Published October 27th, 2004 by Jim O'Halloran

The Importance of Verifying Identity

Two incidents in the last couple of days have prompted me to make some comments on the importance of verifying identity. It's critically important that administrators verify their packages. In a class I teach we spend quite a bit of time on it, then reinforce the point later in the course. Why? Because of the recent PostNuke incident.

This morning the developers of PostNuke, a free software content management system, posted a security announcement saying that a vulnerability in the paFileDB download management software had allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 08:30 GMT.


Having broken into the PostNuke site, the attackers were able to swap the genuine PostNuke package for their own version. Of course the attackers' version of PostNuke contained additional back doors and the like that weren't in the original, leading to more compromised systems.

Worse still is how easily this could have been prevented. The PostNuke team offers MD5 sums for each of their packages. This is useful because it gives the end user a way to verify that the package they downloaded is bit for bit identical to the one PostNuke is offering: if the sums match, we can be confident (barring a hash collision) that our package is the same as the one the sums were computed from.

What this doesn't tell us is WHO created the package. Anyone can create a new genuine-looking package and generate matching MD5 sums, and an attacker who can replace the package on the download site can replace the published sums right alongside it. In fact I have done exactly that in the past.

Unless you know with certainty that the original author created the package, and that it hasn't been tampered with since, you can't trust the package. It's THAT simple! The good news is there's already a fix: GPG signatures.

If I sign a package with my private key, the rest of the world can verify both that it hasn't been tampered with AND that I actually created it (more precisely, that whoever holds the private key matching my published public key signed it, which is why you must obtain that public key through a channel other than the download site and check its fingerprint). RPMs can carry an embedded digital signature, and for tarballs we can create a detached signature. It only takes a second to verify a signature, but if you take the time you can be sure of a package's authenticity. As the PostNuke incident clearly demonstrates, downloading a package from the author's web site doesn't guarantee it is genuine, and as I said earlier, if you don't know with any certainty who created the package, you've already lost the battle.
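The sign-and-verify workflow described above, run end to end as an added example. This is not code from the original post or from the PostNuke or Red Hat projects. It assumes GnuPG 2.1 or later (gpg, gpgconf) and GNU coreutils (md5sum, mktemp) are installed; the package name, its contents and the key identities are made up for the demonstration. It builds a genuine release with an MD5 sum file and a detached signature, then a swapped package from an attacker who regenerated the sums and signed with their own key, then a corrupted copy, and runs the end user's two checks against all three.

```shell
#!/bin/sh
# Added example: detached GPG signatures versus MD5 sums for a downloaded
# package. Not code from the original post or from PostNuke/Red Hat.
# Assumes GnuPG 2.1+ (gpg, gpgconf) and GNU coreutils (md5sum, mktemp).
# Package name, contents and key identities are made up for the demo.
set -eu

WORK=$(mktemp -d)
cleanup() {
    # Stop the agents GnuPG started for the throwaway homes, then remove them.
    for h in publisher attacker user; do
        GNUPGHOME="$WORK/$h" gpgconf --kill all 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT
cd "$WORK"

# Three throwaway keyrings; nothing here touches ~/.gnupg.
for h in publisher attacker user; do mkdir -m 700 "$h"; done

genkey() {   # genkey <home> <uid>: passphrase-less key, acceptable for a demo only
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never 2>/dev/null
}
sign() {     # sign <home> <file>: writes the detached, ASCII-armoured <file>.asc
    GNUPGHOME="$1" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

genkey "$WORK/publisher" "Example Release Key <release@example.invalid>"
genkey "$WORK/attacker"  "Not The Release Key <mallory@example.invalid>"

# The end user obtained the publisher's public key earlier, out of band, and
# has ONLY that key in their keyring. That decision is what does the work.
GNUPGHOME="$WORK/publisher" gpg --batch --quiet --export release@example.invalid \
    | GNUPGHOME="$WORK/user" gpg --batch --quiet --import 2>/dev/null
export GNUPGHOME="$WORK/user"

# 1. The publisher ships the release with an MD5 sum file and a signature.
mkdir genuine
printf 'genuine release\n' > genuine/package-1.0.tar.gz
(cd genuine && md5sum package-1.0.tar.gz > package-1.0.tar.gz.md5)
sign "$WORK/publisher" genuine/package-1.0.tar.gz

# 2. An attacker who controls the download site swaps in a back-doored package,
#    regenerates the MD5 sums to match, and signs with a key of their own.
mkdir hacked
printf 'genuine release plus a back door\n' > hacked/package-1.0.tar.gz
(cd hacked && md5sum package-1.0.tar.gz > package-1.0.tar.gz.md5)
sign "$WORK/attacker" hacked/package-1.0.tar.gz

# 3. The archive bytes change but the published sums and signature do not
#    (a sloppy attacker, or plain download corruption).
cp -R genuine tampered
printf 'x' >> tampered/package-1.0.tar.gz

# The user's two checks. Each returns 0 to accept and non-zero to reject,
# which is exactly what md5sum --check and gpg --verify do.
verify_md5() {   # verify_md5 <file>: integrity against <file>.md5, nothing more
    (cd "$(dirname "$1")" && md5sum --check --status "$(basename "$1").md5")
}
verify_sig() {   # verify_sig <file>: integrity AND origin, via <file>.asc
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

for d in genuine tampered hacked; do
    f="$d/package-1.0.tar.gz"
    printf '%-9s md5sum=%s  gpg=%s\n' "$d" \
        "$(verify_md5 "$f" && echo ok || echo FAIL)" \
        "$(verify_sig "$f" && echo ok || echo FAIL)"
done
```

The last line of output is the one that matters: the hacked package passes the MD5 check, because the attacker published matching sums next to it, and fails the GPG check, because the user's keyring holds only the publisher's key and the attacker's signature verifies against nothing. A sum file hosted on the same site as the package proves nothing once that site is compromised. The same run also shows the limit of a signature: gpg accepts the genuine package with a warning that the key is not certified, since it only proves that the holder of a particular private key signed the file. The publisher's public key therefore has to come from somewhere other than the download page, with its fingerprint checked before import; otherwise the attacker just publishes their own key beside their package. For RPMs the equivalent check is `rpm --checksig package.rpm` (or `rpm -K`) against the vendor's imported key.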

The PostNuke team are doing their entire user base a major disservice by not offering digital signatures for their packages at all. Not everyone will use signatures, but anyone who cares about security needs them in order to trust their packages. By not providing signatures in the first place, they're not even giving end users a fair chance of defending themselves against this sort of attack.

The flip side is making sure your end users are aware of signatures if you do use them. The 'Fedora-Redhat' fake security alert incident highlights this.

I just received an email from the ‘Redhat Security Team’ telling me that I needed to download some tar file from fedora-redhat.com.

Now the real RedHat security and updates people digitally sign their email. The fake alert could not possibly have carried a valid signature. This should immediately raise a red flag with anyone receiving the bulletin, because a forger can't produce a signature that validates against RedHat's published key.

Some mailers don't make it easy to check signatures on email. If you're using one of those, you've basically got two options: check it the hard way, or switch to one that does. There are even GPG plugins for Microsoft Outlook and Outlook Express, so there's really no excuse for not doing it.

Of course, let's assume that we didn't check the GPG signature on the message and went ahead and downloaded the fake update anyway. Well, then you should be aware that RedHat distributes all updates as RPMs and signs them with their keys. So again, check the signature of the packages!

It's a key security concept. If you know exactly what is installed on your machine, and where it came from, then you've got a good defence against trojans, back doors and similar attacks. In order to know where it came from, though, you MUST have some sort of signature. MD5 sums alone cannot verify the identity of the package creator. Verifying identity is key.

