[ale] how can a firewalled PC POSSIBLY be attacked?

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Wed Jan 23 11:08:19 EST 2013


Hi all,

I appreciate all who've responded to this to shed a little light on it for me.  It's very complex, and each answer seems to open up new questions.  I guess I'll have to review the OSI model that I learned about years ago and look at some of the low level protocols.

Tell me if the following are true.  Assume I'm at my home network.  Even though it's more complex than this, say I had one wifi router with 4 port switch connected to the cable modem.  Suppose I wanted to run wireshark to monitor things.  All PCs, tablets, DVRs, etc. are attached via wifi.  The printer is attached to the 4 port switch using a wire.

* If I attach my laptop to the switch with a wire and run wireshark, I would see only the traffic to / from my PC's IP address and nothing else, except for broadcast traffic like ARP, etc., and then only what the switch is programmed to forward.  I would not, for example, see traffic destined for the printer unless I'm sending it.

* If my laptop is attached via wifi, then wireshark will see everything ANY PC on the same wifi SSID is sending or receiving, including traffic to / from the printer or to / from the internet.

* The only way to monitor everything on the network would be to attach a HUB to the cable modem, attach wireshark to the hub with a wire, then attach the wifi router to another port on the hub.  But, no, then I'd only see traffic to / from the internet.  Traffic routed solely by the wifi router, between devices, or to the printer, would not be seen.  Also, the PC would be directly exposed to the internet and would be in potential danger.

* What I'm getting from the prior discussion about firewalls is that, if any packets come into the NIC, and it triggers an interrupt presumably, then certain parts of the system software, the tcp/ip stack, are triggered to deal with the packet even if it's a low level protocol like ARP.  Higher level software in the system, like the firewall, doesn't even see it, and can't filter it.  However, vulnerabilities may exist even at that low level that could allow the PC to be compromised.

* Regarding what Windows or Mac does, you COULD disassemble the executables in the networking stack to see what happens, although it would be incredibly tedious and complicated and time consuming to do so.

By the way, I think it's a stretch to say no Windows PC is safe (enough) on the internet.  Even if 1/3 are infected, as stated on the Going Linux podcast, which is truly horrible if true, then the other 2/3 are not infected, which amounts to about 700 million users.  And, most of those are probably not even configured properly for maximum safety.

I do all the following on my PCs, whether Windows or Linux as applicable.  I think I'm fairly safe.  I'm sure I could always do better.  If you think I'm missing something critical, let me know.  I will admit that very few users have done all these things, thus, they are more vulnerable.

a) I'm behind a NAT firewall (router), set to block all unrequested traffic, to the extent that I have control over it.
b) OS firewall is on.  On Linux, I use Firestarter to configure iptables.  Again, block everything except what I request.
c) AV is on.  MSE on Windows.  ClamAV on Linux.  I haven't figured out all the ins and outs of ClamAV yet.
d) System and AV patches are kept up to date.
e) Addons like flash are kept mostly up to date.
f) DEP, data execution prevention, is on for all processes.  I don't know where, or if, you can set this in Linux.  Pretty sure it's on.
g) Autoplay is OFF, so when I put in a memory stick or cd, NOTHING happens.
h) Real time AV protection on file access is active on Windows.  As far as I know, it's not available on Linux.
i) Weekly AV scans are run.  A couple of times / year, a rootkit scan is run by booting Windows Defender Offline from a CD or memory stick.
j) Visual Basic and Java are disabled in LibreOffice.
k) Javascript is disabled in Adobe Reader.
l) MAPI automation is disabled in my email client.
m) Although I rarely use IE, the internet security zone is set to the highest level of security.  I normally use Firefox.
n) NoScript disables all scripting, JavaScript, Java, Flash, for all websites that I don't specifically trust, like my bank.
o) I only trust a site, if I must to make it work, if I must use it, and I have some separate reason to think it's credible.
p) I try not to open suspicious or unknown email at all, and certainly not attachments.
q) I try not to click links in email, unless I confirm where the link is going, and that appears credible.
r) Wifi router admin password is not the default.
s) Wifi router access password is a beefy 63-character random string.
t) Wifi router is using WPA2 AES encryption.  Some bugs were found in TKIP.  WEP is notoriously weak.
u) Wifi router remote admin is off.
v) Wifi router UPNP is off.
w) Wifi router WPS is off.
x) Wifi router QOS is off.  Not a big deal, but some bugs were found in some routers related to this.

Well, that's all I can think of at the moment.  Hopefully, that's enough.  Did someone say I wasn't paranoid enough?

I'm more concerned when I'm in a restaurant or something, since I don't have control over their router.  I'm sure there is a NAT firewall.  However, I'm still on the same LAN as everyone else on the wifi.  The only thing I know to do there, other than what I've already done to the PC, is to crank up hotspot vpn, which I have a subscription to.  At the moment, I know how to do that in Windows, but not in Linux.

It would be interesting to know if the wifi NIC responds to any local LAN traffic once the VPN is up.

Sincerely,

Ron



Matt Hessel <matt.hessel at gmail.com> wrote:

>Really good question, and on a subject I work very closely in..
>
>The concept of a computer running with a firewall up (software)
>blocking all incoming traffic is a fun model, but in reality it is
>about as likely to find as the easter bunny or santa claus.  The truth
>is, that networking protocols are chatty by nature - the software
>firewall as mentioned will usually be configured to allow some traffic
>to exit the pc (really it has to, unless you would like to ensure that
>the machine will not be able to talk on a network at all, so why plug
>it in?)
>
>Down at layer 2 of the OSI model, you have stuff the Firewall doesn't
>even care about, there are advertisements that happen for higher level
>protocols to work in TCP/IP, like ARP, RARP, DHCP, in some cases STP.
>All of the link state protocols live down here, and they frequently
>talk, they have to, if you need to send packets anywhere, then it
>needs to ARP for the firewall / gateway /router MAC address, also, for
>you to receive traffic, the NIC is listening to all the packets on the
>wire, checks the MAC address in the destination to see if it belongs
>to this machine or not.. etc..
>
>above that, if this is running linux or unix OS, you will usually have
>a listener for SSH, or you have Avahi services running and DDNS is
>advertising via multicast --- there is a lot of work you have to do to
>make your computer a virtual hole in the network, and the better you
>do that, the less likely you will be to actually do anything with the
>box..
>
>Back on subject - any traffic that goes out your interface from the
>computer, has to come back in some fashion, Firewalls used to just
>statically allow traffic to tcp/udp port numbers, now they are more
>intelligent and stateful.  the stateful property tracks any outbound
>connection your computer makes to another device, then any incoming
>packets are compared to that session entry,  if the packet shows it is
>returning from the other machine, and in the same sequence and such,
>the firewall will allow it back in - and you don't need to explicitly
>allow this....
>
>That is smart overall, but other smart people have figured out clever
>ways to use this behavior to break stuff.
>
>SNMP is a popular way to monitor network devices and Servers over the
>network, you can get most any statistic from the hosts via some SNMP
>requests to UDP 161... but you can also tell it to do stuff the same
>way, if you can figure out the Read-write community string for it.  --
>that could be hard, except most SNMP traffic (any version 1 or 2c) is
>unencrypted, so my son can look at wireshark and read all the stuff in
>and out, just look for the string with no dots....
>
>better yet, SNMP is UDP which is stateless -- so I can use a program
>on one computer to rewrite the packets I send.. so if there is an
>access list on your server to prevent anyone but the proper management
>box to use SNMP, I will send packets that have the same source ip
>address, and it will gladly do whatever I tell it to.. SNMP does not
>prompt "Are you sure?"
>
>I'll stop rambling on, but this is not really the target that gets
>compromised most of the time.. if you look up the Blackhat conference
>or other hacker conventions, they usually have a contest to crack or
>hack a machine, most of the time the exploit was not some weird
>windows thing, or linux buffer overflow etc..   It is usually a
>redirection to a compromised webserver, and used a vulnerability in
>Flash or Java (usually flash) that allows the hacker to install a
>trojan horse into the computer, and then he owns it....
>
>Firewalls are more of a security blanket than a guard dog.  They
>normally do not validate the code you receive, or the sites you visit,
>or even exploitable code that runs over the interfaces... they only
>look at source and destination ip addresses and the port for the
>traffic.
>
>
>
>On Tue, Jan 22, 2013 at 8:28 PM, Ron Frazier (ALE)
><atllinuxenthinfo at techstarship.com> wrote:
>> The discussion on VPNs and security at Emory prompted me to ask
>> this.  This was prompted by some statements in another thread that a PC
>> could be in danger if attached to unfiltered LAN ports on Emory's
>> network.
>>
>> Assume you have a PC connected directly to the internet.  It doesn't
>> matter if it's linux, windows, mac, or android.  I'm speaking in
>> conceptual terms.  Assume the PC is not running any server type
>> programs, so it is not listening on any ports.  Assume no one is
>> browsing to potentially malicious web pages, or even any web pages.
>> The PC is just sitting there idling.  Assume the PC has firewall
>> software running.  The firewall's only job is to drop all packets that
>> are not part of a response to an inquiry that this PC has issued.  I
>> don't want to debate, at this point, the pros and cons of dropping all
>> packets or operating in stealth mode.
>>
>> My question is, conceptually speaking, how can this PC POSSIBLY be
>> vulnerable to any remote attack?  How could anything faze it?
>>
>> Then, how does the answer change depending on whether it is linux,
>> windows, mac, or android?
>>
>> Finally, if it were behind a hardware firewall, or router, how could
>> any unwanted packets get on the LAN?
>>
>> Sincerely,
>>
>> Ron
>>
>>
>> --
>>
>> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
>> Please excuse my potential brevity.
>>
>> (To whom it may concern.  My email address has changed.  Replying to former
>> messages prior to 03/31/12 with my personal address will go to the wrong
>> address.  Please send all personal correspondence to the new address.)
>>
>> (PS - If you email me and don't get a quick response, you might want to
>> call on the phone.  I get about 300 emails per day from alternate energy
>> mailing lists and such.  I don't always see new email messages very quickly.)
>>
>> Ron Frazier
>> 770-205-9422 (O)   Leave a message.
>> linuxdude AT techstarship.com
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo


--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity.

(To whom it may concern.  My email address has changed.  Replying to former
messages prior to 03/31/12 with my personal address will go to the wrong
address.  Please send all personal correspondence to the new address.)

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
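The stateful "allow only what I asked for" behaviour that the thread turns on (Ron's item b, and the reply's paragraph on session tracking and the layer-2 traffic a firewall never sees) can be made concrete with a small model. The following is an added example in Python; it is not code from the thread, from Firestarter, or from iptables. The addresses, ports, the 30-second UDP timeout, and the `StatefulFirewall`, `Packet`, `FakeClock` and `demo` names are all constructed for illustration.

```python
# Added example, not code from the thread, Firestarter or iptables: a toy model of
# the stateful, default-deny host firewall the reply describes. Outbound packets
# create a session entry; inbound packets are accepted only if they match one.
# All addresses, ports and the UDP timeout below are constructed/assumed values.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP only: set on a new connection attempt


class FakeClock:
    """Deterministic clock so the UDP timeout can be shown offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class StatefulFirewall:
    UDP_TIMEOUT = 30.0  # assumed: seconds a UDP pseudo-session stays open

    def __init__(self, local_ip: str, clock) -> None:
        self.local_ip = local_ip
        self.clock = clock
        # (proto, local port, remote ip, remote port) -> time last seen
        self.sessions: Dict[Tuple[str, int, str, int], float] = {}

    def outbound(self, pkt: Packet) -> str:
        """Traffic this host sends is allowed and recorded so the reply can be matched."""
        if pkt.src_ip != self.local_ip:
            raise ValueError("outbound packet must originate from this host")
        self.sessions[(pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = self.clock()
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        """Accept only packets that look like replies to a tracked session; drop the rest."""
        if pkt.dst_ip != self.local_ip:
            return "DROP"
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last = self.sessions.get(key)
        if last is None:
            return "DROP"       # unsolicited: no session for this peer and port
        if pkt.proto == "tcp" and pkt.syn:
            return "DROP"       # a bare SYN is a new connection, not a reply
        if pkt.proto == "udp" and self.clock() - last > self.UDP_TIMEOUT:
            del self.sessions[key]
            return "DROP"       # UDP has no handshake; the timer is its only "state"
        self.sessions[key] = self.clock()
        return "ACCEPT"

    def receive_frame(self, ethertype: int, payload: Optional[Packet]) -> str:
        """Frames that are not IPv4 (ARP, for instance) never reach the IP filter;
        the kernel's link-layer code handles them before the firewall sees anything."""
        if ethertype != ETHERTYPE_IPV4 or payload is None:
            return "STACK"
        return self.inbound(payload)


def demo() -> List[str]:
    """Walk a short scenario and return the verdict for each event."""
    clock = FakeClock()
    me = "192.168.1.10"        # constructed: this laptop on the home LAN
    fw = StatefulFirewall(me, clock)
    web = "198.51.100.7"       # constructed: a remote web server
    other = "203.0.113.5"      # constructed: an unknown remote host
    dns = "192.168.1.1"        # constructed: the router's DNS resolver
    v = []
    v.append(fw.outbound(Packet("tcp", me, 50000, web, 443, syn=True)))  # we connect out
    v.append(fw.inbound(Packet("tcp", web, 443, me, 50000)))             # server's reply
    v.append(fw.inbound(Packet("tcp", other, 4444, me, 22, syn=True)))   # unsolicited SYN
    v.append(fw.inbound(Packet("tcp", other, 443, me, 50000)))           # right port, wrong peer
    v.append(fw.outbound(Packet("udp", me, 40000, dns, 53)))             # DNS query out
    v.append(fw.inbound(Packet("udp", dns, 53, me, 40000)))              # answer, in time
    clock.now += 60.0
    v.append(fw.inbound(Packet("udp", dns, 53, me, 40000)))              # same, but expired
    v.append(fw.receive_frame(ETHERTYPE_ARP, None))                      # ARP bypasses filter
    return v


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two things the model makes visible that the prose only states. First, for UDP the "session" is nothing more than a timer keyed on addresses and ports, which is why the reply singles out SNMP over UDP: a filter or access list that keys only on the source address has no handshake to check, so the real control for an SNMP agent is authentication (SNMPv3) rather than an IP allow-list. Second, the ARP frame never enters the filter at all, which is the layer-2 point Ron summarises in his fourth bullet. In a Linux setup like Ron's, the iptables rules that Firestarter generates express this same policy with the connection-tracking match (`-m state --state ESTABLISHED,RELATED -j ACCEPT` followed by a default DROP).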



