Nmap Announce mailing list archives
Re: BlackICE and nmap
From: Fyodor <fyodor () insecure org>
Date: Wed, 24 May 2000 02:39:03 -0700 (PDT)
On Tue, 23 May 2000, Greg Thomas wrote:
> imagine what it's like in Paranoid. Anyhow, anybody have any way around BI? I'm curious if it's possible.
One way is to use BlackICE Pro itself to break into the system running it and then turn it off. Then install Back Orifice :). I hope you have updated to the latest version which has fixed the two serious security holes in ICEcap disclosed by rain.forest.puppy at CanSecWest ( http://www.wiretrip.net/rfp/p/doc.asp?id=52&iface=3 ). Are there more bugs like this? We have no idea! NetworkICE still refuses to let customers see the code, so who knows what it is doing or how carefully they programmed it. We have been in discussions with their executives, urging them to rethink this policy.

And source code access does matter. Even if *you* don't read the code, other people will and you will benefit from fixes to the holes they discover. For example, a couple weeks ago I downloaded an open source IDS called snort [1]. A quick source review turned up a serious vulnerability. I sent it to Marty and I'll bet he has a fixed version out by now. All the users benefit from those of us paranoid enough to read the code.

The people I know at NetworkICE are all very smart guys. But even the brightest, most security-minded folks can make mistakes. Witness the recent remote overflow in the L0pht's AntiSniff product. Because the research version is source-available (it is not Open Source [2]), users were able to find and fix both the main overflow and the error in the first official patch. As ESR says, "given enough eyeballs, all bugs are shallow" [3].

So we recommend that you carefully weigh the benefits against the security risks of installing this "mystery program" on your sensitive networks. I have no idea what that binary does, and neither will you unless they change their policy. I suspect we all remember the commercial Bindview "HackerShield" security scanner which had the side effect of creating a secret fully-privileged user with a known username and password [4]. Again, smart people made a disastrous mistake that would have been much easier to spot if the source had been available to paying customers.

For what it is worth, scanlogd [5] is the only port scan detector we would feel comfortable running on our own networks.

Cheers,
Fyodor

PS: Now would be a good time to fill out the Nmap survey at http://amy.insecure.org/nmap/nmap_survey.html :). Thanks to the 664 people who have already filled it out.

[1] http://www.snort.org/
[2] http://www.opensource.org/
[3] http://www.tuxedo.org/~esr/writings/cathedral-bazaar/
[4] http://www.nmrc.org/advise/hs.txt
[5] http://www.openwall.com/scanlogd/
Current thread:
- BlackICE and nmap Greg Thomas (May 23)
- Re: BlackICE and nmap Fyodor (May 24)
- RE: BlackICE and nmap Jay Freeman (saurik) (May 24)
- Re: BlackICE and nmap Archer (May 24)
- Re: BlackICE and nmap Matt (May 24)
- <Possible follow-ups>
- RE: BlackICE and nmap Patrick O Neil (May 25)
- Re: BlackICE and nmap Fyodor (May 24)