Penetration Testing mailing list archives
Re: Political Analysis of Security Products
From: <ed () the7thbeer com>
Date: Tue, 5 Feb 2002 11:38:23 -0800 (PST)

Being systemically a paranoid people, a simple portscan would be highly unlikely to reveal a backdoor written into FW-1 by the Israelis. More insidious, and well discussed in certain circles, is the idea of "multiple triggers", wherein a seemingly benign application receives multiple triggers, each one inconsequential but retained and examined. When each trigger is in place and sent to the application in question, a master-key routine executes, thereby opening the backdoor. This is similar to symmetric split keys in one sense of having multiple pieces for the single key (or single trigger).

So you could nmap FW1 all you wanted, and still never find anything. A complete code review would be the only way to determine if such a vulnerability existed. Even then, a crafty coder could hide each trigger piece in seemingly benign ways.

If the paranoia of the client is that great, go with something homegrown, whose code CAN be audited and reviewed, IMHO.

===============================
Ed Mitchell (ed<-at->the7thbeer.com)
Finger for PGP public key
===============================
This boxen's uptime stats....
10:27am up 28 day(s), 57 min(s), 0 users, load average: 0.07, 0.05, 0.04

Inter Arma Enim Silent Leges - Marcus Tullius Cicero
In time of War, the law falls silent

On Tue, 5 Feb 2002, R. DuFresne wrote:

Marcus Ranum, if I recall correctly, has an outstanding reward for anyone with proof that fw-1 was ever backdoored by the Israelis, it has never been collected nor has any evidence of such a backdoor ever really been offered up. It remains an unsubstantiated rumor, perhaps initiated by those competing with fw-1, years back.

An open backdoor should be able to be gleaned from port mapping techniques, the port has to be openly accessible for it to be used, yes? A review/audit of the code for the product might further provide evidence, but, would require much more time as well as skill level <i.e. one would need to know C or C++ quite well, or whatever code base the application/device was written in>. An examination of the underlying OS, before and after install, if this is not a drop and place and configure blackbox device might prove useful also. Most of the blackbox designs might prove hard to thoroughly audit from an OS/source perspective as the owner/writers might not be too willing to provide particulars of their design.

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002 pentestlist () hushmail com wrote:

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/