The magic words....
"By luring victims to a malicious link".............
Paris because even she knows malicious links can get you in to a whole lot of trouble.
On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some javascript embedded in a webpage. By luring victims to a malicious link, the attacker can …
Lord Lien
I bow to your superior knowledge. How do you know when a link is malicious before you visit it and get the pox?
Is it because you don't visit any links? Is it because you visit only websites that are impossible in the lifetime of the universe to be compromised?
I too am paranoid, but also know how ANY website can harbour mischief. ANY website can be compromised (even if not the server, then their DNS can be made to point elsewhere). The excuse that something ONLY works if you click a malicious link just means that someone has to place the link where you will click it... and you do click links somewhere.
sorry nurse, I'll take the pills now
Even if the site itself and its DNS have not been compromised, the old "embed my moody exploit in an advert and tout it through the ad servers" ploy should do the trick quite nicely. Especially as he reckons that it can be made to work without anyone having to click anything.
The number of shonky ads circulating is probably the best reason for adblock these days.
hardware firewall?. Router?, gateway?
this is pretty basic and simple, ftp ports aren't blocked by default, being as they are a pretty much essential part of being able to use the internet for downloading material from servers/sites etc.
At this point, i begin to question, are we actually mistaking what we can actually do with the 'net, as designed, for something that's hacking, ie altering what is supposed to happen for something that isn't.
I'm pretty much sure, Dan, that you would be highly annoyed if your port 25 didn't work, that being your SMTP port, shared with your ISP, enabling you to get/send your email, now if that was affected in any way, would you describe that as a hack?, an ISP block attempt? or maybe it's a BUG/FLAW?
This would be news, if it was something that happened naturally, unfortunately, it's an artificially engineered situation, and as such, has no shock or awe value, the novelty of hacking to create fear has been dissipated by its sheer abundance.
Here was me hoping that 2010 might be different from the last 4/5 years, seems that journalists don't seem to get bored with it, even if readers do.
Meh!
I stopped using port 25 for SMTP years ago, heck I've not been using plain text e-mail for years too. Okay I know there is always the chance that SSH encrypted mail could be compromised and the security is only as good as its weakest link.
I dare say that this problem isn't because the routers run Linux, for starters, Linux is just the kernel. Could maybe be down to the default settings of how the router handles ports (can't remember name of the package, it's too early in the morning and I haven't had my McDonalds breakfast yet!)
Rob
"ftp ports aren't blocked by default, being as they are a pretty much essential part of being able to use the internet for downloading material from servers/sites etc."
Ok, then try connecting to any port on my machine and see what happens...
The firewall will allow _outgoing_ connections to the ports but not incoming -- unless, of course, I have an FTP server running and the port forwarded. In that case, without this exploit, you'd still not be able to connect to any other port.
Before:
20:45 (2) "jamie" jamie@catflap% te 78.150.115.214 555
Trying 78.150.115.214...
^C
After:
20:45 (3) "jamie" jamie@catflap% te 78.150.115.214 555
Trying 78.150.115.214...
telnet: connect to address 78.150.115.214: Connection refused
telnet: Unable to connect to remote host
Though I normally run with "forward all ports to 10.20.30.45" by default anyway, so I'm not bothered.
Could be bad for the windows users though!
20:49 (4) "jamie" jamie@catflap% te 78.150.115.214 22
Trying 78.150.115.214...
Won't send login name and/or authentication information.
Connected to 78.150.115.214.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2p1 FreeBSD-openssh-portable-5.2.p1_2,1
I also use and love NoScript. But as a web developer I can tell you it's trivial to develop a website entirely in Javascript that displays a simple "This site requires Javascript enabled" message to a NoScript user. If that user has been given the impression that the site contains something he or she wants, they'll automatically reach for that NoScript Options button and select "Allow shitsite.com" without a second thought.
Granted, you might be savvy enough to think "Why does simply showing me some info require Javascript?" but depending on how badly you want that info, even you might be prepared to at least "Temporarily allow..." just one time to see what it is. Furthermore, this attack involves form submission. It's far from unusual for forms pages to require Javascript for dynamic option updating and on-enter form validation, and even a tech-savvy user thinking he's signing up for some useful service would be taken in.
NoScript is only as good as the person using it, and with its use becoming more prevalent, the blackhats will become ever more creative in finding ways of meat-hacking people into selecting that much-desired "Allow shitsite.com" option.
In network security parlance, a hardware firewall is usually a term used to describe a firewall that is tied to a particular piece of hardware, such as a PIX.
Checkpoint on the other hand can be run on a variety of platforms so can be considered a software firewall, but then people usually use this term to refer to client based firewalls so go figure :)
It doesn’t work on my D-Link DGL-4300, but its application-level gateway (ALG) doesn’t even support IRC. I tried the suggested alteration for FTP, but couldn’t get it to work. That’s probably not too surprising. As Greg Oestreicher has pointed out, the attacks use some of the same concepts as those in Soungjoo Han’s piece in phrack #63. Han concludes that only a careless firewall would fall for the FTP-echo attack, even if it were packet-aligned.
At least my router makes up in security what it lacks in functionality. Its ALG has caused me more problems than it has solved. The options are all on by default and I needed to turn off both SIP and RTSP, after quite some head scratching. This is why NAT traversal using UPnP is a slightly better fudge.
NAT != firewall
Firewall != security (especially for badly configured values of firewall)
The above is something I have tried to smack into people who should know better many times over the years. Even my government employer takes this stupid approach of assuming a blocking internet traffic on most ports makes it safe. People seem to forget that once something is breached, the outer perimeter doesn't stop anything.
Title says it all really. You should configure your firewall so that it will only allow traffic on ports that you know you need. Especially in Windows-land, many people seem to view a firewall as a one-way system that stops the bad stuff OUTSIDE getting INSIDE. It also works the other way. Most people at home only need ports 80, 443, 25, 53 and a couple of others (POP/IMAP?) open. All other ports should be closed off so that if your machine does try and send anything out, it won't actually get very far.
In short, do not assume your internal network can do no wrong. Of course, this isn't a magic bullet but it would go a long way to restricting this kind of stuff, along with stopping the spread of zillions of other viruses and worms.
I have limited my 3Com firewall with NAT to only allow HTTP connections on port 80 and HTTPS on 443.
So how come my kids still manage to use instant messaging apps like those that come with MSN, Facebook, Web Messenger, etc on their windose machines ?
Is all this [IRC/ICMP traffic ?] being run over port 80 at the router ?
File and Printer Sharing is disabled in Services on each machine, as is FTP and TELNET. Can they be turned on surreptitiously by such an exploit ?
Is my router still vulnerable to the exploit ?
ALF
Only allowing ANY connections to 80 and 443? If so then you almost certainly would not be able to browse the internet. You need to allow UDP (and sometimes TCP) port 53 also for DNS. As this would not seem to be the case then this suggests you've not locked your router down as much as you think you have.
If you've got some clever rule that only allows 80 and 443 for HTTP protocol (ie your router is performing packet inspection) then unless IRC etc is also running on HTTP then the packet inspection rule will not block it. I've never used it, but I'm pretty sure Facebook chat and similar DOES work over HTTP port 80 (it's just a web page and a bit of javascript running on the browser).
ICMP is a protocol and not a service, and most ICMP stuff can be blocked without causing problems (you might need to allow 'time' - I think some SMTP servers can have issues if this is blocked, but I may have got this wrong - I don't have the necessary info at hand). Generally, you need to set your TCP, UDP and ICMP firewall rules separately.
Most routers work as the DNS server for the network anyway, and nobody said anything about blocking the *router's* access to port 53. Facebook chat and webmessenger are both web apps that run entirely over 80/443. MSN itself can be proxied over port 80, and possibly just sets itself up to do this if necessary.
Can't see any benefit in blocking outgoing ports whatsoever myself - if I was going to write something malicious I'd already have written it to use port 80 so I could run it through corporate firewalls
"Can't see any benefit in blocking outgoing ports whatsoever myself"
You don't see any need to prevent internal network data from leaking out onto the internet? An interesting point of view.
Leaving aside the very obvious security considerations for now, it is this thinking that has resulted in the small but significant amount of noise on the internet at large, consisting of stuff like Windows broadcast requests searching for other machines (which it will never find), and other stray broadcast messages. All of these messages should never leak out; they should be contained on the local network. And before you say "it doesn't matter", well, yes it does! It wastes bandwidth and causes load on other internet-based kit that has to deal with this stuff.
And contrary to what you say, many exploits rely on ports other than 80 being open.
"Only allowing ANY connections to 80 and 443? If so then you almost certainly would not be able to browse the internet. You need to allow UDP (and sometimes TCP) port 53 also for DNS."
For most home NAT-based routers, you do NOT need to allow UDP/TCP 53 for DNS to pass through, because they contain their own DNS server, which will make the external requests.
Easy to check: run ipconfig /all or whatever command your OS uses to enumerate DNS servers. If the only DNS server listed is the ip address of your router, then it is running a server, and UDP/TCP 53 does not need to be opened.
No end of locks on a door will stop people coming in through open windows ( pun wasn't intended ! ).
People need reminding that things are often not as secure as they think they are. I'm often smugly told by certain fanbois that their network is more secure than mine because its firewall is stateful and won't let traffic in which wasn't initiated outbound. When asked how this prevents rogue applications and malware on their system from establishing such an outbound connection the naive answer is this simply will never happen ;-)
I have a software firewall running on my PC which lets me control which applications are making connections or being connected to but I know that doesn't protect me from anything which piggybacks onto something I have to allow such as browsers to port 80.
The only secure PC I have is the one in a cupboard which isn't powered up.
"People need reminding"
They certainly do.
I was working in the City a few years back and a server chap boasted how he had an uber-secure linux system at home that was uncrackable. So myself and the Security bod decided to take up his little challenge.
We were helped by the fact he decided to leave his laptop unlocked that lunch-time it has to be said.
When he got back from lunch we told him we'd put a little hello file from both of us in his root directory, whereupon he immediately vpn'd to his home device to check. The key-logger we had installed was busy sending us info which my compatriot was using to perform the deed whilst I chatted to the numpty.
Needless to say he was a bit miffed when he found a little text file in his root directory (he didn't even check the timestamp (which was about 3 seconds before-hand)).
We didn't let him know how we'd done it for three glorious days, and he didn't have much hair to start with. When we finally put him out of his misery he claimed we had cheated !
Ah, heady days :D
Are you trying to insinuate that this is in some way a FF/Mozilla bug? Why not an IE logo, or are the MS lawyers too dangerous? At the moment a glance at the headline gives the impression that FF is the source of this vulnerability and that is manifestly not the case; please change it.
I rather like this little attack, which would fail on my linux router because I haven't installed the IRC connection tracker, ftp would do though.
What the article failed to mention is that all 3 protocols (IRC, FTP, SIP) use 2 or more connections, where the second connection ports are negotiated in the first connection. NAT lets the first connection go because it's outbound, and very few people drop outbound connections by default.
The feature getting abused here is the one routers use to look at traffic in the original connection to find information about the second connection, so the router can create NAT table entries for it. What this shows is that if you can control one end of the management connection for any of those 3 services, you can probably open arbitrary ports through the NAT to whatever host you've got the connection with on the inside. Opening ports to other hosts would be unlikely with this particular attack, but of course once you've compromised one host within the LAN, the rest are free for the taking.
What this all comes back to is: Host-based firewalls aren't just for paranoid nutjobs any more! Defense in depth is your friend, don't rely on any one form of protection for anything you consider to be valuable.
But people will never learn that.
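The ALG behaviour described two posts up (the router reads the port negotiation inside the control connection and pre-creates a NAT entry for it), together with the "only a careless firewall would fall for the FTP-echo attack" point from the phrack #63 discussion, is what a strict FTP ALG has to get right. The code below is an added example, not any router's code and not from the commenters: it tracks the client side of the control stream from the first byte and only honours PORT after a real login, for the inside host's own constructed address 10.20.30.45 and an unprivileged port, and stops tracking as soon as it sees a line that is not an FTP command (such as a browser's POST request).

```python
import re
from dataclasses import dataclass, field
INSIDE_IP = "10.20.30.45"   # constructed: the inside host as the NAT sees the control connection
FTP_VERBS = {"USER", "PASS", "CWD", "QUIT", "PORT", "PASV", "TYPE", "RETR", "STOR",
             "LIST", "NLST", "NOOP", "SYST", "PWD", "ABOR", "EPRT", "EPSV"}
CMD_RE = re.compile(r"^([A-Z]{3,4})(?: [ -~]*)?$")   # one printable command per CRLF line
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$")

@dataclass
class StrictFtpAlg:
    """Tracks the client side of an FTP control connection from its first byte: PORT is
    honoured only after a USER/PASS login, for the inside host's own address, port >= 1024."""
    inside_ip: str
    seen: list = field(default_factory=list)        # command verbs in order
    tracking: bool = True                           # cleared for good on any non-FTP line
    buf: bytes = b""
    pinholes: list = field(default_factory=list)    # (addr, port) the NAT may open
    refusals: list = field(default_factory=list)    # why a PORT was not honoured

    def feed(self, data: bytes) -> None:
        self.buf += data                            # raw client->server bytes, any packetisation
        while self.tracking and b"\r\n" in self.buf:
            raw, self.buf = self.buf.split(b"\r\n", 1)
            self._line(raw.decode("ascii", "replace"))

    def _line(self, line: str) -> None:
        if not (m := CMD_RE.match(line)) or m.group(1) not in FTP_VERBS:
            self.tracking = False                   # e.g. 'POST / HTTP/1.1' or 'Host: ...'
            return
        self.seen.append(m.group(1))
        if (p := PORT_RE.match(line)) is None:
            return
        o = [int(x) for x in p.group(1).split(",")]
        addr, port = ".".join(map(str, o[:4])), o[4] * 256 + o[5]
        reason = ("octet out of range" if max(o) > 255 else
                  "PORT before a USER/PASS login" if self.seen[:2] != ["USER", "PASS"] else
                  f"address {addr} is not the inside host" if addr != self.inside_ip else
                  f"privileged port {port}" if port < 1024 else None)
        if reason is None:
            self.pinholes.append((addr, port))
        else:
            self.refusals.append(reason)

def demo() -> tuple:
    # Constructed: a genuine login (PORT split across packets) vs. a form POST carrying PORT.
    good, posted = StrictFtpAlg(INSIDE_IP), StrictFtpAlg(INSIDE_IP)
    good.feed(b"USER anonymous\r\nPASS guest@\r\nPORT 10,20,")
    good.feed(b"30,45,7,208\r\n")                   # 7*256+208 = port 2000
    posted.feed(b"POST / HTTP/1.1\r\nHost: example.invalid\r\n\r\nPORT 10,20,30,45,0,22\r\n")
    return good, posted
```

The same structure applies to the IRC DCC and SIP helpers the posts mention: follow the protocol's own state from the start of the stream rather than pattern-matching for the negotiation string anywhere in the payload.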