>1) I read an article about the hacker group, Hacking For Girliez, and their
>attack on the Route66 ISP.  The article stated that the hacker, upon
>entering one of R66's servers saw that they had tripwire, but knew how to
>get around it.  Apparently that was true because they went undetected for
>some time.  My question is, does anyone know more about this, and if so,
>does that then make TripWire obsolete already since the exploit is certain
>to have been spread by now?

There are two ways around Tripwire and its ilk:

1) Stupid admin leaves the hashes (only) on the same system, thereby
making them useless.  Attacker sees this and modifies the hashes
to match the modified files.

2) Kernel-level mod/module to make the files look normal when Tripwire
comes around, but not otherwise.  The one I've seen would give a different
version depending on whether the file was being read vs. exec'd.

>2) According to the documentation, depending on the hash algorithm
>throughput will vary.  Depending on system of course, MD5 was measured at
>16.1MB/sec while SHA/SHS was measured at 13.1MB/sec.  Are these measurements
>throughput from the drive into memory, or from memory to the NIC?  And what
>type of performance hit are you really taking after investing in a U2W SCSI
>system that has a claimed throughput of 80MB/sec?

You make it sound like a disk-level driver.  Traditional Tripwire usage doesn't
work like that.  It's run once every how ever often you want.  How fast it can
go depends totally on your hardware and load at the time.

                              Ryan
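The first bypass in Ryan's reply (an attacker rewriting a hash database that lives on the monitored host) is the one an integrity checker can defend against directly: authenticate the baseline with a key that never sits on the host. The script below is an added illustration, not Tripwire's code or anything from the original thread. It builds a SHA-256 manifest of a directory tree, seals it with an HMAC, and on verification reports modified, added and missing files, or refuses the manifest outright when its HMAC does not verify. The demo key, the temporary directory and the file names are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of one file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = hash_file(full)
    return entries


def build_baseline(root, key):
    """Serialise the manifest and seal it with HMAC-SHA256 under an off-host key."""
    body = json.dumps(scan_tree(root), sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify(root, baseline, key):
    """Check the manifest's MAC first; only a manifest sealed with our key is trusted."""
    expected = hmac.new(key, baseline["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        # Someone rewrote the hash database without the key: do not trust any of it.
        return {"baseline_tampered": True, "modified": [], "added": [], "missing": []}
    recorded = json.loads(baseline["body"])
    current = scan_tree(root)
    return {
        "baseline_tampered": False,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Run the three cases the thread discusses against a constructed directory tree."""
    key = b"constructed-demo-key"  # assumption: in real use this lives off the host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary (constructed)")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0 (constructed)")

        baseline = build_baseline(root, key)
        clean = verify(root, baseline, key)

        # Case 1: a file is changed after the baseline was taken.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned login binary (constructed)")
        after_edit = verify(root, baseline, key)

        # Case 2: the hash database is regenerated on the host to match the new
        # file, but without the key the MAC cannot be made to verify.
        forged = verify(root, build_baseline(root, b"not-the-real-key"), key)

    return {"clean": clean, "after_edit": after_edit, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Sealing the manifest closes only the first bypass. The checker still reads files through the kernel like any other process, so the second bypass Ryan describes (a kernel module that returns one version of a file to readers and another to the loader) is invisible to it; the practical answer there is to compare against the baseline from a trusted boot or an offline copy of the disk rather than from the running system.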

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]