Invalid signature on SANS alert (was Re: [svlug] FW: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET)

Karsten M. Self kmself at ix.netcom.com
Fri Mar 23 11:23:02 PST 2001


on Fri, Mar 23, 2001 at 01:07:21PM -0500, mike rock (mrock at stewartsigns.com) wrote:
> 
> Just appeared on one of the other lugs that I subscribe to,
> 
> Michael C. Rock
> 
> From: "The SANS Institute" <securityalert at sans.org>
> To: "William Morris (SD102811)" <bill_morris at ncsu.edu>
> Subject: ALERT -  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> Date: Fri, 23 Mar 2001 10:43:05 -0500
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

Note that, at least for me, the signature on this alert is invalid.
While this doesn't mean the message isn't legit -- I've seen the same
alert in several places, and a PGP/GPG signature hash is very fragile: a
single character delta will invalidate it -- it would be helpful for
those who are forwarding signed material to:

  - Verify the signature on the document prior to forwarding it.
  - Use a method for forwarding the message which preserves the signed
    data unchanged.  MIME attachments are probably justified in this
    case.
  - Point to a canonical or central source for the information.
  - Mention specifically what _your_ initial source of contact was (what
    LUG, I wonder).

It's also generally a very *bad* idea to forward content you've seen
posted to another mailing list / weblog / website without at least
taking cursory attempts to verify the source material.  If _you_ don't
have the time to verify an alert, you're compounding the problem for
each of your recipients.  In short, the rule is:  verify, or don't
forward.  You're otherwise largely in the same class as chain letter and
Internet hoax dupes.

In the case of the current alert, a quick check of the SANS website
(itself subject to spoofing, DNS hacks, or MitM attacks) shows:

    http://www.sans.org/y2k/032301-0915.htm
    http://www.sans.org/y2k/lion.htm

Cheers.

-- 
Karsten M. Self <kmself at ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
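As an added example that is not part of Karsten's post, a small Python check for the "verify, or don't forward" rule above: it strips the mail quoting an inline forward picks up, reduces the signed text to the RFC 4880 canonical form that the signer hashed, and reports whether a forwarded copy still carries the same signed bytes as the original. The sample messages and function names are constructed for this example; the signature armor holds a placeholder, not real OpenPGP data.

```python
import hashlib
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def unquote_forward(text):
    """Strip one level of '> ' mail quoting added when a message is forwarded inline."""
    return "\n".join(re.sub(r"^> ?", "", line) for line in text.splitlines())

def signed_text_lines(text):
    """Signed lines of a clearsigned message: after the 'Hash:' armor headers and
    their blank separator, up to the signature armor."""
    lines = text.splitlines()
    if BEGIN_SIGNED not in lines or BEGIN_SIG not in lines:
        raise ValueError("no complete clearsigned block found")
    body = lines[lines.index(BEGIN_SIGNED) + 1:lines.index(BEGIN_SIG)]
    while body and body[0].strip():  # drop 'Hash: SHA1' and any other armor headers
        body.pop(0)
    return body[1:]  # drop the blank line that ends the headers

def canonical_digest(body, algo="sha1"):
    """Hash the signed text in the RFC 4880 canonical form the signer hashed:
    dash-escaping removed, trailing whitespace stripped, CRLF line endings, no
    line ending after the last line.  A real signature also hashes a trailer of
    signature metadata, so this answers 'same signed text?'; it does not
    replace gpg --verify."""
    canon = [(l[2:] if l.startswith("- ") else l).rstrip(" \t") for l in body]
    return hashlib.new(algo, "\r\n".join(canon).encode()).hexdigest()

def signed_text_preserved(original, forwarded):
    """True when the forwarded copy, once unquoted, still carries exactly the
    bytes the signer hashed, so gpg --verify has a chance of succeeding."""
    return (canonical_digest(signed_text_lines(original)) ==
            canonical_digest(signed_text_lines(unquote_forward(forwarded))))

# Constructed sample: not a real SANS alert, and the signature armor holds a
# placeholder rather than real OpenPGP data.
ORIGINAL = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ALERT - a new worm is spreading.
- -- details at the canonical URL below.
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----"""
FORWARDED_OK = "\n".join("> " + l for l in ORIGINAL.splitlines())
FORWARDED_BAD = FORWARDED_OK.replace("new worm", "new  worm")  # one extra space
```

A copy that fails this check can never verify, whatever key it claims to carry; a copy that passes still needs `gpg --verify` against the signer's key before it is forwarded.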