Why "Stealth" is better than "Closed"...

Your comments and suggestions are very welcome to strengthen the explanation.

Why "Stealth" is better than "Closed"...

There has been an on-going thread in grc.shieldsup about the relative 
merits of "Stealthing" ports.

Some folks here argue the point that a "Closed" port is just as secure 
as a "Stealthed" port. I've been arguing that "Stealth" is better than 
"Closed", and I've now put together what I think is a comprehensive 
explanation as to why that is.

I argue that the vast majority of visitors to GRC to run ShieldsUp are 
people who just want to know if their security is safe, in terms of 
their firewall settings. These are people who don't _need_ to learn the 
intricate details of TCP and UDP packets and they certainly don't want 
to learn about the registry and how to make changes to it. They aren't 
clueless or stupid or dummies 
and some of the other names they've been called here. They don't want to 
become security experts just so that they can use their computers 
safely. They just want to use their computer for work, for relaxation, 
to email and chat to their friends and relatives. That's why Steve 
Gibson set up ShieldsUp in the first place and why he chose to use 
"Stealth" as its strategic concept.

When ports are stealthed, it's most often accomplished by the correct 
use of a NAT router or a software firewall. This kind of "Stealthing" is 
a blanket approach - all ports are stealthed and all ping requests are 
ignored. ShieldsUp is a powerful tool which helps people, the majority 
of whom are not security experts, to be reassured that their critical 
ports are not accessible to hackers or bots trawling the Internet with 
malicious probes. ShieldsUp is what first drew me to GRC, as I began to 
learn the intricacies of firewalling.

When people have problems in achieving "full stealth" with ShieldsUp, 
some of them ask for help in the grc forums, and the regulars here do a 
wonderful job in putting them on the right path to solve their problems. 
Yet, there are those among us who pipe up that "Closed" is just as good 
as "Stealthed". Yes, that's true for an individual port, but not true in 
terms of "Stealth" as a blanket approach to all ports and pings. People 
who want to be "Stealthed" get confused by these mixed messages.

With the blanket approach to "Stealth", all ports become invisible to 
unsolicited packets. Not just the closed ports but ports left "open" by 
Microsoft's operating systems. Those vulnerable ports used by NetBIOS, 
by SMB, by DCOM, by RPC, by DNS Cache, by Remote Desktop, for example. 
These ports cannot be manipulated by malicious, unsolicited probes when 
blanket "Stealth" is being used.

What happens if we remove the "Stealth" blanket? Well, the "closed" 
ports remain inaccessible, but the "open" ports are revealed. If the 
unstealthed computer is fully patched, that doesn't mean that it is 
invulnerable. We've seen the infections caused by "zero day" exploits 
against the ports left "open" by operating systems.

We should all encourage and help visitors to GRC and ShieldsUp to 
achieve a total "Stealth" rating.

----------

Did you know some things about "Stealthing"?

Fewer malicious probes are sent to "Stealthed" home computers or routers 
by bots as observed in the last few weeks.

Replying to "Echo Request" pings by unstealthed routers or computers may 
trigger a sequence of malicious probes to be sent to them that otherwise 
would not be sent.


-- 
Le Flake
From deepest, darkest Ontario
Le
7/3/2006 1:46:52 PM
grc.techtalk | 44 Replies | 913 Views

While scribbling with crayons on the grc.techtalk walls, I heard Le
Flake say:

> Your comments, suggestions are very welcome to strengthen the explanation..
> 
> Why "Stealth" is better than "Closed"...
> 
> There has been an on-going thread in grc.shieldsup about the relative 
> merits of "Stealthing" ports.
> 
> Some folks here argue the point that a "Closed" port is just as secure 
> as a "Stealthed" port. I've been arguing that "Stealth" is better than 
> "Closed", and I've now put together what I think is a comprehensive 
> explanation as to why that is.
[...]

Your technical arguments are well said and accurate, IMO... 

I've always advocated "Stealth" as one of the elements of a layered
defense. Even if we only consider that most scanning bots will typically
not log stealthed systems, or that many "script kiddies" will simply
bypass them in favor of easier known-to-exist systems, "Stealth" is well
worth the small effort it usually takes to implement. The fact that it
may not offer "perfect" invisibility in some cases does not negate its
value in my opinion.
 
-- 
Dutch

GRC Newsgroups/Guidelines/No Regrets
http://www.grc.com/groups/techtalk:155486
Dutch
7/3/2006 3:00:45 PM
On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake wrote:

> Your comments, suggestions are very welcome to strengthen the explanation..
> 
> Why "Stealth" is better than "Closed"...
> 
> There has been an on-going thread in grc.shieldsup about the relative 
> merits of "Stealthing" ports.
> 
> Some folks here argue the point that a "Closed" port is just as secure 
> as a "Stealthed" port. I've been arguing that "Stealth" is better than 
> "Closed", and I've now put together what I think is a comprehensive 
> explanation as to why that is.

I also support the "Closed" is just as secure as "Stealthed" from the
standpoint of someone/thing being able to get into your computer without being
invited.

[...] for full text see above

> What happens if we remove the "Stealth" blanket? Well, the "closed" 
> ports remain inaccessible, but the "open" ports are revealed. 
[...]

I disagree with the above sentence, based on the following explanation of
"Closed / Stealthed".

Liken your computer to your home, with the ports representing the doors and
windows to the outside world. The hacker/bot scanning your IP block
represents a burglar walking down your street trying the doors/windows of
each house. With "closed" the doors and windows of your home are locked so
the burglar can't just walk in, the same as the computer ports being
closed. Anyone can walk up to a door or window and try to come in,
because your house can be seen by all who pass by. Similar to a computer
answering an unsolicited "echo request", it can be seen by all on the
internet. But what if you could make your house invisible to all who pass
by? The burglar wanting to get inside would not know you were there and
would continue on looking for a more attractive (susceptible) target. A
"stealthed" computer does *not* reply to "echo requests", thus making it
invisible to others on the internet. [1]

> We should all encourage and help visitors to GRC and ShieldsUp to 
> achieve a total "Stealth" rating.

While "Stealth" is the optimal condition, I feel it is overrated at times.
 
> ----------
> 
> Did you know some things about "Stealthing"?
> 
> Fewer malicious probes are sent to "Stealthed" home computers or routers 
> by bots as observed in the last few weeks.

Most likely due to a bot doing a quick scan to locate potential targets for
a more thorough scan/attack later.

> Replying to "Echo Request" pings by unstealthed routers or computers may 
> trigger a sequence of malicious probes to be sent to them that otherwise 
> would not be sent.

Most likely due to the action I mention above.

[1] I would love to take credit for this analogy, which was given by Don
Hoover, one of the Gurus on the ZA forum. 

-- 
Disciple - Team Z
If we live in the Spirit, let us also walk in the Spirit.  Gal.5:25
Disciple
7/3/2006 3:58:39 PM
Disciple wrote:
> On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake wrote:
> 
>> Your comments, suggestions are very welcome to strengthen the explanation..
>>
>> Why "Stealth" is better than "Closed"...
>>
>> There has been an on-going thread in grc.shieldsup about the relative 
>> merits of "Stealthing" ports.
>>
>> Some folks here argue the point that a "Closed" port is just as secure 
>> as a "Stealthed" port. I've been arguing that "Stealth" is better than 
>> "Closed", and I've now put together what I think is a comprehensive 
>> explanation as to why that is.

>
> I also support the "Closed" is just as secure as "Stealthed" from the
> standpoint of someone/thing being able to get into your computer without being
> invited.
> 
> [...] for full text see above
> 
>> What happens if we remove the "Stealth" blanket? Well, the "closed" 
>> ports remain inaccessible, but the "open" ports are revealed. 
> [...]
> 
> I disagree with the above sentence, based on the following explanation of
> "Closed / Stealthed".
> 

You can disagree, but the explanation I posted talks to Stealth vs 
Closed vs Open, which is the whole point of my posting.

> Liken your computer to your home, with the ports representing the doors and
> windows to the outside world. The hacker/bot scanning your IP block
> represents a burglar walking down your street trying the doors/windows of
> each house. With "closed" the doors and windows of your home are locked so
> the burglar can't just walk in, the same as the computer ports being
> closed. Anyone can walk up to a door or window and try to come in,
> because your house can be seen by all who pass by. Similar to a computer
> answering an unsolicited "echo request", it can be seen by all on the
> internet. But what if you could make your house invisible to all who pass
> by? The burglar wanting to get inside would not know you were there and
> would continue on looking for a more attractive (susceptible) target. A
> "stealthed" computer does *not* reply to "echo requests", thus making it
> invisible to others on the internet. [1]
> 

Which is an analogy promoting "Stealth", is it not? As you might see in 
the grc.shieldsup thread, "invisibility" is _sometimes_ conferred on a 
router or computer by using blanket "Stealth". It depends on whether the 
ISP suppresses the ICMP responses to tracerts and pings, and where in the 
topography of the ISP's network that suppression is performed. In my 
case, a pinging snooper pinging my IP address cannot establish whether 
there is a host at the other end, thanks to my ISP not responding when 
an IP address is not leased or allocated. Not all ISPs do that and 
therefore careful analysis can reveal if a blanket "stealthed" host is 
holding that IP address.

>> We should all encourage and help visitors to GRC and ShieldsUp to 
>> achieve a total "Stealth" rating.
> 
> While "Stealth" is the optimal condition, I feel it is over rated at times.
>  

You are welcome to your opinion, but I disagree whole-heartedly. Read on.

>> ----------
>>
>> Did you know some things about "Stealthing"?
>>
>> Fewer malicious probes are sent to "Stealthed" home computers or routers 
>> by bots as observed in the last few weeks.
> 
> Most likely due to a bot doing a quick scan to locate potential targets for
> a more thorough scan/attack later.
> 

No, not really, most of the bots aren't that clever. From my results, a 
bot will send three [SYN] packets to a "closed" port, but only two to a 
"stealthed" port. FWIW...

>> Replying to "Echo Request" pings by unstealthed routers or computers may 
>> trigger a sequence of malicious probes to be sent to them that otherwise 
>> would not be sent.
> 
> Most likely due to the action I mention above.
> 

Yes, my tests confirm your thoughts in the case of ICMP Echo Requests.

> [1] I would love to take credit for this analogy, which was given by Don
> Hoover, one of the Gurus on the ZA forum. 
> 

The analogy is weak, as are most analogies. It doesn't cover the whole 
scenario which is "Stealth" vs "Closed" and "Open". Your guru has 
avoided discussing the basic idea of blanket "Stealth" which conceals 
"Open" ports, left there by the operating system. That is the critical 
point and advantage of blanket "Stealth".


-- 
Le Flake
From deepest, darkest Ontario
Le
7/3/2006 4:45:05 PM
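As an added example (not from the thread, GRC or ShieldsUp itself), here is a small Python classifier that maps the "open / closed / stealth" vocabulary used in this thread onto what actually crosses the wire, run over a constructed capture summary. It also counts the SYNs each port drew, which is what the three-versus-two observation above is about, and shows that a blanket stealth layer makes an open listener indistinguishable from a stealthed port to the outside, the point the original post makes about ports Windows leaves open.

```python
"""ShieldsUp-style port-state classification over a constructed capture.

Added example, not the poster's own tool.  A SYN answered with SYN/ACK is
"open", a SYN answered with RST is "closed", a SYN with no answer at all is
"stealth"; an ICMP echo request is "stealthed" when it draws no echo-reply.
"""
from collections import defaultdict

# Constructed capture summary: (seconds, direction, proto, port, flags).
# "in" = packet from the probing host, "out" = our host's reply.
# Values are made up to illustrate the three states and the retries.
CAPTURE = [
    (0.00, "in",  "tcp",  445, "S"),
    (0.01, "out", "tcp",  445, "RA"),          # closed: RST/ACK sent back
    (3.00, "in",  "tcp",  445, "S"),           # prober retries...
    (3.01, "out", "tcp",  445, "RA"),
    (9.00, "in",  "tcp",  445, "S"),           # ...three SYNs in total
    (9.01, "out", "tcp",  445, "RA"),
    (0.50, "in",  "tcp",  135, "S"),
    (0.51, "out", "tcp",  135, "SA"),          # open: listener answers SYN/ACK
    (1.00, "in",  "tcp",  139, "S"),           # stealth: nothing comes back
    (4.00, "in",  "tcp",  139, "S"),           # prober gives up after two
    (2.00, "in",  "icmp",   0, "echo-request"),
    (2.01, "out", "icmp",   0, "echo-reply"),  # pings are answered
]


def classify_ports(capture):
    """Return {port: 'open' | 'closed' | 'stealth'} for every TCP port probed."""
    probed = set()
    replies = defaultdict(set)
    for _, direction, proto, port, flags in capture:
        if proto != "tcp":
            continue
        if direction == "in" and flags == "S":
            probed.add(port)
        elif direction == "out":
            replies[port].add(flags)
    states = {}
    for port in probed:
        if "SA" in replies[port]:
            states[port] = "open"
        elif any("R" in f for f in replies[port]):
            states[port] = "closed"
        else:
            states[port] = "stealth"
    return states


def syn_counts(capture):
    """Number of SYNs each port drew from the prober."""
    counts = defaultdict(int)
    for _, direction, proto, port, flags in capture:
        if direction == "in" and proto == "tcp" and flags == "S":
            counts[port] += 1
    return dict(counts)


def answers_ping(capture):
    """True if the host sent any ICMP echo-reply."""
    return any(d == "out" and p == "icmp" and f == "echo-reply"
               for _, d, p, _, f in capture)


def shieldsup_rating(capture):
    """'full stealth' needs every probe unanswered, pings included."""
    states = classify_ports(capture)
    if any(s == "open" for s in states.values()):
        return "open ports exposed"
    if all(s == "stealth" for s in states.values()) and not answers_ping(capture):
        return "full stealth"
    return "closed, not stealthed"


def apply_blanket_stealth(capture):
    """What the wire looks like once a NAT router or firewall drops every
    unsolicited inbound packet: no reply of any kind reaches the prober.
    The listener on 135 is still there, but nobody outside can tell."""
    return [pkt for pkt in capture if pkt[1] != "out"]


if __name__ == "__main__":
    for label, cap in (("direct", CAPTURE),
                       ("behind blanket stealth", apply_blanket_stealth(CAPTURE))):
        print(label, classify_ports(cap), syn_counts(cap), shieldsup_rating(cap))
```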
;-) Hi Mr. B.... R U still hiding in darkest Ont.???
My understanding is that *STEALTH* in reality comes from the Air Forces. Remember
WYSIWYG. That's why the US stealth fighter is built on this simple principle. Indeed
closed = closed, still people tackle the closed door first. Some IT people have more
time & clue to read all the packet logs, but users like simplicity & do not want
to be a loser <G>. Now the best I could get is a good LAYERED protection,
hard- & software. Like always, your mileage may vary. C'est la vie !!!

-- 
Regards: Joh@nnes :-))
"If U know neither the enemy nor yourself,U will succumb in every battle"


Johannes
7/3/2006 5:07:02 PM
Everyone in this thread so far is accurate...

Yes, stealth is preferred.  No way could it be *less* secure (anyone
challenge that assertion?  A profiling assist, perhaps?)

Yes, it's often over-rated.  Having 65,535 stealthed ports (I'm
including port 0 so there's 65,536 total) but just 1 port OPEN or
CLOSED makes the stealthed ports almost meaningless.  I say CLOSED
because such ports very well *could* be vulnerable in a flood-DOS way.
It doesn't mean they are automatically vulnerable, of course, but if
they were STEALTH an attacker wouldn't gain any knowledge of even
possible flood-DOS success.  This is a general advantage of STEALTH -
providing no feedback that anything even feels an effect.

But... If someone thinks in terms of: "The more stealth ports there
are the more secure I am" they are instantly in trouble because it
doesn't work that way.

If I'm running SMTP, POP3, TELNET, SSH ports OPEN and all other ports
are STEALTH - big *&^%*& deal!  No way can I not be thought of as
interesting, regardless. :-)  Thus, stealth would be even more
over-rated in this case.

Just two cents.  Let the debate go on. :D

Bill
-- 
Expert Opinions $5   I Shut-Up $10
Bill_MI
7/3/2006 5:53:03 PM
On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake <le_flake@hotmail.invalid>  
wrote:

> Your comments, suggestions are very welcome to strengthen the  
> explanation..
>
> Why "Stealth" is better than "Closed"...

Stealth is better than Closed, IMHO, because:

1. Vulnerable hardware and/or software can be identified, and subsequently  
attacked, as a consequence of their "closed" responses.

OS "fingerprinting" is an established art, used by crackers early during  
their assessment of a target. And how a target replies (with closed  
responses) to various probes can, in some cases, identify its OS and/or  
hardware with significant certainty. And OS fingerprinting can certainly  
be automated so as to find "addresses of interest" for subsequent  
exploration :-).

For example, say that a vulnerability is discovered in Linksys routers  
with certain firmware - e.g. administrative password attack, overflow  
possibility on a telnet port, or ???. So the kiddie automates a scan of  
thousands of addresses - looking for the fingerprints of vulnerable  
Linksys routers - as preparation for subsequent "visits".

A. Now, I don't know if my Linux-powered Linksys is vulnerable or not -  
but I'd just as soon not have it identified through a targeted, drive-by  
fingerprinting.

B. If my tweaked Linky is misidentified as a DLink, and if the follow-up  
exploit is a DLink buffer overflow, I don't need to experience the  
mistaken identity and subsequent flood of acks.


2. "Closed" responses can be used in a reflected DDOS attack. Spoofed  
packets to you and a thousand others from a single, spoofed address could  
result in a thousand "closed" responses sent to a single, somehow  
vulnerable server somewhere.

And not only will I have been an unknowing contributor to the DDOS, but I  
may receive a nasty note from my ISP saying that I was part of that  
attack; that my box may be part of a botnet ( duh ), and that I'm on some  
sort of probation 'til "cleared" by a pc "expert".

3. Does "not-Stealthed" mean that ICMP echo requests will not be honored?  
I'd guess that different software handle that question in different ways -  
and if some firewalls, though "closed", nonetheless respond to echo  
requests, then they are open to ICMP DOS flooding.

4. Stealthing a server is a powerful security technique. A lot of folks  
scoff at it, but those of us who believe in it increasingly use "port  
knocking" to stealth private servers. Why sit there and endure probes and  
punches when you can have the firewall stealthed/the server hidden 'til  
opened/revealed by the knocking sequence - THEN do the SSH or SSL or VPN  
handshake?

Now there is a string of logic that claims:

-that your existence can't be hidden from a determined hacker - which is  
true. But it CAN hide you from an initial solicitation for victims.

-that being "stealthed" doesn't make you any less vulnerable to  
exploitation - which is false, as OS fingerprinting is crucial to a  
studied attack.

-that being "stealthed" doesn't make you any less vulnerable to DOS -  
which is false, as the additional CPU/memory usage for each reply (though  
individually minuscule) can add up to an overload level.

There are numerous other considerations for being stealthed, but I've  
forgotten most of them :-).


-- 
  Vista error#4711: TCPA / RIAA / NGSCP VIOLATION: Microsoft optical
mouse detected Linux patterns on mousepad. Partition scan in progress
to remove offending, unapproved products. Request permission, and
apply for a new key to reactivate MS software at www.ms.com

..
Roger
7/3/2006 6:07:27 PM
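Point 4 above (keeping a private server stealthed until a client knocks) as an added example, not Roger's or any real product's setup: a small Python port-knocking gate that tracks knock progress per source address and returns the firewall verdict for each inbound SYN. The knock sequence, time window and open TTL are assumed values; everything that is not an authorized hit on the service port is dropped silently, never rejected, so the server keeps giving no "closed" feedback.

```python
"""Port-knocking gate: the server drops everything (stays stealthed) until a
source sends the knock sequence, then its service port is reachable for that
source for a short time.  Added example; sequence, window and TTL are assumed."""

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret knock, in order
KNOCK_WINDOW = 10.0                   # seconds allowed to complete the knock
OPEN_TTL = 30.0                       # seconds the service port stays open


class KnockGate:
    def __init__(self, service_port, sequence=KNOCK_SEQUENCE,
                 window=KNOCK_WINDOW, ttl=OPEN_TTL):
        self.service_port = service_port
        self.sequence = tuple(sequence)
        self.window = window
        self.ttl = ttl
        self._progress = {}   # src -> (knocks matched so far, time of first knock)
        self._opened = {}     # src -> time the opening expires

    def packet(self, src, port, now):
        """Firewall verdict for an inbound SYN from src to port.

        Only an authorized source hitting the service port is accepted;
        everything else, knocks included, is dropped without a reply, so a
        prober sees neither a SYN/ACK nor the RST that would mark "closed"."""
        expiry = self._opened.get(src)
        if port == self.service_port and expiry is not None and now < expiry:
            return "accept"
        self._knock(src, port, now)
        return "drop"

    def _knock(self, src, port, now):
        idx, started = self._progress.get(src, (0, now))
        if idx and now - started > self.window:
            idx, started = 0, now        # took too long: sequence restarts
        if port == self.sequence[idx]:
            if idx == 0:
                started = now
            idx += 1
            if idx == len(self.sequence):
                self._opened[src] = now + self.ttl
                self._progress.pop(src, None)
            else:
                self._progress[src] = (idx, started)
        else:
            # Any wrong port resets progress, so a sweep that walks port
            # numbers in order hits 7001 right after 7000 and never completes.
            self._progress.pop(src, None)

    def authorized(self, src, now):
        """True while src's opening has not expired."""
        return now < self._opened.get(src, float("-inf"))
```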
> Some folks here argue the point that a "Closed" port is just as secure
> as a "Stealthed" port. I've been arguing that "Stealth" is better than
> "Closed", and I've now put together what I think is a comprehensive
> explanation as to why that is.

My opinion of "stealth" is well known. Stealth is silly. I am not going to get
into another open ended debate on the subject, just stating my position. When
somebody finds a way to overcome my unstealthy closed ports, I'll reconsider.
-- 
Crash

"Great spirits have always encountered violent opposition from mediocre minds."
~ Albert Einstein ~


Crash
7/3/2006 6:21:12 PM
On Mon, 03 Jul 2006 12:45:05 -0400, Le Flake wrote:

 [...] for full text see above
 
> You can disagree, but the explanation I posted talks to Stealth vs 
> Closed vs Open, which is the whole point of my posting.

I completely missed that, probably due to my reading too quickly and partly
because of your opening statement:

>>> Some folks here argue the point that a "Closed" port is just as secure 
>>> as a "Stealthed" port. I've been arguing that "Stealth" is better than 
>>> "Closed", and I've now put together what I think is a comprehensive 
>>> explanation as to why that is.

[...]

> Which is an analogy promoting "Stealth", is it not? As you might see in 
> the grc.shieldsup thread, "invisibility" is _sometimes_ conferred on a 
> router or computer by using blanket "Stealth". It depends on whether the 
> ISP suppresses the ICMP responses to tracerts and pings, and where in the 
> topography of the ISP's network that suppression is performed. In my 
> case, a pinging snooper pinging my IP address cannot establish whether 
> there is a host at the other end, thanks to my ISP not responding when 
> an IP address is not leased or allocated. Not all ISPs do that and 
> therefore careful analysis can reveal if a blanket "stealthed" host is 
> holding that IP address.

The analogy was a very simplistic description of "stealthed vs. closed",
and aimed at users who would be considered novices.
 
[...]

>> While "Stealth" is the optimal condition, I feel it is over rated at times.
> 
> You are welcome to your opinion, but I disagree whole-heartedly. Read on.

Thank you for respecting my opinion, and for expanding your position.
 
[...]

>> Most likely due to a bot doing a quick scan to locate potential targets for
>> a more thorough scan/attack later.
>
> No, not really, most of the bots aren't that clever. From my results, a 
> bot will send three [SYN] packets to a "closed" port, but only two to a 
> "stealthed" port. FWIW...

I defer to your expertise, this is an area I have not yet had a desire or
need to explore.

>>> Replying to "Echo Request" pings by unstealthed routers or computers may 
>>> trigger a sequence of malicious probes to be sent to them that otherwise 
>>> would not be sent.
>
>> Most likely due to the action I mention above.
> 
> Yes, my tests confirm your thoughts in the case of ICMP Echo Requests.
> 
>> [1] I would love to take credit for this analogy, which was given by Don
>> Hoover, one of the Gurus on the ZA forum. 
> 
> The analogy is weak, as are most analogies. It doesn't cover the whole 
> scenario which is "Stealth" vs "Closed" and "Open". 

Yes, most of the time an analogy does come across as being weak. But when
using an analogy to help explain a concept that is foreign to someone else,
they can and do have their place. 

> Your guru has avoided discussing the basic idea of blanket "Stealth"
> which conceals "Open" ports, left there by the operating system. That is
> the critical point and advantage of blanket "Stealth".

I totally agree. In that light, "Stealth" vs "Closed" and "Open",
"Stealthed" should be the desired state everyone should strive for. Which,
in terms of the analogy I used, means when "Stealthed" one could leave the
doors and windows wide open and no one would be able to see the
vulnerability. Sorry I could not resist. :) 
-- 
Disciple - Team Z
Who is wise and understanding among you? Let him show by good conduct that
his works are done in the meekness of wisdom. James 3:13
Disciple
7/3/2006 7:48:23 PM
Quote:  As you might see in the grc.shieldsup thread, "invisibility" is 
_sometimes_ conferred on a router or computer by using blanket 
"Stealth". Unquote

The expression 'blanket stealth' means nothing to me I'm afraid.
It sounds as if, had I a couple of dozen open ports, I could somehow 
blanket all of them, as well as the rest of the ports, without having to 
concern myself with each individually or in groups.
It reads as if I can somehow 'throw a blanket' over my open ports, making 
them stealthed without their ever being closed.

Anyway I have to admit it doesn't concern me much these days, as I no 
longer run Windows except for 'messing' with.

Seán
ClareOldie
7/3/2006 7:49:00 PM
ClareOldie wrote:
> 
> Quote:  As you might see in the grc.shieldsup thread, "invisibility" is 
> _sometimes_ conferred on a router or computer by using blanket 
> "Stealth". Unquote
> 
> The expression 'blanket stealth' means nothing to me I'm afraid.
> It sounds as if, had I a couple of dozen open ports, I could somehow 
> blanket all of them, as well as the rest of the ports, without having to 
> concern myself with each individually or in groups.
> It reads as if I can somehow 'throw a blanket' over my open ports, making 
> them stealthed without their ever being closed.
> 

That's exactly what it means... and a blanket "stealth" will pass the 
ShieldsUp test... and hide the "open" state of those ports.  Most people 
don't care that Microsoft has left ports open nor do they want nor do 
they need to know how to change an "open" port to a "closed" port. For 
example, the way one closes TCP Port 445 on W2K and XP is definitely not 
for average computer users.

-- 
Le Flake
From deepest, darkest Ontario
Le
7/3/2006 7:57:32 PM
While scribbling with crayons on the grc.techtalk walls, I heard
FourSpeed@MSN.com say:

> On Mon, 03 Jul 2006 14:07:27 -0400, "Roger Parks" <Roger@bogus.bog>
> wrote:
> 
>>For example, say that a vulnerability is discovered in Linksys routers  
>>with certain firmware - e.g. administrative password attack, overflow  
>>possibility on a telnet port, or ???. So the kiddie automates a scan of  
>>thousands of addresses - looking for the fingerprints of vulnerable  
>>Linksys routers - as preparation for subsequent "visits".
> 
> I recently added a router to my one pc.  I also have ZAP.  ZAP has
> worked flawlessly for many years.  I haven't changed the router PW
> from its default pw.  If a hacker succeeded in hacking the router, what
> damage can he do?  ZAP is still waiting for him.

The hacker doesn't need to hack anything then, to cause you grief. He
need only change the router password and lock your PC out of the
Internet. You could then reset the router to the defaults of course, but
how long would it take you to realize where the problem is?

-- 
Dutch

GRC Newsgroups/Guidelines/No Regrets
http://www.grc.com/groups/techtalk:155486
Dutch
7/3/2006 8:45:28 PM
On Mon, 03 Jul 2006 16:27:31 -0400, <FourSpeed@MSN.com> wrote:

> On Mon, 03 Jul 2006 14:07:27 -0400, "Roger Parks" <Roger@bogus.bog>
> wrote:
>
>> For example, say that a vulnerability is discovered in Linksys routers
>> with certain firmware - e.g. administrative password attack, overflow
>> possibility on a telnet port, or ???. So the kiddie automates a scan of
>> thousands of addresses - looking for the fingerprints of vulnerable
>> Linksys routers - as preparation for subsequent "visits".
>
> I recently added a router to my one pc.  I also have ZAP.  ZAP has
> worked flawlessly for many years.  I haven't changed the router PW
> from its default pw.  If a hacker succeeded in hacking the router, what
> damage can he do?  ZAP is still waiting for him.

Having ZAP (a second line) is right on, IMHO - though some might suggest  
that you don't need it. But there are a few things he could do - depending  
upon how skilled and energetic he is.

(I certainly don't know the odds that your default password will be "found  
out", or that WAN-based access could be engineered through the HTTP or  
telnet interface. Probably remote, but it does happen - and I tend to lock  
my stuff down tighter than most others :-)

1. Simple WAN mischief.   e.g. Occasionally use the ping tool of your and  
other routers to DOS someone for fun or profit (e.g. nextdoor neighbor,  
FBI, El Jahira, etc.).

2. Check you out.     While ZAP can intercept unsolicited/unauthorized  
activity through the stack, it doesn't really block incoming, non-stack  
packets (that was done by your router, which no longer functions :-) ).

So he could periodically probe your box to see if you had any Trojans  
listening, or unpatched MS vulnerabilities (e.g. DCOM/UDP) which are not  
blocked by ZAP, and which he could activate or inventory for future use -  
depending on the type of infection you had.

3. Simple LAN mischief.    e.g. turn that continuous ping upon your LAN  
after locking you out.

4. Sophisticated WAN/LAN mischief. (This is a reach :-) )   e.g. If you  
have a Linksys (or a few other types), he could load in a custom, Linux OS (I'm  
using one myself). But his could be tricked out with 'nix tools to be some  
sort of superBOT. You'd learn about this when the FBI knocked on your door  
regarding the KiddeePorn server, Terrorist communications, or 
ransom-ware negotiation.

And there are certainly more functions that a slave can perform.

-- 
  Vista error#4711: TCPA / RIAA / NGSCP VIOLATION: Microsoft optical
mouse detected Linux patterns on mousepad. Partition scan in progress
to remove offending, unapproved products. Request permission, and
apply for a new key to reactivate MS software at www.ms.com

..

Roger
7/3/2006 9:26:01 PM
"Crash" Dummy wrote:
>> Some folks here argue the point that a "Closed" port is just as secure
>> as a "Stealthed" port. I've been arguing that "Stealth" is better than
>> "Closed", and I've now put together what I think is a comprehensive
>> explanation as to why that is.
> 
> My opinion of "stealth" is well known. Stealth is silly. I am not going to get
> into another open ended debate on the subject, just stating my position. When
> somebody finds a way to overcome my unstealthy closed ports, I'll reconsider.

Like you, I have enough knowledge to close my XP "Open" ports. That's 
important to me because I needed to research the reaction of remote 
computers probing my ports when they receive a "closed" response. I 
can't have a blanket "Stealth" in place to do that, so I face my testing 
computer directly to the Internet without a router or software firewall.

The debate isn't about what folks like you and me can do to be secure. 
It's about the vast majority of users being secure without them having 
to become security experts. That's the crux of this debate and it's not 
silly from that perspective.

-- 
Le Flake
From deepest, darkest Ontario
Le
7/3/2006 10:05:26 PM
My Linksys router, with Remote Admin disabled, is unhackable.
That said, closed, stealthed, or OPEN ports mean nothing as far
as external intrusion goes.

--
________________________________________________
Solo.
Lakeside, CA
research@milnet.info


Solo
7/4/2006 2:52:06 AM
Le Flake <le_flake@hotmail.invalid> wrote in
<news:e8b74e$1j0t$1@news.grc.com>:

> I argue that the vast majority of visitors to GRC to run ShieldsUp
> are people who just want to know if their security is safe, in
> terms of their firewall settings. These are people who don't
> _need_ to learn the intricate details of TCP and UDP packets and
> they certainly don't want to learn about the registry

IMO, this makes your case too strongly.  I don't know anything about
the intricate details of TCP and UDP packets, but I believe I
understand the concepts of 'open', 'closed', and 'stealthed' pretty
well.  I think that anyone who comes by here looking for info about
ports and security should leave with at least a basic notion of what
those three things are.  If that can't be done without confusing or
frightening people, I think there's something wrong that can't be fixed
by everyone deciding never to mention 'closed' again.

-- 
�Q�
ISO
7/4/2006 3:04:21 AM
On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake wrote:

> Your comments, suggestions are very welcome to strengthen the explanation..

Maybe...

> Why "Stealth" is better than "Closed"...
> 
> There has been an on-going thread in grc.shieldsup about the relative 
> merits of "Stealthing" ports.
> 
> Some folks here argue the point that a "Closed" port is just as secure 
> as a "Stealthed" port. I've been arguing that "Stealth" is better than 
> "Closed", and I've now put together what I think is a comprehensive 
> explanation as to why that is.
> 
> I argue that the vast majority of visitors to GRC to run ShieldsUp are 
> people who just want to know if their security is safe, in terms of 
> their firewall settings. These are people who don't _need_ to learn the 
> intricate details of TCP and UDP packets and they certainly don't want 
> to learn about the registry and how to make changes to it.

None of that is necessary, whether shooting for stealth, or just a
secure connection.

> They aren't clueless or stupid or dummies and some of the other names
> they've been called here.

Never called them stupid. Don't recall seeing them called stupid.

<snip>

> When people have problems in achieving "full stealth" with ShieldsUp, 
> some of them ask for help in the grc forums, and the regulars here do a 
> wonderful job in putting them on the right path to solve their problems. 
> Yet, there are those among us who pipe up that "Closed" is just as good 
> as "Stealthed". Yes, that's true for an individual port, but not true in 
> terms of "Stealth" as a blanket approach to all ports and pings. People 
> who want to be "Stealthed" get confused by these mixed messages.

Except that GRC ShieldsUp! is really quite useless at proving that you
have a "blanket stealth" state; unless you want to take the time to test
all 65,535 ports 64 ports at a time. 10,000 repetitions of testing is a
bit much to try with manual configuration of those 64 ports.

> With the blanket approach to "Stealth", all ports become invisible to 
> unsolicited packets. Not just the closed ports but ports left "open" by 
> Microsoft's operating systems. Those vulnerable ports used by NetBIOS, 
> by SMB, by DCOM, by RPC, by DNS Cache, by Remote Desktop, for example. 
> These ports cannot be manipulated by malicious, unsolicited probes when 
> blanket "Stealth" is being used.

Actually, they could only be manipulated if they were exposed to the
Internet.

> What happens if we remove the "Stealth" blanket? Well, the "closed" 
> ports remain inaccessible, but the "open" ports are revealed. If the 
> unstealthed computer is fully patched, that doesn't mean that it is 
> invulnerable. We've seen the infections caused by "zero day" exploits 
> against the ports left "open" by operating systems.

Wait! Wait! Wait! You were saying why "stealth" is better than "closed";
now you are bringing up "open" ports!

> We should all encourage and help visitors to GRC and ShieldsUp to 
> achieve a total "Stealth" rating.

I opt for helping visitors to understand whether they have any open
ports, or not.

> ----------
> 
> Did you know some things about "Stealthing"?
> 
> Fewer malicious probes are sent to "Stealthed" home computers or routers 
> by bots as observed in the last few weeks.

One Internet connection, among millions, sees that. Two Internet
connections, among millions, don't see that. What three connections,
among millions, are seeing is hardly indicative of what is actually
happening on the Internet.

> Replying to "Echo Request" pings by unstealthed routers or computers may 
> trigger a sequence of malicious probes to be sent to them that otherwise 
> would not be sent.

I see more ICMP requests when I run a dial-up session than I do behind a
router which is responsive to ICMP requests. I see as many ICMP requests
to a router which doesn't respond to ICMP requests as I do to a router
which does respond to ICMP requests.

I am not against "stealth", just opposed to the idea that it is some
kind of security panacea. The goal is to secure the computer against
unauthorized access. If you have closed ports, you have succeeded in
securing your computer. Stealth is just icing on the cake.

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
0
Norman
7/4/2006 3:42:18 AM
Norman Miller wrote:
> On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake wrote:
> 
>> Your comments, suggestions are very welcome to strengthen the explanation..
> 
> Maybe...
> 

>> Why "Stealth" is better than "Closed"...
>>
>> There has been an on-going thread in grc.shieldsup about the relative 
>> merits of "Stealthing" ports.
>>
>> Some folks here argue the point that a "Closed" port is just as secure 
>> as a "Stealthed" port. I've been arguing that "Stealth" is better than 
>> "Closed", and I've now put together what I think is a comprehensive 
>> explanation as to why that is.
>>
>> I argue that the vast majority of visitors to GRC to run ShieldsUp are 
>> people who just want to know if their security is safe, in terms of 
>> their firewall settings. These are people who don't _need_ to learn the 
>> intricate details of TCP and UDP packets and they certainly don't want 
>> to learn about the registry
>>
>> and how to make changes to it.

> 
> None of that is necessary, whether shooting for stealth, or just a
> secure connection.
> 

Yes, you use a NAT router and/or a software firewall, each of which can 
then give the benefit of blanket "stealth", stealthing all ports, both 
"closed" and "open". That's the easiest way I know of securing those 
ports left "open" by the Windows operating system.

>> They aren't clueless or stupid or dummies and some of the other names
>> they've been called here.
> 
> Never called them stupid. Don't recall seeing them called stupid.
> 

I never suggested you did. They're names which other folks have called 
computer users who have other priorities in life rather than the 
intricacies of computer and network security.

>> When people have problems in achieving "full stealth" with ShieldsUp, 
>> some of them ask for help in the grc forums, and the regulars here do a 
>> wonderful job in putting them on the right path to solve their problems. 
>> Yet, there are those among us who pipe up that "Closed" is just as good 
>> as "Stealthed". Yes, that's true for an individual port, but not true in 
>> terms of "Stealth" as a blanket approach to all ports and pings. People 
>> who want to be "Stealthed" get confused by these mixed messages.

> 
> Except that GRC ShieldsUp! is really quite useless at proving that you
> have a "blanket stealth" state; unless you want to take the time to test
> all 65,535 ports 64 ports at a time. 10,000 repetitions of testing is a
> bit much to try with manual configuration of those 64 ports.
> 

That would be 1024 repetitions, but I understand the point. Neither does 
ShieldsUp test the UDP side of things. That's why we use other tools 
and web sites.

>> With the blanket approach to "Stealth", all ports become invisible to 
>> unsolicited packets. Not just the closed ports but ports left "open" by 
>> Microsoft's operating systems. Those vulnerable ports used by NetBios, 
>> by SMB, by DCOM, by RPC, by DNS Cache, by Remote Desktop, for example. 
>> These ports cannot be manipulated by malicious, unsolicited probes when 
>> blanket "Stealth" is being used.
> 
> Actually, they could only be manipulated if they were exposed to the
> Internet.
> 

Exactly. And those Windows holes would be exposed to the Internet if 
they weren't blanket "stealthed" by a NAT router and / or software 
firewall. Those ports can be made "closed", but it's not simple to do 
so. XP and W2K have "open" ports by default which are tricky to "close", 
especially TCP 135 and TCP 445.

>> What happens if we remove the "Stealth" blanket? Well, the "closed" 
>> ports remain inaccessible, but the "open" ports are revealed. If the 
>> unstealthed computer is fully patched, that doesn't mean that it is 
>> invulnerable. We've seen the infections caused by "zero day" exploits 
>> against the ports left "open" by operating systems.
> 
> Wait! Wait! Wait! You were saying why "stealth" is better than "closed";
> now you are bringing up "open" ports!
> 

Because the point is that blanket "Stealth" stealths both "closed" and 
"open" ports. It's the major benefit of blanket "Stealth".

>> We should all encourage and help visitors to GRC and ShieldsUp to 
>> achieve a total "Stealth" rating.
> 
> I opt for helping visitors to understand whether they have any open
> ports, or not.
> 
>> ----------
>>
>> Did you know some things about "Stealthing"?
>>
>> Fewer malicious probes are sent to "Stealthed" home computers or routers 
>> by bots as observed in the last few weeks.
> 

> One Internet connection, among millions, sees that. Two Internet
> connections, among millions, don't see that. What three connections,
> among millions, are seeing is hardly indicative of what is actually
> happening on the Internet.
> 

The study of unsolicited packet behaviour is not of overwhelming 
interest to most folks, even the gurus here. That leaves you and me 
without lives ;)

We discussed what tools are needed to see some of the anomalies I've 
described. Packet sniffing reveals these anomalies.

Your ISP filters out probes to the very common vulnerable ports, 
particularly TCP 135, doesn't it? Here's a simple test to establish how 
much unsolicited traffic is missed by logs and packet sniffs. Run the 
ShieldsUp "All Service Ports" test. Steve G's Nanoprobe server will send 
out 4,332 probes. How many are logged by the user? There's a tool called 
TinyLogger, a useful add-on to Kerio 2.1.5, the firewall which you and I 
both use. TinyLogger does a whole bunch of analysis on the Kerio 2.1.5 
logs, including the number of probes received from GRC's Nanoprobe server.

<http://eskapism.se/software/?page=tinylogger>

(I use version 0.9.8 because of the sorting capability dropped in the 
final release.)

>> Replying to "Echo Request" pings by unstealthed routers or computers may 
>> trigger a sequence of malicious probes to be sent to them that otherwise 
>> would not be sent.
> 
> I see more ICMP requests when I run a dial-up session than I do behind a
> router which is responsive to ICMP requests. I see as many ICMP requests
> to a router which doesn't respond to ICMP requests as I do to a router
> which does respond to ICMP requests.
> 

Well, my packet sniffs revealed more ICMP pings in unstealthed mode 
compared to stealthed mode. I didn't try dial-up because I'd be lynched 
by other family members for hogging the phone line :(

> I am not against "stealth", just opposed to the idea that it is some
> kind of security panacea. The goal is to secure the computer against
> unauthorized access. If you have closed ports, you have succeeded in
> securing your computer. Stealth is just icing on the cake.
> 

The point is that blanket "stealth" _is_ a security panacea for the 
majority of normal, average computer users. It was for me when I knew 
diddley squat about firewalls and routers. It took me a couple of years 
to learn how to "close" all ports used by Windows XP reliably.

Thanks for the input... :)

-- 
Le Flake
From deepest, darkest Ontario
0
Le
7/4/2006 12:11:21 PM
On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake sent:

> What happens if we remove the "Stealth" blanket? Well, the "closed" ports
> remain inaccessible, but the "open" ports are revealed.

Nonsensical...

A port is closed (doesn't allow access, and says so), *OR* open (does
allow a connection through), *OR* the pseudo-term of stealth which doesn't
respond at all.  Changing from one to another is a specific thing, going
away from so-called stealth mode doesn't necessarily infer that the
response will then be open.

If you put a firewall before a vulnerable port, being closed or open
behind it protects it, as long as the firewall works.  But putting a
firewall in place doesn't close open ports.  The only thing that does that
is configuring the service that listens.

If you close the ports, which is what really ought to be done, having a
firewall is a pointless exercise.  Its only real use is to *try* and
protect you against systems that you can't properly configure.

-- 
If you insist on e-mailing me, use the reply-to address (it's real but
temporary).  But please reply to the group, like you're supposed to.

This message was sent without a virus, please destroy some files yourself.

0
Tim
7/4/2006 12:58:46 PM
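The three states Tim lists are exactly what a plain TCP connect() attempt observes, and that is how a ShieldsUp-style grid is built: a completed handshake is "open", a refusal is "closed", silence is "stealth". The following is an added example (not Tim's code, not GRC's Nanoprobe) for checking a host you administer; the verdict wording and the sample result dictionary are constructed for illustration.

```python
import socket
from collections import Counter


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port on a host you administer from what connect() observes.

    open    - the handshake completes (a SYN-ACK came back)
    closed  - the host answered, but refused (an RST came back)
    stealth - nothing at all came back before the timeout
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "unreachable"   # no route or network down: not a port verdict
    finally:
        sock.close()


def summarize(results: dict) -> dict:
    """Count how many probed ports fell into each state."""
    return dict(Counter(results.values()))


def verdict(results: dict) -> str:
    """One overall rating in the spirit of the ShieldsUp grid (constructed wording)."""
    states = set(results.values())
    if "open" in states:
        return "FAILED: at least one port accepts connections"
    if "closed" in states:
        return "PASSED, not stealth: every port refuses, but the host reveals itself"
    return "STEALTH: no port answered at all"


def demo_local() -> tuple:
    """Open vs closed on 127.0.0.1, using a throw-away listener (no network needed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)   # "open"
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)       # "closed": RST from the kernel
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_local())
    sample = {135: "closed", 139: "closed", 445: "stealth"}   # constructed result
    print(summarize(sample), "->", verdict(sample))
```

The "stealth" branch cannot be shown on loopback, since the local kernel always answers; it appears when a filter between prober and host discards the SYN, which is the situation the rest of the thread argues about. Note that "unreachable" is kept separate: a missing route says nothing about the port.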

>> (I certainly don't know the odds that your default password will be  
>> "found
>> out", or that WAN-based access could be engineered through the HTTP or
>> telnet interface. Probably remote, but it does happen - and I tend to  
>> lock
>> my stuff down tighter than most others :-)
>>
>> 1. Simple WAN mischief.   e.g. Occasionally use the ping tool of your  
>> and
>> other routers to DOS someone for fun or profit (e.g. nextdoor neighbor,
>> FBI, El Jahira, etc.).
>
> The router is completely stealthed per shieldsup, as is ZAP.  I have
> the remote capability of the router disabled.  The firmware is the
> latest per linksys.  How is a hacker supposed to get control of the
> router?

Well, first of all, we were discussing "closed" responses - now you're  
talking about "stealth"?

Second, as mentioned earlier, we were using closed responses as a basis  
for scanning for known-vulnerable routers - now you're talking about your  
specific Linksys/firmware?

Third, known-vulnerability means that there is an exploit (and no, I don't  
know if your Linky is vulnerable).

>
> This is one pc that does not have any crap on it.  AVG and M$ Defender
> scan the system daily for such nasties.

There is a thread in grc.security.software called "Anyone using Prevx?"  
which  ->  confident  <-  AV/AT users might find amusing. :-)


>
>>
>> 3. Simple LAN mischief.    e.g. turn that continuous ping upon your LAN
>> after locking you out.
>
> Ping going from the router out on the internet, or from the router
> aimed back at me?  I didn't know a router could initiate ICMP or UDP
> packets.

Well, Under simple WAN mischief (above), one would ping "out on the  
internet".

Under simple LAN mischief, one would "from the router aimed back at me".

And yes, many routers (most?) have diagnostic tools including ping.




0
Roger
7/4/2006 1:39:29 PM
Le Flake wrote:
> ClareOldie wrote:
>>
>> Quote:  As you might see in the grc.shieldsup thread, "invisibility" 
>> is _sometimes_ conferred on a router or computer by using blanket 
>> "Stealth". Unquote
>>
>> The expression 'blanket stealth' means nothing to me I'm afraid.
>> It sounds as, if I had a couple of dozen open ports I could somehow 
>> blanket all of them, as well as the rest of the ports without having 
>> to concern myself with each individually or in groups.
>> It reads as if I can somehow 'throw a blanket' over my open ports 
>> making them stealthed without their ever being closed.
>>
> 
> That's exactly what it means... and a blanket "stealth" will pass the 
> ShieldsUp test... and hide the "open" state of those ports.  Most people 
> don't care that Microsoft has left ports open nor do they want nor do 
> they need to know how to change an "open" port to a "closed" port. For 
> example, the way one closes TCP Port 445 on W2K and XP is definitely not 
> for average computer users.
> 

Thanks for the explanation. I have read the rest of the thread and this 
'blanket', IIUC, could be a router (with NAT & SPI) or firewall?

The difficulty I see with these is they have to be configured also. I 
always found it better to secure the OS first. OK I am probably not an 
'average' user - I'm here ain't I?
It is always best to go to the source of the problem, not treat the 
symptoms. That is not to say there is no value in treating the symptoms, 
just it wouldn't be necessary if the source of the problem was treated 
first.



An OT thought - Linux has been hammered over the years because it 
required a level of 'involvement' from the user. My Windows experience, 
trying to keep the OS running, has required an equal, & maybe larger 
level of getting 'down & dirty' with the OS than my Linux experience to 
date (admittedly short). Linux has now gone heavily GUI thus alleviating 
its problem, and Vista is supposed to be properly secure 'out of box' so 
that should alleviate MS's problems. It will be interesting to see which 
achieves its goals the sooner.



0
ClareOldie
7/4/2006 1:53:17 PM
While scribbling with crayons on the grc.techtalk walls, I heard
FourSpeed@MSN.com say:

> On Mon, 3 Jul 2006 16:45:28 -0400, Dutch
> <buryit@the.blackholespam.net> wrote:
> 
>>The hacker doesn't need to hack anything then, to cause you grief. He
>>need only change the router password and lock your PC out of the
>>Internet. You could then reset the router to the defaults of course, but
>>how long would it take you to realize where the problem is?
> 
> I have a tendency to forget passwords and such.  Isn't there a better
> way?

Write the password on a sticky note and stick it to the bottom of the
router...

-- 
Dutch

GRC Newsgroups/Guidelines/No Regrets
http://www.grc.com/groups/techtalk:155486
0
Dutch
7/4/2006 2:14:34 PM
While scribbling with crayons on the grc.techtalk walls, I heard Le
Flake say:

> Norman Miller wrote:
>> On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake wrote:
[...]
>> I am not against "stealth", just opposed to the idea that it is some
>> kind of security panacea. The goal is to secure the computer against
>> unauthorized access. If you have closed ports, you have succeeded in
>> securing your computer. Stealth is just icing on the cake.
>> 
> 
> The point is that blanket "stealth" _is_ a security panacea for the 
> majority of normal, average computer users. It was for me when I knew 
> diddley squat about firewalls and routers. It took me a couple of years 
> to learn how to "close" all ports used by Windows XP reliably.
> 
> Thanks for the input... :)

Shall we muddy the waters now with the concept that as with "cold",
"closed ports" simply do not exist? ;-)

-- 
Dutch

GRC Newsgroups/Guidelines/No Regrets
http://www.grc.com/groups/techtalk:155486
0
Dutch
7/4/2006 2:23:07 PM
Tim wrote:
> On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake sent:
> 
>> What happens if we remove the "Stealth" blanket? Well, the "closed" ports
>> remain inaccessible, but the "open" ports are revealed.
> 
> Nonsensical...

No...

> 
> A port is closed (doesn't allow access, and says so), *OR* open (does
> allow a connection through), *OR* the pseudo-term of stealth which doesn't
> respond at all.  Changing from one to another is a specific thing, going
> away from so-called stealth mode doesn't necessarily infer that the
> response will then be open.
> 

If you run a ShieldsUp "All Service Ports" test on a blanket "Stealthed" 
computer, you'll see a grid of green squares, indicating that no 
response of any kind was received by the Nanoprobe server at GRC.

If you then run the same test, but allowing your software firewall to 
trust probes from the Nanoprobe server which will remove the blanket 
"Stealth", you'll get a different result. You'll see the vast majority 
of squares in the grid have changed to blue, indicating that the 
equivalent port on your computer is "closed", you'll see red squares for 
any TCP Port in the range 0-1055 on your computer which are "open" and 
green squares for those ports which are blocked and stealthed for you by 
your ISP. That's what I mean by _revealed_. Or am I missing something here?

> If you put a firewall before a vulnerable port, being closed or open
> behind it protects it, as long as the firewall works.  But putting a
> firewall in place doesn't close open ports.  The only thing that does that
> is configuring the service that listens.
> 

Yes, I know... and I haven't said anything different.

> If you close the ports, which is what really ought to be done, having a
> firewall is a pointless exercise.  Its only real use is to *try* and
> protect you against systems that you can't properly configure.
> 

Again, average, normal people don't want to become computer security 
wizards, do they? Do you really expect them to have to learn how to 
close SMB or DCOM or RPC in Windows XP? What about those folks who are 
set up for file and printer sharing? What are they supposed to do? They 
use a router and / or a software firewall to protect their "open" 
NetBios ports. Why do you think all those professionals who give advice 
on the radio and TV tell everyone to get Anti-Virus software, 
Anti-Malware software and _firewall_? Because they know of the problems 
that will arise if normal users try to close "open" ports themselves.

Thanks for the input...

-- 
Le Flake
From deepest, darkest Ontario
0
Le
7/4/2006 2:50:39 PM
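Both Tim's point (a firewall in front of a port does not close it) and Le Flake's (remove the blanket and the open ports are revealed as red squares) can be made concrete with a small model of a stateful filter. This is an added example, not any firewall's or GRC's code; the host address, the prober address and the set of listening ports ({135, 139, 445}) are constructed, and the TCP handshake is reduced to SYN, SYN-ACK and RST.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to what matters here (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN-ACK" or "RST"


# Constructed: the host's address and the ports it leaves listening.
HOST_IP = "198.51.100.2"
HOST_LISTENING = {135, 139, 445}


def host_reply(seg: Segment) -> Optional[Segment]:
    """The bare host: an open port completes the handshake, a closed port refuses."""
    if seg.flags != "SYN":
        return None        # replies to the host's own connections need no further modelling
    flags = "SYN-ACK" if seg.dport in HOST_LISTENING else "RST"
    return Segment(seg.dst, seg.dport, seg.src, seg.sport, flags)


class Filter:
    """Stateful filter in front of the host.

    policy "none":   pass everything through (no blanket at all)
    policy "reject": answer unsolicited SYNs with RST      -> every port looks closed
    policy "drop":   discard unsolicited segments silently -> every port looks stealth
    Replies to connections the host opened itself are always let in.
    """

    def __init__(self, policy: str):
        if policy not in ("none", "reject", "drop"):
            raise ValueError(policy)
        self.policy = policy
        self.flows = set()   # (host port, remote ip, remote port) opened from inside

    def outbound(self, seg: Segment) -> None:
        self.flows.add((seg.sport, seg.dst, seg.dport))

    def inbound(self, seg: Segment) -> Tuple[bool, Optional[Segment]]:
        """Return (delivered to the host?, what the sender sees back)."""
        solicited = (seg.dport, seg.src, seg.sport) in self.flows
        if solicited or self.policy == "none":
            return True, host_reply(seg)
        if self.policy == "reject":
            return False, Segment(seg.dst, seg.dport, seg.src, seg.sport, "RST")
        return False, None


def scan(policy: str, ports, prober: str = "203.0.113.9") -> dict:
    """What a ShieldsUp-style scan of `ports` reports under the given policy."""
    fw = Filter(policy)
    report = {}
    for port in ports:
        _, reply = fw.inbound(Segment(prober, 40000, HOST_IP, port, "SYN"))
        if reply is None:
            report[port] = "stealth"
        elif reply.flags == "SYN-ACK":
            report[port] = "open"
        else:
            report[port] = "closed"
    return report


def solicited_reply_passes(policy: str = "drop") -> bool:
    """Even under "drop", the SYN-ACK for a connection the host started gets in."""
    fw = Filter(policy)
    fw.outbound(Segment(HOST_IP, 51000, "192.0.2.80", 80, "SYN"))
    delivered, _ = fw.inbound(Segment("192.0.2.80", 80, HOST_IP, 51000, "SYN-ACK"))
    return delivered


if __name__ == "__main__":
    for policy in ("none", "reject", "drop"):
        print(policy, scan(policy, [80, 135, 445]))
```

Run it and the three rows are the thread in miniature: with no filter, 135 and 445 report open and 80 closed; under "reject" every port reports closed; under "drop" every port reports stealth. In the last two cases the probe never reaches the host, so the service on 445 is equally unreachable either way; what differs is only whether the prober learns that a host is there. Nothing in the filter changed HOST_LISTENING, which is Tim's point: the ports are still open behind it.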
Dutch wrote:
[snip]
> Shall we muddy the waters now with the concept that as with "cold",
> "closed ports" simply do not exist? ;-)
> 

"cold"? You've lost me here, and I don't have enough hair left on my 
scalp to detect the breeze as it flew straight over my head. :(

Have a happy fourth of July!

(I look forward to progressively even more incoherent posts from you as 
the day progresses ;) Cheers... hic...)


-- 
Le Flake
From deepest, darkest Ontario
0
Le
7/4/2006 3:06:20 PM
On Mon, 3 Jul 2006 20:42:18 -0700, Norman Miller
<exfenestrate@spammers.invalid> wrote:

>I am not against "stealth", just opposed to the idea that it is some
>kind of security panacea. The goal is to secure the computer against
>unauthorized access. If you have closed ports, you have succeeded in
>securing your computer. Stealth is just icing on the cake.

For users with no hardware device between their system and the
internet (not uncommon for dial-up users), the "icing" has value.

-- 
js
0
john
7/4/2006 3:14:49 PM
On Tue, 04 Jul 2006 08:11:21 -0400, Le Flake wrote:

> Norman Miller wrote:

>> On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake wrote:

>>> Your comments, suggestions are very welcome to strengthen the explanation..

>> Maybe...

>>> Why "Stealth" is better than "Closed"...
>>>
>>> There has been an on-going thread in grc.shieldsup about the relative 
>>> merits of "Stealthing" ports.
>>>
>>> Some folks here argue the point that a "Closed" port is just as secure 
>>> as a "Stealthed" port. I've been arguing that "Stealth" is better than 
>>> "Closed", and I've now put together what I think is a comprehensive 
>>> explanation as to why that is.
>>>
>>> I argue that the vast majority of visitors to GRC to run ShieldsUp are 
>>> people who just want to know if their security is safe, in terms of 
>>> their firewall settings. These are people who don't _need_ to learn the 
>>> intricate details of TCP and UDP packets and they certainly don't want 
>>> to learn about the registry
>>>
>>> and how to make changes to it.

>> None of that is necessary, whether shooting for stealth, or just a
>> secure connection.

> Yes, you use a NAT router and/or a software firewall, each of which can 
> then give the benefit of blanket "stealth", stealthing all ports, both 
> "closed" and "open". That's the easiest way I know of securing those 
> ports left "open" by the Windows operating system.

Based on the questions posed here, I can't agree that NAT and firewall
are "easier" than shutting down services. Just different, and equally
confusing to the non-Geek, techniques.

>>> They aren't clueless or stupid or dummies and some of the other names
>>> they've been called here.

>> Never called them stupid. Don't recall seeing them called stupid.

> I never suggested you did. They're names which other folks have called 
> computer users who have other priorities in life rather than the 
> intricacies of computer and network security.

Heh. I have been called, "Too stupid to use the Internet"; not for a
stupid computer question, but for a completely unrelated to computers
remark about a sociological issue. The sort of thing which inflames
passions, and caused Steve Gibson to shut down 10 Forward. We "Red
State" voters just don't get any respect...

>>> When people have problems in achieving "full stealth" with ShieldsUp, 
>>> some of them ask for help in the grc forums, and the regulars here do a 
>>> wonderful job in putting them on the right path to solve their problems. 
>>> Yet, there are those among us who pipe up that "Closed" is just as good 
>>> as "Stealthed". Yes, that's true for an individual port, but not true in 
>>> terms of "Stealth" as a blanket approach to all ports and pings. People 
>>> who want to be "Stealthed" get confused by these mixed messages.

>> Except that GRC ShieldsUp! is really quite useless at proving that you
>> have a "blanket stealth" state; unless you want to take the time to test
>> all 65,535 ports 64 ports at a time. 10,000 repetitions of testing is a
>> bit much to try with manual configuration of those 64 ports.

> That would be 1024 repetitions, but I understand the point. Neither does 
> ShieldsUp test the UDP side of things. That's why we use other tools 
> and web sites.

Well, yes. I managed to miscalculate that into a bit of needless
hyperbole...  :P

I used one site, once, which took 24 hours to probe all of the ports. I
haven't checked since. Easier to use TCPView to see what is listening.
And to use the router management interface to see what rules are in
effect.

>>> With the blanket approach to "Stealth", all ports become invisible to 
>>> unsolicited packets. Not just the closed ports but ports left "open" by 
>>> Microsoft's operating systems. Those vulnerable ports used by NetBios, 
>>> by SMB, by DCOM, by RPC, by DNS Cache, by Remote Desktop, for example. 
>>> These ports cannot be manipulated by malicious, unsolicited probes when 
>>> blanket "Stealth" is being used.

>> Actually, they could only be manipulated if they were exposed to the
>> Internet.

> Exactly. And those Windows holes would be exposed to the Internet if 
> they weren't blanket "stealthed" by a NAT router and / or software 
> firewall. Those ports can be made "closed", but it's not simple to do 
> so. XP and W2K have "open" ports by default which are tricky to "close", 
> especially TCP 135 and TCP 445.

And configuring a NAT box, or firewall is less tricky? I wonder. But the
NAT box isn't really tricky; it is as easy as plugging in cables. And
some don't "stealth" ports, even though they don't forward packets. Why
do you think people come here to ask about their routers not
"stealthing" ports? And why should that be a problem when the ports are
only showing as closed? You can't break through a NAT box from the
outside, whether it "stealths" ports, or not.

>>> What happens if we remove the "Stealth" blanket? Well, the "closed" 
>>> ports remain inaccessible, but the "open" ports are revealed. If the 
>>> unstealthed computer is fully patched, that doesn't mean that it is 
>>> invulnerable. We've seen the infections caused by "zero day" exploits 
>>> against the ports left "open" by operating systems.

>> Wait! Wait! Wait! You were saying why "stealth" is better than "closed";
>> now you are bringing up "open" ports!

> Because the point is that blanket "Stealth" stealths both "closed" and 
> "open" ports. It's the major benefit of blanket "Stealth".

Eh? That makes no sense. "Stealth" blankets nothing. It is a state of
non-response from a port. A NAT device blankets ports. A Linksys BEFSR11
will test as "closed" ports, even when a device behind the NAT has an
open port. Are you saying that a Linksys router, which stealths nothing,
is a greater security risk for that? How? I have yet to hear of anybody
cracking closed ports from the outside; even when the ports are on a
computer directly connected to the Internet, much less on a NAT device
which can't forward them.

The beauty of NAT isn't that it stealths (whether it does (Netgear,
D-Link), or not (some Linksys models)), but that it makes it dead easy
to prevent unsolicited packets from reaching a computer. When a person
wants to stealth his Windows XP computer, well, it is all fun and games.
A combination of learning how to shut down vulnerable services, and how
to handle a firewall popping up requests for Internet access. Confuses
the hell out of those not interested in being geeks. Much easier to plug
in a NAT box. But the non-geek still has some things to learn. "Stealth"
doesn't shield the user from learning about TCP/IP; it is just another
aspect of TCP/IP which has to be learned.

>>> Did you know some things about "Stealthing"?
>>>
>>> Fewer malicious probes are sent to "Stealthed" home computers or routers 
>>> by bots as observed in the last few weeks.

>> One Internet connection, among millions, sees that. Two Internet
>> connections, among millions, don't see that. What three connections,
>> among millions, are seeing is hardly indicative of what is actually
>> happening on the Internet.

> The study of unsolicited packet behaviour is not of overwhelming 
> interest to most folks, even the gurus here. That leaves you and me 
> without lives ;)

They are the reason you tout "Stealth" as a panacea, are they not?

> We discussed what tools are needed to see some of the anomalies I've 
> described. Packet sniffing reveals these anomalies.
> 
> Your ISP filters out probes to the very common vulnerable ports, 
> particularly TCP 135, doesn't it?

Particularly port 135? Is that a greater threat than port 139?

> Here's a simple test to establish how 
> much unsolicited traffic is missed by logs and packet sniffs. Run the 
> ShieldsUp "All Service Ports" test. Steve G's Nanoprobe server will send 
> out 4,332 probes. How many are logged by the user?

It isn't the blocked packets which are a problem. It is the ones which
get through.

> There's a tool called TinyLogger, a useful add-on to Kerio 2.1.5, the
> firewall which you and I both use. TinyLogger does a whole bunch of
> analysis on the Kerio 2.1.5 logs, including the number of probes received
> from GRC's Nanoprobe server.

Which would do me what good? Practically nothing impinges on Kerio
Personal Firewall from the outside on my rig. Never did when I was
running behind a Linksys BEFSR11, which would only report all tested
ports as "closed" by SU. Some recommend pointing the DMZ of that Linksys
to an unused IP address. I actually did that in the early days. By the
time I figured out that the exercise was pointless, I had moved up to a
different model of router. Currently, I am pingable. However, when I
turn off ICMP response in the router, I don't see a lot of ICMP packets
in the router logs.

>>> Replying to "Echo Request" pings by unstealthed routers or computers may 
>>> trigger a sequence of malicious probes to be sent to them that otherwise 
>>> would not be sent.

>> I see more ICMP requests when I run a dial-up session than I do behind a
>> router which is responsive to ICMP requests. I see as many ICMP requests
>> to a router which doesn't respond to ICMP requests as I do to a router
>> which does respond to ICMP requests.

> Well, my packet sniffs revealed more ICMP pings in unstealthed mode 
> compared to stealthed mode. I didn't try dial-up because I'd be lynched 
> by other family members for hogging the phone line :(

You must remember; we, the pair of us, are just unique statistical points
in the scheme of the Internet. Neither of us should be extrapolating
personal experience to the Internet as a whole. So check with places
like MyNetWatchman and DShield. I don't see where ICMP is as big an
issue as some of the TCP ports. NetBIOS ports and Messenger spam ports
are up there at the top. Messenger spam is far and away the most
significant. ICMP isn't up there that high.

Both can be locked down without a firewall in place. No great deal of
effort to learn how.

>> I am not against "stealth", just opposed to the idea that it is some
>> kind of security panacea. The goal is to secure the computer against
>> unauthorized access. If you have closed ports, you have succeeded in
>> securing your computer. Stealth is just icing on the cake.

> The point is that blanket "stealth" _is_ a security panacea for the 
> majority of normal, average computer users. It was for me when I knew 
> diddley squat about firewalls and routers. It took me a couple of years 
> to learn how to "close" all ports used by Windows XP reliably.

It took me a couple of months to figure out what my NAT router is
capable of doing. Learned that my Linksys BEFSR11, which doesn't stealth
squat, was still reliable.

I set up a couple of services on a Windows XP computer; ones that most
people disable. Why? Because a NAT router makes the issue of open ports
on the LAN a moot issue.

> Thanks for the input... :)

Any time!

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
0
Norman
7/4/2006 4:22:22 PM
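Norman's suggestion to look at what is listening (TCPView on Windows) is the defender's half of the question: an outside scan tells you what a prober sees, while the socket table tells you what is actually open. As an added example (not TCPView, not the page's own code), here is a reader of the Linux equivalent, /proc/net/tcp, that lists LISTEN sockets and flags those not bound to loopback; the sample table is constructed, and the port numbers in it (53, 139, 445) are chosen only because the thread discusses them.

```python
import socket
import struct

# Constructed excerpt in the format of Linux /proc/net/tcp. local_address is
# "IPHEX:PORTHEX" with the IPv4 address in little-endian byte order; st 0A is LISTEN.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A0200C0:C3A2 500200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"   # TCP_LISTEN in the kernel's state numbering


def decode_addr(hexaddr: str) -> tuple:
    """'0100007F:0035' -> ('127.0.0.1', 53): the IP is stored as a little-endian u32."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text: str) -> list:
    """Return (ip, port, exposed) for every LISTEN socket in a /proc/net/tcp dump.

    'exposed' means the socket is not bound to loopback, so it is reachable from
    any interface unless something in front of the host drops or rejects the SYN.
    """
    found = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append((ip, port, not ip.startswith("127.")))
    return found


def exposed_ports(text: str) -> list:
    """Just the port numbers an outside scan could find open, sorted."""
    return sorted(port for _, port, exposed in listening_sockets(text) if exposed)


def read_live() -> list:
    """Same thing for the running machine (IPv4 only; /proc/net/tcp6 holds IPv6)."""
    with open("/proc/net/tcp") as fh:
        return listening_sockets(fh.read())


if __name__ == "__main__":
    for ip, port, exposed in listening_sockets(SAMPLE):
        print(f"{ip}:{port}  {'EXPOSED' if exposed else 'loopback only'}")
    print("exposed:", exposed_ports(SAMPLE))
```

In the constructed sample the DNS cache on 127.0.0.1:53 is loopback-only, while 139 and 445 are bound to 0.0.0.0 and would show as open to a scanner unless a NAT box or filter sits in front. That is the same information TCPView gives, and it is the list to compare against a ShieldsUp grid: any port here that the scan reports as stealth or closed is being hidden by something other than the service itself.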
Norman Miller wrote:
[snip]
>> Exactly. And those Windows holes would be exposed to the Internet if 
>> they weren't blanket "stealthed" by a NAT router and / or software 
>> firewall. Those ports can be made "closed", but it's not simple to do 
>> so. XP and W2K have "open" ports by default which are tricky to "close", 
>> especially TCP 135 and TCP 445.
> 
> And configuring a NAT box, or firewall is less tricky? I wonder. But the
> NAT box isn't really tricky; it is as easy as plugging in cables. And
> some don't "stealth" ports, even though they don't forward packets. Why
> do you think people come here to ask about their routers not
> "stealthing" ports? And why should that be a problem when the ports are
> only showing as closed? You can't break through a NAT box from the
> outside, whether it "stealths" ports, or not.
> 

Well, in terms of software firewalls, McAfee, Symantec and Zone Alarm 
sell themselves by their easy out-of-the-box install. I have not had to 
configure anything on my latest Siemens Modem/Router except the 
administration password and my userid/password to reach my ISP. Doesn't 
get much simpler than that.

[snip]

> Eh? That makes no sense. "Stealth" blankets nothing. It is a state of
> non-response from a port. A NAT device blankets ports. A Linksys BEFSR11
> will test as "closed" ports, even when a device behind the NAT has an
> open port. Are you saying that a Linksys router, which stealths nothing,
> is a greater security risk for that? How? I have yet to hear of anybody
> cracking closed ports from the outside; even when the ports are on a
> computer directly connected to the Internet, much less on a NAT device
> which can't forward them.
> 

No, a blanket "Stealth" isn't a port by port tool. It identifies 
unsolicited packets and dumps them, without sending any response to the 
originating IP. These packets don't go near any port on the blanket 
"stealthed" computer.

> The beauty of NAT isn't that it stealths (whether it does (Netgear,
> D-Link), or not (some Linksys models)), but that it makes it dead easy
> to prevent unsolicited packets from reaching a computer. When a person
> want to stealth his windows XP computer, well, it is all fun and games.
> A combination of learning how to shut down vulnerable services, and how
> to handle a firewall popping up requests for Internet access. Confuses
> the hell out of those not interested in being geeks. Much easier to plug
> in a NAT box. But the non-geek still has some things to learn. "Stealth"
> doesn't shield the user from learning about TCP/IP; it is just another
> aspect of TCP/IP which has to be learned.
> 

No Norm, no user needs to learn or know anything about TCP/IP to be 
secure. They either get a router or a software firewall which work 
out-of-the-box.

[snip]

> Particularly port 135? Is that a greater threat than port 139?
> 

There are about 12 different exploits available through TCP port 135. A 
honeypot and sniffer reveals what the probes are trying to do.

>> Here's a simple test to establish how 
>> much unsolicited traffic is missed by logs and packet sniffs. Run the 
>> ShieldsUp "All Service Ports" test. Steve G's Nanoprobe server will send 
>> out 4,332 probes. How many are logged by the user?
> 
> It isn't the blocked packets which are a problem. It is the ones which
> get through.
> 

Norm, it's a test to establish if your network logging is "seeing" 
everything there is to see.

-- 
Le Flake
 From deepest, darkest Ontario
0
Le
7/4/2006 6:14:54 PM
Le Flake wrote:
(Snipped - see his post above for unabridged version)

> Tim wrote:

>> If you close the ports, which is what really ought to be done, having a
>> firewall is a pointless exercise.  Its only real use is to *try* and
>> protect you against systems that you can't properly configure.
>>
> 
> Again, average, normal people don't want to become computer security 
> wizards, do they? Do you really expect them to have to learn how to 
> close SMB or DCOM or RPC in Windows XP? What about those folks who are 
> set up for file and printer sharing? What are they supposed to do? They 
> use a router and / or a software firewall to protect their "open" 
> NetBios ports. Why do you think all those professionals who give advice 
> on the radio and TV tell everyone to get Anti-Virus software, 
> Anti-Malware software and _firewall_? Because they know of the problems 
> that will arise if normal users try to close "open" ports themselves.

I'm one of those "normal" users you are talking about, and you are 
absolutely right.
I run a home wi-fi network, but have never had computer training of any 
sort (they didn't exist when I was at school and weren't used in my 
employment). However I was lucky enough to have been pointed to GRC (God 
bless your cotton socks, Milly!) and am fully protected with A/V, 
Firewall etc..

But as for ports? I haven't any idea how or which to close. Do I really 
need to know? And as you say, I don't think I am "clueless or stupid or 
a dummy" :-)

Keep up the good work,

-- 
TonyP


0
TonyP
7/4/2006 7:33:02 PM
While scribbling with crayons on the grc.techtalk walls, I heard Le
Flake say:

> Dutch wrote:
> [snip]
>> Shall we muddy the waters now with the concept that as with "cold",
>> "closed ports" simply do not exist? ;-) 
> 
> "cold"? You've lost me here, and I don't have enough hair left on my 
> scalp to detect the breeze as it flew straight over my head. :(

Now surely you know that "cold" does not exist except as a word to
describe the absence of "heat". "Heat" on the other hand, *does* exist
as a form of energy. "Cold" cannot be measured, "heat" can.

The same concept exists with software "ports", in that you can have an
"open" port, where a service is actively listening, but there are no
"closed" ports as such, only an OS response saying the port is not
"open". "Stealth" on the other hand, is neither in relation to ports,
since the "stealth" mechanism, either directly (softwall), or indirectly
(NAT router/hardwall) simply prevents the OS from responding to port
requests at all.  
 
> Have a happy fourth of July!

And a bang up one it is!
 
> (I look forward to progressively even more incoherent posts from you as 
> the day progresses ;) Cheers... hic...)

Not unless someone spiked my coffee. I haven't imbibed an intoxicant in
nearly 30 years... :-))

-- 
Dutch

GRC Newsgroups/Guidelines/No Regrets
http://www.grc.com/groups/techtalk:155486
0
Dutch
7/4/2006 7:49:44 PM
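The open / closed / stealth distinction Dutch draws above, as an added toy model in Python (not code from the thread, from GRC or from any firewall product): Host stands for the bare OS stack, which answers every unsolicited packet one way or another, and StealthFirewall for the blanket drop that keeps the stack from seeing the packet at all, with the "trusted address still gets through" exception that comes up later in the thread. The listening-port sets and the addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Toy model of how an unsolicited probe is answered under the three
ShieldsUp states (open, closed, stealth). Added example, not thread code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Probe:
    src: str                      # probing address (constructed)
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for an ICMP echo request


@dataclass
class Host:
    """Unfiltered OS: the stack itself replies to every probe."""
    listening: Dict[str, Set[int]] = field(default_factory=dict)

    def respond(self, p: Probe) -> str:
        if p.proto == "icmp":
            return "ICMP echo reply"
        if p.dport in self.listening.get(p.proto, set()):
            # Open: TCP continues the handshake; for UDP the stack sends
            # nothing by itself and the service decides what comes back.
            return "SYN/ACK" if p.proto == "tcp" else "no ICMP (service-dependent)"
        # Closed: nothing is listening, and the stack says so explicitly.
        return "RST/ACK" if p.proto == "tcp" else "ICMP port unreachable"


@dataclass
class StealthFirewall:
    """Blanket 'stealth' in front of the host: unsolicited packets are
    dropped before the stack sees them, except from trusted sources."""
    host: Host
    trusted: List[str] = field(default_factory=list)   # CIDR strings

    def respond(self, p: Probe) -> Optional[str]:
        if any(ip_address(p.src) in ip_network(net) for net in self.trusted):
            return self.host.respond(p)       # trusted: behaves as the bare host
        return None                           # everyone else: silence


def shieldsup_state(reply: Optional[str]) -> str:
    """Label a TCP port the way a remote scanner would, from the reply it saw."""
    if reply is None:
        return "stealth"
    if reply == "SYN/ACK":
        return "open"
    return "closed"


def scan(target, src: str, ports) -> Dict[int, str]:
    """Probe each TCP port once from src and collect the scanner's verdicts."""
    return {port: shieldsup_state(target.respond(Probe(src, "tcp", port)))
            for port in ports}


if __name__ == "__main__":
    # Constructed: an XP-like box with the usual Windows services listening.
    xp = Host(listening={"tcp": {135, 139, 445}, "udp": {137, 138}})
    fw = StealthFirewall(xp, trusted=["192.0.2.0/24"])
    print("bare host:", scan(xp, "203.0.113.9", [80, 135, 445]))
    print("stealthed:", scan(fw, "203.0.113.9", [80, 135, 445]))
    print("trusted  :", scan(fw, "192.0.2.7", [80, 135, 445]))
```

Running it shows the same port reported as open, closed or stealth depending only on what sits between the prober and the stack, which is the whole substance of the closed-versus-stealth argument in this thread.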
Dutch wrote:
> While scribbling with crayons on the grc.techtalk walls, I heard Le
> Flake say:
> 
>> Dutch wrote:
>> [snip]
>>> Shall we muddy the waters now with the concept that as with "cold",
>>> "closed ports" simply do not exist? ;-) 
>> "cold"? You've lost me here, and I don't have enough hair left on my 
>> scalp to detect the breeze as it flew straight over my head. :(
> 
> Now surely you know that "cold" does not exist except as a word to
> describe the absence of "heat". "Heat" on the other hand, *does* exist
> as a form of energy. "Cold" cannot be measured, "heat" can.
> 

I figured that was what you were hinting, but to assume "makes an _ASS_ 
out of _U_ and ME", so I thought I'd better confirm that with you, Sir.

> The same concept exists with software "ports", in that you can have an
> "open" port, where a service is actively listening, but there are no
> "closed" ports as such, only an OS response saying the port is not
> "open". "Stealth" on the other hand, is neither in relation to ports,
> since the "stealth" mechanism, either directly (softwall), or indirectly
> (NAT router/hardwall) simply prevents the OS from responding to port
> requests at all.  
>  

Exactly so... thank you, where were you when we wanted wisdom? ;)

>> Have a happy fourth of July!
> 
> And a bang up one it is!
>  
>> (I look forward to progressively even more incoherent posts from you as 
>> the day progresses ;) Cheers... hic...)
> 
> Not unless someone spiked my coffee. I haven't imbibed an intoxicant in
> nearly 30 years... :-))
> 

Ah, well, I do imbibe, but not often and not in quantity. My doctor says 
I drink too little alcohol, so we agreed my minimum intake at three 
beers a week. ;)

-- 
Le Flake
 From deepest, darkest Ontario
0
Le
7/4/2006 10:59:31 PM
While scribbling with crayons on the grc.techtalk walls, I heard Le
Flake say:

> Dutch wrote:
>> While scribbling with crayons on the grc.techtalk walls, I heard Le
>> Flake say:
>> 
>>> Dutch wrote:
>>> [snip]
>>>> Shall we muddy the waters now with the concept that as with "cold",
>>>> "closed ports" simply do not exist? ;-) 
>>> "cold"? You've lost me here, and I don't have enough hair left on my 
>>> scalp to detect the breeze as it flew straight over my head. :(
>> 
>> Now surely you know that "cold" does not exist except as a word to
>> describe the absence of "heat". "Heat" on the other hand, *does* exist
>> as a form of energy. "Cold" cannot be measured, "heat" can.
> 
> I figured that was what you were hinting, but to assume "makes an _ASS_ 
> out of _U_ and ME", so I thought I'd better confirm that with you, Sir.

Consider it "confirmed" then! You can make an ASS out of U if you want,
but leave ME out of it. Then again "ASSU..." just sounds like a sneeze,
so forget it. :-)
 
>> The same concept exists with software "ports", in that you can have an
>> "open" port, where a service is actively listening, but there are no
>> "closed" ports as such, only an OS response saying the port is not
>> "open". "Stealth" on the other hand, is neither in relation to ports,
>> since the "stealth" mechanism, either directly (softwall), or indirectly
>> (NAT router/hardwall) simply prevents the OS from responding to port
>> requests at all.    
> 
> Exactly so... thank you, where were you when we wanted wisdom? ;)

Maybe it was wisdom that said, "Stay out of it, you already said your
piece in support of stealth." ;-)
 
>>> Have a happy fourth of July!
>> 
>> And a bang up one it is!
>>  
>>> (I look forward to progressively even more incoherent posts from you as 
>>> the day progresses ;) Cheers... hic...)
>> 
>> Not unless someone spiked my coffee. I haven't imbibed an intoxicant in
>> nearly 30 years... :-))
> 
> Ah, well, I do imbibe, but not often and not in quantity. My doctor says 
> I drink too little alcohol, so we agreed my minimum intake at three 
> beers a week. ;)

Nothing wrong with that... :-)

-- 
Dutch

GRC Newsgroups/Guidelines/No Regrets
http://www.grc.com/groups/techtalk:155486
0
Dutch
7/4/2006 11:48:54 PM
TonyP wrote:
> Le Flake wrote:
> (Snipped - see his post above for unabridged version)
> 
>> Tim wrote:
> 
>>> If you close the ports, which is what really ought to be done, having a
>>> firewall is a pointless exercise.  Its only real use is to *try* and
>>> protect you against systems that you can't properly configure.
>>>
>>

>> Again, average, normal people don't want to become computer security 
>> wizards, do they? Do you really expect them to have to learn how to 
>> close SMB or DCOM or RPC in Windows XP? What about those folks who are 
>> set up for file and printer sharing? What are they supposed to do? 
>> They use a router and / or a software firewall to protect their "open" 
>> NetBios ports. Why do you think all those professionals who give 
>> advice on the radio and TV tell everyone to get Anti-Virus software, 
>> Anti-Malware software and _firewall_? Because they know of the 
>> problems that will arise if normal users try to close "open" ports 
>> themselves.

> 
> I'm one of those "normal" users you are talking about, and you are 
> absolutely right.
> I run a home wi-fi network, but have never had computer training of any 
> sort (they didn't exist when I was at school and weren't used in my 
> employment). However I was lucky enough to have been pointed to GRC (God 
> bless your cotton socks, Milly!) and am fully protected with A/V, 
> Firewall etc..
> 
> But as for ports? I haven't any idea how or which to close. Do I really 
> need to know? And as you say, I don't think I am "clueless or stupid or 
> a dummy" :-)
> 
> Keep up the good work,
> 

There had to be a normal user out there... :) Thank you very much for 
your input...

-- 
Le Flake
 From deepest, darkest Ontario
0
Le
7/5/2006 12:32:56 AM
Norman Miller wrote:
> On Tue, 04 Jul 2006 08:11:21 -0400, Le Flake wrote:
> 
>> Norman Miller wrote:

[snip]

>>>> Did you know some things about "Stealthing"?
>>>>
>>>> Fewer malicious probes are sent to "Stealthed" home computers or routers 
>>>> by bots as observed in the last few weeks.
> 
>>> One Internet connection, among millions, sees that. Two Internet
>>> connections, among millions, don't see that. What three connections,
>>> among millions, are seeing is hardly indicative of what is actually
>>> happening on the Internet.

> 
>> The study of unsolicited packet behaviour is not of overwhelming 
>> interest to most folks, even the gurus here. That leaves you and me 
>> without lives ;)
> 
> They are the reason you tout "Stealth" as a panacea, are they not?
> 

>> We discussed what tools are needed to see some of the anomalies I've 
>> described. Packet sniffing reveals these anomalies.
>>
>> Your ISP filters out probes to the very common vulnerable ports, 
>> particularly TCP 135, doesn't it?
> 
> Particularly port 135? Is that a greater threat than port 139?
> 

Here's a screenshot of my firewall's log at one point this evening. The 
entries in red show probes coming in and being blanket "stealthed" by 
the Omega catch-all rule in the rule set. I then changed the Omega rule 
to an allow-all rule, removing the blanket "stealth"... you can clearly 
see that the TCP probes arrive in pairs when the computer is blanket 
"stealthed" and in threes when the probes are let through to the 
computer where they cause a [RST, ACK] closed response back to the 
probing IP address.

<http://img125.imageshack.us/img125/7125/keriostealthlog2ve.png>

There ya go... I figured out how to get Kerio to show the phenomenon. At 
least _I_ was impressed ;)

-- 
Le Flake
 From deepest, darkest Ontario
0
Le
7/5/2006 3:35:44 AM
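One way to do the kind of log inspection Le Flake describes (his earlier "how many of the ShieldsUp probes does your log actually see?" check and the retransmission counts he reads off his Kerio screenshot), as an added Python example that is not from the thread or from Kerio: the log format and every line in SAMPLE_LOG are constructed, and the pairs-versus-threes pattern in the sample simply mirrors what he reports seeing rather than any measured data. retransmission_bursts groups packets from one source to one port into probe attempts and counts the packets in each; port_coverage reports which TCP ports in the ShieldsUp 0-1055 range a given source never shows up on in the log.

```python
"""Firewall-log analysis: retransmission counts per probe and logging
coverage of a port range. Added example; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample, loosely Kerio-style: timestamp, action, proto, src -> dst.
SAMPLE_LOG = """\
2006-07-04 21:15:02 DROP TCP 203.0.113.5:4312 -> 192.0.2.10:135
2006-07-04 21:15:05 DROP TCP 203.0.113.5:4312 -> 192.0.2.10:135
2006-07-04 21:15:30 RST TCP 203.0.113.5:4320 -> 192.0.2.10:445
2006-07-04 21:15:33 RST TCP 203.0.113.5:4320 -> 192.0.2.10:445
2006-07-04 21:15:39 RST TCP 203.0.113.5:4320 -> 192.0.2.10:445
2006-07-04 21:16:10 DROP TCP 198.51.100.7:2001 -> 192.0.2.10:135
2006-07-04 21:16:10 DROP TCP 198.51.100.7:2002 -> 192.0.2.10:139
2006-07-04 21:16:10 DROP UDP 198.51.100.7:2003 -> 192.0.2.10:137
a malformed line the parser must skip
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (TCP|UDP) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse(text: str) -> List[dict]:
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "action": m.group(2),
            "proto": m.group(3),
            "src": m.group(4),
            "dport": int(m.group(7)),
        })
    return events


def retransmission_bursts(events, gap_seconds: int = 30
                          ) -> Dict[Tuple[str, str, int], List[Tuple[str, int]]]:
    """Group packets by (src, proto, dport). Packets arriving within
    gap_seconds of the previous one form a single probe attempt; the count
    per burst is how many times the prober re-sent before giving up."""
    flows = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        flows[(e["src"], e["proto"], e["dport"])].append(e)
    result = {}
    for key, evs in flows.items():
        bursts = []
        for e in evs:
            if bursts and (e["ts"] - bursts[-1]["last"]).total_seconds() <= gap_seconds:
                bursts[-1]["n"] += 1
                bursts[-1]["last"] = e["ts"]
            else:
                bursts.append({"action": e["action"], "n": 1, "last": e["ts"]})
        result[key] = [(b["action"], b["n"]) for b in bursts]
    return result


def port_coverage(events, src: str, lo: int = 0, hi: int = 1055
                  ) -> Tuple[int, List[int]]:
    """ShieldsUp-style logging check: of the TCP ports lo..hi probed from src,
    how many did the log record, and which ports never appeared?"""
    seen = {e["dport"] for e in events
            if e["src"] == src and e["proto"] == "TCP" and lo <= e["dport"] <= hi}
    missing = sorted(set(range(lo, hi + 1)) - seen)
    return len(seen), missing


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for flow, bursts in retransmission_bursts(ev).items():
        print(flow, bursts)
    n, missing = port_coverage(ev, "198.51.100.7")
    print(f"logged {n} of {1055 + 1} ports from that source; {len(missing)} missing")
```

The gap of 30 seconds is a guess at what separates one scanner's retries from a fresh attempt; tune it against your own firewall's log before drawing conclusions about retransmission counts, and feed port_coverage the real Nanoprobe source address when you run the ShieldsUp test.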
On Tue, 04 Jul 2006 08:14:49 -0700, john .s. smith wrote:

> On Mon, 3 Jul 2006 20:42:18 -0700, Norman Miller
> <exfenestrate@spammers.invalid> wrote:

>>I am not against "stealth", just opposed to the idea that it is some
>>kind of security panacea. The goal is to secure the computer against
>>unauthorized access. If you have closed ports, you have succeeded in
>>securing your computer. Stealth is just icing on the cake.

> For users with no hardware device between their system and the
> internet (not uncommon for dial-up users), the "icing" has value.

Were there a software firewall which turned back port probes, as a
Linksys router does, the ports would not be "stealth", but they would
still be protected.

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
0
Norman
7/5/2006 7:32:09 AM
On Tue, 04 Jul 2006 20:33:02 +0100, TonyP wrote:

> I'm one of those "normal" users you are talking about, and you are 
> absolutely right.
> I run a home wi-fi network, but have never had computer training of any 
> sort (they didn't exist when I was at school and weren't used in my 
> employment). However I was lucky enough to have been pointed to GRC (God 
> bless your cotton socks, Milly!) and am fully protected with A/V, 
> Firewall etc..
> 
> But as for ports? I haven't any idea how or which to close. Do I really 
> need to know? And as you say, I don't think I am "clueless or stupid or 
> a dummy" :-)
> 
> Keep up the good work,

If your Linksys router only showed your ports as "closed", assuming you
have one, you would be no less secure for it. OTOH, securing a wi-fi
network is more than a tad trickier than securing a wired LAN.

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
0
Norman
7/5/2006 7:34:45 AM
<FourSpeed@MSN.com> wrote in message 
news:qaeka25ldh84408ldktc6anvp3s7c26rue@4ax.com...
> On Mon, 3 Jul 2006 16:45:28 -0400, Dutch
> <buryit@the.blackholespam.net> wrote:
>
>
>>The hacker doesn't need to hack anything then, to cause you grief. He
>>need only change the router password and lock your PC out of the
>>Internet. You could then reset the router to the defaults of course, but
>>how long would it take you to realize where the problem is?
>
> I have a tendency to forget passwords and such.  Isn't there a better
> way?

There are some good password managers.

http://lists.thedatalist.com/pages/Password_Tools.htm

-- 
Robert
GRC Newsgroups/Guidelines/No Regrets
http://www.grc.com/groups/techtalk:155486


0
Robert
7/5/2006 2:45:32 PM
Le Flake:
>>> What happens if we remove the "Stealth" blanket? Well, the "closed"
>>> ports remain inaccessible, but the "open" ports are revealed.

Tim:
>> Nonsensical...

Le Flake:
> No...

Your original point was arguing, amongst other things, that you could have
open ports behind a so-called stealth.  That's just not possible.  You
cannot use those ports with something else in the way.

The beginning "stealth is better than closed" argument is also flawed. 
Closed and responding versus closed without responding isn't more secure.
Different, but not better.
 
>> A port is closed (doesn't allow access, and says so), *OR* open (does
>> allow a connection through), *OR* the pseudo-term of stealth which
>> doesn't respond at all.  Changing from one to another is a specific
>> thing, going away from so-called stealth mode doesn't necessarily infer
>> that the response will then be open.
 
> If you run a ShieldsUp "All Service Ports" test on a blanket "Stealthed"
> computer, you'll see a grid of green squares, indicating that no response
> of any kind was received by the Nanoprobe server at GRC.

I know that.
 
> If you then run the same test, but allowing your software firewall to
> trust probes from the Nanoprobe server which will remove the blanket
> "Stealth", you'll get a different result. You'll see the vast majority of
> squares in the grid have changed to blue, indicating that the equivalent
> port on your computer is "closed", you'll see red squares for any TCP Port
> in the range 0-1055 on your computer which are "open" and green squares
> for those ports which are blocked and stealthed for you by your ISP.

I also know that can happen.

> That's what I mean by _revealed_. Or am I missing something here?

Well, the way things were originally worded read quite differently.  Far
more like the snakeoil sales pitch for firewalls, that they solve all ills.

I've certainly seen cases where firewalls cause various other problems. 
Not responding instead of responding in some way (open or closed) making
it damn near impossible to use IRC or some mail services.  If I were going
to promote firewalls as being the bees knees way to try and protect a
system full of holes, instead of fixing it one way or another, I'd be
evangelising the idea that the firewall ought to respond with a *closed*
answer by default.

>> If you close the ports, which is what really ought to be done, having a
>> firewall is a pointless exercise.  Its only real use is to *try* and
>> protect you against systems that you can't properly configure.
 
> Again, average, normal people don't want to become computer security
> wizards, do they?

A point being missed is we have a lot of security experts in the world who
point these things out, like other computing experts, and somewhere along
the line the software builders pay attention and fix their faulty
products.  For some reason, they don't pay a great deal of attention to
fixing this aspect.  It becomes "your problem", advice being to fix it you
"just install a firewall on your system".

Always offering firewalls, anti-virus, etc., as solutions to problems
doesn't help all the others vulnerable.  Always exclusively focusing
these sorts of arguments at the average user isn't drawing attention to a
vital point that I think should be made with these things.  As far as
I'm concerned, they should *always* also mention that, of course, the
real solution is for the vendor to fix the holes.  Eventually that
attitude will get the publicity as well, which is what's needed to bring
about changes.

If the "average user" gets the message that Windows has lots of security
issues that should be fixed, and *can* be fixed, as well as that a
firewall *may* help them.  That goes a long way towards shifting some
attitudes where they need shifting.

-- 
If you insist on e-mailing me, use the reply-to address (it's real but
temporary).  But please reply to the group, like you're supposed to.

This message was sent without a virus, please destroy some files yourself.

0
Tim
7/5/2006 5:05:50 PM
Norman Miller wrote:
>(Snipped)

> If your Linksys router only showed your ports as "closed", assuming you
> have one, you would be no less secure for it. OTOH, securing a wi-fi
> network is more than a tad trickier than securing a wired LAN.


I have a Belkin wireless modem/router using WPA-PSK.
I can find nothing in the documentation or set-up that even mentions the 
word "port", let alone tells me what is open or closed..!

-- 
TonyP

0
TonyP
7/5/2006 7:37:02 PM
Tim wrote:

> Your original point was arguing, amongst other things, that you could have
> open ports behind a so-called stealth.  That's just not possible.  You
> cannot use those ports with something else in the way.
> 

You can. The ports are open and I can allow an IP address I trust access 
to the open port. Everyone else still sees the port as stealthed.

> The beginning "stealth is better than closed" argument is also flawed. 
> Closed and responding versus closed without responding isn't more secure.
> Different, but not better.
>  

It's your opinion, you're free to express it.

>>> A port is closed (doesn't allow access, and says so), *OR* open (does
>>> allow a connection through), *OR* the pseudo-term of stealth which
>>> doesn't respond at all.  Changing from one to another is a specific
>>> thing, going away from so-called stealth mode doesn't necessarily infer
>>> that the response will then be open.

I don't understand the point you're trying to make.


>> If you run a ShieldsUp "All Service Ports" test on a blanket "Stealthed"
>> computer, you'll see a grid of green squares, indicating that no response
>> of any kind was received by the Nanoprobe server at GRC.

> 
> I know that.
>  

>> If you then run the same test, but allowing your software firewall to
>> trust probes from the Nanoprobe server which will remove the blanket
>> "Stealth", you'll get a different result. You'll see the vast majority of
>> squares in the grid have changed to blue, indicating that the equivalent
>> port on your computer is "closed", you'll see red squares for any TCP Port
>> in the range 0-1055 on your computer which are "open" and green squares
>> for those ports which are blocked and stealthed for you by your ISP.

> 
> I also know that can happen.
> 
>> That's what I mean by _revealed_. Or am I missing something here?

> 
> Well, the way things were originally worded read quite differently.  Far
> more like the snakeoil sales pitch for firewalls, that they solve all ills.
> 

I've explained the term "revealed" and I don't understand why you're 
still arguing. I'll ignore the snakeoil remark if it was aimed at me.

> I've certainly seen cases where firewalls cause various other problems. 
> Not responding instead of responding in some way (open or closed) making
> it damn near impossible to use IRC or some mail services.  If I were going
> to promote firewalls as being the bees knees way to try and protect a
> system full of holes, instead of fixing it one way or another, I'd be
> evangelising the idea that the firewall ought to respond with a *closed*
> answer by default.
> 

Firewalls can malfunction with careless twiddling. That's why I use the 
term "out-of-the-box".

>  
>> Again, average, normal people don't want to become computer security
>> wizards, do they?

> 
> A point being missed is we have a lot of security experts in the world who
> point these things out, like other computing experts, and somewhere along
> the line the software builders pay attention and fix their faulty
> products.  For some reason, they don't pay a great deal of attention to
> fixing this aspect.  It becomes "your problem", advice being to fix it you
> "just install a firewall on your system".
> 

So? Firewalls do the job... that's why we use them.

> Always offering firewalls, anti-virus, etc., as solutions to problems
> doesn't help all the others vulnerable.  Always exclusively focusing
> these sorts of arguments at the average user isn't drawing attention to a
> vital point that I think should be made with these things.  As far as
> I'm concerned, they should *always* also mention that, of course, the
> real solution is for the vendor to fix the holes.  Eventually that
> attitude will get the publicity as well, which is what's needed to bring
> about changes.
> 

I know that: you must have noticed my posts about Least Privilege 
accounts and why all people should use them where possible.

> If the "average user" gets the message that Windows has lots of security
> issues that should be fixed, and *can* be fixed, as well as that a
> firewall *may* help them.  That goes a long way towards shifting some
> attitudes where they need shifting.
> 

A firewall will help them with blanket "stealth"... the average user 
does other things than fret over the security problems left unfixed in 
applications and operating systems.

-- 
Le Flake
 From deepest, darkest Ontario
0
Le
7/5/2006 11:42:30 PM
Le Flake <le_flake@hotmail.invalid> wrote in
<news:e8hipa$1brf$1@news.grc.com>:

> The ports are open and I can allow an IP address I trust access
> to the open port. Everyone else still sees the port as stealthed.

Talk about confusing the newbies!  ;)

-- 
�Q�
0
ISO
7/6/2006 12:13:02 AM
�Q� wrote:
> Le Flake <le_flake@hotmail.invalid> wrote in
> <news:e8hipa$1brf$1@news.grc.com>:
> 
>> The ports are open and I can allow an IP address I trust access
>> to the open port. Everyone else still sees the port as stealthed.
> 
> Talk about confusing the newbies!  ;)
> 

Get it right - not newbies but average users. The reply which concerns 
you was clarifying what I meant by the word "revealing". The to-and-fro 
argument with Tim brought up the point. The thread has to do with 
answering the questions thrown in, and isn't aimed at an average user 
audience.


-- 
Le Flake
 From deepest, darkest Ontario
0
Le
7/6/2006 12:56:09 AM
Le Flake <le_flake@hotmail.invalid> wrote in
<news:e8hn3d$1fo7$3@news.grc.com>:

> �Q� wrote:
>> Le Flake <le_flake@hotmail.invalid> wrote in
>> <news:e8hipa$1brf$1@news.grc.com>:
>>
>>> The ports are open and I can allow an IP address I trust access
>>> to the open port. Everyone else still sees the port as
>>> stealthed.
>>
>> Talk about confusing the newbies!  ;)
>
> Get it right - not newbies but average users.

Isn't your entire argument hinged on the fact that average users are
newbies to port management?

> The reply which concerns you was clarifying what I meant by the
> word "revealing". The to-and-fro argument with Tim brought up the
> point. The thread has to do with answering the questions thrown
> in, and isn't aimed at an average user audience.

God forbid I should joke about it, then.  I'd try winking again, but it
seems the emoticon didn't work the first time.

-- 
�Q�
0
ISO
7/6/2006 1:29:33 AM
"Disciple" <Disciple@invalid.invalid> wrote in message
news:e8berk$1qis$1@news.grc.com...
> On Mon, 03 Jul 2006 09:46:52 -0400, Le Flake wrote:
>
> > Your comments, suggestions are very welcome to strengthen the
> > explanation..

> > Why "Stealth" is better than "Closed"...

> > There has been an on-going thread in grc.shieldsup about the relative
> > merits of "Stealthing" ports.

> > Some folks here argue the point that a "Closed" port is just as secure
> > as a "Stealthed" port. I've been arguing that "Stealth" is better than
> > "Closed", and I've now put together what I think is a comprehensive
> > explanation as to why that is.

> I also support the "Closed" is just as secure as "Stealthed" from the
> standpoint of some one/thing being able to get into your computer without
> being invited.

Closed port status is only pertinent to the TCP/IP protocol, there are a few
other protocols that are connectionless so once a machine is found by quick
port closed responses then the real fun for the attacker begins, especially
if it's an unprotected windows XP machine sitting there on the net.

> [...] for full text see above

> > What happens if we remove the "Stealth" blanket? Well, the "closed"
> > ports remain inaccessible, but the "open" ports are revealed.
> [...]

> I disagree with the above sentence, based on the following explanation of
> "Closed / Stealthed".

> Liken your computer to your home, with the ports representing the doors and
> windows to the outside world. The hacker/bot scanning your IP block
> represents a burglar walking down your street trying the doors/windows of
> each house. With "closed" the doors and windows of your home are locked so
> the burglar can't just walk in, the same as the computer ports being
> closed.  Any one can walk up to a door or window and try to come in,
> because your house can be seen by all who pass by. Similar to a computer
> answering an unsolicited "echo request", it can be seen to all on the

The problem with that analogy is that it is making incorrect assertions
about closed doors and windows or even locked doors and windows being secure
against all attacks. If I were a determined burglar I'd use the addresses
with unattended locked windows and doors and pick the locks or brute force
them.

If I can observe an ICMP echo reply and then one or all ports closed I know
there is a machine there and there is _not_ an efficient firewall in place
so I know that any UDP and ICMP related services running on that network
interface will in all likelihood be accepting arbitrary datagrams from the
internet! I could then speculatively send known exploit datagrams for a
variety of services across different platforms and in all likelihood get a
hit or two that I would not have even tried if the machine had been properly
stealthed.

I also believe that the unnecessary act of allowing the TCP stack to parse
the initial SYNC solicitation for the sole purpose of returning a redundant
port closed response is a potential open door for an unknown vulnerability
that a proper stealthed system avoids.

I'm convinced that all ports closed is _less_ secure and far more cracker
(black-hat hacker) friendly configuration than all non-essential
protocols/ports stealthed by a hardware or software firewall between the WAN
NIC and TCP/IP stack.




0
TK
7/10/2006 12:25:40 AM
"Dutch" <buryit@the.blackholespam.net> wrote in message
news:cymf0pi2st2r.dlg@pc-1.12078.com...
> While scribbling with crayons on the grc.techtalk walls, I heard
> FourSpeed@MSN.com say:
>
> > On Mon, 03 Jul 2006 14:07:27 -0400, "Roger Parks" <Roger@bogus.bog>
> > wrote:

<snip>

> > I recently added a router to my one pc.  I also have ZAP.  ZAP has
> > worked flawlessly for many years.  I haven't changed the router PW
> > from its default pw.  If a hacker succeeded in hacking the router, what
> > damage can he do?  ZAP is still waiting for him.

> The hacker doesn't need to hack anything then, to cause you grief. He
> need only change the router password and lock your PC out of the
> Internet. You could then reset the router to the defaults of course, but
> how long would it take you to realize where the problem is?

With some routers/modems the default configuration has WAN side web admin
enabled and the settings including the default admin login and password is
stored in a plain-text file accessible via the router ftp server that could
be enabled on WAN side if access to the http admin interface is available.

With such a router/modem I could (but never would personally) login to web
interface, change admin password, and enable WAN side ftp server... save
settings and reboot the router, then download the current and factory
settings files from the ftp server using new password and login name. I
could then transfer the encoded saved new password and login name from
current to factory default configuration files and then re-upload them. From
then onwards until a factory reset is done, admin ownership of that router
would be mine. After the factory reset the router would be useless as the
authentication for DSL would be wiped and the login and password would still
be what I'd set them to until a USB firmware repair if that is even
possible.



0
TK
7/10/2006 1:00:17 AM