copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

AL-96.01 -- Forged Security Information - Verifying AUSCERT Information

Date: 29 May 1996

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AL-96.01                        AUSCERT Alert
	     Forged Security Information - Verifying AUSCERT Information
                                29 May 1996
- -----------------------------------------------------------------------------

AUSCERT has received reports of forged messages, containing false
computer security information, being distributed on the Internet.  
Before applying any patches, fixes, or workarounds obtained from
the Internet, or in fact anywhere else, the contents and origin of
that information should be verified.

All information released from AUSCERT (including this Alert) contains
a Digital Signature.  This signature can be used to verify the
origin and contents of the message.  This not only applies to
Advisories and Alerts, but also to all official electronic mail
correspondence from AUSCERT.

- -----------------------------------------------------------------------------

1.  Description

    AUSCERT has received reports of forged messages claiming to
    contain security patch information being distributed via
    electronic mail, news, and other distribution mechanisms.
    AUSCERT takes this opportunity to warn constituents of the
    dangers of forged electronic mail, news or messages, and the
    measures AUSCERT has in place to verify the authenticity of
    any message claiming to come from AUSCERT.  These techniques
    are also used by many other incident response teams and software
    producers.

    The standard protocol used to distribute electronic mail
    throughout the Internet is Simple Mail Transfer Protocol (SMTP).
    SMTP was not designed for secure transfer of electronic mail.
    It is easy to forge electronic mail header information, including
    the "From" address.  Users should never trust electronic mail
    header information as authentication of the author of the
    message.  Similar issues regarding authenticity may be applied
    to news articles.

    Users should always be cautious and verify the authenticity of
    a message before applying the instructions given in that message.
    This includes patch information, software installation commands,
    and vulnerability workarounds.

    One method of ensuring the authenticity of messages is to use
    a secure cryptographic method.  Using these techniques, a sender
    can "digitally sign" a message allowing the recipient to verify
    its authenticity.  Currently there are a number of packages
    which have the ability to "digitally sign" messages.  These
    packages generally also have information encryption capabilities.

    AUSCERT has chosen to use Pretty Good Privacy (PGP) as its
    standard package for digital signatures and encryption.  PGP
    has been chosen because it currently uses technology that is
    believed to be secure, is widely distributed, and is well supported
    by the Internet community.

    Many Advisories contain information on available patches.  The
    contents of these patches should be verified by checking the
    supplied MD5 checksums listed in the Advisory against those
    created from the retrieved patches.  Note that the listed MD5
    checksums can only be trusted if they are protected by a
    verifiable digital signature.

    Administrators should be wary of trusting checksums created by
    sum(1) to verify the contents of patches.  Software is available
    to modify files without altering the  checksum created by sum(1).

2.  Impact

    System administrators or users may be misled into performing
    inappropriate actions such as installing programs containing
    security vulnerabilities, allowing intruders to gain privileged
    access.

3.  Workarounds/Solution

    All information released by AUSCERT will be Digitally Signed.  This
    signature should always be checked to validate the authenticity of
    the information.

    AUSCERT currently uses the Pretty Good Privacy (PGP) system.  By
    installing and configuring PGP, and obtaining the AUSCERT Public Key,
    users may verify that the information they receive has been released by
    AUSCERT.

    A tutorial on PGP is beyond the scope of this Alert, however, there is a 
    large selection of PGP resources available on the Internet.  


    3.1  PGP resources

    PGP source code, binaries for major architectures, documentation, and
    numerous PGP tools are available from:

	ftp://ftp.pgp.net/pub/pgp/

    In particular, the PGP Frequently Asked Question lists (FAQs) 
    are available from:

	ftp://ftp.pgp.net/pub/pgp/doc/pgpfaq.txt.gz
	ftp://ftp.pgp.net/pub/pgp/doc/pgp263i-faq.txt.gz

    Web users may also find the following page useful:

	http://www.yahoo.com/Computers_and_Internet/Security_and_Encryption/
					PGP___Pretty_Good_Privacy/

    A version of MD5 may be obtained from:

	ftp://ftp.auscert.org.au/pub/mirrors/cert.org/tools/md5/


    3.2  Obtaining and Installing AUSCERT's PGP Public Key

    The AUSCERT PGP Public Key is available from:

	ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

    Users which have access to the "finger" utility may also use:

	% finger pgp@ftp.auscert.org.au

    Experienced PGP users may also obtain the AUSCERT Public Key from any 
    public PGP keyserver.

    Fetch AUSCERT's PGP Public Key and save it to a file

        % finger pgp@ftp.auscert.org.au > auscert.pgp

    Read this file for further instructions on verifying the authenticity
    of the key.

    After verifying the authenticity of the key, install the public 
    key into your keyring.

        % pgp auscert.pgp


    3.3  Example of verifying a message using PGP

    The following example shows how to use AUSCERT's Public Key to
    verify the contents and authenticity of a message.  This example
    assumes PGP has been correctly installed and configured.  It
    also assumes that AUSCERT's Public Key has previously been
    added to your keyring.  It serves only as a guide for PGP
    running under the UNIX operating system.

    To verify a message (such as this one), save it to a file (such as
    alert.txt), and type:

        % pgp alert.txt

    You should see the following line (Note that the date will change):

        Good signature from user "AUSCERT <auscert@auscert.org.au>".
        Signature made 1996/05/28 10:41 GMT

    If the following text is seen, this may represent a modified message:

        WARNING: Bad signature, doesn't match file contents!
        Bad signature from user "AUSCERT <auscert@auscert.org.au>".
        Signature made 1996/05/28 10:41 GMT

    Reasons for a message having a "Bad signature" range from the message
    being accidentally changed to it being an intentional forgery.  It is
    possible for messages to be unintentionally altered (for example, by
    some mail forwarders).

    All AUSCERT Advisories and Alerts are made available on the AUSCERT
    ftp server.  If the signature for an Advisory or Alert fails to verify,
    you should fetch a new copy of the document from

        ftp://ftp.auscert.org.au/pub/auscert/advisory/

    Users who believe they have received forged mail, apparently sent from
    AUSCERT, should immediately contact AUSCERT with the details.

4.  Additional Measures and Information

    If any user is unsure of the authenticity of information claiming
    to be released by AUSCERT, then AUSCERT may be contacted by
    sending electronic mail to the address below or by calling the
    Hotline.  AUSCERT requests that after-hours calls to the Hotline
    be reserved for emergency situations only.

    If you wish to send sensitive information to AUSCERT, we advise
    that e-mail be encrypted.  This can be done using PGP and
    AUSCERT's PGP Public Key.  Please check your PGP documentation
    for more details.  Users which do not have PGP installed and
    wish to send sensitive information should contact AUSCERT to
    arrange a secure method of transfer.

    Many other individuals and organisations also digitally sign
    their documents.  This includes other incident response teams
    and software developers.  Users should get into the habit of
    verifying digital signatures on security critical documents or
    code, whenever it is an available option.

    The CERT Coordination Centre has written a document on Email
    Forgery.  This document can be retrieved from:

	ftp://ftp.auscert.org.au/pub/cert/tech_tips/email_spoofing

- -----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organization.
The appropriateness of this document for an organization or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMaw+Zyh9+71yA2DNAQE0YAP5ARHffwa7NUHvPg0gS6wWhptUmV1iChO/
RWQeXSXPyGTg/CA9rmJIa8CIj7aBt+q3c9Eg0aU2xGsL3eOEqWi3EkIw6U/CFruI
/Hfi4VK+9yxBbcmOfT2qcuwe6PwVyPhmB9ICTxaRpG5L/HVFYh1eTki4hTDCatlO
A760HBU1KTw=
=zr50
-----END PGP SIGNATURE-----