RE: Raw Sockets in WinXP
From: Jeff Smith (JSmith@Dentrix.com)
Date: 07/30/01
- Previous message: Oliver Rochford: "Re: Re:Sircam"
- Maybe in reply to: Gregory_DeGennaro@csaa.com: "RE: Raw Sockets in WinXP"
Message-ID: <6D0985BC4DDFD31187C100D0B7473DCC3A5F01@DTXMAIL>
From: Jeff Smith <JSmith@Dentrix.com>
To: "'Gregory_DeGennaro@csaa.com'" <Gregory_DeGennaro@csaa.com>, SECURITY-BASICS@securityfocus.com
Subject: RE: Raw Sockets in WinXP
Date: Mon, 30 Jul 2001 12:28:27 -0600
Code Red made me look great to my superiors. Everyone including the CEO
heard about "Code Red", and when I told them I had it patched over a month
ago they looked pretty happy. The number one point in security, IMHO, is
education, of both general users and SysAdmins. It seems more and more
hobbyists are getting into the game though. I have over 6 friends (ranging
from a pizza delivery guy to a biochemist) who all have a dedicated
connection with tons of services running. Like I said before, it is a hobby
to them. They want the web, ftp, smtp servers. Here is the kicker though:
it is a hobby and therefore does not get a lot of time for "security". I
have convinced them that security is fun by running a few exploits across
their computers.
Anyway, long story short, most web servers on the net are hobbyists' (number
wise, not traffic wise). Most hobbyists do not care about security because it
is too hard or too boring. My questions to the security gurus out there are:
1) Who is responsible for the safety of the internet?
   a) ISPs, because they are providing the service and we as a whole cannot
      trust the "common" user.
   b) The user, because, well, it is their computer and they had better know
      how to use it properly. People are expected to and are even licensed to
      drive a car.
   c) The security industry: a knowledgeable group of people to police the
      internet looking for violations of security policies.
2) What can we as a security group do to get what most of us consider common
   sense out to the mom and pops?
3) What role do operating system manufacturers play in personal internet
   security? Should they decide if I can craft my own packet? Should they do
   in-depth analysis before releasing a product that makes email viruses
   trivial to spread?
Just some thoughts.
Jeff Smith
IT Specialist
Dentrix Dental Systems
Opinions expressed in this email are not necessarily the opinions of Dentrix
Dental Systems or its affiliates.
-----Original Message-----
From: Gregory_DeGennaro@csaa.com [mailto:Gregory_DeGennaro@csaa.com]
Sent: Tuesday, July 24, 2001 5:36 PM
To: Jeff Smith; Gregory_DeGennaro@csaa.com;
SECURITY-BASICS@securityfocus.com
Subject: RE: Raw Sockets in WinXP
Jeff,
I do agree with you on this. If mom, pop, and kiddie are on the Internet,
then they should learn how to drive or survive on the Internet due to the
threats of hackers, crackers, pedophiles, and the other would-be computer
and social assassins. Maybe they will have a license in the future, or a
special area for them, and banish AOL and affiliates since a lot of this
crap comes from their networks.
Except, who was at fault for this Code Red worm? Many people in the industry
blame the Sys Admins for not patching their servers. So blaming and
punishing mom, pop, and kiddie for their ignorance may not be the answer.
I told my wife NOT to open anything suspicious. If she does, she will have
to buy me a new computer for the time and effort it will take me to get
everything working again. I am the one that updates the .dats and takes
care of the *nix firewall/IDS at home.
All I know is, when I received my first virus 4-5 years ago, it took
$250.00 from my wallet. Never again will I let that happen, if I can help
it.
BTW, it was a burnt CD that my former roommate had used in my computer.
Greg
-----Original Message-----
From: Jeff Smith [mailto:JSmith@Dentrix.com]
Sent: Tuesday, July 24, 2001 4:12 PM
To: 'Gregory_DeGennaro@csaa.com'; 'SECURITY-BASICS@securityfocus.com'
Subject: RE: Raw Sockets in WinXP
The problem with raw sockets as I see it is this. Let's say I am "h4ppy
h4ck3r" and I get 30 people to run my cool "Joke" program that is actually
a transport for my latest DDOS tool. Before raw sockets I would have had to
install a new network driver to spoof the packets; now, because of the lax
TCP stack, I can fake anything I want straight from my tool. The poor people
that were infected would never know. Now let's say I write a new *nix joke
program and get 30 people to run it. First off, I cannot think of any *nix
user that would run an untrusted program. Most Linux users anyway like to
compile the programs themselves. I view it as an educational issue. *nix is
harder to use, therefore the people who use it are more aware of what they
are doing. (I know this is a generalization.) Windows 9x/ME tend to draw a
more mom and pop type of crowd. They don't care about TCP stacks,
fragmentation, sector size, etc. "MOST" Windows users want to read their
email, surf the web, open Elf Bowling, and the latest flash program. If the
Windows community does not want to learn about the dangers that is fine, but
when they bring down Yahoo or eBay or UnclebobsWebSiteOFun.Com they should be
held accountable. If I shoot a gun in the air and the slug kills someone 2
miles away, I am still responsible even though I didn't mean to hurt them.
Jeff Smith
IT Specialist
-----Original Message-----
From: Gregory_DeGennaro@csaa.com [mailto:Gregory_DeGennaro@csaa.com]
Sent: Monday, July 09, 2001 12:43 PM
To: rob@robhughes.com; john@iplicjian.demon.co.uk;
SECURITY-BASICS@securityfocus.com
Subject: RE: Raw Sockets in WinXP
I have to agree, Mr. Gibson is worrying too much about raw sockets. He
appears to be the only one. Besides that, when have Microsoft products ever
been secure? Especially since the *nix (and Apple) crowd tends to hate
Microsoft. No computer is ever safe, and should be protected as well as
monitored to deter unauthorized access.
Like you said, the *nix community has been spoofing addresses for years.
What major difference will these raw sockets make? Besides, I am more
concerned with the hackers that use a *nix box than those script kiddies
that use a WindowsXX box.
" The best firewall, is a pair of wire cutters!! ... :-)"
-----Original Message-----
From: Robert D. Hughes [mailto:rob@robhughes.com]
Sent: Friday, July 06, 2001 2:16 PM
To: John I. Stephen; Security Mailing list
Subject: RE: Raw Sockets in WinXP
He won't be able to do anything *to* an XP box. That isn't even the issue.
The issue is that he'll be able to use raw sockets to spoof source
addresses, something Win2k, Linux, *BSD and every other non-toy OS allows
now. I do agree that given the ignorance (well, hell, let's call it what it
is: idiocy, or the refusal to learn) of the average user when it comes to
anything like raw sockets, virii, or any other security related issue as
they blithely open attachments "just to see what it is", we'll see some
increase in the background noise, but it's still nowhere near the end of the
world, as this Mr. Gibson would have you believe.
-----Original Message-----
From: John I. Stephen [mailto:john@iplicjian.demon.co.uk]
Sent: Thursday, July 05, 2001 11:08 AM
To: Security Mailing list
Subject: Raw Sockets in WinXP
Steve Gibson's recent mailshot landed in my in-box and I have just spent 30
minutes going through his article on Raw Sockets in WinXP
(http://grc.com/dos/winxp.htm) and his notes from the subsequent
conversation with Microsoft (http://grc.com/dos/xpconference.htm).
Some of you have very strong views as to Steve's knowledge of the subject of
security and have suggested that all he is doing is ranting for publicity
reasons. However, if the text of Microsoft's response is accurate, no one
there is suggesting that he is wrong, merely that Microsoft see no point in
securing Raw Sockets as a determined 'malicious hacker' would always find a
way in (might as well leave my car unlocked and the front door unlocked by
that reasoning).
Assuming that a user has not deployed a personal firewall, malicious code
monitoring, or anti-virus software, do you agree that the RISK will greatly
increase as a result of access to raw sockets? What will a malicious code
writer be able to do against XP users which he cannot presently do against
the 95/98/ME population?
John
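What the thread means by "spoofing source addresses with raw sockets", shown as an added example that is not code from any poster in this thread: with an ordinary socket the operating system fills in the IP header, so the source address is whatever the host actually owns; with a raw socket opened with IP_HDRINCL the application hands the stack a complete IP header, including whatever source address it likes. The Python below builds such an IPv4/UDP datagram with an arbitrary source, computes the header checksum, and parses it back. Addresses, ports and payload are constructed sample values, and the script only builds bytes; it never opens a raw socket (sending would need a raw socket with IP_HDRINCL, which on Linux requires CAP_NET_RAW).

```python
import socket
import struct

IPV4_HDR_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_spoofed_udp(src_ip: str, dst_ip: str, sport: int, dport: int,
                      payload: bytes) -> bytes:
    """Return a complete IPv4+UDP datagram whose source address is src_ip.

    This is the header an IP_HDRINCL raw-socket program supplies itself; the
    stack would otherwise overwrite the source with one of the host's own
    addresses. src_ip is a caller-chosen value, not anything the host owns.
    """
    udp_len = 8 + len(payload)
    # UDP checksum is optional over IPv4; zero means "not computed".
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    total_len = 20 + udp_len
    ver_ihl = (4 << 4) | 5  # version 4, header length 5 words
    hdr_no_ck = struct.pack(
        IPV4_HDR_FMT,
        ver_ihl, 0, total_len, 0x1234, 0, 64, socket.IPPROTO_UDP, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    ck = ip_checksum(hdr_no_ck)
    ip_hdr = hdr_no_ck[:10] + struct.pack("!H", ck) + hdr_no_ck[12:]
    return ip_hdr + udp_hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header and verify its checksum (sum over header == 0)."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _ck,
     src, dst) = struct.unpack(IPV4_HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
    }


if __name__ == "__main__":
    # Constructed sample: documentation addresses, nothing is sent.
    pkt = build_spoofed_udp("203.0.113.7", "198.51.100.9", 40000, 53, b"hello")
    print(pkt.hex())
    print(parse_ipv4(pkt))
```

The receiving host sees only the header fields; nothing in the packet ties it to the machine that actually emitted it, which is why the spoofed source discussed in the thread is invisible to the victim and can only be stopped upstream.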