Tips on blocking "difficult" services..

on 04.12.2006 09:43:38 by Geir Holmavatn

Hi,

I have tried to find good websites on how to block unwanted internet
traffic like hamachi, msn messenger, skype etc...

Thanks for suggestions on good sites covering this issue

regards

geir

Re: Tips on blocking "difficult" services..

on 04.12.2006 12:17:07 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 04.12.2006 17:58:13 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 04.12.2006 18:24:46 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 04.12.2006 22:22:51 by me

"ASMx4" wrote in message
news:8ek8n25018vqlvm85t7e9o1tskt707g2oa@4ax.com...
> On Mon, 04 Dec 2006 11:17:07 GMT, Leythos wrote:
>
> >In article <4ti5dqF148dhqU1@mid.individual.net>, geir022@gmail.com
> >says...
> >> Hi,
> >>
> >> I have tried to find good websites on how to block unwanted internet
> >> traffic like hamachi, msn messenger, skype etc...
> >>
> >> Thanks for suggestions on good sites covering this issue
> >
> >Get a firewall, one that isn't just a NAT Router pretending to be a
> >firewall, and you can block all of those.
>
> After following Leythos' "Brilliant" suggestion, go here...
> http://www.iss.net/security_center/advice/Exploits/Ports/
> ...for a list of ports used by various applications. Then, block those
> ports at your new firewall. Voila, no more MSN, Hamachi, Skype and
> whatever else you choose to block.

Not the best advice I've ever seen. I believe the base should be block
everything, then allow only the services that are required. Once you
start blocking unwanted services one-by-one, your ruleset will become
too large to be easily interpreted.

Me.

Re: Tips on blocking "difficult" services..

on 05.12.2006 04:07:07 by arja

"Me" wrote in message
news:Lk0dh.1327$3S1.231@newsfe1-gui.ntli.net...
>
> "ASMx4" wrote in message
> news:8ek8n25018vqlvm85t7e9o1tskt707g2oa@4ax.com...
>> On Mon, 04 Dec 2006 11:17:07 GMT, Leythos wrote:
>>
>> >In article <4ti5dqF148dhqU1@mid.individual.net>, geir022@gmail.com
>> >says...
>> >> Hi,
>> >>
>> >> I have tried to find good websites on how to block unwanted internet
>> >> traffic like hamachi, msn messenger, skype etc...
>> >>
>> >> Thanks for suggestions on good sites covering this issue
>> >
>> >Get a firewall, one that isn't just a NAT Router pretending to be a
>> >firewall, and you can block all of those.
>>
>> After following Leythos' "Brilliant" suggestion, go here...
>> http://www.iss.net/security_center/advice/Exploits/Ports/
>> ...for a list of ports used by various applications. Then, block those
>> ports at your new firewall. Voila, no more MSN, Hamachi, Skype and
>> whatever else you choose to block.
>
> Not the best advice I've ever seen. I believe the base should be block
> everything, then allow only the services that are required. Once you
> start blocking unwanted services one-by-one, your ruleset will become
> too large to be easily interpreted.

And worse, you always forget ports.

arja

Re: Tips on blocking "difficult" services..

on 05.12.2006 04:27:21 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 06:18:05 by Kayman

Sebastian wrote:

"Now when will people stop following this "outbound filtering" nonsense?"
---
Okay, you've probably answered this many times before but would you please
once more concisely elaborate as to what a non-technical person (average
computer user) should employ for safeguarding his/her PC.
If outbound filtering is so ineffective then it seems to me that M/S got it
right in the first place by offering their Windows Firewall in SP2.
If you concur, what *could* be implemented to achieve some kind of outbound
filtering to complement the Windows Firewall.
(I do on-line banking and apart from practicing safe-hex use good quality
AV/A-S software and presently use Jetico v1 (free).)
Kayman.

Re: Tips on blocking "difficult" services..

on 05.12.2006 10:26:55 by Bogwitch

"Sebastian Gottschalk" wrote in message
news:4tk7bhF13sddtU1@mid.dfncis.de...
> arja wrote:
>
> > And worse, you always forget ports.
>
> And even worse, you can run all of these protocols over any port you want.
> Now when will people stop following this "outbound filtering" nonsense?

Sebastian is quite correct. It is possible to run any TCP service on any
TCP port or any UDP service on any UDP port.

However, in the original post, it was asked how it would be possible to
block services such as Hamachi, MSN Messenger, Skype, etc.

I doubt it would be hugely possible to convince Microsoft to change the port
their connection server sits on, the same goes for Skype, etc.

It is not flawed to want to block outgoing traffic at the firewall based on
a port ruleset. If I were to block ports 6666-6669 I will be blocking access
to IRC. Yeah, sure, I could set up a server running on a different port,
some ARE configured on different ports BUT if the default is minimum
allowed, it is unlikely that unwanted services will be accessible and those
that are will likely be hugely limited.

It is a false statement to say that outbound filtering is nonsense. As I am
sure Sebastian is aware, the best security is that of layers and least
privilege. Outbound filtering is just another layer.

It is worth remembering Sebastian's warning that services can run on any
port and if your security profile requires steps to mitigate this risk, then
steps can be taken.

Hope this helps,

Bogwitch



--
Posted via a free Usenet account from http://www.teranews.com
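The two approaches argued over in this thread, "look each unwanted application up in a port list and block it" versus "block everything, then allow only what is required", can be compared directly on a toy filter. The following is an added example, not code from any poster or product: a first-match rule evaluator run over a constructed traffic mix, where the labels say what is really being carried but the filter only ever sees protocol and destination port. The IM and VPN default ports are illustrative assumptions, not vendor facts; the IRC range is the one Bogwitch mentions.

```python
"""Added example (not from the thread): a toy first-match outbound packet
filter used to compare a port block-list with a default-deny allowlist.
Port numbers for the blocked applications are illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    label: str    # what is really carried; known to us, invisible to the filter
    wanted: bool  # whether the site considers this traffic legitimate


@dataclass(frozen=True)
class Rule:
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    action: str              # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        lo, hi = self.ports
        return self.proto in ("any", flow.proto) and lo <= flow.dport <= hi


def evaluate(rules: Iterable[Rule], flow: Flow, default: str) -> str:
    """First matching rule wins; if nothing matches, the policy default applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Policy A: deny each unwanted application on the port a port list gives for
# it. Anything not listed falls through to "allow".
BLOCKLIST: List[Rule] = [
    Rule("tcp", (6666, 6669), "deny"),    # IRC default range (from the thread)
    Rule("tcp", (1863, 1863), "deny"),    # assumed IM default port
    Rule("udp", (12975, 12975), "deny"),  # assumed P2P VPN default port
]

# Policy B: deny everything, then allow only what the site needs.
ALLOWLIST: List[Rule] = [
    Rule("tcp", (80, 80), "allow"),     # web
    Rule("tcp", (443, 443), "allow"),   # web over TLS
    Rule("tcp", (587, 587), "allow"),   # mail submission
    Rule("udp", (53, 53), "allow"),     # DNS
]

# Constructed traffic mix.
SAMPLE_FLOWS: List[Flow] = [
    Flow("tcp", 443, "browser, https", True),
    Flow("tcp", 6667, "irc, default port", False),
    Flow("tcp", 7000, "irc, via a bouncer on a custom port", False),
    Flow("tcp", 1863, "im client, default port", False),
    Flow("tcp", 80, "im client, tunnelled over http", False),
    Flow("udp", 12975, "p2p vpn, default port", False),
    Flow("udp", 40000, "p2p vpn, custom port", False),
    Flow("tcp", 4662, "file sharing client the port list forgot", False),
]


def audit(flows: Iterable[Flow] = SAMPLE_FLOWS) -> Dict[str, Tuple[str, str]]:
    """Verdict pair (block-list policy, allowlist policy) for every flow."""
    return {
        f.label: (evaluate(BLOCKLIST, f, "allow"), evaluate(ALLOWLIST, f, "deny"))
        for f in flows
    }


def escapes(policy: int, flows: Iterable[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Unwanted flows a policy lets out (0 = block-list, 1 = allowlist)."""
    flows = list(flows)
    verdicts = audit(flows)
    return [f.label for f in flows
            if not f.wanted and verdicts[f.label][policy] == "allow"]


if __name__ == "__main__":
    for label, (a, b) in audit().items():
        print(f"{label:42} block-list={a:5} allowlist={b}")
    print("escapes block-list:", escapes(0))
    print("escapes allowlist: ", escapes(1))
```

Run as a script it prints both verdicts per flow. The block-list lets four unwanted flows out: the bouncer on a custom port, the VPN on a custom port, the client whose port the list never had, and the IM client over HTTP. Default deny closes three of those but still passes the IM client over HTTP, which is Sebastian's point: a port filter can only constrain where legitimate protocols go, not what is carried inside an allowed one.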

Re: Tips on blocking "difficult" services..

on 05.12.2006 11:15:47 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 15:25:06 by arja

"Sebastian Gottschalk" wrote in message
news:4tk7bhF13sddtU1@mid.dfncis.de...
> arja wrote:
>
>> And worse, you always forget ports.
>
> And even worse, you can run all of these protocols over any port you want.
> Now when will people stop following this "outbound filtering" nonsense?

Never because it often provides useful information in case of an infection.

arja

Re: Tips on blocking "difficult" services..

on 05.12.2006 15:54:22 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 15:58:14 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 15:59:31 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 17:55:55 by Bogwitch

"Sebastian Gottschalk" wrote in message
news:4tlfpnF14le1iU1@mid.dfncis.de...
> Bogwitch wrote:
>
> > "Sebastian Gottschalk" wrote in message
> > news:4tk7bhF13sddtU1@mid.dfncis.de...
> >> arja wrote:
> >>
> >>> And worse, you always forget ports.
> >>
> >> And even worse, you can run all of these protocols over any port you want.
> >> Now when will people stop following this "outbound filtering" nonsense?
> >
> > Sebastian is quite correct. It is possible to run any TCP service on any
> > TCP port or any UDP service on any UDP port.
> >
> > However, in the original post, it was asked how it would be possible to
> > block services such as Hamachi, MSN Messenger, Skype, etc.
> >
> > I doubt it would be hugely possible to convince Microsoft to change the port
> > their connection server sits on, the same goes for Skype, etc.
>
> Very wrong. MSN Messenger trivially traverses via HTTP, Skype does both
> allow any port as well as SOCKS traversal, Hamachi allows any port...

Point taken.

> > It is not flawed to want to block outgoing traffic at the firewall based on
> > a port ruleset. If I were to block ports 6666-6669 I will be blocking access
> > to IRC. Yeah, sure, I could set up a server running on a different port,
> > some ARE configured on different ports BUT if the default is minimum
> > allowed, it is unlikely that unwanted services will be accessible and those
> > that are will likely be hugely limited.
>
> So you don't even know what an IRC Bouncer is.

You are quite correct. However, I do now. Thanks for bringing that to my
attention! That doesn't change the fact that many services run on
particular ports and it would be up to the service provider to change
the listening port. I guess IRC was a bad example!

> > It is a false statement to say that outbound filtering is nonsense. As I am
> > sure Sebastian is aware, the best security is that of layers
>
> Ah, "layered security", the buzzword that twists everything with "defense
> in-depth".

Do you have a problem with layered security, defence in depth, or both?

> > Outbound filtering is just another layer.
>
> Yes, a layer of insecurity or non-security.

Are you saying that you can see NO justification for outbound filtering,
under *ANY* circumstances? I agree that in many situations, outbound
port filtering may provide a false sense of security, but if the
implications are known, it can provide an additional layer of security.

> > It is worth remembering Sebastian's warning that services can run on any
> > port and if your security profile requires steps to mitigate this risk, then
> > steps can be taken.
>
> Indeed. What the hell of an administrator is this guy if he both
> technically and by policy allows the users to run arbitrary programs?

And probably the main point, but without knowing the architecture,
security model, business requirements, etc. it is a difficult one to
call.
Don't forget, some software will allow the user to install under a user
context if the Administrator context is not available.

Bogwitch

Re: Tips on blocking "difficult" services..

on 05.12.2006 18:13:48 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 18:26:34 by Bogwitch

"Sebastian Gottschalk" wrote in message
news:4tlfs4F14le1iU2@mid.dfncis.de...
> arja wrote:
>
> > "Sebastian Gottschalk" wrote in message
> > news:4tk7bhF13sddtU1@mid.dfncis.de...
> >> arja wrote:
> >>
> >>> And worse, you always forget ports.
> >>
> >> And even worse, you can run all of these protocols over any port you want.
> >> Now when will people stop following this "outbound filtering" nonsense?
> >
> > Never because it often provides useful information in case of an infection.
>
> OK, at first you may provide me with a "personal firewall" that provides
> useful information. At next, you may present one that provides information
> in case of an infection.
>
> And then we might discuss how serious Intrusion Detection Systems are
> implemented.

I hesitated to reply to this, but since you're in the business of
providing good information I thought I might share.

Now, please be aware that I'm now talking about a home Internet
connected PC, not sat behind a firewall, as I used to have set up.
I use the system regularly, I use MS apps, and I go to 'dodgy' sites in
order to collect infectious material. Not a standard user.

I used AtGuard, a reasonably good firewall (and, dare I say, IDS) It
provides useful information in so far as I could see the purported IP
address of intrusion attempts. It provided useful information if a piece
of malware infected my system as I could (using outbound port blocking)
see what connections the malware was trying to make, therefore,
providing useful information in the case of infection.
One particular piece of malware infected explorer.exe and attempted to
spew spam out on port 25.
Now, I'll have to admit at this point that I did not allow ANY software
to freely spew on port 25, but AtGuard would have picked it up anyway as
explorer.exe should not be communicating over the Internet, let alone
on port 25. Hence an infection detection.
Sure, it took further research to identify the culprit DLL, which was
then submitted to my AV companies of choice as it was not detected by
them.

OK, so as I said before, it is not a standard user setup, but it is a
case that required an outbound port blocking firewall and it worked as
required.

Incidentally, I still use AtGuard when users where I work bring software
they have a genuine business requirement to use, to check it to see what
connections the software attempts to make.

I would be interested to hear how you would perform the task described.
I am happy with the results I have achieved, but I'm sure there would be
alternative and better ways to get there.

Bogwitch

Re: Tips on blocking "difficult" services..

on 05.12.2006 18:44:20 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 18:47:42 by Bogwitch

Sebastian Gottschalk wrote in
news:4tlnnsF12l7vnU1@mid.dfncis.de:

> Bogwitch wrote:
>
>> Do you have a problem with layered security, defence in depth, or
>> both?
>
> I have a problem with "layered security", as it's just a buzzword
> describing a misinterpretation of the concept "defense in depth".

I understand what you are saying. I've spent too much time in management
and have adopted a management style speak.

> And I have a problem with your messed-up quoting style. :-)

Believe it or not, I actually like the interface provided by OE. I have
switched reader lest I offend.

>> Are you saying that you can see NO justification for outbound
>> filtering, under *ANY* circumstances? I agree that in many
>> situations, outbound port filtering may provide a false sense of
>> security, but if the implications are known, it can provide an
>> additional layer of security.
>
> I'm saying the outbound filtering is just a mere completion of the
> general traffic filtering concept, but hardly provides any security.
> It allows you to enforce proper usage of legitimate communication, but
> can hardly disallow non-legitimate one.

My point is, for an average administrator, who might not be a security
expert, dealing with average users, an outbound port blocking firewall
will provide SOME security.

>> Don't forget, some software will allow the user to install under a
>> user context if the Administrator context is not available.
>
> Or you can transfer the installation of such a software from another
> computer. Or you can modify the software to run properly without
> administrator access. Some software doesn't need any installation at
> all.
>
> But well, where's your argument? Of course an enforcement of a
> no-exec policy is not done by assuming that software needs installers
> who enforce such policy, but rather by globally denying exec rights to
> all normal users and whitelist relevant applications.

Sorry, I wasn't looking for a fight! :-)

For sure, denying exec rights is the better option. However, the
usability of such a system would be reduced. The company I work for has
tried to implement a deny exec policy, albeit applied retrospectively,
which effectively caused a DoS. In short, deny exec is not always
practical.

Bogwitch.

Re: Tips on blocking "difficult" services..

on 05.12.2006 19:14:36 by Bogwitch

Sebastian Gottschalk wrote in
news:4tlph3F14h0nnU1@mid.dfncis.de:

> Bogwitch wrote:
>
>> I used AtGuard, a reasonably good firewall (and, dare I say, IDS) It
>> provides useful information in so far as I could see the purported IP
>> address of intrusion attempts.
>
> But I guess you can't tell me how you define "intrusion attempts", or
> how AtGuard does define such, and why one should even bother about the
> common internet noise...

OK, AtGuard records all port connection attempts. I would define an
intrusion attempt as a scan of several service ports, YMMV.

>> It provided useful information if a piece
>> of malware infected my system as I could (using outbound port
>> blocking) see what connections the malware was trying to make,
>> therefore, providing useful information in the case of infection.
>
> Very unlikely. No self-respecting firewall creates its own connection,
> at least without verifying that is has properly shut down all network
> filtering software - it just sits there, waits for you to open your
> webbrowser, and then hijacks this connection.

I think you have misunderstood. AtGuard detects when any software
attempts an outbound connection and, according to rules, would allow or
block the attempt. Also, according to rules, it would log the connection,
whether allowed or not. Hence, if malware is hijacking the browser, the
connection would be recorded and identifiable by the DST IP *NOT* being
that of the requested server.

>> One particular piece of malware infected explorer.exe and attempted
>> to spew spam out on port 25.
>
> WTF? explorer.exe is write-protected to normal users. You're running
> as an administrator? Now you should really stop trying to tell me
> something about security.

As I explained, I am using this system to collect malware. Yes, I am
running with administrative permissions, this is intentional and yes I do
understand the ramifications of my actions. If I were not running with
admin privs, I would not collect the same quantity of malware.

>> Now, I'll have to admit at this point that I did not allow ANY
>> software to freely spew on port 25, but AtGuard would have picked it
>> up anyway as explorer.exe should not be communicating over the
>> Internet, let alone on port 25. Hence an infection detection.
>
> I admit that I block outgoing port 25 as well, but hardly for the sake
> of intrusion detection and more for some stupid ISPs filtering it as
> well and redirecting it to their Smarthosts. My mail is usually
> delivered via SUBMISSION on Port 587.

I don't block for intrusion detection, I block because I don't trust OE!

> At any rate, how do you justify that AtGuard makes your system
> vulnerable in first place? Not just potentially by the added
> complexity, but also known privilege escalating as well as even
> remotely Denial of Service?

Again, we are speaking at crossed purposes. Did you mean do I justify
that Atguard makes my system _LESS_ vulnerable? If so, the priv
escalating is not an issue. This is a single user system. Also, I am not
hugely concerned about DoS because I can reboot.

>> OK, so as I said before, it is not a standard user setup, but it is a
>> case that required an outbound port blocking firewall and it worked
>> as required.
>
> Nah, it worked by coincidence.

How so? It detects outbound connections, which is what I want.

>> Incidentally, I still use AtGuard when users where I work bring
>> software they have a genuine business requirement to use, to check it
>> to see what connections the software attempts to make.
>
> Huh? I have the 'netstat' command for that, and some people prefer
> graphical versions like TcpView from Sysinternals. Using a packet
> filter is totally superfluous for such a task.

I am not aware of netstat or TCPView keeping a log of connections. If a
connection is only made for a very short time, would I catch it with
netstat or TCPView? I don't think I would. Additionally, netstat and
TCPView would not *BLOCK* the connection whilst logging it - I don't want
to be responsible for squirting malware or spam all over the place!

Bogwitch

Re: Tips on blocking "difficult" services..

on 05.12.2006 19:17:40 by Ansgar -59cobalt- Wiechers

arja wrote:
> "Sebastian Gottschalk" wrote:
>> arja wrote:
>>> And worse, you always forget ports.
>>
>> And even worse, you can run all of these protocols over any port you
>> want. Now when will people stop following this "outbound filtering"
>> nonsense?
>
> Never because it often provides useful information in case of an
> infection.

That is outbound *monitoring*, whereas Sebastian was talking about
outbound *filtering*. It is undisputed that outbound monitoring can give
you pointers in case of an infection, but that has nothing to do with
the fact that outbound *filtering* is not reliable and should thus not
be regarded as a security measure.

cu
59cobalt
--
"Personal Firewalls are crap. Throw away any personal firewall. Personal
Firewalls are bad[tm]."
--Malte von dem Hagen on security-basics
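Ansgar's distinction above is between outbound *monitoring* and outbound *filtering*, and Bogwitch's earlier explorer.exe story is a case of the former: the per-process log, not the block, is what revealed the infection. The following is an added example, not code from any poster or from AtGuard: detection logic run over a constructed per-process outbound connection log of the kind a host firewall keeps. The log format, process names, the "expected processes" policy and the addresses (taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are all assumptions made for the example.

```python
"""Added example (not from the thread): detection rules run over a
constructed per-process outbound connection log. Format, process names,
policy sets and addresses are assumptions made for this example."""
import re
from collections import Counter
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT proc=(?P<proc>\S+) "
    r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: a browsing session, then a shell process that has
# no business on the network trying to reach two SMTP servers.
SAMPLE_LOG = """\
2006-12-05 18:00:01 OUT proc=firefox.exe dst=198.51.100.7:80 action=allowed
2006-12-05 18:00:02 OUT proc=firefox.exe dst=198.51.100.7:443 action=allowed
2006-12-05 18:00:05 OUT proc=firefox.exe dst=203.0.113.77:80 action=allowed
2006-12-05 18:01:10 OUT proc=explorer.exe dst=203.0.113.10:25 action=blocked
2006-12-05 18:01:11 OUT proc=explorer.exe dst=203.0.113.11:25 action=blocked
2006-12-05 18:02:00 OUT proc=thunderbird.exe dst=198.51.100.25:587 action=allowed
2006-12-05 18:03:00 OUT proc=svchost.exe dst=198.51.100.53:53 action=allowed
"""

# Assumed local policy: the part the administrator has to supply.
NETWORK_PROCS = {"firefox.exe", "thunderbird.exe", "svchost.exe"}  # may talk at all
MAIL_PROCS = {"thunderbird.exe"}                                    # may use mail ports
BROWSERS = {"firefox.exe"}
REQUESTED_SITES = {"198.51.100.7"}  # addresses the user deliberately asked the browser for

Event = Dict[str, object]


def parse(log_text: str) -> List[Event]:
    """Turn log lines into dicts; lines that are not connection records are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e: Event = m.groupdict()
        e["port"] = int(m.group("port"))
        events.append(e)
    return events


def findings(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(kind, process, destination) for every event that breaks the policy.

    Blocked events are reported as well: the block stops the traffic, but the
    log entry is what tells you that something on the host tried."""
    out: List[Tuple[str, str, str]] = []
    for e in events:
        proc, port = str(e["proc"]), int(e["port"])
        dst = f"{e['ip']}:{port}"
        if proc not in NETWORK_PROCS:
            out.append(("unexpected-process", proc, dst))
        if port in (25, 465, 587) and proc not in MAIL_PROCS:
            out.append(("mail-port-from-non-mail-process", proc, dst))
        if proc in BROWSERS and e["ip"] not in REQUESTED_SITES:
            out.append(("browser-to-unrequested-host", proc, dst))
    return out


def summary(log_text: str = SAMPLE_LOG) -> Dict[str, int]:
    """Count of findings per kind for a log text."""
    return dict(Counter(kind for kind, _, _ in findings(parse(log_text))))


if __name__ == "__main__":
    for kind, proc, dst in findings(parse(SAMPLE_LOG)):
        print(f"{kind:34} {proc:16} -> {dst}")
```

On the sample log the two explorer.exe lines each trigger both the unexpected-process and the mail-port rules, which is exactly the signal Bogwitch describes. The browser-to-unrequested-host rule reproduces his "DST IP not that of the requested server" check and is the noisy one: embedded content from other hosts fires it too, and malware that rides an existing browser connection to the server the user actually requested, the case Sebastian raises, produces no entry at all.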

Re: Tips on blocking "difficult" services..

on 05.12.2006 19:38:13 by Ansgar -59cobalt- Wiechers

Kayman wrote:
> Sebastian wrote:
>
> "Now when will people stop following this "outbound filtering" nonsense?"

Could you *please* fix your quoting? It is common practice to prefix
quoted text with ">" or "> " instead of putting it in quotes. Most
newsreaders will display prefixed text in a different color, thus making
it easier for the reader to distinguish between quoted text and your
text.

> Okay, you've probably answered this many times before but would you
> please once more concisely elaborate as to what a non-technical person
> (average computer user) should employ for safe guarding his/her pc.

There's a lot of things you can do, e.g.:

- Use a system (and filesystem) that does support privilege separation.
- Use a normal user account. Use the admin account only to accomplish
admin tasks.
- Keep your system and all the software on it up-to-date, preferably
through automated updates.
- Install a virus scanner and keep it up-to-date.
- Avoid IE and OE like the plague. Use some other web-browser, mail-
client and newsreader instead.
- Disable autostarts for removable media.
- Configure your software correctly. Most so-called "phone homes" are
misinterpreted valid, though probably unnecessary requests.
- Don't install software you don't trust.
- Don't open attachments from mail if you didn't request that
attachment.
....

> If outbound filtering is so ineffective then it seems to me that M/S got it
> right in the first place by offering their Windows Firewall in SP2.

Yes. Well, sort of. It would have been even better if they had decided
to run services only when they are needed, and allow to bind them only
to the interfaces they're needed on. Mac OS X gives a good example of
how this can be done.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: OT Tips on blocking "difficult" services..

on 05.12.2006 19:41:33 by alf

Bogwitch wrote:
> As I explained, I am using this system to collect malware.

Any experience with rootkits? Some tips on detection, software or technique?

Currently I'm using Sysinternals rootkit revealer, any other suggestion?

Re: OT Tips on blocking "difficult" services..

on 05.12.2006 21:34:34 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 21:44:22 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 22:18:50 by unknown

Post removed (X-No-Archive: yes)

Re: OT Tips on blocking "difficult" services..

on 05.12.2006 22:19:21 by alf

Sebastian Gottschalk wrote:
> @lf wrote:
>
>> Bogwitch wrote:
>>> As I explained, I am using this system to collect malware.
>> Any experience with rootkits? Some tips on detection, software or technique?
>>
>> Currently I'm using Sysinternals rootkit revealer, any other suggestion?
>
> Yes: get a serious, working software. Seriously, once I sufficiently
> securely configure a Windows box, Rootkit Revealer stops working for
> multiple issues/defects.

I noticed that. I don't need it for my Windows box.

> There are various other tools that provide better analysis points. System
> Virginity Verifier, VICE, Rootkit Detector 2, Gmer, Ice Sword, DarkSpy,
> Flister, knlps and IAT Hooks Analyzer.

Thx on info.

> At any rate, these are only good for verifying an assumed compromise or for
> analyzing suspicious system behaviour. General detection is no good idea
> (rather try to prevent it in first place), and cleaning (as offered by
> some) is an even more stupid idea.

I know but I have to say to somebody why I'm formatting his/her disk, and
the reason has to be "visible".

Re: OT Tips on blocking "difficult" services..

on 05.12.2006 22:22:45 by unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

on 05.12.2006 22:27:33 by unknown

Post removed (X-No-Archive: yes)

Re: OT Tips on blocking "difficult" services..

on 05.12.2006 23:38:31 by Bogwitch

Hi @al,

"@lf" wrote in message news:el4egu$nfh$1@ss408.t-com.hr...
> Bogwitch wrote:
> > As I explained, I am using this system to collect malware.
>
> Any experience with rootkits? Some tips on detection, software or technique?
>
> Currently I'm using Sysinternals rootkit revealer, any other suggestion?

I've not come across any rootkits as yet. Not without the delivery
system being caught by the AV, anyway.

Regular checks on the system include running InCtrl5 to look for basic
system changes and an offline scan once a week for any alternate data
streams and a full hash check of all system files.

Hopefully I should pretty much catch anything hiding there.

Bogwitch.
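Bogwitch's weekly "full hash check of all system files" is a baseline comparison: record a digest of every file while the system is known good, then diff the tree against that record later. The following is an added example, not code from any poster or tool: a baseline builder and comparer, with a demo that builds a small constructed tree, records it, changes it and reports the difference. The file names are made up for the example. As Bogwitch notes, the check has to run offline: a baseline read through a compromised kernel can be lied to.

```python
"""Added example (not from the thread): file-hash baseline build and
compare, the mechanism behind an offline "hash check of all system
files". File names in demo() are constructed for the example."""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map of relative path (always '/'-separated) to digest for every file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    """Keep the baseline on read-only or offline media, not on the system it describes."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(Path(path).read_text())


def compare(baseline: Dict[str, str], root: Path) -> Dict[str, List[str]]:
    """Files whose content changed, files that appeared, files that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.bin").write_bytes(b"original kernel image")
        (root / "system32" / "shell.bin").write_bytes(b"original shell")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        manifest = root.parent / (root.name + ".baseline.json")
        save_baseline(build_baseline(root), manifest)

        # Changes made after the baseline: one patched binary, one new driver
        # file, one deleted file. Everything else stays as it was.
        (root / "system32" / "shell.bin").write_bytes(b"original shell, patched")
        (root / "system32" / "drivers").mkdir()
        (root / "system32" / "drivers" / "hidden.sys").write_bytes(b"new driver")
        (root / "hosts").unlink()

        result = compare(load_baseline(manifest), root)
        manifest.unlink()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison reports only what changed, not why; as Sebastian says, a tool like this verifies a suspected compromise rather than detecting one in general, and an unexpected entry under the system directory is a reason to rebuild, not to clean.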

Re: Tips on blocking "difficult" services..

on 06.12.2006 00:05:48 by Bogwitch

Sebastian Gottschalk wrote in
news:4tm42lF14andmU1@mid.dfncis.de:

> Bogwitch wrote:
>
>> Sebastian Gottschalk wrote in
>> news:4tlnnsF12l7vnU1@mid.dfncis.de:
>>
>>> Bogwitch wrote:
>>>
>>>> Do you have a problem with layered security, defence in depth, or
>>>> both?
>>>
>>> I have a problem with "layered security", as it's just a buzzword
>>> describing a misinterpretation of the concept "defense in depth".
>>
>> I understand what you are saying. I've spent too much time in
>> management and have adopted a management style speak.
>
> But the problem is the misinterpretation. "Defense in depth" means to
> provide protection measures on all layers *as long* as one measure
> doesn't negate another one*, f.e. by increased complexity - the common
> interpretation of "layered security" completely ignores this important
> point.

It's all semantics, I find the term layered security actually describes a
process better than Defence in Depth, each to their own.

>>> And I have a problem with your messed-up quoting style. :-)
>>
>> Believe it or not, I actually like the interface provided by OE. I
>> have switched reader lest I offend.
>
> Well, despite the insecurity and the totally messed up postings, I'd
> say the UI sucks as well. Did you ever try Thunderbird, Forte Free
> Agent or 40tude Dialog?

I tried to use Forte, quite some time ago and I did not like it. I've not
revisited since. I've not tried Thunderbird or 40tude Dialog but if I get
the time, I will check them out.

>> My point is, for an average administrator, who might not be a
>> security expert, dealing with average users, an outbound port
>> blocking firewall will provide SOME security.
>
> Not if the user is malicious, means: he actively tries to circumvent
> your measures for his own benefit. And he usually finds competent
> helpers to do it for him or to tell him how to do so.

Accepted. Still, if your user was truly malicious, is there much you can
really do?

> Indeed it does provide good security against non-malicious user
> mistakes as well as software-induced errors. But that wasn't on
> discussion.

>> For sure, denying exec rights is the better option. However, the
>> usability of such a system would be reduced.
>
> Actually one can experience quite the contrary: The set of legitimate
> applications is usually quite limited (web browser, mail program,
> office suite, some database applications), and exactly therefore it's
> quite feasible.
>
> The most common complaints you'll receive are like "oh, I can't run
> this Nude Anna Kurnikova screensaver that I downloaded" and "damn, but
> I want to run this flash movie this guy sent me via e-Mail" and many
> other non-serious stuff.
>
>> The company I work for has tried to implement a deny exec policy,
>> albeit applied retrospectively, which effectively caused a DoS.
>
> Of course, you should know what you're doing. Without proper
> management, almost any security measure will turn into a disaster.

Actually, the largest complaint was the inability to add workstation
shared printers. Not one complaint about random screensavers but we have
a strong policy in place! :-)

Bogwitch

Re: Tips on blocking "difficult" services..

on 06.12.2006 00:25:39 by Bogwitch

Sebastian Gottschalk wrote in
news:4tm639F14d0fbU1@mid.dfncis.de:

> Bogwitch wrote:
>
>> OK, AtGuard records all port connection attempts. I would define an
>> intrusion attempt as a scan of several service ports, YMMV.
>
> You would define a connection-reply problem on various ports a scan as
> well. Anyway, why would someone care for such nonsense?

It's interesting to see what connection attempts are made after
connection to a rogue website, often sites on dynamic DNS are most
interesting.

>> I think you have misunderstood. AtGuard detects when any software
>> attempts an outbound connection and, according to rules, would allow
>> or block the attempt. Also, according to rules, it would log the
>> connection, whether allowed or not. Hence, if malware is hijacking the
>> browser, the connection would be recorded and identifiable by the DST
>> IP *NOT* being that of the requested server.
>
> Wrong. It would not identify anything because the DST IP is of course
> the requested server - just you won't see that request.

You were talking about malware hijacking a browser session, once a
session had been established. Using AtGuard I can point my browser at a
web address I know (e.g. 1.1.1.1) and tell AtGuard to talk to that
address. If the browser then requests a page from a different address,
AtGuard will then ask me again, listing the DST address.

>>>> One particular piece of malware infected explorer.exe and attempted
>>>> to spew spam out on port 25.
>>>
>>> WTF? explorer.exe is write-protected to normal users. You're running
>>> as an administrator? Now you should really stop trying to tell me
>>> something about security.
>>
>> As I explained, I am using this system to collect malware. Yes, I am
>> running with administrative permissions, this is intentional and yes
>> I do understand the ramifications of my actions.
>
> Definitely you don't. Ever heard something of VMs?

I have. My hardware is of a low enough spec to prevent a VM running.

>> I don't block for intrusion detection, I block because I don't trust
>> OE!
>
> Then why do you have OE installed?

Because, as I said, I like the UI. I know enough about OE and I have
sufficient controls around it to make it safe for me to use.

>> Again, we are speaking at crossed purposes. Did you mean do I justify
>> that Atguard makes my system _LESS_ vulnerable? If so, the priv
>> escalating is not an issue. This is a single user system.
>
> If you were not so dumb to run with admin rights, privilege escalation
> would definitely be an issue even on single user machines.

I think I've explained why I run as admin, just to reiterate. I run as
admin to allow malware to infect my system.

>> Also, I am not hugely concerned about DoS because I can reboot.
>
> And after the reboot the DoS will keep going on...

Unlikely, I'm on dynamic IP.

>>> Nah, it worked by coincidence.
>>
>> How so? It detects outbound connections, which is what I want.
>
> It does not detect outbound connections. It detects outbound
> connections from non-trusted programs.

Depends how AtGuard is configured. I have it configured to alert me of
any outbound connection attempts and to log them. It is also configured
to silently log any inbound connection attempts.

>> I am not aware of netstat or TCPView keeping a log of connections.
>
> Then you may try PortQry and PortReporter from Microsoft, which are
> essentially just daemons recording these information all the time,
> whereas 'netstat' only displays information momentarily.
>
>> If a connection is only made for a very short time, would I catch it
>> with netstat or TCPView?
>
> In TcpView it would show up flashing in green and then in red.
>
> In any case, it would should up as a connection in TIME_WAIT state.

Thanks for the info. I will investigate the tools. However, AtGuard gives
me the alerting, logging and blocking functionality I require.

>> Additionally, netstat and TCPView would not *BLOCK* the connection
>> whilst logging it
>
> Of course, because this would be a useless trial.

Why? I don't want the malware to perform its evil deeds.

>> I don't want to be responsible for squirting malware or spam all over
>> the place!
>
> You are, especially since you're throwing around pseudo-arguments.

OK, nothing directly from my machine. :-)

Bogwitch
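The exchange above contrasts a momentary `netstat` listing with a daemon that records connections continuously, and notes that a short-lived connection will usually still be visible for a while in TIME_WAIT. The following poll-and-diff recorder is an added example and not code from the thread or from any of the tools named in it (AtGuard, TCPView, PortReporter). It parses `netstat -ano`-style output (the three snapshots below are constructed, with documentation-range addresses, not captured from a real machine), reports new, changed and closed outbound connections between polls, and keeps the PID learned while a socket was still owned, because a TIME_WAIT entry on Windows is reported with PID 0 once the owning process has released the socket. In a real deployment the `observe()` call would be fed the output of `netstat -ano` on a timer; that plumbing is omitted here so the block runs offline.

```python
"""Poll-and-diff outbound connection recorder over netstat-style output.

Added example (not from the thread): shows why continuous recording
catches what a single netstat listing misses, and why the PID must be
captured while the connection is still ESTABLISHED.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ConnKey = Tuple[str, str, str]  # (proto, local endpoint, remote endpoint)


@dataclass
class Conn:
    state: str
    pid: int


# Remote endpoints that mean "no peer": listening or unbound sockets.
_NO_PEER = {"0.0.0.0:0", "*:*", "[::]:0"}

# Constructed sample polls in `netstat -ano` (Windows) layout.
SNAPSHOT_1 = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1058      203.0.113.5:80         ESTABLISHED     1432
  UDP    0.0.0.0:500            *:*                                    1104
"""
SNAPSHOT_2 = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1058      203.0.113.5:80         ESTABLISHED     1432
  TCP    192.168.1.10:1061      198.51.100.77:6667     ESTABLISHED     2204
"""
SNAPSHOT_3 = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1061      198.51.100.77:6667     TIME_WAIT       0
  TCP    192.168.1.10:1062      192.0.2.9:25           TIME_WAIT       0
"""


def parse_netstat(text: str) -> Dict[ConnKey, Conn]:
    """Parse `netstat -ano` style output into a connection table.

    TCP lines carry five columns; UDP lines carry four (no state column).
    Header lines and anything that does not fit are skipped.
    """
    table: Dict[ConnKey, Conn] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        if not pid.isdigit():
            continue
        table[(proto, local, remote)] = Conn(state=state, pid=int(pid))
    return table


def is_outbound(key: ConnKey, conn: Conn) -> bool:
    """True for sockets that have, or recently had, a real remote peer."""
    return key[2] not in _NO_PEER and conn.state != "LISTENING"


class ConnectionMonitor:
    """Keeps the previous poll and reports what changed in the next one."""

    def __init__(self) -> None:
        self.previous: Dict[ConnKey, Conn] = {}
        self.last_pid: Dict[ConnKey, int] = {}  # PID seen while the socket was owned
        self.log: List[str] = []

    def observe(self, netstat_text: str) -> List[str]:
        current = {k: c for k, c in parse_netstat(netstat_text).items()
                   if is_outbound(k, c)}
        events: List[str] = []
        for key, conn in current.items():
            if conn.pid != 0:
                self.last_pid[key] = conn.pid
            # A TIME_WAIT entry shows PID 0; reuse the PID recorded earlier,
            # if this recorder ever saw the socket while it was owned.
            pid = self.last_pid.get(key, conn.pid)
            label = f"{key[0]} {key[1]} -> {key[2]}"
            old = self.previous.get(key)
            if old is None:
                events.append(f"NEW {label} {conn.state} pid={pid}")
            elif old.state != conn.state:
                events.append(f"STATE {label} {old.state}->{conn.state} pid={pid}")
        for key, old in self.previous.items():
            if key not in current:
                pid = self.last_pid.get(key, old.pid)
                events.append(f"CLOSED {key[0]} {key[1]} -> {key[2]} last={old.state} pid={pid}")
        self.previous = current
        self.log.extend(events)
        return events


def run_demo() -> List[str]:
    """Feed the three constructed polls through the monitor; return the log."""
    monitor = ConnectionMonitor()
    for snapshot in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3):
        monitor.observe(snapshot)
    return monitor.log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In the third poll the IRC-port connection is attributed to PID 2204 only because the recorder saw it ESTABLISHED one poll earlier; the SMTP connection on port 25 was never seen while owned, so it is logged with `pid=0` and the process remains unknown. That is the gap a one-off `netstat` or a glance at TCPView leaves, and it is what a continuously running recorder such as PortReporter, or a poll loop like this one, is for.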

Re: Tips on blocking "difficult" services..

am 06.12.2006 00:53:05 von arja

"Ansgar -59cobalt- Wiechers" schreef in
bericht news:4tlre4F14bj1qU2@mid.individual.net...
> arja wrote:
>> "Sebastian Gottschalk" schreef:
>>> arja wrote:
>>>> And worse, you always forget ports.
>>>
>>> And even worse, you can run all of these protocols over any port you
>>> want. Now when will people stop following this "outbound filtering"
>>> nonsense?
>>
>> Never, because it often provides useful information in case of an
>> infection.
>
> That is outbound *monitoring*, whereas Sebastian was talking about
> outbound *filtering*. It is undisputed that outbound monitoring can give
> you pointers in case of an infection, but that has nothing to do with
> the fact that outbound *filtering* is not reliable and should thus not
> be regarded as a security measure.

As stated earlier, 100% security is just a wish and has nothing to do with
reality.
That is no reason for doing nothing or stating that only incoming filtering
is useful.

arja.

Re: Tips on blocking "difficult" services..

am 06.12.2006 00:54:40 von unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

am 06.12.2006 01:00:05 von unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

am 06.12.2006 01:02:15 von unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

am 06.12.2006 16:46:28 von Ansgar -59cobalt- Wiechers

arja wrote:
> "Ansgar -59cobalt- Wiechers" schreef:
>> arja wrote:
>>> "Sebastian Gottschalk" schreef:
>>>> Now when will people stop following this "outbound filtering"
>>>> nonsense?
>>>
>>> Never, because it often provides useful information in case of an
>>> infection.
>>
>> That is outbound *monitoring*, whereas Sebastian was talking about
>> outbound *filtering*. It is undisputed that outbound monitoring can
>> give you pointers in case of an infection, but that has nothing to do
>> with the fact that outbound *filtering* is not reliable and should
>> thus not be regarded as a security measure.
>
> As stated earlier, 100% security is just a wish and has nothing to do
> with reality.

I wasn't talking about "100% security", but about reliability, which is
not the same.

> That is no reason for doing nothing or stating that only incoming
> filtering is useful.

The lack of reliability *is* a reason.

cu
59cobalt
--
"Personal Firewalls are crap. Throw away any personal firewall. Personal
Firewalls are bad[tm]."
--Malte von dem Hagen on security-basics

Re: Tips on blocking "difficult" services..

am 06.12.2006 17:25:49 von Bogwitch

Sebastian Gottschalk wrote in
news:4tmf7gF14it16U2@mid.dfncis.de:

> Bogwitch wrote:
>
>> Accepted. Still, if your user was truly malicious, is there much you
>> can really do?
>
> Treating him as such?

If I had a malicious user, I would sack him. Simple as that. The problem
is, you do not know who your malicious user is/are. The best you can hope
for is detection after the event.

I suspect the security concerns of my organisation and the security concerns
of yours are wildly different.

Bogwitch.

Re: Tips on blocking "difficult" services..

am 06.12.2006 17:32:17 von Bogwitch

Sebastian Gottschalk wrote in
news:4tmfhlF14nurvU1@mid.dfncis.de:

> Bogwitch wrote:

>> You were talking about malware hijacking a browser session, once a
>> session had been established. Using AtGuard I can point my browser at
>> a web address I know (e.g. 1.1.1.1) and tell AtGuard to talk to that
>> address. If the browser then requests a page from a different
>> address, AtGuard will then ask me again, listing the DST address.
>
> And the malware will silently insert an image load request into about
> any legitimate website. Anyway, AtGuard won't ask you, since it can't
> know what you typed in the address bar, but just what was requested -
> which is already a different destination.

The way I have AtGuard configured on this machine, it WILL ask me about
EVERY connection attempt.

>> Because, as I said, I like the UI. I know enough about OE and I have
>> sufficient controls around it to make it safe for me to use.
>
> Looking at the current vulnerabilities, this is obviously a lie.

No it's not. Look, I'm surfing to all sorts of peculiar places, I pick up
malware left right and centre. I have security controls to ensure I
detect the malware and I do not cause any harm, discomfort or irritation
to others. Never have, never will.

>> I think I've explained why I run as admin, just to reiterate. I run
>> as admin to allow malware to infect my system.
>
> Just to reiterate: That's a totally broken concept.

Works for me

>>>> Also, I am not hugely concerned about DoS because I can reboot.
>>>
>>> And after the reboot the DoS will keep going on...
>>
>> Unlikely, I'm on dynamicIP.
>
> Well, then why did you reboot?

Sorry, I thought a change of IP would be implied if I said 'reboot'.

>> Thanks for the info. I will investigate the tools. However, AtGuard
>> gives me the alerting, logging and blocking functionality I require.
>
> And the vulnerabilities you require.
>
>>>> Additionally, netstat and TCPView would not *BLOCK* the connection
>>>> whilst logging it
>>>
>>> Of course, because this would be a useless trial.
>>
>> Why? I don't want the malware to perform its evil deeds.
>
> The malware will perform its evil deeds beside AtGuard or any other
> useless trial of blocking. Didn't you say that you run with admin
> rights? AtGuard won't even get to see any connection attempt from the
> malware.

Might I suggest you actually understand the software before you tell me
what it can and what it can't do?

Bogwitch.

Re: Tips on blocking "difficult" services..

am 06.12.2006 18:50:41 von unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

am 06.12.2006 19:10:21 von Bogwitch

Sebastian Gottschalk wrote in
news:4toe9oF14jqhqU1@mid.dfncis.de:

> Bogwitch wrote:
>
>> The way I have AtGuard configured on this machine, it WILL ask me
>> about EVERY connection attempt.
>
> If the malware has admin rights, it can trivially bypass AtGuard. You
> WON'T get ANY connection attempt to see.

Bring it back to the _REAL_ world, Sebastian, please name ONE piece of
malware that is AtGuard aware.

>> Might I suggest you actually understand the software before you tell
>> me what it can and what it can't do?
>
> May I suggest you do the same?

I *DO* understand the software. You don't, otherwise you would not be
spouting the inaccuracies you have thus far.

Anyway, back to the subject. I can see real world uses for an outbound
port blocking firewall, particularly a personal firewall.

Bogwitch.

Re: Tips on blocking "difficult" services..

am 06.12.2006 21:04:46 von unknown

Post removed (X-No-Archive: yes)

Re: Tips on blocking "difficult" services..

am 06.12.2006 21:54:46 von Bogwitch

Sebastian Gottschalk wrote in news:4tom56F14q07iU1
@mid.dfncis.de:

> Bogwitch wrote:
>
>> Sebastian Gottschalk wrote in
>> news:4toe9oF14jqhqU1@mid.dfncis.de:
>>
>>> Bogwitch wrote:
>>>
>>>> The way I have AtGuard configured on this machine, it WILL ask me
>>>> about EVERY connection attempt.
>>>
>>> If the malware has admin rights, it can trivially bypass AtGuard. You
>>> WON'T get ANY connection attempt to see.
>>
>> Bring it back to the _REAL_ world, Sebastian, please name ONE piece of
>> malware that is AtGuard aware.
>
> Agobot. Nuff said.

Fair enough, if I was running AtGuard using its default installation
executable name, I might be worried. Since 'iamapp.exe' isn't descriptive
enough for me, it is renamed to something more to my liking. Nor are my
network shares open, nor am I getting files via IRC or p2p. Not
concerned.

> BTW, security is about something called *reliability*.
>
>>>> Might I suggest you actually understand the software before you tell
>>>> me what it can and what it can't do?
>>>
>>> May I suggest you do the same?
>>
>> I *DO* understand the software.
>
> But you don't understand Windows. AtGuard might do what it wants, the
> Windows kernel remains the ultimate authority in the system, and if the
> malware runs with admin rights, it has full access to the kernel. This
> is a cat-and-mouse game, whereas AtGuard is always the loser in the
> long run.

What can I say? It must be magic that has allowed me to use AtGuard in
such a way, and without doing any damage. Gosh, aren't I lucky? And with
me being a complete biff when it comes to Windows.

Bogwitch.