Intrusion detection team denies Trojan claim

[InfoSec News <isn () c4i org>]

http://news.zdnet.co.uk/0,39020330,39116542,00.htm

Patrick Gray
ZDNet Australia
September 22, 2003

The author of Snort, an open-source Intrusion Detection System (IDS),
Martin Roesch, has dismissed as untrue claims the software was
'trojaned' by attackers.

Roesch, who is also the chief technology officer of US-based IDS
company Sourcefire, moved quickly to quell rumours in the security
community that a hacking group had managed to insert back-door code
into the Snort source-code repository.

"There is no back door in Snort nor has there ever been, everyone can
relax," Roesch wrote in a posting to the full disclosure security
mailing list.

Attackers had breached one of Roesch's systems, he admits, but that
was a low-security shell server -- used by members of the Snort team
and their associates to access services such as IRC without exposing
their own machines to risk -- located in his basement, 37km away from
the Snort code repository.

"If you're wondering 'how do you know the code isn't backdoored?',
since we know that that server is an 'at risk' server, we're not in
the habit of checking code into [the Snort code repository] from
there. If that's not good enough for you, Snort has been through three
code audits since March -- one Sourcefire internal, two third-party
external -- and there are most definitively no back doors in the code,
nor were there any," Roesch added.

Trojans have been found in several open-source projects over the last
year, including those found in Sendmail and OpenSSH. Malicious code
was also found in the libpcap and tcpdump libraries -- software which
is required by the Snort IDS to operate.

Australian security consultant Daniel Lewkovitz says that the mere
fact that a rumour like this could turn out to be true, even though it
looks unlikely in this case, means the issue at least warrants
discussion. "A lot of threats haven't changed that much, but what has
changed is normal people's awareness and attitudes to it. I think
anything that makes people more aware of relevant issues and relevant
threats a good thing," he told ZDNet Australia.

There's nothing necessarily wrong with listening to a rumour so you
can check it out for yourself, Lewkovitz says, as long as the source
of the rumour is at least somewhat credible. "If there was a threat
I'd want to know about it," he said. "If it came from a reliable
source I'd be much more likely to give it credence than the paranoid
rants of tin-foil-hat-wearing conspiracy theorists."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.