Security Basics mailing list archives

Re: Windows 98 box is 'owned'


From: GuidoZ <uberguidoz () gmail com>
Date: Mon, 4 Oct 2004 23:11:00 -0700

*NOTE* This was sent directly to Glen off list, however I believe it
applies to some current topics on-list. Therefore, I'm sending it here
as well.
---------------------
Hello again. =)

I don't expect home users to have to invest a few hundred dollars (in
some cases, per year) to be able to use their cablemodem/DSL
connections... However, whenever I help friends set up their home
networks, I do suggest (nowadays) the Netgear WGR614, which gives SPI,
allows IPSEC outbound for connection to their work VPNs, and lets them
use their laptops via wireless (with a key, etc., of course). It's all
based on need--home users don't need content filtering, VPN support
(except for being able to get to their work connections) or PKI in
general. Power users like those of us who are sysadmins, sure... but Ma
and Pa Kettle? Nah. Frankly, there is such a thing as "too much"
complexity for end users--in my experience, if they can't plug it in and
use it (or have me over for dinner and make sure it's all plugged in and
useable), they aren't going to use it. It'll end up gathering dust next
to their trash can.

Completely agree, 100%. I'd never expect a home user to have a need
for a true hardware firewall. (I also noted in my original reply to
the list that a router like those mentioned would be plenty for his
mother.) The NetGear is a good choice. I'm usually one to recommend a
LinkSys, however NetGear is my 2nd choice. =)

My argument wasn't that home users needed a true hardware firewall. It
was that LinkSys, NetGear and D-link don't make true hardware
firewalls. Terminology, nothing more. ;) I've been in this industry
far too long to let something like that get by. Too many people already
have it confused.

I would also like to emphasize a point you made - if it's not possible
for them to use correctly (even if it is just a router), then having
it is a waste. You could have the best tools in the world at your
disposal, but if you have no clue how to use them, it's meaningless.
Very good point.

I also generally advise they get a copy of ZoneAlarm
or BlackIce to complement the hardware, and to make sure they have an
anti-virus program on their machines.

Don't get me started on BlackICE! =) It's an IDS, not a true software
firewall. (Google it for more info - Steve Gibson has a good write up
on it.) ZoneAlarm is a good choice. So is Kerio. Both are free, easy
to use, and work. Aside from the freebie class, I'm a big fan of
Sygate. I do NOT like Norton Internet Security and McAfee anything.
Both are resource hogs and frankly are unnecessary. Why pay so much
for something you can get for free?

I also try and preach the wonders
of Firefox/Mozilla and Thunderbird--unfortunately, most people fear lots
of change--and they're comfortable with Outcrack (as I call it) and
Internet Exploder. Why? "They just work" is usually the answer they give
me. I can configure Firefox to look scarily like IE and Thunderbird to
have 90% of the functionality of Outcrack (generally features in that
10% are stuff they never would use anyway), and yet they'll still go
back to IE & OE. It's the old "lead a horse to water, but can't make
them drink" bit :-/

Amen. I swear by FireFox/Mozilla products and have since the old
Netscape days. Luckily, I started converting those whom I had
influence over years before IE started having all the recent problems.
(Just back when it was having the other problems. =P ) When the time
came that it simply wasn't safe to use IE anymore, they switched
without much fuss. The only thing missing when it comes to
functionality is something no one should have started relying on in the
first place - ActiveX. One of the organizations I support based an
application on the .NET framework and was using an ActiveX applet to
do some client side scripting. Unfortunately nothing but IE will work
for them. If you have any suggestions, I'm quite willing to listen. ;)

Yes I've run PIXs and Nokia firewalls in the past. However, I see them
(and their peers) as "enterprise-grade" and *way* overkill for Ma and Pa
Kettle.

Again, see my first paragraph. I wasn't trying to convince Tom, Dick,
and Harry to go out and get a SonicWall. I was only stating that there
is a big difference between NAT and a hardware firewall. Not only
would it be way overkill, but it would also be a waste as they could
never figure out how to use it properly. A poorly configured firewall
is worse than none at all - it gives a false sense of security. A
problem often overlooked by too many that should know better!

One firewall that could be considered both a hardware and software
firewall (and even an enterprise class one at that) is the Linux based
Smoothwall. It's free to download and only needs two NICs (minimum)
and an old PC to be fully functional. In case you aren't familiar with
it, it serves as a router as well as a firewall. (Providing NAT/DHCP if
required, but also utilizing IP chains and such for complex rules.)
I've been using it successfully at my shop for a few years. It also
offers a web cache feature that saved us hours of update downloads. On
top of all that, it has a simple web-based interface for the n00b user
PLUS a telnet/ssh command line for the advanced. Updating is a snap,
simple configuration can be done by anyone that would have a need for
Smoothwall, and you can't beat the price.

Many people have a computer in a closet somewhere that has plenty of
power. The one running a 12 system network on a 3mb sDSL line at the
shop is a Pentium 200 with 128MB RAM. We popped in an old 1.2GB hard
drive and 2 new 3COM 3C905-TX NICs. (The networking parts are
important so we didn't skimp.) It has multiple levels of security and
can be used in a multitude of ways. It also has all the features of
the big boys (though I've hardly scratched the surface of it) and
works like a charm. Definitely check it out if you haven't already:
http://www.smoothwall.org (Google it for myriads of configuration
tips, scripts and tweaks.)

Thanks for the reply :)

Likewise. =) I always appreciate intelligent conversation.

--
Peace. ~G



On Mon, 4 Oct 2004 13:07:39 -0500, dana () dtn com <dana () dtn com> wrote:
 
Well, now you both are wrong... 
 
Many of the low end "NAT boxes" are "proper" firewalls. 
 
Routers often can be configured as firewalls, indeed, the first firewalls
were routers. 
 
Servers are also often configured as firewalls. 
 
VPN and PKI, while often incorporated into firewalls (including these "NAT
boxes") are not a requirement for something to be a firewall. 
 
Here's something for you to read: 
http://www.ora.de/catalog/fire/chapter/ch04.html 
 
http://media-server.amazon.com/media/mole/MANUAL000000672.pdf
 
 
Dan Anderson, CISSP, SCSA

"Randy Williams" <randyw () techsource com>
10/01/2004 09:31 AM
To: "'GuidoZ'" <uberguidoz () gmail com>
cc: <bulliver () badcomputer no-ip com>, <security-basics () securityfocus com>
Subject: RE: Windows 98 box is 'owned'

Greetings,
 
 I stand corrected!  Yes, GuidoZ is quite right; the products that I was
 mentioning were simple NAT boxes, and NOT proper firewalls.  I have fallen
 prey to my own attempt to convey complex ideas to the uninitiated with broad
 terms, please accept my apology.
 
 RandyW
 
 -----Original Message-----
 From: GuidoZ [mailto:uberguidoz () gmail com]
 Sent: Friday, October 01, 2004 1:15 AM
 To: Randy Williams
 Cc: bulliver () badcomputer no-ip com; security-basics () securityfocus com
 Subject: Re: Windows 98 box is 'owned'
 
 While these are all good points, I'd like to make a clarification on one
 thing.
 
 > 1)  Complete re-install of the OS with the addition of both a software
 > firewall (ZoneAlarm) and a Hardware Firewall (Linksys, Dlink, etc).
 
 Linksys, Dlink, etc are routers, not firewalls. While they function
 similarly to a hardware firewall (providing NAT and blocking the systems
 behind them from direct access), they are NOT a substitute for a real
 hardware firewall (SonicWall, AlphaShield, etc) when required.
 Although, I believe a router would be plenty for your mother. =)
 
 People frequently toss around the term "hardware firewall" (including
 vendors), applying it to ANY device that provides NAT translation. In
 my eyes, it takes a lot more than NAT to make a firewall. Additional
 protection such as SPI, Content filtering, VPN, PKI, etc make up a
 true hardware firewall.
 
 --
 Peace. ~G
 
 
 On Thu, 30 Sep 2004 16:51:32 -0400, Randy Williams
 <randyw () techsource com> wrote:
 > Greetings Darren,
 >
 > This is a common problem to say the least; there are a couple of things that
 > you could do that could help out your Mother.
 >
 > 1)  Complete re-install of the OS with the addition of both a software
 > firewall (ZoneAlarm) and a Hardware Firewall (Linksys, Dlink, etc).
 >
 > 2)  Clean the system with Adaware, Spybot - Search & Destroy, the A/V of
 > your choice, fully patch the OS, install a good software firewall, and spend
 > some time showing your Mom some basic computing tips.  Then, if that fails,
 > install the hardware firewall for her and see how it goes.
 >
 > Without constant monitoring though, the PC WILL become infected again, it's
 > just a matter of time.
 >
 > RandyW
 >
 >
 >
 > -----Original Message-----
 > From: Darren Kirby [mailto:bulliver () badcomputer no-ip com]
 > Sent: Wednesday, September 29, 2004 11:04 PM
 > To: security-basics () securityfocus com
 > Subject: Windows 98 box is 'owned'
 >
 > Hello all,
 >
 > I am writing this on behalf of my Mom. She was complaining that her computer
 > was sluggish, and that her HD space was getting used up faster than it
 > should. So I went over and fired up my trusty Linux live cd and had a look.
 >
 > Anyway, I found a directory right in C: named 'Downloads', and inside were
 > about 50 or so files, which were all warez, porn, windows exploits and
 > cracker 'howto's. Quite obviously this computer is owned, and is being used
 > as a warez server. I deleted the files, booted win, but they reappeared after
 > about 10 minutes. The strange thing is that these files are ALL 29k, and all
 > have filenames like:
 >
 > Adobe Photoshop crack.exe
 > Smashing the Stack.txt.exe
 > Eminem - full album.mp3.exe
 > Office 2003 full.exe
 > ...
 > On further inspection I found an identical directory at
 > C:/windows/Downloaded Program Files/. God only knows how many trojans and
 > other nasties are sprinkled around...
 >
 > So I yanked the power cord out of her adsl modem, and told her not to plug it
 > back in unless she was checking her mail. Bad advice for sure, but try
 > telling your mom that her computer is rooted by punk kids and it is too
 > cracked to have safe internet access at all. Seems that a complete OS
 > reinstall is in order, but it seems to me that if they can own her box once
 > they can own it again just as easy, which leads me to this list...I would
 > like to try some investigating, and try to figure out where the backdoor is,
 > what exactly they are doing...and of course how to prevent it.
 >
 > Some background on myself...I am a Linux sysadmin, and have a great deal of
 > experience with UNIX operating systems...however, I have never run a windows
 > box, and have only used one in the 'point-and-drool' sort of way. So I really
 > know nothing of how the underlying OS works (or doesn't...).
 >
 > So I guess I am just asking for some opinions of the situation, and perhaps
 > some links to docs about this type of attack, and how to prevent it. Also,
 > any software along the lines of chkrootkit or other forensic tools, but for
 > windows would be a big help.
 >
 > TIA
 > -d
 > --
 > Part of the problem since 1976
 > http://badcomputer.no-ip.com
 > Get my public key from
 > http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
 > "...the number of UNIX installations has grown to 10, with more expected..."
 > - Dennis Ritchie and Ken Thompson, June 1972
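Darren's original post asks for a Windows-side equivalent of chkrootkit, and the listing he gives already carries two simple indicators a triage scan can key on: every dropped file is the same size (29k), and several carry a data-looking extension in front of `.exe` (`.txt.exe`, `.mp3.exe`). The script below is an added example for this thread, not code posted by any of its participants; it builds its own throwaway directory from the names in Darren's post (the sizes and the benign `readme.txt` are constructed) and flags files on exactly those two indicators. The `EXECUTABLE_SUFFIXES` list is a hypothetical minimal set, and the cluster threshold of three is an assumption.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Extensions Windows will run when double-clicked (hypothetical, minimal list).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat"}

# Constructed sample file names, modelled on the listing in Darren's post.
SAMPLE_NAMES = [
    "Adobe Photoshop crack.exe",
    "Smashing the Stack.txt.exe",
    "Eminem - full album.mp3.exe",
    "Office 2003 full.exe",
    "readme.txt",  # benign file, included to show it is not flagged
]


def has_double_extension(name: str) -> bool:
    """True for names such as 'album.mp3.exe': a data-looking extension sits
    in front of an executable one. With Explorer's default of hiding known
    extensions the file shows up as a plain 'album.mp3'."""
    suffixes = Path(name).suffixes
    return len(suffixes) >= 2 and suffixes[-1].lower() in EXECUTABLE_SUFFIXES


def scan_directory(path, size_cluster_min: int = 3):
    """Scan one directory (non-recursive) and return a sorted list of findings:
    executables with a double extension, and any file whose exact byte size is
    shared by at least size_cluster_min files (the 'all 29k' pattern)."""
    entries = [(p.name, p.stat().st_size)
               for p in Path(path).iterdir() if p.is_file()]
    size_counts = Counter(size for _, size in entries)
    clustered = {s for s, n in size_counts.items() if n >= size_cluster_min}

    findings = []
    for name, size in entries:
        reasons = []
        if has_double_extension(name):
            reasons.append("double extension")
        if size in clustered:
            reasons.append(
                f"same size as {size_counts[size] - 1} other files ({size} bytes)")
        if reasons:
            findings.append({"name": name, "size": size, "reasons": reasons})
    return sorted(findings, key=lambda f: f["name"])


def build_sample_dir() -> str:
    """Create a throwaway directory holding the constructed sample files;
    every .exe is padded to exactly 29 KiB, the benign file is small."""
    d = tempfile.mkdtemp(prefix="downloads_sample_")
    for name in SAMPLE_NAMES:
        size = 29 * 1024 if name.lower().endswith(".exe") else 120
        Path(d, name).write_bytes(b"\x00" * size)
    return d


def format_report(findings) -> str:
    """One line per finding, suitable for pasting into a mail like this one."""
    return "\n".join(f"{f['name']}: {'; '.join(f['reasons'])}" for f in findings)


if __name__ == "__main__":
    sample = build_sample_dir()
    print(format_report(scan_directory(sample)))
```

On the affected machine the same scan would be pointed at both directories Darren names (`C:\Downloads` and `C:\windows\Downloaded Program Files`) from the live CD, so the compromised OS is not trusted to report on itself; a second run ten minutes after cleanup shows whether the dropper is still active, which is the behaviour he observed. The size-cluster check is deliberately separate from the extension check: a dropper that uses single-extension names still trips the first, and one that varies file sizes still trips the second.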
 
 
 
 
 


