Nmap Announce mailing list archives

Re: BlackICE and nmap

From: Fyodor <fyodor () insecure org>
Date: Wed, 24 May 2000 02:39:03 -0700 (PDT)

On Tue, 23 May 2000, Greg Thomas wrote:

> imagine what it's like in Paranoid. Anyhow, anybody
> have any way around BI? I'm curious if it's possible.

One way is to use BlackICE Pro itself to break into the system running it
and then turn it off.  Then install Back Orifice :).  I hope you have
updated to the latest version which has fixed the two serious security
holes in ICEcap disclosed by rain.forest.puppy at CanSecWest (
http://www.wiretrip.net/rfp/p/doc.asp?id=52&iface=3 ).

Are there more bugs like this?  We have no idea!  NetworkICE still refuses
to let customers see the code, so who knows what it is doing or how
carefully they programmed it.  We have been in discussions with their
executives, urging them to rethink this policy.  

And source code access does matter.  Even if *you* don't read the code,
other people will and you will benefit from fixes to the holes they
discover.  For example, a couple weeks ago I downloaded an open source IDS
called snort [1].  A quick source review turned up a serious
vulnerability.  I sent it to Marty and I'll bet he has a fixed version out
by now.  All the users benefit from those of us paranoid enough to read
the code.

The people I know at NetworkICE are all very smart guys.  But even the
brightest, most security-minded folks can make mistakes.  Witness the
recent remote overflow in the L0pht's AntiSniff product. Because the
research version is source-available (it is not Open Source [2]), users
were able to find and fix both the main overflow and the error in the
first official patch.  As ESR says, "given enough eyeballs, all bugs
are shallow" [3].

So we recommend that you carefully weigh the benefits against the
security risks of installing this "mystery program" on your sensitive
networks.  I have no idea what that binary does, and neither will you
unless they change their policy.  I suspect we all remember the
commercial Bindview "HackerShield" security scanner which had the side
effect of creating a secret fully-privileged user with a known username
and password [4].  Again, smart people made a disastrous mistake that
would have been much easier to spot if the source had been available to
paying customers.

For what it is worth, scanlogd [5] is the only port scan detector we would
feel comfortable running on our own networks.

Cheers,
Fyodor

PS:  Now would be a good time to fill out the Nmap survey at
http://amy.insecure.org/nmap/nmap_survey.html :).  Thanks to the 664
people who have already filled it out.

[1] http://www.snort.org/
[2] http://www.opensource.org/
[3] http://www.tuxedo.org/~esr/writings/cathedral-bazaar/
[4] http://www.nmrc.org/advise/hs.txt
[5] http://www.openwall.com/scanlogd/
