Re: I'm feeling paranoid - with good reason.


I've been checking my new adsl router. It flies through even on service 
requests.
Some more notes on the subject:

The new one stealths all ports. While this gets round my system looking like a 
full blown server to scans from the net as it no longer reports "service there 
but not currently available" it may not mean that there are no open ports it 
just means that requests are being dropped. Next thing will be to drop the 
stealth for a while and check it again. At least this one doesn't automate 
ping responses though. If there is an open port I have a feeling that it can 
be circumvented with virtual servers failing that open source units do have 
an advantage (linksys and netgear others?) maybe the source can be changed. 
It seems that some people trash the existing firmware and replace it with 
simple routing plus whatever else they want. (A KDE version might be an 
interesting project for someone as integration would offer all sorts of 
interesting possibilities.)

I haven't added the scripts from this thread as I feel that they are still 
flawed and Basil's problem is a fairly simple example. It's no good just 
handling things from the net side the machine side needs to be firewalled 
too. Even that is useless if the source can't be tracked. Most windoze 
snooping software hides behind a service and doesn't use the net directly. It 
often isn't from hackers either. I had an epson printer driver that reported 
back to epson every time I printed something, Adobe and others have and do 
similar things. Large companies are often involved - eg winsock mods to 
enable .law etc dns. Open source is very open to this sort of thing 
especially with rpm's but why not sources too? The other point on this 
subject is that the hacking elite do not broadcast their methods. They keep 
quiet and use them. It seems that even cisco code is available so who knows 
what they can do. Most hacking usually involves prowling around machines or 
usage monitoring not sabotage. Some will do something trivial, a few will 
trash machines.

I'm trawling netfilter.org now to try and see what can be done but as is often 
the case especially with linux etc there doesn't seem to be any task 
orientated documentation with examples. I may want the detail later all I 
want at the moment is capability, syntax and examples with as little jargon as 
possible.

Having said all that though - what happens if the box connected to the 
physical layer gets reprogrammed by someone. I've worked on embedded systems 
for a long time and can state that there is almost bound to be some method of 
doing that in most units. Code can be extracted from most micro's and failing 
that it isn't all that difficult to probe a unit and find out what it can be 
made to do. Maybe bastion installations should monitor what's on the 
physical side too.

Then there's the cia, fbi and mi5 etc. I met some of the uk guys that do that 
sort of work for them some time ago. Not that they would tell me much though.

On closing it's worth noting what sort of people attract attention. Usually it 
means that there is something of interest on the machine. Cases I have come 
across include, information on anything, scans of dan dare magazines, dress 
making patterns and porn. The point to note is that someone must go in to 
find out if it's there in the first place - might even just be some bored 
person or otherwise at your isp.

Regards
John
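The check Basil describes in the quoted message below (reading the modem's rules, finding an "accept icmp echo-request" and an accept-everything rule for one supplier address) is the sort of thing worth automating on the Linux side John is reading netfilter.org for. The script below is an added example, not code from this thread or from any router vendor: it parses an `iptables-save`-style INPUT chain and flags blanket ACCEPT rules from a single outside address and rules that accept ICMP echo-request. The ruleset is constructed for illustration; the supplier address in it is an RFC 5737 documentation placeholder, not the one Basil reports.

```python
"""Audit an iptables-save style ruleset for two things found by hand in the thread:
a blanket ACCEPT from one outside address, and an ACCEPT of ICMP echo-request.
Added example; the sample ruleset below is constructed, not captured from a device."""
import ipaddress
import re

# Constructed sample in the shape of `iptables-save` output.
# 203.0.113.140 is a documentation-range placeholder standing in for a supplier address.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 203.0.113.140/32 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")

# Address ranges treated as "inside": RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Options that narrow a rule to particular ports, states or ICMP types.
NARROWING = {"--dport", "--dports", "--sport", "--sports", "--state", "--icmp-type"}


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into {'chain': ..., 'opts': {flag: value}}.
    A `!` before a flag is kept by prefixing the key with '!' so negated
    matches (e.g. `! -s 10.0.0.0/8`) are not mistaken for positive ones."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    chain, rest = m.groups()
    toks = rest.split()
    opts, negate, i = {}, False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok.startswith("-"):
            key = ("!" if negate else "") + tok
            negate = False
            if i + 1 < len(toks) and not toks[i + 1].startswith("-") and toks[i + 1] != "!":
                opts[key], i = toks[i + 1], i + 2
            else:
                opts[key], i = True, i + 1
        else:
            i += 1
    return {"chain": chain, "opts": opts}


def is_inside(cidr):
    """True if the source CIDR lies wholly within a LAN/local range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(local.version == net.version and net.subnet_of(local) for local in LOCAL_NETS)


def audit_input_chain(ruleset_text):
    """Return (line_no, finding, source) tuples for suspicious INPUT ACCEPT rules."""
    findings = []
    for lineno, line in enumerate(ruleset_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["chain"] != "INPUT":
            continue
        o = rule["opts"]
        if o.get("-j") != "ACCEPT" or o.get("-i") == "lo":
            continue
        src = o.get("-s")
        narrowed = bool(NARROWING & o.keys())
        # A single-address ACCEPT with no port/state/type restriction is the
        # "supplier backdoor" shape: every port open to that one address.
        if src and not narrowed and not is_inside(src):
            findings.append((lineno, "blanket-accept-from-outside", src))
        elif src is None and not narrowed and "-p" not in o:
            findings.append((lineno, "blanket-accept-from-anywhere", "any"))
        # Echo-request accepted means the box answers pings from the net.
        if o.get("-p") == "icmp" and o.get("--icmp-type") in ("8", "echo-request"):
            findings.append((lineno, "echo-request-accepted", src or "any"))
    return findings


if __name__ == "__main__":
    for lineno, kind, src in audit_input_chain(SAMPLE_RULESET):
        print(f"line {lineno}: {kind} (source {src})")
```

Run it against `iptables-save` output from the machine-side firewall rather than the sample; rules that only name an interface (`-i eth0`) still count as blanket, since an interface match does not narrow which ports a given address can reach.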




On Saturday 04 February 2006 14:44, Basil Fowler wrote:
> Following the hint in John's message below, I checked my replacement
> SpeedTouch 510 modem with Shieldup at grc.com.  All my ports were closed,
> but pings were acknowledged.  This was not the case with old 530 modem,
> which gave all clear.
>
> I went into the command line interface to read the rules.  There was a rule
> that stated "accept icmp echo-request".  This I changed to "drop".  The
> modem is now fully stealthed.
>
> BUT it had a backdoor.  The suppliers
>
> DSL Shop
> Net Lynk Limited
> Roman Park, Roman Way,
> Coleshil, Birmingham, B46 1HG
> England.
>
> had placed a rule in the modem firewall that it was to accept any incoming
> packages from 217.196.1.140.  This I traced back via reverse DNS lookup to
> the firm that supplied the modem.
>
> I shall apprise the firm later that I have discovered the backdoor and
> have placed the fact on record.  Perhaps other readers could spread the
> word to other more appropriate lists.
>
> As far as I know, no attempt has been made by dslshop to contact my
> computer. There is no trace in the logs from the secondary firewall.
>
> Thanks for the hint John!
>
> Basil Fowler
>
> On Thursday 02 Feb 2006 19:06, John wrote:
> > I know this is ot but.
> > I strongly urge anybody that uses any sort of modem router to visit
> > shields up at grc.com and see if their ports 254 and 255 are open. A
> > search on the web will show that there is a problem on lots of them in
> > this area. It seems that most of them carried on shipping like that
> > for a long time so it's probably a chip set problem. The zoom modem uses a
> > texas instruments chip set. Any sort of firewall is useless as the unit
> > itself is at risk - mine definitely had its firmware and or settings
> > reprogrammed. Zoom also admitted that the firmware update does not
> > prevent the open port. My current router does have a capability for
> > remote admin but it can be turned off. (I hope) I ditched a Sagem adsl
> > unit some time ago (years) as it was open to the same problem. They made
> > them like that so that isp's can tweak them for their users etc.
> > regards
> > John

-- 
Suse 10.0
KDE 3.4.2 B
___________________________________________________
.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.
