I'm feeling paranoid - with good reason.
John
john_82 at tiscali.co.uk
Sun Feb 5 14:53:33 GMT 2006
I've been checking my new adsl router. It flies through even on service
requests.
Some more notes on the subject:
The new one stealths all ports. While this gets round my system looking like a
full-blown server to scans from the net, as it no longer reports "service there
but not currently available", it may not mean that there are no open ports; it
just means that requests are being dropped. Next thing will be to drop the
stealth for a while and check it again. At least this one doesn't automate
ping responses though. If there is an open port I have a feeling that it can
be circumvented with virtual servers; failing that, open source units do have
an advantage (Linksys and Netgear, others?) - maybe the source can be changed.
It seems that some people trash the existing firmware and replace it with
simple routing plus whatever else they want. (A KDE version might be an
interesting project for someone as integration would offer all sorts of
interesting possibilities.)
I haven't added the scripts from this thread as I feel that they are still
flawed and Basil's problem is a fairly simple example. It's no good just
handling things from the net side; the machine side needs to be firewalled
too. Even that is useless if the source can't be tracked. Most windoze
snooping software hides behind a service and doesn't use the net directly. It
often isn't from hackers either. I had an Epson printer driver that reported
back to Epson every time I printed something; Adobe and others have done and do
similar things. Large companies are often involved - eg winsock mods to
enable .law etc dns. Open source is very open to this sort of thing,
especially with rpms, but why not sources too? The other point on this
subject is that the hacking elite do not broadcast their methods. They keep
quiet and use them. It seems that even Cisco code is available, so who knows
what they can do. Most hacking usually involves prowling around machines or
usage monitoring, not sabotage. Some will do something trivial, a few will
trash machines.
I'm trawling netfilter.org now to try and see what can be done, but as is often
the case, especially with linux etc, there doesn't seem to be any task
orientated documentation with examples. I may want the detail later; all I
want at the moment is capability, syntax and examples with as little jargon as
possible.
Having said all that though - what happens if the box connected to the
physical layer gets reprogrammed by someone? I've worked on embedded systems
for a long time and can state that there is almost bound to be some method of
doing that in most units. Code can be extracted from most micros and, failing
that, it isn't all that difficult to probe a unit and find out what it can be
made to do. Maybe bastion installations should monitor what's on the
physical side too.
Then there's the CIA, FBI and MI5 etc. I met some of the UK guys that do that
sort of work for them some time ago. Not that they would tell me much though.
On closing it's worth noting what sort of people attract attention. Usually it
means that there is something of interest on the machine. Cases I have come
across include information on anything, scans of Dan Dare magazines, dress
making patterns and porn. The point to note is that someone must go in to
find out if it's there in the first place - might even just be some bored
person or otherwise at your ISP.
Regards
John
On Saturday 04 February 2006 14:44, Basil Fowler wrote:
> Following the hint in John's message below, I checked my replacement
> SpeedTouch 510 modem with ShieldsUP at grc.com. All my ports were closed,
> but pings were acknowledged. This was not the case with the old 530 modem,
> which gave the all clear.
>
> I went into the command line interface to read the rules. There was a rule
> that stated "accept icmp echo-request". This I changed to "drop". The
> modem is now fully stealthed.
>
> BUT it had a backdoor. The suppliers
>
> DSL Shop
> Net Lynk Limited
> Roman Park, Roman Way,
> Coleshill, Birmingham, B46 1HG
> England.
>
> had placed a rule in the modem firewall that it was to accept any incoming
> packets from 217.196.1.140. This I traced back via reverse DNS lookup to
> the firm that supplied the modem.
>
> I shall apprise the firm later that I have discovered the backdoor and
> have placed the fact on record. Perhaps other readers could spread the
> word to other more appropriate lists.
>
> As far as I know, no attempt has been made by dslshop to contact my
> computer. There is no trace in the logs from the secondary firewall.
>
> Thanks for the hint John!
>
> Basil Fowler
>
> On Thursday 02 Feb 2006 19:06, John wrote:
> > I know this is OT but.
> > I strongly urge anybody that uses any sort of modem router to visit
> > Shields UP at grc.com and see if their ports 254 and 255 are open. A
> > search on the web will show that there is a problem on lots of them in
> > this area. It seems that most of them carried on shipping like that
> > for a long time so it's probably a chipset problem. The Zoom modem uses a
> > Texas Instruments chipset. Any sort of firewall is useless as the unit
> > itself is at risk - mine definitely had its firmware and/or settings
> > reprogrammed. Zoom also admitted that the firmware update does not
> > prevent the open port. My current router does have a capability for
> > remote admin but it can be turned off. (I hope) I ditched a Sagem adsl
> > unit some time ago (years) as it was open to the same problem. They made
> > them like that so that ISPs can tweak them for their users etc.
> > regards
> > John
--
Suse 10.0
KDE 3.4.2 B
___________________________________________________
This message is from the kde mailing list.
Account management: https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.
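Added example, not written by John, Basil or anyone on the list: a small Python audit of a netfilter rule dump in iptables-save syntax that flags the two rules the thread describes, an INPUT rule that answers ICMP echo-request and a rule that accepts every protocol and port from one external address (the address is the one Basil quoted), and then rewrites them. The dump is constructed here, and assuming iptables-save syntax is an assumption; a SpeedTouch CLI uses its own rule language.

```python
import ipaddress
import re

# Constructed iptables-save style dump; the vendor address is the one Basil
# quoted. A SpeedTouch uses its own CLI syntax, so this format is an assumption.
RULE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s 217.196.1.140/32 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def audit_rules(dump):
    """Return (rule, reason) pairs for INPUT ACCEPT rules that either answer
    pings or let one non-private source in on every protocol and port."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if "--icmp-type echo-request" in line:
            findings.append((line, "answers ping, so the router is not stealthed"))
            continue
        src = re.search(r"-s (\S+)", line)
        if src and "-p " not in line and "--dport" not in line:
            net = ipaddress.ip_network(src.group(1), strict=False)
            if not net.is_private:
                findings.append((line, "blanket accept from external %s" % net))
    return findings


def harden(dump):
    """Turn the echo-request accept into a DROP and delete blanket external
    accepts; the chain's default DROP policy then covers that source."""
    flagged = {rule for rule, _ in audit_rules(dump)}
    kept = []
    for line in dump.splitlines():
        if line in flagged and "echo-request" in line:
            kept.append(line.replace("-j ACCEPT", "-j DROP"))
        elif line not in flagged:
            kept.append(line)
    return "\n".join(kept) + "\n"
```

Run `audit_rules(RULE_DUMP)` against a dump taken from a real box to list the offending rules, and `harden(RULE_DUMP)` to produce a ruleset that answers neither pings nor the supplier's address.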