Nmap Announce mailing list archives
RE: BlackICE and nmap
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Wed, 24 May 2000 10:59:46 -0500
Might also want to take a look at another open source project, Psionic PortSentry <http://www.psionic.com/abacus/portsentry/>. Detects various kinds of scans (including nmap's FIN, X-MAS, and NULL scans), and can run external programs so the user can do something about the scan (I have a script that pages me with all the related information, and then lets PortSentry firewall off the IP address (to both minimize information gain and to hopefully provide some protection), of course with a file to ignore various IP addresses from the firewalling procedure in case of a denial of service attempt).

Sincerely,
Jay Freeman (saurik)
saurik () saurik com

-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org]
Sent: Wednesday, May 24, 2000 4:39 AM
To: Greg Thomas
Cc: nmap-hackers () insecure org
Subject: Re: BlackICE and nmap

On Tue, 23 May 2000, Greg Thomas wrote:
> imagine what it's like in Paranoid. Anyhow, anybody have any way around BI? I'm curious if it's possible.
One way is to use BlackICE Pro itself to break into the system running it and then turn it off. Then install Back Orifice :). I hope you have updated to the latest version which has fixed the two serious security holes in ICEcap disclosed by rain.forest.puppy at CanSecWest (http://www.wiretrip.net/rfp/p/doc.asp?id=52&iface=3).

Are there more bugs like this? We have no idea! NetworkICE still refuses to let customers see the code, so who knows what it is doing or how carefully they programmed it. We have been in discussions with their executives, urging them to rethink this policy.

And source code access does matter. Even if *you* don't read the code, other people will and you will benefit from fixes to the holes they discover. For example, a couple weeks ago I downloaded an open source IDS called snort [1]. A quick source review turned up a serious vulnerability. I sent it to Marty and I'll bet he has a fixed version out by now. All the users benefit from those of us paranoid enough to read the code.

The people I know at NetworkICE are all very smart guys. But even the brightest, most security-minded folks can make mistakes. Witness the recent remote overflow in the L0pht's AntiSniff product. Because the research version is source-available (it is not Open Source [2]), users were able to find and fix both the main overflow and the error in the first official patch. As ESR says, "given enough eyeballs, all bugs are shallow" [3].

So we recommend that you carefully weigh the benefits against the security risks of installing this "mystery program" on your sensitive networks. I have no idea what that binary does, and neither will you unless they change their policy. I suspect we all remember the commercial Bindview "HackerShield" security scanner which had the side effect of creating a secret fully-privileged user with a known username and password [4]. Again, smart people made a disastrous mistake that would have been much easier to spot if the source had been available to paying customers.

For what it is worth, scanlogd [5] is the only port scan detector we would feel comfortable running on our own networks.

Cheers,
Fyodor

PS: Now would be a good time to fill out the Nmap survey at http://amy.insecure.org/nmap/nmap_survey.html :). Thanks to the 664 people who have already filled it out.

[1] http://www.snort.org/
[2] http://www.opensource.org/
[3] http://www.tuxedo.org/~esr/writings/cathedral-bazaar/
[4] http://www.nmrc.org/advise/hs.txt
[5] http://www.openwall.com/scanlogd/

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
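The detect-then-respond loop Jay describes above (classify FIN, X-MAS and NULL flag combinations per source, page the operator, hand the source to the firewall, but consult an ignore file first so that spoofed probes cannot be used to get a gateway or other legitimate host blocked) is shown below as a small script. This is an added example written for this archive page; it is not PortSentry's code or anything posted in the thread. The log record format, the two-port threshold, the addresses and the ignore file contents are all constructed for the demonstration.

```python
"""Added example: a minimal FIN/XMAS/NULL scan detector with an ignore list.

Not PortSentry's code. Input lines use a constructed, simplified
"src dst:port flags" record; flags use tcpdump-style letters
(F, S, P, U, A, R) and "-" means no flags set at all.
"""
from collections import defaultdict

# Constructed sample traffic (RFC 5737 documentation addresses only).
SAMPLE_LOG = """\
198.51.100.7   192.0.2.10:22  F
198.51.100.7   192.0.2.10:23  F
198.51.100.7   192.0.2.10:25  F
203.0.113.9    192.0.2.10:80  FPU
203.0.113.9    192.0.2.10:443 FPU
192.0.2.1      192.0.2.10:110 -
192.0.2.1      192.0.2.10:143 -
198.51.100.20  192.0.2.10:80  S
198.51.100.20  192.0.2.10:80  PA
"""

# Hypothetical equivalent of PortSentry's ignore file: hosts that must never
# be firewalled off, so a spoofed scan cannot turn the responder into a DoS.
IGNORE_FILE = """\
# constructed ignore list: the default gateway
192.0.2.1
"""


def load_ignore(text):
    """Parse an ignore file: one address per line, '#' comments allowed."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.add(line)
    return hosts


def classify_flags(flags):
    """Map a TCP flag string to the stealth-scan type it matches, else None."""
    present = set() if flags == "-" else set(flags)
    if not present:
        return "NULL"          # no flags at all
    if present == {"F"}:
        return "FIN"           # FIN alone, without ACK
    if present == {"F", "P", "U"}:
        return "XMAS"          # FIN+PSH+URG "lit up" combination
    return None                # ordinary traffic (SYN, ACK, PSH-ACK, ...)


def parse_line(line):
    src, dst, flags = line.split()
    host, port = dst.rsplit(":", 1)
    return src, host, int(port), flags


def analyze(log_text, ignore, threshold=2):
    """Return (alerts, block, skipped).

    alerts  : (src, scan_type, sorted ports) for every source that probed at
              least `threshold` distinct ports with one stealth-scan type
    block   : sources to hand to the firewall
    skipped : alerted sources spared because they are on the ignore list
    """
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _host, port, flags = parse_line(line)
        kind = classify_flags(flags)
        if kind is not None:
            hits[src][kind].add(port)

    alerts, block, skipped = [], [], []
    for src, kinds in hits.items():
        for kind, ports in kinds.items():
            if len(ports) >= threshold:
                alerts.append((src, kind, sorted(ports)))
                (skipped if src in ignore else block).append(src)
    return alerts, sorted(set(block)), sorted(set(skipped))


def page_message(alerts):
    """One summary line per alert, the text a pager script would send."""
    return [f"{kind} scan from {src}: ports {','.join(map(str, ports))}"
            for src, kind, ports in alerts]


if __name__ == "__main__":
    alerts, block, skipped = analyze(SAMPLE_LOG, load_ignore(IGNORE_FILE))
    for msg in page_message(alerts):
        print("PAGE:", msg)
    print("firewall off:", block)
    print("ignored (would otherwise be blocked):", skipped)
```

Two design points mirror the message above: the ignore check is applied only at the response step, so an ignored host still produces a page (you want to know that the gateway address appeared in a NULL scan, since that usually means spoofing), and a single stray packet never triggers a block, because a threshold of distinct ports per scan type keeps one misclassified segment from firewalling a real client.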
Current thread:
- BlackICE and nmap Greg Thomas (May 23)
- Re: BlackICE and nmap Fyodor (May 24)
- RE: BlackICE and nmap Jay Freeman (saurik) (May 24)
- Re: BlackICE and nmap Archer (May 24)
- Re: BlackICE and nmap Matt (May 24)
- <Possible follow-ups>
- RE: BlackICE and nmap Patrick O Neil (May 25)
- Re: BlackICE and nmap Fyodor (May 24)