Re: BlackIce security questions

From: Fred (fredd_at_nana.com)
Date: 03/02/04


Date: Tue, 02 Mar 2004 02:07:19 GMT

Thanks Duane,

Can you or anyone advise who this is? See below: when I run a whois on a
BlackIce IP address, this is the result I get sometimes.

Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA, 90292-6695
US

Thanks
Fred

Duane Arnold wrote:

> >
> > OK, let me know what they say!
> >
> >
>
> As I promised, the response from ISS Tech Support. Also down at the bottom,
> the response also addresses the issues with the SYSTEM exploit mentioned in
> the BlackIce ccd release thread.
>
> Duane :)
>
> -----Original Message-----
> From: support-l1@networkice.com [mailto:support-l1@networkice.com]
> Sent: Monday, March 01, 2004 10:33 AM
> To: darnold92@insightbb.com
> Subject: RE: Operations: NON Admin Use Accountr is able to change
> BlackIcesettings1515950-rs-43998[T200402210046]
>
> Dear Mr. Arnold,
>
> Your files are unusual. Mainly, it appears the BIPCP never got
> completely installed. The following will address this and the "issue"
> mentioned by the online fellow.
>
> The "issue" required the hacker to have so many "ducks in a row" on the
> target system that it seemed impossible to accomplish. In any case, it's
> handled with the latest version and a clean un/reinstall should get you
> rolling as well.
>
> A clean un/reinstall should put you right. However, a more aggressive
> approach is called for here. Look at your OS's Help files to learn how to
> get into Safe Mode. That done, get the install files
>
> (http://blackice.iss.net/update_center/index.php) and BIRemove.exe
> (http://www.iss.net/support/consumer/BI_uninstall_exe.php) on your DeskTop.
> Then shut down the PC. NOTE: The BIRemove file is also currently in your
> BlackICE folder.
>
> Cold boot into Safe Mode and run BIRemove.exe. Next, run a rigorous
> anti-virus scan. Then shut down the PC, wait 10 seconds for the hard disk
> to spin down and stop. Re-apply power to the PC and install in regular
> Windows mode.
>
> Remember, uninstall and AV scan in SM. Cold boot to normal Windows for
> reinstall.
>
> A few notes about Application Protection...
>
> When installing or updating applications:
>
> The Application Protection window will pop up. Click on Install Mode
> Options, then Enable Install Mode. This will pause the Application Control
> so that you are not prompted to accept every file that is included in the
> new program. Install Mode will stay in memory for 3 minutes. After 3
> minutes, a window will appear that will ask you if you want to Disable
> Install Mode. If the installation is finished, click on Disable Install
> Mode. If the installation is not finished, click on Cancel to continue in
> Install Mode. Once the installation is finished, click on Disable Install
> Mode when the window reappears. This will restart Application and
> Communication Control.
>
> Starting with version 3.6.cbd, there is a new feature that will
> automatically update the baseline for you. Once you have selected Disable
> Install Mode, a window will appear that will ask you if you want to update
> the baseline to include the files that have been created or modified. At
> this point, you should choose "Update" to proceed, or "Cancel" if you want
> to manually update the baseline later.
>
> If you choose to manually re-baseline your system after
> installing/updating programs, follow the directions below.
>
> Right click on the BlackICE icon and choose Advanced Application
> Protection Settings. Click on the Baseline tab. On the left, check the drive
> that you have installed the update or new application to. Then click on Run
> Baseline at the bottom of the window.
>
> As well, when the Application Protection Window pops up and tells you
> that an Unknown Application is detected, you have 4 options.
>
> Terminate: Will not allow the application to run
>
> Continue: Allows the application to run, but does not add it to the
> baseline file
>
> More Info: Gives you more information about the file
>
> Don't Ask Me Again and then Continue: Adds the file to your baseline and
> enters the file into the checksum.txt file as a trusted application/file.
>
> Note, if you choose Terminate AND Don't Ask Me Again, the application
> will never run and you will not be prompted to let it run.
>
> We also recommend that you read the BlackICE PC Protection 3.6 User's
> Guide located at the following link.
>
> http://blackice.iss.net/product_documentation.php
>
> Please let us know if we can aid you further. Please be sure to
> include all previous correspondence.
>
> Thank you for choosing BlackICE to secure your system!
>
> Regards,
>
> Thomas
>
> BlackICE Support
>
> Sender : darnold92@insightbb.com
>
> Tracking Number : T200402210046Z1454086
>
> Pool : Level1
>
> Sent to : <support-l1@networkice.com>
>
> Date : 2/28/04 2:26 PM
>
> ---
>
> Protect Agent Files is enabled.
>
> Also, can you comment on the response I got from some little *Tool Tips*
> clown when I made a post about ccd being released and I made a post about it
> in a FW and Security NG?
>
> We call him little Mikey. I call him Milk Toast Mikey, because he is a real
> PITA
>
> You know, one of these little so called *hacker* types.
>
> I know about the link below.
>
> http://www.eeye.com/html/Research/Upcoming/20040213.html
>
> Duane :)
>
> Duane Arnold wrote:
>
> >-----------------------------------------------------------------------
> >-- WHAT'S NEW ---------------------------------------------------------
> >-----------------------------------------------------------------------
> >
> >- Updated to detect and block attacks that cause a buffer overflow in
> > Check Point VPN clients and Check Point VPN-1.
> > New IssueID: 2110045,ISAKMP_Certificate_Request_Overflow
> > Refer to http://xforce.iss.net/xforce/xfdb/14150.
> >
> >- Updated to detect an exploit of the ASN.1 vulnerability covered in
> > MS04-007.
> > New IssueID: 2120012,SSL_ASN1_Overflow
> >
> >- Updated SMB parser.
> >
> >Duane :)
>
> Yeah, it's a good idea to upgrade, since older versions have a
> critical, remotely exploitable vulnerability:
>
> eEye Digital Security has discovered a critical vulnerability in both
> RealSecure and BlackICE. The vulnerability allows a remote attacker to
> reliably overwrite heap memory with user-controlled data and execute
> arbitrary code within the SYSTEM context. This attack will succeed
> with BlackICE using its most paranoid settings.
>
> This exploit is made possible largely due to the fact that BI doesn't
> perform SPI. Obviously, it's a poor choice for defense.
>
> -----Original Message-----
> From: support-l1@networkice.com [mailto:support-l1@networkice.com]
> Sent: Monday, February 23, 2004 2:12 PM
> To: darnold92@insightbb.com
> Subject: RE: Operations: NON Admin Use Accountr is able to change
> BlackIcesettings1515950-rs-43998 [T200402210046]
>
> Dear Sir,
>
> I'd be delighted to assist you. That sounds correct. Only the
> Administrator who installed should be able to change settings. Have you
> selected Protect Agent Files in the Application Control tab?
>
> In order to further speculate on this, I'll need to examine some
> files from your BlackICE folder. Please send the following:
>
> Attack-List.csv
> BlackD.log
> BlackD-Old.log
> BlackICE.ini
> FireWall.ini
> License.key
> Sigs.ini
>
> The next 5 files will only be present if you are running version 3.5 or
> newer.
>
> Actlcl.txt (might or might not exist),
> Checksum.txt
> Protect.ini
> RapApp.log
> RapApp-old.log
>
> NOTE: All the requested files will have an icon resembling a
> stenographer's notebook except the Attack-List.CSV file. This will have a
> MSExcel icon. All can be zipped together.
>
> If you are unfamiliar with zipped files, go to this URL:
> http://www.WinZip.com/ and select "Download Evaluation Version." Install it
> and read the Help files. This will allow you to unzip files sent to you and
> zip files into a group of files like those we need to aid you with BlackICE.
>
> Finally, who is your Internet Service Provider? Which browser & version
> number are you using?
>
> Please let us know if we can aid you further. Please be sure to
> include all previous correspondence.
>
> Thank you for choosing BlackICE to secure your system!
>
> Regards,
>
> Thomas
>
> BlackICE Support
>
> Sender: darnold92@insightbb.com
>
> Tracking Number: T200402210046Z1449003
>
> Pool: Level1
>
> Sent to: <support-L1@networkice.com>
>
> Date: 2/21/04 7:00 AM
>
> I just noticed that any non Admin user can Edit BlackIce Settings and go to
> the Advanced Firewall rules and make changes, and they HOLD when I log off and
> log back in with an Admin account on my XP Pro machine. As a non Admin, I
> cannot stop and start the Engine or Application Control, but I can make
> changes to the settings? A message box from BI shows on the login indicating
> *as a NON Admin that the account doesn't have rights to make changes to BI*,
> but it happens.
>
> So what's the deal with this?
>
> Duane J
>
> __________ NOD32 1.629 (20040220) Information __________
>
> This message was checked by NOD32 antivirus system.
>
> http://www.nod32.com
>
> __________ NOD32 1.643 (20040301) Information __________
>
> This message was checked by NOD32 antivirus system.
>
> http://www.nod32.com
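On Fred's whois question: address blocks that IANA has set aside for special use (private LANs, link-local, loopback, multicast, reserved) are not delegated to any regional registry, so a whois query on an address in one of them returns IANA itself as the registrant. The script below is an added example, not code from the thread or from BlackICE; it classifies alert source addresses that way so such entries can be separated from traceable remote hosts. The alert lines are constructed, since the real Attack-List.csv layout is not shown on the page.

```python
"""Flag alert sources whose whois lookup would come back as IANA.

Added example (not from the thread or from BlackICE). Sample alerts are
constructed; the real Attack-List.csv layout is not shown on the page.
"""
import ipaddress
from typing import List, Optional, Tuple


def special_use_category(addr: str) -> Optional[str]:
    """IANA special-use category of addr, or None if globally routable.

    Globally routable sources are the ones a whois query can attribute to
    an RIR/ISP; special-use sources are LAN noise or spoofed packets.
    """
    ip = ipaddress.ip_address(addr)
    # Order matters: loopback and link-local also fall inside Python's
    # is_private set, so test the more specific categories first.
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private"
    return None


# Constructed alert lines: timestamp, source address, event name.
SAMPLE_ALERTS = [
    "2004-03-01 10:33:00, 192.168.1.20, NetBIOS_Name_Query",   # RFC 1918
    "2004-03-01 10:34:12, 224.0.0.251, UDP_Probe",             # multicast
    "2004-03-01 10:35:40, 203.0.113.9, TCP_Port_Scan",         # TEST-NET-3
]


def triage(alerts: List[str]) -> List[Tuple[str, str, str]]:
    """Annotate each alert with why whois would, or would not, return IANA."""
    out = []
    for line in alerts:
        _ts, src, event = (f.strip() for f in line.split(","))
        cat = special_use_category(src)
        note = (f"IANA special-use ({cat}): whois returns IANA; LAN noise or spoofed"
                if cat else "globally routable: whois names the owning RIR/ISP")
        out.append((src, event, note))
    return out


if __name__ == "__main__":
    for src, event, note in triage(SAMPLE_ALERTS):
        print(f"{src:16} {event:20} {note}")
```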


