-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AL-96.01                        AUSCERT Alert
          Forged Security Information - Verifying AUSCERT Information
                                29 May 1996
- -----------------------------------------------------------------------------

AUSCERT has received reports of forged messages, containing false computer
security information, being distributed on the Internet.

Before applying any patches, fixes, or workarounds obtained from the Internet,
or in fact anywhere else, the contents and origin of that information should
be verified.

All information released from AUSCERT (including this Alert) contains a
Digital Signature. This signature can be used to verify the origin and
contents of the message. This not only applies to Advisories and Alerts, but
also to all official electronic mail correspondence from AUSCERT.
- -----------------------------------------------------------------------------

1. Description

AUSCERT has received reports of forged messages claiming to contain security
patch information being distributed via electronic mail, news, and other
distribution mechanisms.

AUSCERT takes this opportunity to warn constituents of the dangers of forged
electronic mail, news or messages, and the measures AUSCERT has in place to
verify the authenticity of any message claiming to come from AUSCERT. These
techniques are also used by many other incident response teams and software
producers.

The standard protocol used to distribute electronic mail throughout the
Internet is Simple Mail Transfer Protocol (SMTP). SMTP was not designed for
secure transfer of electronic mail. It is easy to forge electronic mail header
information, including the "From" address. Users should never trust electronic
mail header information as authentication of the author of the message.
Similar issues regarding authenticity apply to news articles.
Users should always be cautious and verify the authenticity of a message
before applying the instructions given in that message. This includes patch
information, software installation commands, and vulnerability workarounds.

One method of ensuring the authenticity of messages is to use a secure
cryptographic method. Using these techniques, a sender can "digitally sign" a
message, allowing the recipient to verify its authenticity.

Currently there are a number of packages which have the ability to "digitally
sign" messages. These packages generally also have information encryption
capabilities. AUSCERT has chosen to use Pretty Good Privacy (PGP) as its
standard package for digital signatures and encryption. PGP has been chosen
because it currently uses technology that is believed to be secure, is widely
distributed, and is well supported by the Internet community.

Many Advisories contain information on available patches. The contents of
these patches should be verified by checking the supplied MD5 checksums listed
in the Advisory against those created from the retrieved patches. Note that
the listed MD5 checksums can only be trusted if they are protected by a
verifiable digital signature.

Administrators should be wary of trusting checksums created by sum(1) to
verify the contents of patches. Software is available to modify files without
altering the checksum created by sum(1).

2. Impact

System administrators or users may be misled into performing inappropriate
actions such as installing programs containing security vulnerabilities,
allowing intruders to gain privileged access.

3. Workarounds/Solution

All information released by AUSCERT will be Digitally Signed. This signature
should always be checked to validate the authenticity of the information.

AUSCERT currently uses the Pretty Good Privacy (PGP) system. By installing
and configuring PGP, and obtaining the AUSCERT Public Key, users may verify
that the information they receive has been released by AUSCERT.
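Section 1 says that a retrieved patch should be checked against the MD5 list in the Advisory, and that the list itself is only trustworthy when covered by a verified signature. The following Python is an added example, not AUSCERT's code: it parses a checksum list in the "MD5 (name) = digest" form that md5(1) prints, and refuses to accept a patch unless the list was signed, names the file, and the digest of the retrieved bytes matches. The file names, patch contents and the signature_ok flag are constructed for the example.

```python
"""Check retrieved patches against the MD5 list from a signed Advisory."""
import hashlib
import hmac
import re

# Checksum lines in the form md5(1) prints them:  MD5 (name) = <32 hex digits>
CHECKSUM_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{32})$")

# Constructed sample: a checksum block as it would appear inside the signed
# body of an Advisory. The digests are those of the constructed patch bytes
# below, not values from any real AUSCERT Advisory.
ADVISORY_CHECKSUMS = """\
MD5 (patch-fox.tar) = 9e107d9d372bb6826bd81d3542a419d6
MD5 (patch-abc.tar) = 900150983cd24fb0d6963f7d28e17f72
"""
RETRIEVED = {
    "patch-fox.tar": b"The quick brown fox jumps over the lazy dog",
    "patch-abc.tar": b"abc",
}

def parse_checksum_list(text):
    """Map file name -> expected hex digest; lines of any other shape are ignored."""
    table = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            table[m.group("name")] = m.group("hex").lower()
    return table

def verify_patch(name, data, table, signature_ok):
    """Return 'ok' only when the list is signed, lists the file, and the
    digest of the retrieved bytes matches. Other results name the failure."""
    if not signature_ok:
        # The Alert's caveat: an unsigned checksum list proves nothing, since
        # whoever replaced the patch can replace its listed MD5 as well.
        return "unsigned-list"
    expected = table.get(name)
    if expected is None:
        return "unknown-file"
    actual = hashlib.md5(data).hexdigest()
    # Constant-time compare. MD5 is used only because Advisories of the day
    # listed MD5; it is no longer collision resistant, so prefer SHA-2 today.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

if __name__ == "__main__":
    table = parse_checksum_list(ADVISORY_CHECKSUMS)
    for name, data in RETRIEVED.items():
        print(name, verify_patch(name, data, table, signature_ok=True))
```

In practice signature_ok would be the outcome of the PGP verification step described in section 3.3, performed on the Advisory before its checksum list is read.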
A tutorial on PGP is beyond the scope of this Alert; however, there is a large
selection of PGP resources available on the Internet.

3.1 PGP resources

PGP source code, binaries for major architectures, documentation, and numerous
PGP tools are available from:

        ftp://ftp.pgp.net/pub/pgp/

In particular, the PGP Frequently Asked Question lists (FAQs) are available
from:

        ftp://ftp.pgp.net/pub/pgp/doc/pgpfaq.txt.gz
        ftp://ftp.pgp.net/pub/pgp/doc/pgp263i-faq.txt.gz

Web users may also find the following page useful:

        http://www.yahoo.com/Computers_and_Internet/Security_and_Encryption/PGP___Pretty_Good_Privacy/

A version of MD5 may be obtained from:

        ftp://ftp.auscert.org.au/pub/mirrors/cert.org/tools/md5/

3.2 Obtaining and Installing AUSCERT's PGP Public Key

The AUSCERT PGP Public Key is available from:

        ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

Users who have access to the "finger" utility may also use:

        % finger pgp@ftp.auscert.org.au

Experienced PGP users may also obtain the AUSCERT Public Key from any public
PGP keyserver.

Fetch AUSCERT's PGP Public Key and save it to a file:

        % finger pgp@ftp.auscert.org.au > auscert.pgp

Read this file for further instructions on verifying the authenticity of the
key. After verifying the authenticity of the key, install the public key into
your keyring:

        % pgp auscert.pgp

3.3 Example of verifying a message using PGP

The following example shows how to use AUSCERT's Public Key to verify the
contents and authenticity of a message. This example assumes PGP has been
correctly installed and configured. It also assumes that AUSCERT's Public Key
has previously been added to your keyring. It serves only as a guide for PGP
running under the UNIX operating system.

To verify a message (such as this one), save it to a file (such as alert.txt),
and type:

        % pgp alert.txt

You should see the following lines (note that the date will change):

        Good signature from user "AUSCERT ".
        Signature made 1996/05/28 10:41 GMT

If the following text is seen, this may represent a modified message:

        WARNING: Bad signature, doesn't match file contents!

        Bad signature from user "AUSCERT ".
        Signature made 1996/05/28 10:41 GMT

Reasons for a message having a "Bad signature" range from the message being
accidentally changed to it being an intentional forgery. It is possible for
messages to be unintentionally altered (for example, by some mail forwarders).

All AUSCERT Advisories and Alerts are made available on the AUSCERT ftp
server. If the signature for an Advisory or Alert fails to verify, you should
fetch a new copy of the document from:

        ftp://ftp.auscert.org.au/pub/auscert/advisory/

Users who believe they have received forged mail, apparently sent from
AUSCERT, should immediately contact AUSCERT with the details.

4. Additional Measures and Information

If any user is unsure of the authenticity of information claiming to be
released by AUSCERT, then AUSCERT may be contacted by sending electronic mail
to the address below or by calling the Hotline. AUSCERT requests that
after-hours calls to the Hotline be reserved for emergency situations only.

If you wish to send sensitive information to AUSCERT, we advise that e-mail be
encrypted. This can be done using PGP and AUSCERT's PGP Public Key. Please
check your PGP documentation for more details. Users who do not have PGP
installed and wish to send sensitive information should contact AUSCERT to
arrange a secure method of transfer.

Many other individuals and organisations also digitally sign their documents.
This includes other incident response teams and software developers. Users
should get into the habit of verifying digital signatures on security critical
documents or code, whenever it is an available option.

The CERT Coordination Centre has written a document on Email Forgery.
This document can be retrieved from:

        ftp://ftp.auscert.org.au/pub/cert/tech_tips/email_spoofing

- -----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organization. The
appropriateness of this document for an organization or individual system
should be considered before application in conjunction with local policies and
procedures. AUSCERT takes no responsibility for the consequences of applying
the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                The University of Queensland
                Brisbane
                Qld. 4072.
                AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMaw+Zyh9+71yA2DNAQE0YAP5ARHffwa7NUHvPg0gS6wWhptUmV1iChO/
RWQeXSXPyGTg/CA9rmJIa8CIj7aBt+q3c9Eg0aU2xGsL3eOEqWi3EkIw6U/CFruI
/Hfi4VK+9yxBbcmOfT2qcuwe6PwVyPhmB9ICTxaRpG5L/HVFYh1eTki4hTDCatlO
A760HBU1KTw=
=zr50
-----END PGP SIGNATURE-----