Bugtraq mailing list archives

Re: ISS Response to Fate Research Labs RealSecure Advisory


From: Loki <loki.loa () SUBDIMENSION COM>
Date: Mon, 6 Nov 2000 22:13:30 -0800

XForce--

I am completely at a loss for words concerning your response and the actual
facts of the situation. We made 3 separate phone calls to your support
hotline to speak to a technician regarding this matter. After being
completely ignored, and after being promised that we would be called back
regarding the matter and weren't, we warned of the creation of this
advisory. NO ONE in your technical support group knew anything about the
ability to detect Unicode and RDS. This advisory with incorrect information
is the fault of your support group and their lack of knowledge of your
product. We take no responsibility for this due to our multiple attempts at
finding out HOW to get RealSecure to log our RDS/Unicode attacks on the
remote network. Next time you post something like this, we suggest you
follow proper procedures to check your call center databases for any calls
regarding the matter. Don't insult me or this team by going as far as making
accusations that we did not follow proper procedures in open disclosure,
something we follow religiously.

If you even record the phone conversations of your technicians, you will
find that a technician even told me one could not write his own signature
for RDS and add it to RealSecure. We have been completely misrepresented in
your response, which I resent greatly. Our team wanted to resort to this due
to the fact that X-Press Update and an upgrade to 5.0 did not detect our RDS
attack on the remote network. We urge you to practice more care before
making the aforementioned accusations.

Loki
Founder F8 Research Labs



-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
X-Force
Sent: Monday, November 06, 2000 5:05 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: ISS Response to Fate Research Labs RealSecure Advisory


-----BEGIN PGP SIGNED MESSAGE-----

Multiple Flaws in Fate Research Labs RealSecure Product Analysis
November 6, 2000

Internet Security Systems, Inc. Response to
RealSecure Advisory - Fate Research Labs (11-01-00)

Synopsis:

Fate Research Labs released a recent product analysis posted to the BugTraq
mailing list describing three perceived issues in the RealSecure product.
ISS believes that all of these issues were reported in error.

Description:

The message incorrectly states that ISS RealSecure does not support
user-defined signatures. ISS RealSecure has supported user-defined signatures
since version 3.1, released in June 1999. ISS X-Force has released numerous
security advisories and alerts that contain user-defined signatures.

Their analysis incorrectly claims that ISS RealSecure does not detect the very
common IIS/RDS security vulnerability discovered by Rain Forest Puppy.
ISS X-Force released a security alert with a description of this vulnerability
and a user-defined signature for detection of this vulnerability on August 9,
1999.

On a related note, the message incorrectly claims that ISS RealSecure does not
contain detection support for the much-publicized IIS Unicode vulnerability
affecting IIS versions 4 and 5. ISS X-Force released a security alert
describing this vulnerability on October 26, 2000. This X-Force alert also
contains a user-defined signature to detect this vulnerability.

The last portion of the message states that it is possible to detect the
RealSecure engine by looking for a listening TCP port 2998. The TCP port used
for RealSecure console communications is user definable to any TCP port. In
addition, ISS recommends that all RealSecure customers configure RealSecure
consoles in stealth mode, which prevents RealSecure detection.

Internet Security Systems has released new detection capabilities in X-Press
Updates for the ISS SAFEsuite family of products for over a year.

Recommendations:

ISS X-Force recommends that all RealSecure customers configure the
user-defined signatures as described in the advisories below.

ISS X-Force was not contacted by Fate Research Labs to review their product
analysis prior to posting to BugTraq. Please report all ISS security-related
issues to xforce () iss net.

References:

User-defined signature for RDS hole, August 9, 1999:
http://xforce.iss.net/alerts/advise32.php

User-defined signature for Unicode hole, October 26, 2000:
http://xforce.iss.net/alerts/advise68.php

- ---------
Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQCVAwUBOgdBRDRfJiV99eG9AQEDfAP+IfzzIRVASCLlVh8VmGi0u7bF9CqJjuoQ
L6J3mb3cQuh72zhAqinS9EVjwkYzNla9QyCE4Hfq08Mn67nygTYy2RPViHxEuz/l
gBe37gOFcrBYQsXVLaeFoiNbf/6yvN0Og+hqhzkh52mSYmyw+epQsiztNIJAMA5X
Okw5tDgwprE=
=KmHo
-----END PGP SIGNATURE-----
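Neither message in the thread shows what a signature for the two attacks in dispute looks like, so the following is an added example written for this archive page. It is not code from ISS, X-Force or F8/Fate Research Labs, and it does not reproduce the user-defined signature text of the X-Force alerts referenced above. It runs two detection rules of my own over constructed HTTP request lines: the RDS rule flags any request reaching the msadcs.dll path (/msadc/msadcs.dll) that Rain Forest Puppy's RDS exploit posts to, and the Unicode rule percent-decodes the path to raw bytes and flags two-byte overlong UTF-8 sequences (lead byte 0xC0 or 0xC1) that decode to '/' or '\', which is how the IIS Unicode traversal (%c0%af, %c1%9c) gets past the server's path check. The sample request lines, rule names and function names are all assumptions made for this example.

```python
import re

# Constructed sample request lines for this example; not traffic from the thread.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1",
    # Plain %2f traversal: not the Unicode bypass, so the Unicode rule stays quiet.
    "GET /scripts/..%2f../winnt/system32/cmd.exe HTTP/1.0",
]

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode_bytes(s: str) -> bytes:
    """Turn %XX escapes into raw bytes without interpreting them as UTF-8, so an
    overlong sequence such as %c0%af survives as the two bytes C0 AF for inspection.
    Characters that are not escapes are taken as single Latin-1 bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = _PCT.match(s, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)


def overlong_separators(raw: bytes) -> list:
    """Return every two-byte sequence with lead byte 0xC0 or 0xC1 that decodes to
    '/' (0x2F) or '\\' (0x5C).  A two-byte UTF-8 sequence 110xxxxx 10yyyyyy encodes
    (xxxxx << 6) | yyyyyy; with lead 0xC0/0xC1 the value fits in seven bits, so a
    strict decoder must reject it, while a lenient one yields a path separator.
    Only the low six bits of the trail byte are used, deliberately: the aim is to
    catch malformed encodings, not to validate UTF-8 (example rule, my design)."""
    found = []
    for i in range(len(raw) - 1):
        lead, trail = raw[i], raw[i + 1]
        if lead in (0xC0, 0xC1):
            code_point = ((lead & 0x1F) << 6) | (trail & 0x3F)
            if code_point in (0x2F, 0x5C):
                found.append(raw[i:i + 2])
    return found


def classify(request_line: str) -> list:
    """Return the names of the example rules that fire on one HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    path = parts[1].split("?", 1)[0]          # both rules look at the path, not the query
    raw = percent_decode_bytes(path)
    hits = []
    if b"/msadc/msadcs.dll" in raw.lower():  # RDS: any request reaching msadcs.dll
        hits.append("rds-msadcs")
    if overlong_separators(raw):             # IIS Unicode: overlong '/' or '\' in the path
        hits.append("iis-unicode-traversal")
    return hits


def scan(lines) -> dict:
    """Map each request line that triggers at least one rule to its rule names."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(", ".join(hits), "<-", line)
```

Decoding to bytes rather than to a str is the point of the Unicode rule: a decoder that is lenient about overlong forms (which is what the IIS vulnerability was) turns %c0%af into a second '/' after the traversal check has already run, so a detector has to inspect the raw escape bytes rather than the normalised path. The RDS rule is a plain path match and fires whatever verb or method suffix follows msadcs.dll.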

