Domain: checkpoint.com
Stories and comments across the archive that link to checkpoint.com.
Comments · 64
-
Re:How exactly does this work?
L(should have)GT: https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
I attended this talk yesterday, and it was by far the best talk I attended at defcon26. The researchers did some amazing work to get this exploit. You can get the full tale of hackery at the link above, but here's my (probably/mostly correct) summary:
- At some point, the fax standard was amended to include support for JPGs, in order to allow full-color faxes
- As the researchers wrote in the above-linked blog article, "For some unknown reason, firmware developers tend to re-implement modules that are already implemented in major popular open sources. This means that instead of using libjpeg [ref.13], the developers implemented their own JPEG parser."
- When the All-in-One device receives a JPG fax, it stores the whole JPG file in local storage (on disk, essentially). This differs from how it processes TIFF files, where the headers and image data are separated. Because the whole JPG file is stored as a normal file, it gives the attacker a platform from which to operate.
- The firmware-developer-implemented JPG parser has a number of bugs, including buffer overflow vulnerabilities in the COM (CVE-2018-5925) and DHT (CVE-2018-5924) markers. It turned out the bug in the DHT marker parser was the easier one to exploit.
- Exploiting the DHT marker parser buffer overflow gets them arbitrary code execution. The code they want to execute is stored in the remainder of the JPG file. Because the OS on these All-in-One devices has no security controls and everything runs with highest privileges, they were able to use this ability to overwrite the LCD screen (to visually prove pwnage) and then to use the Eternal Blue and Double Pulsar (which they managed to squeeze into the ~4000 byte payload they had available in the JPG file) exploits to start attacking other hosts on the network. Since these All-in-One devices tend to be connected to the office network (else, it's hard to print on them), this presents an excellent jumping-off point for attacks.
All in all (all-in-one?) this was some amazing research and the full article is well worth a read.
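The summary above turns on a DHT (Define Huffman Table) segment whose length fields are trusted by a home-grown JPEG parser. The following is an added example, not the researchers' code and not the firmware's: a small DHT segment parser written from the defender's side, which validates the segment length against the bytes actually present and caps the sum of the 16 Huffman code-length counts at the 256-symbol limit the JPEG standard (ITU T.81) imposes, before any symbol bytes are copied. The sample segments (the standard luminance DC table, a segment whose counts sum to 4080, and one that declares more symbols than it carries) are constructed here for illustration; the helper names are mine.

```python
import struct

MAX_HUFFMAN_SYMBOLS = 256  # T.81 caps one Huffman table at 256 symbols


def parse_dht_segment(data: bytes) -> list:
    """Parse one JPEG DHT segment payload (the bytes after the 0xFFC4 marker).

    `data` starts at the 2-byte segment length. Every length taken from the
    file is checked against what is really in the buffer, so a crafted
    segment cannot drive a read past the end of `data` nor a copy beyond the
    fixed 256-entry symbol table a naive decoder would allocate.
    """
    if len(data) < 2:
        raise ValueError("DHT segment truncated: no length field")
    seg_len = struct.unpack(">H", data[:2])[0]
    if seg_len < 2 or seg_len > len(data):
        raise ValueError(f"DHT length {seg_len} exceeds available {len(data)} bytes")
    body = data[2:seg_len]
    tables = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 17:
            raise ValueError("DHT table header truncated (need Tc/Th + 16 counts)")
        tc_th = body[pos]
        table_class, table_id = tc_th >> 4, tc_th & 0x0F
        if table_class > 1 or table_id > 3:
            raise ValueError(f"invalid Tc/Th byte 0x{tc_th:02x}")
        counts = list(body[pos + 1:pos + 17])
        total = sum(counts)
        # The check a naive parser omits: the 16 counts come straight from the
        # file and their sum decides how many bytes land in the symbol table.
        if total > MAX_HUFFMAN_SYMBOLS:
            raise ValueError(f"DHT declares {total} symbols, max is {MAX_HUFFMAN_SYMBOLS}")
        pos += 17
        if len(body) - pos < total:
            raise ValueError(f"DHT declares {total} symbols but only {len(body) - pos} remain")
        symbols = bytes(body[pos:pos + total])
        pos += total
        tables.append({"class": table_class, "id": table_id,
                       "counts": counts, "symbols": symbols})
    return tables


def build_dht_segment(table_class: int, table_id: int, counts, symbols) -> bytes:
    """Construct a DHT payload (length field + one table); used for the samples below."""
    body = bytes([(table_class << 4) | table_id]) + bytes(counts) + bytes(symbols)
    return struct.pack(">H", len(body) + 2) + body


# Constructed sample: the standard luminance DC table from T.81 Annex K (12 symbols).
GOOD_SEGMENT = build_dht_segment(0, 0, [0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0],
                                 list(range(12)))
# Constructed hostile sample: every count byte is 255, so the sum is 4080.
BAD_SEGMENT = build_dht_segment(0, 0, [255] * 16, [0] * 64)
# Constructed sample that promises 20 symbols but only carries 5.
TRUNCATED_SEGMENT = build_dht_segment(0, 0, [0, 20] + [0] * 14, [0] * 5)


def check_segment(segment: bytes) -> str:
    """Return 'ok' or the rejection reason, for tests or for scanning files."""
    try:
        parse_dht_segment(segment)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, seg in (("good", GOOD_SEGMENT), ("bad", BAD_SEGMENT),
                      ("truncated", TRUNCATED_SEGMENT)):
        print(name, check_segment(seg))
```

The same two checks (declared length versus bytes present, and declared element count versus the fixed table it fills) apply to every marker the decoder reads; the COM marker mentioned above is the simpler case, with only the first check needed.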
-
Re:How exactly does this work?
It's an attack over the phone line, so no network communication is involved in the exploit stage. That particular fax machine implements a protocol extension which allows the transmission of color faxes. This is achieved by sending a JPEG file instead of the typical black and white data. The attack exploits a bug in the JPEG decoder. With remote code execution achieved, the attack then proceeds with a payload that attacks the network to which the fax machine is connected.
The technical paper is at: https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
-
Easy to stop/stall via hosts files... apk
0.0.0.0 namylufy.com
0.0.0.0 lindamullins.info
0.0.0.0 spgbotup.club
0.0.0.0 namyyeatop.club
0.0.0.0 namybotter.info
0.0.0.0 sanjynono.website
0.0.0.0 exvsnomy.club
0.0.0.0 ezofiezo.website
0.0.0.0 hitmesanjjoy.pro
0.0.0.0 www.clearskysec.com
0.0.0.0 clearskysec.com
0.0.0.0 support.space
0.0.0.0 falcondefender.com
0.0.0.0 update.ml
0.0.0.0 such.market
0.0.0.0 support.mafy
0.0.0.0 mafy.2waky.com
0.0.0.0 2waky.com
0.0.0.0 smail.otzo.com
0.0.0.0 otzo.com
0.0.0.0 ad.education
0.0.0.0 support.space
0.0.0.0 info.education
0.0.0.0 support.space
0.0.0.0 support.servecounterstrike.com
0.0.0.0 servecounterstrike.com
0.0.0.0 reme.otzo.com
0.0.0.0 supports.esmtp.biz
0.0.0.0 esmtp.biz
0.0.0.0 news.cloudns.cc
0.0.0.0 cloudns.cc
0.0.0.0 speed.ns01.biz
0.0.0.0 ns01.biz
0.0.0.0 space.support
0.0.0.0 reg.space
0.0.0.0 mo.mefound.com
0.0.0.0 mefound.com
0.0.0.0 support.read
0.0.0.0 books.org
0.0.0.0 supports.3utilities.com
0.0.0.0 3utilities.com
0.0.0.0 drive.google.com
0.0.0.0 support.mafy-koren.online
0.0.0.0 mafy-koren.online
* These entries in hosts block it.
APK
P.S.=> SOURCES https://research.checkpoint.co... https://www.clearskysec.com/wp... https://www.bleepingcomputer.c...
-
Easy to stop/stall via hosts files... apk
0.0.0.0 namylufy.com
0.0.0.0 lindamullins.info
0.0.0.0 spgbotup.club
0.0.0.0 namyyeatop.club
0.0.0.0 namybotter.info
0.0.0.0 sanjynono.website
0.0.0.0 exvsnomy.club
0.0.0.0 ezofiezo.website
0.0.0.0 hitmesanjjoy.pro
0.0.0.0 www.clearskysec.com
0.0.0.0 clearskysec.com
0.0.0.0 support.space
0.0.0.0 falcondefender.com
0.0.0.0 update.ml
0.0.0.0 such.market
0.0.0.0 support.mafy
0.0.0.0 mafy.2waky.com
0.0.0.0 2waky.com
0.0.0.0 smail.otzo.com
0.0.0.0 otzo.com
0.0.0.0 ad.education
0.0.0.0 support.space
0.0.0.0 info.education
0.0.0.0 support.space
0.0.0.0 support.servecounterstrike.com
0.0.0.0 servecounterstrike.com
0.0.0.0 reme.otzo.com
0.0.0.0 supports.esmtp.biz
0.0.0.0 esmtp.biz
0.0.0.0 news.cloudns.cc
0.0.0.0 cloudns.cc
0.0.0.0 speed.ns01.biz
0.0.0.0 ns01.biz
0.0.0.0 space.support
0.0.0.0 reg.space
0.0.0.0 mo.mefound.com
0.0.0.0 mefound.com
0.0.0.0 support.read
0.0.0.0 books.org
0.0.0.0 supports.3utilities.com
0.0.0.0 3utilities.com
0.0.0.0 drive.google.com
0.0.0.0 support.mafy-koren.online
0.0.0.0 mafy-koren.online
* DATA SOURCES = https://research.checkpoint.co... https://www.clearskysec.com/wp... https://www.bleepingcomputer.c... & article pointed to by this /. article (which leads to all these). APK
P.S.=> Enjoy... apk
-
Better link:
detailed analysis with real info: SiliVaccine: Inside North Korea’s Anti-Virus
-
I told you already: OFTEN AS YOU LIKE! apk
See subject & my sources my program gets do it @ diff. intervals ALL AROUND THE CLOCK & I go 'above & beyond it' personally - how?
SECURITY SITES I WILL LIST FOR YOU (these are excellent finding all kinds of exploiters & malicious sites/servers galore for ALL types of threats):
http://blog.talosintelligence....
https://www.welivesecurity.com...
https://blog.malwarebytes.com/
https://researchcenter.paloalt...
https://www.bleepingcomputer.c...
https://securityintelligence.c...
https://www.cyren.com/blog
http://garwarner.blogspot.com/
http://www.malwaretech.com/
https://securelist.com/all/?ca...
https://www.fireeye.com/blog/t...
https://www.secureworks.com/re...
https://research.checkpoint.co...
http://blog.trendmicro.com/tre...
https://www.proofpoint.com/us/...
https://blog.comodo.com/catego...
That's 25 sources in total from the security community that UPDATE all the time around the clock - my program makes easy work of consolidating all that data is all! It works (see testimonials I posted in my other replies to you from /. peers). APK
P.S.=>
... & YOU, personally, have FULL CONTROL OF THE DATA (try that w/ addons OR a REMOTE DNS - good luck on the latter & the former? You'd best know regular expressions)... apk
-
Likewise added (thanks)... apk
See subject & again, the source of the data for hosts I posted was from checkpoint's research here http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/ so you can verify its legitimacy from a reputable reliable security community source.
APK
P.S.=> cloudfront's one I've been seeing hosting malware/exploits/bad pages for a LONG time now in many lists of dangerous sites/servers etc. - et al (e.g. - https://malwr.com/ often shows servers from cloudfront spreading malicious things)... apk
-
You're welcome but thank CheckPoint instead
See subject: Checkpoint did a thorough/comprehensive report on it which was the source of the hosts file data http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/
APK
P.S.=> Giving credit where it's REALLY due... apk
-
Only two things you need to know about the mobile
1. Qualcomm has a monopoly on mobile patents.
2. Qualcomm chips have backdoors baked in.
-
Not for the first time
When Check Point Software Technologies (a company that produces Internet security products, such as FireWall-1) had its own IPO, some investor gladly bought Checkpoint Systems's stock (at the time, producing store exit security systems for preventing theft). Shachar
-
Intel CET?
See subject: It's mirrored shadow stack stopping buffer overflow exploits, stack smashing etc. (via CPU) http://blog.checkpoint.com/201...
* It stops "ROP" gadgets (fish around RAM to get past ASLR protections) finding "return oriented programming" call areas & overwriting them...
APK
P.S.=> It's a great idea I've noted here before after stumbling on it https://it.slashdot.org/commen... - imo, it'd work... apk
-
Re:Typical Google
Um, no...
QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets.
-
Re:Ridiculous
-
Re:No sources
Here is the Checkpoint blog entry on the vulnerability. The vulnerability is real, I got an unsolicited message last week with a "vcard" attached, but since it was unsolicited and not from someone I know, I deleted the conversation and blocked the user without looking at it. Now I'm wishing that I'd at least kept a record of who it was from so I can figure out who was doing the spearphishing.
-
Re:Headline does not match subject
You get administrative rights, it's in the Checkpoint report in the article: http://www.checkpoint.com/blog...
Analysis by Check Point security researchers revealed how this particular vulnerability could be exploited by attackers:
1. The bug enables unknown users to gain administrative privileges
2. By using these admin credentials, attackers can then view and edit private and undisclosed bug details. Software bug tracking data is typically closely guarded as it exposes software vulnerabilities and known issues
3. Furthermore, this access allows attackers to exploit design weaknesses, or even irreversibly destroy bug data, slowing down development
And have info about their disclosure:
September 29th – Vulnerability discovered and verified by Check Point security researchers
September 30th – Report submitted to the Bugzilla team
September 30th – Acknowledgement and confirmation of vulnerability and severity received by Mozilla
September 30th – Bugzilla team privately shared preliminary patch with prominent Bugzilla installations
October 6th – Security advisory and final patch released
The Checkpoint article is a lot more professional than the Krebs article. No jabs at FOSS either.
This looks like a major company which uses FOSS (IIRC, SPLAT is a Linux-based platform) made a contribution in discovering a vulnerability in common software.
-
Good luck with that certificate
CheckPoint HTTPS description states that the proxy "Creates a new SSL certificate for the communication between the Security Gateway and the client, sends the client the new certificate and continues the SSL negotiation with it [...] you must deploy [your Security Management Server's root certificate] in the Trusted Root Certification Authorities Certificate Store on the client computers." This is MITM, and Comcast is going to have a hard time getting the required root certificate installed on everyone's browser.
-
Check Point appliance recently released
I have been extremely tempted to buy Check Point's latest all in one security appliance... they no longer use SofaWare as their embedded OS on their smaller appliances, it's a scaled down GAIA (the next evolution of Check Point's SPLAT for those who do Check Point stuff). It's pretty nuts all the things they pack into one little box... 10 1 gig ports, and 802.11 b/g/n
"All 600 Appliances come standard with 10 x 1Gbps Ethernet ports. For added flexibility and convenience, the wireless version of the 600 Appliance includes a WiFi access point (802.11b/g/n) that supports WEP, WPA and WPA2 authentication as well as secured guest access capabilities. The optional integrated ADSL modem eliminates the need for a separate external ADSL modem. Additionally, the included USB and PCI Express card slots allow an administrator to plug in a compatible third party 3G modem, providing an additional WAN connectivity for a redundant Internet link for maximum reliability."
http://www.checkpoint.com/products/600-appliances/index.html
Looks like they're about $400 on a random site I googled. Really tempting... I've been thinking about doing the same thing (plus REAL web filtering built-in, for my daughter).
-
Insert free advert for Check Point and Versafe ..
"The multi-staged attack infected the computers and mobile devices of online banking customers and once the Eurograbber Trojans were installed on both devices, the bank customers' online banking sessions were completely monitored and manipulated by the attackers. Even the two-factor authentication mechanism used by the banks to ensure the security of online banking transactions was circumvented in the attack and actually used by the attackers to authenticate their illicit financial transfer. Further, the Trojan used to attack mobile devices was developed for both the Blackberry and Android platforms in order to facilitate a wide "target market" and as such was able to infect both corporate and private banking users and illicitly transfer funds out of customers' accounts in amounts ranging from 500 to 250,00 Euros each.
This case study dissects the attack and provides a step-by-step walkthrough of how the full attack transpired from the initial infection through to the illicit financial transfer. The case study closes with an overview of how individuals can protect themselves against the Eurograbber attack, including specific insight to how Check Point products and Versafe products protect against this attack. link
-
When did he do his last google search?
When did he do his last google search?
Must be some time, otherwise he might have found Firewalls from "traditional vendors" integrated into the Hypervisor like https://www.checkpoint.com/products/security-gateway-virtual-edition/index.html
The product is on the market for some years now....
-
Latency
This is funny because all the banking companies, in the past, removed their firewalls on their interconnection with trading places. Now that they've been hacked left and right, they are starting to put them back because of this. Firewall vendors are now starting a war with regards to latency (also keep in mind this is one-way latency).
Fortinet for instance announced a sub-9 microseconds firewall. That's 9000 nanoseconds. Check Point followed-up with a sub-5 microseconds latency. Oh, this is with 64 bytes packets, pretty much the minimum size you can get on a link.
With such "bottle necks" I don't see the point of going to the 100's in the nano-second (but I'm not a layer 2-3 guy, I'm layer 4-7 all the way) given this.
A solution seems to be timestamping the financial requests when the order is sent, and when the server receives the packet it can back-order at the price of the stock when the order was given. I guess it's better not to buy stock than to buy it at the wrong price. But then again, I don't like high-speed trading very much and I'd rather have this concept die.
-
Re:Not VPN issue (IPSec lacking built in in ANDROI
If security issues of ANY kind happened on ANDROID? It's an ANDROID (thus, a Linux problem) problem.
Wow, that has to be the most feeble attempt at constructing an argument I have seen in a long time.
Firstly, we've already established none of your 90-odd links relate to hacked Linux; all they show is that despite significant effort by hackers to target Android users, they have not escaped Linux userspace, and the best they can do is bypass some additional permissions created by the Dalvik VM in applications the user chooses to install. And even then they are easy to remove using stock application management settings.
And then to top it all off you finish with a blatantly false claim.
Here is a screenshot of the "IPSec solution integrated into stock ANDROID" settings screen.
https://sc1.checkpoint.com/sc/SolutionsStatics/sk63324/AndroidL2TP.png
-
Re:This is why...
Some people do this in hardware now with no performance impact (DPI is traditionally very processor intensive). They don't look at things in terms of TCP anymore, but by application. You can block, say, Facebook and Twitter but allow RTMPT (Flash video streaming over HTTP). And you can easily block any traffic on port 80 that you don't recognize as HTTP. This exists because people used to do protocol tunneling to circumvent traditional firewalls (HTTP in DNS over UDP for example). Modern DPI devices are designed to detect those creative methods with no performance (and therefore delay) impact.
You do need a lot of hardware, but not as much as 3 years ago. And when you have a government-sized budget for this, nothing is impossible.
I hate mentioning only Palo Alto, but in my knowledge (I'm a network test equipment vendor employee - I test the performance of these devices for a living) they are the only ones to do that in hardware. Checkpoint does the exact same thing but as far as I know it's not done in hardware - they do claim it has no performance impact but I haven't had a chance to test this myself.
Gartner published a report (here hosted by PA, reg. unfortunately required) that goes over all these challenges. I'm fairly sure somebody in Iran read this report and implemented it.
-
Re:A major security flaw in IE?
The format is trivial, but oddly enough a secure parser is not.
One of the exploitable Firefox bugs this year is in the GIF parsing code, in a situation where there are multiple images in a GIF file, and one has a small color map and is malformed in a specific way, followed by one with a larger color map.
See https://bugzilla.mozilla.org/show_bug.cgi?id=511689 for more details.
Java and windows have also had GIF parsing security bugs in the past:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
http://www.checkpoint.com/defense/advisories/public/2008/cpai-02-Sepa.html
Remember, this GIF parsing is but one of the things I mentioned, and I only mentioned a small fraction of the potential bugs in any web browser.
This is why security is hard: Secure software is perfect software, and we don't write perfect software.
-
Re:Why bother?
Let's try this again... without blown links (Need caffeine in the morning before posting)
http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
http://www.checkpoint.com/defense/advisories/public/2009/cpai-31-Dec.html
http://www.win.tue.nl/hashclash/rogue-ca/
-
Re:Not unless...
An Israeli company produces the underlying software of the only product they could be talking about, Checkpoint. Maybe that would make a stink with the people that bought it.
-
no opensource full disk encryption for MacOSX
At least WinVista and WinXP users have several full disk encryption options, including the opensource TrueCrypt.
But Mac users are out of luck, since no opensource full disk encryption exists for MacOSX. Neither TrueCrypt nor Apple's FileVault supports full disk encryption on MacOSX. The only option is the closed source Check Point Full Disk Encryption product.
But if it is not opensource, then I personally would not trust it not to have back doors, especially since multinational corporations left-right-and-center have been falling all over themselves to help the US and other governments spy on the general population.
-
Checkpoint Full Disk Encryption (Pointsec)
You may consider Checkpoint Full Disk Encryption (formerly Pointsec).
http://www.checkpoint.com/products/datasecurity/pc/index.html
-
Re:Mod parent up!
Apparently they did, either that or Checkpoint's protection feature for the general class of DNS poisoning attacks just happened to protect against this one too. However, even if it did protect against it I doubt they could have released a same day press release stating it did if they hadn't been notified of the vulnerability ahead of time.
-
You pretty much deserve all you get.
http://www.checkpoint.com/products/datasecurity/pc/index.html
Hell...
http://www.truecrypt.org/docs/?s=system-encryption
I wonder when stupidity actually became an asset in our society.
-
Re:Slashdotted
I work somewhere that uses the commercial EPHD product (I think this is it). I believe the systems actually got less secure after installing EPHD.
- To start, the Single Sign-on allows entry of username/password at boot, and then bypasses the Windows login. Even if you time-out at the Windows login, it will usually just let you in.
But how often does a user boot the computer, put in their password, and then just walk away? And more to the point, how is this less secure than booting into Windows, putting in a password and then walking away till the desktop comes up? At some point you need to trust your users enough to follow simple directions. (I admit that is part of the problem where I work, Management thinks that they hired idiots that can't follow directions. Said idiots are making $50,000-$150,000/yr working with hazardous materials, I think that they can follow simple directions.)
- If you fail to provide the correct password after 3 to 5 times, it prompts to call the help desk for a special code. However, if you simply turn off the computer and turn it back on, you can try again. Repeat until you get it right.
I'm not familiar with the product you mentioned, but my guess is that there is a policy setting that can be set up by the admin to prevent this type of behavior (IE: 15 minute lockout after 5 incorrect attempts). I know that the product that we are using (Pointsec, now Checkpoint) does. If it doesn't it is a defective product, and if it does, then the people in charge of security at your company didn't think this through (or it was decided against for other reasons. (For example they may have a 32 character minimum password requirement and they thought that would be enough of a deterrent for a brute-force attack))
- You cannot have multiple people/users recognized for the login. Only one user can login to EPHD. So, people (even managers) started creating dummy users for systems and told others how to generate the password for the users so that more than one person could login. Keep in mind password sharing is forbidden by policy.
This is a big defect. But perhaps the functionality is there, and it hasn't been implemented. (See above for polices not being enforced, or see below for my point on companies investing in this technology.)
We also had a 50% success rate with installation because it kept corrupting the master FAT table. Kept the techs busy for a few weeks as they tried to sort it all out. They had to rebuild my system 2 or 3 times before it took.
With Pointsec, our success rate is 95%+. We found out in testing that certain (Windows) patches needed to be installed before it would work reliably. Before that it was fairly hit or miss as to whether it would work or not. (It's only that low because I can think of one time where a hard drive died, and a couple of others that had so much crap installed that Pointsec refused to install correctly and a re-image of the laptop fixed those issues.) The product that your company is using may have had similar quirks that had not been discovered by the time that your machine was worked on.
Which brings up a good point: Companies invest in the technology blindly. Management imposes unrealistic deadlines, or they impose unrealistic dollar constraints, or they burden people who are overworked, and fail to budget for training, or allot time for testing, or even ask end users for their input. This almost guarantees that someone (usually with clout) will be upset, the deployment will go badly (50% success rate? 3 tries to get it right on one machine? Definitely a botched deployment, probably because of lack of training/testing) or the project fails completely and gets scrapped.
There's good ways to manage it - BitArmor seems to hav
-
As a Government Contractor
I have to say that everybody is all for encrypting your laptop until you realize what that means. For us we are running Pointsec (or as some people call it, PointSuck) on every laptop in the company. It's annoying because Pointsec is a dog to install and about 1 in 10 people who do end up having it crash before it reaches the magical 1% and have to rebuild their machine from scratch. They say it doesn't affect disk performance, but it is yet another layer of overhead that makes the Core2Duo based laptops we use now take 10 minutes to boot up (10 minutes until the disk dies down and it's usable at least, thanks to Symantec, ZoneAlarm, Patch Checker, Radia, etc...) and not feel any faster than the previous generation laptops.
It has been especially annoying for my department because we have lots of older hardware (like Sony Vaio Picturebooks that are really nice for portable testing, and Sharp Zaurus SL-C7xx series linux boxes that we really have no way of encrypting, and must plant clear instead, even though they'll never have any kind of vital information on them). Not to mention all of the people who are in to dual booting (we now use VMware a lot instead, although VMware has several issues that make it annoying, the most basic of which is the clock drift). It's also been a pain for our laptop re-imaging system (which is basically dead now)
In the end I'll be glad if my main work machine is stolen since I'm pretty sure Outlook doesn't encrypt anything and I have confidential information on it, but the cost is a lot higher than the price of one copy of Pointsec.
-
Re:File synchronization... If you must...
For laptop security we use this: http://www.checkpoint.com/pointsec/ For remote laptop users we schedule a batch file that stops services (if needed) and we use this for backups: http://www.carbonite.com/
-
Re:Communications Decency Act Section 230
We use Check Point firewalls. I don't have any direct experience with them because our network team is almost 100 people and it's simply not my area. Been hearing good things about the Junipers as well.
-
Re:Why would my cursor run as root?
You think that's bad? There was another security flaw in the mouse code announced over 15 months ago (Jan 05). They patched that but never examined the code for other exploits. I mean really, if you've got SOOO much freaking legacy code, you'd at least want to be refactoring what you have to touch because of bugs or, for example, security holes.
http://www.checkpoint.com/defense/advisories/public/2005/cpai-2005-06.html
But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector but to just put a band-aid on it and send it right into the Windows Vista product is just plain bad.
Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole... What a joke.
LoB
-
ISP/Telco - No Webmail
I used to work for a Telco that is also a major ISP. Our internal .com users were not allowed to access our own .net webmail accounts PROVIDED BY OUR COMPANY!!! It was claimed to be for security reasons.
Bad files are going to get inside regardless of what you do to prevent them coming in - unless you disable all USB ports, floppy drives and external networking like DoD does. Your network and each system needs to be able to protect itself even when "inside." Blocking at a firewall is just 1 of many layers that are needed in any network environment.
Don't be a fool, your PC is never safe. Learn it, know it, get over it, protect it.
http://www.checkpoint.com/products/internal_security/articles/rr_elements.html
-
Re:Yup.
Virtually every Cisco, Juniper or other router supports IPv6 - Cisco started its IPv6 transition in 2000 and finished it a long time ago, so a huge number of installed routers just need to be configured for IPv6 - still a big task, but not a capital investment and can be done gradually rather than as a 'fork lift upgrade'. As for firewalls, Check Point is the market leader and announced IPv6 support in 2002: http://www.checkpoint.com/press/2002/ipv6_081402.html - and for geeky home users, IPv6 is already supported by DD-WRT and other Linux-based firmware for the Linksys WRT54G box, and of course by BSD/Linux on PCs.
Consumer routers are fairly disposable - when a real service comes along needing IPv6 they can be firmware-upgraded in many cases or just replaced. Many new services such as BT Total Broadband in the UK come with an integrated router/WiFi/VoIP box. Other services driving IPv6 might be 3G mobile, fixed-mobile convergence (3G femtocell access points for the home are coming, roam onto your home 3G cell for about $100 wholesale, less with subsidy), or IMS (IP Multimedia Subsystem, telcos' attempt to push high-QoS services across any access link).
IPv6 is taking off first in AsiaPac (China is doing a huge amount of IPv6, Japan has a lot of networks already), but it's also hitting Europe. I recently saw strong indications that IPv6 will be required for systems going in this year, from two well-known telcos, which is a first in my experience. And of course the DoD is procuring IPv6-based systems and networks.
Apps are the main area for IPv6 now, so Microsoft AD and Squid do need to support IPv6. But at least Windows Vista includes IPv6 enabled by default - v6 was included in XP but had to be enabled (just one command though).
-
Some things to consider...
The main factor for Check Point's acquisition was for the RNA technology and the way that the rest of SourceFire's products fit into a centralized management architecture (like Check Point's). Check Point's firewalls have been doing IPS/IDS firewalling for some time. Now combine the existing technology with SourceFire's passive IDS approach and you have quite an interesting technology. Check Point is constantly pushing the envelope and it would have been exciting to see what this would have brought.
As far as all the "US gov't doesn't use Check Point" consider this: one of Check Point's largest customers is the U.S. Army. So we can pretty much put that to rest.
Let's put another one to rest: this whole "Check Point sucks because it's all closed source and they make money" is tiring. While yes Check Point's security applications are closed source, the development platform for all the apps is Linux. Check Point's own hardened Linux version SecurePlatform is available at no extra cost, is supported without extra cost and is the preferred platform. Download a version and see for yourself http://www.vmware.com/vmtn/appliances/. You'll see that Check Point makes extensive use of OSS, and even contributes back to the community from what I hear.
Check Point is a strong advocate for Open Source where it makes sense, and I don't think they need to apologize for being profitable when US based companies like Cisco and Microsoft make billions off the crap they have slopped together.
This whole Israeli "back door" thing is ridiculous, and stinks of anti-Semitic conspiracy. Israel has consistently been the US's most staunch ally (when allowed). What possible benefit would Israel or Check Point gain by allowing a backdoor to be widely distributed throughout the world? Think about it, Check Point has been in business for 13+ years, and has hundreds of thousands of Internet perimeter firewalls out there in operation. Don't you think that if there was a deliberate back door that it would have been found by now? Yeah those crazy Jews are out for world domination again. Ridiculous.
It is no secret that Check Point is run by mad scientists who make great product, but don't have a clue when it comes to running a business (well maybe just the bribing part). Could it be that Check Point maybe didn't grease Washington the way it should have? Could it be that Sam Nunn being on the board of directors for direct competitor of Sourcefire and Check Point's might have had something to do with this? Could it be that market powerhouses like Cisco who spend more money on marketing the mythical "self-defending network" than actually fixing their sh!t helped put a stop to this?
Follow the money. It was big businees and big Bush that killed this deal. And yes Check Point is a $Billion+ company so I'm sure they will survive (sniff sniff), but how does this play into the mythical "global free market" we keep hearng about? Is protecting stagnant companies like ISS and Cisco what is really best for the security market and the rest of us? -
Additional Info
Check Point's website has some decent info about the acquisition, albeit somewhat fluffed with marketing. They also have a pdf FAQ regarding the acquisition.
-
Just plain ignorant post
The assertion that packet filtering firewalls cannot block this attack is just plain wrong. For instance, Check Point, and probably other firewall manufacturers, had a block for this attack back in April of 04. Firewalls aren't just the freeware open source flavor of the month gang. Some corporations actually buy more advanced tools that have features beyond blocking a given port.
Reference: http://www.checkpoint.com/defense/advisories/public/2005/cpai-28-Dec.html -
More info from Checkpoint
Here is some more info from checkpoint including a FAQ.
http://www.checkpoint.com/sourcefire/
I use both FireWall-1 and Sourcefire currently. The one thing I hope they /don't/ do is merge the two support teams. Sourcefire's support is decent, but Check Point's is downright awful. -
Letter Text
Interesting. Snort looks like a pretty cool tool. Anyone know more about it? How does it hold up against other intrusion detection packages?
And, any info on check point? I've heard of them, but haven't really seen much about their products.. then again, I code mainly, don't see much of the network admin side of IT. I try to keep up though.
Oh.. and since Snort.org looks like its flying toward slashdotted.. it barely loaded. Here's the letter.
------
October 6, 2005
To the Snort community:
I am very excited to announce that Check Point has signed an agreement to acquire Sourcefire, the company that develops the Snort® project and maintains the snort.org domain. I know that many of you are probably going to ask "what does this mean for Snort?", so I'd like to take a few minutes to talk about that.
I'll start by stating again what I've stated in the past, Snort is now and will continue to be free to end-users. We will continue to develop and distribute the Snort engine under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site. The community continues, as always, to be important to us as a group of people who use the code pervasively throughout the entire Internet, report on problems and make suggestions and contributions to the project. Check Point is very excited about continuing Sourcefire's involvement with the open source community!
I'd also like to take a moment to extend a personal "thank you" to the Snort community for your contribution to Sourcefire's success. Little did I know when I first decided to GPL and release Snort in 1998 that it would become the foundation of this worldwide community of hundreds of thousands of users and the core technology of Sourcefire at its founding, and now the launching point for an acquisition by one of the largest and most respected security companies in the world. All of us at Sourcefire look forward to taking our vision and technology to the next level as a vital part of a true industry leader and continuing to build the best open source intrusion detection and prevention technology in the world.
The acquisition is subject to regulatory conditions and approvals and is expected to close by Q106. You can review the press release and FAQ documents at http://www.checkpoint.com/sourcefire.
Sincerely,
Martin Roesch
Founder and CTO
Sourcefire, Inc.
----- -
I hate those questions
Hi,
So what does the Slashdot crowd use when they need to secure their Linux and Windows servers?
I hate those questions. It's like "What car do you recommend?" without going much into the details of the intended use. Well, general questions ask for general answers:
I would use Check Point FireWall-1. There is a single server license available for US$1,000 (list price). But you still need a management station (about 20K for an unlimited number of managed firewalls). It's available for the major operating systems, very flexible and powerful.
Regards, Martin
-
Re:Preferentially?
An IDS (Intrusion Detection System) is not meant for inline functionality and dropping packets. It is merely meant to detect attacks and log them by seeing copies of all packets, such as using a mirror port of a switch. Some IDS applications (such as Snort) also support plugins which can dynamically install firewall rules in a separate firewall (such as Cisco ACLs, iptables, etc.) when an attack is detected.
An IPS (Intrusion Prevention System) is an IDS system built to be placed inline with the capabilities of blocking attacks itself. SNORT also has some IPS (inline) functionality.
Unless you install a firewall which contains application intelligence (such as Checkpoint), the firewall will not detect attacks such as zombies. The parent is right in stating that an IDS or IPS is best used for this functionality.
-DJBS -
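The "IDS that pushes rules into a separate firewall" pattern from the comment above, as an added example that is not Snort's own output plugin nor anything from Check Point: a small Python script that reads Snort "fast"-format alert lines (the sample lines are constructed for this example, with RFC 5737 documentation addresses), filters on alert priority, and emits the iptables commands an active-response hook would run. It is a dry run by design, returning the commands instead of executing them, and it assumes the fast alert layout and the usual `iptables -I INPUT -s <ip> -j DROP` form. The allowlist and the deduplication are the parts a practitioner actually needs: an attacker who can spoof source addresses can otherwise trick the IDS into blocking your own gateway or DNS servers.

```python
"""Dry-run Snort alert -> iptables block planner (example code, not Snort's).

Assumed input: Snort "fast" alert lines, e.g.
  10/06-12:34:56.789012  [**] [1:2000001:1] SCAN nmap SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:54321 -> 198.51.100.5:22
Snort priority 1 is the most severe; higher numbers are less severe.
"""
import ipaddress
import re

ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]"
    r"\s*\{(?P<proto>\w+)\}\s*(?P<src>[\d.]+)(?::\d+)?\s*->\s*(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts for this example (not real Snort output).
SAMPLE_ALERTS = [
    "10/06-12:34:56.789012  [**] [1:2000001:1] SCAN nmap SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:54321 -> 198.51.100.5:22",
    "10/06-12:35:01.000001  [**] [1:2000002:1] POLICY outbound IRC [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.11:40000 -> 198.51.100.5:6667",
    "10/06-12:35:05.000002  [**] [1:2000003:2] EXPLOIT SMB overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:445 -> 198.51.100.5:445",
    "10/06-12:35:09.000003  [**] [1:2000004:1] ICMP large echo [**] [Classification: Misc activity] [Priority: 1] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "this line is not an alert at all",
    "10/06-12:35:12.000004  [**] [1:2000005:1] DNS amplification query [**] [Priority: 1] {UDP} 203.0.113.9:53 -> 198.51.100.5:53",
]


def parse_alert(line):
    """Return the fields of one fast-format alert, or None if the line is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def plan_blocks(lines, never_block, max_priority=2):
    """Turn alert lines into iptables DROP commands for the source addresses.

    never_block: CIDR strings (your own networks, gateways, resolvers) that
                 must never be blocked, whatever the IDS says.
    max_priority: only alerts with priority <= this value trigger a block.
    Each source address is blocked at most once.
    """
    allow = [ipaddress.ip_network(n) for n in never_block]
    commands, blocked = [], set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["priority"] > max_priority:
            continue
        src = ipaddress.ip_address(alert["src"])
        if src in blocked or any(src in net for net in allow):
            continue
        blocked.add(src)
        commands.append(f"iptables -I INPUT -s {src} -j DROP")
    return commands


if __name__ == "__main__":
    # Dry run: print what an active-response hook would execute.
    for cmd in plan_blocks(SAMPLE_ALERTS, never_block=["10.0.0.0/8"]):
        print(cmd)
```

Run on the sample lines it emits two commands: one for 192.0.2.10 (the priority-3 IRC alert is below the threshold, the 10.0.0.5 host is allowlisted, the second 192.0.2.10 alert is deduplicated) and one for 203.0.113.9. In a real deployment the block should also expire after a while, which is what a dedicated responder such as a timed ipset entry gives you and this script does not.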
Check Point Interspect and PestPatrol Corporate
I recently did an evaluation of PestPatrol Corporate Edition 5.0, which runs in a similar fashion to Symantec's Corporate Antivirus. The software is server based, connects to PestPatrol for spyware removal updates, and can run a daily scan of hard drives to remove spyware. The only thing that is actually installed on the workstations is a small app that performs the actual scans. It's not that expensive either, I think it was about $2k for a 250 user license. Check it out at http://www.pestpatrol.com/Products/PestPatrolcE/
Check Point's Interspect hardware is really interesting. It's a piece of hardware that plugs into your network backbone and protects the network from spyware, Trojans, worms, etc. It doesn't actually remove anything, but if it detects an infected computer on the network, it can either prevent that computer from accessing resources on the network, or if need be, it can actually disable that node's port on the switch that it's plugged in to. It does a lot more too, and I can't wait to get an eval of it. Check it out here: http://www.checkpoint.com/products/interspect/index.html
Hope this helps... -
Cisco CSA/Check Point Integrity
So we have about 3000 laptops in our organization. Mostly Win2K Pro, some XP pro. Users only have power user rights, and we're so far behind on patching it's not even funny (can you say SP2 with 1 or 2 hotfixes?). Their machines are so overrun with Spyware that some web apps won't even run.
Due to our desktop team's negligence in patching (even though we own Altiris), I've been taking a hard look at Cisco's Secure Agent... It's really robust, but it complains about ANYTHING trying to do ANYTHING (think Zonealarm from hell), the Altiris client apparently needs 'self modifying code' to run, KlipFolio tries to make a network connection and all sorts of alarms go off, and most spyware still ends up installing anyway. I've been spending some time with Cisco, and I'm sure I'll be spending more, but this looks like an uphill battle the entire way.
Another 'solution' I'm looking at is the Check Point Integrity VPN client (Check Point sucked up Zone Labs last year)... Instead of my clients using traditional VPN software, we'd look at deploying an SSL-type-VPN with Integrity. Basically, every time you make a VPN connection back to our office, your machine gets scanned for spyware (this would hold true for Internet kiosks as well as their home PCs and even corporate PCs)... Depending on how infuckted you are, you can define different access levels (keylogger = no access, normal cookie crap and a couple Browser Helper Objects, you get access to webmail only. You're clean? Congrats, you get the Intranet and network drive shares). It sounds great and all, but I can't say I've had time to see if the rubber meets the road. Read for yourself, more info here and here.
This is definitely a very interesting 'ask slashdot', and I'll be keeping my eye on the ideas presented.
-
Except that the GPL is pissed on daily
Plenty of boxes ship with modified embedded Linux without the sources; if you ask for the sources you are laughed at.
Try to get the kernel modification for Check Point SecurePlatform for example.
Your point is moot as the GPL is just not respected...
-
Re:With a name like Dameon...
One of my college professors, a Chinese fellow whose command of the English language was not perfect, often called me "Demon."
:)
Here is my explanation on the name PhoneBoy. Since I'm not interested in increasing the slashdot effect on my site, I'll post the relevant bit here:
For those who care, the name PhoneBoy was given to me by one of the hosts of Radionet Talk Radio, a radio show I used to work on in 1996. I used to screen calls for the show. The host forgot my name one day and called me PhoneBoy just to call me something. The thought I had at the time was "[The host] is never going to let this name go, so I might as well embrace it." And embrace it I have. :)
As I've evolved my web presence over the years, the name PhoneBoy became very closely tied to FireWall-1. In fact, if you Google for FireWall-1, you'll see that www.phoneboy.com comes up right after Check Point, the company that makes FireWall-1 (now marketed as VPN-1).
-
Oy
The company I used to work for used multiple Check Point FW-1 firewalls, which eventually I happened to administer (the version previous to NG).
Unfortunately, management decided to run them on NT 4 Server instead of Solaris or even Linux (this is from 2000 - 2002). (Check Point was originally a Solaris product ported to Linux and eventually Windows).
It sucked HARD on NT - in particular because NT 4 had no native ability to limit file size, and the Check Point logs grew exponentially if you happened to be a few connections over your licence limit. If the hard drive volume filled up, you couldn't make any firewall config changes, so you had to stop the services, clear out the log file, restart the services, and you were good.
Also, FloodGate-1 (their traffic-shaping product) didn't work worth a darn on NT either. It was supposed to, the logs said it was running, but it didn't do a darn thing on one firewall, but would work perfectly on a different firewall server in the EXACT SAME CONFIG!! (we had checkpoint support try and help us with this, they couldn't figure it out either)
Management wouldn't consider even moving to Linux, as I was the only back-end admin with ANY experience with it - even though you spend 90% of your time in the GUI. Check Point has even come out with a one-disk "hardened" solution that runs on Linux called SecurePlatform - couldn't be easier.
I haven't had much experience with NG - when I left after the company went bust we had one NG firewall in the mix running on Win2k server. Supposedly they had cleaned up a bunch of the issues that were present in the previous version (and you can limit file size natively on Win2k!! Yay!!)
Anyway, thanks for the rant :)