Penetration Testing mailing list archives

RE: Political Analysis of Security Products


From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Tue, 5 Feb 2002 16:47:19 -0500

It is possible to identify some of these backdoors using flow analysis - for
example, detecting ICMP traffic with unused control codes, or in the case of
Loki (an ICMP covert channel backdoor documented in Phrack) detecting
asymmetric ping payloads.  My colleague Tim Farley first explained this idea
to me.

The other is, source code audit is only valid if they show you all the
source code.  If they show you source code, and then they sell you a box
with their object code on it, you have no real way to verify that the source
code you saw was used to create the object code on the box you received.
Even if they sit you down and show you the compiler compiling their source
code and put the object code on the box, the compiler program or even the
file copying program could be trojaned to link in the backdoor.  While this
may seem extreme, it is not the kind of thing I would put past an
intelligence agency.

When national security is at stake, it may be best to have an in-house or at
least national solution because, even though it may not be best of breed, at
least you trust the engineers to be patriots.  

I wonder if there are any Japanese supercomputers (in production use) at
NSA?

Phil



-----Original Message-----
From: Kurt Seifried [mailto:bugtraq () seifried net]
Sent: Tuesday, February 05, 2002 2:16 PM
To: R. DuFresne; pentestlist () hushmail com
Cc: pen-test () securityfocus com
Subject: Re: Political Analysis of Security Products


Open port, to accept packets? No. It's a firewall. Hint: it already sees all
the network traffic. You can easily add a backdoor to a product like that to
(for example) take ICMP packets of a special type not often used (say type
40) and if they meet a special checksum/md5hash with secret you decrypt the
contents and carry out those instructions. There are some examples of this,
icmp backdoors, and the like for various UNIX systems. The only way to find
stuff like this is a source code audit.


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
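The flow-analysis checks Phil describes (ICMP types nobody normally uses, and
echo request/reply pairs whose payloads do not match, as in Loki) and the
rarely used type-40 channel Kurt mentions, written out as a small detector.
This is an added example, not code from either poster; the record format, the
expected-type allowlist and the sample traffic are all constructed assumptions.

```python
from collections import namedtuple

# One ICMP datagram as a flow analyser might record it (constructed format).
Icmp = namedtuple("Icmp", "src dst type code ident seq payload")

# ICMP types this (assumed) policy expects on a normal network; anything else
# is flagged. Type 40 is the rarely used type Kurt gives as his example.
EXPECTED_TYPES = {0, 3, 8, 11, 12}
ECHO_REPLY, ECHO_REQUEST = 0, 8

def unused_type_findings(records):
    """Flag datagrams whose ICMP type is outside the expected set."""
    return [f"{r.src}->{r.dst} icmp type {r.type} code {r.code} not in expected set"
            for r in records if r.type not in EXPECTED_TYPES]

def asymmetric_ping_findings(records):
    """Pair echo requests with replies by (requester, responder, id, seq) and
    flag pairs whose payloads differ. RFC 792 says an echo reply must return
    the request's data unchanged, so a mismatch points at a covert channel."""
    requests = {}
    findings = []
    for r in records:
        if r.type == ECHO_REQUEST:
            requests[(r.src, r.dst, r.ident, r.seq)] = r.payload
        elif r.type == ECHO_REPLY:
            key = (r.dst, r.src, r.ident, r.seq)   # reverse the direction
            if key in requests and requests[key] != r.payload:
                findings.append(f"{r.dst}<->{r.src} id={r.ident} seq={r.seq} "
                                "echo reply payload differs from request")
    return findings

def analyze(records):
    """Run both checks over a list of Icmp records and return the findings."""
    return unused_type_findings(records) + asymmetric_ping_findings(records)

# Constructed sample traffic: a normal ping pair, one type-40 datagram, and a
# request/reply pair whose payloads differ.
SAMPLE = [
    Icmp("10.0.0.5", "10.0.0.1", 8, 0, 0x1234, 1, b"abcdefgh"),
    Icmp("10.0.0.1", "10.0.0.5", 0, 0, 0x1234, 1, b"abcdefgh"),
    Icmp("203.0.113.9", "10.0.0.1", 40, 0, 0, 0, b"\x00\x10opaque-blob"),
    Icmp("10.0.0.5", "10.0.0.1", 8, 0, 0x1234, 2, b"request-data"),
    Icmp("10.0.0.1", "10.0.0.5", 0, 0, 0x1234, 2, b"different-reply"),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print(line)
```

On the sample above the detector reports exactly two findings: the type-40
datagram and the seq=2 echo pair; the ordinary ping pair is silent.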





----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



