
Excite@Home Claims Broadband 'Safe' 356

photozz writes: "Ya know it's rare when an article can get me angry, but this has managed. Cable provider Excite@Home claims that their users are 'relatively' free of attack from hackers due to DHCP, and say you should only be concerned if they are storing private information on their PC's. From the article: 'The fear created in consumers' minds is actually greater than the risk that exists,' he said. 'If a customer operates the computer in a safe manner, there shouldn't be any problem.'" Perhaps not surprising that @Home would downplay the risk, but photozz is right -- the fear in broadband customers' minds ought actually be higher, not lower. BackOrifice, zombie attacks etc., ought to frighten the broadband providers into pushing at least simple firewall software themselves perhaps.
  • I have a few friends that use @Home's cable service in the Southwestern Virginia (USA) area w/ Linux. This might only apply to Cox@Home, but their TOS state that they are not allowed to have any servers running. We think this is an effort to keep people from running insecure servers (like the exploited wu-ftpd 2.6.0 that ships w/ Red Hat 6.2) which can be cracked, and then their server can be used to start a DoS attack. In fact, @Home dropped a server in their subnet to scan all the clients for open ports. They got TOS'ed when the scanner detected their SSH servers running and were asked to shut them down w/n a week or lose their connection.

    There are probably two other reasons why @Home's TOS include the "no servers" clause:

    • Bandwidth availability: I live in the dorms at Virginia Tech [www.vt.edu], and a large portion of the on-campus LAN bandwidth gets sucked up by users trading large files (MP3s, bootleg movies, ISOs, etc.) using the horribly bandwidth-intensive Windows file sharing (the SMB protocol). While on a 10Mbps switched LAN this isn't too much of a problem, it can bring a network of cable modems to its knees.

    • CYA: If the RIAA goes after @Home b/c it willfully allowed the illegal distribution of copyrighted material, @Home is gonna quickly die a painful death, and a lot of people are gonna be lacking a high-bandwidth connection.

    The idea is worth merit and makes sense from a business standpoint when you think about it. I'd rather not go into that, though; this reply is already long enough. ;)

  • by state*less ( 246807 ) on Monday October 23, 2000 @06:48PM (#681494)
    DHCP is actually a weakness for a well trained hacker. In case you haven't read some of the papers I direct you to:

    http://www.3com.com/technology/tech_net/white_papers/503011.html

    Basically describes how a well trained hacker can act as a DHCP server thereby giving the victim whatever IP it wants or worse give it a DNS server run by the hacker which opens up all kinds of possibilities (i.e. fake websites, ftp sites, you name it).

    Time is Change.
  • EVERYONE with a "broadband" (ie. faster than 56k) connection should IMMEDIATELY follow the following steps:

    1) Install Linux, FreeBSD, or GNU.
    2) Connect to the Internet.
    3) post your hostname and root password on Slashdot.
    4) wait.

    yup, XX-31337.whatever.home.com will magically point to your IP - even if it changes.

    I'd do this just to see what happens... :)

    Nevermind

    Verbatim
  • I have @home service and it rocks. (I managed to get a static IP too. Nice personal staging setup for my hobby projects! But forget trying to get support from them. The first question in their script is to review DHCP settings. Sheesh.)

    When I tried contacting their support to see if they could recommend a firewall or other protection, I was told they have no recommendations. Not that they were protecting me. Not that DHCP was the cat's meow. Nope. Not even an assurance that all was well. Just an emphatic, we have no recommendations for you.

    So I did some searching and reading and I found a firewall on my own. But it baffles me that they explicitly choose not to help their customers secure their machines. Dumb, head in the sand policy.

  • ... at least according to Attrition [attrition.org]'s statistics about operating systems on cracked web servers [attrition.org].

    Compare this to Linux's web server market share [netcraft.com] according to Netcraft [netcraft.com].

    Together, this tells me that Windows boxes are more likely to get cracked than Unix boxes. Of course, the numbers may be different for home systems, but as these are the only numbers I have I'll believe them until something better shows up.

    Cheers //Johan

  • I know two people who subcontract work from the local @home affiliate (no names, obvious reasons). They are specifically instructed to not even breathe the word "firewall" in front of the customer. The only thing that they're supposed to do is go in, install Buford (@home's branded Aieee/Netscrape hackjob), and get out.

    Between the proliferation of broadband access, and the way that @home's "service" is structured, I'm extremely surprised that we haven't seen any more seriously massive DDOS attacks-- I'd say that at least 98% of @home's subscriber boxes are sitting naked on the net, just waiting to be bent over.

  • I too use @home. I run an ipchains firewall with a very tight ruleset. I monitor my logs and I've noticed that @home scans, at least in my area, for port 119 every 4 hours on the dot. It's not just my IP, it's across my area. I have a friend on the other side of town who gets the same scans and we're not even on the same subnet. I know that newsfeeds take up a lot of bandwidth, but damn! The scan originates from 24.0.0.203 which resolves to authorized-scan1.security.home.net. Is there anybody else out there who is getting scanned by @home itself? And if so, what ports?

    On top of @home's scanning, I get multitudes of other random scans for various ports. I get the usual scans for port 80,21,23,25,110 all the way from Japan to Germany and from the East to West coast of the US. I also got scanned for port 98 (linuxconf) - if you have linuxconf service running you'd better disable it if you don't want to get hacked. Run SSH and get rid of telnet if you need to remotely access your box. It is imperative that anyone who has a cable connection use some kind of firewall. @home is full of shit if they tell you their network is safe. I've known many people, even geeks, get taken out because of some script kiddie or cracker.
  • by drsoran ( 979 ) on Monday October 23, 2000 @06:54PM (#681506)
    I agree. OpenBSD is absolutely beautiful for a cheap home NAT'ing firewall. I found myself one of those nice Siemens Linux terminals (IDT 200MHz Winchip, 64 megs of ram, built in ethernet and SVGA onboard) on an onsale.com auction, popped an old 545 meg hard drive into it and two $15 Realtek PCI ethernet cards (also via onsale) and voila. OpenBSD firewall box complete with onboard third interface for services network. ;-)
    I highly recommend this to even the most bigoted Linux advocates. I was one of them before I tried it. Linux is fine for my desktop box but I'll make damn sure from now on it'll stay behind my OpenBSD firewall on my DSL. :-)
  • there are also problems with spammers using cable-modem boxen as mail relay...wouldn't be the first time i've seen that happen...

    //rdj
  • I've been on RoadRunner for almost 2 years. I don't think I've had more than 5 IP addresses in that time. About 2 months ago my RedHat 6.2 firewall was getting crashed about every other day. I could see a ton of ftp attempts getting blocked, so I assumed someone published the wrong IP for their warez/mp3z server. I thought I would try to change my IP. The only way I could do it was to swap out the ethernet card and get a new MAC address. I suppose I could have left it shut down for a day or two, but didn't have the time.

    Then I moved to OpenBSD [openbsd.org] and haven't had a crash since. Well, that's not exactly true. I did have one, but once I taped over the power button on that machine, my 1-year old can't pull that trick again.

    There is no way I would run my Win2000 or NT4 Server boxes without a firewall. I've got a two-page list of what I need to do to attempt to secure an NT4 or Win2000 web server.

  • I didn't see anyone else posting this, so I thought i'd share:

    I have DSL through USWest, which is now Qwest, and to the best of my knowledge, it is pretty secure from the get go.

    My DSL 'modem' (would calling it a router be too hard for people?) is a Cisco 675. It gets an IP via DHCP from Qwest. However, its internal IP is 10.0.0.1 and all of the other computers on the inside get assigned a 10.0.0.X address via DHCP (from the router). When I want to get to a computer on the inside, I have to open up a port on the router. For example, 23 and 80 go through to my linux box. Is this as safe as I think it is?

    ---

  • So true, now what's your IP again???

  • by joshv ( 13017 ) on Monday October 23, 2000 @05:38PM (#681525)
    DHCP is used as a convenience for the ISP, allowing them to reallocate IP addresses dynamically, but they tend to re-allocate infrequently. My cable modem has given me the same IP address for over 6 months.

    Even if used to re-assign IP addresses on a regular basis DHCP is not a security feature. Your box only needs to be up long enough to be cracked. The fact that your box might not be at the same IP address tomorrow makes it a slightly less attractive target, but I am sure a smart cracker could install something that would allow them to find you at whatever IP address you happen to have.

    -josh

  • by jetpack ( 22743 )
    DHCP makes you safe? That's fairly humorous. As soon as you log onto IRC, some script kiddie has already done an /nslookup on you and started scanning your box looking for holes with some warscript.

    I'm currently running an OpenBSD firewall and am pretty happy with it, altho my linux firewall previously did a fine job. The point is to do *something* to keep out the riff-raff.

    Sure, the heavy-hitters won't be bothering to crack most DHCP boxes, but there are plenty of kiddies out there that are itching to crack *any* box and make a mess of it.

    The Internet isn't some little town where you know everyone ... you do *not* want to leave your front door wide open.
  • I've been using broadband DSL for quite a while, and some of the things that pass by my firewall are disgusting. I'm not even located on the usual 24.X.X.X range that is often associated with cable modem attacks, and every day I get no less than 10 or 20 attack attempts registered on PortSentry [psionic.com]. As we all know, it's a dangerous web out there, and I'd really pity the foo' that doesn't use a dedicated firewall in conjunction with a broadband connection. Safe web surfing is one thing, but let's be serious, folks.
  • What is wrong with people! You don't leave the back door to your house open at night. Anytime you go online, regardless of the method, you are opening a back door to your computer!!

    If you go online anywhere with your personal/financial data on the computer and you do not use encryption/firewalls, then you DESERVE to get your life screwed up by some punk who can prove he's smarter at getting your information than you are at keeping it.

    As for @HOME, When I went online with their service I got probed by several ip addresses in the domain. One letter to abuse@home.com and I have not seen these ip addresses touch my system again.

    In short, Encrypt what you don't want others to see, Firewall the computers that you don't want others to probe. And rat out those that try to your ISP's abuse email account.

    80% of the human race are idiots, 20% are morons, and 10% know what they are doing.
    Chris Sutter

  • by gamorck ( 151734 ) <jaylittle AT jaylittle DOT com> on Tuesday October 24, 2000 @03:41AM (#681530) Homepage
    To put it rather bluntly:

    Personal Computer Security is NOT the responsibility of the ISP. If you acquire broadband service in your home - then you have also acquired with it the inherent responsibility to protect your computer system from the would-be hackers of the internet. Why should it be the ISP's problem? They only provide the connection, not the content. By that same logic it seems rather short sighted to turn around and say they must secure your computer from the content you choose.

    The term "Personal Computer" means just that - a personal computer. But when you place that computer at a permanent address on the internet - you are taking your chances and it is YOUR responsibility to minimize those chances.

    Example: Let's say you buy a new mailbox and leave it sitting on your kitchen table inside your house. Well after a few weeks it becomes apparent that the mailbox is fairly useless without access to the outside world (aka the internet) so you place it on your front lawn and begin to send and receive mail.

    So what happens when some punk kid starts swiping social security checks from mailboxes? Hmmmmmm..... yeah it's illegal but would you even consider blaming the US Postal Service for something that is obviously your problem? (Solution: get a PO Box)

    People need to start taking responsibility. If you have a permanent, fast connection to the internet take the extra time to learn a little about computer security. If you don't want to care about it, or if you can't fathom opening a book and actually finding out just how your computer works, or you are one of those dimwits who actually paid money for an emachine - unplug the network connection NOW.

    Too many people in America are content to simply bitch and moan rather than stand on their own two feet and do something about it. Perhaps you guys can solicit the aid of Al Gore - I'm sure he'll be more than happy to put your computer into his precious little lockbox, right along with trillions of dollars in so called Social Security money you'll never see again.

    In essence - people have confused the term "Internet Service Provider" with "Internet Security Provider" or perhaps in this case even "Internet Safety Provider".

    Gamorck
    "Flame at will"
  • The worst thing (or possibly the best, depending on how you look at it) about the @home service is that they don't even use the DHCP server to change your IP address on occasion. The DHCP server is just there to make it easier for the incompetent tech when he comes to your house to fuck^H^H^H^Hset up your computer. From a DHCP provides security standpoint this is a bug. I tend to think of it as a feature; I know my IP address.

    The skill level of some of these techs is really poor too. When I first got @home a few months ago they sent a tech out to my place. I didn't want to let him near my Linux box (don't think that he would have touched it anyway) and instead let him do his setup thing on my girlfriend's Mac. He had a really hard time with that, and we're talking MacOS here not some really oddball alternate OS. Not a chance in hell these guys know what they're doing enough to properly secure machines. I don't trust them any further than I can throw them.

    What I do think is quite good is an LRP firewall. Charles Steinkuehler has one that I have found to be quite easy to setup and quite secure on his web site [steinkuehler.net]. It's really nice to be able to boot the whole router machine from a write protected floppy and know that if someone does start to mess with it you're only a reboot away from a system w/o any root kits left behind by some k1ddy. Also included are a DHCP server, NAT, and port forwarding. Well worth checking out.
    ________________
    They're - They are
    Their - Belonging to them

  • I keep IPTraf running on my firewall at home. It's in the TCP/UDP port watching mode, whatever it's called. I love coming home and finding screens of port #'s listed as ports that have seen activity. We aren't talking 1-2 packets from a simple TCP connect port scan. I'm talking a couple hundred packets over a mere weekend. Let me see, how many port scans is that... ADSL and Cable modems are the greatest thing since the invention of pron (and you can download a lot of it real fast too!) but it's the worst possible thing for security since the first release of Irix.

  • It doesn't matter what IP you have when people are portscanning:

    24.112.*.*

    The IP blocks of @Home connections are WELL known and are scanned constantly by hax0r dudes across the planet.

    Just treat @Home as a hostile network environment, and act accordingly.
  • I signed up for @Home access about a month ago. It's the best you can get out here in the SW Chicago suburbs other than 56K or ISDN--DSL won't be here for another year or so. I have to say that, this article aside, my experience has been pleasant so far. Download speeds average about 300kbps (I'm not kidding). Everyone I talk to enviously says, "Just wait till your neighbors get hooked up." Well, DSL still has to get shared at some junctions as well--it doesn't matter if that switch is at the CO or at the junction box. I don't have the numbers in front of me, but @Home guarantees 144kbps or something like that.

    Anyway, the point I was trying to make (badly) is that if you're going to maintain a constant connection to the Internet by all means run some type of firewall if you don't want to get your box compromised. I use ZoneAlarm [zonealarm.com] and couldn't be happier with it. I just passed the Port Probe and "Shields Up!" tests at grc.com [grc.com] with flying colors. Some of the scans ZoneAlarm protects me from (as reported by the security checks at GRC):

    • Your Internet port 139 does not appear to exist!
    • Unable to connect with NetBIOS to your computer.
    • Port 21 FTP Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
    • 23 Telnet Stealth! There is NO [...]
    • 25 SMTP Stealth! There is NO [...]
    • 79 Finger Stealth! There is NO [...]
    • 80 HTTP Stealth! There is NO [...]
    • 110 POP3 Stealth! There is NO [...]
    • 113 IDENT Stealth! There is NO [...]
    • 139 Net BIOS Stealth! There is NO [...]
    • 143 IMAP Stealth! There is NO [...]
    • 443 HTTPS Stealth! There is NO [...]
    To date (one month) ZoneAlarm has blocked 139 attempts at unauthorized access.
    --
  • bunch of kiddies get their systems together in one room and try to blow the hell out of each other in Quake arena.

  • go to a 1337 irc channel & say something like "u h4x0rz n0 1337 u sux". Wait a few minutes.

    A default winbloze98 install offers about as much protection as a chickenwire condom.


    Do you hate other human beings?

  • by cybersquid ( 24605 ) on Monday October 23, 2000 @07:13PM (#681552) Homepage
    As Bender might say, Safe my shiny metal ass.

    I'm an @home user. Before I learned the value of having a firewall (LRP [linuxrouter.org] rocks!), I was cracked once (IMAPd [cert.org]) and had my DNS killed (BIND buffer overflow [cert.org]; killed the daemon but didn't get root-kitted).

    Based on my friends logs, an @home customer can expect constant port scans.

    Don't get me wrong - I like the service; people just shouldn't run unsecured systems. (For that matter, nor should you leave the keys in your car. ;-)

    If your O/S is inherently unsecure (like Windows), I would definitely employ a firewall. I use LRP (I like the control), but I know folks having good luck with those cute LinkSys units.

  • by sulli ( 195030 ) on Monday October 23, 2000 @07:14PM (#681553) Journal
    NOT security.

    I work for a major ISP that offers DSL service, and we use DHCP to allocate IP addresses. We do this because it's a pain to type in your IPs, particularly for mobile users, and because it does help allocate IP addresses a bit more efficiently. It's not a protection against someone who scans a pool of IP addresses looking for open shares, as the "911 Worm" did some months ago. Just for IP allocation, that's all.

  • by Platinum Dragon ( 34829 ) on Tuesday October 24, 2000 @04:13AM (#681561) Journal
    How about adding ALL: ALL to /etc/hosts.deny? Is there a way around that?

    Unfortunately, it also locks yourself out of services you might want, such as lpd or X. Then you have to set some permissions in hosts.allow, and there are ways to spoof even localhost.

    Also install port sentry, soon as someone portscans you they'll be locked out by the time they reach port 20.

    Sooner if it's set up properly. However, a lot of the scans that hit me came from people looking for open Netbus ports. Got the occasional scan looking for something else once in a while, along with the usual Wingate detection from IRC servers and @home scans for open NNTP ports.

    Since when do viruses appear in text files? When I type "vi LIFE-STAGES.TXT", will my computer explode?

    It's a trojan that affects mIRC only. It relies on people accepting the file, usually because they have auto-DCC set to on. Really annoying, even for those of us who actually check what gets sent to us before accepting it.

    In windows, if you share (for example), your mp3 directory, as world readable, is there an exploit?

    Not sure, but it wouldn't surprise me to find out one shared directory can be used as a jumping-off point through the use of an exploit to fool Windows into thinking a remote viewer is, in fact, local. It's the same reason *nix people shut down nfsd; you don't even give potential attackers the opportunity to get a beachhead on your system.

    A healthy dose of paranoia is acceptable, but is it worth reducing usability?

    An ounce of prevention is better than a pound of cure.

    -------------
  • by Shagg ( 99693 ) on Tuesday October 24, 2000 @04:13AM (#681562)
    Actually, if you read the article, the majority of it is talking about how INSECURE broadband connections are, and experts were quoted saying that everyone should be running a "personal firewall".

    The DHCP remark was made by a DSL provider, NOT by EXCITE@HOME. The @HOME representative was quoted as saying that their techs take precautions during the installation such as "Disabling file sharing". They also say that people should take more precautions if they have "sensitive information" on their PC, not "private information", and that while Excite@home does not provide such software, they did say that they are willing to help a customer install and set it up to work with their service.

    I'm not much of a fan of @HOME's tech support and security policies either (personally I run an ipchains firewall on my @HOME account), but the original poster made a pretty inaccurate review of the article and painted Excite as being more clueless than they actually were.

    Don't be too quick to jump on the "bash @HOME's security advice" bandwagon based upon the poster's comments. Read the quotes in the article for yourself first, the original poster was way off the mark.

  • by dmccarty ( 152630 ) on Monday October 23, 2000 @07:16PM (#681564)
    Let's remember what a cracker does this for: the thrill of the chase, the bragging rights to a successful crack, and (more maliciously) any rewards from the compromised site.

    Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligible. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)

    Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes. I'm not trying to start a huge flame war here--but the facts speak for themselves. Look at all the rootkits out there. Look at all the successful cracks. Were the servers running Unix and variants thereof? Probably.

    Now I'm not saying that a Unix box can't be properly secured. But the fact remains that more hacker activity is exerted towards cracking Unix and its siblings than Win32 and other OSes--and with good reason: it's easier.

    Interesting discussion invited; flames to /dev/nul please.
    --

  • by wirefarm ( 18470 ) <(jim) (at) (mmdc.net)> on Monday October 23, 2000 @07:19PM (#681569) Homepage
    "Because Windows 98 does not by default have lots of services running and doesn't have a good command prompt, it's harder and a less desirable target for crackers..."

    Would that be "Security through unusability"?

    ;-)
    Cheers,
    Jim in Tokyo
  • by baudtender ( 80377 ) on Monday October 23, 2000 @07:19PM (#681570)
    Don't listen to the baloney that @Home dishes
    out about incompatibility with Linux. I use
    an old 16-meg RAM 486 box with a floppy booted
    copy of EigerStein/Linux router/firewall:

    http://lrp.steinkuehler.net/

    and it has worked perfectly 24X7 since the day
    it went online last June.

    As a cross-platform software developer, the
    client machines on my LAN include Windows
    98, NT, and 2000, and a Red Hat Linux 6.1
    system. All work great with the Linux router/
    firewall. I usually get around 1100 kilobits
    (~130 kilobytes) per second on the receiving
    bandwidth and you'd never know the router/
    firewall was there.

    The EigerStein package can either dynamically
    assign IP addresses to the client machines,
    or you can hardcode them, depending on your
    needs. Additionally, like with any other
    linux router package, you can pass through
    (or lock out) individual ports if you want
    to use something like Napster on the client
    machines.

    There was very little tweaking of the firewall
    configuration files to get it working with @Home
    and DHCP - the hardest part was figuring out the
    real names of the local mail and news servers -
    when installed, the @Home tech will simply use
    "mail" and "news" as the server names. The
    receipt they give you after the install has all
    the info you need to figure them out.

  • Presumably the DHCP relay in the CMTS, as advertised by 3Com, or the DSL aggregation router could be set to prevent the attack described in this paper:

    DHCP Server Spoofing: In DHCP server spoofing, a server that is not the one designated by the carrier responds to the cable client DHCP requests. This may be done maliciously or accidentally. A Windows NT user can by default enable a PC as a DHCP server. A DHCP client, a cable modem or host PC on the cable network, would accept DHCP responses from any server, generally taking the one first received. Rogue DHCP responses can play havoc with network clients' ability to get service. The 3Com smart DHCP relay agent on the CMTS is configurable to distinguish and honor operator-defined DHCP server addresses.

    Is this something that ISPs or users here have experienced in the real world??
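
An added example (not part of the thread or of the 3Com paper it quotes) of the check described in the quoted passage, which also covers the rogue DNS server risk raised in an earlier comment: parse DHCP replies and flag any whose server identifier or DNS option is not on an operator-defined list. The allow-lists, addresses and function names are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MSG_NAMES = {2: "OFFER", 5: "ACK"}

# Assumed operator policy; constructed addresses from documentation ranges.
AUTHORIZED_SERVERS = {ipaddress.IPv4Address("192.0.2.1")}
AUTHORIZED_DNS = {ipaddress.IPv4Address("192.0.2.53")}


def parse_options(data):
    """Walk the code/length/value option field and return {code: bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts[code] = opts.get(code, b"") + value  # repeated options concatenate
        i += 2 + length
    return opts


def parse_reply(payload):
    """Return the fields of a BOOTREPLY that matter for the check, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if payload[0] != BOOTREPLY:
        return None  # client-to-server traffic is not inspected here
    opts = parse_options(payload[240:])
    dns_raw = opts.get(OPT_DNS, b"")
    server_raw = opts.get(OPT_SERVER_ID)
    if len(dns_raw) % 4 or (server_raw is not None and len(server_raw) != 4):
        raise ValueError("malformed address option")
    msg_type = opts.get(OPT_MSG_TYPE) or b"\0"
    return {
        "type": MSG_NAMES.get(msg_type[0], "OTHER"),
        "yiaddr": ipaddress.IPv4Address(payload[16:20]),
        "server_id": ipaddress.IPv4Address(server_raw) if server_raw else None,
        "dns": [ipaddress.IPv4Address(dns_raw[i:i + 4])
                for i in range(0, len(dns_raw), 4)],
    }


def check_reply(payload):
    """Return a list of findings; an empty list means the reply matches policy."""
    reply = parse_reply(payload)
    if reply is None:
        return []
    findings = []
    if reply["server_id"] is None:
        findings.append("reply carries no server identifier")
    elif reply["server_id"] not in AUTHORIZED_SERVERS:
        findings.append("unauthorized DHCP server %s" % reply["server_id"])
    for addr in reply["dns"]:
        if addr not in AUTHORIZED_DNS:
            findings.append("unexpected DNS server %s" % addr)
    return findings


def build_reply(yiaddr, server_id, dns, msg_type=2):
    """Build a constructed BOOTREPLY for the demonstration (not captured traffic)."""
    ip = ipaddress.IPv4Address
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, 0x1234ABCD, 0, 0,
        bytes(4), ip(yiaddr).packed, ip(server_id).packed, bytes(4),
        bytes.fromhex("020000000001"), b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + ip(server_id).packed
    options += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ip(d).packed for d in dns)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed samples: one reply from the designated server, one from another host.
GOOD_REPLY = build_reply("203.0.113.20", "192.0.2.1", ["192.0.2.53"])
ROGUE_REPLY = build_reply("203.0.113.20", "198.51.100.66", ["198.51.100.66"])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_REPLY), ("rogue", ROGUE_REPLY)):
        print(name, check_reply(pkt) or "ok")
```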

  • They're selling you high speed internet access. My DSL provider, CapuNet [capu.net], displays a very sensible article [capu.net] about security in their customer support section. It basically says, your machine is valuable because it has a high speed connection, so do something to secure it. I agree, and that's all they need to say. It is up to the customer to weigh the risks, rewards, and options and act accordingly.

    There are plenty of firewall and security products out there, and if your computer gets compromised, it is not the fault of the service provider. For those here on /., probably the one that many would be interested in is the NetBSD firewall solution [dubbele.com]. If you don't have a machine to dedicate as a firewall, there are plenty of others, including free software like ZoneAlarm [zonealarm.com]. One of the funniest things about this, though, is that a lot of the port scans and other intrusion attempts that people get are coming from their ISP. It would be nice if this was to benefit the customer, but I think it's mainly just to keep an eye on the customer instead.

  • by Anonymous Coward
    This isn't anything terribly new or secret, but your post reminded me of this.

    @home installs "tioga" on your machine. Maybe this is part of Buford? Anyway, this snatchware sits on your machine and reports the applications you run back to @home. This is their first line of defense/attack against people running server software.

    I hadn't really done my homework when I first got @home last year, but did install ZoneAlarm on the machine. That is when I was asked which applications are ok to access the internet. Didn't take long before @home's dirty little secret popped up.

    My advice for other Windoze users is to NOT install anything given by @home. They might make you think you need their software to connect, but you don't. Install ZoneAlarm to only allow apps to access the internet you want, and if you're getting a Christmas present, get yourself a Linksys Router/Firewall for just over $100 (or d-Link, whatever company's you want) That way you can share the fast internet connection with your other machines, and get another level of security, since now the IP address the rest of the world sees is actually your Router.

    Is it fool proof? Most probably not. But it will stop the random modern-day-version of Wardialing the kiddies are up to today. They'll move on to much easier fodder.

  • Best be careful, you might wind up like Nader being sued by MasterCard for your parody. That said, very nicely done:

    Old 486: $50. Geek on a caffeine high: $5, $0 if s/he's already jacked on coffee. OpenBSD or Slackware burned on a CD: $0. A kickass firewall to confound the kiddiez with the latest 'sploits and nmap: priceless.

    Cheers,
    Slak
  • by DreamerFi ( 78710 ) <john.sinteur@com> on Monday October 23, 2000 @07:42PM (#681593) Homepage
    Check out the NetBSD/i386 Firewall Project [dubbele.com]. Far, far easier for a newbie.

    And yes, 15% of the people who visit that web site do so from the @home domain...

    -John
  • There was a user where I used to work who went mental when his machine was _pinged_. It's dangerous to give Windows users software like Zone Alarm or Norton Personal Firewall...
  • Elf Bowling, a holiday-themed bowling simulator for Windows, was not a trojan. There was a hoax [google.com] going around that it carried a virus, but this proved to be false. Either way, you can pick up a clean copy of the latest version here [nstorm.com].
  • Your DHCP lease runs out every so often. Let's say you are fragging away in a game of Q3A. Your IP is 24.5.5.5. All of a sudden, windows renews your IP lease, and you get 24.5.6.7. The quake server has no clue that your IP changed, and ignores the packets now coming from 24.5.6.7. Oops, you just got disconnected.

    You'd have to specifically misconfigure the DHCP server to do this.
    The way it usually works is that the client will attempt to renew the lease at the half way point.
  • by _Sprocket_ ( 42527 ) on Tuesday October 24, 2000 @01:11AM (#681599)
    Let's remember what a cracker does this for: the thrill of the chase, the bragging rights to a successful crack, and (more maliciously) any rewards from the compromised site.

    Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligible. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)

    Different people are motivated by different things. Sure, you're going to have attackers whose interests aren't met by @home customer targets. That doesn't hold for every attacker.

    What's the value of an average user's Windows box?

    Perhaps a script that runs through open shares looking for a default install of financial software and harvesting the user's data. Maybe the script harvests cookie.txt files and scans them for common online bank identifications. Imagine the wealth of information an identity thief could have waiting for them after a day or two running such scripts.

    Maybe the data itself isn't interesting. Instead we have a host with a broadband 24/7 connection. Relatively insecure. Perfect DDoS server host.

    Of course... that's assuming the value is something that normally makes sense. It's great that you mention Quake. Quake cheats are relatively rampant. Why bother playing if you're playing with an artificial advantage - and one that's been "done" before? Yet it happens all the time. In the same line, you have skript kiddies who see themselves as something special if they can poke around, and maybe even delete, some unsuspecting target's files. The fact that it may have been trivial to do so means nothing to them.

    Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes.
    The article opens up with the example of an unknown individual posting messages on target machine's WINDOWS desktops. Apparently enough of a customer base was affected by this "attack" to warrant an FBI investigation.

    It doesn't matter what OS you're using. It doesn't matter if your IP address is constantly moving. Connect a box up to a broadband, persistent connection and it is a target. Being unaware of this is the danger.

  • by DreamerFi ( 78710 ) <john.sinteur@com> on Monday October 23, 2000 @07:48PM (#681600) Homepage
    Step 4: visit www.dubbele.com [dubbele.com]

    I may not be a Geek on a caffeine high, but that firewall is priceless - free, that is :-)

    -John
  • The net as we know it today (unlike the French Minitel of the 80's) doesn't encourage people to put up services. Articles like this; slow adoption of IPv6 by legacy O/S's; it's all part of a general disempowerment consumers are experiencing that favours plans like .Net and hotmail that centralise their information in other people's hands when they should be accessing it from their own machines. Why should I use .Net/hotmail when I can get at my own machine over a constant IPv6 address in a secure manner?

  • to its DSL subscribers. Only for Windows and Macintosh, so I can't use it (I run OS/2 with Injoy Firewall, and Linux). Here's their letter:

    Subject: EarthLink DSL Members - Free Personal Firewall Software
    Date: Thu, 19 Oct 2000 17:27:45
    From: "EarthLink Broadband Team"
    To:

    Dear EarthLink Member,

    EarthLink cares about keeping your information secure, which is why we're
    pleased to offer personal firewall software FREE to our DSL members. Personal
    firewall software monitors all Internet connections to and from your computer
    and alerts you to attempted intrusions.

    This special security package, valued at over $49.95, includes either Symantec
    Norton Personal Firewall 2000 v2.0 for Windows users or Open Door DoorStop
    Personal Firewall 2.0 for Macintosh users. Both of these powerful software
    offerings provide security for your PC and privacy for your personal information.

    In order to register for a digital coupon and download your free copy of
    personal firewall software, please click on the link below.

    http://www.mindspring.net/cgi-bin/dsl.pl?ramunro1@ ix.netcom.com

    After you are registered, you will receive your digital coupon for your
    free software in 2-3 business days.

    Please Note:
    -You must be an EarthLink DSL customer whose service is currently activated.
    If your DSL service is not currently active, you will become eligible for
    this offer upon activation.
    -This offer includes one copy of either PC or Mac personal firewall software
    per DSL account.

    Thank you for choosing EarthLink DSL.

    The EarthLink Broadband Team
  • A nice example of Windows security is the following worm [umd.edu]. Or how about password passing [securityfocus.com]? The only reason Windows machines aren't cracked so often is that they are not so easy to use remotely as Unixen. Windows 2000 is about to change this....

  • I've used @Home for almost a year now and called them up the first week I had it to tell them that I'm a tech and I run several server daemons on my machine to log in from work, etc. They just flagged my account.

    How many people yell and scream about companies, but don't actually just call and say something and be honest for once?
  • The internet is a big scary place, and it behooves the prudent to do the basics - for example, install a firewall. @home can't do all your homework for you - if you're connected full time to the net, then you have to take responsibility for that.
  • FYI: the DHCP lease times on cable providers (Roadrunner anyway) are about 2 hours. Anyone running a firewall will see a ping from them about once an hour or so to see if you're still there. When I asked them, they said they needed to "up" the time to 2 hrs 'cause the "network" folks were screaming about the corporate mandated 15 MINUTE LEASE TIMES. Can you say ping nightmare?

  • by Zagato-sama ( 79044 ) on Monday October 23, 2000 @05:39PM (#681620) Homepage
    Well, I'll be the first to say that @home sucks like no tomorrow. I was one of their first beta testers, and had stuck in until half a year ago when I finally couldn't take their ex-taco bell phone support anymore. Having to stay on hold for twenty minutes in order to get transferred to someone who knows what "traceroute" is bites.

    However, one thing @home didn't do is silly things like this. Please, you want an ISP to infringe upon your freedom and dictate what kind of traffic can come in, and can't come out? Hey that's nice and all, but I'd rather have the freedom to set up a firewall for myself, I don't need my ISP to do that for me. For a website who talks about freedom so much, this is a pretty bogus idea
  • What does @Home do about ICQ? I bet they ignore certain open ports just because John Q. User would be pissed if @Home tells him that he can't run ICQ.

    So, I wonder if you could just set up SSH on the ICQ port, and they'd ignore it. Might even be able to multiplex the port and get both ICQ or SSH out of it depending on the source address or even the first few bytes of each protocol.

    I'm a soon-to-be @Home customer (no alternatives), and it pisses me off that they don't want to allow me to set up an ftp server for my sole use to get files that I forgot.


    PS. I've always wondered why they don't just block incoming SYN packets. There's ways to get around that still, but it'd enforce their policy for 99% of the people.

    PS2. They already cap the bandwidth, so that shouldn't be a problem. I don't see why ISP's or schools don't give users a fixed amount of bandwidth and let them do whatever they want with it. If the user is doing something illegal, then someone can sue the user. End of story.

    PS2. If @Home were to be held liable for assisting warez distribution, then so could any other ISP, including AOL. So at most, a law could be passed that says "in 3 months, you'll be required to block napster ports".
    --

  • by petermarks ( 133408 ) on Monday October 23, 2000 @05:40PM (#681630)

    I use the Australian excite@home, and we get probed every day. It's important to warn consumers about the risks - don't turn any services on that you can't control, stay up to date etc.

    What would be worse would be for the broadband provider to put a big filtered firewall in the way so I couldn't use the internet the way I want.

    What might be best is the ability for consumers to choose "safe/protected" mode or "open" mode where we are responsible for our own firewall.

  • Who the heck moderated this thing up as Informative? It has one link!! To a well-known OS's website, no less!

    Here, I'll be more informative:

    Linux.com [linux.com]
    Linux Kernel [kernel.org]
    Computer Emergency Response Team (CERT) [cert.org]
    Securityfocus.com [securityfocus.com]

    Woo-hoo! Now I'll just kick back, relax, and watch the karma roll in...
  • by nihilogos ( 87025 ) on Monday October 23, 2000 @05:41PM (#681633)
    Optus@home (an Australian cable ISP) states in their FAQ that

    Optus@Home is completely secure if you are using a standard operating system like Windows 98.

    I had a good laugh over that one.
  • A house guest of mine (who is an experienced unix sysadmin) suggested this. When I am finished using the workstation, I would unplug the ethernet connection from the dsl modem that my ISP sold to me with the service.

    If the ethernet is disconnected, then they cannot get into the system.

  • Sure, @Home says they're using DHCP. Every time my system comes up or down, I always get the exact same IP address - it's configured through dhcpcd, but never changes.

    In any case, it's easy enough under Linux, since I'm not doing masq or anything - I just closed off basically every service. All that's listening is Apache, SSH, sendmail (no relay), and imapd (but only to 127.0.0.1 for IMP via httpsd).

    It's not a perfect setup by any means, but between that, a backup of my RPM database, and tripwire, I'm in decent enough shape.
  • This goes even beyond the basic insecurities I'm sure you've all already posted about.

    I just wanted to let you know just how pointless DHCP is here on mediaone (now AT&T broadband) in Massachusetts. The nameserver here allowed me to do a ZONE TRANSFER... yes that's right. It handed over a nice list of every host on the network... users and all. And since the names are usually based directly from MAC address, the IP doesn't even matter. This is a serious security problem that I've notified them about...
  • There's a bug in windows filesharing right now, where the client attempting to connect can specify the length of the password.. Okay, so they specify 1, and that's 256 max to try, 128 avg.

    --
  • When I had my linux box sitting between my cable modem and the outside world, I killed just about every service on eth1(which was connected to the cable modem) except for appletalk, telnet and a couple of others which I wanted to use from work.

    Every once in a while I'd get portscanned. No big deal. If it's some script kiddie, if he doesn't see anything interesting he'll just move on. No response to http requests, and any attempted telnets would give the prompt "Login:". No kernel or distro information to give someone an idea about which buffer overflows to try to exploit.

    If you've ever carried large amounts of cash through "bad" areas you already know how to play this game. It's called "Blend In", if you look as plain and normal as everyone else, you're not going to attract the wrong type of attention. If your machine is responding to requests on every port (figuratively, not literally) and you're giving WAY too much information away in your issue.net, you're making yourself far too tempting of a target for crackers.

    LK
  • One of the parameters passed by DHCP is the gateway. If a rogue server passes a bum gateway address, they can route all of your traffic through them, and sniff it all.

    Veracity check:

    Does DOCSIS prevent this?
    On a DOCSIS net, is the gateway essentially a null field, and your head end is always the gateway?
    Or can you be spoofed into going through your own head end, and gate through the rogue's system?
  • You might want to check the IP of the attacks, I was getting about 30 or so a day until I found out most of them were just pings from the provider asking to renew the lease on the IP

  • What the hell? Having a live IP at ANY point means you are exposed. God forbid anyone take any personal responsibility for their own systems and make sure that they are not at risk. Why would an ISP be responsible for your personal configuration at all? Take care of yourselves... don't expect others to do so. Sorry for the rant but that's like asking the government to stop by and lock your doors at night because you'll forget.
  • I'm not complaining that excite should provide a firewall, but when I was set up, they never mentioned anything about it at all. I know better, but there are a lot of people that don't

  • by niekze ( 96793 ) on Monday October 23, 2000 @05:45PM (#681681) Homepage
    but this would be a good time to mention

    OpenBSD [openbsd.org]

  • I see a few people recommending firewalls or routers with a built-in firewall. Whenever this discussion comes up, I always recommend Zone Alarm [zdnet.com]. It's free (beer, the only one I care about), works great, and is super easy to use. I also like the privacy feature of prompting me when a program is trying to send OUTBOUND packets as well and allowing me to block it.
    ---
  • by Graymalkin ( 13732 ) on Monday October 23, 2000 @05:46PM (#681689)
    When Skeletor finally kicked He-Man's ass he bestowed upon man broadband. There were those that said of this thing nothing good shall come. These nay-sayers tried to convince people that they were in danger of everything. Broadband won't hurt you. Why don't broadband companies invest a few more dollars (offer to their customers at a discount) good cable or DSL modems that have built-in routers with a bit of security. And completely besides the point, where the fuck are my internet active toys? Why can't I plug my microwave into my router and surf the net on its one line monochrome screen? I need to check my fucking email!
  • I think you're right. But silence could also be construed to be negligent too.
  • I'm a Rogers Excite@Home customer, and I can assure everyone @Home broadband is safe: they knock you off their network for hours or days to make sure! You can't get hacked when you're off their network, which is quite often. Service has stunk lately, with email outages lasting entire week-ends (and who knows if emails bounce or are lost). Now that's a good firewall.
  • I'm a member of rogers@home, as I have been for two (unhappy) years.

    I was cracked while my computer was on a dialup connection to my ISP. Completely dynamic IP, not a 24/7 connect by any means. Ever since I've had the experience of using Rogers@home, my friends and I have always received the same IP when renewing their lease with DHCP. It's almost as if they've just taken out the middleman of telling you that your IP address has been assigned and telling you to configure your data, and just assigning it to you using server side software.

    A friend of mine apparently had someone stealing their IP address for two weeks on end. When phoning @home tech support, they traced it to one guy with the incorrect DHCP settings. However, under Acceptable Use Policy, they couldn't do anything but ask him to stop. The result? My friend's DHCP settings constantly returned the same IP, even though it was conflicting.

    She paid for two weeks of @home cable modem usage without being able to use it.

    Fuck you, @home.


    Michael Labbe
  • No, silly, mobile PC users who switch from office networks to DSL connections at home. Carry a laptop around from office to office and you'll quickly see that typing in IPs is a pain in the ass. That's a major reason DHCP is in common use on office networks, and in hotels, and it's why we use it in our DSL service.
  • If you shut down your system for a day or so, you would probably get a different address, as long as your old one has been reassigned in the mean time. That's how it works. It allows them to keep a smaller base of IP's for a larger base of users. Also facilitates subnetting when traffic gets too heavy on one network.

  • Further, it's rather lame that there's no provisions in most dialup, ISDN and xDSL accounts as to how many computers share the bandwidth. As opposed to MediaOne who requires you pay an extra fee in order for other computers in your house to perform such tasks as receiving email..

    They charge extra for more PCs because of the additional IP addresses that would require, not bandwidth. Just set up a Linux/BSD router with NAT or pick up something like the Linksys [linksys.com] cable/DSL router and connect PCs to your heart's content. I have a Linksys with three systems connected and I only pay MediaOne for a one system account.

  • Not just a smart cracker - anyone with half a brain could set up a system on a hacked PC to get it to broadcast its IP when it goes online or changes! I mean, I've done it, and if I can do it anyone can...
  • FlexNet IIRC is only available in Hawai'i and besides which, you do not own your broadband pipe, you're simply paying for access through it. You can't operate a heavy usage email or webserver if your provider says no. You own jack and shit that you're using, you can't dictate terms on something like that. I'd like it if the cable or DSL provider gave me a router/modem that way I don't need to spend any extra money on anything. Having a router at each end is also going to make things simpler because then everyone can use internal IP's that won't get routed and set up effective firewalls without really complex inclusions and exclusions.
  • so,,, just turn it off. I don't care about reporting the scans. Just don't let 'em in... I take it your site is getting their IP or something? I've never had this problem, but I turn off the reporting (I don't have it get the alerts, just block it)
    ---
  • Just for information, a lot of the entries in firewall logs are often from game port scanning robots.

    I suggest to anyone with cable/adsl internet to get themselves a Linksys internet router. It has a built-in firewall and can redirect ports to specified computers for games, ftp, telnet and such. It also has a 100Mbit switch on the internal side and it's cheap! Purchase of the year.
  • >About all that would happen that way is a denial-of-service. Default gateway has to be one hop away. A remote attacker can't specify
    >his own IP address as your gateway, he has to specify another machine on your network. So he can shut you down remotely, but
    >that's about all.

    Understood. I was presuming this MITM attack from someone on my cable network. The subnet mask is 255.255.254.0, so I'm potentially sharing it with almost 500 others. Plus a rogue server could come in on a 10. (or other RFC1918) net.

    >Security is a process, not a state. The more secure you think you are, the less secure you tend to be. Andy Grove would love this
    >field -- 'only the paranoid survive' :-)

    I keep seeing, "I got a really tight firewall from linux-firewall-tools," show up out there, and that mindset bothers me, for just your reason. So far firewall rules tend to be less Open Source than other software. I suspect part of the reason is because people are scared to expose their protection. But IMHO the good side is that firewall rules should be a process, not a thing that you trust. Recently rc.firewall V5 came out. I'm looking at it not to use, but to tighten my own ruleset.
  • Using the @home service is extremely safe if you take the following into consideration:

    - In flame wars, unlike real wars, no one has ever used ICBMs to assault the person they are pissed off at.
    - In cybersex, unlike real sex, no one can get herpes, AIDS, crabs, etc.
    - While running around shooting people in a game such as Quake or Unreal, unlike running around shooting people in school or a post office, the worst wound you can get is blistered fingers.

    I can think of other reasons why @home would be considered safe, but it's all about relativity. Sure, @home might not be safe when compared to other ISPs, but they sure are safe compared to playing hot potato with a hand grenade. :o)

  • I am on @Home, but in my area they don't force us to use DHCP (yet). In my area, you have an IP address assigned to the MAC address of your modem and you keep the same IP address. Of course, they have DHCP available, but you don't have to use it. They are planning on forcing everyone to use DHCP in the future, so they can have more IP addresses available at any given time. They have a class A, how many damn ip addresses do they need? I use my IP address for a lot of things (network administration from work, web server, etc.) I hope they don't try to make me change it every 2 hours. I imagine it will be awhile, they just barely are getting around to putting the 128 kbps cap on my line :( I guess it was good while it lasted, many markets have had the cap on for quite a while.

    As for security, that is total bunk. DHCP does not stop the 5cr1p7 k1ddi35 from scanning a subnet and attempting to hack whatever open ports they can find. Once they have control of a machine, it is trivial to have it mail them or signal them (have it ping an address, or do a POP mail check, or even an ICMP unreachable packet). There are a million methods to get the new IP address when it changes. DHCP helps nothing.


    Enigma


  • Check out Steve Gibson's Shields Up [grc.com], especially if you run Windows. It will probe your IP address for open ports and NetBIOS crap.

  • by Booker ( 6173 ) on Monday October 23, 2000 @05:55PM (#681756) Homepage
    ...[they] should only be concerned if they are storing private information on their PC's

    Oh, gee, that puts my mind at ease... I was really worried that some evil hacker might break in and steal all of my public information. Apparently my fears were unfounded... I only need to be concerned if I have private information on my PC... These fears really are overblown... I mean, who puts private information on their PC, anyway?

    *wipes brow in relief*

    ---

  • I did this too, although can anyone tell me what the hell sunrpc needs to have port 111 open for? Actually, what is sunrpc?

    Is closing off ports enough? I have a nagging feeling that in order to have a reasonably secure box I'm going to need to know a little more about ipchains.
  • Eric,
    It's nice to see a little honesty coming out from behind the corporate veil.

    I've been a comcast@home subscriber from practically day 1, and for the most part have been very satisfied. My biggest problems so far have been:

    • Undependable DNS. My assigned DNS servers seem to go down at least once every other week. This bothers me less now that I have my own caching DNS server; but renders the service useless to most people.
    • Undependable email. I'll take your word that your email department is staffed by idiots. Lately, it takes 2 or 3 tries to connect to the mail server. I might have to go to self-hosting, taking advantage of Tzo's [tzo.com] store & forward service.
    • Really goofy routing. For example, packets going from work to home (3 miles apart in MD) get routed dc (qwest) > chicago (qwest) > cleveland (@home) > nj > dc. There should be a more direct route, since both @home & qwest both have backbone connections in DC. The return route is basically identical. I also see several 10.*.*.* addresses when tracerouting in from work.
  • AT&T won't support linux, but that's far from saying it won't work at all if you know what to do yourself. Here's [computerbits.com] one person's experiences with successfully hooking his linux box up to his @Home service.
  • As a comcast@home customer, I can say for a fact that the NetBIOS ports are definitely filtered and have been for at least the last year or so. I've confirmed this by doing nmap scans of hosts that I knew had open netbios ports and seeing those ports come back as "filtered".
  • Define "break-in attempt". A simple port-scan is NOT a break-in attempt. Repeated attempts from the same address to connect to an open port probably is.

    When I first got @home, I was running 2 ip's with a hub. Each of my pc's was running firewall software (AtGuard on my wife's windoze box and ipchains on my linux box) I would usually log 10 or more port-scans PER DAY on both of my boxes.

    After running this setup for about 2 years, I got a Linksys cable modem router [linksys.com]. Linksys bills this as a "firewall", but its firewalling features are pretty rudimentary -- NAT and some simple port filtering. It's easy enough to defeat this if you know what you are doing, so I don't rely on it as my only layer of defense -- I still have everything behind the router locked down as tightly as I can get it.

    The Linksys router doesn't do any logging, so I don't know how often it's getting probed; but I have not logged ANY scans that made it past the router in the 6+ months that it's been operational [except for the ones that I did myself]. I find this pretty amazing. It seems that even the most basic security measures will deter the vast majority of would-be attackers.

  • If you can't differentiate between a ping request and a portscan, maybe you need to read up a little on TCP/IP. Here is a great place to start: The firewall forensics page [robertgraham.com] It is chock-full of commonly scanned ports (and tasty goodness!).


    Enigma
  • They have a class A, how many damn ip addresses do they need?

    Well,..when the traffic starts to overload in one network, they can subnet off and keep things at a manageable level. This really cuts into the # of available IP addresses. If they are aiming at millions of customers, a class A gets chewed up pretty quickly, thus DHCP scopes.

  • I agree with you that cable modem providers need to do more user education about security. That being said, installing something like Zone Alarm or Norton Internet Security is pretty much asking for a support NIGHTMARE.

    Every clueless luser who installs a personal firewall is going to go batshit that they are being "attacked" 10 times a day. Logging is a Good Thing, but ONLY if you know how to read the fscking logs. I've played with a couple of personal firewall tools for windoze. These kinds of mass market programs need to install with minimal/no logging as the default, to help manage the "chicken little" syndrome. The alternative is to build in AI heuristics that can distinguish between random portscans and a real attack.

    I have a cable modem router. It doesn't do any logging. On the windows box behind the router, I run AtGuard. Ever since the router went up, AtGuard's logs have stayed empty. If an "attack" doesn't get past the router, it doesn't get logged. That's fine with me; I'm not worried about script kiddies who are too dumb to source route through a simple NAT box. If anything DOES get thru and shows up in my AtGuard/ipchains logs, I'm DEFINITELY going to pay attention!
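Several comments above draw the same lines: provider pings are not attacks, a single port scan is not a break-in attempt, and repeated connections from one address to an open port probably are. The sketch below is an added example, not code from any poster or product, that applies those distinctions to a firewall log; the log format, the addresses, the provider host list and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log: "timestamp source protocol dest-port".
SAMPLE_LOG = """\
2000-10-23T18:00:00 192.0.2.1 icmp -
2000-10-23T19:00:00 192.0.2.1 icmp -
2000-10-23T18:05:01 198.51.100.7 tcp 21
2000-10-23T18:05:01 198.51.100.7 tcp 23
2000-10-23T18:05:02 198.51.100.7 tcp 25
2000-10-23T18:05:02 198.51.100.7 tcp 80
2000-10-23T18:05:03 198.51.100.7 tcp 111
2000-10-23T18:05:03 198.51.100.7 tcp 139
2000-10-23T18:10:00 203.0.113.9 tcp 22
2000-10-23T18:10:05 203.0.113.9 tcp 22
2000-10-23T18:10:10 203.0.113.9 tcp 22
2000-10-23T18:10:15 203.0.113.9 tcp 22
2000-10-23T18:10:20 203.0.113.9 tcp 22
2000-10-23T18:20:00 203.0.113.50 tcp 139
2000-10-23T18:21:00 203.0.113.60 icmp -
"""

# Assumptions for this sketch; adjust to your own network.
PROVIDER_HOSTS = {"192.0.2.1"}  # ISP hosts known to ping customers
OPEN_PORTS = {22}               # services this machine really offers
SCAN_PORTS = 5                  # distinct ports from one source => scan
REPEAT_HITS = 5                 # hits on one open port => repeated attempts


def parse_line(line):
    """Return (source, protocol, port or None), or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, src, proto, dport = parts
    return src, proto.lower(), int(dport) if dport.isdigit() else None


def triage(log_text, provider_hosts=PROVIDER_HOSTS, open_ports=OPEN_PORTS):
    """Label every source address that appears in the log."""
    port_hits = defaultdict(lambda: defaultdict(int))  # src -> port -> count
    pings = defaultdict(int)                           # src -> ICMP count
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        src, proto, port = event
        if proto == "icmp":
            pings[src] += 1
        elif port is not None:
            port_hits[src][port] += 1

    verdicts = {}
    for src in set(port_hits) | set(pings):
        hits = port_hits.get(src, {})
        hammered = [p for p, n in hits.items()
                    if p in open_ports and n >= REPEAT_HITS]
        if hammered:
            verdicts[src] = "repeated-attempts"  # worth a human look
        elif len(hits) >= SCAN_PORTS:
            verdicts[src] = "portscan"           # background noise
        elif not hits and src in provider_hosts:
            verdicts[src] = "provider-ping"      # ISP checking on the host
        elif not hits:
            verdicts[src] = "ping"
        else:
            verdicts[src] = "stray-probe"
    return verdicts


def needs_attention(verdicts):
    """Sources a personal firewall should actually alert on."""
    return sorted(s for s, v in verdicts.items() if v == "repeated-attempts")


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

Only the last category raises an alert here; everything else is counted and left in the log.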

  • Probably ping requests from Excite themselves looking to renew the DHCP lease. Send the log in and see what they have to say.

  • I don't know. What's your timeout on the web server? What are the chances of someone else getting that IP in that short amount of time? OK I guess. Tell the author, but my web servers have never generated a quiver on my zone alarm.....
    ---
  • Then you must have a static IP assigned to the MAC address of your modem. It doesn't necessarily have to be set on your system.

  • Sunrpc is remote procedure call, which is a VERY DANGEROUS service to leave open. It is used primarily for NFS(Network Failure^H^H^H^H^H^H^ile System)and NIS(Network Information System), which is basically the same as windows file shares. Usually you don't have NFS mounts available by default, but on some systems you might. Yes you should learn about IP chains. Here is a great site [linux-firewall-tools.com] that will custom-build you a firewall on the fly. Firewall Forensics [robertgraham.com] is also a great page to find out what port scans are looking for. Be careful, I see quite a few scans for RPC in my logs, if you leave it open, you will be compromised sooner or later.


    Enigma
  • Well, he said "attack attempts" not specifically portscans. I know I was a little freaked out at getting 30+ alerts on my first day running a firewall, and found out later most of them were just ping requests.

  • Only one man would give me the raspberry.......

  • by Platinum Dragon ( 34829 ) on Monday October 23, 2000 @06:26PM (#681812) Journal
    DHCP just makes you a slightly moving target, and if an attacker is looking for victims, they probably won't restrict their portscans and probes to single addresses, but IP ranges. I occasionally do a sweep of my university's residence network just for yuks, and I've run across a few unsecured boxen, Windows and Linux alike (the guy in Pitman Hall who just installed Debian, this means you!)

    However, there are some simple ways to make your broadband connection a little bit less like swiss cheese:

    1) Disable file sharing and remote login - Running Windows? Take a look for any folder or file with that little hand icon, and un-share them. Even better, just go into Control Panel -> Network and shut it off completely. Don't think passwords on your shares will help you, as a recent bug was discovered in Win9X share-level password protection where a one-byte character string can be used to bypass a protected share should that byte happen to match the first byte of the actual password. If you're on Linux/*BSD, for the love of Bob shut off NFS, ftpd, telnetd, Apache, and the like until you know what you're doing! Can you say "backdoor"? Even experienced admins leave the occasional hole, and default installs aren't often known for being secure (OpenBSD people, stuff it while I make a point for everyone else:).

    2) Don't let anything run automatically - Java and ActiveX in IE and Netscape installing and running automagically? Kill it. Auto-DCC in IRC clients? Un-auto it. Run attachments on preview in Outlook, or run macros in Word documents? You know the drill. Don't let a damn thing run automatically unless you actually know what's taking place. If I ever see LIFE-STAGES.TXT offered to me by DCC again, I'm going to reach through the monitor and shove a virus scanner up the patoot of the victim. The world doesn't need another Melissa or backdoor being passed around just by opening an e-mail in a brain-dead-by-default program.

    3) Check for patches and follow directions - MS didn't tell people to change their Outlook settings while it took them a month to patch the program in the wake of ILOVEYOU because it was fun for everyone. Red Hat isn't releasing megs of updates for Red Hat 7 so you can sit there and kvetch about buggy .0 releases. You don't think the latest macro virus craze can get you? Think again, spam-boy; why do you think Unix/Linux vendors have been going batshit looking for format string holes in their software offerings? The exploits may be merely theoretical, but it's best to close them up before the theoretical becomes practical (with apologies to the L0pht).

    4) Extra steps if you're really careful and/or paranoid - Old 486: $50. Geek on a caffeine high: $5, $0 if s/he's already jacked on coffee. OpenBSD or Slackware burned on a CD: $0. A kickass firewall to confound the kiddiez with the latest 'sploits and nmap: priceless.

    5) Ignore the DSL/cable pissing contest - Nothing to see here, move along...

    I'm glad to say most cable installers where I live have a brain, and hence make sure filesharing is turned off in Win9x when they set up your system. Linux/BSD geeks usually have to take matters into their own hands, but most usually know enough to at least kill nfsd and ftpd if they're not going to be used. (Incidentally, this is also why Red Hat and others need to stop enabling every conceivable service by default.)

    Closing your box off to kiddies is actually pretty easy. However, back-patting fluff like this Excite dropping does way more harm than good by instilling that false sense of security that leads people to think it's OK to let attachments run automatically, or leave all those services running on their new Mandrake box. Hard advice is better than press releases and misrepresenting technologies as security measures.
    -------------
  • Personal firewalls are the way to go, but the education is humbling for many home users nowadays. What RR does is portscan on the more popular ports (For fun, read http://security.rr.com/, formerly bofh.rr.com). Partially they're hunting down rogue servers. They're ORBSed, and are mainly trying to find the insecure SMTP servers. They also have some security guidelines on their webpage.

    It's not great, but it's something.
  • If a customer operates the computer in a safe manner, there shouldn't be any problem.

    Indeed. Any computer that's sitting with its bare ass out on the net with a static (or even dhcp-assigned) address with all ports open, unnecessary services running, and without a firewall for protection, is just begging to be pillaged.

    It's like sex. Would you have sex without a condom or suitable barrier? You might out of laziness (or the mistaken thought that you're not getting the full experience), but if you do, nine times out of ten, you'll be coming home with an STD. It's the same with firewalls and network security. You might not run one out of laziness, or the mistaken thought the firewall will impede your performance by constraining your movements, slowing down your "bandwidth", or impeding your access to others' ports, but nine times out of ten, you'll be coming home with a cracked box.

    I tell all my lovers, "No glove, no love", and I encourage all of you to tell your sysadmins, "No firewalls, no thigh-or-balls, er, I mean, no service."
  • These personal firewall systems are really starting to piss me off. Now millions of instant "security experts" can shriek every fucking time they get a ping. At home, you'll know you've been r00ted when mysterious traffic starts showing up on your modem or router. Sure, you've noticed someone scanned you, but WTF do you do after that? Send a complaint to the netblock maintainer? Hah, like they care that someone from their thousands of systems ran a portscan on someone in 24.x.x.x!

    At work, your firewall *should* be good enough. Reporting abuses of your network to the maintainer of that netblock may actually produce some results. You *should* have some qualification (read: you know what you're talking about), be able to speak that person's lingo, and *should* have some well documented log excerpts to show a clear pattern of abuse, not some untraceable and/or forgivable indiscretions.

    That's my $0.02.
    --
    There is no K5 [kuro5hin.org] cabal.
  • Doesn't matter what OS you run, if it's misconfigured, it's not going to be secure. Look here [openbsd.org] if you think it is 100% secure. I know you were probably making a bit of a joke when you posted, but I still think it's worth mentioning that no OS is secure unless you maintain and keep it up to date.
  • by jihad23 ( 101840 ) on Monday October 23, 2000 @06:46PM (#681843)

    It should be the responsibility of the company supplying the broadband access to supply and configure a firewall as part of the installation, and explain to the users why it is needed.

    Great. You want to handle the tech support calls when your average cable modem using consumer hoses up his $ISP provided firewall software? I thought not.

    Speaking as someone who used to work in broadband at a large ISP, no fscking way would we get involved in end-user security. Our customers were encouraged to read up on security and run firewall software, but we weren't going to give them the software or provide tech support for it.

    You have to draw the line somewhere. If you help them install/configure a firewall, who is held responsible when it's compromised? Whether or not the ISP should be held responsible, that's exactly how the users would see it.


    --
    Turn on, log in, burn out...
