Posted to users@spamassassin.apache.org by ji...@jidanni.org on 2008/12/26 22:44:33 UTC

what's the big risk with sa-update --nogpg?

So what's the worst thing that could happen to me with sa-update
--nogpg? Just a little more spam getting through? Ha!

> If you would just follow instructions, you wouldn't need --nogpg

Yes, well, let's just say things didn't work out, and we want to use
--nogpg just for that risky feel. Like smoking cigarettes or
something. So what's the worst thing that could happen, our mailbox
getting cancer?

Re: what's the big risk with sa-update --nogpg?

Posted by Benny Pedersen <me...@junc.org>.
On Fri, December 26, 2008 22:44, jidanni@jidanni.org wrote:
> So what's the worst thing that could happen, our mailbox
> getting cancer?

cheers

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: what's the big risk with sa-update --nogpg?

Posted by mouss <mo...@netoyen.net>.
jidanni@jidanni.org wrote:
> So what's the worst thing that could happen to me with sa-update
> --nogpg? Just a little more spam getting through? Ha!
> 
>> If you would just follow instructions, you wouldn't need --nogpg
> 
> Yes, well, let's just say things didn't work out, and we want to use
> --nogpg just for that risky feel. Like smoking cigarettes or
> something. So what's the worst thing that could happen, our mailbox
> getting cancer?

Not clear whether you are asking for information or whether this is
ironic. I'll assume the former.

If your DNS is poisoned, you may get updates from another server. If
there is a vulnerability in SA that can be triggered by specific rules,
then you just opened your server to such attacks.

you may say that attackers could own a channel server. but:
- it is reasonable to assume that channel servers are "reasonably well run"
- channels are used by a lot of people. so an attack on the channels
will be detected sooner than an attack on your server
...


Ok, that may look theoretical. But since it is easy to use sa-update
without --nogpg, there is no point to use --nogpg.

(The 403 problems you had have nothing to do with gpg.)

PS. backscatter with
	support@dss.dounsix.local
    		Unrouteable address
has started again. I now blocked .orcon.net.nz (I am too lazy to find a
"more appropriate" way). If a list admin could find the guilty member
and remove him...




Re: what's the big risk with sa-update --nogpg?

Posted by Jake Maul <ja...@gmail.com>.
The point of the GPG sig check is to verify the authenticity of the
source of the rules you're downloading. To get in the frame of mind as
to what it means to skip this, consider what it would mean to have an
unknown (obviously malicious) person masquerade as your wife/husband
for a while. What might happen? If it goes undetected, there's
probably very little you wouldn't reveal to them, little you wouldn't
do for them, and they could do almost anything to you.

Let's see... worst case scenario...

Someone poisons the DNS caches near you (given the fairly recently
announced huge vulnerability here, it would be a good idea
security-wise to consider this "trivial"). Alternatively, someone
cracks one of the channel servers directly, or fools them into
accepting illicit rules. Your sa-update downloads the bad rules
(either from the right server that has been compromised, or from the
wrong server altogether). You're not checking the GPG key, so it
happily downloads and installs the tainted rules. These rules do a few
things:

1) They deliberately score all emails with big negative scores, thus
destroying your spam filtering completely until you sort it out. This
might be a bit too detectable for them, so instead maybe they settle
for altering the scores on all the stock rules, making all sorts of
things wrong. Either way, your filtering is going to be bad for a
while. Really bad. Maybe they invert all the scores... scoring spam
low and ham high.

2) Since you're basically downloading code that SA will run, let's say
they've discovered a vulnerability in SA or Perl that allows them to
run arbitrary perl code from these rules. They do so, and the
arbitrary code they run downloads a rootkit and opens a reverse shell
on a random port. The attacker connects to it and is logged in as root
on your SA server. They use this hole to listen in on all traffic
flowing through this box and in a short while have acquired all sorts
of private information. They exploit any IP-based trust relationships
it has with your other workstations/servers. Your whole network (or at
least the part containing the SA server) is rootkitted, botnetted, and
initiates mass spamming and worm propagation to the Internet. A few
systems are completely destroyed (formatted, registries corrupted,
whatever). In short, your entire IT infrastructure is completely hosed
because you weren't checking the authenticity of code you were
downloading and running on a regular basis.

Okay, so (2) is a bit far-fetched. There's nothing there that isn't
doable by anyone who cared enough to do it though.


This might be fun to do on a honeypot machine, but it's not something
I'd do willingly on any machine I was actually using for a legitimate
purpose. Downloading and running unknown/untrusted code is just... a
bad idea. :)

Jake

On Fri, Dec 26, 2008 at 2:44 PM,  <ji...@jidanni.org> wrote:
> So what's the worst thing that could happen to me with sa-update
> --nogpg? Just a little more spam getting through? Ha!
>
>> If you would just follow instructions, you wouldn't need --nogpg
>
> Yes, well, let's just say things didn't work out, and we want to use
> --nogpg just for that risky feel. Like smoking cigarettes or
> something. So what's the worst thing that could happen, our mailbox
> getting cancer?
>
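The point mouss and Jake make above (a poisoned resolver or a compromised mirror can hand you any rules it likes, and only the signature ties the download to the channel) as an added example, not code from the thread or from SpamAssassin: a small Go model of the client-side check. It assumes sa-update's layout of a rules tarball served next to a digest file and a detached signature; Ed25519 stands in for the GPG key, and the rule texts are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Update models one rules version as a mirror serves it (constructed stand-in for .tar.gz/.sha1/.asc).
type Update struct {
	Tarball []byte
	SHA1    string // hex digest of Tarball, as in the .sha1 file
	Sig     []byte // detached signature over Tarball; Ed25519 stands in for GPG
}

// publish is the legitimate channel: hash the rules and sign them.
func publish(priv ed25519.PrivateKey, rules []byte) Update {
	sum := sha1.Sum(rules)
	return Update{rules, hex.EncodeToString(sum[:]), ed25519.Sign(priv, rules)}
}

// tamper is a poisoned-DNS or compromised mirror: it swaps the rules and
// recomputes the digest, but cannot re-sign without the channel's private key.
func tamper(u Update, evilRules []byte) Update {
	sum := sha1.Sum(evilRules)
	return Update{evilRules, hex.EncodeToString(sum[:]), u.Sig}
}

// verify is the client. nogpg=true models --nogpg: only the digest is checked,
// and whoever served the tarball also served (and could rewrite) the digest.
func verify(pub ed25519.PublicKey, u Update, nogpg bool) error {
	sum := sha1.Sum(u.Tarball)
	if hex.EncodeToString(sum[:]) != u.SHA1 {
		return fmt.Errorf("sha1 mismatch: corrupted download")
	}
	if nogpg {
		return nil // integrity only, no authenticity
	}
	if !ed25519.Verify(pub, u.Tarball, u.Sig) {
		return fmt.Errorf("signature check failed: rules are not from the channel")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := publish(priv, []byte("score SOME_RULE 2.0\n"))
	bad := tamper(good, []byte("score EVIL_RULE -100\n")) // constructed sample
	fmt.Println("good/gpg:", verify(pub, good, false), " bad/--nogpg:", verify(pub, bad, true), " bad/gpg:", verify(pub, bad, false))
}
```

The digest still catches a truncated or corrupted download either way; what --nogpg gives up is the one check the mirror cannot forge.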