Get a damn firewall !!!!!!!!!!!!!!!


Eug

Lifer
Mar 11, 2000
24,176
1,816
126


<< BlackIce doesn't catch traffic going out. Maybe it should be called "BlackIce Half Firewall" >>

BI is just as effective as ZA in preventing outside access and hence will block these trojans from installing themselves from a remote site. What BI doesn't do is block outgoing traffic once it's installed (say if someone brought over an infected disk, or someone turned BI off for a while on a computer with shares open).


<< For a second there I thought you knew something I didn't. There's a BIG difference between copying a file to somebody's hard drive and executing a file on somebody's computer. So try again. >>

That's actually quite funny. It's interesting to note that when I was running firewall software, I used to get hit all the time by PCs sniffing around my ports. Interestingly, most of those PCs had IPs which were on the same network as mine, and had computer names like Susan_upstairs or Office_PC or Desktop_Home or something like that. In other words, most of these were simply infected PCs - their owners had left their ports wide open and were running no firewall, hardware or software.

But yes, hardware firewalls are cheap. Single port ones are $60 US, while multi-port ones are only $100. Many of you spend more than that on your speakers, but IMHO this is much more important.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0


<< BI is just as effective as ZA in preventing outside access and hence will block these trojans from installing themselves from a remote site. >>



Wrong. Read the article linked in the first post in this thread.



<< I performed one final test: As I had with ZoneAlarm, I attempted to connect to the Sub7Server Trojan running inside the "Sitting Duck" machine on the IP and listening port number the Trojan was advertising all over the Internet . . . and it worked perfectly. I received Sub7's "PWD" prompt asking me to login. >>



Referring to Black Ice.

Russ, NCNE
 

konichiwa

Lifer
Oct 9, 1999
15,077
2
0
<< Are you REALLY that dense? If the hacker can login to your share, he can do EXACTLY the same things you can do from your own keyboard, including planting trojans and executing files. >>

Actually, IIRC, that's not true. The reason so many people have sharing bound to their internet connection and non password'ed fileshares is because windows does that by default. Windows doesn't allow execute permissions, however -- so simply having a vulnerable NetBIOS port won't let crackers execute programs (assuming they've just logged onto your NetBIOS and aren't using more sophisticated exploits). IIRC, however.
 

coopa

Senior member
Oct 27, 1999
428
0
0
I think that all this "HaXor" stuff is bull-hunky. Why would someone waste their time to get into my computer? If they did they couldn't really do anything either.

I'm not stupid, I could stop an attack... anyone with half a brain could. Who needs a firewall?

Heck, here is my IP address, you can't do anything...


32.69.111.130
:D
 

konichiwa

Lifer
Oct 9, 1999
15,077
2
0
<< Why would someone waste their time to get into my computer? If they did they couldn't really do anything either >>

They don't want anything on your computer, they want your bandwidth for a DDoS attack.
 

V

Banned
Apr 2, 2001
1,821
0
0
WoW! It took me like an hour to read. I use my router's firewall :)
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
konichiwa,

Next time you're on your network, browse over to another PC, pick an exe file and run it. It may not work correctly on your local machine, but it will sure as hell open on the accessed machine.

The only difference is that the hacker is coming from a different physical segment. If the share is accessible, he can still do the same things you can do on your own private network.

Hell, they don't even have to do it manually. It can all be done without any human intervention at all.

Russ, NCNE
 

Eug

Lifer
Mar 11, 2000
24,176
1,816
126


<< Wrong. Read the article linked in the first post in this thread. >>

I did. What Steve Gibson did was install the Sub7 trojan himself, then activate BlackICE Defender. Knowing that BlackICE Defender does not block outgoing traffic, Gibson's test is invalid. He could have simply said something like, "As expected, BID is ineffective in some situations, i.e. when a trojan is installed by the user by accident, from an infected disk. BI fails to alert the user to suspicious outgoing traffic, whereas ZA does." Instead he chose to rig the test so that BID would fail and didn't explain why it failed. To test the functionality of BID would be to put two separate computers on a network, and then install the trojan on one and BID on the other. If the trojan managed to install itself on the BI enabled computer, then BID is a failure. However, as the company BI has stated, BID WOULD have blocked the trojan in this latter test situation.

For those of you who haven't read it:

I did not have a current copy of BlackICE Defender around, but I felt that this was an important test. So I laid out $39.95 through Network ICE's connection to the Digital River eCommerce retailer and purchased the latest version (v2.5) of BlackICE Defender hot off the Internet. I had already removed all traces of ZoneAlarm and restarted the machine, so I installed BlackICE Defender, let everything settle down, and restarted the machine with my packet sniffer running on an adjacent PC.

As far as I could tell, BlackICE Defender had ABSOLUTELY NO EFFECT WHATSOEVER on the dialogs being held by the Zombies and Trojans running inside the poor "Sitting Duck" laptop. I knew that BlackICE Defender was a lame personal firewall, but this even surprised me.

The Zombie/Bot happily connected without a hitch to its IRC chat server to await further instructions. The Sub7 Trojan sent off its eMail containing the machine's IP and the port where it was listening. Then it connected and logged itself into the Sub7 IRC server, repeating the disclosure of the machine's IP address and awaiting port number. No alerts were raised, nothing was flashing in the system tray. The Trojans were not hampered and I received no indication that anything wrong or dangerous was going on.
 

I understand network security. I used to be a pain in the a$$ when I was like 13.
Got in a bit of trouble, nothing major, just learned how to do it right.

If your home machine was used in a distributed attack and you had no clue, you do not deserve to have bandwidth in your house.
The signs of your machine being compromised are so apparent it's funny that so many people fall victim. But of course that is coming from a technical background standpoint.

If a machine is compromised, putting a firewall up after that will have virtually no effect to the average user.
DoS attacks cannot be stopped unless the attacker's bandwidth is cut.

The bottom line is there is no way to keep un-savvy computer users safe on the internet. The internet is not intended for use with morons! ;)
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
Eug,

Apparently you didn't read far enough. He also logged in to the machine and Black Ice didn't utter a peep.

Russ, NCNE
 

SSP

Lifer
Oct 11, 1999
17,727
0
0
Whenever I tried to play Asheron's Call online, or Age of Empires on the LAN it would crash the App.



You need to add the program to ZA's list, then enable internet access. I play CS and AOE2 with ZA on all the time.
 

Eug

Lifer
Mar 11, 2000
24,176
1,816
126


<< Apparently you didn't read far enough. He also logged in to the machine and Black Ice didn't utter a peep. >>

Yes, after the trojan was already installed and running.

Again, I'm not saying I actually use BID or that it's the greatest program in the world. I'm just saying that his reviews are biased and misleading. I'm glad he's around to toot the horn of security, but I just wish he'd be more pragmatic about it. I hate having to sift through so much rhetoric.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
Eug,

You're missing the point. Zone Alarm DID prevent the external access after the trojan was installed. He's not biased, he's reporting FACTS.

Russ, NCNE
 

Eug

Lifer
Mar 11, 2000
24,176
1,816
126
I'm not missing the point at all. BI openly states that their software doesn't work that way and I know ZA is better (esp. considering it's $0 :)). What I'm talking about is his biased rants. I'm not sure if you were around last year when Gibson was on another one of his rants about BID. This is just another rehash. Interestingly, my uneducated guess is if you installed that trojan on a computer behind a home hardware firewall, the home hardware firewall would "fail" as well. Are you telling me that ZA is inherently better than a hardware firewall too? I seem to remember you yourself telling me a while back that a hardware firewall is good enough. (Don't get me wrong... I do appreciate the help and advice from back then though. :))

But we can agree to disagree.
 
Feb 7, 2000
1,004
0
0
<< Next time you're on your network, browse over to another PC, pick an exe file and run it. It may not work correctly on your local machine, but it will sure as hell will open on the accessed machine. >>

omg you're an idiot

browsing to an exe on a networked computer is NOT the same as running the exe from that computer, it's the same as running it from YOUR computer

and if you don't believe me then TRY IT!

write a simple program that adds a string to the registry, then put this program on a networked computer and run the exe then check which computer has the registry entry
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
josphstalinator,

You just get stupider with each post. Do you EVEN know how a trojan works? It is a SCRIPT. It can be executed from ANYWHERE if access is granted.

Move on to something else. You are COMPLETELY lost here.

Russ, NCNE
 

Batti

Golden Member
Feb 2, 2000
1,608
0
0
coopa, that's not very bright.

Eug, hardware firewalls are susceptible to exactly the same thing as BID. That's why defense in layers makes sense - ZoneAlarm behind a Linksys, for instance.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
Eug,

Actually, a home hardware firewall would block the kind of external access he used to test the software solutions. NAT alone would block it. BUT, it does, indeed, allow outgoing connections.

Depending on the cost and sophistication of the device, it can also block access from the inside to the outside. But, these are more than the average user can afford.

Bottom line is, though, that the very best hackers can get in to just about anywhere.

Russ, NCNE
 

Eug

Lifer
Mar 11, 2000
24,176
1,816
126


<< Eug, hardware firewalls are susceptible to exactly the same thing as BID. That's why defense in layers makes sense - ZoneAlarm behind a Linksys, for instance. >>

Yeah that's why, as I mentioned in the other firewall thread in General Hardware, when I'm feeling paranoid I run Norton Internet Security behind my Linky, and keep my virus checker up to date and always active. I find both ZA and NIS a bit of a pain sometimes though. I also have been playing with a program called Active Ports, which is nice because it's also free. I'm still learning about all the different ports though.

EDIT:



<< Actually, a hardware firewall would block the kind of external access he used to test the software solutions. NAT alone would block it. >>

I presume you're talking about the logging in from the outside part, but not the preceding actions by the trojan.


<< Depending on the cost and sophistication of the device, it can also block access from the inside to the outside. >>

I'm sure you've guessed I'm talking about the cheapie home stuff. Hopefully this stuff will improve. I'm already disappointed that many of the routers don't have the ability to exclude MAC addresses (esp. considering I'm running wireless, at "only" 40+24 bit encryption).
 
Feb 7, 2000
1,004
0
0
<< You just get stupider with each post. I suppose that the hacker wouldn't have the corresponding and necessary files on the system from which he's launching? >>

you're making absolutely no sense

if you think you're right then I challenge you. I challenge you to write a program that when run across a network will add a string to the registry of the computer that houses the program

the only rule is that the computer you browse to must be a windows pc and not be running any other software except default windows crapola
 

Descartes

Lifer
Oct 10, 1999
13,968
2
0


<< Next time you're on your network, browse over to another PC, pick an exe file and run it. It may not work correctly on your local machine, but it will sure as hell will open on the accessed machine. >>





<< You just get stupider with each post. I suppose that the hacker wouldn't have the corresponding and necessary files on the system from which he's launching? >>



Umm... no? josphstalinator is absolutely correct. If you are trying to launch an application that injects a trojan into a given service, executing this application from a remote box is not equivalent to executing it locally, as you are alluding. Depending on what's launching this process (it could be a surrogate, for instance), it will inherit the permissions for that given service, thereby further limiting its execution. The key to remote execution is to run the application by way of a local service, like running the sproc xp_cmdshell as part of sql server or something. A direct execution of a process inherits the context of the executor, not the context of the environment where it's executed.
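The experiment josphstalinator proposes (put a program on another PC's share, run it over the network, then see which machine ends up with the entry) can be done without touching the registry. The script below is an added example for this thread, not code posted by any of its participants: it parses a UNC path to find the host that merely stores the file, reports the host that is actually executing the code, and, when run directly, drops a marker file beside itself naming that executing host. The host names and paths used in the comments and test values are made up.

```python
import os
import socket
import sys


def split_unc(path):
    """Return (server, share, relative_path) for a UNC path such as
    \\\\Office_PC\\tools\\run_me.py, or None when the path is not UNC.
    Forward-slash UNC spellings (//server/share/...) are accepted too."""
    if not (path.startswith("\\\\") or path.startswith("//")):
        return None
    parts = path.replace("/", "\\").lstrip("\\").split("\\", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    server, share = parts[0], parts[1]
    rel = parts[2] if len(parts) == 3 else ""
    return server, share, rel


def execution_report(program_path, executing_host=None):
    """Describe where a program's file lives versus where its code runs.

    The host storing the file comes from the UNC path (if any); the host
    running the code is whatever the interpreter reports (or the value
    passed in, which the test uses so it runs on any machine). The two
    are independent: opening \\\\server\\share\\tool.exe from your PC
    runs tool.exe on *your* PC, in *your* security context. Only a
    service on the other machine can run it there.
    """
    if executing_host is None:
        executing_host = socket.gethostname()
    unc = split_unc(program_path)
    file_host = unc[0] if unc else executing_host
    return {
        "file_host": file_host,
        "executing_host": executing_host,
        # Windows host names are case-insensitive, so compare folded.
        "runs_on_file_host": file_host.lower() == executing_host.lower(),
    }


def marker_path(program_path, executing_host):
    """Where the marker file goes: next to the program itself, so if the
    program sits on a share the marker appears on that share, yet it is
    named after the machine that ran the code."""
    directory = os.path.dirname(os.path.abspath(program_path))
    return os.path.join(directory, "ran_on_" + executing_host + ".txt")


if __name__ == "__main__":
    # Run this file from a share on another PC (assumed UNC path) and
    # compare the marker's name with the PC whose share holds it.
    report = execution_report(sys.argv[0])
    marker = marker_path(sys.argv[0], report["executing_host"])
    with open(marker, "w") as fh:
        fh.write("file host: %(file_host)s\n"
                 "executing host: %(executing_host)s\n" % report)
    print(report)
    print("marker written to", marker)
```

The marker lands on whichever disk holds the script, which is what makes the test convincing: the file appears on the other PC's share, but the name inside it is yours, because the code ran under your account on your machine.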

 
Feb 7, 2000
1,004
0
0
<< You just get stupider with each post. Do you EVEN know how a trojan works? It is a SCRIPT. It can be executed from ANYWHERE if access is granted. >>

the trojan must be running on the victim PC in order to accept commands!!!! the only way a program can be run is if the user executes it!!! there is no way to execute a file on somebody else's computer!
 

sharkeeper

Lifer
Jan 13, 2001
10,886
2
0
Try this test.

If your firewall only blocks inbound traffic but has a DC (Don't Care) rule for outbound you may be in for a surprise! If you're concerned with unwanted programs "calling home" then you need a FW like ZA on your workstations even if you're behind a router/N32, etc.

You would be surprised at how many programs "leak" out to the net. It's utterly ridiculous.

Cheers!
 

Eug

Lifer
Mar 11, 2000
24,176
1,816
126
sharkeeper, that LeakTest was the basis of Gibson's first BID rant. What many people found odd was that he singled out BID.
 

FrancesBeansRevenge

Platinum Member
Jun 6, 2001
2,181
0
0


<< You would be surprised at how many programs "leak" out to the net. It's utterly ridiculous. >>



Absolutely. Which is another reason why ZA is VERY useful. IMHO no program should access the internet unless I explicitly give it permission to. On my ZA application list I have a few (legitimate) programs that I have DENIED network access to simply because they have no business accessing the internet.
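The difference sharkeeper and FrancesBeansRevenge are describing, between a firewall that only judges inbound traffic and one that decides per application whether anything may go out, can be shown with a small model. The code below is an added example, not anything posted in this thread or shipped by ZoneAlarm or Network ICE: it evaluates a constructed list of connection attempts (modelled on the traffic Gibson's quoted text describes: a bot contacting an IRC server, a trojan sending mail and advertising a listening port, plus an ordinary browser) against both models. The program names, hosts and port numbers are made up, and the idealized inbound-only model blocks unsolicited inbound connections; whether BID actually did so in Gibson's test is exactly what the thread disputes, and the example takes no position on that.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    program: str        # executable that opened the socket (constructed)
    direction: str      # "inbound" or "outbound"
    remote_host: str
    remote_port: int
    solicited: bool = False  # inbound packet belonging to a connection we opened


@dataclass(frozen=True)
class AppPolicy:
    allowed: frozenset   # programs explicitly granted internet access
    denied: frozenset    # programs explicitly refused ("no business online")


def inbound_only_filter(conn):
    """Model of a firewall that looks at inbound traffic only: anything
    leaving the machine passes, no matter which program sent it."""
    if conn.direction == "outbound":
        return "allow"
    return "allow" if conn.solicited else "block"


def per_application_filter(conn, policy):
    """Model of per-application control: an outbound connection is judged
    by the program that opened it. Programs the user never ruled on get a
    prompt, which is the alert the thread says never appeared under BID."""
    if conn.direction == "inbound":
        return "allow" if conn.solicited else "block"
    if conn.program in policy.denied:
        return "block"
    if conn.program in policy.allowed:
        return "allow"
    return "prompt"


def compare(conns, policy):
    """One row per attempt: program, port, inbound-only verdict, per-app verdict."""
    return [(c.program, c.remote_port,
             inbound_only_filter(c), per_application_filter(c, policy))
            for c in conns]


def silent_leaks(conns, policy):
    """Programs the inbound-only model lets out although the user never
    explicitly allowed them: exactly the "leak" sharkeeper is talking about."""
    return sorted({c.program for c in conns
                   if inbound_only_filter(c) == "allow"
                   and per_application_filter(c, policy) != "allow"})


# Constructed sample traffic; names, hosts and ports are invented.
SAMPLE = [
    Connection("iexplore.exe", "outbound", "www.example.com", 443),
    Connection("zombiebot.exe", "outbound", "irc.example.net", 6667),   # bot awaiting orders
    Connection("sub7server.exe", "outbound", "mail.example.net", 25),   # trojan mailing its IP
    Connection("sub7server.exe", "inbound", "203.0.113.7", 27374),      # someone logging in
    Connection("pdfviewer.exe", "outbound", "stats.example.org", 80),   # "no business online"
    Connection("iexplore.exe", "inbound", "www.example.com", 443, solicited=True),
]

# The kind of list FrancesBeansRevenge describes: one browser allowed,
# one legitimate program deliberately denied, everything else must ask.
POLICY = AppPolicy(allowed=frozenset({"iexplore.exe"}),
                   denied=frozenset({"pdfviewer.exe"}))


if __name__ == "__main__":
    for program, port, inbound_only, per_app in compare(SAMPLE, POLICY):
        print("%-15s port %-5d inbound-only: %-6s per-app: %s"
              % (program, port, inbound_only, per_app))
    print("never explicitly allowed, yet let out:", silent_leaks(SAMPLE, POLICY))
```

The point the rows make is the one Russ and Eug circle around for the whole page: both models are equally happy to drop an unsolicited inbound connection, so the difference only shows once something is already running on the inside and tries to talk out. Default-deny outbound with an explicit allow list is what turns that into a visible event instead of a silent one.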