[9536] in bugtraq
Re: ISS Internet Scanner Cannot be relied upon for conclusive
daemon@ATHENA.MIT.EDU (Joel Eriksson)
Fri Feb 12 21:28:30 1999
Date: Fri, 12 Feb 1999 17:42:58 +0100
Reply-To: Joel Eriksson <na98jen@STUDENT.HIG.SE>
From: Joel Eriksson <na98jen@STUDENT.HIG.SE>
X-To: Randy Taylor <rtaylor@MAIL.CIST.SAIC.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3.0.5.32.19990210092430.00c652b0@mail.cist.saic.com>
On Wed, 10 Feb 1999, Randy Taylor wrote:
> One of the hard lessons I learned long ago when writing vulnerability
> testing code is that exercising exploit methods can do more harm than
> good. A crash or a system lockup may be the result, even though the code
> was written to avoid such a thing. In other words, stuff can and often does
> happen. :-}
Unfortunately I do not doubt this. But it is the only way to make a
conclusive check. I think that there should be at least two
"testing-modes" available, one that can be used on production systems
without having to be afraid of loss of service, and one "real attack" mode.
When a real attacker tries to exploit the vulnerabilities and it results
in a crash, system lockup or in worst case a succesful exploit attempt one
probably wishes a "real attack" test would have been made in the first
place though..
> In the end, no commercial vulnerability testing tool can or should
> substitute for good old-fashioned human analysis of the post-test report.
This can not be emphasized enough..
> While I agree an attacker will most certainly attempt a full-blown
> exploit, the attacker has no liability in the corporate sense. A commercial
> testing tool like ISS or CyberCop does have such a liability. ISS and NAI
> have relatively deep pockets, and must exercise due diligence and care in
> the methods used by their products to test for vulnerabilities. No one would
> buy their products if they crashed or locked up systems on a regular basis.
> Crackers have shallow pockets (or none at all ;), and no such concerns for
> diligence or care.
Thats's what disclaimers are for.. ;-) Well, as said before, at least two
"testingmodes" should be available. I realize this a real pain to
implement, but they are _really_ useful and certainly should be of very
high priority.
> Best regards,
>
> Randy
/ Joel Eriksson
