Read it, it would be funny if it weren't so sad. Not a single word of
apology, nor any mention of an action taken.
You will find several examples of profound wisdom there. I personally
prefer this:
"if your computer has not been compromised by that particular Trojan virus,
that probe is harmless"
It comes as no surprise to me that a company with this attitude towards
security has so much trouble with trivial routing configs in the Toronto,
ON area, where thousands of subscribers of Rogers Cable internet access
(Rogers subcontracts home.com) are suffering from intermittent prolonged
unavailability of the connection.
OK, here's the mail:
-------Message begins----------------
Thank you for your report of system probes. The @Home Network Policy
Management Team receives a high volume of complaints on this issue, and we
are sending this message to you with some basic information that may be
helpful in understanding what is occurring, and how you can proactively
manage your personal computer's security.
@Home's extensive investigation into this issue has shown us that the vast
majority of these system probes are originating from computers that have
been compromised by various means, usually Trojan viruses. We are taking
steps to control hacking attempts by increasing the security awareness of
our customers and enforcement designed to detect and eliminate those hacking
attempts that actually originate on the @Home network.
Please note, if you are complaining about an actual system breach, i.e.,
your computer has actually been penetrated by an @Home subscriber without
your permission, please resend your complaint to us with the email subject
line, SYSTEM BREACH. If you are not sure if your computer has been breached
or not, please continue to read this message.
I'm being hacked!!!
It can be worrisome when your firewall software reports a system probe, but
there are several things to be aware of when your firewall sounds the
alarm.
They relate to how the Internet works, and are explained below.
How does all this work anyways?
What is actually happening when your firewall reports a system probe? Your
computer has just received traffic over the Internet. What that traffic was
actually trying to do is more difficult to determine. Your firewall tries
to interpret the traffic according to how it is programmed. Since firewall
programs are designed to report attacks, it will usually report any
unexpected traffic as an attack, even if it is not. In fact, if firewall
software is set to a 'high' security level, it may report normal traffic
from servers that are a part of the network that you are connected to as an
attack. Note, changing the 'security' level of firewall software does not
really change the level of protection it affords, it changes the level at
which it reports network traffic.
How does that traffic get to your computer? In order for computers to
communicate over the Internet, they are assigned an IP address (IP stands
for Internet Protocol). Every person's computer that is connected to the
Internet, every website, every server, switch and router that is connected
to the Internet in the world has to have a unique IP address. When you go
to a website, you type in the URL (Uniform Resource Locator) into your
browser, say, www.excite.com, and a server in the network takes that URL,
translates it into the corresponding IP address, and your computer connects
to that website's IP address.
Say you go to check your email. Your computer sends traffic on the Internet
to your mail server, and it responds back to you by sending you your email.
How does your computer, and the servers you are accessing, know what the
traffic you are sending is for? This is accomplished because the traffic
not only has a source and a destination IP address, but a source and
destination port also. Port numbers are assigned and registered to Internet
functions and software that uses them. In the above example, you go to
check your email. Your computer sends traffic to the mail server, asking to
check if you have any email. You are sending traffic to the mail server's
IP address, with a destination port 110. Port 110 is registered as the port
with which you (or anyone else on the Internet) use to check your email.
Simply put, a system probe is someone sending traffic directed to your
computer's IP address, with a destination port.
Trojan Viruses
As stated before, other programs are registered to use different ports.
This includes so-called Trojan viruses. Most viruses that you hear about
are designed to disrupt your computer in some way, from interfering with
your Operating System to destroying files on your hard drive. Trojan
viruses, on the other hand, are designed to hide on your hard drive. They
do not want to be discovered because, as opposed to harming your software,
they allow other people access to your computer. Once your computer has
been compromised with a Trojan virus, it can be "remote controlled" by other
people on the Internet. Trojans also have to use a port number to work
correctly. For example, the Sub Seven Trojan, which is in common usage at
this time, runs on port 27374. So, in order, this is what happens when you
get probed for a Trojan virus. We are still using the Sub Seven Trojan as
our example:
1) Another computer on the Internet sends traffic to your
computer's IP address, directed at port 27374.
2) Your computer receives the traffic.
3) Your firewall software is programmed to understand that
traffic to port 27374 is probably a probe to detect if the Sub Seven Trojan
is present on your computer.
4) The firewall blocks the traffic and reports to you that you
were just probed for the Sub Seven Trojan.
There are two significant things that happened here. First, note that the
firewall reported the traffic as being blocked. That means that the
firewall did its job and did not allow the traffic through to your
computer.
Secondly, and this is not as well known, if your computer has not been
compromised by that particular Trojan virus, that probe is harmless. It
wouldn't have affected your computer if the firewall were there or not. If
you are worried that your system was breached, you can be assured that, as
long as your system has not been infected with that virus, and your firewall
reported (blocked) the traffic, your computer is still secure.
What does this mean to me?
Now that we have defined how the Internet works, and what happens when your
firewall reports a probe, you are probably interested in how this affects
you and your personal computer. A typical Windows user needs three tools to
secure their system against the majority of security problems you may
encounter on the Internet: a properly-configured Operating System, a strong
anti-virus program with frequently-updated virus definitions, and some
knowledge and discretion.
1) A properly-configured Operating System - The easiest thing
you can do to secure your computer from unauthorized access is make sure you
are not opening any holes that are easily exploitable. The most common of
these is File and Print Sharing. If you have File and Print Sharing turned
on in your Network Control Panel, other computers on the @Home Network in
your area can see and access your hard drive and/or printer. If you want to
share hard drives or printers in a home network, you should configure a
different network protocol, such as NETBEUI, to do so.
The second Operating System-related issue is with Windows NT
and 2000. If you are not running these operating systems, you may skip to
the next item. These operating systems, if you do a default install, will
open several services, such as FTP (File Transfer Protocol), Email, and
HTTP. The running of such services can allow others access to your
computer, as well as being a violation of the @Home Acceptable Use Policy
(http://www.home.com/aup/). You should re-configure NT or 2000 to not have
any services running.
2) A strong anti-virus program - Most computers come with an
anti-virus program these days. They are effective in protecting your
computer from Trojan and other types of viruses, but only if the virus
definitions are up to date. An anti-virus program has two components, the
program itself, and the virus definitions. The virus definitions are what
tell the program how to look for viruses. Since there are new viruses that
come out on an almost-daily basis, if your definitions are not updated,
eventually your anti-virus software will become useless. You can configure
your anti-virus software to update the virus definitions as frequently as
you wish (we recommend monthly, if not more frequently) and automatically.
Check the help file or web site for your particular anti-virus program. It
should be free to update your virus definitions as long as the program is
current. If you are not running any anti-virus software at all, we highly
recommend that you obtain and install some as soon as possible. There are
too many such viruses out there to seriously consider being on the Internet
without one for very long.
3) Knowledge - As the old saying goes, "Forewarned is
forearmed." Now that you have some idea of what's actually occurring, and
security issues as they relate to you, you can make some choices about how
you want to protect your computer and what you should protect it from. The
easiest way to protect yourself from Trojan viruses, however, is to use
extreme caution in opening files that are sent to your computer, including
attachments to email, or files sent through an instant messaging service, or
IRC. Even if a file is being sent to you by someone that you know, they may
themselves be infected with a virus and not know it.
Do I need a firewall?
As stated above, taking the precautions we outlined will secure your
computer from most, if not all, of the security issues it may encounter
while using the Internet. You may have noted that we did not recommend that
you run any firewall software. Is a firewall really needed in the Internet
environment? On first thought, it may appear so, but consider these points.
You may have heard that you need a firewall if you have an "always-on",
broadband connection. Does having such a connection equal an enhanced risk
to your computer? No, you do not have any significantly higher risk than a
dial-up customer. As we stated before, if your computer is secured against
Trojan viruses, a probe on a Trojan port cannot compromise your computer.
The firewall is not affording you any protection to these types of probes
because there is none needed. All it is doing is reporting to you that
other computers on the Internet are sending traffic to your IP address. The
only potentially-higher risk you have is that if you leave your computer
connected to the Internet 24 hours a day, you will receive more scans simply
because your computer is on the Internet longer than other people's
computers would be. Again, however, if your computer is secured as we
recommended, these probes cannot penetrate your computer. If you are
concerned about this, you can simply disconnect the modem from your computer
until you are ready to use it again, or turn your computer off. You may
have heard that you need a firewall because of the prevalence of Trojan
viruses. While it is true that these Trojans are out there and they can be
very malicious, a strong anti-virus program can actually detect and, if your
hard drive has such a virus, remove the Trojan. A firewall can't do this.
That is why we stress running anti-virus software; a firewall is your
personal choice to run, but is not critical to a computer's security.
Are you running Linux?
Linux is a UNIX-based Operating System that is an alternative to the MS
Windows family of Operating Systems. There are some very common exploits
for Linux (WU-ftpd, SunRPC) that will allow others access to your
Linux-based computer. If you are not familiar with Linux and know how to
secure it from these and other security issues, we would recommend that you
use an Operating System that you are more familiar with.
-------Message ends-----------------------------
Frank Bures, <grandial at softex.cz>
I don't see a real problem with the response. Everything was technically
accurate. For instance, if you're not running any network servers, you
don't need a personal firewall.
As far as action taken, I think they're being realistic. They have
hundreds, maybe even thousands, of customers who are probing, and tracking
them all down and punishing them is a nearly impossible task. And once
they track them down, what do you expect them to do about it? Sure, they
could cancel their account, but they'll just get another account, either
with another ISP or with the same ISP by providing a different name. It's
no more than a slap on the wrist, so what's the point?
And these days, with all the people running personal firewalls, I'll bet
that a significant fraction of the hacking reports they receive are false
alarms, because the user doesn't know how to interpret the firewall's
report. If the number of messages posted to comp.security.{misc,unix}
asking for help interpreting firewall logs is any indication, many users
are confused by them.
If he actually did compromise your system then you may be able to take
legal action against him. The response said that if this is the case, you
should respond with "SYSTEM BREACH" in the subject and they'll help you
pursue this further.
--
Barry Margolin, bar...@genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
> As far as action taken, I think they're being realistic. They have
> hundreds, maybe even thousands, of customers who are probing, and tracking
> them all down and punishing them is a nearly impossible task. And once
> they track them down, what do you expect them to do about it? Sure, they
> could cancel their account, but they'll just get another account, either
> with another ISP or with the same ISP by providing a different name. It's
> no more than a slap on the wrist, so what's the point?
Just to agree with you here....
It's not illegal to scan anything.... that has been determined by a
court of law. If there were an ISP that would do something to me
because I was scanning I would just sue their ass off, and have a court
ruling to back me up....
There is nothing wrong with looking across the street and seeing that
your neighbor leaves his front door open, there is nothing wrong with
looking across the information superhighway and seeing that someone has
left their front door open. It's only illegal when you decide that that
means that you should go in and take the TV, even if you leave a
different TV where it used to be.
you can't arrest a bunch of protesters because you _think_ that they are
going to riot. We're not a telepathic species (yet), so we have to go
with evidence and real actions.... we can't assume someone's intentions.
--
AngryBob
if i were a rom construct, would a lexical closure be my womb?
--nicholas black (from git.personals)
On what grounds? It may not be illegal, but it might be a violation of the
ISP's TOS. However, it's usually not cost-effective for an ISP to
investigate every scanning complaint; the clause is in there so they can
invoke it if they need to.
> It's not illegal to scan anything.... that has been determined by a
> court of law. If there were an ISP that would do something to me
> because I was scanning I would just sue their ass off, and have a court
> ruling to back me up....
'fraid it's not that simple. You're not allowed to do anything you
want, just because it isn't illegal. You still are contractually
bound to abide by their AUP (acceptable use policy).
In this case, their AUP is pretty clear. Here's a quote of some
things an @home customer is NOT allowed to do:
This includes, but is not limited to, accessing data not intended
for you, logging into or making use of a server or account you are
not expressly authorized to access, or probing the security of
other networks. Use or distribution of tools designed for
compromising security, such as password guessing programs,
cracking tools, packet sniffers or network probing tools, is
prohibited.
Notice that you are forbidden from "probing the security of other
networks" or using "network probing tools".
So scanning might be legal, but they could still yank your account and
you wouldn't have a leg to stand on if you tried to "sue their ass
off"...
--
Steve Tate --- srt[At]cs.unt.edu | Gratuitously stolen quote:
Dept. of Computer Sciences | "The box said 'Requires Windows 95, NT,
University of North Texas | or better,' so I installed Linux."
Denton, TX 76201 |
Analogies for port scanning don't reveal anything so much as the poster's
views. They certainly don't accurately represent the situation.
Mere scanning _can_ be a denial of service attack, and that _is_ wrong. It
can also be that you mistyped the address of a computer, and your client
software sends a connection attempt to a computer that you don't have rights
to access - and that looks like a 'scan' for the port you tried to connect
to. Whatever, it is certainly not polite to be scanning systems that you do
not have an invitation to scan.
Alun.
~~~~
[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.]
--
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email al...@texis.com
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
I think the word "scan" implies multiple attempts; port-scanning is an
attempt to connect to multiple ports on a machine, while network scanning
is an attempt to connect to multiple addresses on a network. A single
connection is likely to be an innocent error -- a scan is indicated by a
pattern of unauthorized connection attempts.
> 'fraid it's not that simple. You're not allowed to do anything you
> want, just because it isn't illegal. You still are contractually
> bound to abide by their AUP (acceptable use policy).
true 'nuf....
--
AngryBob
"The pickle doesn't know anything about the Electoral
College. After all, it's a pickle."
-- Eugene F. "Pucker" O'Grady
> Analogies for port scanning don't reveal anything so much as the poster's
> views. They certainly don't accurately represent the situation.
why not? it's the same thing on a larger scale.... technically non
masq'd IP's are all on the same street, but you can always move
computers onto side-streets.... (just to continue the analogy)
and since you're so privy to my views just based on that example, I want
to hear em before I start disproving them. <grin>
--
AngryBob
I'm a cynical son of a bitch. compared to me, beaker
is puppy dogs and ice cream. :-)
-Trey
And technically, the only way to tell if someone's "trying the locks" with a
port-scan is to be on the inside of the door. In the analogy, of course,
anyone trying the locks will be seen by any number of people, possibly the
Neighbourhood Watch, and can be recognised and observed as suspicious. The
analogy is only very remotely applicable, and the obvious implication is to
expand the applicability of the analogy - and that doesn't work.
Houses don't have up to 65535 doors, and houses don't use up resources,
possibly denying access, when someone's trying the locks. I'm sure you can
come up with hundreds of other examples where the analogy is completely
useless.
> In article <tenaqvnyfbsgrkpm...@news1.chem.utoronto.ca>,
> FEEB <nos...@neverland.com.invalid> wrote:
> >FYI, I am posting here the mail I received from <abuse...@corp.home.net>,
> >as a response to my complaint about repeated attempts to connect to port 10
> >of my various servers from their node.
> >
> >Read it, it would be funny if it weren't so sad. Not a single word of
> >apology, nor any mention of an action taken.
>
> I don't see a real problem with the response. Everything was technically
> accurate.
And about as much use as a pogo-stick in a minefield.
> For instance, if you're not running any network servers, you don't need a
> personal firewall.
No? You think not? That's news to me. Care to elucidate?
> If he actually did compromise your system then you may be able to take
> legal action against him. The response said that if this is the case, you
> should respond with "SYSTEM BREACH" in the subject and they'll help you
> pursue this further.
And why the **** should anyone have to *resubmit* their original report so
they bother reading it? That is just plain offensive.
~Tim
--
The light of the world keeps shining, |pig...@glutinous.custard.org
Bright in the primal glow |http://piglet.is.dreaming.org
>In article <tenaqvnyfbsgrkpm...@news1.chem.utoronto.ca>,
>FEEB <nos...@neverland.com.invalid> wrote:
>>FYI, I am posting here the mail I received from <abuse...@corp.home.net>,
>>as a response to my complaint about repeated attempts to connect to port 10
>>of my various servers from their node.
>>
>>Read it, it would be funny if it weren't so sad. Not a single word of
>>apology, nor any mention of an action taken.
>
>I don't see a real problem with the response. Everything was technically
>accurate. For instance, if you're not running any network servers, you
>don't need a personal firewall.
>
>As far as action taken, I think they're being realistic. They have
>hundreds, maybe even thousands, of customers who are probing, and tracking
>them all down and punishing them is a nearly impossible task. And once
>they track them down, what do you expect them to do about it? Sure, they
>could cancel their account, but they'll just get another account, either
>with another ISP or with the same ISP by providing a different name.
Could you please explain how one can get an account with home.com,
providing a different name without actually selling his house and moving?
The technique involved in this trick escapes me.
>What would you like to read? [comp.os.linux.security or *?]
>This is a Barry Margolin <bar...@genuity.net> scroll! it says:
>
>> As far as action taken, I think they're being realistic. They have
>> hundreds, maybe even thousands, of customers who are probing, and tracking
>> them all down and punishing them is a nearly impossible task. And once
>> they track them down, what do you expect them to do about it? Sure, they
>> could cancel their account, but they'll just get another account, either
>> with another ISP or with the same ISP by providing a different name. It's
>> no more than a slap on the wrist, so what's the point?
>
>Just to agree with you here....
>
>It's not illegal to scan anything.... that has been determined by a
>court of law.
Could you please be more specific? Any reference to the actual case and
court decision?
Thanks
>In article <95clcv$3pm$1...@news-int.gatech.edu>, Angry Bob
><angr...@havoc.gtf.org> wrote:
>> There is nothing wrong with looking across the street and seeing that
>> your neighbor leaves his front door open, there is nothing wrong with
>> looking across the information superhighway and seeing that someone has
>> left their front door open. It's only illegal when you decide that that
>> means that you should go in and take the TV, even if you leave a
>> different TV where it used to be.
>
>Analogies for port scanning don't reveal anything so much as the poster's
>views. They certainly don't accurately represent the situation.
>
>Mere scanning _can_ be a denial of service attack, and that _is_ wrong. It
>can also be that you mistyped the address of a computer, and your client
>software sends a connection attempt to a computer that you don't have rights
>to access - and that looks like a 'scan' for the port you tried to connect
>to. Whatever, it is certainly not polite to be scanning systems that you do
>not have an invitation to scan.
I usually do not complain, when a single probe of a single machine occurs.
However, I do complain, when more than 5 machines are probed at
approximately the same time from the same node, or if an attempt to connect
to non-existent machines on my whole domain occurs. One of my domains has
1000 IP addresses so I think I should be able to distinguish between an
operator's error and a malicious intent.
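The thread keeps coming back to two practical questions: how to tell a lone
mistyped connection from a scan (Barry's "pattern of unauthorized connection
attempts", FEEB's "more than 5 machines at approximately the same time" or
hits on non-existent addresses), and whether a blocked probe could have
mattered at all (the @Home mail's point that a probe for a port nothing is
listening on is harmless). The script below is an added example, not code
from any poster or from @Home. It assumes a hypothetical firewall log format,
constructed sample lines in documentation address ranges, and a constructed
inventory of which local addresses exist and what they listen on; the
thresholds for "sweep" and "port scan" are taken from the posts above and are
adjustable.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in this thread: 110 (checking email, per the @Home mail),
# 111 (the SunRPC sweep complained about above) and 27374 (Sub Seven).
PORT_NAMES = {110: "pop3", 111: "sunrpc", 27374: "subseven"}

# Constructed sample of blocked inbound connection attempts. The line format
# is hypothetical, not that of any real firewall product:
#   "<ISO timestamp> <src-ip> -> <dst-ip>:<dst-port> BLOCKED"
SAMPLE_LOG = """\
2001-02-01T21:45:01 198.51.100.7 -> 192.0.2.1:111 BLOCKED
2001-02-01T21:45:01 198.51.100.7 -> 192.0.2.2:111 BLOCKED
2001-02-01T21:45:02 198.51.100.7 -> 192.0.2.3:111 BLOCKED
2001-02-01T21:45:02 198.51.100.7 -> 192.0.2.4:111 BLOCKED
2001-02-01T21:45:03 198.51.100.7 -> 192.0.2.5:111 BLOCKED
2001-02-01T21:45:03 198.51.100.7 -> 192.0.2.6:111 BLOCKED
2001-02-01T21:45:04 198.51.100.7 -> 192.0.2.10:111 BLOCKED
2001-02-01T22:10:00 203.0.113.5 -> 192.0.2.10:21 BLOCKED
2001-02-01T22:10:00 203.0.113.5 -> 192.0.2.10:23 BLOCKED
2001-02-01T22:10:01 203.0.113.5 -> 192.0.2.10:80 BLOCKED
2001-02-01T22:10:01 203.0.113.5 -> 192.0.2.10:110 BLOCKED
2001-02-01T22:10:02 203.0.113.5 -> 192.0.2.10:27374 BLOCKED
2001-02-01T23:30:15 198.51.100.200 -> 192.0.2.10:110 BLOCKED
"""

# Constructed inventory of the local 192.0.2.0/24: which addresses are in use
# and what each one listens on. Any address not listed here is unassigned.
KNOWN_HOSTS = {"192.0.2.1", "192.0.2.2", "192.0.2.10", "192.0.2.11"}
LISTENING = {"192.0.2.10": {22, 110}}


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port) tuples; skip malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        dst, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], dst, int(port)))
    return records


def classify_sources(records, window=timedelta(minutes=5),
                     host_threshold=5, port_threshold=3):
    """Label each source 'single attempt', 'port scan' or 'network sweep'.

    A sweep is more than host_threshold distinct targets inside one time
    window (the thread's "more than 5 machines at about the same time").
    A port scan is port_threshold or more distinct ports on one target
    (port_threshold is an assumed value for "multiple ports"). Anything else
    is a lone attempt, most likely a mistyped address.
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[1]].append(rec)
    labels = {}
    for src, recs in by_src.items():
        recs.sort()  # chronological; tuples compare by timestamp first
        label = "single attempt"
        for i, (t0, _, _, _) in enumerate(recs):
            ports_per_host = defaultdict(set)
            for t, _, dst, port in recs[i:]:
                if t - t0 > window:
                    break
                ports_per_host[dst].add(port)
            if len(ports_per_host) > host_threshold:
                label = "network sweep"
                break
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                label = "port scan"
        labels[src] = label
    return labels


def assess_probes(records, known_hosts=KNOWN_HOSTS, listening=LISTENING):
    """Say, per probe, whether it could have reached anything at all.

    'no such host': the address is unassigned, so only a sweep would try it.
    'closed port':  the host exists but nothing listens there; harmless in the
                    sense the @Home mail gives for a Trojan you do not run.
    'open port':    a real service was behind that port; only here does it
                    matter whether the service is patched.
    """
    out = []
    for _, src, dst, port in records:
        if dst not in known_hosts:
            verdict = "no such host"
        elif port in listening.get(dst, set()):
            verdict = "open port"
        else:
            verdict = "closed port"
        out.append((src, dst, port, PORT_NAMES.get(port, "port %d" % port), verdict))
    return out


def summarize(text=SAMPLE_LOG):
    """Return (label per source, probes that hit an open port)."""
    records = parse_log(text)
    labels = classify_sources(records)
    open_hits = [(s, d, p) for s, d, p, _, v in assess_probes(records) if v == "open port"]
    return labels, open_hits


if __name__ == "__main__":
    labels, open_hits = summarize()
    for src, label in sorted(labels.items()):
        print(f"{src:16} {label}")
    for src, dst, port in open_hits:
        print(f"reached an open port: {src} -> {dst}:{port} ({PORT_NAMES.get(port, '?')})")
```

On the constructed sample the port-111 source is labelled a network sweep (seven
targets in three seconds, several of them unassigned addresses), the five-port
source a port scan, and the lone port-110 attempt a single attempt. Only the
two hits on 192.0.2.10:110 reached a listening service, which is what would
decide whether any of this deserves a complaint rather than a log entry.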
Here's a story on SecurityFocus:
http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D126
Sure. The way to break into a machine is by taking advantage of a security
hole in a server. If you aren't running any TCP/IP servers, then there
aren't any server security holes that can be exploited from the Internet.
>> If he actually did compromise your system then you may be able to take
>> legal action against him. The response said that if this is the case, you
>> should respond with "SYSTEM BREACH" in the subject and they'll help you
>> pursue this further.
>
>And why the **** should anyone have to *resubmit* their original report so
>they bother reading it? That is just plain offensive.
Because your original report was a single raindrop in a deluge. They
apparently have an automated system that tries to separate out the more
serious ones, by looking for a special subject line.
> In article <8666itn...@potato.vegetable.org.uk>,
> Tim Haynes <pig...@glutinous.custard.org> wrote:
> >Barry Margolin <bar...@genuity.net> writes:
> >> For instance, if you're not running any network servers, you don't need a
> >> personal firewall.
> >
> >No? You think not? That's news to me. Care to elucidate?
>
> Sure. The way to break into a machine is by taking advantage of a
> security hole in a server. If you aren't running any TCP/IP servers, then
> there aren't any server security holes that can be exploited from the
> Internet.
Oh I see. So if I disable sshd so I can't log into my gateway box, I can
drop the firewall on it as well? <shudder>.
Get *real*! TCP is not secure. Sequence numbers vary in predictability, and
injection-type attacks are not unheard of. Besides, why should I have to
give away my existence by actually responding to pings? traceroutes? What
about broadcast ICMP, smurf attacks and other tricks that operate on bugs
in the IP stack?
> >> If he actually did compromise your system then you may be able to take
> >> legal action against him. The response said that if this is the case,
> >> you should respond with "SYSTEM BREACH" in the subject and they'll
> >> help you pursue this further.
> >
> >And why the **** should anyone have to *resubmit* their original report
> >so they bother reading it? That is just plain offensive.
>
> Because your original report was a single raindrop in a deluge.
I made no report. Learn to read who you're following up to.
> They apparently have an automated system that tries to separate out the
> more serious ones, by looking for a special subject line.
Congratulations, I'd never have guessed? Why should someone have to root
out their already-sent mail in order to resend it to comply with their
"automated" rules?
~Tim
--
6:07pm up 39 days, 20:16, 10 users, load average: 0.16, 0.16, 0.12
pig...@glutinous.custard.org |The light of the world keeps shining,
http://piglet.is.dreaming.org |Bright in the primal glow
> In article <tenaqvnyfbsgrkpm...@news1.chem.utoronto.ca>,
> FEEB <nos...@neverland.com.invalid> wrote:
> >FYI, I am posting here the mail I received from <abuse...@corp.home.net>,
> >as a response to my complaint about repeated attempts to connect to port 10
> >of my various servers from their node.
> >
> >Read it, it would be funny if it weren't so sad. Not a single word of
> >apology, nor any mention of an action taken.
>
> I don't see a real problem with the response. Everything was technically
> accurate. For instance, if you're not running any network servers, you
> don't need a personal firewall.
agreed.
> As far as action taken, I think they're being realistic. They have
> hundreds, maybe even thousands, of customers who are probing, and tracking
> them all down and punishing them is a nearly impossible task. And once
> they track them down, what do you expect them to do about it? Sure, they
> could cancel their account, but they'll just get another account, either
> with another ISP or with the same ISP by providing a different name. It's
> no more than a slap on the wrist, so what's the point?
what other account? going from cablemodem to 56k (laugh) POTS is
going to suck royally. and so what if they try using a new name? it
takes like 6 months of waiting for installation of cablemodem. if
they DSL it might be a year. ;-)
--
J o h a n K u l l s t a m
[kull...@ne.mediaone.net]
sysengr
The part of their message that I was referring to was specifically directed
to Windows users. There was a later section directed towards Linux. But
if you're sophisticated enough to have installed sshd, you hopefully don't
need their help in securing your system.
>Get *real*! TCP is not secure. Sequence numbers vary in predictability, and
>injection-type attacks are not unheard of.
So? Personal firewalls won't protect against connection hijacking using
sequence number prediction.
>> >> If he actually did compromise your system then you may be able to take
>> >> legal action against him. The response said that if this is the case,
>> >> you should respond with "SYSTEM BREACH" in the subject and they'll
>> >> help you pursue this further.
>> >
>> >And why the **** should anyone have to *resubmit* their original report
>> >so they bother reading it? That is just plain offensive.
>>
>> Because your original report was a single raindrop in a deluge.
>
>I made no report. Learn to read who you're following up to.
I have no idea who made the original report; I don't feel the need to scan
back in the thread every time I respond. The tone of your message implied
that you were the original poster.
>
>> They apparently have an automated system that tries to separate out the
>> more serious ones, by looking for a special subject line.
>
>Congratulations, I'd never have guessed? Why should someone have to root
>out their already-sent mail in order to resend it to comply with their
>"automated" rules?
Because the original report just said that their machine was scanned, and
that's not as serious as being penetrated. If you want your report to get
higher priority than the thousands of abuse complaints they receive, you
need to do something to make it noticeable.
>FEEB <nos...@neverland.com.invalid> wrote:
>> On 1 Feb 2001 21:45:03 GMT, Angry Bob wrote:
>
>>>It's not illegal to scan anything.... that has been determined by a
>>>court of law.
>
>> Could you please be more specific? Any reference to the actual case and
>> court decision?
>
>Here's a story on SecurityFocus:
>
>http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D126
Thanks, but I must disagree with the decision. I definitely would not feel
comfortable if I found a person with 500 keys, trying them one by one on my
house lock. Of course, there would be no damage (probably - if the lock is
of good quality), but I'm sure the majority of home owners would consider
such activity unacceptable.
Nobody can persuade me, that a massive scan of my whole domain on port 111
is done just for the heck of it. The perpetrator obviously intended to
exploit the rpc vulnerability, hence the malicious intent was there.
If there can be a felony of _attempted_ murder, there should be a felony of
_attempted_ break-in into a computer system.
Well, if you're going to make use of silly analogies, how about this:
Suppose someone wants to murder you by exposing you to something you're
highly allergic to. So he gets access to your medical records, and finds
out you don't have any deadly allergies, so he never goes any further.
Would you consider him guilty of attempted murder just because he was
trying to find out if he could kill you that way?
BTW, the article didn't say that port-scanning is or isn't legal. It
addressed a civil suit that claimed damages based on the value of the time
spent investigating the port scan. The article went on to say that the
perpetrator "is still facing criminal charges of attempted computer trespass
under Georgia's computer crime laws for port scanning a system owned by a
competing contractor." So it sounds like there *is* a crime of attempted
break-in in Georgia. I have no idea whether the latter case has been
decided yet.
The embedded comments are mine and mine alone. They express MY OPINION.
I do not speak for the people who wrote the original response...
>
> Please note, if you are complaining about an actual system breach, i.e.,
> your computer has actually been penetrated by an @Home subscriber without
> your permission, please resend your complaint to us with the email subject
> line, SYSTEM BREACH. If you are not sure if your computer has been
> breached or not, please continue to read this message.
Don't call us until you have identified the culprit... ok... that's
real good.
> In fact, if firewall
> software is set to a 'high' security level, it may report normal traffic
> from servers that are a part of the network that you are connected to as an
> attack. Note, changing the 'security' level of firewall software does not
> really change the level of protection it affords, it changes the level at
> which it reports network traffic.
This is flatly too broad a statement to be correct. Different firewall
products have different behaviors. Dangerous and incorrect statement.
>
> How does that traffic get to your computer? In order for computers to
> communicate over the Internet, they are assigned an IP address (IP stands
> for Internet Protocol). Every person's computer that is connected to the
> Internet, every website, every server, switch and router that is connected
> to the Internet in the world has to have a unique IP address.
Wrong... NAT, IP Masq... sorry, internal addresses DO NOT communicate over
the internet; therefore the statement is an oversimplification.
>
> Simply put, a system probe is someone sending traffic directed to your
> computer's IP address, with a destination port.
Too simply put.
>
> Trojan Viruses
There are "Trojan Horses", "trojans" for short. There are "worms".
There are "viruses" (and not virii -- look it up). There are *not*
"trojan viruses" but in a stretch one might call an infected (with
a virus) program, "a program that has been trojaned by a virus".
Stick to "malware" it's safe enough. These "trojan viruses" to which
they allude are "E-Mail Trojan Horse Programs". Hell, why does it
matter anyway? The people that wrote this (and the people they are
writing to) probably don't understand the biological differences
between worms, viruses, and bacteria, anyway...
>
> As stated before, other programs are registered to use different ports.
> This includes so-called Trojan viruses. Most viruses that you hear about
> are designed to disrupt your computer in some way, from interfering with
> your Operating System to destroying files on your hard drive. Trojan
> viruses, on the other hand, are designed to hide on your hard drive. They
> do not want to be discovered because, as opposed to harming your software,
> they allow other people access to your computer. Once your computer has
> been compromised with a Trojan virus, it can be "remote controlled" by
> other
> people on the Internet. Trojans also have to use a port number to work
> correctly. For example, the Sub Seven Trojan, which is in common usage at
> this time, runs on port 27374. So, in order, this is what happens when you
> get probed for a Trojan virus. We are still using the Sub Seven Trojan as
> our example:
>
> 1) Another computer on the Internet sends traffic to your
> computer's IP address, directed at port 27374.
>
> 2) Your computer receives the traffic.
>
> 3) Your firewall software is programmed to understand that
> traffic to port 27374 is probably a probe to detect if the Sub Seven Trojan
> is present on your computer.
*OR* your system's firewall was disabled by a trojan and you only think
you are firewalled. Your system then opens its doors and says, "$&#^
me, I'm ready, honey." Whereupon he opens your online banking software,
connects to your account (you didn't *really* check "save my password",
did you?) and transfers a couple hundred bucks to his bank account in
Bum*$&% Egypt... Then he bounces off your machine through a couple of
dozen more just like it and on the way picks up some dial-up account,
a few hundred more bucks, some juicy E-Mail in a corporate CEO's
mail file, a few credit card numbers, and laughs all the way to the bank.
Now mind you these "Trojan Viruses" aren't that bad a problem,
probably not more than 10 or 20 percent of the desktops on the
Internet have them... Most of the people that use these back doors
are after *nix servers anyway... We don't have any of those so we
don't really give a **** about it.
>
> 4) The firewall blocks the traffic and reports to you that you
> were just probed for the Sub Seven Trojan.
... *IF* You didn't open that mail message about Snow White and the
Seven Dwarfs... You didn't did you? Oh, s&*^%, you did, well your
firewall probably won't notice the connection... go to Number 3 and
reread the OR part.
>
> There are two significant things that happened here.
1) We gave you half the story.
2) You haven't got a clue so we got away with it.
> First, note that the
> firewall reported the traffic as being blocked.
If you were lucky... and haven't done stupid at some point in the
past.
> That means that the
> firewall did its job and did not allow the traffic through to your
> computer.
If in fact you got this far and saw the things we said you saw,
we hope your firewall did its job.... we think it probably did,
but to be honest we don't have a clue either, and we just want
to tie you up with reading this drivel 'cause they don't pay us
enough, we don't have enough people, and the whole *%&%*%$ Internet
is full of crackers, worms, and other *%&$ anyway... so...
> Secondly, and this is not as well known, if your computer has not been
> compromised by that particular Trojan virus, that probe is harmless.
The probe is harmless... the IP address from which it came only *may* be
harmless, we don't have the time to chase down every IP address that
does this sort of thing so...
> It
> wouldn't have affected your computer if the firewall were there or not.
Unless you are running an old unpatched IP stack and it is something like
an old newtear or other fragment that makes your system go belly up...
> If
> you are worried that your system was breached, you can be assured that, as
> long as your system has not been infected with that virus, and your
> firewall
> reported (blocked) the traffic, your computer is still secure.
Crap... you *may* be able to say you are not vulnerable to that attack.
You could *never* make the assumption that you are secure because that
particular attack didn't succeed.
>
> What does this mean to me?
Precious little, no doubt.. but we are going to tell you just in case
you are still reading this.
>
> Now that we have defined how the Internet works,
hooooahaaa! You and Al Gore.
> and what happens when your
> firewall reports a probe, you are probably interested in how this affects
> you and your personal computer.
This right here (below) would have made a good opening statement. A
paper developed upon the following premise might have turned out useful
to the hundreds of people who must be driving these folks nuts with
their reports.... "*hit, Billy, ma durned ten dolla farwall sez derz
someun a tryin' ta git inta dis here computer... Wha' du h*** ahm ah
gonna do?"
Unfortunately they wind up with the following...
>
> Are you running Linux?
>
> Linux is a UNIX-based Operating System that is an alternative to the MS
> Windows family of Operating Systems. There are some very common exploits
> for Linux (WU-ftpd, SunRPC) that will allow others access to your
> Linux-based computer. If you are not familiar with Linux and know how to
> secure it from these and other security issues, we would recommend that you
> use an Operating System that you are more familiar with.
Probably need to reword that last sentence to read "an Operating System that
WE are more familiar with." The truth is these people clearly have not
shown that they understand IP sockets, let alone their Microsux servers.
They are not ready to *even* deal with the average Linux, BSD, *nix, user.
Their network generates a CONSTANT stream of probes because they have a
huge *flat* address space, and what appear to be clueless tech writers.
Yeah, this was a great response... It boiled down to, "Git rid o' dat
Linux machine, we don't understan' it. Use MicroSux, we don' understan'
dat neither BUT we don't understan' it better."
-m-
--
Everyone has cracks, that's how the crackers get in. Unknown
> Thanks, but I must disagree with the decision. I definitely would not feel
> comfortable if I found a person with 500 keys, trying them one by one on my
> house lock. Of course, there would be no damage (probably - if the lock is
> of good quality), but I'm sure the majority of home owners would consider
> such activity unacceptable.
BASS scanner, an internet auditing project:
http://www.hicsalta.si/doc/auditing.html
--
Angrybob
"F--- off Gates, I'm in a meeting."
-- http://www.ghetto-prostitute.com/lalala/23.html
[lots of point-by-point complaints about @Home's message's lack of
technical precision.]
Most of your points are valid, but what do you realistically expect them to
do? Most of the people who send abuse complaints based on messages from
personal firewalls are barely competent to understand that message as it
is. It's extremely long, and I expect many recipients will stop reading it
after a screen or so. There's only so much detail you can put into a form
letter; if you try to cover all bases, it will just get longer and more
incomprehensible.
I work in technical support at a tier-1 ISP, and our customers are
primarily Fortune 1000 companies, and we deal with their network
administrators. If we sent out a message like that, I know that at least
half of them would zone out; and if we brought it up to the level that
you're expecting, it would probably raise the zone-out level to 75%.
If you understand enough about networking that a more technically accurate
response would make sense to you, then you probably don't need the response
in the first place.
Michael Erskine wrote:
[snip]
>
> The truth is these people clearly have not
> shown that they understand IP sockets, let alone their Microsux servers.
?????????????
The site www.home.com runs Apache/1.3.12 (Unix) mod_perl/1.22 mod_fastcgi/2.2.2 on Solaris
Solaris users include www.cibc.com, Verisign and O'Reilly
Apache is also being used by O'Reilly, www.redhat.com and Rackspace
Michael Erskine wrote:
[snip]
>
> The truth is these people clearly have not
> shown that they understand IP sockets, let alone their Microsux servers.
[snip]
> >Oh I see. So if I disable sshd so I can't log into my gateway box, I can
> >drop the firewall on it as well? <shudder>.
>
> The part of their message that I was referring to was specifically
> directed to Windows users. There was a later section directed towards
> Linux. But if you're sophisticated enough to have installed sshd, you
> hopefully don't need their help in securing your system.
Young, you are. Much optimism I sense in you.
If you're in the realms of those who compile openssh from source, create
their own packages with PasswordAuthentication set to `no' by default (root
login, X, port and agent forwarding all disabled) then maybe you're on the
right tracks, but that's no reason to skirt around the issue: any worm
will tell you two holes are better than one, so you jolly well firewall
pretty securely as well. Between them, `there is a firewall' *and* `such
few services as there are are secured as much as possible' work *together*
to ease the stress level.
You don't expect the same kind of thing from some friendly little kid who's
just bought RH7.0 or Mandrake 7.2, both of which I don't need to tell you
come with OpenSSH, falling foul of false security and bringing the
community strength down in the process.
[snip]
~Tim
--
We all talk a different language, |pig...@glutinous.custard.org
Talking in defence |http://piglet.is.dreaming.org
I poked pretty hard. I will read this carefully and give you a
more *honest and fair* reading. :)
Barry Margolin wrote:
>
> In article <3A7B1263...@urbanna.net>,
> Michael Erskine <osi...@urbanna.net> wrote:
>
> [lots of point-by-point complaints about @Home's message's lack of
> technical precision.]
>
> Most of your points are valid, but what do you realistically expect them to
> do?
The truth is the problem rests with management and not networking staff,
usually anyway. Management simply does not realize that one *must* staff
the NOC, that staff costs money, and that sufficient help ensures vastly
improved performance and security.
> Most of the people who send abuse complaints based on messages from
> personal firewalls are barely competent to understand that message as it
> is.
Most of the people sending abuse complaints are technical *wannabes*;
they *don't* have the first clue as to what they are seeing because they
are running M$ products and have bought into the line that *xxx is user
friendly* (you fill in the xxx).
> It's extremely long, and I expect many recipients will stop reading it
> after a screen or so. There's only so much detail you can put into a form
> letter; if you try to cover all bases, it will just get longer and more
> incomprehensible.
Yes, sir, it will. Give them a web site. Nicely done, links and indexes.
Educate those who will be educated. There is *nothing* you can do for
those *faithful* who will not learn.
>
> I work in technical support at a tier-1 ISP, and our customers are
> primarily Fortune 1000 companies, and we deal with their network
> administrators. If we sent out a message like that, I know that at least
> half of them would zone out; and if we brought it up to the level that
> you're expecting, it would probably raise the zone-out level to 75%.
Yes, sir, that is true as well. The rank and file are embracing the
medium at a rate much faster than the schools and experience can produce
people competent to manage a network (of any size at all).
>
> If you understand enough about networking that a more technically accurate
> response would make sense to you, then you probably don't need the response
> in the first place.
Also *quite* true. I opt for the web page response and a very short
form message. No way should the provider ask that the message be
resent.
The message (and the reality) should be "We view this activity in a *very*
dim light. We are looking into this complaint and we *will* get back to
you. In the meantime you may find this information helpful:
http://somewhere.help".
-m-
That would be a problem with @home.com, now wouldn't it? If I discover
someone port scanning from our network, I don't bother them at all. I
wait for them to tromp on their thingie... which they almost certainly
*will* do eventually. And then I turn them off and where appropriate,
try *real* hard to get the owners to press charges.
Barry, scanning is not (and should not be) illegal, but one should
always bear in mind it *is* threatening. The *only* HOSTS I will scan
outside of my domain are those to whom I wish to send the "I AM WATCHING
YOUR ACTIVITY AND IT HAD BETTER STOP" message.
Actually I usually send them a ping or two before it comes to that, it
really depends upon just what it was they did that I thought they should
not have done.
As to the comments elsewhere about *not* needing a firewall if you are
*not* running services... absolute rubbish, engendered by a lack of
understanding, which could not possibly be addressed in just a single
message to this thread.
-m-
--
Remember it's one piece of string, two bits of wood, three feathers, all
the rest is propaganda. The only accuracy requirement is to be able to hit
a Frenchman on a horse at 200 paces or on foot at 60.
You mean you can access ports which are not open? That's quite interesting. You
are a real expert.
Greetings
Bernd
You mean you think Ports (sic) are the only things to access?
*plonk*, *thread-plonk*
~Tim
--
The sun is melting over the hills, |pig...@glutinous.custard.org
All our roads are waiting / To be revealed |http://piglet.is.dreaming.org
What else is a personal firewall protecting?
Greetings
Bernd
Your sanity, bandwidth and the rest of the 'Net at large.
How about blocking outgoing trojan requests? About preventing smurf attacks
and dodgy ICMP stuff and spoofed source/destination IP#s? And slowing down
the evil scanners, too?
<sigh>.
~Tim
--
Roobarb and Custard let fly |pig...@glutinous.custard.org
with their secret weapon. |http://piglet.is.dreaming.org
If you have a trojan on your computer you can't be safe. A PF is unable to
protect you from it, especially on operating systems which don't have access
control (i.e. Windows < NT or Windows NT with default admin user).
> About preventing smurf attacks
A PF can not prevent smurf attacks. A smurf attack will fill your pipe or kill
the backbone routers of your ISP. The PF will only burn some more CPU cycles
throwing away all the unwanted traffic, but it will buy you nothing. I suspect
it will make the situation worse because of the additional processing
overhead, logging and state keeping. You should read about smurf before you
think a personal firewall can protect you from it.
> and dodgy ICMP stuff and spoofed source/destination IP#s
A reasonable patched window is not vulnerable to "dodgy icmp stuff" so I see
no use in a PF. And I am quite sure that in case a new IP/ICMP vulnerability
is found, the PF won't help you, it is after all using the OS's IP stack.
> And slowing down
> the evil scanners, too?
Evil scanners will not scan in synchronous mode, this means they can scan
hundreds of hosts and thousands of ports without waiting for responses. A
stealth port does not slow down any attacker. And frankly speaking, if I have
a secure system, why should I bother about those scanners?
So, are you sure you actually have a reason for a PF or is it only that those
tools have a cool try icon and you feel "like a real man with a cool d#"?
Greetings
Bernd
--
www.freefire.org
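Bernd's point that scanners do not wait for one answer before sending the next probe, shown as an added example (this is not code from the thread or from anyone posting in it). It runs a non-blocking TCP connect scan: every connect() is issued first, then a selector harvests the results as they arrive, so a "stealth" port that silently drops packets costs the scanner one shared timeout rather than one timeout per port. The target is constructed locally so the script runs offline: a listener on 127.0.0.1 with a kernel-chosen port, plus a handful of ephemeral ports that are bound and released so they are (almost certainly) closed; the two-second timeout is an illustrative assumption.

```python
"""Asynchronous TCP connect scan (added illustration; not from the original thread)."""
import errno
import selectors
import socket
import time

# connect_ex() results that mean "handshake still in flight" on a non-blocking socket
IN_PROGRESS = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN}


def classify(err):
    """Map a connect()/SO_ERROR value to the usual scanner vocabulary."""
    if err == 0:
        return "open"            # SYN/ACK: something is listening
    if err == errno.ECONNREFUSED:
        return "closed"          # RST: host is up, nothing listening on that port
    return "error:" + errno.errorcode.get(err, str(err))


def scan_ports(host, ports, timeout=2.0):
    """Return {port: "open" | "closed" | "filtered" | "error:..."} for host.

    All sockets are put into non-blocking mode and connect_ex() is called on
    each one up front; the selector then collects results as they arrive.
    Anything still unanswered when the deadline passes is "filtered": no
    SYN/ACK and no RST, the signature of a firewall that drops packets.
    """
    sel = selectors.DefaultSelector()
    results = {}
    pending = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setblocking(False)
        err = sock.connect_ex((host, port))
        if err in IN_PROGRESS:
            sel.register(sock, selectors.EVENT_WRITE, data=port)
            pending[port] = sock
        else:                    # loopback may succeed or fail synchronously
            results[port] = classify(err)
            sock.close()
    deadline = time.monotonic() + timeout
    while pending:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        for key, _ in sel.select(timeout=remaining):
            sock, port = key.fileobj, key.data
            # A completed (or failed) connect makes the socket writable; the
            # outcome is read back through SO_ERROR.
            err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            results[port] = classify(err)
            sel.unregister(sock)
            sock.close()
            del pending[port]
    for port, sock in pending.items():
        results[port] = "filtered"
        sel.unregister(sock)
        sock.close()
    sel.close()
    return results


def start_listener(host="127.0.0.1"):
    """Listen on a kernel-chosen port; the backlog completes handshakes without accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv


def free_ports(host="127.0.0.1", count=5):
    """Bind `count` ephemeral ports at once, then release them: closed ports to scan."""
    socks = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, 0))
        socks.append(s)
    ports = [s.getsockname()[1] for s in socks]
    for s in socks:
        s.close()
    return ports


def demo():
    """Scan one open and several closed loopback ports; returns (open_port, closed_ports, results)."""
    srv = start_listener()
    try:
        open_port = srv.getsockname()[1]
        closed = free_ports()
        results = scan_ports("127.0.0.1", [open_port] + closed)
    finally:
        srv.close()
    return open_port, closed, results


if __name__ == "__main__":
    open_port, closed, results = demo()
    for port in sorted(results):
        print(f"{port:5d} {results[port]}")
```

Against a real host the only line that changes is the target passed to scan_ports(); the point to notice is that a dropped probe is charged to the scan as a whole, not to each port in turn, which is why "stealthing" a port does nothing to slow a scanner down.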
> In comp.security.unix Tim Haynes <pig...@glutinous.custard.org> wrote:
> > How about blocking outgoing trojan requests?
>
> If you have a trojan on your computer you can't be safe. A PF is unable
> to protect you from it, especially on operating systems which don't have
> access control (i.e. Windows < NT or Windows NT with default admin user).
I said *outgoing* trojan requests. If you have one on your box you still
have a duty to the rest of the world to stop it getting any further.
> > About preventing smurf attacks
>
> A PF can not prevent smurf attacks. A smurf attack will fill your pipe or
> kill the backbone routers of your ISP. The PF will only burn some more
> CPU cycles throwing away all the unwanted traffic, but it will buy you
> nothing. I suspect it will make the situation worse because of the
> additional processing overhead, logging and state keeping. You should
> read about smurf before you think a personal firewall can protect you
> from it.
Tell you what. When your syslogs are giving you >4K/s traffic to your
loghost and you never get a packet designed to spark a smurf attack, you
can talk to me about the packets *I* get every day.
> > and dodgy ICMP stuff and spoofed source/destination IP#s
>
> A reasonable patched window is not vulnerable to "dodgy icmp stuff"
WTF is a `reasonable patched window'?
> so i see no use in a PF. And I am quite sure that in case a new IP/ICMP
> vulnerability is found, the PF won't help you, it is after all using the
> OS's IP stack.
*D'uh*. A firewall operates at the lowest level before the packet is passed
up for any use whatsoever. That's why if you just sink everything you can't
go wrong.
> > And slowing down the evil scanners, too?
>
> Evil scanners will not scan in synchronous mode, this means they can scan
> hundreds of hosts and thousands of ports without waiting for responses.
> A stealth port does not slow down any attacker. And frankly speaking, if
> I have a secure system, why should I bother about those scanners?
You seem to think `a secure system' actually exists.
> So, are you sure you actually have a reason for a PF or is it only that
> those tools have a cool try icon and you feel "like a real man with a
> cool d#"?
I beg your pardon? What is a `cool try icon'?
~Tim
--
The light of the world keeps shining, |pig...@glutinous.custard.org
Bright in the primal glow |http://piglet.is.dreaming.org
No, you can not access ports which are not open. You are absolutely
correct in as far as your understanding takes you.
See below.
Bernd, suppose for a moment that you get a mail worm on your system and it
drops a service on there that you do not know about, or suppose that you
access a bit of malicious Java because you foolishly had JavaScript turned on
when you were browsing the web. Suddenly there is a worm installed and you
don't know that it is there. It phones home and the owner pops in and
finishes the compromise of your system, removes the worm, and installs a
couple of legitimate looking services you will decide were part of the
default install which you *must* have missed... Would a firewall with egress
filtering enabled have protected you?
Where I may be a real expert, you are just a real smart ass. 'Course I
am a real smart ass too, so I doubt that anyone will hold that against you
any more than I might have a right... I don't.
The water is deeper than you think, Bern. Make sure you are a good swimmer
before you go surfin' with the sharks.
-m-
> So, are you sure you actually have a reason for a PF or is it only that
> those tools have a cool try icon and you feel "like a real man with a
> cool d#"?
You are right, on a well configured standard windows box a personal
firewall is mostly overkill. For most users checking that their drives are
not accessible through the DUN is enough. But imagine you have installed
the MS-Personal-Web-And-Ftp-Server (not that far fetched if you want to
do a little web-developing) or any other "cool" gadget. IIRC you can't
configure the MS-server to allow connects only from the local{host|net}
and whoops you have opened your box. I am sure there is at least one
exploit for this configuration.
>
> Greetings Bernd
CU Micha
--
Michail Bachmann: michail....@gmx.net
Ceterum censeo ParvamMolliam esse delendam
Neither a firewall nor a personal firewall can stop malicious code from
phoning home as long as you allow outgoing traffic at all. There are thousands
of ways to tunnel through. In an environment where you have "labeled" security
it might be possible to stop leakage of sensitive data, but on a normal
desktop operating system there is no way.
If the worm does not want to tunnel, it can also alter the personal firewall.
Again, there is no way to prevent malicious code running with super user
privileges from uninstalling or reconfiguring the firewall. Even such funny
stuff like encrypted config files for a firewall won't help you.
There is only one protection against trojans: don't install them.
Of course current firewalls will be able to catch a few common trojans, but
the enemy is always one step in front.
> The water is deeper than you think, Bern. Make sure you are a good
> swimmer
> before you go surfin' with the sharks.
Actually you just dont know my records in this topic. Well, perhaps you might
want to see my old article on that topic:
http://www.cyberpunks.org/display/356/article/index.html
Greetings
Bernd
I repeat myself, you can not protect your system, nor the outside world from
trojans with a personal firewall. The reason for this is that there are too
many possibilities for the trojan to tunnel through open protocols, and there
are even more possibilities for the trojan to disable the personal firewall.
There is only one solution: don't install trojans.
> WTF is a `reasonable patched window'?
Latest Servicepacks and Hotfixes.
> *D'uh*. A firewall operates at the lowest level before the packet is passed
> up for any use whatsoever. That's why if you just sink everything you can't
> go wrong.
The problem with this approach is well known. Just look at application level
firewalls or even stateful inspection. Since they have to pass the packets to
the OS at some time after making a decision, there is often a window between the
assumption the firewall maker made and what the operating system is actually doing.
Either the assumption is too tight, in that case you will break host
functionality in some way (latest PIX/ECN problem), or the assumption is not
tight enough (which is the most common case), then you get problems like the
MIME header overflow in Outlook or simple !-address sendmail exploits from
years back.
Well, history is teaching us, but of course things can change.. I just
won't bet on it.
>> A stealth port does not slow down any attacker. And frankly speaking, if
>> i have a secure system, why should i bother about those scanners?
> You seem to think `a secure system' actually exists.
Well, at least I am sure I don't have to bother with scanners my or your
firewall will detect. I sure have to fear scans which do use new methods. But
those are neither detected by your nor by my security systems.
> I beg your pardon? What is a `cool try icon'?
Tray Icon (typo)
BTW: to set things straight, since, after all, we are posting in a Unix group:
I am personally not against personal firewalls, they have a few advantages,
one of them is the ability to have rules based on programs (something only the
latest Linux kernel can offer with the netfilter module for user ACLs), the
other thing is the good interaction with the user. If you have a remote
firewall or proxy, you always need to run some kind of firewall authentication
agent, and you will miss a great deal of information a personal firewall can
give you.
But one thing a personal firewall (and even a networked one) will not protect
you from is a trojan or malware. Under systems with DAC or MAC (Linux, NT) the
impact of malware is reduced (but still possible), on systems like Win 3.1-ME
there is no way to stop malware. (No way means NOT that PFs are generally
unable to stop any malware, it only means you can't stop all of them, so you
are better off finding another solution.)
Just to give you another pointer: NAI has a cool kernel patch for Linux doing a
kind of lightweight labeled security system. It is called LOMAC. Check it
out, it will increase your system's security by generating a sandbox for networked
programs.
Greetings
Bernd
--
www.freefire.org
> Actually you just dont know my records in this topic. Well, perhaps you
> might want to see my old article on that topic:
>
> http://www.cyberpunks.org/display/356/article/index.html
>
> Greetings Bernd
As I see it it boils down to "Dont Run Unneeded Software On The Firewall"
and with *personal* firewalls you have no way to enforce this.
> i repeat myself, you can not protect your system, nor the outside world from
> trojans with a personal firewall. The reason for this is, that there is too
> many possibilities for the trojan to tunnel through open protocols, and there
> are even more posibilities for the trojan to disable the personal firewall.
There is logic in your reasoning, but I do not agree. Most
demonstration exploits and trojans are written to make use of
non-standard ports. Otherwise when you look at a port listing you'd see
_all_ trojans as coming out of port 21 or 80 or something like that.
It's true that they could all be made slyly, but 95% of the
script-kiddies out there have no clue about 'ports' and aren't likely to
change the source code of their programs.
Having a personal firewall prevents these things from getting out. Yes,
an intelligent hacksor could work around it, but 95% of the attempts you're
going to get hit with are not from the leetest minds around.
Personally, I'd rather know that I got cracked by an intelligent hack
rather than to know that I got 0wn3d by a l00zr....
--
AngryBob
I use Mandrake Linux for the same reason I turn the light switch
on and off 17 times before leaving the room.... If I don't my
family will die. -- I wish I remembered.
I never said otherwise. Most ISPs have clauses in their AUP that prohibit
it. But expecting an ISP that charges $40/month to have the resources to
investigate every scanning complaint is unrealistic; the clause exists for
CYA purposes, not to imply that they will actively disconnect every
scanner.
It may be able to prevent your machine from being used as a smurf
amplifier. But if you're running Windows, I think you're already safe from
that, as it doesn't normally respond to broadcast pings. Most versions of
Unix have a kernel configuration option to disable responding to broadcast
pings.
It doesn't matter whether the script kiddies have a clue about this, what
matters is whether the cracker who wrote the scripts they downloaded do.
And if we can think of the possibility of a trojan disabling the firewall,
so can they.
However, if none of the common trojans currently do this, firewalls do
provide a measure of safety. Eventually the trojans will evolve to solve
this problem (I expect that some trojan authors read these newsgroups, so
if they didn't think of it before, we've now given them the idea), and then
the firewalls won't be as effective.
>It's not illegal to scan anything....
In which jurisdiction?
--
Regards,
Hugh.
>For instance, if you're not running any network servers, you
>don't need a personal firewall.
Whoah! It's not often I disagree with you, Barry, but this one's way wide of
the mark....
--
Regards,
Hugh.
> Try getting cracked by a team that has atleast two members who are better
> than you are... People who don't use other peoples cracks. People who
> write cracks and develop new cracks for the kiddies they use as their
> cover...
> The kind that delight in making it look like the sysop is the problem.
> I'll take kiddies any day, thanks.
<shrug> so the choice is to get cracked by kiddies and never even make
it that far? Granted, firewalling your outgoing isn't going to protect
you from everything, but at least you'll _know_ when you get cracked by
a kiddie.
Here are the scans, this is to port 119; needless to say they are in my
hosts.deny file.
Jay
Feb 11 01:21:51 scs dumpx[30908]: refused connect from authorized-scan1.security.home.net
Feb 11 05:09:02 scs dumpx[32529]: refused connect from authorized-scan1.security.home.net
Feb 11 09:22:54 scs dumpx[1563]: refused connect from authorized-scan1.security.home.net
Feb 11 14:27:33 scs dumpx[3657]: refused connect from authorized-scan1.security.home.net
Feb 11 20:11:21 scs dumpx[6049]: refused connect from authorized-scan1.security.home.net
Feb 12 01:41:24 scs dumpx[8282]: refused connect from authorized-scan1.security.home.net
Feb 12 05:14:26 scs dumpx[9542]: refused connect from authorized-scan1.security.home.net
Feb 12 09:17:26 scs dumpx[10989]: refused connect from authorized-scan1.security.home.net
Feb 12 13:47:31 scs dumpx[12646]: refused connect from authorized-scan1.security.home.net
Barry Margolin <bar...@genuity.net> wrote in message
news:tGje6.6$ss1.328@burlma1-snr2...
> In article <tenaqvnyfbsgrkpm...@news1.chem.utoronto.ca>,
> FEEB <nos...@neverland.com.invalid> wrote:
> >FYI, I am posting here the mail I received from <abuse...@corp.home.net>,
> >as a response to my complaint about repeated attempts to connect to port 10
> >of my various servers from their node.
> >
> >Read it, it would be funny if it weren't so sad. Not a single word of
> >apology, nor any mention of an action taken.
>
> I don't see a real problem with the response. Everything was technically
> accurate. For instance, if you're not running any network servers, you
> don't need a personal firewall.
>
> As far as action taken, I think they're being realistic. They have
> hundreds, maybe even thousands, of customers who are probing, and tracking
> them all down and punishing them is a nearly impossible task. And once
> they track them down, what do you expect them to do about it? Sure, they
> could cancel their account, but they'll just get another account, either
> with another ISP or with the same ISP by providing a different name. It's
> no more than a slap on the wrist, so what's the point?
>
> And these days, with all the people running personal firewalls, I'll bet
> that a significant fraction of the hacking reports they receive are false
> alarms, because the user doesn't know how to interpret the firewall's
> report. If the number of messages posted to comp.security.{misc,unix}
> asking for help interpreting firewall logs is any indication, many users
> are confused by them.
>
> If he actually did compromise your system then you may be able to take
> legal action against him. The response said that if this is the case, you
> should respond with "SYSTEM BREACH" in the subject and they'll help you
> pursue this further.
-- A little experience often upsets a lot of theory.
> @home scans my linux box all the time! They think because a program
> answers on port 119 I'm running a commercial server.
@Home used to be a major source of Usenet spam, and they were
threatened with Usenet Death Penalty. A significant portion of spam
coming out of @Home networks was in fact, relayed through NNTP proxies
users set up for their home networks, which end up accepting postings
from anyone in the world.
@Home got their act together and are scanning their networks for open
NNTP ports (there's little reason to have it open).
What makes you unhappy? They reduced the amount of Usenet spam coming
out of their network quite dramatically.
--
Stanislav Shalunov http://www.internet2.edu/~shalunov/
"Nuclear war can ruin your whole compile." -- Karl Lehenbauer
If it's not a real NNTP server, why not just close the port, instead of
spewing garbage at them? Do you really expect an automated scanner to test
whether the server really implements the NNTP protocol? If it did, it
would result in lots of bogus messages being posted through the systems
that it finds. Since there's virtually no legitimate reason to have a
server on port 119 that isn't an NNTP server, that's good enough to make
them suspect an open relay.
> @home scans my linux box all the time! They think because a program answers
> on port 119 I'm running a commercial server. Stupid idiots. I wrote a
> program that just spews data to them when they connect and they aren't smart
> enough to figure it out, they sent me another warning.
>
> here are the scans, this is to port 119, needless to say they are in my
> hosts.deny file.
i think you need a firewall. to get rid of these annoying messages,
try this
ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 119 -j DENY
i recommend netfilter/iptables because the dynamic stateful firewall
(not shown here) is much easier and more secure.
iptables -A INPUT -i eth0 -p tcp --dport 119 -j DROP
--
J o h a n K u l l s t a m
[kull...@ne.mediaone.net]
sysengr
>If it's not a real NNTP server, why not just close the port, instead of
>spewing garbage at them? Do you really expect an automated scanner to test
>whether the server really implements the NNTP protocol? If it did, it
>would result in lots of bogus messages being posted through the systems
>that it finds. Since there's virtually no legitimate reason to have a
>server on port 119 that isn't an NNTP server, that's good enough to make
>them suspect an open relay.
There is a legitimate reason to put nonstandard things on standard ports,
if you want to have them accessible from the outside through firewalls
that only allow a limited set of ports. At a consulting gig I did last
year for about 7 months, I was behind a firewall that allowed access out
through only a few ports. Among them were 110 (pop) and 119 (smtp).
Among those that were not allowed out were the ports for SSL IMAP (993)
and SSL SMTP (465). So to access my email I set up extra stunnel
processes on 110 and 119 and used them for SSL IMAP and SSL SMTP. A
simple port scan on my box to determine what services I'm running might
think I'm running a POP server and an NNTP server, but they wouldn't get
the expected responses if they tried to use them.
--
Doug Siebert
dsie...@excisethis.khamsin.net
If at first you don't succeed, skydiving is not for you.
"Commercial" has nothing to do with this. @home almost got the
USENET kiss-o-death a short while ago for being a major source
of USENET spam. The reason you can read USENET via your
@home account right now is because @home finally took a
stand on *public*, not commercial, NNTP servers within their
domain.
> Stupid idiots.
More on this later. See below.
> I wrote a
> program that just spews data to them when they connect and they aren't
smart
> enough to figure it out
So you wrote a program to "spew" TCP/UDP packets via
port 119 to show them you are not running a news server
when they test to see if you're running an NNTP server?
Hmm ... maybe their logic for determining what service
is running on a port is crude ..... but port 119 is
officially registered for NNTP.
nntp 119/tcp Network News Transfer Protocol
nntp 119/udp Network News Transfer Protocol
It's not an unreasonable test, I guess they do not account for
people with "spew" programs such as yours.
> they sent me another warning
If you end up losing your broadband cable modem account with
@home, after receiving your n'th warning, you will need to reassess who
of the two parties involved is the real "stupid idiot".
In the meantime, keep your "spew" program running.
Good luck
configure your firewall (ipchains/iptables/whatever it was called for
2.0.*) depending on what is applicable to filter the @home scan.
Doesn't this mean that you were, essentially, engaged in unauthorised use of
your employer's systems?
If a firewall is in place, that is usually a sign of some intent that
certain accesses should _not_ be allowed. To circumvent that would seem to
be quite a serious error, and I know that if I found a contractor on my site
worming his way through protections I had set up - even if he thought my
restrictions made no sense - I would have security pick him up and throw him
out.
The appropriate way for you to deal with a restricted firewall such as that
is either to ask the administrators to open up the services you feel you
need, or to answer your email in some other way, or at some other time.
Hacking your employer's systems is generally considered a serious CLM.
Alun.
~~~~
[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.]
--
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email al...@texis.com
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
[snip]
> Doesn't this mean that you were, essentially, engaged in unauthorised use
> of your employer's systems?
No, merely creative, from what the chap said.
> If a firewall is in place, that is usually a sign of some intent that
> certain accesses should _not_ be allowed. To circumvent that would seem
> to be quite a serious error, and I know that if I found a contractor on
> my site worming his way through protections I had set up - even if he
> thought my restrictions made no sense - I would have security pick him up
> and throw him out.
Let me rephrase that for you. If you think your blocking of specific ports
is going to stop protocols over them, you need a new security consultant.
Looks like you have someone who's
a) creative, not limited to proto==port
b) not anal in holding their approach to security
c) already on site
ready & raring to talk to you.
> The appropriate way for you to deal with a restricted firewall such as
> that is either to ask the administrators to open up the services you feel
> you need, or to answer your email in some other way, or at some other
> time.
>
> Hacking your employer's systems is generally considered a serious CLM.
Only by employers relying on legalism to get themselves round a broken
installation.
~Tim
--
The sun is melting over the hills, |pig...@stirfried.vegetable.org.uk
All our roads are waiting / To be revealed |http://spodzone.org.uk/
> al...@texis.com (Alun Jones) writes:
>
> > The appropriate way for you to deal with a restricted firewall such as
> > that is either to ask the administrators to open up the services you feel
> > you need, or to answer your email in some other way, or at some other
> > time.
> >
> > Hacking your employer's systems is generally considered a serious CLM.
>
> Only by employers relying on legalism to get themselves round a broken
> installation.
And some of them are rather zealous about it. For a peek at the Intel -
Randal Schwartz debacle, see
http://www.rahul.net/jeffrey/ovs/
It is a cautionary tale, but now bears some relevance to this thread.
--
Joe Schaefer "Whenever you find you are on the side of the majority, it is
time to pause and reflect."
--Mark Twain
But the point is that the firewall's configuration usually reflects the
organizations intended security policy. Whether or not they really believe
this will stop someone determined to circumvent it is irrelevant. If you
circumvent it, you are most likely violating the policy that it represents.
Isn't this "creative" use of the firewall essentially what Randal Schwartz
was convicted of?
[snip]
> >Let me rephrase that for you. If you think your blocking of specific
> >ports is going to stop protocols over them, you need a new security
> >consultant.
>
> But the point is that the firewall's configuration usually reflects the
> organizations intended security policy. Whether or not they really
> believe this will stop someone determined to circumvent it is irrelevant.
> If you circumvent it, you are most likely violating the policy that it
> represents.
The difference being `intended security policy'. That policy wasn't
mentioned in the OP's article. For all I know they could have tea & biscuit
sessions to explain the spirit of the thing, in which case there would be
reasonable expectation of restriction to doing "normal" things.
Of course, how an organization expects to have total control over what's
allowed or what's not, in order to be legalistic about it later, is another
matter and rather casts a doubt over the whole lot. As does the idea of
having unimaginative drone employees who'd be best left in the playground
and their jobs automated, with that degree of prescriptiveness flying around.
> Isn't this "creative" use of the firewall essentially what Randal Schwartz
> was convicted of?
I dunno, but I see Joe's posted a relevant URL so I'll have a look at that
ere long.
~Tim
--
And your radiance shines |pig...@stirfried.vegetable.org.uk
Like the moon of all innocent grace |http://spodzone.org.uk/
[snip]
> > > Hacking your employer's systems is generally considered a serious
> > > CLM.
> >
> > Only by employers relying on legalism to get themselves round a broken
> > installation.
>
> And some of them are rather zealous about it. For a peek at the Intel -
> Randal Schwartz debacle, see
>
> http://www.rahul.net/jeffrey/ovs/
>
> It is a cautionary tale, but now bears some relevance to this thread.
Indeedie. Well, I've now had a look, and it only seems to confirm that the
world's `justice systems' aren't exactly ready for the 'Net just yet. Bah.
~Tim
--
And we feel these shimmering moments, |pig...@stirfried.vegetable.org.uk
Like silk, the flags of our days |http://spodzone.org.uk/
You know, if my company restricts everything but a couple of ports at the
firewall, I'd say that's a fairly clear suggestion that there may be a
policy in place limiting the use of everything other than the protocols that
normally run over such ports. I'd go ask. I'd expect that if I merely
hacked my way through, and was found out (who's to say the firewall isn't
the first stage in a 'honeypot'?), I'd be fired on the spot, and be damned
lucky not to be up on charges of unauthorised access.
> Of course, how an organization expects to have total control over what's
> allowed or what's not, in order to be legalistic about it later, is another
> matter and rather casts a doubt over the whole lot. As does the idea of
> having unimaginative drone employees who'd be best left in the playground
> and their jobs automated, with that degree of prescriptiveness flying around.
Whether you believe in a free and unfettered workplace, the fact remains
that it's your employer, not you, who is paying for all Internet access
through their systems. Just as with a stationery cabinet, a small amount of
non-work use is to be expected and somewhat condoned, but when abuse is
suspected, expect to find a lock on the door, or a sign-out sheet, or
similar measures.
Morally speaking, it's not your equipment to play with, but your employer
might allow a certain leeway to reflect the fact that there are some things
you can only do during work hours, when he expects you to be at your desk.
Legally speaking, however, if your employer doesn't want you using his email
system for your own purposes, then it doesn't matter how easy it is to do
so, such access is unauthorised and illegal. And morally, to do so would be
wrong.
I'm well aware that protocol!=port. However, if someone's blocking all but
port 119 at a site I'm working at, then I'd take that as an indication that
they're really rather unlikely to want me using anything other than a
newsreader through their firewall.
I know that I can funnel anything from mail to VPN through that port with
suitable tunneling, but I'm also aware that if my employers search all bags
coming in to the facility looking for drugs, they're hardly likely to think
I'm "creative" for holding my stash in a condom in my mouth while I pass
through the security search.
> Looks like you have someone who's
> a) creative, not limited to proto==port
> b) not anal in holding their approach to security
> c) already on site
> ready & raring to talk to you.
Looks like you have someone who's willing to sidestep security measures in
order to get his own way. Just what you want as a consultant, right? I
don't think so. If a consultant is going to get "creative", as you put it,
on my dime, then I want to know about it - before he does it. If I find out
after the fact, then I think I'd be wanting to know why someone I'd hired
was so interested in subverting security measures that hinted at a basic
underlying policy.
> > Hacking your employer's systems is generally considered a serious CLM.
>
> Only by employers relying on legalism to get themselves round a broken
> installation.
I doubt that the firewall was the only item in place - I suspect that such a
company would also have a security policy for its staff to sign. The
firewall is, if you like, a hint - rather like putting up metal detectors on
the doors. The fact that you can buy a ceramic pistol, or scale the wall to
get in, doesn't mean that it's okay to bring a gun into the office.
Particularly when working as a consultant in someone else's offices. If you
want email, and the company you're working at has obviously no desire for
you to have easy access, then it's time for you to step outside the office
and use a payphone, or get a cellular modem. Not hack your way out.
[snip]
> > Let me rephrase that for you. If you think your blocking of specific ports
> > is going to stop protocols over them, you need a new security consultant.
>
> I'm well aware that protocol!=port. However, if someone's blocking all
> but port 119 at a site I'm working at, then I'd take that as an
> indication that they're really rather unlikely to want me using anything
> other than a newsreader through their firewall.
I'd say I'm allowed to do whatever I like with port 119. If you open it
fully with e.g. ipchains -j ACCEPT or equivalent, you're allowing all
traffic over it, `security policy' or no.
> I know that I can funnel anything from mail to VPN through that port with
> suitable tunneling, but I'm also aware that if my employers search all
> bags coming in to the facility looking for drugs, they're hardly likely
> to think I'm "creative" for holding my stash in a condom in my mouth
> while I pass through the security search.
I hardly think that a fair comparison. Wrong-doing quite often doesn't lie
in what you do, but in how you do it, especially in this case.
(Why should 55mph be OK but 56 not? Why are laws so arbitrary? But I
digress.)
> > Looks like you have someone who's
> > a) creative, not limited to proto==port
> > b) not anal in holding their approach to security
> > c) already on site
> > ready & raring to talk to you.
>
> Looks like you have someone who's willing to sidestep security measures
> in order to get his own way.
Nothing wrong with that. Or rather, the only wrong thing with that is "you"
coming along and saying it's wrong.
> Just what you want as a consultant, right?
I suspect you're expecting a different answer to the one I'd give there.
> I don't think so. If a consultant is going to get "creative", as you put
> it, on my dime, then I want to know about it - before he does it. If I
> find out after the fact, then I think I'd be wanting to know why someone
> I'd hired was so interested in subverting security measures that hinted
> at a basic underlying policy.
In order to get something done, obviously. After all, "you're" the folks
who put the hole there, expect it to be used. Be grateful it was a nice
chap who's found it for you in the process of doing something useful, don't
go around jumping to conclusions that infringements of The Policy are
always Bad.
[snip]
~Tim
--
Another day, |pig...@stirfried.vegetable.org.uk
Another apt-get dist-upgrade |http://spodzone.org.uk/
> In article <86snliy...@potato.vegetable.org.uk>, Tim Haynes
> <pig...@stirfried.vegetable.org.uk> wrote:
> > The difference being `intended security policy'. That policy wasn't
> > mentioned in the OP's article. For all I know they could have tea & biscuit
> > sessions to explain the spirit of the thing, in which case there would be
> > reasonable expectation of restriction to doing "normal" things.
>
> You know, if my company restricts everything but a couple of ports at the
> firewall, I'd say that's a fairly clear suggestion that there may be a
> policy in place limiting the use of everything other than the protocols that
> normally run over such ports. I'd go ask. I'd expect that if I merely
> hacked my way through, and was found out (who's to say the firewall isn't
> the first stage in a 'honeypot'?), I'd be fired on the spot, and be damned
> lucky not to be up on charges of unauthorised access.
All I can say is I'm glad not to be in your job.
> Morally speaking, it's not your equipment to play with, but your employer
> might allow a certain leeway to reflect the fact that there are some
> things you can only do during work hours, when he expects you to be at
> your desk. Legally speaking, however, if your employer doesn't want you
> using his email system for your own purposes, then it doesn't matter how
> easy it is to do so, such access is unauthorised and illegal. And
> morally, to do so would be wrong.
Bullshit! Moral right/wrongness are utterly independent of whether your
employer prescribes one way or another. Or is your great & wonderful
employer perfection personified?
~Tim
--
Move a mountain / Fill the ground |pig...@stirfried.vegetable.org.uk
Take death on wheels / Re-create the land |http://spodzone.org.uk/
Even if the company's security policy says otherwise? The policy probably
isn't written in terms of port numbers, but applications, so it would
presumably say that you're allowed to access outside news servers. But
since firewalls usually only know about port numbers, that's the best it
can do. The firewall's configuration isn't the last word in what you're
allowed to do, the written security policy is. The firewall just makes it
easier to enforce the policy.
> In article <86r912w...@potato.vegetable.org.uk>,
> Tim Haynes <pig...@stirfried.vegetable.org.uk> wrote:
> >I'd say I'm allowed to do whatever I like with port 119.
>
> Even if the company's security policy says otherwise?
If I was aware that that was the restriction, obviously I'd have to have a
pretty good reason for doing something else with it. Same as with any
company regulation: you've got to be allowed to have your reasons to behave
differently, otherwise the company simply isn't worth working for.
> The policy probably isn't written in terms of port numbers, but
> applications, so it would presumably say that you're allowed to access
> outside news servers. But since firewalls usually only know about port
> numbers, that's the best it can do. The firewall's configuration isn't
> the last word in what you're allowed to do, the written security policy
> is. The firewall just makes it easier to enforce the policy.
You're confusing `firewall' and `packet filter'. Firewalls include
application/protocol matching, e.g. "allow HTTP", packet filters normally
say "allow 80/tcp". Firewall is a wider term - arguably including libwrap,
for example, as a part of your (coherent :) security policy across the
board. And protocol firewalls do exist, they're just not so commonly
encountered.
(Thought: it must be possible to knock one up on linux somehow. Has anyone
done it yet?)
~Tim
--
Crossing the river, caught in the rain |pig...@stirfried.vegetable.org.uk
Crossing the rhythm, caught in the rain. |http://spodzone.org.uk/
Some firewalls are implemented mainly using packet filters. Checkpoint
Firewall-1, for instance. Even some proxy-based firewalls don't check
application level data; for instance, Gauntlet/fwtk has application-layer
proxies for some protocols, but for others you may have to use plug-gw,
which is a transparent relay.
Judging from the morass of garbage posted (and not just in alt.porn.*)
and SPAM flooding Usenet & e-mail, I'm more inclined to think the
problem is that the 'Net just isn't quite ready for civilization.
Vincent C Jones
--
VCJ...@NetworkingUnlimited.com     | Author of the Addison-Wesley book
Computer Network Consultant        | High Availability Networking with
http://www.networkingunlimited.com | Cisco, see the web link for info.
> In article <86ae7qw...@potato.vegetable.org.uk>,
> Tim Haynes <pig...@stirfried.vegetable.org.uk> wrote:
> >You're confusing `firewall' and `packet filter'. Firewalls include
> >application/protocol matching, e.g. "allow HTTP", packet filters normally
> >say "allow 80/tcp".
>
> Some firewalls are implemented mainly using packet filters. Checkpoint
> Firewall-1, for instance.
Oh, for sure, and here (cols, of the cross-posted groups) they're often
almost synonymous. But the difference is still there.
> Even some proxy-based firewalls don't check application level data; for
> instance, Gauntlet/fwtk has application-layer proxies for some protocols,
> but for others you may have to use plug-gw, which is a transparent relay.
Yep. I've never written anything to sniff the protocol, but it'd be an
interesting line to tread isolating the protocol and avoiding people
sending each other mails with `Content-Type: text/html\n\n' in being
intercepted as HTTP... ;)
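An added example, not code from the thread or from any product named in it, for the question Tim raises about a protocol-aware filter on Linux and the false positive he mentions: a small Python check that classifies the first bytes seen on a port-119 session as an NNTP greeting, a TLS handshake (as with stunnel remapped onto 119), an HTTP start line, or none of these, next to the port-only verdict a packet filter can give. The sample sessions are constructed, and a lone `Content-Type:` header line is deliberately not taken for HTTP.

```python
"""Classify the first bytes of a TCP/119 session by protocol, not by port.

Added example, not from the thread. A packet filter sees only the port number;
the application-layer check below looks at the first bytes either peer sent.
All sample payloads are constructed.
"""
import re

# NNTP server greeting (RFC 977/3977): 200/201 ready, 400/502 refusing service.
NNTP_GREETING = re.compile(rb"^(200|201|400|502) [^\r\n]*\r\n")
# Only a genuine HTTP start line counts as HTTP, never a bare header line.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} [^\r\n]*\r\n")
HEADER_ONLY = re.compile(rb"^[A-Za-z-]+: [^\r\n]*\r?\n")


def classify_payload(first_bytes):
    """Return a protocol label for the first bytes a peer sent on the connection."""
    if not first_bytes:
        return "silent"  # e.g. a TLS server says nothing until the ClientHello arrives
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03):
        return "tls"
    if NNTP_GREETING.match(first_bytes):
        return "nntp"
    if HTTP_REQUEST.match(first_bytes) or HTTP_RESPONSE.match(first_bytes):
        return "http"
    # A "Content-Type: text/html" line on its own is a header, not a request;
    # matching on it alone is the mail-mistaken-for-HTTP false positive.
    if HEADER_ONLY.match(first_bytes):
        return "header-only"
    return "unknown"


def port_filter_verdict(dst_port, allowed_ports=(110, 119)):
    """What a plain packet filter knows: the port number and nothing else."""
    return "allow" if dst_port in allowed_ports else "deny"


def protocol_filter_verdict(dst_port, first_bytes, policy):
    """Allow only if the payload looks like the protocol the policy expects on that port."""
    expected = policy.get(dst_port)
    if expected is None:
        return "deny"
    return "allow" if classify_payload(first_bytes) == expected else "deny"


# Constructed first bytes of four different sessions on port 119.
SESSIONS = {
    "real news server": b"200 news.example.net NNRP server ready (posting ok).\r\n",
    "stunnel (TLS) on 119": b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01",
    "spew program": b"\xff\x00garbage" * 4,
    "mail body header": b"Content-Type: text/html\r\n\r\n<html>",
}

if __name__ == "__main__":
    policy = {119: "nntp"}  # policy written in protocols, enforced per port
    for name, data in SESSIONS.items():
        print(f"{name:22s} packet filter={port_filter_verdict(119)} "
              f"protocol filter={protocol_filter_verdict(119, data, policy)} "
              f"({classify_payload(data)})")
```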
Actually, in my specific case, I am my employer.
I'm talking about the general case, though.
If it's my employer's Internet access, then using it in a manner proscribed
by my employer is morally wrong. It's theft. Similarly, I wouldn't use the
company car to go cruising.
Or are you really trying to tell me that you think it is morally acceptable
to use your employer's resources in a manner that your employer does not
wish you to?
> In article <86itmew...@potato.vegetable.org.uk>, Tim Haynes
> <pig...@stirfried.vegetable.org.uk> wrote:
> > Bullshit! Moral right/wrongness are utterly independent of whether your
> > employer prescribes one way or another. Or is your great & wonderful
> > employer perfection personified?
>
> Actually, in my specific case, I am my employer.
I had this feeling that self-employment would be an interesting case.
[]
> Or are you really trying to tell me that you think it is morally
> acceptable to use your employer's resources in a manner that your
> employer does not wish you to?
Read what I wrote again. Your employer is not perfect (general case noted),
nor are all the regulations in your contract of employment. Rules are only
rules, you can quite happily break them, and if you have good reason then
the reason can override the rule.
Would you not help the police if they came asking (cluefully) about your
employer and you had to use company property to answer them?
Moral choices != company_rules. End of story.
~Tim
--
That morning dawn, with no regrets |pig...@stirfried.vegetable.org.uk
We stood in line, we laughed |http://spodzone.org.uk/
In silhouette |
Of course there are always exceptions in the real world, and common sense
must prevail. But the earlier messages didn't suggest that this was the
case, the implication was that if the firewall allows you to get out on
port 119, anything you do on that port is acceptable. That's not the case;
company policy violations should not be done capriciously. In an emergency
you do what you have to do, but if it's something you need to do routinely
then it would make sense to get an explicit waiver from management, to
avoid problems when someone notices your suspicious activity.
>In article <96a8qk$o2f$1...@sword.avalon.net>, dsie...@excisethis.khamsin.net
>(Douglas Siebert) wrote:
>> There is a legitimate reason to put nonstandard things on standard ports,
>> if you want to have them accessible from the outside through firewalls
>> that only allow a limited set of ports. At a consulting gig I did last
>> year for about 7 months, I was behind a firewall that allowed access out
>> through only a few ports. Among them were 110 (pop) and 119 (smtp).
>> Among those that were not allowed out were the ports for SSL IMAP (993)
>> and SSL SMTP (465). So to access my email I set up extra stunnel
>> processes on 110 and 119 and used them for SSL IMAP and SSL SMTP.
>Doesn't this mean that you were, essentially, engaged in unauthorised use of
>your employer's systems?
>If a firewall is in place, that is usually a sign of some intent that
>certain accesses should _not_ be allowed. To circumvent that would seem to
>be quite a serious error, and I know that if I found a contractor on my site
>worming his way through protections I had set up - even if he thought my
>restrictions made no sense - I would have security pick him up and throw him
>out.
>The appropriate way for you to deal with a restricted firewall such as that
>is either to ask the administrators to open up the services you feel you
>need, or to answer your email in some other way, or at some other time.
>Hacking your employer's systems is generally considered a serious CLM.
I handled it in exactly the way you suggest. I spent several days
tracking down the appropriate people (this was a pretty good sized
place) and asked them if there was any way they could open up the
relevant ports. They said the last time the configuration was changed
was about five years ago to open up SSL HTTP, and asked if I couldn't
just remap the services I needed to different ports, as that is how they
have handled similar requests in the past. He even helpfully provided
a list of the ports they pass through. I asked the guy in charge of
the whole operation I was a part of about it, and he said he'd get back
to me. The next day he told me (in writing) to just go ahead and do
that, and if anyone ever said anything to refer them to him.
You have to understand that this place did not provide email accounts
for anyone but employees, assuming consultants would have their own
email, of course. If I didn't have a way to check email during the day
over a network, my only alternative was via modem, and there was only
one modem line easily available and it was almost constantly in use by
other consultants. There were constant problems with people not getting
important email because they didn't have a chance to check it for the
entire day. But had I not been given the OK, I would have just had to
live with it. As it was, several other people did something similar to
what I did, which eased the burden on the phone for those without any
other option.
I'm not dumb enough to risk losing a very good gig by deliberately
violating the security policies of my client, and then brag about it
on a newsgroup that will be indexed for eternity on the web with my
name attached. As it is, there'll be plenty of posts with accusations
against me, which is bad enough, so I probably should just stop
posting if people are going to be so accusatory when they don't know
any of the facts! I wasn't using the example as a "cool hack around
the evil corporate security restrictions", or trying to encourage others
to do that, though I guess I can see how it could have read that way.
I just wanted to illustrate that there are reasons why you might want
to run services on ports other than those that are traditionally
assigned to them.
Please don't be so quick to jump to conclusions and risk harming
someone's reputation in the future.
Perhaps next time it would be appropriate for you to note that you were
explicitly given permission to tunnel through an employer-provided firewall,
in order to avoid the obvious conclusion from being drawn.
> Barry Margolin <bar...@genuity.net> writes:
>
> You're confusing `firewall' and `packet filter'. Firewalls include
> application/protocol matching, e.g. "allow HTTP", packet filters normally
> say "allow 80/tcp". Firewall is a wider term - arguably including libwrap,
> for example, as a part of your (coherent :) security policy across the
> board. And protocol firewalls do exist, they're just not so commonly
> encountered.
>
You're right in that Firewall is a wider term, but I'd prefer to say
more general. A firewall is a system designed to prevent unauthorized
access to or from a private network. All network traffic passes
through the firewall and is subject to security rules. There is
nothing that says what features a device must have before it is
considered a firewall. A system that doesn't route but has a proxy
on it could be considered a firewall (with all the regular services
turned off of course).
--
Dave Newman
dne...@maraudingpirates.org
> In article <96cd65$hc7$1...@sword.avalon.net>, dsie...@excisethis.khamsin.net
> (Douglas Siebert) wrote:
> > Please don't be so quick to jump to conclusions and risk harming
> > someone's reputation in the future.
>
> Perhaps next time it would be appropriate for you to note that you were
> explicitly given permission to tunnel through an employer-provided
> firewall, in order to avoid the obvious conclusion from being drawn.
What, so he has to cover every possible interpretation to avoid your
deliberate misreading?
Add me to your killfile now, I don't want the same bullshit treatment.
~Tim
--
no se encuentra el sistema operativo |pig...@stirfried.vegetable.org.uk
(seen mid-windows 98 installation) |http://spodzone.org.uk/
>A PF can not prevent Smurf Attacks. A smurf Attack will fill your pipe or kill
>the backbone routers of your isp. The PF will only burn some more CPU cycles
>throwing away all the unwanted traffic, but it will buy you nothing. I suspect
>it will make the situation worse because of the additional processing
>overhead, logging and state keeping. You should read about smurf before you
>think a personal firewall can protect you from it.
I use an old P120 for my firewall router and it hits 20% when I have max
traffic from the internet and that is with an IDS examining each packet on top
of that. (I wrote the IDS myself so it is small and light). Packet filters
improve CPU performance by keeping the crap from getting to the application
level of the stack. How can not processing a packet use more CPU than
processing it?
DOS attacks are another topic altogether and are dealt with by having multiple
connections and redundancy in your routers. PF's cannot protect you from DOS
but they don't make it worse.
Suppose someone is scanning for port 111, the benefit of having a PF is that
the scanner does not get an ICMP rejection while the scanner will get one from
you. It appears that my host is turned off completely while your host is now
known to be a valid IP and more likely to be scanned and probed more. Most
script kiddies get frustrated waiting for my box to respond to nmap and go on
to easier targets like yours.
A computer is not a safe. If they are determined they will get in and your
responding to bogus requests via ICMP is going to help them.