Penetration Testing mailing list archives
Re: Political Analysis of Security Products
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 5 Feb 2002 13:17:13 -0500 (EST)
Marcus Ranum, if I recall correctly, has an outstanding reward for anyone with proof that fw-1 was ever backdoored by the Israelis; it has never been collected, nor has any evidence of such a backdoor ever really been offered up. It remains an unsubstantiated rumor, perhaps initiated by those competing with fw-1, years back.

An open backdoor should be able to be gleaned from port mapping techniques; the port has to be openly accessible for it to be used, yes? A review/audit of the code for the product might further provide evidence, but would require much more time as well as skill level <i.e. one would need to know C or C++ quite well, or whatever code base the application/device was written in>. An examination of the underlying OS, before and after install, if this is not a drop and place and configure blackbox device, might prove useful also. Most of the blackbox designs might prove hard to thoroughly audit from an OS/source perspective, as the owner/writers might not be too willing to provide particulars of their design.

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002 pentestlist () hushmail com wrote:
I have never seen anything like this on the list, so if it does not make it through I understand.

I have a very large client right now who is paying for a company wide (offices in 16 countries with 26 different networks) audit of their security infrastructure. Nothing really out of the ordinary here. What is different for us at least is this client has asked us to review their security products from a national security point of view. The case here is that they run or are evaluating several products from Israel and one from South Korea and want us to evaluate how likely it is that a sovereign state (in this case Israel or South Korea) may have manipulated these products in order to gain access to them remotely for their intel services.

I remember reading years ago discussions like this about Firewall-1 and for the most part nothing of interest ever came from it.

Does anyone have any evidence which can be publicly cited that something like this has ever happened? And does anyone here have any idea how we would go about performing a review like this without looking like conspiracy theorists?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
Current thread:
- Political Analysis of Security Products pentestlist (Feb 05)
- Re: Political Analysis of Security Products William D. Colburn (aka Schlake) (Feb 05)
- Re: Political Analysis of Security Products R. DuFresne (Feb 05)
- Re: Political Analysis of Security Products ed (Feb 05)
- Re: Political Analysis of Security Products Kurt Seifried (Feb 05)
- Re: Political Analysis of Security Products E (Feb 06)
- Re: Political Analysis of Security Products Charles 'core' Stevenson (Feb 05)
- Re: Political Analysis of Security Products Rainer Duffner (Feb 05)
- Re: Political Analysis of Security Products Patrick Oonk (Feb 06)
- Re: Political Analysis of Security Products yossarian (Feb 05)
- <Possible follow-ups>
- RE: Political Analysis of Security Products Brass, Phil (ISS Atlanta) (Feb 05)
- RE: Political Analysis of Security Products Moonen, Ralph (Feb 06)