Re: security enforcement - new monitor for winnt
From: SecurIT Informatique Inc. (securit_at_IQUEBEC.COM)
Date: 04/01/04
Date: Thu, 1 Apr 2004 01:28:22 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
At 12:30 PM 30/03/2004, http-equiv@excite.com wrote:
><!--
>
>afaik, i can stop ie 0day exploits by doing these things.
>
>so, i made this:
>
>http://umbrella.name/winblox/
>
>of course, free.
>
>-->
>
>This is fantastic. A truly useful effort for the benefit of the
>so-called "security community". And free. And from a security
>expert who actually finds new and imaginative full and complete
>remote compromises and other goodies against the ubiquitous mass
>produced products from 'Microsoft'. Perhaps others out there
>can contribute to Liu Die Yu's most generous efforts and develop
>this free utility even further for the good of the so-
>called "security community". There really is no need for anyone
>to spend a nickel to achieve any of this. For example, securing
>the 'My Computer' zone requires nothing more than a .reg entry
>to allow the same security settings in Internet Explorer to be
>revealed; there's even a 'Microsoft' KB article showing how to
>do that. For free!:
>
>
>http://support.microsoft.com/?kbid=315933
Well, then you may be interested to take a look at some of the things I've
done. I've spent the last four years or so trying to see how to improve
the security in Microsoft products, and writing papers and developing
tools on this subject. Although I've made a commercial spin-off of almost
all the tools I've made, I still keep an Open Source active as I believe it
would be a disservice to the said "community" to keep it under wraps.
I've focused heavily on intrusion detection lately, both by making new HIDS
modules and by making log monitoring/analyzing agents and consoles (there's
one console out already, and I have another one that will be released
shortly). In my SITDk 1.0 (SécurIT Intrusion Detection Toolkit), I have
one module called LogProc that focuses on the same thing as winblox, that is,
running processes. LogProc currently reports only on invalid
items; it does no blocking yet, although that is planned for the future. I
will use the same technique, that is, hooking a kernel system call to filter
anything that will run on the machine. The reason it does not do so yet is
because of the implications of this kind of kernel hooking and blocking; I want
the tool to mature a bit before giving it the keys to the castle.
I also think that it is about time that security researchers start to use
the same tricks that the black hats are playing on us to hide their tools,
if we are ever to take a lead in this race, like hooking kernel calls to
filter possible malware from execution. Another such example would be my
ComLog, which is a command prompt keylogger that wraps around the real
command prompt. In other words, it is technically a trojan, but when
applied by a network admin, it actually helps him have a session
history of any crack attempts made via this vector, even on an encrypted
connection. Another example would be an admin using BackOrifice instead of
PCAnywhere to do his remote management.
Take some time to look at the tools available at
http://securit.iquebec.com/, I think you will find some interesting things
there to satisfy your needs in innovative Open Source security software.
Thanks for your time,
Adam Richard
SécurIT Informatique Inc.
-----
NTBugtraq Editor's Note:
Wondering how to unsubscribe from NTBugtraq? Just send a message to Listserv@listserv.ntbugtraq.com with unsubscribe ntbugtraq in the message body, you don't need a subject line. If it says you aren't subscribed, you've either subscribed with a different email address or your address has changed somehow. Just email Russ.Cooper@rc.on.ca and I'll remove you.
-----