Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Fwd: Information on MS99-022
From: netcmd () NETWORKCOMMAND COM (Mike C.)
Date: Mon, 5 Jul 1999 05:51:41 +0000

On Sun, 4 Jul 1999, Darren Reed wrote:

|In some mail from Vanja Hrustic, sie said:
|> I haven't seen this on the Bugtraq, but it's very interesting...
|> So, if I have my custom-developed IDS running, I won't be able to implement
|> a pattern for this, because I am not a member of 'Intrusion Detection
|> Consortium'?
|> Note the words...
|> "This will allow security vendors to have access to the information..." -
|> why only security vendors? What better they are than Bugtraq folks?
|bugtraq is not _only_ for security vendors.  It's open to the unwashed
|masses, if you get my drift.  I'm sure the ICSA IDS vendors are quite
|happy with this approach :)

Yes, however the unwashed masses are keeping the IDS vendors and other
vendors for that matter on their toes. If there was no large scale review
and disclose forum like bugtraq -- I fear the thought.

In the current software system, which allows the vendors to shoot products
through testing and development into the market full disclosure is the
only way to have them face up -- not telling the vendor and hoping they do
something. This is like telling a food processor their product is
poisoning people without telling the consumer. And in this example who
figures out the people are being poisoned? The institution that sees the
effects, the hospital.

I remember seeing all kinds of login attempts to a certain piece of
equipment all using the same password. Two weeks pass and what do you
know? Vendor built in a default backdoor username and password. And don't
think these login attempts were the vendor trying to be helpful.

|> "Security through obscurity" comes to mind...

Today, some companies house data that could be dangerous (Los Alamos NL),
or contain health care infomation which could ruin lives in the wrong
hands.  If a automobile manufacturer fails to take proper care in
designing a car, they issue a recall and essentially save lives . When are
we going to stop the allowing software companies off the hook with the
EULA and hold them responsible? Tell them, "no further releases until you
secure this one."

We are building our future and running our economy on software analogous
to a stick house. You read the Three Little Pigs, you put it together.

|I would hazard a guess that the number of custom IDS systems in place is
|a small number, so if you compare the number of hackers who would gain
|information on how to exploit this feature and otherwise wouldn't (i.e.
|script kiddies) and weigh that against those that run custom IDS solutions,
|I think the scales will tip in favour of the script kiddies.  I say that
|because if you have your own IDS system, chances are you've built it on
|a Unix system and hence run Unix elsewhere through your firewall, etc,
|and wouldn't need to worry about this threat because you don't have IIS4.0
|on any critical systems.  Does that make some sense ?

Don't guess about hazards,


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]