Security Questions


jo

How does anyone know how much info grc actually collects from punters
doing the Shields Up test?
How do you tell if your firewall is phoning home?
When you OK Adaware to update, how do you know what info it might send
Lavasoft at the same time?
Is Spybot S+D spyware?
How would you know if A squared was a trojan?
What virii is AVG programmed to let through?
Does BHOCop install a very small browser helper?
As for stuff like Google Toolbar and Google Desktop and GMail...

If an app comes along that suggests it can attempt to answer some of
these questions for you, do you :

a) Think about it and try to consider if the app might improve your
security and, more importantly, improve your perceptions as to what
actually constitutes security?

b) Jump up and down and ask for your mummy and ask Mister Norton what he
thinks you should do?

There will probably be those who suggest my wording might be construed
as attempting to influence responses in favour of one of the above
options.
These can safely be ignored as sad pedants.
 
How does anyone know how much info grc actually collects from punters
doing the Shields Up test?

packet sniffer
How do you tell if your firewall is phoning home?

packet sniffer
When you OK Adaware to update, how do you know what info it might send
Lavasoft at the same time?

same again
Is Spybot S+D spyware?
nope

How would you know if A squared was a trojan?

check it out
What virii is AVG programmed to let through?
yikes

Does BHOCop install a very small browser helper?

one can find out
As for stuff like Google Toolbar and Google Desktop and GMail...

If an app comes along that suggests it can attempt to answer some of
these questions for you, do you :

a) Think about it and try to consider if the app might improve your
security and, more importantly, improve your perceptions as to what
actually constitutes security?

Like I said, check it out and make an informed decision.
There's enough people out there that spend a lot of time taking this
stuff apart. Like anything else, search for the details or look before
you leap.
b) Jump up and down and ask for your mummy and ask Mister Norton what he
thinks you should do?

Mr Norton's opinions are welcome, but are no more than another piece of
information that goes into the decision making process.


what's your point?
 
jo said:
How does anyone know how much info grc actually collects from punters
doing the Shields Up test?
How do you tell if your firewall is phoning home?

The overtly paranoid run router, or hardware firewalls.

On the cheap, you can use an old 32 bit box and a free software firewall.

Of course, you ultimately have to trust those, too. ;-)
 
How does anyone know how much info grc actually collects from punters
doing the Shields Up test?
<snip>

Ethereal should do the job. An interesting thought, so I'm off to
check it out. I got to the scan page, started Ethereal, then clicked
on scan common ports.
DNS sent me 204.1.226.230 and after the handshake there was a bit of
HTTP traffic including this sent to grc:

POST /x/ne.dll?rh1dkyd2 HTTP/1.1
Host: www.grc.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040614 Firefox/0.9
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.grc.com/x/ne.dll?rh1dkyd2
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

Now they know my language, OS and browser as well as my
IP address ;-)

Then 204.1.226.228 started pinging me, sending loads of TCP SYN
packets to different ports and then a few RST's.
During this scan HTTP packets (HTTP Continuation with the ACK and PSH
bits set) still came from 204.1.226.230 and a few TCP ACK's were sent
back to 204.1.226.230:80. Also a couple of .gif files were requested,
but these couldn't be found on the c:\ drive afterwards. No packets at
any time went back to the " GRC Custom Hybrid NanoProbe Engine/1.57
(experimental)" (LOL) at 204.1.226.228.

Then back to 204.1.226.230 to tell me that:
"Your system has achieved a perfect "TruStealth" rating. Not a single
packet — solicited or otherwise — was received from your system as a
result of our security probing tests. Your system ignored and refused
to reply to repeated Pings (ICMP Echo Requests). From the standpoint
of the passing probes of any hacker, this machine does not exist on
the Internet. Some questionable personal security systems expose their
users by attempting to "counter-probe the prober", thus revealing
themselves. But your system wisely remained silent in every way. Very
nice."

The bit I take exception to is "From the standpoint of the passing
probes of any hacker, this machine does not exist on the Internet."
"Any hacker" won't be using grc to scan you. They might use something
like nmap or if you are really unlucky hping2, but they won't be using
grc.

All grc does is send pings, TCP SYN's and RST's. Sending a TCP SYN is
like kicking someone's front door rather than giving it a gentle push.
All firewalls will block and log these kind of scans. The firewall
(Kerio 2.1.5) that grc says "has achieved a perfect "TruStealth"
rating" is easily enumerated on the LAN using hping2.

There are many ways to scan an IP address and grc chose one of the
easiest to detect. Then they try to suggest that you are invisible on
the internet, and immune to the probes of "any hacker". Calling
Shields Up a scanner is like calling notepad a wordprocessor.

Pah. I spit on the "Custom Hybrid NanoProbe Engine", and rename it the
Gibson Wayward Machine.

HiS
 
I snipped it all... Hassan (not his real name) is a wannabe hacker
without very much knowledge of how the Internet works - especially HTTP
;) I looked up his other posts on Usenet to get a reading on this
individual.

He's muddling the GRC scan probes with the HTTP packets setting up and
reporting the test results back to his browser. A clue to his lack of
knowledge or experience comes from his inability to find the "gif
images" that GRC downloaded to his computer. (They're renamed when
placed in his browser's cache).

He's someone who's taking the "express" route to hackerdom by avoiding
the boring bits - such as taking the time to learn the fundamentals.

Skill without knowledge or experience. Always a treacherous combination.
 
How would you answer the question that Hassan I Sahba answered?

Can you not read ?

From my post ....

"He's muddling the GRC scan probes with the HTTP packets setting up and
reporting the test results back to his browser."
 
jo said:
Mandy Abbett (not his real name) wrote:




How would you answer the question that Hassan I Sahba answered?

yes i'd like to hear Mandy's answer too, which i'm sure (cough) he can't
give an intelligent response like Hassan's. i also wasn't aware that
network sniffers and hping constituted wannabe hacking. mandy's
inability to follow simple TCP/IP concepts is evidence of his incredible
naivete.

other than a couple of slight technical inaccuracies, i agreed with
Hassan. GRC is just a bunch of hysterical noise. no one in the hacking
community or security industry takes him seriously. his article on
DRDoS is interesting, but most of the content is only fit for script
kiddies like Mandy who can barely get through a point-and-click firewall
install.

to Mandy, once you cover TCP/IP illustrated (all 2100 pages) and
remedial pen test techniques, i will converse with a quasi-scum bucket
such as yourself. until then,
<PLONK!>

michael
 
Mandy said:
I snipped it all... Hassan (not his real name) is a wannabe hacker
without very much knowledge of how the Internet works - especially HTTP
;) I looked up his other posts on Usenet to get a reading on this
individual.

ok, i guess i have to explain everything to naive persons like Mandy. a
syn packet is the first packet in a three way TCP handshake. syn scans
are half-open, stealth, whatever you want to call them. the scanner
merely looks for the returning syn/ack or rst, which will determine if
the port is closed / "stealthed" i.e. non-rfc compliant / open.

some port scanners use more exotic techniques like null, xmas tree, ack,
etc. this is done either to evade packet filters at the perimeter, or
to enumerate the tcp/ip stack to aid OS fingerprinting, or to make less
log noise.

a traditional full scan, up to the RST stage, would be at application
level. thus more logging is done once the 3 way handshake is complete.
so syn scans and friends still play a role in port scanning in 2004.
however, there are better methods.

nmap would use full connect by default, and syn with the -sS opt. hping
can custom packet craft to whatever the scanner needs. this simply
requires raw sockets i.e. a lower-level as mentioned above. where
Hassan is right is that decoys, idle scan, zombie, ftp-bounce, long
delayed scans, randomization, etc, can be used. MUCH more stealthy than
the GRC scan. let's just say you won't even notice a good port scan
without mil-grade detectors a la H.D. Moore's Navy work (fyi, i'm on a
mailing list with Mr. Moore).

Mandy, you are outclassed and outgunned, per usual.

michael
 
I snipped it all... Hassan (not his real name)
Well done. You got something right. It's a Hawkwind song.
is a wannabe hacker
I'm not sure you know what a hacker is.
without very much knowledge of how the Internet works - especially HTTP
True or not, what brings you to this conclusion?
;) I looked up his other posts on Usenet to get a reading on this
individual. And?

He's muddling the GRC scan probes with the HTTP packets setting up and
reporting the test results back to his browser.
WTF does this mean? Can you not put together a coherent sentence?
What does "the HTTP packets setting up" mean. How am I "reporting the
test results back to his browser."? I am reading an Ethereal trace. I
assume you know what that is? When I've clearly stated which IP addy
packets were flowing between how am I "muddling" anything.
A clue to his lack of knowledge or experience comes from his inability
to find the "gif images" that GRC downloaded to his computer. (They're
renamed when placed in his browser's cache).
I didn't find them because they weren't there. They were requested but
not sent. If they were sent I would have seen them in the ethereal
trace, would I not? The stream went like this:

1) My computer sent an HTTP GET /darkbluepixel.gif HTTP/1.1 to
204.1.226.230

2) 204.1.226.230 sent back an HTTP/ 1.1 304 Not Modified

3) My computer sent back a TCP ACK.

Now you've made me google "HTTP/ 1.1 304 Not Modified". On
http://www.jmarshall.com/easy/http/ I found this:

"To avoid sending resources that don't need to be sent, thus saving
bandwidth, HTTP 1.1 defines the If-Modified-Since: and
If-Unmodified-Since: request headers. The former says "only send the
resource if it has changed since this date"; the latter says the
opposite."

and this:

"The If-Modified-Since: header is used with a GET request. If the
requested resource has been modified since the given date, ignore the
header and return the resource as you normally would. Otherwise,
return a "304 Not Modified" response, including the Date: header and
no message body, like
HTTP/1.1 304 Not Modified
Date: Fri, 31 Dec 1999 23:59:59 GMT
[blank line here]"

Now, I didn't know what a 304 Not Modified was before googling but it
took me less than a minute to find out. This means that the .gifs
weren't sent. Agreed? I already knew the .gifs weren't sent, now I
know why.
He's someone who's taking the "express" route to hackerdom by avoiding
the boring bits - such as taking the time to learn the fundamentals.
You don't know what's in my head. What brings you to this conclusion?
That aside, I can code enough HTML to fulfill my needs, but I don't
know "the fundamentals." Why should I? I learn what I need to get
the job done, when I need it.
Skill without knowledge or experience. Always a treacherous combination.
One brain cell in either half of the brain. Always a treacherous
combination. :o)

The only thing you directly contest in your post is the .gif files,
which I thought were incidental and only mentioned for completeness,
and which you were wrong about.

So, give us the benefit of your knowledge and experience.
What EXACTLY do you disagree with in my post?


HiS
(Disclaimer: This is not my real name and I have not been dead for
nearly a thousand years.)
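The 304 exchange Hassan traced above, worked through as an added example (it is not code from any post in this thread): a small server-side conditional-GET handler in Python, standard library only. It shows why a "304 Not Modified" puts nothing new on the wire or in the cache, and it ignores a missing or malformed If-Modified-Since the way a server must. The GIF bytes, the Last-Modified timestamp and the capture time are constructed placeholders, not values taken from the trace.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed placeholders (not values from the trace in the thread).
SAMPLE_GIF = b"GIF89a" + bytes(10)
LAST_MODIFIED = datetime(2004, 6, 14, 0, 0, 0, tzinfo=timezone.utc)
CAPTURE_TIME = datetime(2004, 10, 31, 13, 8, 2, tzinfo=timezone.utc)


def parse_http_date(value):
    """Parse an RFC 1123 HTTP-date like 'Fri, 31 Dec 1999 23:59:59 GMT'.
    Returns an aware UTC datetime, or None when the header is absent or
    malformed; a malformed If-Modified-Since is simply ignored by servers."""
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if parsed is None:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def conditional_get(request_headers, last_modified, body, now=None):
    """Server-side handling of a GET that may carry If-Modified-Since.
    Returns (status, response_headers, message_body); a 304 has no body,
    which is why nothing new lands in the client's cache."""
    now = now or datetime.now(timezone.utc)
    headers = {
        "Date": format_datetime(now, usegmt=True),
        "Last-Modified": format_datetime(last_modified, usegmt=True),
    }
    since = parse_http_date(request_headers.get("If-Modified-Since"))
    # HTTP dates have one-second resolution, so compare without microseconds.
    if since is not None and last_modified.replace(microsecond=0) <= since:
        return 304, headers, b""
    headers["Content-Type"] = "image/gif"
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


def render(status, headers, body):
    """Serialise the response the way it would appear on the wire."""
    reason = {200: "OK", 304: "Not Modified"}[status]
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


if __name__ == "__main__":
    # Client copy is newer than the resource: 304 with an empty body.
    cached = {"If-Modified-Since": "Sat, 30 Oct 2004 12:00:00 GMT"}
    print(render(*conditional_get(cached, LAST_MODIFIED, SAMPLE_GIF, CAPTURE_TIME)).decode())
    # Client copy predates the change: full 200 carrying the bytes.
    stale = {"If-Modified-Since": "Fri, 31 Dec 1999 23:59:59 GMT"}
    status, _, body = conditional_get(stale, LAST_MODIFIED, SAMPLE_GIF, CAPTURE_TIME)
    print(status, len(body), "bytes")
```

Run it as a script to see both responses printed; the 304 ends after the blank line, which is exactly the "no message body" Hassan's quoted reference describes.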
 
On Sun, 31 Oct 2004 13:08:02 GMT, postminimalist

ok, i guess i have to explain everything to naive persons like Mandy. a
syn packet is the first packet in a three way TCP handshake. syn scans
are half-open, stealth, whatever you want to call them. the scanner
merely looks for the returning syn/ack or rst, which will determine if
the port is closed / "stealthed" i.e. non-rfc compliant / open.

some port scanners use more exotic techniques like null, xmas tree, ack,
etc. this is done either to evade packet filters at the perimeter, or
to enumerate the tcp/ip stack to aid OS fingerprinting, or to make less
log noise.

a traditional full scan, up to the RST stage, would be at application
level. thus more logging is done once the 3 way handshake is complete.
so syn scans and friends still play a role in port scanning in 2004.
however, there are better methods.

nmap would use full connect by default, and syn with the -sS opt. hping
can custom packet craft to whatever the scanner needs. this simply
requires raw sockets i.e. a lower-level as mentioned above. where
Hassan is right is that decoys, idle scan, zombie, ftp-bounce, long
delayed scans, randomization, etc, can be used. MUCH more stealthy than
the GRC scan. let's just say you won't even notice a good port scan
without mil-grade detectors a la H.D. Moore's Navy work (fyi, i'm on a
mailing list with Mr. Moore).

Mandy, you are outclassed and outgunned, per usual.

michael

I've been wondering if grc's scan was a half-open or full connect, but
not got round to checking it out yet. Any idea how I would tell from
the Ethereal capture file?

HiS
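An added example (not from any poster) for the question just above, how to tell a half-open probe from a full connect in a capture, and for michael's description of what a SYN scan looks for. The distinction lies entirely in what the scanner does after it receives SYN/ACK: RST back means half-open, ACK means the handshake completed. The packet records below are constructed, use TEST-NET addresses, and follow the flag letters Ethereal displays. The classifier also shows the catch in Hassan's own situation: when the firewall drops every SYN, no SYN/ACK is ever sent, so the capture cannot reveal which style the scanner would have used.

```python
# Packet record: (src_ip, src_port, dst_ip, dst_port, flags)
# flags uses the letters Ethereal shows: S=SYN, A=ACK, R=RST, F=FIN, P=PSH.

# Constructed sample capture with TEST-NET addresses (RFC 5737).
SCANNER_A, SCANNER_B, SCANNER_C = "192.0.2.10", "192.0.2.20", "192.0.2.30"
TARGET = "198.51.100.7"
SAMPLE = [
    (SCANNER_A, 40001, TARGET, 80, "S"),      # half-open probe of an open port
    (TARGET, 80, SCANNER_A, 40001, "SA"),
    (SCANNER_A, 40001, TARGET, 80, "R"),
    (SCANNER_A, 40002, TARGET, 21, "S"),      # closed port answers RST/ACK
    (TARGET, 21, SCANNER_A, 40002, "RA"),
    (SCANNER_A, 40003, TARGET, 135, "S"),     # dropped by the firewall
    (SCANNER_B, 50001, TARGET, 80, "S"),      # full connect, then FIN close
    (TARGET, 80, SCANNER_B, 50001, "SA"),
    (SCANNER_B, 50001, TARGET, 80, "A"),
    (SCANNER_B, 50001, TARGET, 80, "FA"),
    (TARGET, 80, SCANNER_B, 50001, "FA"),
    (SCANNER_B, 50001, TARGET, 80, "A"),
    (SCANNER_C, 60001, TARGET, 80, "S"),      # target silent on everything
    (SCANNER_C, 60002, TARGET, 443, "S"),
]


def classify_probe(packets, scanner, target, port):
    """Classify one probe of target:port by scanner from the packets exchanged.
    Returns a short label describing what the capture shows."""
    saw_syn = saw_synack = saw_rst_reply = False
    after_synack = None  # scanner's first packet after the SYN/ACK
    for src, sport, dst, dport, flags in packets:
        f = set(flags)
        if src == scanner and dst == target and dport == port:
            if not saw_syn:
                if f == {"S"}:
                    saw_syn = True
                continue
            if saw_synack and after_synack is None:
                after_synack = f
        elif src == target and sport == port and dst == scanner and saw_syn:
            if "R" in f:
                saw_rst_reply = True
            elif f == {"S", "A"}:
                saw_synack = True
    if not saw_syn:
        return "no SYN seen"
    if saw_rst_reply and not saw_synack:
        return "closed (SYN, RST/ACK)"
    if not saw_synack:
        return "no reply (dropped or filtered)"
    if after_synack is None:
        return "open, SYN/ACK never answered"
    if "R" in after_synack:
        return "open, half-open probe (SYN, SYN/ACK, RST)"
    if "A" in after_synack:
        return "open, full connect (SYN, SYN/ACK, ACK)"
    return "open, unexpected follow-up"


def summarize_scan(packets, scanner, target):
    """Classify every port the scanner touched on the target."""
    ports = sorted({dport for src, _, dst, dport, _ in packets
                    if src == scanner and dst == target})
    return {p: classify_probe(packets, scanner, target, p) for p in ports}


def scan_style(summary):
    """Half-open vs full connect can only be told apart on a port that
    answered SYN/ACK; if nothing answered, the capture cannot say."""
    labels = list(summary.values())
    if any("full connect" in label for label in labels):
        return "full connect"
    if any("half-open" in label for label in labels):
        return "half-open (SYN scan)"
    return "undetermined: no port answered with SYN/ACK"


if __name__ == "__main__":
    for scanner in (SCANNER_A, SCANNER_B, SCANNER_C):
        summary = summarize_scan(SAMPLE, scanner, TARGET)
        print(scanner, "->", scan_style(summary))
        for port, label in summary.items():
            print("   port", port, ":", label)
```

Applied to a real Ethereal capture, the same logic only needs the five fields per TCP packet; filtering on one source address and grouping by destination port is enough, since a scanner's many SYNs to different ports from one address is itself the signature a firewall logs.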
 
jo said:
How does anyone know how much info grc actually collects from punters
doing the Shields Up test?

i thought shields up was just a port scan. it may check browser
characteristics as well. gibson's tools are relatively straightforward
in technique.
How do you tell if your firewall is phoning home?

the important thing is making sure that spyware / trojan can't phone
home. tests like Firehole, etc, can aid this. there is some paidware
from Atelier that does 6 tests.

you can see if the firewall is phoning home with TDImon (free) or
Ethereal (free).
When you OK Adaware to update, how do you know what info it might send
Lavasoft at the same time?

you'd have to use a sniffer to determine this. this is straightforward,
but takes time.
Is Spybot S+D spyware?

not that i'm aware of. i use AV + anti-trojan + Spybot + AdAware.
How would you know if A squared was a trojan?

i relatively trust emisoft. i am on Nautilus' forum and he is a friend
of the emisoft founder. for a trojan to be effective, it would have to
install a server or shell shovel or something of that nature (or really
exotic techniques like hooking servers). this would be readily
identified by AV experts as being a trojan. some BO (back orifice)
cleaners were actually trojans, so it's good to be suspicious.
What virii is AVG programmed to let through?

none. it just doesn't have the greatest definitions. some AV doesn't
flag on spyware though, and some feel that this is proper AV behaviour.
Does BHOCop install a very small browser helper?

never heard of it. thus i'm skeptical of it.
As for stuff like Google Toolbar and Google Desktop and GMail...

If an app comes along that suggests it can attempt to answer some of
these questions for you, do you :

a) Think about it and try to consider if the app might improve your
security and, more importantly, improve your perceptions as to what
actually constitutes security?

b) Jump up and down and ask for your mummy and ask Mister Norton what he
thinks you should do?

There will probably be those who suggest my wording might be construed
as attempting to influence responses in favour of one of the above
options.
These can safely be ignored as sad pedants.

you can always use file monitoring, reg monitoring, and Ethereal to
determine what an app is doing. however, often a quick Google can
determine if an app is legit or not.

"people pay me to be suspicious when there's nothing to be suspicious
about" (The Firm).

michael
 
WhItE said:
The overtly paranoid run router, or hardware firewalls.

NAT router is not a true firewall. the firewalling is a side-effect of
the NAT (doesn't know where to route incoming packets without a ruleset
i.e. NAPT). consumer-grade SPI firewalls may not help much over a NAT
router though, it just depends. i mean a Linksys is not a Checkpoint,
no matter what they may claim.

one thing that most consumer-grade (i.e. Linksys, et al.) can't do is
block malicious outbound traffic. most modern trojans use reverse
connect or lanfiltration techniques. in their simplest form, this can
be done with the free netcat on unix. thus a personal firewall plus
hardware firewall is ideal, whether on dialup or DSL. it's not true
that dialup is not targeted, it's just that the target machines are far
less valuable. for a quick bounce, a hacker could still utilize a
dialup connection (esp if it has high uptime).
On the cheap, you can use an old 32 bit box and a free software firewall.

Smoothwall, IPCop, and friends. even a distro like SuSE would work
fairly easily. my 8.1 install discs offered NAT routing and firewalling
with a point-and-click GUI config.
Of course, you ultimately have to trust those, too. ;-)

open-source has a lot of eyes on the code.

michael
 