[20176] in bugtraq


Re: webHancer Information / BugTraq mailing list

daemon@ATHENA.MIT.EDU (Dan Kaminsky)
Thu Apr 12 15:31:43 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <01f101c0c2c6$7797e3d0$1900040a@na.cisco.com>
Date:         Wed, 11 Apr 2001 13:31:30 -0700
Reply-To: Dan Kaminsky <dankamin@CISCO.COM>
From: Dan Kaminsky <dankamin@CISCO.COM>
X-To:         Michael Merhej <michael@AUDIOGALAXY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Some Thoughts on the recent AudioGalaxy / WebHancer furor:

Full Disclosure applies to spyware alerts too.  Just as the exploit is
critical to know if the platform is actually at risk, so too are the logs
critical to know if the "Spyware" qualifies as such.  Filemon, from
www.sysinternals.com, will display all but the most intensely hidden file
scans, as Regmon will display registry accesses.  Various packet sniffers
exist on both the Windows and Unix platform; a text dump mode such as
emitted from tcpdump -X can be useful:

12:09:08.709747 ns1.cfl.rr.com.domain >
dsl081-067-079.sfo1.dsl.speakeasy.net.1542:  2823* 1/2/2 (184)
  0000: 4500 00d4 834a 0000 7311 44af 185f e320  E....J..s.D.._.
  0010: 4051 434f 0035 0606 00c0 0188 0b07 8480  @QCO.5..........
  0020: 0001 0001 0002 0002 0231 3103 3233 3202  .........11.232.
  0030: 3935 0232 3407 696e 2d61 6464 7204 6172  95.24.in-addr.ar
  0040: 7061 0000 0c00 01c0 0c00 0c00 0100 0151  pa.............Q
  0050: 8000                                     ..

    When the protocols are standardized, Text Mode Ethereal (tethereal) is
absolutely priceless for any kind of network analysis.

    Look:  Alerts need to be self-contained.  Public arguments over the
basics of a vulnerability (like whether or not files are actually opened)
don't benefit anyone and simply serve to reduce faith in the validity of the
public security community.

    It is not that I don't want to see arguments.  I simply do not find any
value to a he said / she said style debacle, with neither side providing any
evidence that there's something of note to complain about.  Since
AudioGalaxy would literally have to provide a full accounting of every
single operation their applications executed in order to really provide
evidence (about the closest one can get to proving a negative), it really is
Global Integrity's responsibility to show exactly where the vulnerability
lies.

    It's very important to note there might very well be an actual problem.
Whatever is said in the Readme.TXT is irrelevant:  It's not the readme
that's executed, and I wouldn't really expect the readme to describe every
possible problem, SEC Filing Style.  Furthermore, the same authorship
separation which Audiogalaxy uses to separate Webhancer from its Satellite
email-retrieval system also means that Audiogalaxy not only never wrote but
has probably never seen the code embedded within Webhancer.

    That's not to say there's a hole in Webhancer; just that they wouldn't
know--and because Global Integrity didn't include any evidence, they
couldn't find out.

    This is all moderately annoying, because Webhancer is actually doing
something moderately cool.  Distributed Latency Analysis, finely associated
with user reactions, is a very interesting method of monitoring large scale
networks.  While it should clearly uninstall when its parent application is
removed (as per the "user consent" model I talked about earlier), it's
definitely a good idea from a network monitoring standpoint.

    Has anybody written a well-done guide to what exactly defines something
as Spyware?  It's difficult for an auditing firm to audit that which is
undefined.

Yours Truly,

    Dan Kaminsky, CISSP
    http://www.doxpara.com
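As an added example, not part of the post, the following Python rebuilds the raw bytes from the tcpdump -X dump quoted above (copied verbatim into DUMP) and decodes the IPv4, UDP and DNS headers so that the summary line "2823* 1/2/2 (184)" can be checked against the bytes rather than taken on faith; it only parses what the 82 captured bytes contain and flags the snaplen truncation.

```python
import struct

# Hex dump copied from the post above: a DNS reply cut short by tcpdump's snaplen.
DUMP = """\
  0000: 4500 00d4 834a 0000 7311 44af 185f e320  E....J..s.D.._.
  0010: 4051 434f 0035 0606 00c0 0188 0b07 8480  @QCO.5..........
  0020: 0001 0001 0002 0002 0231 3103 3233 3202  .........11.232.
  0030: 3935 0232 3407 696e 2d61 6464 7204 6172  95.24.in-addr.ar
  0040: 7061 0000 0c00 01c0 0c00 0c00 0100 0151  pa.............Q
  0050: 8000                                     ..
"""

def dump_to_bytes(text):
    """Turn 'offset: hex groups  ascii' lines back into raw packet bytes."""
    out = bytearray()
    for line in filter(str.strip, text.splitlines()):
        offset, _, rest = line.strip().partition(":")
        hexpart = rest.strip().split("  ")[0]     # ASCII column sits after two spaces
        assert int(offset, 16) == len(out), "dump offsets are not contiguous"
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def parse_dns_reply(pkt):
    """Decode IPv4, UDP and DNS headers, tolerating a truncated tail."""
    ver_ihl, _, total_len, _, _, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    assert ver_ihl >> 4 == 4 and proto == 17, "expected an IPv4/UDP packet"
    ihl = (ver_ihl & 0xF) * 4
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    dns = pkt[ihl + 8:]
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    labels, off = [], 12
    while (n := dns[off]):                       # length-prefixed question labels
        labels.append(dns[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype = struct.unpack("!H", dns[off + 1:off + 3])[0]
    # First answer RR: 2-byte name pointer, type, class, then a 4-byte TTL.
    ttl = struct.unpack("!I", dns[off + 11:off + 15])[0] if len(dns) >= off + 15 else None
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport, "dns_len": ulen - 8, "id": txid,
        "aa": bool(flags & 0x0400), "counts": (an, ns, ar),
        "qname": ".".join(labels), "qtype": qtype, "answer_ttl": ttl,
        "captured": len(pkt), "truncated": len(pkt) < total_len,
    }

def decode_dump(text=DUMP): return parse_dns_reply(dump_to_bytes(text))

def matches_summary(info, summary="2823* 1/2/2 (184)"):
    """Rebuild tcpdump's 'id[*] an/ns/ar (len)' field ('*' means AA set)."""
    an, ns, ar = info["counts"]
    return f"{info['id']}{'*' if info['aa'] else ''} {an}/{ns}/{ar} ({info['dns_len']})" == summary
```

The decoded question is the PTR lookup 11.232.95.24.in-addr.arpa, and only the first answer's TTL survives before the capture is cut at 82 of 212 bytes.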
