On 15 Jul 99, at 11:58, Marcus J. Ranum wrote:

> A couple of thoughts:
> Altering the way BO2K works or uses its packets will break
> compatibility. The current version of BO is all over the
> place, and one of the things script kiddies appear to do
> is blanket sweeps for systems that are infected with it.
> If you have your own customized version of BO, then you
> can talk to machines you've targeted but other script
> kiddies won't be able to have fun.

Let us say hypothetically that I am some sort of black-hatted nasty who has managed to get my favourite trojan onto a system. What are the threats to my enjoyment of the fruits of this endeavor?

1. Discovery by the owners/admins of the system, due to:
   (a) their own vigilance, IDS, etc. Nothing I can do about that.
   (b) my own greed or other error that draws attention. I can try to be careful.
   (c) attention drawn by less-careful users of my trojan....
2. I can't think of any others.

Look again at (c). Do I leave the trojan set to use the default port, etc., so any random script kiddie can waltz in and blow my sweet setup? NO WAY.

Let us say hypothetically that I am some sort of script kiddie who has found some well-known trojan's default port open and responsive on a system. What are the likely scenarios?

1. The site is running some decoy software, such as Back Officer Friendly. I'll be getting a nasty call from my ISP, I bet.
2. Some black-hat, having gone to the trouble of getting a trojan onto the system, found it uninteresting. He has left an open invitation for schmucks (like me) to attack the system (and take the fall, if caught...).
3. The host has been compromised by someone who hasn't thought through the black-hat scenario above; this trojan is as likely to be discovered because of his own abuse of it as because of mine, and we are likely to both get caught.

My conclusion is that scanning for trojans left with default access is a good way for script kiddies to get caught and (hopefully) reformed before they become a serious threat. I don't believe that most hackers who plant trojans really *want* "other script kiddies" to have fun with them, so I don't think the compatibility issue is meaningful.

> It also means that
> unique versions of BO will "belong" to an individual,
> which might make it easier to track/identify the
> perpetrator of an attack.

Well, the original installer of the trojan would have had to share his customized version/settings with any attackers who exploited it. That could provide corroboration after the fact, but I don't see any proactive way to "track/identify" based on this.

> One big bummer about BO2K is that it can use good crypto.
> Which means that folks who develop tools that latch
> into the crypto are going to be under export controls.
> This is a monumental pain in the butt - it means that the
> good guys' hands are tied (as usual) but the bad guys'
> aren't (as usual) by the very laws that FBI et al says
> are there to tie the bad guys' hands.

Agreed.

David G

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
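The "decoy software" scenario above (a listener parked on a trojan's default port that records who knocks) can be shown in a few lines. The following is an added example, not code from the thread, from Back Officer Friendly or from BO2K: a minimal TCP decoy that accepts a connection, records the peer address and the first bytes it sends, and never answers, plus a constructed client that behaves like a scanner. The port number is left to the operator (the thread does not state BO2K's default, and the example binds port 0 so the OS picks one for the self-test); `DecoyListener`, `Probe` and `simulate_probe` are names chosen here.

```python
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Probe:
    """One recorded connection attempt against the decoy port."""
    peer: str
    peer_port: int
    first_bytes: bytes
    when: float


@dataclass
class DecoyListener:
    """Trojan-port decoy: accept, record, close. It never talks back, so a
    genuine client (which speaks first) gives itself away and learns nothing."""
    port: int = 0            # 0 = let the OS choose; in practice use the trojan's default port
    host: str = "127.0.0.1"  # bind loopback for the self-test; a real decoy listens externally
    probes: list = field(default_factory=list)
    _sock: socket.socket = None
    _thread: threading.Thread = None
    _stop: threading.Event = field(default_factory=threading.Event)

    def start(self):
        """Bind, listen and serve in a background thread; returns the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # so the accept loop can notice a stop request
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(64)  # whatever the scanner volunteers first
                except (socket.timeout, OSError):
                    data = b""
                self.probes.append(Probe(addr[0], addr[1], data, time.time()))
                # Deliberately send nothing: the evidence is the connection itself.

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()


def simulate_probe(port, payload=b"\x01\x02", host="127.0.0.1"):
    """Constructed scanner: connect to the decoy, send a few bytes, wait briefly
    for a banner that never comes, then give up."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)
        s.settimeout(0.3)
        try:
            s.recv(16)
        except socket.timeout:
            pass
    return True


def run_demo():
    """Start the decoy, hit it once with the constructed scanner, return what was logged."""
    listener = DecoyListener()
    port = listener.start()
    simulate_probe(port, b"hello")
    time.sleep(0.5)  # give the accept loop time to record the probe
    listener.stop()
    return [(p.peer, p.first_bytes) for p in listener.probes]


if __name__ == "__main__":
    print(run_demo())
```

In operation the `probes` list would be written to a log or fed to the IDS mentioned in the thread; the point is that a scanner sweeping default ports cannot tell this listener from a real trojan until it has already left its address behind.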
