
Re: New York Times article



On Thu, 12 Oct 1995, Donald E. Eastlake 3rd wrote:

> What it has to do with NetScape is (1) these guys had already de-compiled
> NetScape so they knew just where to patch it to screw up its security and (2)
> the news media is very sensitive to anything mentioning NetScape right now. 

[deleted text]

> > 
> > I'd also thought that we all knew better than to run NFS on any host that's
> > visible to the outside world.  I hated having to follow a page one story to
> > the third section to figure out that it was content-free.
> > 
> > I really don't see what NFS has to do with netscape security (as implied by
> > the article).
> > 
> > Chris
> 
> =====================================================================
> Donald E. Eastlake 3rd     +1 508-287-4877(tel)     dee@cybercash.com

This really has not too much to do with netscape security. You can "patch"
any program that is run via nfs (or at any time has travelled over a
network) to do whatever you want using the same methods. The attack the UC
Berkeley folks are describing is a combination of the "man in the
middle" or "hijack" attack and a trojan horse, both of which have been known
about and exploited for a while. 

The point is that the consequence of a hacker stealing credit card numbers
over a LAN with a rogue netscape pales in comparison to somebody
substituting a rogue software compiler that makes secret backdoors on any
machine the company's software is run on. Network security NOT Netscape
security is the real issue here. 


What's the solution?

These types of attacks can happen in any non-authenticated non-encrypted
network. It matter how well you trust your internal network and the people
on it. A simple method to prevent the insertion of a trojan is to have an
md5 signature (I am sure that someone will point out that the sig could
also be trojaned). Full session encryption (see SSH-1.2) is also an 
answer.  




+======================================================================+
Christopher Osborn        			cosborn@bbn.com
WWW/BBS Site Engineer				EMail ^^  for Public Key
BBN, INC.                                       http://www.bbndomain.com/
BBN Domain Corporation
My opinions may or may not reflect the views of my employer. 
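
The caveat raised in the message above (a checksum that travels over the same unauthenticated path can be replaced along with the program), shown as an added example that is not part of the original post. It uses SHA-256 and HMAC from Python's standard library rather than MD5, and the sample bytes, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac


def plain_digest(data: bytes) -> str:
    """Unkeyed checksum: anyone who can change the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """Keyed checksum: recomputing it requires a secret that never crosses the network."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, published: str) -> bool:
    return hmac.compare_digest(plain_digest(data), published)


def verify_keyed(key: bytes, data: bytes, published: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), published)


def rewrite_on_path(binary: bytes) -> tuple[bytes, str]:
    """Model of the network position described in the post: both the program
    and any unkeyed checksum served beside it are rewritten together."""
    patched = binary.replace(b"verify=1", b"verify=0")
    return patched, plain_digest(patched)


def demo() -> dict:
    original = b"\x7fELF constructed-sample verify=1"   # constructed sample, not a real binary
    key = b"constructed key delivered out of band"      # assumption: shared over a trusted channel
    tag = keyed_tag(key, original)                      # computed by the publisher

    received, received_sum = rewrite_on_path(original)
    return {
        # The checksum was swapped with the file, so the unkeyed check passes.
        "plain_accepts_modified": verify_plain(received, received_sum),
        # Neither the original tag nor a recomputed unkeyed digest verifies.
        "keyed_accepts_modified": verify_keyed(key, received, tag)
        or verify_keyed(key, received, received_sum),
        # An unmodified copy still verifies against the publisher's tag.
        "keyed_accepts_original": verify_keyed(key, original, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
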

