Every computer science major has learned how to
leave a login Trojan Horse on a system. Before
logging off the system, the perpetrator starts a
program that displays a login prompt and waits
for a victim. The username and password entered
into the Trojan Horse are logged to a file or
mailed to a collecting account. Usually, the
Trojan Horse fakes some type of problem and
exits. The operating system then takes control
and displays the true login prompt. Most users
would assume that they had entered a password
incorrectly or that some other glitch occurred
in the system. Not surprisingly, this attack can
be very fruitful.

The temporary Trojan Horse
login succeeds because of a flaw in the login
authentication protocol described so far. The
user is required to authenticate to the
computer, but the login program is assumed to be
legitimate. To circumvent this problem, secure
operating systems provide a secure attention
key (SAK) sequence. The NT operating system
instructs the user to enter Ctrl-Alt-Del to
initiate a trusted path with the
operating system. Most UNIX systems also provide
a SAK. When this special key sequence is
pressed, the user is assured that a clean
environment is made available for login. For
example, the system will detach any processes
that are attached to or running on that
terminal. What happens to these processes
depends on the operating system implementation.
The net result is that there will not be a
chance for the previous user’s processes to act
as a login impostor.

A more serious threat is
replacement of the login program in the system
itself. This attack depends on circumventing the
system’s access control mechanisms because login
and other I&A routines are part of the TCB. A
hacker who manages to install a permanent login
Trojan Horse can gain multiple username and
password pairs. It is unlikely that only the
login program was replaced. Trojan Horse
versions of other security enforcing programs
are certain to be found as well.