, but would have to analyze your system to locate the secure key.

The second is to modify your system so that only root can read the secure key, and run PGP (or GPG) as setuid root. That way they need a root exploit to even look at your keyfile. This obviously won't work on a Windows system, since Winows is its own root exploit. Combining the two methods can greatly enhance the security of the encryption system.

Of course...

[Eric S. Smith]

But would there be *anyway* possible that this sort of thing could happen on Linux

If your PGP key is readable by you, then any process run by you (or run by a process run by you, and so on) can read it. If you ran a properly-written trojan shell script (trivially, could be anything) then it could seek out and reveal your key.

Unless, of course, your key weren't on a mounted drive. But sooner or later it would have to be, if only for a while, wouldn't it?

Passphrase no security

[Trepidity]

You don't have to do the various capitalization and punctuation combinations. Just use a normal dictionary search, and you'll likely find several people who don't have any capital letters or punctuation in their passwords.

gpgd?

[cduffy]

A daemon version of gpg could run as root, having everyone's private keys only available to it.

If 'ya can't trust root...

Trusting root

[cduffy]

Hmm...

If 'ya don't trust root to hold your data, you can't trust it held in your own home directory any more (Well, maybe unless you run CFS... but even then root could still catch your password when you log in).

Caesar Virus Exposes UNIX Password Flaw

[gavinhall]

Posted by Steven Engelhardt:

A new of breed of macro virus that steals UNIX passwords has been reported in the wild. But experts disagree about its impact on Internet security.

DES is the defacto standard for encryption on UNIX-based systems and is widely thought of as invincible. But the new Caesar virus may shake that reputation. It's the latest of a new class of what some experts call espionage-enabled viruses. These are viruses designed to steal information from a user's computer.

Caesar gets into a PC from an infected Microsoft Word document. The macro virus then checks to see if any plain text files (especially a .fetchmailrc) exist on the machine. If they exist, and one of them has a user's password in it, the file is silently uploaded to an ftp site on the Internet.

"If they gather a lot of keys, they could forge signatures, gain unauthorized access to systems, and read private documents," said Frad Cohin, an information security expert with Sandia Labs. Cohin recently posted one of the first reports of Caesar on an Internet security mailing list.

"It demonstrates a serious hole in how password-based security works, and could damage the belief system that underlies the trust in passwords," he said.



*sigh* I love clueless people.
--
Steven Engelhardt

Passphrase no security

[pb]

"A few orders of magnitude" is a whole lot.

Example: a simple phrase, some mixed case, and punctuation. No matter how simple it is, if you brute-force it, you have to scan all the possibilities. Even using dictionary look-ups, you're still looking at combinations of words and punctuation.

For instance, if you wanted to brute-force my PGP-key, with, say, a 64-digit character set, you would have to look through at least roughly 10^38 character combinations.

Assuming you made a lot of assumptions about dictionary words, capitalization, and punctuation, you'd still be looking at (at least) 10^25 different phrases, and there's no guarantee you'll find it that way.

Each lookup will take some time to compare, unless you really hack PGP. And by then, it would have been easier to make a fake key to impersonate me, or threaten me at gunpoint, or make a fake identity, or accomplish cold fusion, or just about anything else.

Flaw in PGP?

[Phil Gregory]

A "flaw in PGP"? This is just another macro virus that has some displeasing side effects. We're just seeing more evidence of that old truism, "If you can run code on a Windows machine, the computer's toast." (Paraphrasing from a statement I saw WRT Back Orifice.) I like the proposed idea of sending randomly generated PGP keys to the virus's delivery point. (Random as in cat < /dev/random %gt; mykeys.pgp.)


--Phil (I'll give you my public key if you ask, but you have to ask first.)

The real problem

[sjames]

Is Word. Pure and simple, MS has known about the SERIOUS security problems caused by Word for YEARS, and chooses to do nothing about it.

Further more, if Windows had a real security model, they would be much more able to fix the problem. As it is, they really have two choices, remove the mis-feature entirely, or open a dialog warning every time a Word macro tries to access the drive (or at LEAST the net).

At least under the Unix security model, a program can look to see if a file is world readable. In Windows, every file is world readable. Unix security isn't perfect (what security is?), but at least it tries!

Bad Idea

[Christopher Craig]

You list two ways of "securing" PGP, the first being to write the secure key to a semi-random location and the second being to make it not readable to a normal user and have a suid binary. Leaving aside the obvious complaints about suid binaries for things that shouldn't be suid, niether of these helps at all. They just mean that in order to get the key the trojan needs to run the PGP binary (with the suid solution it might be able to find a hole and get other people's too). Big deal.

I would have to say that the solution to the problem is to follow the users guide to PGP (you know that big text document that came in the distribution that said "Never store your secret key on the same system as PGP.") If you secure your key with a large, near random, passphrase; store it on non-writable, unmounted media in a secure location (where secure and attached to a computer are mutually exclusive (more so for a computer on a network)); and then still don't trust the security of the encryption (it's only 128 bits, if you want real security ship a CD with a one-time pad to the remote location via secured carrier) I don't think you would be that vulnerable.

You're not paranoid if they're really out to get you.

Waiting for the anti-emulation herd..

[Daniel]

According to Opic, "PGP claims to be a strong program, but it's not, because of the operating system it's running under. And those vulnerabilities are available to anyone who knows anything about programming."



What?? All programmers are going around breaking into my computer?

Ban programming! The logical consequence of programming is the end of security! Get those evil hackers to stop now!



Daniel

The Technically Ignorant

[Liquid E.]

I cannot help but to admire the way some of our more technologically clueless media personas enjoy spreading their ignorance to the masses.

The "Caligula" virus does not exploit any flaws in PGP. It doesn't even exploit flaws in operating systems. Its behaviour mimics that of a user (since it is a macro - a collection of user commands). If a user can upload their PGP key to an ftp server, so can any macro on any operating system.

This is yet another simple case of some clueless person "enlightening" others to the realities of the technological world.

I cannot stand to watch persons in positions of relative trust spew this ignorant drivel at anyone who is willing to listen. It is wrong. Those who write articles about technology should at least have an understanding of the technology they're talking about, especially when they make derogatory comments such as these.

Technology is not to be feared. These pompous fools who choose to spread technically inaccurate information should be beaten, or at least have their hard discs erased, for causing such paranoia among common people.

Assassination

[tony@work]

This opens up a whole new world of possibility. I'm sure this is being done regularly, but:

Seems like it would be easy to assassinate the character of a computer program or company using trojans, virii, bombs, and worms. For instance, what would happen if a Word macro started uploading directory structures to some very, very large software company? (This is exactly what MS did with the one of the MS-W95 betas-- not as a Word macro, but as part of the MSN dialup.)

What would happen if this macro also had logic to upload particular files? For instance, if it were designed to download a file based on registration ID, and upload files specified therein?

I AM NOT ADVOCATING THIS! I do not like or agree with any destructive use of computers. However, it seems like a simple and efficient means of character assassination. Assuming people even cared.

I just wonder if we'll see this sort of thing.

Back Orifice Exposes Windows Flaw

[John Zero]

Hey! Everyone stop using Windows NOW!

As demonstrated with BO, your passwords can be stolen, and worse things can happen!

Everyone delete your Windows! Believe us!

PGP Flaw?!

[Tack]

Someone else has physical access to your computer, and they copy your private keyring to floppy disk. Oh no, this is a flaw in PGP!

This is just FUD for PGP. If code is executed on your computer, then it has access to everything you have access to, including your private keys. Geez, why do I bother getting so worked up over something so silly? :)

Jason.

So? Private keys arew encrypted

[drig]

PGP private keys are encrypted with a passphrase. Granted, passphrases aren't the most secure thing in the world. Even so, PGP has the benefit of modern crypto research and should be a lot harder to crack than Unix passwords.

Who taught you what you dont't know?

[A nonymous Coward]

Ever use PGP? You have to have access to your private key to decrypt, and to sign. Where'd you get that garbage about keeping public and private keys on separate machines?

Maybe you also don't know that the private key ring is encrypted by a pass phrase, as several others have posted. If you choose reasonably well, you're safe nough.

Where'd you get your so-called knowledge -- a box of cornflakes came with a ,agic decoder ring?

--

Flaw in PGP?

[D-Fly]

I don't understand where the flaw in PGP comes in.

Correct me if I'm wrong, but if I recall, you can throw your private keyring anywhere you want, and as long as your passphrase isn't something idiotic like your name, your data is completely safe.

As far as these virus writers go, they are by no means idiots. The FTP upload is a fairly elegant idea, and of course they have to deny that the virus got out on purpose.

Two suggestions from Fred Cohen:

[foofboy]

["These people are not your friends. If everyone screams at them and says 'you are scum,' they'll stop," said Cohen. He also recommended that administrators configure their firewalls to refuse traffic to the codebreakers.org site.]

Hmmm.. The second option seems more practical.. but what the heck. What's everybody doing the day after refund day. We could all scream together..

:)

Guess what?

[Ageless]

1) The passphrase encryption, if chosen correctly
is gonna stop just about anyone from touching your
keys. DES was broken in 23 hours by a TON (A TON) of computing power. IIRC PGP uses IDEA @ 128 bits to encrypt your private keys. This will take far more time than the Universe has to offer.
2) UNIX / Linux vs Windows. Get over it. Macros run as YOU. They have the same permissions as YOU. If YOU can read your keys, so can any macros that YOU run.

A possible way to defeat this

[daviddennis]

Obviously I don't have a copy of the program, but it seems to me that it probably uses the Windows registry to find PGP and/or checks certain directories that are likely to contain .pgp files. I doubt that it scans the whole hard drive to find them, since that would slow things down too much.

If that's how it works, simply use the DOS version of PGP and put it in an obscure location (not containing the string PGP).

D

good times

[Mr Foobar]

>Do not read any slashdot comments with the words >"good times" in the subject box!

"By opening this software diskette envelope you are agreeing to the End User License contained within it. If you do no agree to the End User License, please return the package immediately."
"Sorry, sir, we don't accept opened software packages for return..."

Back Orifice a threat more so then macro virus

[deathcubek]

BO can allow someone to steal your keys and take
the keystrokes for your password, allowing them
to effectivly become you. (i wonder if there is
something like this already in windows)

In order to become more secure, you have to have
secure protocols using encryption. a read-only
disk is a start, a seperate computer only for pgp
(or gpg) is another. (but it is troublesome)
--
Four years in jail
No Trial, No Bail

sigh

[Stiletto]

"Caligula was never supposed to get out," he told InternetNews Radio. "It was a proof-of-concept virus. No one in our group actually spreads viruses. We only make them available to the programming underground and that's about it."


What a fscking jackass.

a very old truth

[Submarine]

Sending data by a trusted courier carrying a tamper-proof suitcase is useless if you leave the keys to your office on the door. Nothing new to this.

It is high time that people begin to understand that security on the Net is often more likely to be breached on the host (with trojans, viruses...) than by intercepting some communication.

Sadly, nearly all efforts for end-user products seem to have been directed to security of the communication link (pgp, SSL) but have neglected securing the hosts. That leaves users with a false impression of security.

There is a problem, though

[ge]

This little macro virus shows one problem: current environments (OSs) do not have the facilities you'd need to implement really secure systems. Unless you want to run Trusted Solaris or similar. We need a safe place to store private keys, like a smartcard. Selecting a good passphrase is terribly difficult.

DES Encrypted?

[Tas]

I would think that the private keys are encrypted with something a bit stronger then des. A 56 bit DES key can be found in about 4 days assuming the key is the absolute last key in the keyspace (100% keyspace searched). EFF's Deep Crack hardware proved that last June. About 2 weeks ago, EFF and Distributed.net teamed up to blast through a 56bit key in well under 24 hours. Obviously DES would not be sufficient for even the least important encryption.

exactly!

[r]

This virus is not indicative of a flaw in PGP, it is an example of how even the best protection scheme can be compromised by unintelligent things done by us.

amen!

the virus does not compromise pgp, because to do so it would have to crack public-key encryption. the virus does compromise the ways in which people use pgp, which is completely different from cracking the program!

this is actually a common problem with cryptographic technology - people don't realize that a strong cryptosystem won't help if it's not used intelligently.

Flaw in PGP?

[dirty]

Sure, if someone ported all of word including it's macro language to linux it could very easily happen. Basically any macro language could do the same thing. The real point is that word shouldn't have that crappy macro language. Almost no one uses it and it lets little kids think they are 3r33t by "coding" viruses in word.

NOT a flaw in PGP

[dirty]

37 is supposed to be the most picked between 1 and 50.

Better yet

[dirty]

What do you call 20 programmers at the bottom of the ocean? A good start.

Sure it's a PGP bug !

[Eivind]

AS stated by the creator - running under a flawed os such as Windows makes PGP vulnerable

Actually being readable by a Word process makes the key vulnerable. Thus PGP should refuse to run if Word is installed on the machine in question

:-)

I sent them an email

[Gocho]

Here's what I got:

Thanks for your message.

The headline was misleading ...
we've changed it.

Brian

At 11:02 AM 2/4/99 , you wrote:
>Don't you think Word is the one to
>blame in this case? The Virus attacks
>WORD after all....

No Kidding it was misleading! Geez!

NOT a flaw in PGP

[Fnkmaster]

Thus the hashing down of passphrases to a 128 bit value. Quite easy to figure out how many characters you need to get 128 bits of cryptographically secure pseudo-randomness from uppercase, lowercase characters and numbers, or whatever you use. The new version of PGP 6.0 for Windoze even gives you a handy little filling bar that tells you when your passphrase is long enough to generate a cryptographically secure 128 bit hashvalue. If you want to, you're welcome to try to bruteforce/dictionary/whatever attack my PGP secret key. Don't think you'd have any luck this runthrough of the universe. :)

Hey, smarty-pants.

[I-man]

Check your ninth-grade history notes before you make holier-than-thou smartass comments. The german code was broken because we found a copy of the key*. So there :\~

*(In a lead-bound book clutched in the dead arms of a german naval officer floating belly up in the atlantic. Ain't life a bitch?)

Didn't go down that way.

[I-man]

The guy was about to chuck the thing overboard, which was SOP when you're nazi-mobile was sinking and an allied ship was a hundred yards off the starboard bow. The poor yutz died before he got that far, and held onto it with a proverbial death-grip as he pitched over the side.

Passphrase no security

[jwise]

You would need a lot of `leisure' to brute-force a 128-bit IDEA key.

Realistically, with any crypto systems, you have to assume that someone will get your ciphertext, and make sure you're safe even if they do. PGP does this.