PGP Manipulation
reported by: sil
(ARCHIVE: http://web.archive.org/web/20010603171111/http://www.antioffline.com/framingpgp.html)

This document should be used for informational purposes only. The information contained within this document is part of the Framing Private Ryan paper written by J. Oquendo.

The entire document may carry on for a few weeks, documenting types of attacks that can occur on a criminal level. No illegal thoughts were in mind when creating this paper; it was simply meant to open eyes and ears. Should you find this document or any other document here offensive, you can simply go elsewhere and not continue reading this document and the papers on this site.


Gathering someone's PGP signature block is such an easy and trivial task that one should ask whether information can be forged by anyone on the fly, without expensive equipment and without attempting to crack someone's PGP key in order to sign a document as the person you're going to impersonate.

A typical example, and I shall use my own former signature for this, is to simply copy and paste the signature onto a file.

From: J. Oquendo sil@antioffline.com
Subject: PGP Test
Date: October, 24 2000 2:39:37 PM EDT
To: sil@antioffline.com
CC:


-----BEGIN PGP SIGNED MESSAGE-----
This is a test of integrity.

sil@antioffline.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use

iQEVAwUBOa1U5CLUtNYLY2+xAQGghAf/XLn6YFWkZI86KnWCLhIhWiM1LTgPz/V8
BjrBvS8Z4uaI0v2mC1353UJw3xx1mBK6RDF2ovqsY1/TIn1K1U7YaqLW8ZfNL1kI
v0Rz0DT7vXnAmBqKvWVud9NBCRXXwoCQ7+44FWKjRp9Ug/p0H/gEvVjQcfRD8WnL
KZ9z/PzGZeHHTlEONKgPINDKdqMuEVk1Dybl9HXXb5jPj0Fr3eu93y+/HZym9rRk
jCZZBu/01tzKrpsxqVQEN5Z1exC4gFwfLmHcp5w+qSzqX/h2KkXuALnhrqbZ/7U9
T1lZK5qZ+uYk2vKkvo/+cRqlKQt20Um0zwyAARmI7laEW6qwCkjtkA==
=PO+3
-----END PGP SIGNATURE-----


This is a valid signature which, in theory, identifies me as the sender, and it can easily be copied by anyone who comes across any email that I send. (Obviously.) But how many people actually use PGP to verify someone's signature?

Now suppose someone wanted to use my signature in an effort to cause a rift between friends.

Using nothing but typical tools, anyone I sent this message to can save it and abuse it. Using nothing more than a Linux-based workstation, let's see the havoc.

1 # hostname antioffline.com
2 # adduser sil
3 # sed s/"This is a test of integrity."/"You will die soon."/ savedmail >> badmail
4 # chmod 777 badmail ; mv badmail /anywhere ; su sil
5 $ mail -s Die someone@veryimportant.com < /anywhere/badmail
6 $ pgp -w /anywhere/badmail
7 $ exit
8 # userdel sil

What we see on Line 1 is the hostname changed to reflect my site, followed by someone adding me as a user in Line 2. Line 3 replaces the words that were originally e-mailed with something negative.

Line 4 changes the permissions on the file and moves it to a predefined directory, after which the user assumes the identity of sil. On Line 5 the attacker sends the altered e-mail to someone@veryimportant.com, who might be an employer, a politician, or anyone else.

On Line 6 PGP wipes the file from the disk, which means it will not be retrievable, followed by the user exiting the created account in Line 7 and deleting the account in Line 8.

While this isn't high tech, anyone unfamiliar with checking addressing can fall victim to attacks such as these with great ease and very little effort. There is little that can be done to prevent these issues from arising on a wide scale, simply because most administrators do not take the preventive measures to filter what information can be sent from where on which network.

Addressing, too, can be circumvented with tools such as HailStorm, which can sniff and modify packets, allowing someone to capture data and resend it with spoofed addresses, checksums, you name it.

So what's one to do to prevent a situation such as this from turning into disaster for someone? For one, a sender can PGP-sign all of their messages, but that may not be sufficient in most cases, since not everyone uses PGP, which makes things difficult.

If a user needs to sign a message to show its credibility, they would typically sign it with a signature that can easily be checked with PGP; but again, if the recipient is not validating signatures when they receive mail, an attacker can ruin someone's life this way.
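What a recipient who actually checks the signature is working with: an added example, not part of the original paper, that reads the armored block quoted earlier and pulls out the fields a verifier will test the message against (the signing key ID, the hash and public-key algorithms, the creation time). It assumes nothing beyond the Python standard library; the packet layout follows RFC 4880 for old-format, version 3 signature packets, and the armored block is the one from the page.

```python
import base64
from datetime import datetime, timezone

# The signature block quoted in the article above, embedded here as this example's input.
ARMORED_SIG = """-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use

iQEVAwUBOa1U5CLUtNYLY2+xAQGghAf/XLn6YFWkZI86KnWCLhIhWiM1LTgPz/V8
BjrBvS8Z4uaI0v2mC1353UJw3xx1mBK6RDF2ovqsY1/TIn1K1U7YaqLW8ZfNL1kI
v0Rz0DT7vXnAmBqKvWVud9NBCRXXwoCQ7+44FWKjRp9Ug/p0H/gEvVjQcfRD8WnL
KZ9z/PzGZeHHTlEONKgPINDKdqMuEVk1Dybl9HXXb5jPj0Fr3eu93y+/HZym9rRk
jCZZBu/01tzKrpsxqVQEN5Z1exC4gFwfLmHcp5w+qSzqX/h2KkXuALnhrqbZ/7U9
T1lZK5qZ+uYk2vKkvo/+cRqlKQt20Um0zwyAARmI7laEW6qwCkjtkA==
=PO+3
-----END PGP SIGNATURE-----"""

def crc24(data):  # OpenPGP armor checksum (RFC 4880 section 6.1): catches a mangled block, nothing more
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Drop the armor headers, base64-decode the body, and check the trailing CRC line."""
    lines = text.strip().splitlines()
    body = lines[lines.index("") + 1:-1]       # after the blank line, before the END line
    crc_line = body.pop()                      # "=XXXX"
    data = base64.b64decode("".join(body))
    return data, crc24(data) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")

def parse_v3_signature(armored):
    """Extract the metadata a recipient needs before verifying an old-format v3 signature."""
    data, crc_ok = dearmor(armored)
    if data[0] & 0xC0 != 0x80:                 # bit 7 set, bit 6 clear: old-format packet
        raise ValueError("expected an old-format OpenPGP packet")
    tag = (data[0] >> 2) & 0x0F                # 2 = signature packet
    body = data[1 + (1, 2, 4, 0)[data[0] & 0x03]:]   # length-type picks the header size
    if tag != 2 or body[0] != 3 or body[1] != 5:
        raise ValueError("not a v3 signature packet")
    created = int.from_bytes(body[3:7], "big")
    return {
        "sig_type": body[2],                   # 0x01 = signature over a canonical text document
        "created": created,
        "created_utc": datetime.fromtimestamp(created, timezone.utc).strftime("%Y-%m-%d %H:%M"),
        "key_id": body[7:15].hex().upper(),    # the public key the recipient must verify against
        "pubkey_algo": {1: "RSA", 17: "DSA"}.get(body[15], body[15]),
        "hash_algo": {1: "MD5", 2: "SHA1"}.get(body[16], body[16]),
        "crc_ok": crc_ok,
    }
```

The key ID names the public key the recipient has to obtain and trust before any verification can happen, and the creation time can be held against the mail's Date header (here it decodes to 2000-08-30, nearly two months before the quoted message). Because the signed hash covers the message text, pasting this block under different text leaves all of these fields intact but makes verification fail, which is the one check the attack relies on nobody running.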

"But I would never fall for that" would be the typical words anyone might use, but the truth is that everyone falls victim to mistakes and errors in life, and there is little consolation for someone whose life has been ruined by digital crimes.

J. Oquendo

"Fortune was not so completely unfriendly to him that she did not leave him some brief reminder of the force of his intelligence." -- Niccolo Machiavelli Art of War 1516