[ISN] "Nessus calls home"? Facts of the matter.

From: InfoSec News (isnat_private)
Date: Thu May 09 2002 - 00:06:59 PDT

  • Next message: InfoSec News: "Re: [ISN] Security myths costing firms"

    Forwarded from: Jay D. Dyson <jdysonat_private>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Courtesy of Renaud Deraison (forwarded with permission).
    
    I believe this should be given wide dissemination to dispel the rumors
    that flew around CanSecWest.  -Jay
    
    
    - ---------- Forwarded message ----------
    Date: Wed, 8 May 2002 16:50:09 +0200
    From: Renaud Deraison <deraisonat_private>
    To: nessusat_private
    Subject: "Nessus calls home"
    
    Hi,
    
    I attended CanSecWest last week and I was told there were rumors of people
    complaining about Nessus "calling home" when doing a scan. 
    
    In order to clear the confusion, here's a small explanation of what Nessus
    does, followed by a short poll asking you what you'd prefer it to do. 
    
    First, let me emphasizes something : Nessus does *not* call home. It never
    does, never did and never will. 
    
    However, the checks have a side effect that may have the naughty side
    effect to sending some packets to nessus.org, which can make people think
    I have the ability to monitor their scans - here's the list : 
    
    
    1. SMTP checks
    
    Several SMTP checks send an email coming from are going to
    nessusat_private (also test_1at_private and test_2at_private). These
    checks are mostly used for bounce or old sendmail attacks. With these
    checks, the expected behavior of the MTA is either to send a 50x error
    code or to fail to the attack. Under some rare circumstances however, the
    mail may be bounced back to nessusat_private, which is a non-existing
    mailbox on mail.nessus.org. So if I were to spy on my users, one could
    imagine I'd grep "nessusat_private" in /var/log/maillog and see who's
    using Nessus. I don't do that, but I admit it could be done. 
    
    Why do I use "nessusat_private" ? Well, for the relay checks, it sounded
    good to use a really existing mail domain, so that half smart mailer which
    do some DNS checks on email address would not reject the mail for the sole
    reason the email domain is not valid. I was suggested to use example.com,
    but there's no MX for that domain, so I don't like it. 
    
    
    2. Proxy check
    
    A proxy check attempts to establish a connection to www.nessus.org. As for
    relaying, the point here is to see if we can use the remote proxy to
    connect to an outside web server. So if I were naughty, I could attempt to
    differentiate the requests going to www.nessus.org and find out which one
    were coming from an open proxy, then use that proxy to get my pr0n. 
    
    
    Note that in all these cases, even I was bersek, I would not get the
    results of the scan or even know what other hosts you're testing on your
    network.
    
    I understand however that people may think that means Nessus is "phoning
    home". Once again, this is not the purpose - I just use the nessus.org
    domain in some checks because these checks require a valid third party
    domain (and if I was to change that to microsoft.com or something that
    does not belong to me, it might be unpopular). Note that these choice make
    the detection of Nessus quite easier for IDSes. 
    
    I can change that to www.example.com, I did not know this website existed
    until last week. 
    
    
    So now, this is poll time (please reply privately) : 
    
    - - Do that issue bothers you ?
    - - If it does, would you feel safer if Nessus was using example.com
      as a domain ? (even though it may mean weaker tests as example.com
      has no MX record). Or would you prefer to have the ability to select
      the domain name yourself manually ? (with the option defaulting to
      nessus.org or example.com)
    
    				-- Renaud
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (TreacherOS)
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iD8DBQE82cAnGI2IHblM+8ERArqyAJ0cBNhg69mwz3dwls5DaV5QqvAzlACfb10u
    +lmCLCIAPsOTMSURibV13hk=
    =C7BR
    -----END PGP SIGNATURE-----
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 03:23:23 PDT