[1101] in bugtraq
Re: snooper watchers
daemon@ATHENA.MIT.EDU (Dr. Frederick B. Cohen)
Sun Feb 26 01:20:56 1995
From: fc@all.net (Dr. Frederick B. Cohen)
To: newsham@aloha.net (Timothy Newsham)
Date: Sun, 26 Feb 1995 00:13:01 -0500 (EST)
Cc: bugtraq@fc.net
In-Reply-To: <m0riUFF-000uJkC@hookomo> from "Timothy Newsham" at Feb 25, 95 11:41:44 am
>
> > If I turn the paranoid mode up a notch or two here..
> > What is to stop someone from mounting another filesystem over the top of
> > your tripwire database and crontab entries? Replace the mount and df
> > commands to not show the new mount point. Now you continue to believe
> > that you are a happy camper, all safe and secure.
...
>
> Btw an easier attack is to just modify the script that regularly runs
> tripwire, usually run from cron.
...
>
> Tim N.
>
This whole set of issues has been researched in some depth and
partially solved - partially proven unsolvable. See "Defense in Depth
Against Computer Viruses" and "Program Evolution for Operating System
Security" - both in the IFIP-TC11 Journal Computers and Security -
I won't bother to tell you who the author was - FC
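
An added example, not part of the original post or thread: a check for the overlay-mount scenario quoted above that parses the kernel's mount table instead of trusting `mount` or `df` output, and compares the filesystem behind each protected path to a recorded baseline. It assumes a Linux host exposing `/proc/self/mountinfo`; the paths, device numbers, `BASELINE` table and sample input are constructed for illustration.

```python
import re

# Constructed sample in /proc/self/mountinfo format; last line stacks a tmpfs over the database dir.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 21 8:2 / /var rw,relatime - ext4 /dev/sda2 rw
23 21 0:5 / /proc rw,nosuid - proc proc rw
40 22 0:41 / /var/lib/tripwire rw,relatime - tmpfs tmpfs rw
"""

# Hypothetical baseline recorded at install time: path -> (major:minor, fstype).
BASELINE = {
    "/var/lib/tripwire": ("8:2", "ext4"),
    "/var/spool/cron": ("8:2", "ext4"),
}

def parse_mountinfo(text):
    """Return mounts in file order; the fields after ' - ' start with the fs type."""
    mounts = []
    for line in filter(str.strip, text.splitlines()):
        left, _, right = line.partition(" - ")
        f, r = left.split(), right.split()
        # Mount points escape space, tab, newline and backslash as \\ooo octal.
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), f[4])
        mounts.append({"id": f[0], "dev": f[2], "point": point, "fstype": r[0]})
    return mounts

def effective_mount(mounts, path):
    """Deepest mount containing path; on a tie the later entry wins (assumed stacked on top)."""
    best = None
    for m in mounts:
        p = m["point"]
        inside = p == "/" or path == p or path.startswith(p + "/")
        if inside and (best is None or len(p) >= len(best["point"])):
            best = m
    return best

def audit(mountinfo_text, baseline):
    """List protected paths whose backing filesystem no longer matches the baseline."""
    mounts = parse_mountinfo(mountinfo_text)
    findings = []
    for path, expected in sorted(baseline.items()):
        m = effective_mount(mounts, path)
        actual = (m["dev"], m["fstype"]) if m else None
        if actual != expected:
            findings.append((path, expected, actual))
    return findings

if __name__ == "__main__":
    for path, expected, actual in audit(SAMPLE_MOUNTINFO, BASELINE):
        print(f"MISMATCH {path}: expected {expected}, kernel reports {actual}")
```

A check like this runs on the host it audits, so it inherits the trust problem the thread is discussing; a bind mount from the same device would also pass the device comparison.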