Re: Linuxfromscratch.org

[Tom <tom@lemuria.org>]

On Thu, Jul 24, 2003 at 02:52:02PM -0400, Dean Anderson wrote:
> Regarding the "useful" damage, if the trojan accepts another pre-defined
> password, then you don't need an outbound connection to tell you the
> passwords.  However, there has been some recent discussion of using
> charactistics of packets to trigger finite state machines. One example I
> read recently of (don't remember the source), was using a FSM in a
> firewall to remotely open holes for authorized users in a manner that
> would be hard to detect with a sniffer.  Sending a certain sequence could
> communicate the port numbers and IP addresses to open.

Actually, the current state of the art is embedding arbitrary commands 
in regular traffic. Opening ports is just one possibility, and usually
unnecessary if you have what is essentially a remote shell.
I've seen working implementations of that. They use encryption and changing 
start/end patterns. You can embed your commands in HTTP requests, or
spam mail, or hidden in the IP flags of a ping series. Good luck with
the IDS.

Which goes to show that you can't have security unless the system
itself is secure. No amount of firewalling, filtering or IDS will
protect a weak system. That's why we need SELinux. (how's that for
getting back on-topic? :) )

-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.