Subject: Re: IDS: SERIOUS PROBLEM (REPLY)
From: Jackie Chan (blue0neigloo.org)
Date: Mon Oct 09 2000 - 13:21:32 CDT


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------
Folks,
        Many points have been shared, and I am grateful for them all. My
main point was that even though "hackers" have been aware of this for
years, there currently is no script or executable that will bounce an
entire port scan via proxy, nor a brute force of any kind. I would have
expected to see something like this in nmap.

I was originally frightened at how easy it was for me to do it, and
realized that it was no great leap of thought; however, there is no current
"script-kiddy" version. I personally believe in full disclosure when a
vendor is involved, but when it is a practice such as turning on Auth on
Socks 5, I do not agree with releasing exploit code.

My post was meant mainly to generate awareness to this problem, which I
believe has long been forgotten. Every time I mention this in person, I am
met with amazement, (until I show them how easy it really was). Since
most of these people are well initiated security professionals, I felt it
was worth the mention to re-iterate the reason why securing proxies is
important.

Judging by the amount of email generated by this post, I think I hit the
mark.

-blue0ne

http://www.digitz.org

On Mon, 9 Oct 2000, Dug Song wrote:

> On Mon, Oct 09, 2000 Jackie Chan wrote:
>
> > I just realized a problem that could set IDS back a few years...
> > The problem is this, there are way too many Socks 4 proxies on the
> > internet, and the percentage of Socks 5 proxies that actually enforce
> > authentication... is drastically low.
>
> ppl have been using open proxies (whether SOCKS, wingate, squid,
> bouncable FTP or portmap daemons, etc.) for many, many years to relay,
> distribute, or otherwise obfuscate their attacks. this is nothing new.
>
> you'll find many open proxy lists on the net if you just look...
>
> -d.
>
> ---
> http://www.monkey.org/~dugsong/
>