RE: Network Traffic Violations

[David Lang <dlang () diginsite com>]

-----BEGIN PGP SIGNED MESSAGE-----

I am getting a cable modem in the next few weeks, several of my friends
already have them and they report theat there is NO security provided by
the cable company. This is fine with me as I plan to setup a 485/25 that I
have around as a firewall to protect myself.

David Lang


On Fri, 11 Sep 1998, Ted Doty wrote:

> Date: Fri, 11 Sep 1998 18:04:49 -0400
> From: Ted Doty <ted () iss net>
> To: Rick Smith <rick_smith () securecomputing com>
> Cc: firewall-wizards () nfr net
> Subject: RE: Network Traffic Violations
>
> At 12:01 PM 9/11/98 -0500, Rick Smith wrote:
>
> [snip]
>
> > So, if Windows sharing uses LAN broadcast, then the LAN broadcast won't be
> > relayed unless the cable modem is really bone headed (not impossible, of
> > course). Since the local workstation can not find out its address on the
> > Internet, it can't fashion packets to automatically talk to other cable
> > modems in its "neighborhood" without some sort of broadcast.
> >
> > So, does anyone remember how the reported problem worked? How does this
> > situation compare to it?
>
> I'm afraid I can't remember the details, either, however:
>
> 1. I wouldn't count on the cable companies to implement any security
> mechanisms correctly.  A rather dated document at catv.org described Media
> One's "solution" - filter out the computer name, but not block access to
> the share.  The report concluded:
>
>       "Obviously, MediaOne officials have not spent enough quality time
>        discussing this problem. Not only should cable operators forbid
>        the use of file-sharing, but explore ways to permanently disable
>        the option from Windows95 during cable modem installations. The
>        issue with file-sharing is dangerous to the provider [liability],
>        the subscriber and the industry."
>
>       [6/9/97, www.catv.org/bbb-report/1997/arch-607.html]
>
> Sounds like they're just blocking NetBios Name Table queries with router
> access lists. If they bothered to turn it on.
>
> 2. If you have IP services enabled (duh - it's an ISP connection) then
> someone could connect to port 139.  You would have to do more than just
> double click on Network Neighborhood, but not much:
>
>       ping (your subnet - get the address from your DHCP)
>       C:\> NET VIEW \\(IP address you found)
>
> I haven't checked this out personally, tho.  Anyone have a cable modem at home?
>
> - Ted
>
> -----------------------------------------------------------------------
> Ted Doty, Internet Security Systems        | Phone: +1 678 443-6000
> 6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
> Atlanta, GA 30328  USA                     | Web: http://www.iss.net
> -----------------------------------------------------------------------
> PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNf1Mvj7msCGEppcbAQGBUggAn1/nK1lszcpbHAqcc6DjKKT9SRqf5+Qz
aELhKNUIPO8dl2CgkBfeWmDhB2FCocIA+dh4qDbpYCXDLGDIiNRnCdRsBiIgx46H
1ReCov5qA8KvXjd8Ywhe+vU4+anTbzpp3Jhu4G86M07e1j9SqSaka7wiwLvJxBg+
R7s2ik/sy6zkRWzJioEeUj3xb/o/+3WEI6ersMdb15BPrRdWhTbCfAOGonEh6gBV
z1aO0ccDYjQh2wPapZ3NQV5Y8GzeLfD2jFSoCWvC9dOD8XQHey9ALCBBdWCQpMVv
gLc5esdNi8yDaQrwozeFotOHOhAIINcG/io4NDVfAYMLwcWDH/SS7A==
=nrMl
-----END PGP SIGNATURE-----