Firewall Wizards mailing list archives

BO2k : was (Re: how to block ICMP tunneling?)


From: Jason Brvenik <jbrvenik () teksystems com>
Date: Tue, 20 Jul 1999 10:04:41 -0400

Jason - UnLurking
begin snip

BO2k is, to me, a demonstration of where firewalls stop being useful.
The attacker gets his back door onto your network, converting a
trusted machine into his base of operations.  You now have a problem
that an 'insider' can start doing nasty stuff inside your firewall.


end snip

BO2k does nothing that can't already be done. If you have proper security in place
and have taken the time to educate your users, actually getting BO2k onto a target's
machine becomes harder than the end objective. There are numerous _remote_
administration tools and _trojans_ that have been in existence for some time.
SubSeven is one that just recently got named and will likely show up in virus
scanners soon, but has a lot of the features (capabilities) of BO2k and was around
when BO2k was just a rumor. There are currently ~30 trojan apps with similar
features available on the net. Worry more about local security and trust
relationships than the potential threat of an intrusion by an employee. You should
be focusing on the rule, not the exception, and by doing so you will greatly reduce the
threat of the exception.
