Message-ID: <Pine.LNX.4.58.0309220646290.2474@cia.zemos.net>
From: booger at unixclan.net (security snot)
Subject: Is Marty Lying?

I just finished reading Phrack 62's article on Sneeze, and some of the
threads here concerning the matter, and I must admit that I am bothered by
some of the responses.  There is nothing I hate quite as much as vendors
who lie to their customers, except perhaps vendors that are too stupid to
realize what really happened.  I guess Marty assumes that anyone dumb
enough to buy the hype of signature-based IDS and to think products like
Snort/OpenSnort have any value as a security mechanism is going to be too
stupid to think independently and arrive at a conclusion as to what most
likely did happen with the Snort.org compromise.

First, if you look at the output from 'w' (I read a great article by BMcW
talking about the unix command 'w' being run on the ever-secure
cvs.openbsd.org by a malicious intruder, thanks Brian!), you'll notice
that users from the hacked box were logging in to www.sourcefire.com, and
some nameservers.  The compromise must definitely have been limited to
that single machine!  No intruder would be smart enough to log
authentication credentials on one hacked machine to get to another!

Second, Marty speaks about the machine being "removed" from the rest of
their network so if it gets compromised, it doesn't actually affect the
Snort/Sourcefire network's security.  Yet if you are being proactively secure and
assuming that a machine is going to get compromised, then logging into
your corporate network from that machine doesn't seem like a very
intelligent practice now, does it?  Security is policy based, and these
dopes can't understand that.

Some good questions are:
1) If the intrusion were limited to a single "shellbox" then why did they
need to audit the code in CVS to see if it was backdoored?

2) If the Snort developers cannot configure Snort to detect attacks on
their own networks, why are you hiring Sourcefire to install said
mechanisms on your network to protect you?

3) Why the fuck do people still think signature-based IDS is worthwhile?

Get a clue, everyone.


Marty - I look forward to your reply here; we'll follow up with a critique
of your incoherent coding practices.

- snot, the one and only infosec mucas

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------
