Domain: iss.net
Stories and comments across the archive that link to iss.net.
Comments · 121
-
Re: Figures
You're a bit behind the times. Both Linux and OS X are now more vulnerable operating systems than Windows.
Show me one Linux vulnerability in the last year that didn't require a highly skilled attacker combined with a set of highly unlikely conditions, or rely on the system to be poorly configured. Hell, forget the year limit. Show me one from within the last decade. Good Luck!
I guess you've forgotten about this. Or you can search for ShellShock or Heartbleed. And then there are the kernel bugs that cause race conditions last December, or last May's bug that allows users to get privileged access or do a DoS, not too good in a shared hosting / shared server environment. This bug has nothing to do with a "poorly configured system". It's a flaw.
Here's the security vulnerability list for the linux kernel for 2014, with 133 bugs.
Some of these bugs made the evening news, so I don't know how you missed them all,
-
Re:Is it actually a bug at all?
-
Re:How did they do it?
Any major organization does this. Signature based intrusion detection systems connected to a SIEM. Most of these aren't configured to log payload, it's too much volume by default. In FOSS terms, think Snort with a custom signature set and a proprietary correlation engine doing real-time alerting and monitoring.
It's helpful to track worm breakouts, hack attacks, etc, etc. Often you outsource the monitoring because real-time 24x7x365 monitoring analysis and response runs a lot of money.
The Tor signature probably fired on some sensors in the centre: http://www.iss.net/security_center/reference/vuln/TOR_Client_Request.htm . The IP was authenticated with 802.1x and that's all they needed to shake him down until he confessed.
-
Squiggleslash: Time 2 "EAT UR WORDS" stupid, lol!
"No, it can't. No mainstream operating system has ever shipped with a version of ping that outputs malformed ping packets, let alone ping packets malformed in a way that would cause a PoD. Ever. Exploiting the PoD requires a specially written tool to output a malformed ping packet. You cannot use the ping command to do that. If I'm wrong, it's fairly easy to prove." - by squiggleslash (241428) on Thursday January 19, @01:27PM (#38750686) Homepage
Squiggleslash has to "eat his words" on PING OF DEATH now:
http://www.iss.net/security_center/advice/Intrusions/2000012/default.htm
---
PERTINENT QUOTE/EXCERPT:
"Ping of death can actually be run from older versions of Windows. At a command line, simply type: ping -l 65550 VICTIM"
Just like I said it was, here:
http://slashdot.org/comments.pl?sid=2610052&cid=38753762
You STUPID little ignorant NOOB... lol, & YOU SAID I DON'T KNOW WHAT I AM TALKING ABOUT? LOL, speak for yourself, dimwit... lol!
---
* That all "said & aside", you anonymously stalking/harassing trolling scumbag? U FAIL vs. myself, as always... lol!
APK
P.S.=> Hey stupid, tell us - How does 'eating your words' taste, especially when you stuck YOUR FOOT IN YOUR DUMB ASS MOUTH & ALSO FLAVORED IT WITH "the bitter taste of defeat"?... accept it - you can try to troll/stalk/harass me via AC replies as you have, but you blew it YET again, vs. myself, as always... & you KNOW I've just GOTTA say it:
This? This was just "too, Too, TOO EASY - just '2EZ'", lmao... especially vs. this little ac stalking/harassing little WEASEL of a registered 'luser' named Squiggleslash who'd been stalking/harassing me via AC replies here (proof of that's regarding THIS VERY THREAD & his admitting he's doing it elsewhere -> )
U FAIL TROLL, lol... as usual, vs. myself - even when you TRY to do it "on the down-low/sly" via ac trolling posts, too bad you posted as yourself this time, eh? Stupid, lol...
...apk
-
Adoption?
Seems like a reasonable technical approach, but the problem is clearly with adoption.
AFAIK, IBM does not make wireless access points, and it's probably going to be hard to get the IEEE to adopt the mechanism (esp. if patented and restricted) as part of the 802.11x standards.
Looks like the team there recognizes this as a key challenge. See the bottom of this post: A new solution to wireless security issues
-
used to work in Windows
Microsoft Windows products have been known to scan media streams for executables, either deliberately (for installing gov't keyloggers, for example) or accidentally:
http://www.iss.net/security_center/reference/vuln/RIFF_Codec_Overflow.htm
-
Slides link
Since the search results mostly go to the video, here's a blog which includes a link to the slides and some discussion: http://blogs.iss.net/archive/Shmoocon2011.html
-
Re:Are VMware, Parallels, and VB also vulnerable?
Are you aware that the majority of security vendors employ such personnel? The most effective means of finding vulnerabilities like these is, oh I don't know, to attempt to exploit systems. Reference Internet Security Systems (now owned by IBM), several key members of which I used to have coffee with once or twice a week.
-
Not worried, fixed already
"Fortunately a version of OpenSSL (0.9.8l) is available which disables renegotiation, which is appropriate for most applications. According to Mr. Kurmu, Twitter seems to have already applied it. Have you?"
http://blogs.iss.net/archive/stealingcookieswiths.html
Unless I'm missing something, I need not worry about the wife, or myself. We both have OpenSSL 0.9.8 but I ain't sure WHAT my sons are using. Windows XP probably doesn't use SSL.
Oh well - I'll just warn them one more time NOT to do internet banking on their Windows machines, and warn as well that their SSL connections may be vulnerable.
-
Re:theregoestheinternet? Not so fast!
And it even links right after that quote to a follow-up post from the same blog that notes that "Unfortunately, the situation is worse than I thought".
-
Re:And this is a surprise?
'Actually the IE8 exploit used during Pwn2Own contest wouldn't work on the final release of IE8 published one day later on the 19th of March'
According to this, only when .NET controls have been disabled.
-
Re:Sandsecurity
Ummm... no. If you really want to enlist the services of the best in the field, talk to some folks at ISS (now owned by IBM) about your threat assessment needs. I've known a couple of guys there for a *long* time, and I can assure you that they are among the absolute best in the industry at penetration testing and forensic analysis.
-
Re:The only way to be sure...
my suggestion is to call ibm. if you're concerned about windows and windows-based application vulnerabilities, ibm's xforce is responsible for finding a large percentage of known MS vulnerabilities. a couple of years ago, ibm acquired Internet Security Solutions, and incorporated their portfolio into the ibm high performance line.
of all security products that i'm aware of, it's the only one people never seem to be let down by.
check them out, give them a call, ask them questions. if it's not for you, they'll tell you so. www.iss.net
-
Re:Pwned
Nominees
- Best Server-Side Bug
- Best Client-Side Bug
- Mass 0wnage
- Most Innovative Research
- Lamest Vendor Response
- Most Overhyped Bug
- Best Song
- Most Epic FAIL
- Lifetime Achievement Award
We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.
The winners of the Pwnie Awards will be announced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
-
Windows IGMP kernel vulnerability (CVE-2007-0069)
Discovered by: Alex Wheeler and Ryan Smith
Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.
-
NetWare kernel DCERPC stack buffer overflow
Discovered by: Nicolas Pouvesle
At REcon 2008, Nicolas Pouvesle demonstrated some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.
This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.
-
ClamAV Remote Command Execution (CVE-2007-4560)
Discovered by: Nikolaos Rangos
This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus's Law clearly does hold: "Given enough eyeballs, all bugs are shallow", even the ones that we knew about fifteen years ago.
-
SQL Server 200
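The popen() pattern described in the ClamAV entry above, shown beside an argv-based hand-off, as an added example that is not ClamAV's or the Pwnie page's code: the mailer path, the -i flag and the sample addresses are assumptions, and /bin/echo stands in for the mailer so the argument the child receives can be inspected.

```c
#include <ctype.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape (as described for CVE-2007-4560): the recipient address is
 * spliced into a command string that popen() would hand to /bin/sh.  Only the
 * string is built here; nothing is executed. */
int build_popen_command(const char *rcpt, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/sbin/sendmail -i %s", rcpt);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Characters /bin/sh treats as separators, substitutions, quotes or redirects. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&`$<>()\n\r\"'\\") != NULL;
}

/* 1 if the popen()-style command built from rcpt would be reinterpreted by sh. */
int popen_command_is_tainted(const char *rcpt)
{
    char cmd[512];
    return build_popen_command(rcpt, cmd, sizeof cmd) == 0 && has_shell_metachars(cmd);
}

/* Allowlist check for a recipient: exactly one '@', no leading '-' (a mailer
 * would read it as an option) and a conservative character set.  Deliberately
 * stricter than real address syntax: the value is crossing a trust boundary. */
int rcpt_is_safe(const char *rcpt)
{
    size_t len = strlen(rcpt);
    const char *at = strchr(rcpt, '@');
    if (len == 0 || len > 254 || rcpt[0] == '-') return 0;
    if (at == NULL || at == rcpt || at[1] == '\0' || strchr(at + 1, '@') != NULL) return 0;
    for (const char *p = rcpt; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && strchr("@.-_+", *p) == NULL) return 0;
    return 1;
}

/* Hardened shape: fork/exec with an argv array, so the recipient is exactly one
 * argument and no shell ever parses it.  The message goes to the child's stdin
 * (where a sendmail-style mailer reads it); the child's stdout is captured into
 * out, which must be large enough for the mailer's output.  Returns the child's
 * exit status, or -1 on failure. */
int run_mailer_argv(const char *mailer, const char *rcpt, const char *message,
                    char *out, size_t outlen)
{
    int in[2], op[2], status;
    size_t got = 0;
    ssize_t n;
    pid_t pid;

    if (pipe(in) != 0) return -1;
    if (pipe(op) != 0) { close(in[0]); close(in[1]); return -1; }
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)mailer, (char *)rcpt, NULL };
        dup2(in[0], STDIN_FILENO);
        dup2(op[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(op[0]); close(op[1]);
        execv(mailer, argv);
        _exit(127);
    }
    close(in[0]);
    close(op[1]);
    signal(SIGPIPE, SIG_IGN);  /* the child may exit before reading stdin */
    if (write(in[1], message, strlen(message)) < 0) { /* EPIPE: child never read */ }
    close(in[1]);
    while (got + 1 < outlen && (n = read(op[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)n;
    out[got] = '\0';
    close(op[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Both layers together: refuse before anything runs, then exec without a shell. */
int send_to_recipient(const char *mailer, const char *rcpt, const char *message)
{
    char out[512];
    if (!rcpt_is_safe(rcpt)) return -2;
    return run_mailer_argv(mailer, rcpt, message, out, sizeof out);
}

/* Self-check: through /bin/echo, does the argv path hand rcpt back byte-for-byte? */
int argv_passes_literal(const char *rcpt)
{
    char out[512];
    size_t len = strlen(rcpt);
    if (run_mailer_argv("/bin/echo", rcpt, "Subject: t\n\nbody\n", out, sizeof out) != 0)
        return 0;
    return strncmp(out, rcpt, len) == 0 && out[len] == '\n' && out[len + 1] == '\0';
}

int main(void)
{
    /* Constructed sample: a benign address and one carrying a command separator. */
    const char *benign = "alice@example.com", *tainted = "alice@example.com;echo injected";
    printf("popen command tainted: benign=%d tainted=%d\n",
           popen_command_is_tainted(benign), popen_command_is_tainted(tainted));
    printf("rcpt_is_safe: benign=%d tainted=%d\n", rcpt_is_safe(benign), rcpt_is_safe(tainted));
    printf("argv exec passes the tainted string literally: %d\n", argv_passes_literal(tainted));
    return 0;
}
```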
-
Read the actual paper
Cute. Read the actual paper from IBM, not the blogodreck. The same attack works on IE and Firefox, on XP and Vista. An attack for Firefox on Linux is probably possible.
This is easy to fix; it's a one line bug in Flash. But it will take years to replace all the bad versions of Flash out there.
-
Re:original report
-
original report
Here is the link to the source : http://www.iss.net/x-force_report_images/2008/index.html/
-
Counting shows nothing
How many times does it have to be repeated? Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security.
Shouldn't Slashdot link to some more insightful analysis?
-
Re:Just imagine how fast the internet would be...
Actually, it has already been done.
From the ISS X-Force Database...
LOKI is a client/server program published in the online publication Phrack. This program is a working proof-of-concept to demonstrate that data can be transmitted somewhat secretly across a network by hiding it in traffic that normally does not contain payloads. The example code can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door into a Unix system after root access has been compromised. Presence of LOKI on a system is evidence that the system has been compromised in the past.
http://xforce.iss.net/xforce/xfdb/1452
-
Re:Elaborate...
From Microsoft's own website.
List of known applications that service pack 2 broke
Untested updates are always bad for business.
OL Toolbar 1.13.2 AOL 32-bit and 64-bit (NX) http://www.aol.com/ The Information Bar blocks access to the tool's edit boxes.
PhotoShop CS 8.0 Adobe 64-bit (NX) http://www.adobe.com/products/photoshop/main.html Program installs, but will not start.
BlackICE 3.6 crj Internet Security Systems 64-bit (NX) http://www.iss.net/ When you use this program, you may receive a Stop error that causes the program to quit.
BootSkin All Stardock 32-bit and 64-bit (NX) http://www.stardock.com/ When you restart your computer during the Windows XP SP2 Setup program, a Stop error occurs. For more information, see the following Microsoft Knowledge Base article: http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;873159.
Command Antivirus 4.9 Authentium 32-bit and 64-bit (NX) http://www.authentium.com/ This program does not start.
Encyclopedia Britannica 2000 Deluxe 1 Encyclopedia Britannica 32-bit and 64-bit (NX) http://www.britannica.com/ Java rendering does not function after you install this program.
eTrust EZ Armor 1 Computer Associates 64-bit (NX) http://www.ca.com/ The EZ Firewall part of this program generates a Stop error during installation.
Freedom Force 1 Electronic Arts 32-bit and 64-bit (NX) http://www.ea.com/ When you start the program, a message appears that points you to the following EA Web site: http://techsupport.ea.com./
Kaspersky Anti-Virus (German) 4.5 and 5.0 Kaspersky Labs 64-bit (NX) http://www.kaspersky.com/ Real-Time scanning does not work in version 4.5 or 5.0. The vendor's Web site has available product updates that are designed to address this issue.
Live Motion 1 Adobe 32-bit and 64-bit (NX) http://www.adobe.com/ This program displays various errors that prevent typical operation.
MapSend DirectRoute 1.0 Magellan 32-bit and 64-bit (NX) http://www.magellangps.com/ When you start the program, a message appears that points you to the following Web site: http://www.magellangps.com/en/support.
MPEGcraft DVD All Canopus 32-bit and 64-bit (NX) When you try to save an MPEG file, you receive a "Failed to Edit" error, and the file cannot be saved.
NBA LIVE 2000 1 Electronic Arts 32-bit and 64-bit (NX) http://www.ea.com/ This program does not start in certain systems.
NOD32 for Microsoft Windows 2.000.11 Eset 64-bit (NX) http://www.eset.com/ When this program is started on an AMD64-based computer, all network connectivity is lost. To resolve this issue, upgrade to NOD32 version 2.12.2 or higher.
Norman Personal Firewall 1.4 Norman 32-bit and 64-bit (NX) http://www.norman.com/ Norman Personal Firewall Assistant will not start.
Norman Personal Firewall 1.4 Norman 64-bit (NX) After this program installs and restarts, the desktop does not load correctly
Norton AntiVirus 2003 Symantec 32-bit and 64-bit (NX) http://www.symantec.com/ At system startup, Scheduled Tasks in Norton AntiVir
-
Re:Pfffft!
Dude, he left all active management of the company years ago. Invent some new insults, OK? I believe after this deal is, well, a done deal, he'll be out of the loop entirely, having sold all of his stock. Maybe he'll be getting a token IBM position, I haven't heard... in any case, nothing mentioned above has anything to do with Chris Klaus. If you want to diss the products (and services!) ISS delivers, go ahead. But try to be informed, you fucking moron.
This is like the endless array of people complaining about Internet Scanner, a product ISS doesn't even really market anymore! It's been replaced for any customer that matters (enterprise, not shrink-wrapped one-off sales):
http://www.iss.net/products/Proventia_Network_Enterprise_Scanner/product_main_page.html
-
A Missing Link
-
Re:Pfffft!
Well, just to balance things out a bit, as a former employee perhaps I can clear up a few misconceptions you have...
...ISS is having its clock cleaned in the market, pulled apart by high-performance enterprise IPS vendors (Tipping Point, Juniper, Cisco, and the like) ...
Pulled apart? Yes, those are all ISS competitors, but I wouldn't exactly say that Cisco IDS technology is leading edge or that Juniper is cleaning house these days. TippingPoint/3com? $400 million for an ASIC-accelerated pattern matching engine is not bad if you're one of the TP founders I suppose.
...not to mention the "built-in" stuff that Microsoft has released and the more advanced platform security controls that the company is prepping for release.
Oh yeah, the XP firewall... wow, that was really a direct shot in the heart to ISS. Considering the huge number of enterprises currently running Vista, I can see how you might conclude there is no longer a market for 3rd-party desktop security agents.
...Not too long ago, ISS made the fateful decision to knife most of its IDS/IPS product lines in the back by discontinuing support for "General Purpose" servers and third party appliances, effectively forcing all of its enterprise customers to buy an "owned" ISS appliance (the Proventia series).
Hmmm... I think you have selective memory and possibly maintain a very naive notion about how a company works. Here's an EOL announcement for RealSecure for Nokia:
http://documents.iss.net/literature/RealSecure/EOC_RSNS7_Nokia_Announce.pdf
Yes, that's right, an EOL date in 2007. Considering ISS has been shipping Proventia appliances for well over 3 years now, I'm not sure how you'd justify calling this a "knifing" of product lines. And guess what? RealSecure Network Sensor 7.0 for Windows and Linux have not been EOLed! Wow, so much for that argument.
Furthermore, I see the move to purpose-built appliances as one of the best moves the company ever made. Have you ever deployed a software IDS across an Enterprise? Did you ever use RealSecure prior to 7.0 or actually see RealSecure for Nokia in action? Uhuh, the Proventia appliances were a real step back compared to those Celeron behemoths. I could spend time explaining the performance advantages that Proventia brought to the table, or the fact that tech support calls per appliance sold took a drastic nosedive, or that a *majority* of customers have moved to Proventia, but you're clearly either a competitor or otherwise motivated by some negative interaction you had with the company, so I'll let it slide.
...Then there's ISS's reputation for "leading-edge" security research. Enter the firing of Michael Lynn related to the Cisco BlackHat presentation...
Mike Lynn resigned. To this day he doesn't have much bad to say about ISS the company, but does hold a handful of employees responsible for the situation that ensued.
...They look like idiots out of the whole ordeal, more interested in protecting their corporate butts from the Cisco PR engine than the disclosure of even SANITIZED security information.
ISS released dozens of security advisories on Cisco gear over the years... I could list a bunch of them, but you're just as capable of searching Google (or the X-Force database) as am I.
I trust IBM did its homework a lot more thoroughly than you before performing this acquisition. And it's a good thing, since your version of homework is false accusations, half-truths and conjecture.
-
Re:Pfffft!
irregular_hero, you are of course entitled to your opinions. Hopefully I can provide a little more information about some of the points you are confused on.
> Not too long ago, ISS made the fateful decision to knife most of its IDS/IPS product lines in the back by discontinuing support for "General Purpose" servers and third party appliances, effectively forcing all of its enterprise customers to buy an "owned" ISS appliance (the Proventia series).
I'm guessing by "General Purpose" servers you are referring to the Network Sensor and Server Sensor products which could run on hardware you bought. The first Proventia appliance launched was the Proventia A, which was the Network Sensor software pre-installed on a rackmount, sold as a unit. In truth the Proventia A was not very different from the Network Sensor software because it was almost running the same software. The appliance came about because many customers did not wish to buy their own hardware -- they wished to have the appliance. On the other hand, many customers did still wish to buy their own hardware. Thus, Network Sensors, Server Sensors, and Proventia As are in fact all still fully supported. The exception is the slow phase-out of the least popular Nokia and Solaris platforms.
For more information on the Product Life Cycle of the above mentioned products, please see the Product Documentation for the product you're interested in:
Server Sensor -- http://www.iss.net/support/documentation/docs.php?product=15&family=7
Network Sensor -- http://www.iss.net/support/documentation/docs.php?product=12&family=6
Proventia A -- http://www.iss.net/support/documentation/docs.php?product=35&family=12
Or for a full listing of products you can see the documentation for, please see: http://www.iss.net/support/documentation/index.php
There may have been some confusion on this point due to the wild popularity of the Proventia G and Proventia M products, which are completely different products and rely on completely different software. The older Network Sensor, Server Sensor, and Proventia A products are in fact still available, supported, and sold.
> Companies with large deployments of ISS RealSecure on now End of Lifed platforms suddenly found themselves offered a year of update support and another capital outlay to "upgrade" to Proventia appliances. Not many followed the company down that path, but the ones that did get "first cut" appliances found that they, well, sucked. The company then recentered on a more "appliance"-looking hardware platform, but, by then, the damage was done.
I believe you may have to be more specific to help resolve your confusion here. Perhaps you were on one of the least-popular platforms of Nokia or Solaris which has been slowly phased out to improve support for more popular products? Based on your mention of appliances, I can only guess you had a Network Sensor (since there is no such thing as a Server Sensor appliance)? The first appliances that came out were the Proventia As, which ran pretty much the same exact software as the Network Sensor software. So your frustration was perhaps due to the hardware? As I mentioned above, the Network Sensor software on many platforms including Linux is still fully supported.
> Then ISS took a market-leading desktop security product, BlackICE, and folded it into their IDS/IPS management product. The integration damn near killed a lot of existing BlackICE customers, not to mention the fact that succeeding software releases were, in many cases, incompatible with previous
-
Internet Security Systems
It is Internet Security Systems: http://iss.net/ I hope BlackICE remains as a PC firewall, I think it is one of the best
-
Re:virtualization + detection
This product already exists in the form of ISS's Proventia Desktop. Unfortunately, it introduces a noticeable delay when executing a program the first time (for VM execution and analysis) and only a slightly noticeable delay when executing a program the nth time (for comparison against an MD5 hash; if the hash is different, it re-scans the program). As far as I can tell, this process happens on every PE file load as well as the usual "non-executable" executable-bearing file types like .doc or .zip. It's a great idea - no signature updates (like most AV software), no complicated API access control list (like most host-based behavioral IPSes) - but it was brand new as of last year. Our performance problems may have been exacerbated by the fact that we were running this in tandem with McAfee VirusScan 7.1/8.0, both of which are serious resource hogs. Running something like Proventia Desktop together with a mainstream AV product might be akin to running multiple anti-virus systems in tandem - not usually a good idea. -
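The scan-once-then-rehash scheme the comment above describes can be illustrated with a small content-hash-keyed verdict cache. This is an added example and not ISS or Proventia Desktop code; the toy scanner, the marker it looks for and the sample program bytes are constructed for the illustration, and SHA-256 is used in place of the MD5 the comment mentions.

```python
"""Content-hash-keyed scan cache: full analysis on first sight of a file,
cheap hash comparison afterwards, rescan whenever the bytes change.
Added illustration, not ISS code; everything below is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed marker the toy scanner treats as "malicious"; not a real signature.
TOY_SIGNATURE = b"CONSTRUCTED-BAD-MARKER"


def toy_scan(data: bytes) -> str:
    """Stand-in for the expensive step (VM execution and analysis)."""
    return "malicious" if TOY_SIGNATURE in data else "clean"


def fingerprint(data: bytes) -> str:
    # SHA-256 rather than MD5 (assumption: the product used MD5 as the
    # comment says). The cache trusts the digest to identify content, and
    # MD5 collisions are cheap to construct, so a weak digest makes the
    # cache an unreliable witness of what was actually scanned.
    return hashlib.sha256(data).hexdigest()


@dataclass
class ScanCache:
    scanner: Callable[[bytes], str] = toy_scan
    verdicts: Dict[str, str] = field(default_factory=dict)  # digest -> verdict
    scans: int = 0   # how many times the expensive scanner ran
    hits: int = 0    # how many loads were answered from the cache

    def check(self, data: bytes) -> Tuple[str, str]:
        """Return (source, verdict); source is 'cache' or 'scan'."""
        digest = fingerprint(data)
        if digest in self.verdicts:
            self.hits += 1
            return "cache", self.verdicts[digest]
        self.scans += 1
        verdict = self.scanner(data)
        self.verdicts[digest] = verdict
        return "scan", verdict


def demo() -> dict:
    """Three loads: cold scan, unchanged rerun, and a modified file."""
    cache = ScanCache()
    prog = b"MZ" + b"\x90" * 64 + b"constructed benign program body"
    first = cache.check(prog)        # first execution: full scan
    second = cache.check(prog)       # same bytes: digest matches, no rescan
    tampered = prog + TOY_SIGNATURE  # bytes changed: digest differs, rescan
    third = cache.check(tampered)
    return {"first": first, "second": second, "third": third,
            "scans": cache.scans, "hits": cache.hits}


if __name__ == "__main__":
    print(demo())
```

The cache is keyed purely on content, so renaming or copying a file does not trigger a rescan, while any byte-level change does; in practice the verdict store would also need an expiry or invalidation when the scanner itself is updated, since an old "clean" verdict says nothing about what a newer analysis would find.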
WIZ backdoor
Well, how many widely used MTAs are written by somebody that put in a backdoor? Sendmail wizard (WIZ) backdoor allows anonymous remote root access
I go for Postfix these days, but Sendmail is infinitely configurable, even Turing complete. Finally, Eric is All Man.
As for the "getting hacked via sendmail issue", I've never known anybody that has, personally, or even a friend of a friend. I know more people that got hacked via SSH (some issue around 2000 or so, I forget, but it was bad).
If I had complicated needs for an MTA, I would assume that Sendmail would be more likely to support those needs than any other MTA. Simplicity is better, though, if possible.
-
Re:About the author
There was a remote root exploit in 2001 - Advisory.
-
Re:Good idea, but doomed to fail
Not sure offhand. iss
-
Some things to consider...
The main factor for Check Point's acquisition was for the RNA technology and the way that the rest of SourceFire's products fit into a centralized management architecture (like Check Point's). Check Point's firewalls have been doing IPS/IDS firewalling for some time. Now combine the existing technology with SourceFire's passive IDS approach and you have quite an interesting technology. Check Point is constantly pushing the envelope and it would have been exciting to see what this would have brought.
As far as all the "US gov't doesn't use Check Point" consider this: one of Check Point's largest customers is the U.S. Army. So we can pretty much put that to rest.
Let's put another one to rest: this whole "Check Point sucks because its all closed source and they make money" is tiring. While yes Check Point's security applications are closed source, the development platform for all the apps is Linux. Check Point's own hardened Linux version SecurePlatform is available at no extra cost, is supported without extra cost and is the preferred platform. Download a version and see for yourself http://www.vmware.com/vmtn/appliances/. You'll see that Check Point makes extensive use of OSS, and even contributes back to the community from what I hear.
Check Point is a strong advocate for Open Source where it makes sense, and I don't think they need to apologize for being profitable when US based companies like Cisco and Microsoft make billions off the crap they have slopped together.
This whole Israeli "back door" thing is ridiculous, and stinks of anti-Semitic conspiracy. Israel has consistently been the US's most staunch ally (when allowed). What possible benefit would Israel or Check Point gain by allowing a backdoor to be widely distributed throughout the world? Think about it, Check Point has been in business for 13+ years, and has hundreds of thousands of Internet perimeter firewalls out there in operation. Don't you think that if there was a deliberate back door it would have been found by now? Yeah those crazy Jews are out for world domination again. Ridiculous.
It is no secret that Check Point is run by mad scientists who make great product, but don't have a clue when it comes to running a business (well maybe just the bribing part). Could it be that Check Point maybe didn't grease Washington the way it should have? Could it be that Sam Nunn being on the board of directors of a direct competitor of Sourcefire and Check Point might have had something to do with this? Could it be that market powerhouses like Cisco who spend more money on marketing the mythical "self-defending network" than actually fixing their sh!t helped put a stop to this?
Follow the money. It was big business and big Bush that killed this deal. And yes Check Point is a $Billion+ company so I'm sure they will survive (sniff sniff), but how does this play into the mythical "global free market" we keep hearing about? Is protecting stagnant companies like ISS and Cisco what is really best for the security market and the rest of us? -
Re:Signed SSL certs worthless
Looks like I haven't kept up with this one. It was patched a while ago
Not just MS was afflicted with this -
Easy solution?
-
Buffer Overflows?
And the news keeps getting worse...
Internet Security Systems are reporting buffer overflows.
Full report here.
This is a cluster fock! -
ISS
ISS just released an alert, http://xforce.iss.net/xforce/alerts/id/208 It's for buffer overflows in the rootkit.
-
Re:Is NAT Better?
If you can't address a node, how can you attack it?
Source routing. -
Re:Another color-code system?
Yeah, that's why smart security companies stick with things like 1 == Everything is OK, 4 == Oh fuck. Easy to remember that.
Some of us might even, oh, publish detailed explanations of why things might be a bit f'ed-up, then let you decide if this might be something to worry about. ;-) -
ISS: Industry Leader in IDS and IPS
You'll probably want to look into the Internet Security Systems products for IDS and IPS.
RealSecure Network Sensor and the Proventia A appliance are passive IDS.
The Proventia G is a transparent inline IPS.
The Proventia M is an inline firewall with IPS built-in, along with lots of other modules.
Check out http://www.iss.net/
--
Rob -
regarding the author of Witty
One of the better worm analysis papers I've read was "Reflections on Witty" by Nicholas Weaver and Dan Ellis (of MITRE), published in the June 2004 issue of ;login, the Usenix magazine. Rather than a dissection of the worm itself, the authors give a detailed analysis of the author/attacker of Witty.
Some insights about the worm author that Weaver and Ellis proposed:
- he was a fairly proficient programmer - there were no significant bugs in the code of the worm, he knew how to program x86 assembly and access the Windows API, he implemented a stack-overflow attack, and most importantly, he constructed a payload that was malicious to the host, but didn't significantly slow the worm's spread.
- he was quite clever at what he did - randomly padded packet sizes, randomized the destinations and port numbers, and he seeded the worm (rather than start at a single location, the worm started out from 110 different victims) -- prior to this no one had significantly seeded their worms
- he wrote compact code, Witty consists of 177 x86 instructions in 474 bytes (the rest is the buffer overflow and padding); with 177 instructions, he was able to construct routines to cleanup from the overflow attack, seed the RNG, propagate the worm, and execute the malicious payload (Witty slowly overwrites disks on the infected hosts until the machine crashes)
- he worked quite fast; the stack overflow in the ISS BlackIce products was published on March 18, 2004. Witty was released on March 19, 2004, less than 48 hours after the security advisory was published by eEye; it is possible that he knew of the vulnerability when eEye notified ISS on March 8, 2004, but the paper goes into why this is unlikely
- he probably tested the worm before he released it (cf. the lack of major bugs); this combined with the fact that he seeded on 110 hosts, means that he had access to a wide array of compromised machines -- it probably means he has access to the "hacker underground", to gain access to these machines in such a short time frame
The authors' conclusion is somewhat alarming, they reason that Witty represents a new generation of virus/worm authors: motivated, skilled and malicious individuals who are experts at what they do.
Thomas -
Re:We got hit.
It was probably do_brk, that was one of the vulnerabilities the attacker(s) used last year to root systems.
See http://xforce.iss.net/xforce/xfdb/13880 (this was the first Google link I saw, there are probably others with better information but I'm lazy).
-
Re:redirects?
dw.com.com is SPYWARE.
-
Spypimps
Why did shashark embed the links to Unbound Spiral and Moodle (defanged here) in dw.com.com SPYWARE links? Is this the sleaziest submission scam yet, which actually forces us to install spyware to follow a frontpage Slashdot link? Are all those jokes about soulsucking NYT registrations really true about shashark? This should be the abuse that finally forces Slashdot editors to check the links on submissions.
"dw.com.com is advertising-oriented spyware (adware) that downloads and displays new advertisements in a popup window while a user is browsing the Web. dw.com.com is difficult to remove, as it does not provide an uninstaller." -
Re:It's about profits, not what the customers want
Are they still bundling WildTangent GameChannel? Because yeah, that's bundled spyware right there.
- A former HP tech support agent (who worked for one of the companies they outsourced it to) -
Difference between spam and spyware?
I fight this daily, but wasn't/isn't Lycos the same company that distributes Lycos Sidesearch, a BHO/toolbar recognized by most spyware fighting organizations as spyware?
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078521
http://www.intermute.com/spysubtract/researchcenter/Sidesearch.html
http://xforce.iss.net/xforce/xfdb/14405
Would I be out of place calling hypocrisy here? -
Exploit
The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679
-
Re:The Storm Center is excellent
I have a set of tabs that I load every morning precisely for this; some of them are:
- ISS GTOC
- myNetWatchman (another perspective on port activity)
- NIPC Critical Infrastructure (updates are spotty but sometimes interesting)
- US-CERT Current Activity (often a tad behind)
ISC is definitely the main one to get but these are useful. I didn't list virus sites but those may be useful as well depending on your environment.
-
Re:Misunderstand the Source Perspective
can you name one backdoor that made it into a widely used open source product?
The sendmail wizard mode used by the Morris Worm. -