Re: Political Analysis of Security Products

From: E (j46@btinternet.com)
Date: 02/06/02


Date: Wed, 06 Feb 2002 14:33:03 +0000
From: E <j46@btinternet.com>
To: pen-test@securityfocus.com

Packet based triggers would stand out like a sore thumb in any properly
monitored
network. Something like that would have been discovered a long time ago. (That
is
an amateur way to backdoor something. This is Checkpoint we are talking about
here,
not linux hackers playschool group...)
Especially if you use an abnormal packet (abnormal doesnt always mean IDS
will miss it, and against a background pattern of "normal" traffic, something
like a
type 40 ICMP would look very suspicious) The chances are in a sophisticated
piece
of software like FW-1, a backdoor would be _properly_ hidden.

 It has occured to me that a much more insidious way to backdoor high profile
software is to intentionally write remotely exploitable bugs into the code.
This could go undetected for a very long time in closed source software, with
the authors being aware of the hole long before the public security community
discovers it. (if it ever discovers it)
 When the bug is discovered by the public, the immediate reaction is to just
assume its down to sloppy coding - vendor is informed, patches etc released.
This is all very well for open source products - but with closed source, you
have
no idea how many more such holes could be engineered in.
 The only problem with this idea is that a company who produces commercial
security software does NOT want to have bugs discovered in its code, it is
against its interest, because a remote security flaw doesnt do much for their
reputation. On the other hand,when you have a big company whos software
regularly has security issues, these become the norm and noone questions
it when a new one appears.

Frankly, you just cant trust closed source security products. This is like
asking someone to install a home-made alarm in your house, without knowing if
they
are a convicted thief...Its a question of trust, and if you dont trust it, dont
use it.

Kurt Seifried wrote:

> Open port, to accept packets? No. It's a firewall. Hint: it already sees all
> the network traffic. You can easily add a backdoor to a product like that to
> (for exmaple) take ICMP packets of a special type not often used (say type
> 40) and if they meet a special checksum/md5hash with secret you decrupt the
> contents and carry out those instructions. There are some examples of this,
> icmp backdoors, and the like for various UNIX systems. The only way to find
> stuff like this is a source code audit.
>
> Kurt Seifried, kurt@seifried.org
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/