Dailydave mailing list archives
RE: We have met the enemy, and the enemy is ... you.
From: "Mehta, Neel (ISS Atlanta)" <NMehta () iss net>
Date: Wed, 12 Apr 2006 19:11:04 -0400
I was personally involved in our competitive analysis of Determina's "memory firewall" product. We successfully compromised a system with Determina's product installed using a user-mode vanilla stack overflow in a core Windows service. Total time from first install to compromise: 3 hours. This is about typical and probably no surprise to anyone who has looked at similar products. You'll find that every HIPS-only system is going to be vulnerable to similar if not identical evasions.

I won't completely ruin the surprise, but the core of one of the weaknesses in their product is based around a lack of proper segmentation. I'm not entirely convinced it can be fixed without ruining performance.

This evasion is definitely not vapor-ware. When we talked to Determina and offered them information on this evasion, they actually refused and were uninterested in how we were bypassing their product. Ignorance is bliss?

I'll take this opportunity to once again invite anyone working for Determina to contact myself or ISS about this evasion.

Thanks,

-------------------------------------
Neel Mehta
Team Lead, X-Force R&D

-----Original Message-----
From: redsand [mailto:redsand () redsand net]
Sent: Tuesday, April 11, 2006 4:10 PM
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] We have met the enemy, and the enemy is ... you.

possibly an intriguing new sales tactic?

Nah, actually they were telling us of ISS's claims but that ISS has yet to show anything to prove them wrong. It's the salesforce "he said" "she said" shit.

On Tue, 2006-04-11 at 12:02 -0700, Ian Melven wrote:
> maybe a good way to start would be running julien's SLIPFEST tool...
>
> why on earth would a sales rep announce a competitor had an exploit for the product they were trying to sell you ?
>
> On 4/11/06, redsand <redsand () redsand net> wrote:
> > Black Security is also currently doing some audits on the Determina Software Suite. Nothing has come of it yet but hopefully some positive results will come out of our testing soon. Any information may/hopefully will make it to our blogs or a formal piece of documentation.
> >
> > In the sales meeting, a Determina rep even claimed that ISS had a hack for it but couldn't prove it.