Tuesday, June 24, 2008

learning from the past

saw this post on the agnitum blog about how an older version of their technology was being detected as a stealthkit... basically they were keeping integrity information about files that had been previously scanned to optimize future scanning (no need to scan a file that hasn't changed) and hiding that integrity information using all too familiar means...

it reminded me of two things - first is yisrael radai's nearly 15-year-old paper on integrity checking (due to his conclusion that to truly protect integrity information from attack it must be stored offline) and the second is the witch hunt that resulted from the misguided redefinition of rootkit to be anything that hides things (which has already dinged other security vendors - especially kaspersky for remarkably similar reasons)...
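to make the two points above concrete, here is a small added example (my own illustration, not agnitum's code and not anything from radai's paper): a scanner that caches a hash and verdict per file so unchanged files are skipped on later passes, and that seals the cache with an hmac under a key the scanned host never stores. the "scan" is a placeholder that just looks for a constructed marker string, the key and file names are constructed for the demo, and a real optimizer would typically use cheaper change indicators (size, modification time) rather than a full hash on every pass.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Placeholder detection logic for the demo: a file is "bad" if it contains
# this constructed marker. A real scanner's engine goes here instead.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def scan_file(path):
    """Return True if the file looks bad (placeholder engine)."""
    with open(path, "rb") as f:
        return MARKER in f.read()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class IntegrityCache:
    """Hash + verdict for every file already scanned.

    Hiding this file on disk (the approach that got flagged as a stealthkit)
    does not stop anyone with write access from editing it. Sealing it with
    an HMAC whose key lives off the host means a modified cache is rejected
    and a full rescan is forced, which is the 'store it offline' point."""

    def __init__(self, key):
        self.key = key
        self.entries = {}  # path -> {"sha256": hex digest, "clean": bool}

    def serialize(self):
        body = json.dumps(self.entries, sort_keys=True)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "tag": tag})

    @classmethod
    def load(cls, blob, key):
        obj = json.loads(blob)
        expected = hmac.new(key, obj["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, obj["tag"]):
            raise ValueError("integrity cache was modified; rescan everything")
        cache = cls(key)
        cache.entries = json.loads(obj["body"])
        return cache


def scan_tree(root, cache):
    """Scan every file under root, reusing cached verdicts for unchanged files.

    Returns (verdicts: path -> clean?, rescanned: list of paths actually scanned)."""
    verdicts, rescanned = {}, []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            entry = cache.entries.get(path)
            if entry and entry["sha256"] == digest:
                verdicts[path] = entry["clean"]  # unchanged: skip the engine
                continue
            clean = not scan_file(path)
            cache.entries[path] = {"sha256": digest, "clean": clean}
            verdicts[path] = clean
            rescanned.append(path)
    return verdicts, rescanned


def demo(key=b"constructed-demo-key-kept-off-host"):
    """Walk through the cache behaviour on constructed files; returns the observations."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        notes = os.path.join(root, "notes.txt")
        dropper = os.path.join(root, "dropper.bin")
        with open(notes, "wb") as f:
            f.write(b"nothing to see here\n")
        with open(dropper, "wb") as f:
            f.write(b"harmless at first\n")

        cache = IntegrityCache(key)
        _, first = scan_tree(root, cache)
        results["first_rescanned"] = len(first)      # both files scanned
        _, second = scan_tree(root, cache)
        results["second_rescanned"] = len(second)    # nothing changed: 0

        with open(dropper, "ab") as f:               # file changes on disk
            f.write(MARKER)
        verdicts, third = scan_tree(root, cache)
        results["third_rescanned"] = len(third)      # only the changed file
        results["dropper_flagged"] = not verdicts[dropper]

        # Simulate an edited cache file that marks the dropper clean.
        blob = cache.serialize()
        obj = json.loads(blob)
        entries = json.loads(obj["body"])
        entries[dropper]["clean"] = True
        obj["body"] = json.dumps(entries, sort_keys=True)
        try:
            IntegrityCache.load(json.dumps(obj), key)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True
        results["roundtrip_ok"] = IntegrityCache.load(blob, key).entries == cache.entries
    return results


if __name__ == "__main__":
    print(demo())
```

the catch, and it is radai's catch, is the key: if it sits on the same host with the cache, whoever can rewrite the cache can recompute the tag, so the seal only means something when the key (or the whole cache) is held somewhere the scanned system cannot reach.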

as the saying goes - those who cannot remember the past are condemned to repeat it...