Excite@Home Claims Broadband 'Safe' 356
photozz writes: "Ya know it's rare when an article can get me angry, but this has managed. Cable provider Excite@Home claims that their users are 'relatively' free of attack from hackers due to DHCP, and say you should only be concerned if they are storing private information on their PC's. From the article:'The fear created in consumers' minds is actually greater than the risk that exists,' he said. 'If a customer operates the computer in a safe manner, there shouldn't be any problem.'" Perhaps not surprising that @Home would downplay the risk, but photozz is right -- the fear in broadband customers' minds ought actually be higher, not lower. BackOrifice, zombie attacks etc., ought to frighten the broadband providers into pushing at least simple firewall software themselves perhaps.
@Home's TOS try to enfoce security (Score:2)
I have a few friends that use @Home's cable service in the Southwestern Virginia (USA) area w/ Linux. This might only apply to Cox@Home, but their TOS state that they are not allowed to have any servers running. We think this is an effort to keep people from running insecure servers (like the exploited wu-ftpd 2.6.0 that ships w/ Red Hat 6.2) which can be cracked, and then their server can be used to start a DoS attack. In fact, @Home dropped a server in their subnet to scan all the clients for open ports. They got TOS'ed when the scanner detected their SSH servers running and were asked to shut them down w/n a week or lose their connection.
There are probably two other reasons why @Home's TOS include the "no servers" clause:
Bandwidth availability: I live in the dorms at Virginia Tech [www.vt.edutargetblank], and a large portion of the on-campus LAN bandwidth gets sucked up by users trading large files (MP3s, bootleg movies, ISOs, etc.) using the horribly bandwith-intesive Windows file sharing (the SMB protocol). While on a 10Mbps switched LAN this isn't too much of a problem, it can bring a network of cable modems to its knees.
CYA: If the RIAA goes after @Home b/c it willfully allowed the illegal distribution of copyrighted material, @Home is gonna quickly die a painful death, and a lot of people are gonna be lacking a high-bandwith connection.
The idea is worth merit and makes sense from a business standpoint when you think about it. I'd rather not go into that, though; this reply is already long enough. ;)
DHCP a vulnerability in itself (Score:3)
http://www.3com.com/technology/tech_net/white_pap
Basically describes how a well trained hacker can act as a dhcp server therby giving the victim whatever ip it wants or worse give it a DNS server run by the hacker which opens up all kinds of possibiltys(i.e. fake websites, ftp sites, you nameit).
Time is Change.
Everyone should... (Score:2)
1) Install Linux, FreeBSD, or GNU.
2) Connect to the Internet.
3) post your hostname and root password on Slashdot.
4) wait.
yup, XX-31337.whatever.home.com will magically point to your IP - even if it changes.
I'd do this just to see what happens...
Nevermind
Verbatim
@Home @asleep (Score:2)
When I tried contacting their support to see if they could recommend a firewall or other protection, I was told they have no recommendations. Not that they were protecting me. Not that DHCP was the cat's meow. Nope. Not even an assurance that all was well. Just an emphatic, we have no recommendations for you.
So I did some searching and reading and I found a firewall on my own. But it baffles me that they explicitly choose not to help their customers secure their machines. Dumb, head in the sand policy.
Windows boxes more dangerous than Unix boxes... (Score:2)
Compare this to Linux's web server market share [netcraft.com] according to Netcraft [netcraft.com].
Together, this tells me that Windows boxes are more likely to get cracked than Unix boxes. Of course, the numbers may be different for home systems, but as these are the only numbers I have I'll believe them until something better shows up.
Cheers //Johan
Re:I use @home (Score:2)
Between the proliferation of broadband access, and the way that @home's "service" is structured, I'm extremely surprised that we haven't seen any more seriously massive DDOS attacks-- I'd say that at least 98% of @home's subscriber boxes are sitting naked on the net, just waiting to be bent over.
@HOME SCANS IT'S OWN USERS!!!! (Score:2)
On top of @home's scanning, I get multitudes of other random scans for various ports. I get the usual scans for port 80,21,23,25,110 all the way from Japan to Germany and from the East to West coast of the US. I also got scanned for port 98(linuxconf) - if you have linuxconf service running you'd better disable it if you don't want to get hacked. Run SSH and get rid of telnet if you need to remotely access your box. It is imperative that anyone who has a cable connection use some kind of firewall. @home is full of shit if they tell you their network is safe. I've known many people, even geeks, get taken out because of some script kiddie or cracker.
Re:not to be a bitch... (Score:3)
I highly recommend this to even the most bigotted Linux advocates. I was one of them before I tried it. Linux is fine for my desktop box but I'll make damn sure from now on it'll stay behind me openbsd firewall on my DSL.
Re:Remember a Cracker's Motive (Score:2)
//rdj
Re:DHCP? What a laugh (Score:2)
I've been on RoadRunner for almost 2 years. I don't think I've had more than 5 IP addresses in that time. About 2 months ago my RedHat 6.2 firewall was getting crashed about every other day. I could see a ton of ftp attempts getting blocked, so I assumed someone published the wrong IP for their warez/mp3z server. I thought I would try to change my IP. The only way I could do it was to swap out the ethernet card and get a new MAC address. I suppose I could have left it shut down for a day or two, but didn't have the time.
Then I moved to OpenBSD [openbsd.org] and haven't had a crash since. Well, that's not exactly true. I did have one, but once I taped over the power button on that machine, my 1-year old can't pull that trick again.
There is no way I would run my Win2000 or NT4 Server boxes without a firewall. I've got a two-page list of what I need to do to attempt to secure an NT4 or Win2000 web server.
NAT at the router (Score:2)
I have DSL through USWest is now Qwest, and to the best of my knowledge, it is pretty secure from the get go.
My DSL 'modem' (would calling it a router be too hard for people?) is a cisco 675. It gets an IP via DHCP from qwest. Howerver, it's internal IP is 10.0.0.1 and all of the other computers on the inside get assigned a 10.0.0.X address via DHCP (from the router). When I want to get to a computer on the inside, i have to open up a port on the router. For example, 23 and 80 go though to my linux box. Is this as safe as I think it is?
---
Re:It's true, what goes on "out there" is horrendo (Score:2)
DHCP? What a laugh (Score:3)
Even if used to re-assign IP addresses on a regular basis DHCP is not a security feature. You box only needs to be up long enough to be cracked. The fact that your box might not be at the same IP address tommorrow makes it a slightly less attractive target, but I am sure a smart cracker could install something that would allow them to find you at whatever IP address you happen to have.
-josh
irc (Score:2)
I'm currently running an OpenBSD firewall and am pretty happy with it, altho my linux firewall previously did a fine job. The point is to do *something* to keep out the riff-raff.
Sure, the heavy-hitters won't be bothering to crack most DHCP boxes, but their are plenty of kiddies out there that are itching to crack *any* box and make a mess of it.
The Internet isn't some little town where you know everyone
It's true, what goes on "out there" is horrendous (Score:2)
Re:I use @home (Score:2)
If you go online anywhere with you personal/finacial data on the computer and you do not use encryption/firewalls, then you DESERVE to get you like screwed up by some punk who can prove he smarter at getting you information that you are at keeping it.
As for @HOME, When I when online with their service I got probed by several ip addresses in the domain. One letter to abuse@home.com and I have not seen these ip addresses touch my system again.
In short, Encrypt what you don't want others to see, Firewall the computers that you don't want others to probe. And rat out those that try to you ISP's abuse email account.
80% of the human race are idiots, 20% are morons, and 10% know what they are doing.
Chris Sutter
@Home Security Issues (Score:3)
Personal Computer Security is NOT the responsibility of the ISP. If you acquire broadband service in your home - then you have also acquired with it the inherent responsibility to protect your computer system for the would-be hackers of the internet. Why should it be the ISP's problem? They only provide the connection, not the content. By that same logic it seems rather short sighted to turn around and say they must secure your computer from the content you choose.
The term "Personal Computer" means just that - a personal computer. But when you place that computer at a pernament address on the internet - you are taking your chances and it is YOUR responsbility to minimize those chances.
Example: Lets say you buy a new mailbox and leave it sitting on your kitchen table inside your house. Well after a few weeks it becomes apparent that the mailbox is fairly useless without access to the outside world (aka the internet) so you place it on your front lawn and begin to send and receive mail.
So whats happens when some punk kid starts swiping social security checks from mailboxes? Hmmmmmm..... yeah it's illegal but would you even consider blaming the US Postal Service for something that is obviously your problem?(Solution: get a PO Box)
People need to start taking responsiblity. If you have a pernament, fast connection to the internet take the extra time to learn a little about computer security. If you dont want to care about it, or if you cant fathom opening a book and actually finding out just how your computer works, or you are one of those dimwits who actually paid money for an emachine - unplug the network connection NOW.
Too many people in America are content to simply bitch and moan rather than stand on their on two feet and do something about it. Perhaps you guys can solicit the aid of Al Gore - I'm sure he'll be more than happy to put your computer into his precious little lockbox, right along with trillons of dollars in so called Social Security money you'll never see again.
In essence - people have confused the term "Internet Service Provider" with "Internet Sercurity Provider" or perhaps in this case even "Internet Safety Provider".
Gamorck
"Flame at will"
@home DHCP == !Security (Score:2)
The skill level of some of these techs is really poor too. When I first got @home a few months ago they sent a tech out to my place. I didn't want to let him near my Linux box (don't think that he would have touched it anyway) and intead let him do his setup thing on my girlfriend's mac. He had a really hard time with that, and we're talking MacOS here not some really oddball alternate OS. Not a chance in hell these guys know what they're doing enough to properly secure machines. I don't trust them any further than I can throw them
What I do think is quite good is an LRP firewall. Charles Steinkuehler has one that I have found to be quite easy to setup and quite secure on his web site [steinkuehler.net]. It's really nice to be able to boot the whole router machine from a write protected floppy and know that if someone does start to mess with it you're only a reboot away from a system w/o any root kits left behind by some k1ddy. Also included are a DHCP server, NAT, and port forwarding. Well worth checking out.
________________
They're - They are
Their - Belonging to them
IPTraf (Score:2)
DHCP Irrelevant. Portscanning IP blocks. (Score:2)
24.112.*.*
The IP blocks of @Home connections are WELL known and are scanned constantly by hax0r dudes across the planet.
Just treat @Home as a hostile network environment, and act accordingly.
Use @Home with ZoneAlarm (Score:2)
Anyway, the point I was trying to make (badly) is that if you're going to maintain a constant connection to the Internet by all means run some type of firewall if you don't want to get your box compromised. I use ZoneAlarm [zonealarm.com] and couldn't be happier with it. I just passed the Port Probe and "Sheilds Up!" tests at grc.com [grc.com] with flying colors. Some of the scans ZoneAlarm protects me from (as reported by the security checks at GRC):
- Your Internet port 139 does not appear to exist!
- Unable to connect with NetBIOS to your computer.
- Port 21
FTP
Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
- 23
Telnet
Stealth! There is NO [...]
- 25
SMTP
Stealth! There is NO [...]
- 79
Finger
Stealth! There is NO [...]
-
80
HTTP
Stealth! There is NO [...]
-
110
POP3
Stealth! There is NO [...]
-
113
IDENT
Stealth! There is NO [...]
-
139
Net
BIOS
Stealth! There is NO [...]
- 143 IMAP Stealth! There is NO [...]
- 443
HTTPS
Stealth! There is NO [...]
To date (one month) ZoneAlarm has blocked 139 attempts at unauthorized access.--
Re:security (Score:2)
Re:Windows 98 security (Score:2)
A default winbloze98 install offers about as much protection as a chickenwire condom.
Do you hate other human beings?
I was cracked (Score:3)
I'm an @home user. Before I learned the value of having a firewall (LRP [linuxrouter.org] rocks!), I was cracked once (IMAPd [cert.org]) and had my DNS killed (BIND buffer overflow [cert.org]; killed the daemon but didn't get root-kitted).
Based on my friends logs, an @home customer can expect constant port scans.
Don't get me wrong - I like the service; people just shouldn't run unsecured systems. (For that matter, nor should you leave the keys in your car. ;-)
If your O/S is inherently unsecure (like Windows), I would definetly employ a firewall. I use LRP (I like the control), but I know folks having good luck with those cute LinkSys units.
DHCP is for ease of use... (Score:4)
I work for a major ISP that offers DSL service, and we use DHCP to allocate IP addresses. We do this because it's a pain to type in your IPs, particularly for mobile users, and because it does help allocate IP addresses a bit more efficiently. It's not a protection against someone who scans a pool of IP addresses looking for open shares, as the "911 Worm" did some months ago. Just for IP allocation, that's all.
Re:DHCP != security (Score:3)
Unfortunately, it also locks yourself out of services you might want, such as lpd or X. Then you have to set some permissions in hosts.allow, and there are way to spoof even localhost.
Alos install port sentry, soon as someone portscans you they'll be locked out by the time they reach port 20.
Sooner if it's set up properly. However, a lot of the scans that hit me came from people looking for open Netbus ports. Got the occasional scan looking for something else once in a while, along with the usual Wingate detection from IRC servers and @home scans for open NNTP ports.
Since when do viruses appear in text files? When I type "vi LIFE-STAGES.TXT", will my computer explode?
It a trojan that affect mIRC only. It relies on people accepting the file, usually because they have auto-DCC set to on. Really annoying, even for those of us who actually check what gets sent to us before accepting it.
In windows, if you share (for example), your mp3 directory, as world readable, is there an exploit?
Not sure, but it wouldn't surprise me to find out one shared directory can be used as a jumping-off point through the use of an exploit to fool Windows into thinking a remote viewer is, in fact, local. It's the same reason *nix people shut down nfsd; you don't even give potential attackers the opportunity to get a beachead on your system.
A healthy dose of paranoia is acceptable, but is it worth reducing usablility?
An ounce of prevention is better than a pound of cure.
-------------
Corrections (Score:5)
The DHCP remark was made by a DSL provider, NOT by EXCITE@HOME. The @HOME representative was quoted as saying that their techs take precautions during the installation such as "Disabling file sharing". They also say that people should take more precautions if they have "sensitive information" on their PC, not "private information", and that while Excite@home does not provide such software, they did say that they are willing to help a customer install and set it up to work with their service.
I'm not much of a fan of @HOME's tech support and security policies either(personally I run an ipchains firewall on my @HOME account), but the original poster made a pretty inaccurate review of the article and painted Excite as being more clueless than they actually were.
Don't be too quick to jump on the "bash @HOME's security advice" bandwagon based upon the posters comments. Read the quotes in the article for yourself first, the original poster was way off the mark.
Remember a Cracker's Motive (Score:4)
Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligable. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)
Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes. I'm not trying to start a huge flame war here--but the facts speak for themselves. Look at all the rootkits out there. Look at all the successful cracks. Were the servers running Unix and variants thereof? Probably.
Now I'm not saying that a Unix box can't be properly secured. But the fact remains that more hacker activity is exerted towards cracking Unix and its siblings than Win32 and other OSes--and with good reason: it's easier.
Interesting discussion invited; flames to /dev/nul please.
--
Re:Elf Bowling (Score:5)
Would that be "Security through unusability"?
;-)
Cheers,
Jim in Tokyo
Linux is a perfect firewall/router for @Home! (Score:3)
out about incompatibility with Linux. I use
an old 16-meg RAM 486 box with a floppy booted
copy of EigerStein/Linux router/firewall:
http://lrp.steinkuehler.net/
and it has worked perfectly 24X7 since the day
it went online last June.
As a cross-platform software developer, the
client machines on my LAN include Windows
98, NT, and 2000, and a Red Hat Linux 6.1
system. All work great with the Linux router/
firewall. I usually get around 1100 kilobits
(~130 kilobytes) per second on the receiving
bandwidth and you'd never know the router/
firewall was there.
The EigerStein package can either dynamically
assign IP addresses to the client machines,
or you can hardcode them, depending on your
needs. Additionally, like with any other
linux router package, you can pass through
(or lock out) individual ports if you want
to use something like Napster on the client
machines.
There was very little tweaking of the firewall
configuration files to get it working with @Home
and DHCP - the hardest part was figuring out the
real names of the local mail and news servers -
when installed, the @Home tech will simply use
"mail" and "news" as the server names. The
receipt they give you after the install has all
the info you need to figure them out.
Re:DHCP a vulnerability in itself (Score:2)
DHCP Server Spoofing: In DHCP server spoofing, a server that is not the one designated by the carrier responds to the cable client DHCP requests. This may be done maliciously or accidentally. A Windows NT user can by default enable a PC as a DHCP server. A DHCP client, a cable modem or host PC on the cable network, would accept DHCP responses from any server, generally taking the one first received. Rogue DHCP responses can play havoc with network clients' ability to get service. The 3Com smart DHCP relay agent on the CMTS is configurable to distinguish and honor operator-defined DHCP server addresses.
Is this something that ISPs or users here have experienced in the real world??
They are not selling you security... (Score:2)
They're selling you high speed internet access. My DSL provider, CapuNet [capu.net], displays a very sensible article [capu.net] about security in their customer support section. It basically says, your machine is valuble because it has a high speed connection, so do something to secure it. I agree, and that's all they need to say. It is up to the customer to weigh the risks, rewards, and options and act accordingly.
There are plenty of firewall and security products out there, and if your computer gets comprimised, it is not the fault of the service provider. For those hear on /., probably the one that many would be interested in is the NetBSD firewall solution [dubbele.com]. If you don't have a machine to dedicate as a firewall, there are plenty of others, including free software like ZoneAlarm [zonealarm.com]. One of the funniest things about this, though, is that a lot of the port scans and other intrusion attempts that people get are coming from their ISP. It would be nice if this was to benefit the customer, but I think it's mainly just to keep an eye on the customer instead.
Re:I use @home (Score:2)
@home install "tioga" on your machine. Maybe this is part of Buford? Anyway, this snatchware sits on your machine and reports the applications your run back to @home. This is their first line of defense/attack against people running server software.
I hadn't really done my homework when I first got @home last year, but did install ZoneAlarm on the machine. That is when I was asked which applications are ok to access the internet. Didn't take long before @home's dirty little secret popped up.
My advice for other Windoze users is to NOT install anything given by @home. They might make you think you need their software to connect, but you don't. Install ZoneAlarm to only allow apps to access the internet you want, and if you're getting a Christmas present, get yourself a Linksys Router/Firewall for just over $100 (or d-Link, whatever company's you want) That way you can share the fast internet connection with your other machines, and get another level of security, since now the IP address the rest of the world sees is actually your Router.
Is it fool proof? Most probably not. But it will stop the random modern-day-version of Wardialing the kiddies are up to today. They'll move on to much easier fodder.
Re:DHCP != security (Score:2)
Old 486: $50. Geek on a caffeine high: $5, $0 if s/he's already jacked on coffee. OpenBSD or Slackware burned on a CD: $0. A kickass firewall to confound the kiddiez with the latest 'sploits and nmap: priceless.
Cheers,
Slak
Better for a newbie (Score:3)
And yes, 15% of the the people who visit that web site do so from the @home domain...
-John
Re:It's a double-edged sword (Score:2)
For the record... (Score:2)
Re:I use @home (Score:2)
You'd have to specifically misconfigure the DHCP server to do this.
The way it usually works is that the client will attempt to renew the lease at the half way point.
Motives (Score:4)
What's the value of an average user's Windows box?
Perhapse a script that runs through open shares looking for a default install of financial software and harvesting the user's data. Maybe the script harvests cookie.txt files and scans them for common online bank identifications. Imagine the wealth of information an identity theif could have waiting for them after a day or two running such scripts.
Maybe the data itself isn't interesting. Instead we have a host with a broadband 24/7 connection. Relatively insecure. Perfect DDoS server host.
Of course... that's assuming the value is something that normally makes sense. Its great that you mention Quake. Quake cheats are relatively rampant. Why bother playing if you're playing with an artificial advantage - and one that's been "done" before? Yet it happens all the time. In the same line, you have skript kiddies who see themselves as something special if they can poke around, and maybe even delete, some unsuspecting target's files. The fact that it may have been trivial to do so means nothing to them.
The article opens up with the example of an unknown individual posting messages on target machine's WINDOWS desktops. Apparently enough of a customer base was affected by this "attack" to warrent a FBI investigation.It doesn't matter what OS you're using. It doesn't matter if your IP address is constantly moving. Connect a box up to a broadband, persistant connection and it is a target. Being unaware of this is the danger.
Re:DHCP != security (Score:4)
I may not be a Geek on a caffeine high, but that firewall is priceless - free, that is
-John
Plays into .NET's Hands (Score:2)
The net as we know it today (unlike the French Minitel of the 80's) doesn't encourage people to put up services. Articles like this; slow adoption of IPv6 by legacy O/S's; it's all part of a general disempowerment consumers are experiencing that favours plans like .Net and hotmail that centralise their information in other people's hands when they should be accessing it from their own machines. Why should I use .Net/hotmail when I can get at my own machine over a constant IPv6 address in a secure manner?
Earthlink offers free firewalls... (Score:2)
Subject: EarthLink DSL Members - Free Personal Firewall Software
Date: Thu, 19 Oct 2000 17:27:45
From: "EarthLink Broadband Team"
To:
Dear EarthLink Member,
EarthLink cares about keeping your information secure, which is why we're
pleased to offer personal firewall software FREE to our DSL members. Personal
firewall software monitors all Internet connections to and from your computer
and alerts you to attempted intrusions.
This special security package, valued at over $49.95, includes either Symantec
Norton Personal Firewall 2000 v2.0 for Windows users or Open Door DoorStop
Personal Firewall 2.0 for Macintosh users. Both of these powerful software
offerings provide security for your PC and privacy for your personal information.
In order to register for a digital coupon and download your free copy of
personal firewall software, please click on the link below.
http://www.mindspring.net/cgi-bin/dsl.pl?ramunro1
After you are registered, you will receive your digital coupon for your
free software in 2-3
business days.
Please Note:
-You must be an EarthLink DSL customer whose service is currently activated.
If your DSL service is not currently active, you will become eligible for
this offer upon activation.
-This offer includes one copy of either PC or Mac personal firewall software
per DSL account.
Thank you for choosing EarthLink DSL.
The EarthLink Broadband Team
Re:Windows 98 security (Score:2)
Re:@Home's TOS try to enfoce security (Score:2)
How many people yell and scream about companies, but don't actually just call and say something and be honest for once?
Re:I use @home (Score:2)
DHCP lease times (Score:2)
No thanks (Score:4)
However, one thing @home didn't do is silly things like this. Please, you want an ISP to infringe upon your freedom and dictate what kind of traffic can come in, and can't come out? Hey that's nice and all, but I'd rather have the freedom to setup a firewall for myself, I don't need my ISP to do that for me. For a website who talks about freedom so much, this is a pretty bogus idea
Re:@Home's TOS try to enfoce security (Score:2)
So, I wonder if you could just set up SSH on the ICQ port, and they'd ignore it. Might even be able to multiplex the port and get both ICQ or SSH out of it depending on the source address or even the first few bytes of each protocol.
I'm a soon-to-be @Home customer (no alternatives), and it pisses me off that they don't want to allow me to set up an ftp server for my sole use to get files that I forgot.
PS. I've always wondered why they don't just block incoming SYN packets. There's ways to get around that still, but it'd enforce their policy for 99% of the people.
PS2. They already cap the bandwidth, so that shouldn't be a problem. I don't see why ISP's or schools don't give users a fixed amount of bandwidth and let them do whatever they want with it. If the user is doing something illegal, then someone can sue the user. End of story.
PS2. If @Home were to be held liable for assiting warez distribution, then so could any other ISP, including AOL. So at most, a law could be passed that says "in 3 months, you'll be required to block napster ports".
--
It's a double-edged sword (Score:5)
I use the austrialian excite@home, and we get probed every day. It's important to warn consumers about the risks, - don't turn any services on that you can't control, stay up to date etc.
What would be worse would be for the broadband provider to put a big filtered firewall in the way so I couldn't use the internet the way I want.
What might be best is the ability for consumers to choose "safe/protected" mode or "open" mode where we are responsible for our own firewall.
Moderators! Ease off the crack! (Score:2)
Here, I'll be more informative:
Linux.com [linux.com]
Linux Kernel [kernel.org]
Computer Emergency Response Team (CERT) [cert.org]
Securityfocus.com [securityfocus.com]
Woo-hoo! Now I'll just kick back, relax, and watch the karma roll in...
You think that's bad (Score:4)
Optus@Home is completely secure if you are using a standard operating system like Windows 98.
I had a good laugh over that one.
Unplug the ethernet cable when you are finished (Score:2)
If the ethernet is disconnected, then they cannot get into the system.
DHCP? Yes. Changing IP? No. (Score:2)
In any case, it's easy enough under Linux, since I'm not doing masq or anything - I just closed off basically every service. All that's listening is Apache, SSH, sendmail (no relay), and imapd (but only to 127.0.0.1 for IMP via httpsd).
It's not a perfect setup by any means, but between that, a backup of my RPM database, and tripwire, I'm in decent enough shape.
***VERY WRONG*** (Score:2)
I just wanted to let you know just how pointless DHCP is here on mediaone (now AT&T broadband) in Massachusets. The nameserver here allowed me to a ZONE TRANSFER... yes thats right. It handed over a nice list of every host on the network... users and all. And since the names are usually based directly from MAC address, the IP doesn't even matter. This is a serious security problem that I've notified them about...
win smb bug (Score:2)
--
A little paranoia and a little common sense go far (Score:2)
Every once in a while I'd get portscanned. No big deal. If it's some script kiddie, if he doesn't see anything interesting he'll just move on. No response to http requests, and any attempted telnets would give the prompt "Login:". No kernel or distro information to give someone an idea about which buffer overflows to try to exploit.
If you've ever carried large amounts of cash through "bad" areas you already know how to play this game. It's called "Blend In", if you look as plain and normal as everyone else, you're not going to attract the wrong type of attention. If you're machine is responding to requests on every port (figuratively, not literally) and you're giving WAY too much information away in your issue.net, you're making yourself far too tempting of a target for crackers.
LK
It's the gateway, stupid... (not you, state*less) (Score:2)
Veracity check:
Does DOCSIS prevent this?
On a DOCSIS net, is the gateway essentially a null field, and your head end is always the gateway?
Or can you be spoofed into going through your own head end, and gate through the rogue's system?
Re:It's true, what goes on "out there" is horrendo (Score:2)
what? (Score:2)
Re: (Score:2)
Re:I use @home (Score:2)
not to be a bitch... (Score:3)
OpenBSD [openbsd.org]
Free alternative (Score:2)
---
Firey balls of broadband (Score:4)
Re:@Home @asleep (Score:2)
@Home firewalls (Score:2)
I've been cracked (Score:2)
I was cracked while my computer was on a dialup connection to my ISP. Completely dynamic IP, not a 24/7 connect by any means. Ever since I've had the experience of using Rogers@home, my friends and I have always received the same IP when renewing their lease with DHCP. It's almost as if they've just taken out the middleman of telling you that your IP address has been assigned and telling you to configure your data, and just assigning it to you using server side software.
A friend of mine apparently had someone stealing their IP address for two weeks on end. When phoning @home tech support, they traced it to one guy with the incorrect DHCP settings. However, under Acceptable Use Policy, they couldn't do anything but ask him to stop. The result? My friend's DHCP settings constantly returned the same IP, even though it was conflicting.
She paid for two weeks of @home cable modem usage without being able to use it.
Fuck you, @home.
Michael Labbe
Re:DHCP is for ease of use... (Score:2)
Re:AT&T@Home.... (Score:2)
Re:I use @home (Score:2)
They charge extra for more PCs because of the additional IP addresses that would require, not bandwidth. Just set up a Linux/BSD router with NAT or pick up something like the Linksys [linksys.com] cable/DSL router and connect PCs to your hearts content. I have a Linksys with three systems connected and I only pay MediaOne for a one system account.
IP broadcast (Score:2)
Re:Firey balls of broadband (Score:2)
Re:Free alternative (Score:2)
---
Game port scanners (Score:2)
I suggest to anyone with cable/adsl internet to get themselves a Linksys internet router. It has a built-in firewall and can redirect ports to specified computers for games, ftp, telnet and such. It also has a 100Mbit switch on the the internal side and it's cheap! Purchase of the year.
Re:It's the gateway, stupid... (not you, state*les (Score:2)
>his own IP address as your gateway, he has to specify another machine on your network. So he can shut you down remotely, but
>that's about all.
Understood. I was presuming this MITM attack from someone on my cable network. The subnet mask is 255.255.254.0, so I'm potentially sharing it with almost 500 others. Plus a rogue server could come in on a 10. (or other RFC1918) net.
>Security is a process, not a state. The more secure you think you are, the less secure you tend to be. Andy Grove would love this
>field -- 'only the paranoid survive'
I keep seeing, "I got a really tight firewall from linux-firewall-tools," show up out there, and that mindset bothers me, for just your reason. So far firewall rules tend to be less Open Source than other software. I suspect part of the reason is because people are scared to expose their protection. But IMHO the good side is that firewall rules should be a process, not a thing that you trust. Recently rc.firewall V5 came out. I'm looking at it not to use, but to tighten my own ruleset.
@home really *IS SAFE* to use. (Score:2)
- In flame wars, unlike real wars, noone has ever used ICBM's to assault the person they are pissed off at.
- In cybersex, unlike real sex, noone can get herpes, aids, crabs, etc.
- While running around shooting people in a game such as Quake or Unreal, unlike running around shooting people in school or a post office, the worst wound you can get is blistered fingers.
I can think of other reasons why @home would be considered safe, but it's all about relativity. Sure, @home might not be safe when compared to other ISPs, but they sure are safe compared to playing hot potato with a hand grenade. :o)
Hope DHCP keeps away from me :( + what security? (Score:4)
As for security, that is total bunk. DHCP does not stop the 5cr1p7 k1ddi35 from scanning a subnet and attempting to hack whatever open ports they can find. Once they have control of a machine, it is trivial to have it mail them or signal them (have it ping an address, or do a POP mail check, or even an ICMP unreachable packet). There are a million methods to get the new IP address when it changes. DHCP helps nothing.
Enigma
Check out Steve Gibson's Shields Up! (Score:2)
Check out Steve Gibson's Shields Up [grc.com], especially if you run Windows. It will probe your IP address for open ports and NetBIOS crap.
Good. Luckily, I have only public information. (Score:3)
Oh, gee, that puts my mind at ease... I was really worried that some evil hacker might break in and steal all of my public information. Apparently my fears were unfounded... I only need to be concerned if I have private information on my PC... These fears really are overblown... I mean, who puts private information on their PC, anyway?
*wipes brow in relief*
---
Re:DHCP? Yes. Changing IP? No. (Score:2)
Is closing off ports enough? I have a nagging feeling that in order to have a reasonably secure box I'm going to need to know a little more about ipchains.
Re:Don't be stupid and make noise about this... (Score:2)
It's nice to see a little honesty coming out from behind the corporate veil.
I've been a comcast@home subscriber from practically day 1, and for the most part have been very satisfied. My biggest problems so far have been:
It does work with linux! (Score:2)
Re:"Safe" Win/Mac only, and Firewalling all servic (Score:2)
Re:I use @home (Score:2)
When I first got @home, I was running 2 ip's with a hub. Each of my pc's was running firewall software (AtGuard on my wife's windoze box and ipchains on my linux box) I would usually log 10 or more port-scans PER DAY on both of my boxes.
After running this setup for about 2 years, I got a Linksys cable modem router [linksys.com]. Linksys bills this as a "firewall", but it's firewalling features are pretty rudimentary -- NAT and some simple port filtering. It's easy enough to defeat this if you know what you are doing, so I don't rely on it as my only layer of defense -- I still have everything behind the router locked down as tightly as I can get it.
The Linksys router dosn't do any logging, so I don't know how often it's getting probed; but I have not logged ANY scans that made it past the router in the 6+ months that it's been operational [except for the ones that I did myself]. I find this pretty amazing. It seems that even the most basic security measures will deter the vast majority of would-be attackers.
Re:It's true, what goes on "out there" is horrendo (Score:2)
Enigma
Re:Hope DHCP keeps away from me :( + what security (Score:2)
Well,..when the trafic starts to overload in one network, they can subnet off and keep things at a managable level. This realy cuts into the # of available IP addresses. If they are aiming at millions of customers, a class A gets chewed up prety quickly, thus DHCP scopes.
Firewalls for the masses? (Score:2)
Every clueless luser who installs a personal firewall is going to go batshit that they are being "attacked" 10 times a day. Logging is a Good Thing, but ONLY if you know how to read the fscking logs. I've played with a couple of personal firewall tools for windoze. These kinds of mass market programs need to install with minimal/no logging as the default, to help manage the "chicken little" syndrome. The alternative is to build in AI heuristics that can distinguish between random portscans and a real attack.
I have a cable modem router. It dosn't do any logging. On the windows box behind the router, I run AtGuard. Ever since the router went up, AtGuard's logs have stayed empty. If an "attack" dosn't get past the router, it dosn't get logged. That's fine with me; I'm not worried about script kiddies who are too dumb to source route through a simple NAT box. If anything DOES get thru and shows up in my AtGuard/ipchains logs, I'm DEFINATLY going to pay attention!
Re:If this is true... (Score:2)
Re:Free alternative (Score:2)
---
Re:AT&T@Home.... (Score:2)
Re:DHCP? Yes. Changing IP? No. (Score:2)
Enigma
Re:It's true, what goes on "out there" is horrendo (Score:2)
Re:Reminder (Score:2)
DHCP != security (Score:5)
However, there are some simple ways to make your broadband connection a little bit less like swiss cheese:
1) Disable file sharing and remote login - Running Windows? Take a look for any folder or file with that little hand icon, and un-share them. Even better, just go into Control Panel -> Network and shut it off completely. Don't think passwords on your shares will help you, as a recent bug was discovered in Win9X share-level password protection where a one-byte character string can be used to bypass a protected share should that byte happen to match the first byte of the actual password. If you're on Linux/*BSD, for the love of Bob shut off NFS, ftpd, telnetd, Apache, and the like until you know what you're doing! Can you say "backdoor"? Even experienced admins leave the occasional hole, and default installs aren't often known for being secure (OpenBSD people, stuff it while I make a point for everyone else:).
2) Don't let anything run automatically - Java and ActiveX in IE and Netscape installing and running automagically? Kill it. Auto-DCC in IRC clients? Un-auto it. Run attachments on preview in Outlook, or run macros in Word documents? You know the drill. Don't let a damn thing run automatically unless you actually know what's taking place. If I ever see LIFE-STAGES.TXT offered to me by DCC again, I'm going to reach through the monitor and shove a virus scanner up the patoot of the victim. The world doesn't need another Melissa or backdoor being passed around just by opening an e-mail in a brain-dead-by-default program.
3) Check for patches and follow directions - MS didn't tell people to change their Outlook settings while it took them a month to patch the program in the wake of ILOVEYOU because it was fun for everyone. Red Hat isn't releasing megs of updates for Red Hat 7 so you can sit there and kvetch about buggy
4) Extra steps if you're really careful and/or paranoid - Old 486: $50. Geek on a caffeine high: $5, $0 if s/he's already jacked on coffee. OpenBSD or Slackware burned on a CD: $0. A kickass firewall to confound the kiddiez with the latest 'sploits and nmap: priceless.
5) Ignore the DSL/cable pissing contest - Nothing to see here, move along...
I'm glad to say most cable installers where I live have a brain, and hence make sure filesharing is turned off in Win9x when they set up your system. Linux/BSD geeks usually have to take matters into their own hands, but most usually know enough to at least kill nfsd and ftpd if they're not going to be used. (Incidentally, this is also why Red Hat and others need to stop enabling every conceivable service by default.)
Closing your box off to kiddies is acutallly pretty easy. However, back-patting fluff like this Excite dropping does way more harm than good by instilling that false sense of security that leads people to think its OK to let attachments run automatically, or leave all those services running on their new Mandrake box. Hard advice is better than press releases and misrepresenting technologies as security measures.
-------------
Re:I use @home (Score:2)
http://security.rr.com/, formerly bofh.rr.com). Partially they're hunting down rogue servers. They're ORBSed, and are mainly trying to find the insecure SMTP servers. They also have some security guidelines on their webpage.
It's not great, but it's something.
With proper inflection, their words are true (Score:2)
Indeed. Any computer that's sitting with its bare ass out on the net with a static (or even dhcp-assigned) address with all ports open, unnecessary services running, and without a firewall for protection, is just begging to be pillaged.
It's like sex. Would you have sex without a condom or suitable barrier? You might out of laziness (or the mistaken thought that you're not getting the full experience), but if you do, nine times out of ten, you'll be coming home with an STD. It's the same with firewalls and network security. You might not run one out laziness, or the mistaken thought the firewall will impede your performance by constraining your movements, slowing down your "bandwidth", or impeding your access to others' ports, but nine times out of ten, you'll be coming home with a cracked box.
I tell all my lovers, "No glove, no love", and I encourage all of you to tell your sysadmins, "No firewalls, no thigh-or-balls, er, I mean, no service."
Re:It's true, what goes on "out there" is horrendo (Score:2)
At work, your firewall *should* be good enough. Reporting abuses of your network to the maintainer of that netblock may actually produce some results. You *should* have some qualification (read: you know what you're talking about), be able to speak that person's lingo, and *should* have some well documented log excerpts to show a clear pattern of abuse, not some untraceable and/or forgivable indiscretions.
That's my $0.02.
--
There is no K5 [kuro5hin.org] cabal.
Re:not to be a bitch... (Score:2)
Why wait until you're finished? (Score:2)
Re: Oh dear... (Score:4)
It should be the responsibility of the company supplying the broadband access to supply and configure a firewall as part of the installation, and explain to the users whay it is needed.
Great. You want to handle the tech support calls when your average cable modem using consumer hoses up his $ISP provided firewall software? I thought not.
Speaking as someone who used to work in broadband at a large ISP, no fscking way would we get involved in end-user security. Our customers were encouraged to read up on security and run firewall software, but we weren't going to give them the software or provide tech support for it.
You have to draw the line somewhere. If you help them install/configure a firewall, who is held responsible when it's compromised? Whether or not the ISP should be held responsible, that's exactly how the users would see it.
--
Turn on, log in, burn out...