Re: Why hasn't Symantec addressed nastier Messenger spoofs

From: Walter Dnes (waltdnes@waltdnes.org)
Date: 10/27/02


From: Walter Dnes <waltdnes@waltdnes.org>
Date: 27 Oct 2002 05:33:36 GMT

On 23 Oct 2002 20:36:10 -0700, Jim Kutz, <jimkutz@earthlink.net> wrote:

> My question relates to the following:

> Flynn says this might "one day" happen, but AP reports that the
> capability to broadcast such messages exists today in
> DirectAdvertiser, sold by Zoltan Kovacs through an outlet in Florida,
> which has already sold 200 copies.

   And he's making money hand-over-fist for a very simple application.
Windows users, type "net help send" (without the quotes) in a DOS
Window for more info. Note that you can substitute an IP address for a
machine name. This allows a batched application.

> Kovacs does not provide a current demo of DirectAdvertiser for
> testing, so anyone who wants to test it for abuse potential has to
> pay him $699.
>
> The AP article also states that "Users can disable Messenger through
> their operating system's control panel, although doing so could
> interfere with some anti-virus and other applications that send such
> messages."
>
> Norton / Symantec has been silent on whether Norton Internet Security
> ( with antivirus ) requires that Messenger be left on in order to
> 'break over' other apps.

   They bleeping-well better not. Windows messaging uses ports 135 and
possibly 137, 138, and 139.

> A few [but not many] Internet providers say they use this type of
> messaging to send messages such as "system going down in 5 minutes",
> so they're not encouraging users to disable it. [ The vast majority
> of ISPs don't bother notifying customers when they're going down, but
> some corporate and university intranets do, and so do a few gaming
> servers.

   A corporate intranet behind a corporate firewall is OK, but not when
your machine is exposed directly to the internet.

> The logical place to trap spoofs would be in a personal firewall, but
> none of the major PC firewall providers have announced plans for
> such a feature, two months after the threat appeared. If a company
> DOES offer coverage on that, it should be able to grab some market
> share -- because although the majority of personal firewall users
> aren't clueless enough to be spoofed, a majority have at least one
> family member who is.

   I hope this doesn't sound like I'm talking down to you... block
incoming ports 0..1023.

> My third question is, if Symantec does introduce a filter to warn or
> disable concerning these popups, will it also be able to 'let
> through' pop-ups from approved local apps or remote sites?

   Do they have a packet-filter (sometimes called a "personal firewall")
that can block port ranges, and make exceptions for specific addresses ?

> Once again Microsoft has 'scored' for its partner companies, by
> providing yet another enabled-by-default method to shove ads onto
> people's desktops, and security be damned. And of course if you try
> to turn off the ads, something may break in your apps. What I'd like
> to see is a "Microsoft-backdoor-free" sticker on their competitors
> software, guaranteed not to need Windows features needing an endless
> stream of "critical updates" -- after which your older, software may
> no longer work

   This is one instance where there is no need to attribute to malice
that which may be sufficiently explained by stupidity. MS WFWG (Windows
For Work Groups), the business predecessor to Windows95, was intended for
use in an office setting, where the co-workers trust each other. In
that context, certain features make perfect sense. Then Microsoft
discovered the Internet. MS simply ported its office LAN software to
the internet. In the context of a hostile environment, being wide open
is a *BAD* idea.

   A couple of recommendations...

   1) With one exception, the average desktop and home end user machine
has no business whatsoever listening to *INCOMING* UDP or TCP traffic on
ports in the range 0..1023; period; end of story. It doesn't matter
whether you're running Windows or linux. Note that you can safely *SEND
TO* a low port address on a server. If you're running a server and know
what you're doing, it's a different story, but doesn't apply to the vast
majority. The one exception is when you're logging on to your ISP via
DHCP. Wait until connected, before blocking DHCP.

   2) With one exception, block all incoming SYN-flagged packets. Some
"personal firewalls" refer to this as your machine being a server. The
one exception is regular commandline FTP. This does not apply to
passive mode FTP ( which is used by browsers when accessing URLs like
ftp://ftp.bad.example.com ). Given that most home users don't know how
to use the commandline FTP client in Windows, it's no loss to block all
SYN-packets.

   Note that peer-to-peer (aka "P2P" file-sharing) networks are
glorified anonymous ftp servers, with all the attendant security risks.
You have an app listening to the net for connections.

-- 
Walter Dnes <waltdnes@waltdnes.org>
I'm not repeating myself; I'm an X Window user, I'm an ex-Windows user
Palladium ain't done till linux won't run
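The two recommendations at the end of the post above (drop anything inbound to ports 0..1023 except the DHCP reply while the lease is being obtained, and drop inbound connection attempts except active-mode FTP data connections) spelled out as a small packet-filter policy. This is an added illustration, not code from the post or from any firewall product; the `Packet` record, the `decide()` function and the sample packets are constructed for the example. One caveat the post glosses over is modelled here: "SYN-flagged" has to mean SYN with ACK clear, because the SYN+ACK replies to your own outbound connections also carry the SYN bit and must not be dropped.

```python
"""Toy inbound packet-filter policy for a desktop, following the post's two rules.

Added example. Constructed data only; nothing here touches a real interface.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool       # True if the packet arrives from the network
    syn: bool = False   # TCP: SYN set and ACK clear, i.e. a new connection attempt


def decide(pkt: Packet, dhcp_done: bool = True, allow_active_ftp: bool = False) -> str:
    """Return "accept" or "drop" for one packet.

    dhcp_done        -- False only while the machine is still obtaining its lease
    allow_active_ftp -- True only while a command-line (active-mode) FTP session is open
    """
    # The post's rules are about *incoming* traffic; outbound is left alone.
    if not pkt.inbound:
        return "accept"

    # Exception to rule 1: the DHCP reply (server port 67 -> client port 68)
    # has to get through until the lease is obtained. After that, drop it too.
    if pkt.proto == "udp" and pkt.sport == 67 and pkt.dport == 68 and not dhcp_done:
        return "accept"

    # Rule 1: a desktop has no business listening on 0..1023 (this covers the
    # Messenger-service ports 135, 137, 138 and 139 named in the post).
    if pkt.dport <= 1023:
        return "drop"

    # Rule 2: no new inbound TCP connections (SYN without ACK) ...
    if pkt.proto == "tcp" and pkt.syn:
        # ... except active-mode FTP, where the server connects back from port 20.
        if allow_active_ftp and pkt.sport == 20:
            return "accept"
        return "drop"

    # Everything else inbound is a reply to something we started (or UDP to a
    # high port, which the post does not address) and is accepted.
    return "accept"


# Constructed sample traffic: one Messenger-spam style datagram, a DHCP reply,
# a connection attempt to a P2P client, an active-FTP data connection, and the
# SYN+ACK half of a web connection we opened ourselves.
SAMPLES = {
    "messenger_udp135": Packet("udp", "203.0.113.5", 1234, "192.168.1.10", 135, True),
    "dhcp_reply":       Packet("udp", "192.168.1.1", 67, "192.168.1.10", 68, True),
    "p2p_syn":          Packet("tcp", "203.0.113.5", 4444, "192.168.1.10", 6881, True, syn=True),
    "ftp_data_port20":  Packet("tcp", "203.0.113.5", 20, "192.168.1.10", 5000, True, syn=True),
    "web_synack":       Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 50000, True, syn=False),
}


def evaluate_samples(dhcp_done: bool = True, allow_active_ftp: bool = False) -> dict:
    """Run every sample through decide() and return {name: verdict}."""
    return {name: decide(p, dhcp_done, allow_active_ftp) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18s} {verdict}")
```

With the defaults (lease obtained, no FTP session) the Messenger datagram, the DHCP reply, the P2P connection attempt and the port-20 connection are all dropped and only the SYN+ACK reply is accepted; flip `dhcp_done` or `allow_active_ftp` and the corresponding exception opens, which is exactly the narrow window the post argues for.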


