From cklaus@iss.net  Sat Sep 14 10:15:47 1996
Received: from bitcom.ch ([193.192.228.9]) by suburbia.net (8.7.4/Proff-950810) with SMTP id KAA12658 for <best-of-security@suburbia.net>; Sat, 14 Sep 1996 10:15:25 +1000
Date: Sat, 14 Sep 1996 10:15:25 +1000
From: cklaus@iss.net
Message-Id: <199609140015.KAA12658@suburbia.net>
Received: from [193.192.228.39] by bitcom.ch
  (SMTPD32-3.00) id A9554B10244; Sat Sep 14 02:16:21 1996
Received: by scout.net (Amiga SMTPpost 1.04 December 9, 1994)
        id AA01; Sat, 14 Sep 96 02:16:26 CET
Subject: BoS: RealSecure
To: best-of-security@suburbia.net
Organization: The Global ScoutNet Organization

ISS has been developing the technology for real-time attack recognition
and response (RealSecure) for over twelve months.  In collaboration with
our customers, universities, and our partners, ISS has undertaken a
significant investment in time and resources to deliver a comprehensive
tool to detect numerous kinds of attacks, only one of which is the SYN
flood. To denigrate this product as only a SYN flood detector is erroneous
and unfair.  RealSecure recognizes and responds to hundreds of attacks.
lacious and without merit.  Please don't
base your conclusions upon emotion and innuendo.  RealSecure represents
the diligent work of numerous very bright engineers and your references to
the underground are inappropriate.  
Thank you,
Mr. Klaus
-- 
Christopher William Klaus	     Voice: (770)395-0150. Fax: (770)395-1972
Internet Security Systems, Inc.                        "Internet Scanner finds
Ste. 660,41 Perimeter Center East,Atlanta,GA 30346 your network security holes
Web: http://www.iss.net/  Email: cklaus@iss.net        before the hackers do."

>From dsaxer Sat, 14 Sep 96 02:11:00 CET remote from scout.net
Subject: BoS: Attacks against NetBIOS via TCP/IP
To: Bernd.Lehle@RUS.Uni-Stuttgart.DE, BUGTRAQ@NETSPACE.ORG, best-of-security@suburbia.net
Well, there are a couple of issues that make this interesting.  Windows NT
by default binds NetBIOS to TCP/IP.  So, if you do not have a domain
controller that you use to govern your authentication then chances are very
high that you are vulnerable.
Samba makes a network probe of this type very simple.  Since people assume
their Windows network to be a LAN thing, imagine this type of situation:

Windows\Start Menu\Programs\StartUp" directory,
then the next time someone logged into the machine it would start up.  Even
better you could run a batch file that then removed it from the startup
group.  And add a line to the autoexec to add it back in on bootup.  The
user (most any except someone looking for it) would never notice anything at
all.
Or, say that Machine A has a corporate database.  Say that it has a password
database (some places are dumb).  
The original thing that people were worried about was people cracking the
>then can be routed through a Campus LAN or out
>into the Internet.
>
>Maybe due to its history as a LAN protocol, NetBIOS over TCP/IP communicates
>almost entirely with broadcasts (IP and Ethernet). This has been
>verified with a sniffer. So security does not seem to be an issue.
>
>So it should be easy for someone who knows the odds and ends of NetBIOS
>to either modify the TCP/IP stack of Windows, so it tries to send NetBIOS
>requests through TCP/IP specifically to remote machines, or use a UNIX 
>Box (e.g. Linux) with NetBIOS related services (Samba) to launch an attack
>against a remote Windows box.
>
>It does not seem to be very tempting to hack a Windows PC, but on the
>shared disks of Windows PCs in University offices there is often important
>data like grades or similar.
>
>Does anybody have experience with problems, attacks or defences for this
>kind of setup ?
>
>We're trying to consider this problem in detail soon, but first we have
>to arrange a meeting with the PC guys and the (heavily UNIX-inclined) 
>security guys :-)
>
>-- 
>> Bernd Lehle - Stuttgart University Computer Center * A supercomputer < 
>>      Visualization / Security / Astrophysics       * is a machine    <
>> lehle@rus.uni-stuttgart.de   Tel:+49-711-685-5531  * that runs an    < 
>>   http://www.tat.physik.uni-tuebingen.de/~lehle    * endless loop    < 
>>  pgp? -> finger bernd@visbl.rus.uni-stuttgart.de   * in 2 seconds    <
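As an added example (not part of this thread or anyone's posted code), one defensive check the "defences" question above invites: a small Python filter that reads border-router or packet-filter log lines and flags NetBIOS-over-TCP/IP traffic (udp/137, udp/138, tcp/139, plus the later tcp/445) whose source lies outside the campus address ranges. The log format, the sample lines and the campus prefixes are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
# NetBIOS over TCP/IP ports: name service udp/137, datagram udp/138, session
# tcp/139. tcp/445 (direct SMB) came later and is listed so newer hosts match.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Campus address ranges, constructed for the example (RFC 5737 test nets).
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("198.51.100.0/24")]
# Constructed log format: "<time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$")

# Constructed sample lines: one outside host probes name and session service.
SAMPLE_LOG = """\
10:15:01 udp 203.0.113.7:137 -> 192.0.2.15:137 accept
10:15:02 tcp 203.0.113.7:1034 -> 192.0.2.15:139 accept
10:15:03 tcp 192.0.2.20:1100 -> 192.0.2.15:139 accept
10:15:04 tcp 203.0.113.9:2200 -> 192.0.2.15:80 accept
10:15:05 tcp 203.0.113.7:1035 -> 192.0.2.16:139 deny
garbage line that does not parse
"""

def parse_line(line):
    """Parsed fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_campus(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)

def external_netbios_sessions(log_text):
    """(src, dst, proto, dport) for NetBIOS traffic whose source is outside
    the campus; denied packets are kept, since a 'deny' still records a probe."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or (f["proto"], int(f["dport"])) not in NETBIOS_PORTS:
            continue
        if not is_campus(f["src"]):
            hits.append((f["src"], f["dst"], f["proto"], int(f["dport"])))
    return hits

def sources_by_count(hits):
    """External sources ordered by how many NetBIOS sessions they produced."""
    return Counter(h[0] for h in hits).most_common()
```

On the sample, the campus-internal SMB session and the external web request are ignored, while the three external NetBIOS packets (including the denied one) are reported against a single source.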