 Thread : How to prevent malware from running on your PC
 
Archived from groups: comp.security.firewalls

 

Hi,

because I have mentioned this as a good topic a few times already,
I want to start the discussion ;-)

I think, to prevent malware running on your PC, you should close the
attack vectors with which malware is distributed onto your PC.

That means:

- you should not offer servers to the Internet, so worms or crackers
who are trying to abuse network services have no chance; if your
PC is offering such services, stop them or filter away any traffic
which is intended for those services

- you should handle mails and mail attachments carefully; a virus
scanner can help here to have a look at every attachment before
you're opening it, but you also should use your brain, because
virus scanners cannot be perfect

- you should not use software for communication in the Internet which
implements technology like ActiveX or ActiveScripting, because these
are security design flaws; so don't use Internet Explorer or Outlook
Express

- you should keep at least every software up to date which you're using in the
Internet or for data out of the Internet, because any software you're
using for communication could have an exploit

- you should use your brain before inserting disks into your PC, and
a virus scanner will help also, if you know that virus scanners cannot
be perfect

And keep your system as simple as possible; increasing complexity at any time
is a security risk - try to remove software or to stop software before
adding other software which is intended to control software which also
could be stopped or removed.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"


abc

"Volker Birk" <bumens@dingens.org> wrote in message
news:432ad957@news.uni-ulm.de...
> Hi,
>
> because I have mentioned this as a good topic a few times already,
> I want to start the discussion ;-)
>
> I think, to prevent malware running on your PC, you should close the
> attack vectors with which malware is distributed onto your PC.
>
> That means:
>
> - you should not offer servers to the Internet, so worms or crackers
> who are trying to abuse network services have no chance; if your
> PC is offering such services, stop them or filter away any traffic
> which is intended for those services
>
> - you should handle mails and mail attachments carefully; a virus
> scanner can help here to have a look at every attachment before
> you're opening it, but you also should use your brain, because
> virus scanners cannot be perfect
>
> - you should not use software for communication in the Internet which
> implements technology like ActiveX or ActiveScripting, because these
> are security design flaws; so don't use Internet Explorer or Outlook
> Express
>
> - you should keep at least every software up to date which you're using in the
> Internet or for data out of the Internet, because any software you're
> using for communication could have an exploit
>
> - you should use your brain before inserting disks into your PC, and
> a virus scanner will help also, if you know that virus scanners cannot
> be perfect
>
> And keep your system as simple as possible; increasing complexity at any time
> is a security risk - try to remove software or to stop software before
> adding other software which is intended to control software which also
> could be stopped or removed.
>
> Yours,
> VB.
> --
> "It cannot be that the frustrated ones in Rome decide what happens in
> German bedrooms."
> Harald Schmidt on "World Youth Day"

You obviously don't grasp the concept of how malware is distributed. It is
not just about stopping services, not using OE and IE etc, but
malware/virii/worms/trojans utilise known or unknown flaws in the Windows
OS to attack a PC whilst connected to the internet. Even good old
Linux/Unix/Mac aren't foolproof and can be attacked.
To totally protect a PC, you will need to remove all floppy drives, cd/dvd
drives, disable USB ports and remove the PC from the internet.


> You obviously don't grasp the concept of how malware is distributed.
> It is not just about stopping services, not using OE and IE etc, but
> malware/virii/worms/trojans utilise known or unknown flaws in the
> Windows OS to attack a PC whilst connected to the internet. Even good
> old Linux/Unix/Mac aren't foolproof and can be attacked.

> To totally protect a PC, you will need to remove all floppy drives,
> cd/dvd drives, disable USB ports and remove the PC from the internet.

So you know that's impossible and no one is going to do it. One does the
best he or she can do to protect the machine by any means necessary. :)

Duane :)


"Volker Birk" <bumens@dingens.org> wrote in message
news:432ad957@news.uni-ulm.de...
> Hi,
>
> because I have mentioned this as a good topic a few times already,
> I want to start the discussion ;-)
>
> I think, to prevent malware running on your PC, you should close the
> attack vectors, with which malware is distributed onto your PC.
>
> That means:

That means an impossible task because you don't know who you're giving the
advice to or what their experience or knowledge or situation is.
Good advice given to an inexperienced home user may be bad advice if given
to an experienced person in a different situation or even an inexperienced
business user. So there is no set of rules which, if followed by everyone,
will be a good idea for everyone. Therefore I think it's better to leave
people alone to come to their own conclusions about personal firewall
software. I don't use it, but I have little reason to care if other people
do.

>
> - you should not offer servers to the Internet, so worms or crackers
> who are trying to abuse network services have no chance; if your
> PC is offering such services, stop them or filter away any traffic
> which is intended for those services

That would make it a little difficult for me to get any email as I run my
own SMTP server. It would also mean I couldn't use my web server. I don't
run a web site of any importance but it's useful for transferring files to
other places when required.
It would also mean I couldn't do remote access to my PC.

>
> - you should handle mails and mail attachments carefully; a virus
> scanner can help here to have a look at every attachment before
> you're opening it, but you also should use your brain, because
> virus scanners cannot be perfect

I prefer not to get any viruses instead of relying on software to fight
software, however I do sometimes advise other people to use virus scanners
because there's at least some chance that the scanner will know about and
stop the virus BEFORE it does damage.

>
> - you should not use software for communication in the Internet, which
> implements technology like ActiveX or ActiveScripting, because these
> are security design flaws; so don't use Internet Explorer or Outlook
> Express

You're going to have difficulty with Windows Update then, not to mention the
games the kids insist on playing (which use shockwave).

>
> - you should keep at least every software up to date which you're using in the
> Internet or for data out of the Internet, because any software you're
> using for communication could have an exploit

Many vendors use updates as an excuse to get users to purchase the latest
version.
How are users going to tell the difference between this and genuine security
updates?

>
> - you should use your brain before inserting disks into your PC, and
> a virus scanner will help also, if you know, that virus scanners cannot
> be perfect

That means that the person inserting the disk needs to have a brain.
This is not always the case in my experience.

Jason

>
> And keep your system as simple as possible; increasing complexity at any time
> is a security risk - try to remove software or to stop software before
> adding other software which is intended to control software which also
> could be stopped or removed.
>
> Yours,
> VB.
> --
> "It cannot be that the frustrated ones in Rome decide what happens in
> German bedrooms."
> Harald Schmidt on "World Youth Day"


On Fri, 16 Sep 2005 19:28:34 +0100, "Jason Edwards"
<none1@invalid.invalid> wrote:

<snip>

>You're going to have difficulty with Windows Update then,

The real problem with WU is that it's a Trojan. It often changes
settings and opens ports. Now, I've done what Volker suggests
for many years. But it's a good idea to have a sw firewall (I don't
use XP) to block inbound until you can recover from the WU Trojan,
assuming you don't have an external router/fw.

Also, I see no harm in using a sw firewall on an OS other than XP with
its built-in inbound blocking fw. After all, not all malicious code is
smart enough to bypass or disable it. So as long as a sw firewall is
taken with seventeen grains of salt and anti-BS medicine I don't
think the good ones add significant vulnerabilities to the system.
And I like the kind of info Sygate gives me sometimes. It's a valuable
tool, IMO.

Art


"Volker Birk" <bumens@dingens.org> wrote in message
news:432ad957@news.uni-ulm.de...

Question: With DSL, fixed IP, WinXP, Windows Firewall (default config), no
Internet services, Firefox browser, Outlook Express in high-security mode
(no ActiveX)...is a NAT router of any value and why?

thanks,
nf


In article <IpKWe.4642$6e1.4624@newssvr14.news.prodigy.com>,
no.replies@no.where says...
>
> "Volker Birk" <bumens@dingens.org> wrote in message
> news:432ad957@news.uni-ulm.de...
>
> Question: With DSL, fixed IP, WinXP, Windows Firewall (default config), no
> Internet services, Firefox browser, Outlook Express in high-security mode
> (no ActiveX)...is a NAT router of any value and why?

Yes, it keeps things from reaching your computer - period - it means
that even if there is a hole in the OS or the Firewall provided by MS,
that it won't be reached unless you invite it in.

--

spam999free@rrohio.com
remove 999 in order to email me


> The real problem with WU is that it's a Trojan.

Yeah, that's it. great comment! That will help.

-Frank


ABC <simonbray@nospamemail.afraid.org> wrote:
> You obviously don't grasp the concept of how malware is distributed.

Surprising.

> It is
> not just about stopping services, not using OE and IE etc, but
> malware/virii/worms/trojans utilise known or unknown flaws in the Windows
> OS to attack a PC whilst connected to the internet.

Which flaws do you mean? Exploits in the IP/ICMP implementation itself?
This is possible, but rather seldom. There were some exploits, but
for some years now, no one has heard of newly found exploits there.

Most of the worms I know of - and that is how I myself would implement
malware, if I were interested in it - rely on bugs in services (e.g.
buffer overflows) which can be used to run arbitrary code, or use exploits
in Internet Explorer or the ActiveX infrastructure around it. Sometimes,
as with the Witty worm, they use the "Personal Firewall" software itself
for distribution.

If there are no services reachable, then this attack vector is closed.

A second main target for attacks is PEBKAC. This is much more difficult.
Social engineering attacks can be implemented in a broad range of ways, and
new ideas are being found every day. I think this is the most difficult
topic, because "don't try to solve social problems with technology, it
will not work".

Technology can help here a little, though. At least, it has to be as
easy as possible for the user to use systems which are using reliable
authorization methods like cryptography and certificates, and to
distinguish between reliable information and questionable information.

I think the main topic for this field will be how this can reliably be
flagged to the user. Here, we're still in the fledgling stages. The
techniques used today, like SSL, are much too complicated to use -
which of the users really knows what a certificate is and how to
check it, if this window with such curious questions pops up?

A third main target are the programs which are used for communication,
say: the browser, the MUA, the IRC client, the IM app, but also
word processing and spreadsheet applications, as well as sound-playing and
video-playing applications, because people like to exchange such documents.
Sometimes Windows Explorer is such an application too *sigh* - think
about the preview exploit.

It is a very bad idea here to involve the user in security topics at all,
as is done with this infamous ActiveX technology, for example. Here
we shouldn't ask the user anything, but provide secure applications.

We need reliable technology for those programs. And here virus
scanners can help to find out if somebody is spreading poisoned
documents, if some provider failed.

> Even good old
> linux/unix/mac aren't foolproof and can be attacked.

Yes, of course. But, your point being?

> To totally protect a PC, you will need to remove all floppy drives, cd/dvd
> drives, disable USB ports and remove the PC from the internet.

Also clear. But, your point being?

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"


Frankster <Frank@spam2trash.com> wrote:
> Everyone should remember that balancing functionality with
> security is the challenge.

Yes, this is the point.

> How much functionality that is necessary depends
> on your needs. Advice like "not offer servers to the Internet" does nothing
> to help the system with a web server requirement.

Yes. We have to distinguish between people who have to do so and people
who don't. But I think we could say: "only offer as few services as
possible, because then the surface which can be attacked is as small as
possible", can't we? Then, for home users, the sentence "do not offer
servers to the internet" usually is true, isn't it?

> Not using "ActiveX,
> Scripting, Internet Explorer or Outlook Express" does nothing to help the
> person that is required to use them.

Yes. But is this a good idea?

I think ActiveX is a design flaw. You get the same functionality
it offers if it's used for web browsers (say: plugins) without having a
system-wide concept like COM for such plugins, but only a browser-dependent
one. So attacks against arbitrary components in the whole system, like with
the problem Tom Ferris recently published, are not possible any more.

To abandon ActiveX and to implement a plugin concept will eliminate such
problems.

> I attended a vendor specific Spyware seminar yesterday.

I think this was a Microsoft seminar, wasn't it? Because only for
Microsoft products are there so many spyware problems today. :-P

> One of the points
> the speaker made was this. Popularity + standardization = vulnerability.

This is too nearsighted. The technology also has to be insecure if it
is to be abused. Usually, if it's complicated, then it's hard to secure.

But of course, if a technology is insecure, and popular and widespread,
then it likely is going to be abused.

> The above is a good example to point out that the real challenge is adding
> security ON TOP OF functionality.

I think this is one of the main misunderstandings we're suffering from.
Security is nothing you can add, and not at all "on top".

Security is something which is in your concept.

If it's not in your concept, usually it's very hard (if not impossible) to
add later.

> Not, reducing functionality to gain
> security.

Of course not.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"


Jason Edwards <none1@invalid.invalid> wrote:
> > - you should not offer servers to the Internet
> That would make it a little difficult for me to get any email as I run my
> own SMTP server.

OK, sorry, what I wrote is capable of being misunderstood. I mean,
"for home users".

> > - you should handle mails and mail attachments carefully; a virus
> > scanner can help here to have a look at every attachment before
> > you're opening it, but you also should use your brain, because
> > virus scanners cannot be perfect
> I prefer not to get any viruses instead of relying on software to fight
> software, however I do sometimes advise other people to use virus scanners
> because there's at least some chance that the scanner will know about and
> stop the virus BEFORE it does damage.

Yes.

> > - you should not use software for communication in the Internet, which
> > implements technology like ActiveX or ActiveScripting, because these
> > are security design flaws; so don't use Internet Explorer or Outlook
> > Express
> You're going to have difficulty with Windows Update then, not to mention the
> games the kids insist on playing (which use shockwave).

The first can be done with Internet Explorer as an exception. The second
also is available for other browsers as a simple plugin, not as a COM
compatible ActiveX control.

> > - you should keep at least every software up to date which you're using in the
> > Internet or for data out of the Internet, because any software you're
> > using for communication could have an exploit
> Many vendors use updates as an excuse to get users to purchase the latest
> version.
> How are users going to tell the difference between this and genuine security
> updates?

I think this is vendor specific. It is the vendor's responsibility
to make this clear, and to offer security updates also for older releases.
Perhaps people who watch this and publicize about vendors who don't can
help.

> > - you should use your brain before inserting disks into your PC, and
> > a virus scanner will help also, if you know, that virus scanners cannot
> > be perfect
> That means that the person inserting the disk needs to have a brain.
> This is not always the case in my experience.

Yes, PEBKAC. But I think it will not work without involving users. Of
course, they have to be involved as little as possible. But education and
training for such topics is necessary.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"


Art <null@zip.com> wrote:
[Windows Update]
> The real problem with WU is that it's a Trojan.

I don't think so.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"


nutso fasst <no.replies@no.where> wrote:
> Question: With DSL, fixed IP, WinXP, Windows Firewall (default config), no
> Internet services, Firefox browser, Outlook Express in high-security mode
> (no ActiveX)...is a NAT router of any value and why?

You can have more than one PC with one single internet connection ;-)
For security purposes? Here: no.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"


On 17 Sep 2005 08:52:14 +0200, Volker Birk <bumens@dingens.org> wrote:

>Art <null@zip.com> wrote:
>[Windows Update]
>> The real problem with WU is that it's a Trojan.
>
>I don't think so.

I recently had occasion to do a fresh install of Win 98SE. As is my
custom, I then proceeded to disable services and make sure the
adapters were bound to TCP/IP only. The netstat -an result was
empty as usual.

After doing a Windows Update ... downloading and installing all
patches and IE 6 sp1 ... I rebooted and to my surprise the Windows
logon screen appeared. Sure enough, my work had been nullified
and netstat -an showed all the usual NETBIOS ports listening. I had
been online for quite some time with DSL service wide open to
attack. Luckily, I took no hits.

To protect yourself from the WU trojan, you can keep the install
file of your favorite software fw on CD and install it immediately
after installing Windows and before going online. Do your OS hardening
_after_ doing WU since it will undo some of your work. Then if your
sw firewall is disabled for any reason, you'll still be safe going
online.

Art

http://home.epix.net/~artnpeg


"Art" <null@zilch.com> wrote in message
news:kq1oi1lb8ibt04l3uep2f0r8dl53bvc8hb@4ax.com...
> On 17 Sep 2005 08:52:14 +0200, Volker Birk <bumens@dingens.org> wrote:
>
> >Art <null@zip.com> wrote:
> >[Windows Update]
> >> The real problem with WU is that it's a Trojan.
> >
> >I don't think so.
>
> I recently had occasion to do a fresh install of Win 98SE. As is my
> custom, I then proceeded to disable services and make sure the
> adapters were bound to TCP/IP only. The netstat -an result was
> empty as usual.
>
> After doing a Windows Update ... downloading and installing all
> patches and IE 6 sp1 ... I rebooted and to my surprise the Windows
> logon screen appeared. Sure enough, my work had been nullified
> and netstat -an showed all the usual NETBIOS ports listening. I had
> been online for quite some time with DSL service wide open to
> attack. Luckily, I took no hits.

That's one reason why a quick run of both netstat (I prefer tcpview) and
shields up is a good idea after a fresh install (including updates and
applications) of any version of Windows.
But it's a much better idea for home users to be behind an external firewall
box which filters incoming connection requests by default. This doesn't have
to be NAT but NAT is likely to be the cheapest way.
There is no reason why this filtering cannot be done in a DSL or cable modem
but this may create an administration problem (and thus cost a lot of money)
for ISPs. Some of us would rather do our own filtering but it would be best
for ISPs to do it for others.

Jason

> To protect yourself from the WU trojan, you can keep the install
> file of your favorite software fw on CD and install it immediately
> after installing Windows and before going online. Do your OS hardening
> _after_ doing WU since it will undo some of your work. Then if your
> sw firewall is disabled for any reason, you'll still be safe going
> online.
>
> Art
>
> http://home.epix.net/~artnpeg
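Art's "netstat -an after a fresh install" check, and Jason's advice to run netstat (or tcpview) after installing updates, written up as a script. This is an added example, not code from anyone in the thread: it parses Windows-style `netstat -an` text and lists the sockets reachable from the network, flagging the NetBIOS/SMB ports Art found listening again after Windows Update. The sample output is constructed, and the NETBIOS_PORTS set is an assumption about which ports that post refers to.

```python
"""Post-install listening-port check (added example, not from the thread).

Parses the text output of ``netstat -an`` (Windows format) and reports
which TCP/UDP sockets accept unsolicited traffic from the network, so a
hardening step undone by an update shows up immediately.
"""
import re
from dataclasses import dataclass

# Assumption: the "usual NETBIOS ports" Art mentions are the NetBIOS/SMB set.
NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed sample, shaped like Windows "netstat -an" output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      64.4.11.42:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    127.0.0.1:1900         *:*
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

# Proto, local addr:port, foreign addr, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(netstat_output):
    """Return sockets that accept unsolicited traffic.

    TCP sockets count only in LISTENING state; UDP sockets have no state
    and are always reachable. Loopback-only binds are skipped because the
    concern in the thread is exposure on the DSL link, not local IPC.
    """
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and column-header lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        if addr.startswith("127.") or addr == "[::1]":
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners

def exposed_ports(netstat_output):
    """Sorted (proto, port) pairs reachable from the network."""
    return sorted({(l.proto, l.port) for l in parse_listeners(netstat_output)})

def netbios_exposed(netstat_output):
    """Subset of exposed_ports() that falls in NETBIOS_PORTS."""
    return [p for p in exposed_ports(netstat_output) if p[1] in NETBIOS_PORTS]

def report(netstat_output):
    """Human-readable verdict; an OK result means the hardening held."""
    ports = exposed_ports(netstat_output)
    if not ports:
        return "OK: no network-reachable listeners"
    lines = [f"WARNING: {len(ports)} network-reachable listener(s)"]
    for proto, port in ports:
        tag = "  <- NetBIOS/SMB" if port in NETBIOS_PORTS else ""
        lines.append(f"  {proto} {port}{tag}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

On a real machine, pipe `netstat -an` into `report()` before and after Windows Update and compare the two results.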


"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d95438b84fc308698a09f@news-server.columbus.rr.com...
> Yes, it keeps things from reaching your computer - period - it means
> that even if there is a hole in the OS or the Firewall provided by MS,
> that it won't be reached unless you invite it in.

Thanks for the reply.

I worked for years behind a software NAT- & firewall-equipped server. HTTP
and mail services were not behind NAT, only workstations. Neither server nor
workstation were ever infected until one day I browsed some 'reputable' news
sites (NYTimes, CNN, NBC...) with lots of advertisements. I did not click on
any ad, yet IE5 got hijacked by CoolWebSearch. IP sharing is good, but I
don't see that NAT did much for security. Stricter security settings,
switching to FireFox, email filtering, and using a blocker HOSTS file* were
sufficient to avoid another intrusion. But I'm advising an elderly lady
who's switching from AOL dialup to DSL, and if I'm missing something--that
HW NAT is going to add protection for her system with no internet services
running and NetBIOS unbound from the NIC--I'd like to know specifically what
it is. My biggest concern is that her system not get infected with a mass
mailer or dos attack zombie.

nf

* http://mvps.org/winhelp2002/hosts.txt


"Volker Birk" <bumens@dingens.org> wrote in message
news:432bbccd@news.uni-ulm.de...
> Jason Edwards <none1@invalid.invalid> wrote:
> > > - you should not offer servers to the Internet
> > That would make it a little difficult for me to get any email as I run my
> > own SMTP server.
>
> OK, sorry, what I wrote is capable of being misunderstood. I mean,
> "for home users".

I am a home user :)

Jason