[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [NTSEC] SKIPJACK / NT4.0 (SP3?) (fwd)




-----BEGIN PGP SIGNED MESSAGE-----

Since I've had so many people either ask what s/w was installed on this box, 
or else claim that "J.A. must be on crack! :-)", here is the breakdown...

NT4.0; SP3; Every post SP3 hotfix through the third week of December; NT4.0 
Server Resource Kit; I.E. 3.02 with Java VM pkg installed; PGP 5.0 
Commercial; Adobe Photoshop 4.0 with a couple of special filter plugins; 
Adobe Illustrator 4.something, no addons; Adobe Premier with no addons; 
Micrographics Webtricity; Front Page 97 with assorted HotFixes; Outlook 97 
with assorted HotFixes; TCL/TK; J++; Java 1.something with SDK; WordPerfect 
Suite 7.something.  Obviously, this is on a Web Authoring station, so there 
is absolutely no reason for any of the above programs to be playing around 
with Skipjack...  Never the less...  I brought up a testbed system over the 
Xmas break, using the same install packages that I used to build the 
workstation in question.  No sign of ANY ciphers: Skipjack or anything else!  
Which makes sense.  The question now is just how in the h%@#& did it get here 
in the first place?  And why are my others ciphers explicitly disabled for 
SSL?  This is a really disturbing finding.  I am more concerned that Skipjack 
was *silently* installed than anything else: I have plans to completely 
reinstall all of the software from scratch on this particular box, and then 
enable full key ACL logging in an attempt to find out how it got there.

I am VERY concerned about this!  The ONLY way I can conceive of this machine 
having this configuration is if it was silently downloaded to the machine 
during a W3 session.  And it would NOT likely have been an SSL session: We do 
absolutely NO on-line transactions here. If Skipjack is being silently, I 
want to know by whom, and for what purpose.   OK, maybe I'm just paranoid, or 
smoking crack, but I spent several years in the late '80's working in COMSEC, 
and the scenario which first comes to mind is not too far-fetched (at least 
for me) to be believable...


It is most definitely an SSL 3 supported cipher but unless you have the
token or such,
then it is not going to be used for anything, and then only if you try to
connect 
to a Skipjack (ie. fortezza) site.  I doubt you have the code as it is
classified and available (at this time) only in hardware.  Don't sweat it,
it looks like it's just a hook or .....

What environment/flavor of stuff are you running?
I can help you with this if you want to contact me off the list.


At 11:45 AM 12/26/97 -0500, Ray Arachelian wrote:
>Now this is interesting! :)  (Either that or JA is smoking crack... - no
>idea on JA's reputation capital though...)
>
>=====================================Kaos=Keraunos=Kybernetos==============
>.+.^.+.|  Ray Arachelian    |Prying open my 3rd eye.  So good to see |./|\.
>..\|/..|[email protected]|you once again. I thought you were      |/\|/\
><--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
>../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
>.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
>======================= http://www.sundernet.com ==========================
>
>---------- Forwarded message ----------
>Date: Wed, 24 Dec 1997 01:29:07 -0600
>From: "J.A. Terranson" <[email protected]>
>To: 'NT Security Listserv' <[email protected]>
>Subject: [NTSEC] SKIPJACK / NT4.0 (SP3?)
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>I was rooting around in the registry tonight, (looking to repair my own 
>stupidity!),
>and guess what I saw?  SKIPJACK is installed, and ENABLED!  I have NOT
>(now would I EVER) installed it voluntarily, and Micro$loth only advertises 
>the
>"standard" ciphers (which I also found).
>
>Is anyone else aware of this?  Is it safe to delete the key (and code? 
>Hopefully
>this is DLL driven: I'm still looking!).
>
>Also, anyone know what it was put there for?  It's certainly not what I
would 
>
>consider an SSL issue!
>
>J.A. Terranson
>[email protected]
>A small fading light in a vast and obscure universe...
>
>PROTECT YOUR RIGHT TO PRIVACY - ENCRYPT!
>PGP/DSS: 0x12896749  FP: 63F2 1777 BC38 AC1E 3359 
>                                             0B0E C6C0 ED6B 1289 6749
>PGP/RSA: 0x9D85DF05 FP: 810C 25E9 7DD3 C157 
>                                             3081 A202 DDFD 4245
>If Government wants us to behave, it should set a better example!
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP for Personal Privacy 5.0
>Charset: noconv
>
>iQEVAwUBNKC5wqAMF5Wdhd8FAQFsDQgAkietW1awMFDE9ZY5d9B+Zc0cGuGxlPC+
>XzVy6+RleDngUecSAf8MbZZlTDDyN69liKG2Of0n+pZnlJSbKZWZiG0cRN592bbL
>xCF/cwgNdJi1/HTA/mDZ7fpRT1phCMi/b2U3XXyV3QG2fv+Z8M5o4LjykYT+u4Lt
>aEkfedFZKjkURO+artvGFnISfVxAMwpW0TfdbxE2Izw8iSjX2w+4aT0ub+Ck3OA4
>X3Bek8ZPhbmsf9lIfBSe38ZPMZGrk7VwTPaMo7JiU5MM58OmCMaodKlwyxfsptKf
>khLnbWJbwHrlbW2yXL7nh7Ttnxv1WJ6BHaaJhxX/5EWSU4xAc/FjaQ==
>=jsvV
>-----END PGP SIGNATURE-----
>
>Attachment Converted: "F:\GDW\Mail\[NTSEC] SKIPJACK  NT4.0 (SP3)"


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNKRqWaAMF5Wdhd8FAQEoawf+PlZlxSUBhsO1Pj37arRPt0YDIiCX0e5K
UzKIOyIk82Q3s2py5LQmqUv8hrqIY2NxTcn2DaNYm4yS2UOgKDfgfJbswmWdRlYZ
UHOt+ROiUn5P7qJqMThKHxE2EnQKhhtyiRJaUYgilGbgKCAAs/YYtP5uu7XOfd3l
u9TNmZwz6GCUv3+QrGXBi3g5+KQkzNZ/4cJLn+LYV5dGBzbGAsnSaAjQ+Kai0Xs9
tNTLZjM2wWvUDU7BNUYu/mHyY+ltiURgaqUSQpz9VV3y6SOlyh/Oef2JMtZtYkVc
K8EkebhEQNQ4uECxChyGYsmiuDmnt8yCYeX3moCcu+szHebQ/YyPeA==
=KIsG
-----END PGP SIGNATURE-----