My boss bought Axent ESM and wants me to install it. Before installing it,I noticed it relies on CRC checksums as the mechanism to validate the integrity of the files. This appears to be a major security NO-NO, and even old freeware security packages like Tripwire use stronger algorithms. On CERT's web site, it is documented in the Intrusion Detection Checklist saying, "Trojan horse programs may produce the same standard checksum and timestamp as the legitimate version. Because of this, the standard UNIX sum(1) command and the timestamps associated with the programs are not sufficient to determine whether the programs have been replaced." I talked with our Axent contact and he claimed that their file integrity validation could not be compromised by a hacker because Axent has security experts that designed ESM. Before I install ESM, I would like either make sure their product can't easily be spoofed by hackers because of weak CRC checksums or Axent fix their vulnerability. Maybe other readers on BugTraq will encourage Axent to close up this hole since my own efforts have fallen on deaf ears. -- Dan Cupp System Administrator UNIX / PERL Ninja! --------------------------------------------------- Get free personalized email at http://www.iname.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:41 PDT