
Re: firewalling



** Reply to message from flash on Tue, 13 Dec 2005 13:49:00 +0100


> ≪I thought this was just the default list, not the active list? On my
> NT5 system, this file is dated 2001. ≫ There is a default list, with
> some arbitrary date, and many standard apps. The list is updated by
> installation routines. That's how the OS knows what port numbers to
> enter into a TCP header when you hit the 'send' button in any particular
> app.

On all my computers, this file is unchanged since the day the operating system
was installed (and these boxes are crammed with utils that communicate on odd
port numbers). This is just M$'s list of "well-known ports". Apps call any
ports they want. Absent a software firewall, the computer could care less. A
router can disable ports, but that's different -- that's external.

> ≪what's to prevent any trojan from using an ordinarily kosher port, as
> long as your app isn't using it?≫ Nothing.

My point precisely.

> That's why we need firewalls
> and anti-virus scanners and eternal vigilance.

Vigilance, yes. Firewalls and scanners ... maybe. If you know what you're
doing, if you don't let them get inside, and you keep current on security
updates (exploitable holes in M$ code), then you're very unlikely to have a
problem. Firewalls and virus scanners are a gigantic brake on computer
performance. Absolutely gigantic. (So are some of those security updates.
XP's SP2 slowed everything down enormously. With fast machines, you're not
supposed to notice.)

> If you see up to a dozen or so sessions active or
> listening, this is normal for Win NT5, even when you are not surfing or
> transferring files [see attached screenshot]. If you see many dozens of
> sessions even when you are not surfing or transferring files, this is
> suspicious activity and may indicate that malicious code is trying to
> replicate itself in the local LAN or contact an outside server to
> (possibly) transmit keyboard scans or otherwise compromise your
> security.

But "seeing" the problem doesn't *fix* the problem. You need to know *which*
application specifically, located exactly *where* on your hard disk, is
communicating, so you can kill it. NETSTAT under Win2K provides zero
connective tissue to that information, so you're just left in high anxiety.
Moreover, time is of the essence. You need the PID, and the only way to get
that in a networking thread is with Windows function GetProcAddress; NETSTAT
calls it but *doesn't report it*(!) until Win5.1 -- M$ programmers are idiots.
Therefore, you need external utils such as the ones I mentioned, and you also
need to understand the contextual identity of the app component before you kill
it, lest you make a serious mistake (usually the communication is benign and
the app is authorized -- i.e. you installed it).

You said that "most malicious code is not part of the TCP/IP header structure".
But even if code is part of the header (e.g. the old buffer overflow exploit on
the TZ environment variable under Outlook), and especially if it isn't, it
takes a local collaborator program that you've installed -- or your own
fingers! -- to trigger that code. If people use GUI mailers like Outlook or
Tbird, with their presumptions of "intelligence", they're just asking for heat.
These programs have holes, and they act unbidden; we discovered one
misconstruction, based on a built-in assumption, last month right here (Tbird
and Apple Mail changing the content of transmitted Emails).

I think that while this is a real problem, the solutions are way overkill, and
the best solution -- using your head -- is seldom emphasized. I run a
manually-launched scan once a month (maybe). Never find anything. Never use
the on-access scanner. Do an immense amount of adventurous computing. I think
the concern is largely driven by corporations and online commerce, lest they
lose their data or the trust of buyers, and by the security industry, which is
making tons of money. By Microsoft, which wants to maintain the myth that "you
don't need to know nuthin". You can't go wrong buying Cisco and Alcatel stock.
Most serious, it's created a sheep-like acceptance in the corporate world of a
fascist computing regime -- which fits nicely with everything else that's
happening in society. Just sit down at an institutional workstation and try to
do anything interesting! Lots of luck. Employees just shrug. "That's the way
it is."

The funny part of all this is, the only files that my scanner routinely
identifies as viral are XPL programs that I've written myself. You see what
we're up against? XyWrite contra mundi.

-----------------------------
Robert Holmgren
holmgren@xxxxxxxx
-----------------------------
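The step the post describes, tying each open session to the PID and the on-disk image that owns it before deciding whether to kill it, as an added example in modern PowerShell (not code from the post, and not something the Win2K netstat it discusses could do; Get-NetTCPConnection assumes Windows 8 / Server 2012 or later, and the "trusted path" filter is only a triage heuristic I chose, not a verdict):

```powershell
# Added example, not from the list post: map every TCP listener and
# established session to its owning process and executable path.
# Run elevated so the image path of every process is readable.
$connections = Get-NetTCPConnection |
    Where-Object { $_.State -in 'Listen', 'Established' }

$report = foreach ($c in $connections) {
    # The PID is what netstat -o on XP and later prints; here we also
    # resolve it to a name and path so the "which app, where" question
    # is answered in one place.
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Local   = "$($c.LocalAddress):$($c.LocalPort)"
        Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
        State   = $c.State
        PID     = $c.OwningProcess
        Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path    = if ($proc -and $proc.Path) { $proc.Path } else { '<n/a>' }
    }
}

# Full picture first: this is the list to compare against what you know
# you installed.
$report | Sort-Object PID | Format-Table -AutoSize

# Triage heuristic (assumption, not a rule): highlight images that do not
# live under the Windows or Program Files trees. Those are the ones to
# identify before touching anything; a hit is a question, not an answer.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }

$report | Where-Object {
    $p = $_.Path
    $p -ne '<n/a>' -and -not ($trusted | Where-Object {
        $p.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    })
} | Format-Table Local, Remote, State, PID, Process, Path -AutoSize
```

Processes that exit between the connection snapshot and the Get-Process lookup show as `<exited>`, which is itself worth noting when it happens repeatedly on the same port.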