
Update: @Home is no more. I plan to remove this page soon.

@Home and Bad Information

I had the interesting experience of being called "crazy" for my views on this particular page. I was also accused of "fear mongering" and of not providing any supporting evidence. It has been, and will continue to be, my goal here to provide you with accurate and timely information that allows you to protect yourself. If you have concerns about my claims or feel that I am misinformed, please email me. Here is some more "supporting evidence" of @Home's lack of concern for security:

http://www.net-security.org/text/bugs/998855032,56829,.shtml

You would think that a major internet service provider (maybe the largest in the United States) would be on top of even the most recent security issues that affect its customers. You would also think that it would know what it is talking about when it comes to YOUR security. @Home is apparently treating your security as a minimal concern. Incidentally, it is my opinion that @Home users have been in the past, and will likely be in the future, targeted disproportionately compared with other broadband users because of these problems with their approach to security.

When Steve Gibson of GRC.com was under attack, he attempted to seek help from @Home; this is a summary of that attempt:

"I have recorded the IPs and account numbers of more than 100 @home subscribers who have security-compromised Windows machines currently running active Trojan attack Zombies. As we will see below, each of those machines also receives a complimentary copy of the latest version (v2.21) of the incredibly invasive Sub7Server Trojan. This grants the hacker who is controlling the Zombie — the 'Zombie-master' — absolute control over his victims' machines. Among the many invasions the Sub7Server Trojan enables is monitoring every keystroke for the purpose of capturing online passwords, credit card numbers, eBanking passwords and you name it. (Email Sent to @Home by Steve Gibson)

Now, you might think that this would be significant to @home's chief of security, Todd Welch, but it isn't. I tried to talk to him on the phone, leaving a detailed voicemail describing the situation, but I was shuffled off into the system and asked to eMail the IPs to 'abuse@home.com'. Refusing to have the machine IPs disappear and never to know what, if anything, had been done, I called back the next day and got Todd on the phone.

I have no idea why, but he didn't sound at all happy to be talking with me. It was as if he wished this problem would just go away — or that at least, I would. I explained that many of the compromised and Zombie-infected @home machines were showing a machine name of *.sfba.home.com, which I presumed, and he reluctantly confirmed, stood for 'San Francisco Bay Area'." (Excerpted from "The Attacks on GRC.com" by Steve Gibson)

What follows is an email sent by the @Home abuse team when you send them a complaint reporting one of their customers' attempts at gaining access to your computer (my comments are in parentheses and are, for the most part, informal commentary). I found this while reading various security sites; it was posted by someone seeking more information. Their name has been omitted. This is a good example of how important good information is and of why you should NOT rely on your ISP to protect you.

From: Abuse-Team [mailto:abuse-team@corp.home.net]

Sent: Friday, February 02, 2001 9:23 AM

Subject: Re: Port Probe

Thank you for your report of system probes. The @Home Network Policy Management Team receives a high volume of complaints on this issue

(Likely due to inaction on the part of @Home)

and we are sending this message to you with some basic information that may be helpful in understanding what is occurring, and how you can proactively manage your personal computer's security.

@Home's extensive investigation into this issue has shown us that the vast majority of these system probes are originating from computers that have been compromised by various means, usually Trojan viruses

(The first clue that @Home is out of touch: there is no such thing as a Trojan virus.)

We are taking steps to control hacking attempts by increasing the security awareness of our customers and enforcement designed to detect and eliminate those hacking attempts that actually originate on the @Home network. Please note, if you are complaining about an actual system breach, i.e., your computer has actually been penetrated by an @Home subscriber without your permission, please resend your complaint to us with the email subject line, SYSTEM BREACH. If you are not sure if your computer has been breached or not, please continue to read this message.

I'm being hacked!!!

It can be worrisome when your firewall software reports a system probe, but there are several things to be aware of when your firewall sounds the alarm. They relate to how the Internet works, and are explained below. How does all this work anyways? What is actually happening when your firewall reports a system probe? Your computer has just received traffic over the Internet. What that traffic was actually trying to do is more difficult to determine. Your firewall tries to interpret the traffic according to how it is programmed. Since firewall programs are designed to report attacks, it will usually report any unexpected traffic as an attack, even if it is not. In fact, if firewall software is set to a 'high' security level, it may report normal traffic from servers that are a part of the network that you are connected to as an attack. Note, changing the 'security' level of firewall software does not really change the level of protection it affords, it changes the level at which it reports network traffic.

How does that traffic get to your computer?

In order for computers to communicate over the Internet, they are assigned an IP address (IP stands for Internet Protocol). Every person's computer that is connected to the Internet, every website, every server, switch and router that is connected to the Internet in the world has to have a unique IP address. When you go to a website, you type in the URL (Uniform Resource Locator) into your browser, say, www.excite.com, and a server in the network takes that URL, translates it into the corresponding IP address, and your computer connects to that website's IP address. Say you go to check your email. Your computer sends traffic on the Internet to your mail server, and it responds back to you by sending you your email. How does your computer, and the servers you are accessing, know what the traffic you are sending is for? This is accomplished because the traffic not only has a source and a destination IP address, but a source and destination port also. Port numbers are assigned and registered to Internet functions and software that uses them. In the above example, you go to check your email. Your computer sends traffic to the mail server, asking to check if you have any email. You are sending traffic to the mail server's IP address, with a destination port 110. Port 110 is registered as the port with which you (or anyone else on the Internet) use to check your email. Simply put, a system probe is someone sending traffic directed to your computer's IP address, with a destination port.

Trojan Viruses

(Geezus, it's Trojan horse, Trojan, back door program, remote administration tool... NOT virus.)

As stated before, other programs are registered to use different ports. This includes so-called Trojan viruses. Most viruses that you hear about are designed to disrupt your computer in some way, from interfering with your Operating System to destroying files on your hard drive. Trojan viruses, on the other hand, are designed to hide on your hard drive. They do not want to be discovered because, as opposed to harming your software, they allow other people access to your computer. Once your computer has been compromised with a Trojan virus, it can be "remote controlled" by other people on the Internet. Trojans also have to use a port number to work correctly. For example, the Sub Seven Trojan, which is in common usage at this time, runs on port 27374. So, in order, this is what happens when you get probed for a Trojan virus. We are still using the Sub Seven Trojan as our example:

1) Another computer on the Internet sends traffic to your computer's IP address, directed at port 27374.

2) Your computer receives the traffic.

3) Your firewall software is programmed to understand that traffic to port 27374 is probably a probe to detect if the Sub Seven Trojan is present on your computer.

4) The firewall blocks the traffic and reports to you that you were just probed for the Sub Seven Trojan.

There are two significant things that happened here. First, note that the firewall reported the traffic as being blocked. That means that the firewall did its job and did not allow the traffic through to your computer.

(Yet @Home recommends, a little further on, that you NOT use a firewall. Hmm... here's a hint: you WANT to stop attempted connections to your computer, if for no other reason than that what someone cannot do today, they may be able to do tomorrow. Keep in mind that if you are already using a firewall and it alerts you to a "probe" or "attack", it is doing its job and preventing an intrusion into your system. Of course, if you have no services available and no ports open, then you cannot be connected to.)

Secondly, and this is not as well known, if your computer has not been compromised by that particular Trojan virus, that probe is harmless. It wouldn't have affected your computer if the firewall were there or not. If you are worried that your system was breached, you can be assured that, as long as your system has not been infected with that virus, and your firewall reported (blocked) the traffic, your computer is still secure.

What does this mean to me?

Now that we have defined how the Internet works, and what happens when your firewall reports a probe, you are probably interested in how this affects you and your personal computer. A typical Windows user needs three tools to secure their system against the majority of security problems you may encounter on the Internet: a properly-configured

(Updating your system with the latest patches from the appropriate software vendors is one of the best preventive measures. A good example is the current SirCam worm that is infecting systems: Microsoft has had a patch out for over a month, and yet hundreds of people a day are being infected by this worm.)

Operating System, a strong anti-virus program with frequently-updated virus definitions, and some knowledge and discretion.

1) A properly-configured Operating System - The easiest thing you can do to secure your computer from unauthorized access is make sure you are not opening any holes that are easily exploitable. The most common of these is File and Print Sharing. If you have File and Print Sharing turned on in your Network Control Panel, other computers on the @Home Network

(Or anyone else that wants to)

in your area can see and access your hard drive and/or printer . If you want to share hard drives or printers in a home network, you should configure a different network protocol, such as NETBEUI, to do so.

The second Operating System-related issue is with Windows NT and 2000. If you are not running these operating systems, you may skip to the next item. These operating systems, if you do a default install, will open several services, such as FTP (File Transfer Protocol), Email, and HTTP. The running of such services can allow others access to your computer, as well as being a violation of the @Home Acceptable Use Policy (http://www.home.com/aup/). You should re-configure NT or 2000 to not have any services running.

(This should read: turn off services you are not using. Incidentally, running a software-based firewall would also prevent any connection attempts; this is one of the reasons it is a good idea!)

2) A strong anti-virus program - Most computers come with an anti-virus program these days. They are effective in protecting your computer from Trojan and other types of viruses, but only if the virus definitions are up to date. An anti-virus program has two components, the program itself, and the virus definitions. The virus definitions are what tell the program how to look for viruses. Since there are new viruses that come out on an almost-daily basis, if your definitions are not updated, eventually your anti-virus software will become useless.

(It already is, for all intents and purposes; that's why INTELLIGENCE and COMMON SENSE are more important to your security than any program you could own. Software is only one part of an overall defense, which also includes education and common sense. Additionally, not all anti-virus programs can detect Trojans. You should also make it a priority to update the scanning engine as frequently as updates are released.)

You can configure your anti-virus software to update the virus definitions as frequently as you wish (we recommend monthly, if not more frequently)

(Try daily; many AV vendors release frequent updates. EZ Antivirus, for example, sometimes updates its string file several times a day.)

and automatically. Check the help file or web site for your particular anti-virus program. It should be free to update your virus definitions as long as the program is current. If you are not running any anti-virus software at all, we highly recommend that you obtain and install some as soon as possible. There are too many such viruses out there to seriously consider being on the Internet without one for very long.

3) Knowledge - As the old saying goes, "Forewarned is forearmed." Now that you have some idea of what's actually occurring, and security issues as they relate to you, you can make some choices about how you want to protect your computer and what you should protect it from. The easiest way to protect yourself from Trojan viruses, however, is to use extreme caution in opening files that are sent to your computer, including attachments to email, or files sent through an instant messaging service, or IRC. Even if a file is being sent to you by someone that you know, they may themselves be infected with a virus and not know it.

(Better advice would be to ensure that you are receiving all of the Microsoft Critical Updates, which include patches for the known security issues and exploits. Many of today's viruses and Trojans rely on exploits to do their dirty work. The current Code Red worm is a prime example of how unpatched vulnerabilities can be used by people with malicious intent.)

Do I need a firewall?

As stated above, taking the precautions we outlined will secure your computer from most, if not all, of the security issues it may encounter while using the Internet. You may have noted that we did not recommend that you run any firewall software. Is a firewall really needed in the Internet environment? On first thought, it may appear so, but consider these points. You may have heard that you need a firewall if you have an "always-on", broadband connection. Does having such a connection equal an enhanced risk to your computer? No, you do not have any significantly higher risk than a dial-up customer.

(BS. How many @Home dial-up customers are being used as zombies in denial of service attacks? Ask Steve Gibson about that. **Interestingly enough, the person who accused me of fear mongering indicated that a full 20% of the machines used in the DDoS attack against GRC were dial-up users. This simply proves my point regarding the need for a firewall on a broadband connection.**)

As we stated before, if your computer is secured against Trojan viruses, a probe on a Trojan port cannot compromise your computer. The firewall is not affording you any protection to these types of probes because there is none needed.

(WRONG! A firewall is not just protection for a few ports; its job is to make your computer essentially "invisible" to those seeking to break in.)

All it is doing is reporting to you that other computers on the Internet are sending traffic to your IP address. The only potentially-higher risk you have is that if you leave your computer connected to the Internet 24 hours a day, you will receive more scans simply because your computer is on the Internet longer than other people's computers would be.

(And because the script kiddies know that @Home users are suckers who are being told not to run firewalls. Trojans are easy to get and, once installed, easy to access. Remember, almost 500 "zombie" machines [compromised customers] were being used against GRC.com, with the majority of them being @Home customers. Road Runner came in second.)

Again, however, if your computer is secured as we recommended, these probes cannot penetrate your computer. If you are concerned about this, you can simply disconnect the modem from your computer until you are ready to use it again, or turn your computer off.

(Or run a firewall program so that you don't have to do wiring when you want to use your computer.)

You may have heard that you need a firewall because of the prevalence of Trojan viruses. While it is true that these Trojans are out there and they can be very malicious, a strong anti-virus program can actually detect and, if your hard drive has such a virus, remove the Trojan.

(More BS. Viruses are NOT Trojans and Trojans are NOT viruses; they are apples and oranges. It is recommended that, in addition to a good anti-virus program such as EZ Antivirus [formerly InoculateIT] or F-Prot, you also use a scanner specific to Trojan horse programs, such as "The Cleaner".)

A firewall can't do this.

(A firewall such as Zone Alarm or Tiny Personal Firewall WILL alert you to the outbound connection that the Trojan attempts to make. This is the most common way that people learn they have a Trojan on their system.)

That is why we stress running anti-virus software; a firewall is your personal choice to run, but is not critical to a computer's security.

(Is it any wonder that @Home users are being slapped around by the kiddies?)

Are you running Linux?

Linux is a UNIX-based Operating System that is an alternative to the MS Windows family of Operating Systems.

(As a general rule, if someone cannot properly secure, run or otherwise administer a Windows system, they sure as hell are not going to be able to deal with Linux, which is NOT user-friendly for the average user. Which begs the question: why bring up Linux at all?)

There are some very common exploits for Linux (WU-ftpd, SunRPC) that will allow others access to your Linux-based computer. If you are not familiar with Linux and know how to secure it from these and other security issues, we would recommend that you use an Operating System that you are more familiar with.

(You first)

@Home Network Policy Management Team
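To make the email's Sub Seven walk-through and the firewall points in the commentary concrete, here is a small Python model of a host firewall's decisions. It is example code added to this page; it is not from @Home and not from the original page. Port 27374 (Sub Seven) and port 110 (POP3) are the ports the email uses; the NetBus and Back Orifice default ports, the service and program names, and the five event lines are assumptions constructed for the example.

```python
"""Toy model of a host firewall's decisions for the port-probe scenario.

Example code added for this page; it is not from @Home or from the page's
author. Ports 27374 (Sub Seven) and 110 (POP3) appear in the email above.
The NetBus/Back Orifice defaults, the service names, the program names and
the event lines below are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

# Default listening ports of remote-access Trojans of the period.
# 27374 is the page's own Sub Seven example; the other two are
# well-known defaults added here, not taken from the page.
TROJAN_PORTS = {27374: "Sub Seven", 12345: "NetBus", 31337: "Back Orifice"}

# Services a host might genuinely be exposing (assumed names).
SERVICE_NAMES = {
    21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3",
    139: "NetBIOS session (File and Print Sharing)",
}

Verdict = Tuple[str, Optional[str]]  # (action, alert text shown to the user)


@dataclass(frozen=True)
class Inbound:
    src: str
    dst_port: int


@dataclass(frozen=True)
class Outbound:
    program: str
    dst: str
    dst_port: int


def parse_event(line: str) -> Union[Inbound, Outbound]:
    """Constructed log format: 'IN <src-ip> <dst-port>' or
    'OUT <program> <dst-ip> <dst-port>'."""
    parts = line.split()
    if len(parts) == 3 and parts[0] == "IN":
        return Inbound(parts[1], int(parts[2]))
    if len(parts) == 4 and parts[0] == "OUT":
        return Outbound(parts[1], parts[2], int(parts[3]))
    raise ValueError(f"unrecognised event: {line!r}")


def classify_inbound(pkt: Inbound, listening: Set[int], firewall: bool) -> Verdict:
    """One unsolicited inbound connection attempt.

    listening: TCP ports on which this host really has a service.
    firewall:  True when a default-deny inbound host firewall is running.

    Without a firewall the only question is whether something is listening.
    A Sub Seven probe against a host that does not run Sub Seven gets a TCP
    reset and nothing more (the email's 'harmless probe' point), but the same
    probe against an exposed service such as File and Print Sharing is a real
    connection. With a firewall every unsolicited packet is dropped and the
    user is told what it looked like.
    """
    trojan = TROJAN_PORTS.get(pkt.dst_port)
    if firewall:
        what = f"probe for {trojan}" if trojan else "unsolicited traffic"
        return "block", f"{what} from {pkt.src} to port {pkt.dst_port} blocked"
    if pkt.dst_port in listening:
        svc = SERVICE_NAMES.get(pkt.dst_port, trojan or "unknown service")
        return "accept", f"{pkt.src} connected to {svc} on port {pkt.dst_port}"
    return "refuse", None  # nothing listening: reset, no alert, no harm


def classify_outbound(conn: Outbound, trusted: Set[str], firewall: bool) -> Verdict:
    """Outbound side. A firewall that prompts on programs it has not seen
    before is how many users first learn a Trojan is on the machine."""
    if not firewall or conn.program in trusted:
        return "allow", None
    return "ask", f"{conn.program} wants to connect to {conn.dst}:{conn.dst_port}"


def run(lines: List[str], listening: Set[int], trusted: Set[str],
        firewall: bool) -> List[Verdict]:
    verdicts = []
    for line in lines:
        event = parse_event(line)
        if isinstance(event, Inbound):
            verdicts.append(classify_inbound(event, listening, firewall))
        else:
            verdicts.append(classify_outbound(event, trusted, firewall))
    return verdicts


# Constructed events: two Trojan probes, a connection to File and Print
# Sharing, the user's mail client checking POP3, and a Trojan server on
# this host (hypothetical program name) phoning home.
EVENTS = [
    "IN 24.0.0.7 27374",
    "IN 24.0.0.9 12345",
    "IN 24.0.0.11 139",
    "OUT outlook.exe 24.0.0.2 110",
    "OUT server.exe 10.9.8.7 6667",
]

if __name__ == "__main__":
    host = dict(listening={139}, trusted={"outlook.exe"})
    for fw in (False, True):
        print(f"--- firewall {'on' if fw else 'off'} ---")
        for line, (action, alert) in zip(EVENTS, run(EVENTS, firewall=fw, **host)):
            print(f"{line:32} {action:7} {alert or ''}")
```

Run it with the firewall off and on. With it off, the Sub Seven and NetBus probes against a host that does not run those Trojans are simply refused, which is the email's point, but the connection to File and Print Sharing on port 139 goes through and the program phoning home is never noticed. With it on, all three inbound attempts are dropped and reported, and the unknown program's outbound attempt is flagged, which is the point the commentary makes about ZoneAlarm-style firewalls.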

 


All images and text are copyright 2000, 2001, 2002 by Steve Sprague. No part of this site can be reproduced without my consent.