Title: RE: TripWire

Jesus-

I will have to look into your second question, but the first is quite simple and actually gets to the heart of what Tripwire is about:

> 1) I read an article about the hacker group, Hacking For Girliez, and their
> attack on the Route66 ISP.  The article stated that the hacker, upon
> entering one of R66's servers saw that they had tripwire, but knew how to
> get around it.  Apparently that was true because they went undetected for
> some time.  My question is, does anyone know more about this, and if so,
> does that then make TripWire obsolete already since the exploit is certain
> to have been spread by now?


Hacking for Girlies needed to know nothing more than what any system administrator knows about Tripwire... you must protect your database.  With the "free" open-source version this means keeping it and your policy file on read-only or removable media.  The whole concept of Tripwire is that you take a "snapshot" database, protect that database, and then check against it for changes.  Very simple, very effective.  If you were to leave the database on the system, and someone went root, they would have all the rights necessary to alter the database to match their changes (it's just a text file!).  This is what Route66 did.  No exploit, just user error.  You can imagine all of us here yelling at that article when they made that claim.

They presumably did this because they wanted to run Tripwire as a cron job and had too big of a database to fit onto a floppy or other readily available read-only media.  There are a number of ways to accomplish this, though without being overly commercial in this forum I will say that this is one major part of why there is a market for the commercial version of Tripwire: signed and obfuscated database and policy file among other enhancements.

I wouldn't consider any security installation safe without a Tripwire layer... but hey, I work here! ;-)

-Jon


~~~~~~~~~~~~~~~~~~~~~~~~~
Jon Speer
IS/Research Engineer
503.276.7578           

Tripwire Security Systems
1631 NW Thurman
Portland, OR 97209
877.TRIPWIRe
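
The point made in the message above, as an added example that is not part of the original message and is not Tripwire's code or database format: a baseline left writable on the host can be rewritten to match modified files, while a baseline authenticated against something kept off the host cannot. The JSON layout, the HMAC-SHA256 seal, the key and the sample file are all assumptions made for illustration.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(paths):
    """Baseline: map each monitored path to the SHA-256 of its contents."""
    db = {}
    for p in paths:
        with open(p, "rb") as fh:
            db[p] = hashlib.sha256(fh.read()).hexdigest()
    return db

def seal(db, key):
    """Serialize the baseline and MAC it; the key never lives on the host."""
    blob = json.dumps(db, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()

def check(paths, blob, tag, key):
    """Return (database_intact, changed_paths). Files are compared only
    after the database itself has been authenticated."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, []
    baseline, current = json.loads(blob), snapshot(paths)
    return True, sorted(p for p in paths if baseline.get(p) != current[p])

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    key = b"constructed-demo-key"  # assumption: kept on removable media
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "login")  # constructed sample file
        write(target, b"original binary")
        blob, tag = seal(snapshot([target]), key)
        results = {"clean": check([target], blob, tag, key)}
        write(target, b"modified binary")
        results["file_changed"] = check([target], blob, tag, key)
        # The on-host database is rewritten to match the modified file.
        forged = json.dumps(snapshot([target]), sort_keys=True).encode()
        # An unauthenticated comparison now reports no differences...
        results["naive_sees_change"] = json.loads(forged) != snapshot([target])
        # ...but the rewritten database no longer matches the off-host tag.
        results["forged_db"] = check([target], forged, tag, key)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The seal only helps if the key and the stored tag are unreachable from the monitored host, which is the same requirement as keeping the database itself on read-only or removable media.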

