Full Disclosure mailing list archives

Re: [Snort-users] Snort and SourceFire "Backdoored"


From: Richard DeYoung <webmaster () verticept com>
Date: 21 Sep 2003 23:23:27 -0400

Now for a somewhat different perspective on the whole thing....

> I guess now that we have this incident validated as positively true from
> the main Snort/SourceFire IT person, it lends a lot of credibility to
> the Snort/SourceFire "backdoor" rumor.

Hmmm. So, "guess"+"validated"+"positively true"(vs "mostly true") ==
"credible" ???


> There have been lots of rumors on IRC that a few months ago, some of
> the PHC guys were able to compromise the snort CVS tree. Instead of creating
> a traditional backdoor in Snort/SourceFire (simply opening a rootshell
> on a specific port) they changed a lot of the code to introduce buffer
> overflows that didn't exist previously, and could be exploited at a later
> point in time. They changed a lot of the code to include strcpys where
> there were strncpys and such. This is a lot less noticeable than PHC's
> other open source security project trojan code inserts, such as the libpcap,
> dsniff, and sendmail compromises.

Given the fact that you heard the rumors of massive injections of
strcpy() into the main Snort CVS repository on an IRC channel and not
published to the community at large, what other sources do you cite in
order to arrive at your decision that this is a "credible" incident??


> Brian Caswell has said that Sourcefire did a major code audit after discovering
> this compromise, which I think is very cool of them.
> Code audits can be very expensive, and I'm sure SourceFire footed the
> bill.

Code audit after a system compromise; a prudent and effective way of
maintaining code integrity.

> But, the question remains, how long were all of us exposed?

Exposed?? You still haven't demonstrated that the "rumors" you heard
were, in fact, more than just rumors.


> And,
> why did we learn of all this from blackhats releasing a fake phrack,
> rather than from Snort/SourceFire?

Again, what did we supposedly learn from some bh's releasing a fake
phrack? I believe they've succeeded in demonstrating how quickly some
people claiming to be "in the IDS discipline" can be made to jump to
conclusions at the drop of a few "catch phrases" or half-truths.


> I find it highly disturbing that this is how the whole incident unfolded,
> as many Snort team members have ragged on the industry practice of hiding
> major security incidents in the past. Don't we Snort users have the right
> to know if our code has been trojaned and Snort/Sourcefire compromised?

Yes, you do.

That's why you download it in source code format, and not in
pre-compiled binaries such as those released by other companies "in the
industry". IDS is only the leading-edge (topologically speaking)
technical representation of a company's policy/process structure. As has
been said repeatedly, where you go from there is up to you.

> Maybe not, but the paying customers of SourceFire for sure do.
>
> Joey


Gee, it must suck to be the target of a Social engineering hack, eh ???


-- 
--Rick[at]Verticept
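The rumor quoted above describes a quiet weakening of bounded string calls into unbounded ones rather than an obvious backdoor. As an added example, not part of this post and not Snort or Sourcefire code, here is a small reviewer check over a unified diff that flags any hunk removing a bounded call (strncpy, strncat, snprintf) while adding its unbounded counterpart; the diff it scans is constructed for the example.

```python
import re

# Bounded string functions and the unbounded counterparts an edit might swap in.
BOUNDED_TO_UNBOUNDED = {"strncpy": "strcpy", "strncat": "strcat", "snprintf": "sprintf"}

# Constructed sample diff (not from any real repository): both hunks swap a bounded
# copy for its unbounded counterpart, which is what the check should report.
SAMPLE_DIFF = """\
--- a/decode.c
+++ b/decode.c
@@ -10,4 +10,4 @@
 void set_name(char *dst, const char *src)
 {
-    strncpy(dst, src, NAME_LEN - 1);
+    strcpy(dst, src);
 }
@@ -40,2 +40,2 @@
-    snprintf(buf, sizeof(buf), "%s", tag);
+    sprintf(buf, "%s", tag);
"""


def find_weakened_copies(diff_text):
    """Return (file, hunk header, bounded fn, unbounded fn) for each hunk that
    removes a call to a bounded function and adds its unbounded counterpart."""
    findings = []
    current_file, hunk_header = "?", None
    removed, added = [], []

    def flush():  # evaluate the hunk collected so far
        if hunk_header is None:
            return
        for bounded, unbounded in BOUNDED_TO_UNBOUNDED.items():
            lost = any(re.search(rf"\b{bounded}\s*\(", l) for l in removed)
            gained = any(re.search(rf"\b{unbounded}\s*\(", l) for l in added)
            if lost and gained:
                findings.append((current_file, hunk_header, bounded, unbounded))

    for line in diff_text.splitlines():
        if line.startswith("+++ "):  # file header, not an added line
            current_file = line[4:].strip()
        elif line.startswith("@@"):
            flush()
            hunk_header, removed, added = line, [], []
        elif line.startswith("-") and not line.startswith("--- "):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    flush()
    return findings
```

A hunk that merely edits a strncpy length argument is not reported, so the check targets the substitution itself rather than every touch of a string call.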
