Re: (NIS/NPF) Event log and other issues.
From: Joseph V. Morris (jvmorris@erols.com)
Date: 06/28/02
- In reply to: Tack: "(NIS/NPF) Event log and other issues."
From: "Joseph V. Morris" <jvmorris@erols.com> Date: Fri, 28 Jun 2002 11:49:41 -0400
Tack,
"Tack" <nospam@tack.flyer.co.uk> wrote in message
news:MPG.1785dce9856069749896c7@news.cis.dfn.de...
| A definite security risk concerning the Event Log and un-encrypted
| passwords.
| (begin link 1)
| http://servicenews.symantec.com/cgi-
| bin/displayArticle.cgi?group=symantec.support.win9x.nis2002.general&
| article=35563
| (end link 1)
Don't you just hate those links? That's one thing they really ought to
fix. However, I've gone over and looked at their responses. I will spare
you my normal editorial comments on the quality of Symantec tech support
(think I've just put those into this newsgroup the other day, as a matter
of fact).
However, I note one glaring omission from the correspondence: They never
asked you to cut and paste an example of this event in the Privacy tab!
(Well, I'd obviously expect you to fudge up the password itself, but
still... it's sort of difficult for them to be offering advice without
knowing for sure what you're actually seeing.) So, how 'bout we do that
here? Find an event in the Privacy tab representing this effect and cut
and paste it into a reply (taking care to obfuscate your REAL password in
the process).
I'm rather curious about how this is happening on your machine, because it
isn't happening on any of mine -- and that includes Win 98 SE, Win ME, Win
2000 Pro and Win XP.
Incidentally, are you getting a pop-up alert at the time this event is
getting recorded in the Privacy Tab? You should be.
And, you're absolutely positive (i.e., you actually checked) that your
password is NOT in the 'Confidential Info' list?
| and...
|
| My concerns about the ability of NMain.exe to connect to internet
| unhindered in certain instances.
|
| (begin link 2)
| http://servicenews.symantec.com/cgi-
| bin/displayArticle.cgi?product=nis&mini_version=nis_2002&button=&tpr
| e=sg&article=<1020512233919.8529196516@servicenews.symantec.com>&gro
| up=symantec.support.win9x.nis2002.general
| (end link 2)
Well, I can't find this second link at all . . . .
Did they ask you to document any rules in your firewall ruleset relating
to NMain.exe? (Use Albert Janssen's NIS Rules Viewer to do this.)
Did they ask you to document any firewall log events in which you found
NMain.exe actually doing a connect? (Use Sven Schaefer's Rules Viewer to
find and document such events quickly.)
And, do you realize that NMAIN.EXE isn't NIS, at all? It's the so-called
Norton Integrator that allows a common user interface for NIS, NAV, NSW,
and NU. This is an XML application (more's the pity because it's really
slow and awkward), so it _will_ show up as being an Internet-enabled
application.
| I won't pretend to know anything about the abilities of some
| Trojans, but couldn't it be possible for one to replace NMain.exe
| with a different program with the same name and then that program to
| access the internet bypassing NPF?
Well, it's possible but unlikely. Just duplicating the name isn't going
to cut it. It's got to have the same SHA1 hash as authorized in an
_existing_ PERMIT rule for nmain.exe. That's a bit of a tall order. I
haven't yet seen a documented exploit that can dupe the SHA1 hash, but
I'll acknowledge that it's certainly theoretically possible. (There _is_
a demonstrated exploit for the MD5 hash used by most of the other personal
software firewalls, incidentally -- but it ain't easy to beat that one
either!)
--
Regards,
Joseph V. Morris
jvmorris@erols.com
ICQ #29438199
This is a NEWSGROUP message; except for privacy reasons, please respond
therein; an e-mail COPY is always appreciated, of course.
Almost all electrons used in the creation of this message were recycled.
No electrons used in the production of this message were harmed or
mistreated in any manner.
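
Added example, not part of the original post and not Symantec's code: a minimal Python sketch of the point made above, that a PERMIT rule pinned to a SHA1 hash stops matching once a same-named file with different contents takes the original's place. The rule format, the decision strings and the file contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_sha1(path):
    """SHA1 of the file contents, read in chunks; the file name plays no part."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_permit_rule(path):
    # Hypothetical rule record: name plus the hash at the time the rule was approved.
    return {"name": os.path.basename(path).lower(),
            "sha1": file_sha1(path),
            "action": "PERMIT"}


def decide(path, rules):
    """Apply a rule only when both the name and the current hash match it."""
    name = os.path.basename(path).lower()
    digest = file_sha1(path)
    for rule in rules:
        if rule["name"] == name:
            if rule["sha1"] == digest:
                return rule["action"]
            return "BLOCK (hash mismatch)"  # same name, different contents
    return "PROMPT (no rule)"


def demo():
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "NMain.exe")
        with open(exe, "wb") as f:
            f.write(b"constructed stand-in for the original binary")
        rules = [make_permit_rule(exe)]
        before = decide(exe, rules)
        # Same path and name, different bytes: the existing rule no longer applies.
        with open(exe, "wb") as f:
            f.write(b"constructed stand-in for a replaced binary")
        after = decide(exe, rules)
        other = os.path.join(d, "other.exe")
        with open(other, "wb") as f:
            f.write(b"constructed program with no rule")
        return before, after, decide(other, rules)


if __name__ == "__main__":
    print(demo())
```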