The TALPA molehill
Posted Aug 13, 2008 16:14 UTC (Wed) by mattmelton (guest, #34842)
In reply to: The TALPA molehill by jhohm
Parent article: The TALPA molehill
Not at all - we used SSH and SCP/SFTP. An ARPjacking isn't merely a NIC in promiscuous mode. The tools used against us were replacement daemons running on another host that was periodically emitting our MAC/IP association.

What would have helped would have been a certificate policy - "has someone changed/updated the SSH certificate/server/encryption?". When faced with that question, we should have stopped and phoned one another. Regrettably one of us chose to accept the new certificate and thus sent our password to the fake daemon.

In terms of how unavoidable these novel and targeted attacks on general purpose hardware are, I think I have shown a fair example. Whether or not it mandates a kernel-level mechanism that doesn't already exist is the topic for discussion. As food for thought, only a few weeks ago Metasploit was compromised in the same way - check out Moore's statement: http://www.haloscan.com/comments/alexeck/964311044981251862
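Added example, not part of the original comment: a detection sketch for the situation described above, where a second host keeps announcing an existing MAC/IP association. It assumes ARP observations are already being collected as (time, IP, MAC) tuples; the sample data, function name and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (unix_time, ip, mac) taken from ARP replies seen on the LAN.
# 10.0.0.5 is claimed by two MACs in alternation; 10.0.0.9 changes MAC once.
OBSERVATIONS = [
    (1000, "10.0.0.5", "00:16:3e:aa:aa:01"),
    (1000, "10.0.0.9", "00:16:3e:bb:bb:02"),
    (1030, "10.0.0.5", "00:16:3e:cc:cc:03"),
    (1060, "10.0.0.5", "00:16:3e:aa:aa:01"),
    (1090, "10.0.0.5", "00:16:3e:cc:cc:03"),
    (1120, "10.0.0.5", "00:16:3e:aa:aa:01"),
    (9000, "10.0.0.9", "00:16:3e:dd:dd:04"),
]

def find_contested_ips(observations, window=300, min_flips=2):
    """Return {ip: {"macs": [...], "flips": n}} for every IP whose MAC binding
    changed at least min_flips times within some span of `window` seconds.
    A single change (a replaced NIC) stays below the default threshold."""
    last_mac = {}
    flip_times = defaultdict(list)   # ip -> times at which the binding changed
    macs = defaultdict(set)          # ip -> MACs involved in those changes
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            flip_times[ip].append(ts)
            macs[ip].update((prev, mac))
        last_mac[ip] = mac

    alerts = {}
    for ip, times in flip_times.items():
        best = start = 0
        # Sliding window over the change timestamps: densest burst of flips.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_flips:
            alerts[ip] = {"macs": sorted(macs[ip]), "flips": best}
    return alerts

if __name__ == "__main__":
    for ip, info in find_contested_ips(OBSERVATIONS).items():
        print(f"ALERT {ip}: {info['flips']} binding changes between {info['macs']}")
```

An alert of this kind is a reason to treat any SSH host key change prompt on that segment as suspect until it has been verified out of band.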
