Re: Any personal Intrusion Detection Systems

From: Jack <tekctrl@earthlink.net>
Date: Sun, 18 Aug 2002 18:32:52 GMT

"Joseph V. Morris" wrote:
<clipped for brevity>

> As I suspect you already know, there is no one (or even two)
> security-related products that are absolutely _guaranteed_ to protect one
> from all exploits. (Never mind what the marketeers would have you
> believe.) I presume that was the fundamental point you were trying to get
> across. BI won't do it; NIS/NPF won't do it; the combination won't do it
> (nor will anything else).

You're right on about marketeers' hype vs the reality of the 'net. The only
guaranteed "safe hex" is Abstinence, and I think that's just a bit extreme
(aside from handing victory to the black-hats).

> | . . . . If I hadn't been reviewing my
> | system logs I'd have never known. Ended up finding new files, changed
> | permissions, and other unhappy things on my HD. . . .
>
> Now, THAT's interesting! Would you care to elaborate a bit more? I'm
> sure that there are some here that have no idea what you mean by "system
> logs" and could profit from some elaboration. From what little you've
> said so far, I surmise that you are using Win NT/2K/XP, at a minimum.
>
> | . . . . When I asked BI Support about
> | this, their response was something in the vein of "it can't happen, so
> | you must be mistaken". . . .
>
> Common problem. There are many vulnerabilities; there are many exploits.
> So far, and for the foreseeable future, we are unlikely to have a
> 'security' product from _any_ vendor that addresses all of them. Now, as
> for BI Support, well . . . what do they actually KNOW about? Simple, they
> only 'know' about the specific threats, vulnerabilities, and exploits that
> BI is 'designed' to confront. They, in all probability, know _absolutely_
> nothing about anything else. I presume this is not a fantastic
> revelation. "Support" staff are probably the least technically
> knowledgeable of anyone (other than the marketeers) employed by _any_ of
> the security product vendors. (Indeed, why do you think all the NNTP and
> UBB forums dedicated to security do such a flourishing business?)

LOL ... you're right on again about clueless "support desk" techs. The last
one that I talked with, about their hardware, I had to explain some Really
Basic concepts to him (duh ... "what's the diff between packet based and
stateful firewalling?"). As a long time support person myself, I find it
disheartening to see so many clueless people in the field lately.

> | . . . . Now I didn't put those files there, and I didn't change the
> | file/folder permissions to make them un-deletable. As best as I can
> | tell, the intruder did a stack overflow that usually works for SQL
> | (even though I don't run SQL), somehow logged as me, somehow upgraded
> | their privileges (though the security log shows the attempts, it
> | doesn't show any successful changes), then had a field day.
>
> Ummm, you got Access installed on any of these boxes? Maybe Visual Basic
> or Visual Studio? Maybe you _do_ have the MSDE installed and simply
> haven't realized it? (Just a thought, and at this point I can't even tell
> if it's relevant to what you've experienced.)

No, no and no. There was _nothing_ installed on the gateway machine that was
hacked that wasn't required to be there. It had the OS, a well known firewall
(set to Paranoid), a reasonably good AV app... no user apps, no DBs, no
"utility" apps with open ports, etc., that I was aware of.

After-action activities included checking for trojans, sniffers and other junk,
and found nothing, so "idunno".

Just don't want anyone to get the idea that there's a "perfect fix" or one
single app or preventive measure that's guaranteed to secure against getting
successfully hacked. It just ain't so. If you're on the 'net, you're gonna
get burned occasionally. Take preventive measures as best as you're able,
learn to recognize unusual events and to take appropriate action, and learn to
live with the inconvenience involved.

Newbies, you wouldn't ask your doctor for a magic pill to protect you from the
flu, herpes, and cancer ... don't look for the equivalent on the 'net.

LOL ... enuff of the soapbox ... Live Long and Prosper! :-)
