[ISN] Intrusion detection team denies Trojan claim

From: InfoSec News (isn@private)
Date: Tue Sep 23 2003 - 08:01:37 PDT

  • Next message: InfoSec News: "[ISN] Re: Hollywood hacks impress experts"

    Patrick Gray
    ZDNet Australia
    September 22, 2003
    The author of Snort, an open-source Intrusion Detection System (IDS),
    Martin Roesch, has dismissed as untrue claims the software was
    'trojaned' by attackers.
    Roesch, who is also the chief technology officer of US-based IDS
    company Sourcefire, moved quickly to quell rumours in the security
    community that a hacking group had managed to insert back-door code
    into the Snort source-code repository.
    "There is no back door in Snort nor has there ever been, everyone can
    relax," Roesch wrote in a posting to the full disclosure security
    mailing list.
    Attackers had breached one of Roesch's systems, he admits, but that
    was a low-security shell server -- used by members of the Snort team
    and their associates to access services such as IRC without exposing
    their own machines to risk -- located in his basement, 37km away from
    the Snort code repository.
    "If you're wondering 'how do you know the code isn't backdoored?',
    since we know that that server is an 'at risk' server, we're not in
    the habit of checking code into [the Snort code repository] from
    there. If that's not good enough for you, Snort has been through three
    code audits since March -- one Sourcefire internal, two third-party
    external -- and there are most definitively no back doors in the code,
    nor were there any," Roesch added.
    Trojans have been found in several open-source projects over the last
    year, including those found in Sendmail and OpenSSH. Malicious code
    was also found in the libpcap and tcpdump libraries -- software which
    is required by the Snort IDS to operate.
    Australian security consultant Daniel Lewkovitz says that the mere
    fact that a rumour like this could turn out to be true, even though it
    looks unlikely in this case, means the issue at least warrants
    discussion. "A lot of threats haven't changed that much, but what has
    changed is normal people's awareness and attitudes to it. I think
    anything that makes people more aware of relevant issues and relevant
    threats a good thing," he told ZDNet Australia.
    There's nothing necessarily wrong with listening to a rumour so you
    can check it out for yourself, Lewkovitz says, as long as the source
    of the rumour is at least somewhat credible. "If there was a threat
    I'd want to know about it," he said. "If it came from a reliable
    source I'd be much more likely to give it credence than the paranoid
    rants of tin-foil-hat-wearing conspiracy theorists."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 23 2003 - 12:04:35 PDT