
Thread: Online Arrmor

  1. #41
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Online Arrmor

    Volker Birk <bumens@dingens.org> wrote:
    > Ansgar -59cobalt- Wiechers <usenet-2009@planetcobalt.net> wrote:
    >> Volker Birk <bumens@dingens.org> wrote:
    >>> Ansgar -59cobalt- Wiechers <usenet-2009@planetcobalt.net> wrote:
    >>>> Geoff Smith <geoff915@yahoo.com> wrote:
    >>>>> If you want to be helpful, then suggest a different tool for the
    >>>>> average user.
    >>>> How about nmap-online.com?
    >>> It can't, too. How do you know if the network in between is filtering
    >>> or not using such a network based tool?

    >> How else would Joe Average test his border router from the outside?

    >
    > By using netstat or lsof or $TOOL (or %TOOL%) locally and not from the
    > outside,


    Volker, you're talking nonsense, and you know that. netstat, TCPView,
    lsof, openports, fport and other tools like that show the status of
    ports on the local system from the INSIDE. Unless no services are
    listening on the external interface (which is desirable, but not always
    feasible), the output of these tools doesn't say anything at all about
    which ports are accessible from the OUTSIDE.

    A local packet filter may or may not allow connections to port X. A SOHO
    router may or may not forward selected or all inbound connections to a
    particular host/port. None of the tools know the least about this.

    > or by directly connecting a second host to the network interface which
    > afterwards will be connected to the outside and doing a port scan,
    > i.e. with nmap.


    Unfortunately Joe Average doesn't necessarily have a second computer he
    can plug into the router's external port. Or is familiar enough with
    commandline tools like nmap, scanline or PortQuery. Your advice also
    doesn't account for hosts that are directly on a dialup connection.

    > But to be clear: Joe Average should not try to test border routers. He
    > should ask someone who understands.


    Although Joe Average shouldn't conduct a penetration test, there is
    nothing wrong at all with him running a port scan against his own border
    router to see, if all ports are closed (except for those he configured
    to be open).

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  2. #42
    Volker Birk
    Guest

    Re: Online Arrmor

    Ansgar -59cobalt- Wiechers <usenet-2009@planetcobalt.net> wrote:
    > Volker, you're talking nonsense, and you know that. netstat, TCPView,
    > lsof, openports, fport and other tools like that show the status of
    > ports on the local system from the INSIDE.


    Yes. And this is not nonsense, but the better way to check.

    > The output of these tools doesn't say anything at all about
    > which ports are accessible from the OUTSIDE.


    If so, throw away your operating system.

    > A local packet filter may or may not allow connections to port X.


    Clear. If you're using a filtering implementation, read the config and
    check the status of it additionally.

    >> or by directly connecting a second host to the network interface which
    >> afterwards will be connected to the outside and doing a port scan,
    >> i.e. with nmap.

    > Unfortunately Joe Average doesn't necessarily have a second computer he
    > can plug into the router's external port. Or is familiar enough with
    > commandline tools like nmap, scanline or PortQuery.


    Then he cannot test. Sometimes it's so easy.

    > Your advice also
    > doesn't account for hosts that are directly on a dialup connection.


    Your recommendation for remote testing servers misleads the reader; in
    your own words:

    The output of these tools doesn't say anything at all about which are
    accessible from the outside. They're just showing, what is filtered away
    and what's faked in on the line.

    >> But to be clear: Joe Average should not try to test border routers. He
    >> should ask someone who understands.

    > Although Joe Average shouldn't conduct a penetration test, there is
    > nothing wrong at all with him running a port scan against his own border
    > router to see, if all ports are closed (except for those he configured
    > to be open).


    The wrong thing with it is, that he may believe that what this tool
    shows is how his box is behaving. The reality often is, that on the way
    to the testing server the net is being modified by the inter-connecting
    networks.

    We're living in the "filtering is cool" ages, Ansgar. Just if
    you didn't notice. This is true for internet providers, too.

    Unfortunately.

    Yours,
    VB.
    --
    Please also note the reverse side of this letter!

  3. #43
    DevilsPGD
    Guest

    Re: Online Arrmor

    In message <MPG.24250fd4c2c62e3a989691@nntp.motzarella.org> G
    <geoff915@yahoo.com> was claimed to have wrote:

    >In article <gpekf6UkgdL1@news.in-ulm.de>, usenet-2009@planetcobalt.net
    >says...
    >>
    >> G <geoff915@yahoo.com> wrote:
    >> > usenet-2009@planetcobalt.net says...
    >> >> G <geoff915@yahoo.com> wrote:
    >> >>> Port Reporter is a nice tool, but all it does is log information.
    >> >>
    >> >> Which is exactly what it's supposed to do.
    >> >>
    >> >>> And it isn't exactly for the novice.
    >> >>
    >> >> Neither are logs/messages of the various personal firewalls.
    >> >
    >> > Log files isn't usually the primary reason someone uses a software
    >> > firewall.

    >>
    >> One reason I hear rather frequently is that personal firewall would tell
    >> people what's going on on their systems. Logfiles exist exactly for that
    >> purpose.
    >>
    >> > Rather than continue this back & forth, why don't you just share
    >> > exactly how an average Windows user on an internet-connected computer
    >> > can fully protect himself?

    >>
    >> Because there is no "one size fits all" solution. A good starting point
    >> would be:
    >>
    >> - Think before acting.
    >> - Never be root. Use an administrator account only for administrative
    >> tasks. Use a normal user account for everything else.
    >> - Configure software that requires admin privileges for non-admin tasks
    >> to run with limited user privileges [1].
    >> - Keep your operating system and all of your software up-to-date.
    >> Automatic updates help.
    >> - Don't provide services you don't want to provide [2,3]. Or use the
    >> Windows Firewall to block inbound connections.
    >> - Disable autostarts for removable media (via gpedit).
    >> - Use AV software to prevent known malware from being executed by
    >> mistake.
    >> - Don't use IE, at least not without locking it down tightly. Better use
    >> Firefox/SeaMonkey with NoScript or Opera, as they are easier to
    >> secure.
    >> - Before installing software think twice about whether you really need
    >> it. Less is more.
    >>
    >> Additional steps could be:
    >>
    >> - Use sandboxed environments (preferably virtual machines) for
    >> evaluating software.
    >> - Revoke "execute" permission from caches and temp directories.
    >> - Use Software Restriction Policies to allow only whitelisted software

    >
    >That all sounds great. But I said for the average Windows user. Do you
    >really expect aunt Esther to understand how to lock things down through the
    >registry and group policy editor? Or figure out how to set up a VPN?


    Note that Vista does most of the configuration related suggestions made
    here out of the box. Vista can't help you think, but you start out with
    limited user privileges, the OS nags you until you update automatically
    or take several conscious steps to turn off the nags, the firewall
    blocks all inbound requests by default, removable media prompts before
    execution.

    IE is fairly well locked down, and even if IE is completely and wholly
    pwned, protected mode keeps the malware from going far.

    (Don't get me wrong, I'm a Firefox user myself, but IE in Protected Mode
    isn't a particularly unsafe browser.)

    The problem is going the next step as it involves the user. A sandboxed
    environment isn't impossible to implement at an OS level (again, IE
    protected mode is one such example -- You can run other apps with less
    privileges too if you desire, but you'll probably be disappointed with
    Excel when it can't open existing documents.)

    The iPhone version of OSX is one example of an OS built and managed in a
    relatively sandboxed fashion.

    As long as users are capable of installing their own software, they'll
    be capable of jumping through whatever hoops the OS puts in their way
    before installing the latest Trojan in an attempt to access whatever
    shiny new toy shows up, as most malware authors will just have to get
    smarter at engineering the human side of the equation.

    For less technical users this will be alerts from their system
    administrator that they need to install a patch manually. For more
    technically capable end-users it will be a fake codec pack to access
    some media that they sought out (and therefore assume the codec is safe)

  4. #44
    DevilsPGD
    Guest

    Re: Online Arrmor

    In message <oAGul.28500$cu.2914@news-server.bigpond.net.au> Lie Ryan
    <lie.1296@gmail.com> was claimed to have wrote:

    >Kayman wrote:
    >> On Sat, 14 Mar 2009 00:51:51 +0200, G wrote:
    >>
    >>> In article <gpekf6UkgdL1@news.in-ulm.de>, usenet-2009@planetcobalt.net
    >>> says...
    >>>> G <geoff915@yahoo.com> wrote:
    >>>>> usenet-2009@planetcobalt.net says...
    >>>>>> G <geoff915@yahoo.com> wrote:
    >>>>>>> Port Reporter is a nice tool, but all it does is log information.
    >>>>>> Which is exactly what it's supposed to do.
    >>>>>>
    >>>>>>> And it isn't exactly for the novice.
    >>>>>> Neither are logs/messages of the various personal firewalls.
    >>>>> Log files isn't usually the primary reason someone uses a software
    >>>>> firewall.
    >>>> One reason I hear rather frequently is that personal firewall would tell
    >>>> people what's going on on their systems. Logfiles exist exactly for that
    >>>> purpose.
    >>>>
    >>>>> Rather than continue this back & forth, why don't you just share
    >>>>> exactly how an average Windows user on an internet-connected computer
    >>>>> can fully protect himself?
    >>>> Because there is no "one size fits all" solution. A good starting point
    >>>> would be:
    >>>>
    >>>> - Think before acting.
    >>>> - Never be root. Use an administrator account only for administrative
    >>>> tasks. Use a normal user account for everything else.
    >>>> - Configure software that requires admin privileges for non-admin tasks
    >>>> to run with limited user privileges [1].
    >>>> - Keep your operating system and all of your software up-to-date.
    >>>> Automatic updates help.
    >>>> - Don't provide services you don't want to provide [2,3]. Or use the
    >>>> Windows Firewall to block inbound connections.
    >>>> - Disable autostarts for removable media (via gpedit).
    >>>> - Use AV software to prevent known malware from being executed by
    >>>> mistake.
    >>>> - Don't use IE, at least not without locking it down tightly. Better use
    >>>> Firefox/SeaMonkey with NoScript or Opera, as they are easier to
    >>>> secure.
    >>>> - Before installing software think twice about whether you really need
    >>>> it. Less is more.
    >>>>
    >>>> Additional steps could be:
    >>>>
    >>>> - Use sandboxed environments (preferably virtual machines) for
    >>>> evaluating software.
    >>>> - Revoke "execute" permission from caches and temp directories.
    >>>> - Use Software Restriction Policies to allow only whitelisted software
    >>> That all sounds great. But I said for the average Windows user. Do you
    >>> really expect aunt Esther to understand how to lock things down through the
    >>> registry and group policy editor? Or figure out how to set up a VPN?

    >>
    >> Education G, it's called EDUCATION!

    >
    >Yeah right.. tell that to my mom who doesn't even know how to send an
    >email and every time we told her how to, the very next day she asks again.


    Does she need to be able to install software at all? She's a perfect
    candidate for a limited user access account.

    This will limit what she can do with her PC without assistance, but I'd
    argue that she probably can't install a new stereo into her car without
    a trained professional's assistance either.

  5. #45
    DevilsPGD
    Guest

    Re: Online Arrmor

    In message <gpg2tmU5v8L4@news.in-ulm.de> Ansgar -59cobalt- Wiechers
    <usenet-2009@planetcobalt.net> was claimed to have wrote:

    >G <geoff915@yahoo.com> wrote:
    >> I agree that it would be great to educate others on these issues. But
    >> we also have to be realistic. Windows' greatest benefit (simplicity
    >> for the masses) is also its greatest security issue.

    >
    >Take a look at Mac OS X to understand that this is simply not true.


    OSX is a classic case of security by obscurity in practice. Why attack
    some ~10% of the market when you can just as easily go after some 85% of
    the desktop market?

    Also remember that a significant percentage of OSX users also run
    Windows and are therefore vulnerable to Windows based malware, driving
    the percentage of otherwise-unreachable OSX users even lower.

    There certainly are exceptions, but the vast majority of the recent
    malware outbreaks have been things installed by users without realizing
    that they're installing a trojan, this is not really a technological
    attack, but rather an attack exploiting vulnerabilities in the human.

    Move 50% of the least technical users from Windows over to OSX and the
    exploits will follow.

  6. #46
    DevilsPGD
    Guest

    Re: Online Arrmor

    In message <gpg9ctUk27L4@news.in-ulm.de> Volker Birk
    <bumens@dingens.org> was claimed to have wrote:

    >Geoff Smith <geoff915@yahoo.com> wrote:
    >> ShieldsUp! is an excellent tool to test your system.

    >
    >Better exchange "excellent" with "********".
    >
    >Of course, no network server can test your own system, because of the
    >problem that the network in between your host and the server can and
    >will filter and modify. You're testing the net, not your host.


    Depending on where the filtering is done, this may be good enough. A
    port isn't a threat just because it's open, it also needs to be remotely
    accessible and exploitable.

    The obvious problem shows up if your ISP filters from their edge routers
    and the attacker is another customer of your ISP (or more likely, a
    zombied machine within your ISP's network owned by a botmaster in some
    foreign country)

    >And of course, using netstat is enough on Windows, too, to find out
    >what's really going on. Of course, you don't need some network server
    >based tool at all.


    That isn't really true either, netstat can show a port as listening when
    a software packet filter wouldn't actually allow an inbound connection
    through to that port.

    In other words, netstat will report all open ports, but is subject to
    false positives. Netstat is a useful tool, but it's not an exhaustive
    solution.

    Still, this is a significant improvement over the false sense of
    security that GRC may leave you with if your ISP's edge routers filter
    some traffic that your local security would otherwise let through.

  7. #47
    Volker Birk
    Guest

    Re: Online Arrmor

    DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    >>Take a look at Mac OS X to understand that this is simply not true.

    > OSX is a classic case of security by obscurity in practice.


    At least, the default number of network services a Macintosh offers
    to the rest of the internet is zero.

    In contrast to Windows.

    Yours,
    VB.
    --
    Please also note the reverse side of this letter!

  8. #48
    Volker Birk
    Guest

    Re: Online Arrmor

    DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    > Note that Vista does most of the configuration related suggestions made
    > here out of the box.


    Unfortunately you're wrong. Also Vista starts network services and
    filters them away as the default configuration.

    > IE is fairly well locked down, and even if IE is completely and wholly
    > pwned, protected mode keeps the malware from going far.
    > (Don't get me wrong, I'm a Firefox user myself, but IE in Protected Mode
    > isn't a particularly unsafe browser.)


    Barring it's a piece of ****, because it's the only browser left which
    breaks CSS2 seriously, it can be used (and therefore abused) to communicate
    with any COM object on the machine. If one of them has security flaws,
    Internet Exploder inherits them all.

    > The problem is going the next step as it involves the user. A sandboxed
    > environment isn't impossible to implement at an OS level (again, IE
    > protected mode is one such example -- You can run other apps with less
    > privileges too if you desire, but you'll probably be disappointed with
    > Excel when it can't open existing documents.)


    "IE Protected Mode" would be a sandbox only, if it would not support COM
    objects any more.

    > The iPhone version of OSX is one example of an OS built and managed in a
    > relatively sandboxed fashion.


    OSX on the iPhone is far from a sandbox concept. It's just the Darwin
    kernel without the BSD personality. Did you ever have a look onto this
    architecture before you're holding forth about it?

    Or are you just unfamiliar with the concept which is commonly known as
    "sandboxing"?

    Yours,
    VB.
    --
    Please also note the reverse side of this letter!

  9. #49
    Volker Birk
    Guest

    Re: Online Arrmor

    DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    >>Of course, no network server can test your own system, because of the
    >>problem that the network in between your host and the server can and
    >>will filter and modify. You're testing the net, not your host.

    > Depending on where the filtering is done, this may be good enough.


    May.

    And how can the user judge this?

    > A
    > port isn't a threat just because it's open, it also needs to be remotely
    > accessible and exploitable.


    A port is neither a door nor a gate nor a harbour above all. It's just a
    maintenance number.

    If people say, that a "port" is "open", usually they mean that there is
    a process running on the kernel, which allocated the port and offers a
    network service using this port.

    It is best practise to offer network services only, which have to be
    offered, because exploits in code which is not being executed are not
    endangering the system.

    And there are zero day exploits every time.

    > The obvious problem shows up if your ISP filters from their edge routers
    > and the attacker is another customer of your ISP (or more likely, a
    > zombied machine within your ISP's network owned by a botmaster in some
    > foreign country)


    That is one of the problems, exactly.

    >>And of course, using netstat is enough on Windows, too, to find out
    >>what's really going on. Of course, you don't need some network server
    >>based tool at all.

    > That isn't really true either, netstat can show a port as listening when
    > a software packet filter wouldn't actually allow an inbound connection
    > through to that port.


    Yes, but filtering is not reliable in many cases. Commonly, there are
    exceptions like FTP helpers, which can be easily abused to ignore any
    filter.

    > In other words, netstat will report all open ports, but is subject to
    > false positives. Netstat is a useful tool, but it's not an exhaustive
    > solution.


    netstat shows what's going on exactly. There are no false positives in
    any way. It's just the wrong concept to try to filter away what could
    use the network services your box is offering. Just shut them down, and
    you don't need to filter.

    > Still, this is a significant improvement over the false sense of
    > security that GRC may leave you with if your ISP's edge routers filter
    > some traffic that your local security would otherwise let through.


    Yes.

    Yours,
    VB.
    --
    Please also note the reverse side of this letter!

  10. #50
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Online Arrmor

    Volker Birk <bumens@dingens.org> wrote:
    > Ansgar -59cobalt- Wiechers <usenet-2009@planetcobalt.net> wrote:
    >> Volker, you're talking nonsense, and you know that. netstat, TCPView,
    >> lsof, openports, fport and other tools like that show the status of
    >> ports on the local system from the INSIDE.

    >
    > Yes. And this is not nonsense, but the better way to check.
    >
    >> The output of these tools doesn't say anything at all about which
    >> ports are accessible from the OUTSIDE.

    >
    > If so, throw away your operating system.


    *sigh* This is regardless of the operating system. Because none of these
    tools know anything about packet filters. Neither local, nor remote.

    >> A local packet filter may or may not allow connections to port X.

    >
    > Clear. If you're using a filtering implementation, read the config and
    > check the status of it additionally.


    As you know quite well, the proper way to do that is a port scan.

    [...]
    > The wrong thing with it is, that he may believe that what this tool
    > shows is how his box is behaving. The reality often is, that on the
    > way to the testing server the net is being modified by the
    > inter-connecting networks.


    I'd like to see proof for that claim.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  11. #51
    GEO Me@home.here
    Guest

    Re: Online Arrmor

    On Sat, 14 Mar 2009 04:41:56 GMT, Lie Ryan <lie.1296@gmail.com> wrote:

    >>Kayman wrote:


    >>> That all sounds great. But I said for the average Windows user. Do you
    >>> really expect aunt Esther to understand how to lock things down through the
    >>> registry and group policy editor? Or figure out how to set up a VPN?


    >> Education G, it's called EDUCATION!

    >
    >Yeah right.. tell that to my mom who doesn't even know how to send an
    >email and every time we told her how to, the very next day she asks again.
    >
    >> A sensible aunt Esther would not drive a motor vehicle without prior
    >> familiarization in relation to correct operating procedures of her car and
    >> traffic/street rules.

    >
    >The analogy is irrelevant. A more appropriate analogy is whether a
    >sensible aunt Esther should be taught about the whole legal system in
    >the country before doing anything since what she is doing may break any
    >arbitrary law.


    I prefer the analogy in which the user should only be allowed to
    drive the car if they can take apart the engine, and then put it back
    together.

    Geo


  12. #52
    DevilsPGD
    Guest

    Re: Online Arrmor

    In message <gph4ofU6n6L1@news.in-ulm.de> Volker Birk
    <bumens@dingens.org> was claimed to have wrote:

    >DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    >>>Take a look at Mac OS X to understand that this is simply not true.

    >> OSX is a classic case of security by obscurity in practice.

    >
    >At least, the default number of network services a Macintosh offers
    >to the rest of the internet is zero.
    >
    >In contrast to Windows.


    This is consistent with the default configuration of every
    version/service pack of Windows released within the last four and a half
    years.

  13. #53
    DevilsPGD
    Guest

    Re: Online Arrmor

    In message <49bc6ba1.340947651@news.telus.net> "GEO" Me@home.here was
    claimed to have wrote:

    >On Sat, 14 Mar 2009 04:41:56 GMT, Lie Ryan <lie.1296@gmail.com> wrote:
    >
    >>>Kayman wrote:

    >
    >>>> That all sounds great. But I said for the average Windows user. Do you
    >>>> really expect aunt Esther to understand how to lock things down through the
    >>>> registry and group policy editor? Or figure out how to set up a VPN?

    >
    >>> Education G, it's called EDUCATION!

    >>
    >>Yeah right.. tell that to my mom who doesn't even know how to send an
    >>email and every time we told her how to, the very next day she asks again.
    >>
    >>> A sensible aunt Esther would not drive a motor vehicle without prior
    >>> familiarization in relation to correct operating procedures of her car and
    >>> traffic/street rules.

    >>
    >>The analogy is irrelevant. A more appropriate analogy is whether a
    >>sensible aunt Esther should be taught about the whole legal system in
    >>the country before doing anything since what she is doing may break any
    >>arbitrary law.

    >
    > I prefer the analogy in which the user should only be allowed to
    >drive the car if they can take apart the engine, and then put it back
    >together.


    The issue isn't users driving, users are allowed to drive without too
    much of a problem, the problem is only when they start tinkering under
    the hood installing or removing components they don't understand.

  14. #54
    Root Kit
    Guest

    Re: Online Arrmor

    On Sat, 14 Mar 2009 04:41:56 GMT, Lie Ryan <lie.1296@gmail.com> wrote:

    >A more appropriate analogy is whether a sensible aunt Esther should be
    >taught about the whole legal system in the country before doing anything
    >since what she is doing may break any arbitrary law.


    YABA (Yet Another Bad Analogy)

  15. #55
    Volker Birk
    Guest

    Re: Online Arrmor

    Root Kit <b__nice@hotmail.com> wrote:
    > YABA (Yet Another Bad Analogy)


    Car analogies are the worst of all ;-) They never work.

    Yours,
    VB.
    --
    Please also note the reverse side of this letter!

  16. #56
    Volker Birk
    Guest

    Re: Online Arrmor

    DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    > In message <gph4ofU6n6L1@news.in-ulm.de> Volker Birk
    > <bumens@dingens.org> was claimed to have wrote:
    >>DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    >>>>Take a look at Mac OS X to understand that this is simply not true.
    >>> OSX is a classic case of security by obscurity in practice.

    >>At least, the default number of network services a Macintosh offers
    >>to the rest of the internet is zero.
    >>In contrast to Windows.

    > This is consistent with the default configuration of every
    > version/service pack of Windows released within the last four and a half
    > years.


    Unfortunately, including Vista, Windows runs programs in the default
    configuration, which offer network services, and then filters them away.

    Yours,
    VB.
    --
    Please also note the reverse side of this letter!

  17. #57
    Volker Birk
    Guest

    Re: Online Arrmor

    Ansgar -59cobalt- Wiechers <usenet-2009@planetcobalt.net> wrote:
    > Volker Birk <bumens@dingens.org> wrote:
    >>> The output of these tools doesn't say anything at all about which

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >>> ports are accessible from the OUTSIDE.

    >> If so, throw away your operating system.

    > *sigh* This is regardless of the operating system. Because none of these
    > tools know anything about packet filters. Neither local, nor remote.


    Maybe you want to correct that then.

    >>> A local packet filter may or may not allow connections to port X.

    >> Clear. If you're using a filtering implementation, read the config and
    >> check the status of it additionally.

    > As you know quite well, the proper way to do that is a port scan.


    Not only. As you know, most filtering implementations are dynamic, i.e.
    with FTP helpers or even port knocking. You cannot see that with a port
    scan.

    > [...]
    >> The wrong thing with it is, that he may believe that what this tool
    >> shows is how his box is behaving. The reality often is, that on the
    >> way to the testing server the net is being modified by the
    >> inter-connecting networks.

    > I'd like to see proof for that claim.


    In many cases, you're scanning not your box but some NAT box outside
    or even some proxy server from the outside.

    It's so easy, Ansgar: many Internet providers are filtering. People are
    using such remote scanning and are thinking, that the words "your
    computer has the following ports closed" mean, that their computer has
    them closed. It just means, that someone sent a TCP NACK or some ICMP
    port unreachable.

    Someone.

    And with "stealth" it's even worse: that means, someone on the line,
    maybe the box itself, did throw away packets.

    Your users don't recognize the difference in scanning results. But I saw
    the other way around, too:

    I was in a hotel in Spain. When I was scanning from the outside, my Box
    had port 25 open. What?

    When I was scanning from the inside, every box in the outside had port
    25 open.

    The reason was, that this hotel did redirect any transport of any IP
    address to their filtering mail server. It did not matter which mail
    server you were trying to reach, they connected your TCP socket to any
    IP address port 25 to their own box.

    In this case, NAT did not make a difference, because they had none.

    And of course, their mail server was as b0rken as their network setup,
    so I used my own to send mail through an SSH tunnel to my server.

    Yours,
    VB.
    --
    Please also note the reverse side of this letter!

  18. #58
    Root Kit
    Guest

    Re: Online Arrmor

    On Sun, 15 Mar 2009 07:17:36 +0100 (CET), Volker Birk
    <bumens@dingens.org> wrote:

    >Root Kit <b__nice@hotmail.com> wrote:
    >> YABA (Yet Another Bad Analogy)

    >
    >Car analogies are the worst of all ;-) They never work.


    Never say never. A few of them work in the right context :-)

  19. #59
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Online Arrmor

    DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    > Volker Birk <bumens@dingens.org> was claimed to have wrote:
    >> At least, the default number of network services a Macintosh offers
    >> to the rest of the internet is zero.
    >>
    >> In contrast to Windows.

    >
    > This is consistent with the default configuration of every
    > version/service pack of Windows released within the last four and a
    > half years.


    No, it isn't. Unlike every version of Windows released up to now, OS X
    in the default configuration does not have any services listening on the
    external interface (and very few services running at all). Windows OTOH
    still has lots of services listening on all interfaces, and is just
    denying access to them via the Windows firewall.

    However, only a service that is not running cannot be attacked. A
    service that is running can still be attacked, even if direct access
    is denied by the firewall. See e.g. [1].

    [1] http://www.enyo.de/fw/security/java-firewall/

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  20. #60
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Online Arrmor

    Volker Birk <bumens@dingens.org> wrote:
    > Ansgar -59cobalt- Wiechers <usenet-2009@planetcobalt.net> wrote:
    >> Volker Birk <bumens@dingens.org> wrote:
    >>>> The output of these tools doesn't say anything at all about which

    > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >>>> ports are accessible from the OUTSIDE.
    >>>
    >>> If so, throw away your operating system.

    >>
    >> *sigh* This is regardless of the operating system. Because none of these
    >> tools know anything about packet filters. Neither local, nor remote.

    >
    > Maybe you want to correct that then.


    No, I don't. Seeing which ports are open on the inside of a system does
    not tell you which of them are actually accessible from the outside. It
    may give you an idea which of them might be accessible at most, but
    that's about it.

    >>>> A local packet filter may or may not allow connections to port X.
    >>>
    >>> Clear. If you're using a filtering implementation, read the config
    >>> and check the status of it additionally.

    >>
    >> As you know quite well, the proper way to do that is a port scan.

    >
    > Not only. As you know, most filtering implementations are dynamic,
    > i.e. with FTP helpers or even port knocking. You cannot see that with
    > a port scan.


    You don't see that with netstat either. Your point being?

    >> [...]
    >>> The wrong thing with it is, that he may believe that what this tool
    >>> shows is how his box is behaving. The reality often is, that on the
    >>> way to the testing server the net is being modified by the
    >>> inter-connecting networks.

    >>
    >> I'd like to see proof for that claim.

    >
    > In many cases, you're scanning not your box but some NAT box outside
    > or even some proxy server from the outside.
    >
    > It's so easy, Ansgar: many Internet providers are filtering.


    I'd still like to see proof for that claim. And no, your hotel example
    does not count, because hotels aren't regular ISPs. I wouldn't expect
    unfiltered Internet from a hotel just like I wouldn't expect unfiltered
    Internet from some company Intranet. I do expect unfiltered Internet
    from my ISP, though.

    > People are using such remote scanning and are thinking, that the words
    > "your computer has the following ports closed" mean, that their
    > computer has them closed. It just means, that someone sent a TCP NACK
    > or some ICMP port unreachable.
    >
    > Someone.


    Yes. However, since that someone usually is either the host in question
    or its border router, online port scans still suffice in most
    situations. If you're worried about a middle man: there's still
    tcptraceroute.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
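
Added example, not written by any participant in this thread: a small Python script that reconciles the inside view (`netstat -an` listeners) with the outside view (an online port scan), so the cases argued over above show up as distinct verdicts. The Windows `netstat -an` column layout, both sample inputs and the verdict names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the Windows `netstat -an` column layout (the inside view).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample: port states as reported by a scanner on the outside.
EXTERNAL_SCAN = {25: "open", 135: "filtered", 139: "filtered",
                 445: "open", 5354: "closed"}


def parse_listeners(netstat_text):
    """Return {port: set of bind addresses} for TCP sockets in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header, UDP, or malformed line
        if not fields[3].upper().startswith("LISTEN"):
            continue  # established or closing connections are not services
        addr, _, port = fields[1].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        try:
            normalized = str(ipaddress.ip_address(addr))
            listeners.setdefault(int(port), set()).add(normalized)
        except ValueError:
            continue  # skip anything that is not address:port
    return listeners


def bound_externally(addresses):
    """True if at least one bind address is not loopback (wildcards count)."""
    return any(not ipaddress.ip_address(a).is_loopback for a in addresses)


def reconcile(listeners, scan):
    """Compare the inside view with the outside view, port by port.

    reachable          - offered locally and seen open from outside
    blocked-on-path    - offered locally, but a local filter, the router or
                         the ISP stopped the scan; netstat cannot say which
    answered-elsewhere - seen open from outside although this host does not
                         offer it: a NAT box, proxy or redirect answered
    not-offered        - nothing bound to a non-loopback address
    unscanned          - offered locally, outside state unknown
    """
    verdicts = {}
    for port in sorted(set(listeners) | set(scan)):
        offered = bound_externally(listeners.get(port, ()))
        state = scan.get(port)
        if state is None:
            verdicts[port] = "unscanned" if offered else "not-offered"
        elif state == "open":
            verdicts[port] = "reachable" if offered else "answered-elsewhere"
        else:
            verdicts[port] = "blocked-on-path" if offered else "not-offered"
    return verdicts


if __name__ == "__main__":
    for port, verdict in reconcile(parse_listeners(NETSTAT_SAMPLE),
                                   EXTERNAL_SCAN).items():
        print(f"{port:>5}  {verdict}")
```

Port 25 in the sample corresponds to the hotel case from post #57: the scan reports it open although nothing on the host listens there. Ports 135 and 139 are the listeners that netstat shows but the scan cannot reach.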
