XP RAW sockets... hackers heaven?
Mr. Gibson makes a valid point on raw socket access. With the average user, a computer is point and click. The complexities of the inner workings are not as fun as chat, instant messaging and games. Therefore, it is rarely studied or learned. Can we expect to see effective administrators of these XP home machines? Will the average computer user ever read this article at grc.com? I think not.
Gibson is obviously not an NT person.
I think his whole beef is that normal people doing a local installation have admin rights. The funny thing is, it is generally understood that you need to be admin to install the OS locally.
Other than the default administrator account, the only new user that is made administrator during XP ( or any NT installation ) is the user account created during the install process. In a home environment type OS, everyone has admin rights anyway.
I think he's off his rocker. All ports are wide open in Win9x anyway, and the user can't control them at all other than installing a firewall; with XP, it is built in, and all one has to do is configure it.
[This message has been edited by BBA (edited 08-16-2001).]
Here is an excerpt from one of Mr.Gibson's articles:
Beyond their use for supporting simple "ping" and "traceroute" commands, the original Berkeley designers intended Raw Sockets to be used for Internet protocol research purposes only. Because they fully appreciated the inherent danger of abuse of Raw Sockets, they deliberately denied Raw Socket access to any applications not running with maximum Unix "root" privileges. User-level applications were thus prevented from accessing and potentially abusing the Raw Sockets capability. (See asterisk '*' in diagram above.)
Full Raw Sockets were created as a potent research tool. They were NEVER INTENDED to be shipped in a mass-market consumer operating system.
Apparently (I ain't no genius on this) denial of service attacks running through raw sockets access are not traceable. So, basically, if some childish mind became upset at some comment made by a member at this site, they could DOS with a great degree of anonymity. There are a great many computers currently infected with the SubSeven trojan. Port scan the AOL IP range; it's pretty scary! With raw socket access all these computers become virtually anonymous. A malicious person could shut down a website with packet flooding coming from many machines. I currently run Linux and Windows and, still being a poor little hick from Texas, have taken some time to learn a little bit about my computer. I think Mr. Gibson is worried that there are many potential new buyers out there that won't.
First of all, Steve Gibson DID NOT CREATE Zone Alarm, he merely ENDORSES it. I have seen it erroneously attributed to him on several different sites, now. <:/ Oh well.
Second, BBA said:
>>I think he's off his rocker. All ports are wide open in Win9x anyway, and the user can't control them at all other than installing a firewall; with XP, it is built in, and all one has to do is configure it.<<
You most certainly *CAN* control them! You can fairly easily CLOSE them by simply UNBINDING the NetBEUI protocol from any Internet-related "adapter". (And unbind anything else that is not NEEDED.) If it is a single PC with no networking, simply removing File & Print sharing closes a number of holes. In this case, the ONLY protocol needed would be TCP/IP, and the Internet-related "adapters".
The GRC.COM site gives very specific and easy-to-follow instructions for fairly securely closing your WIN9x-based machines from hacking. It is a reasonable level of security that is very effective at keeping the sociopaths' mitts out of your machine.
Running a firewall like Zone Alarm is quite bulletproof... a hacker can't hack what he can't even "see". The disadvantage is that it hogs system resources! The best route (pun intended) with any high-speed access, is a ROUTER. It acts as a hardware firewall, and is virtually impenetrable. The best part is that not only does it NOT use valuable system resources, it permits more than one computer to share a connection, with only a single IP address.
I have a LAN here at home, and tied it into my router. It works flawlessly. I can access the WEB from any of these machines. All it took was a little configuring, and it's very secure.
My whole point is that GRC is whining that MS makes the installing account full administrator. Du'h....
I am glad all functionality is included...makes it more like Unix for admin/root accounts.
What's the problem? He's just whining.
The problem with XP including full access to Raw Sockets is that it will allow non-secured systems to become willing slaves to those sociopaths who upload DDOS-attack bots. Those bots will be able to exploit those features, fully spoofing their real source, making it look like their attacks are all originating from wherever the "BotMaster" chooses!
Look at the mess we've seen with the DDOS attacks that have been staged using plain old WIN9x machines! (Which are incapable of spoofing.) The reason Raw Sockets on home versions of XP is so dangerous (compared to the same features in Linux) is because most people have NO CLUE that they even exist, and therefore make no effort to secure them.
All that needs to happen, is for one of those hackers to upload a bot to that machine, and let 'er rip. DDOS attacks originating from the White House? From Microsoft? From Yahoo? From Amazon? Sure... with unprotected Raw Sockets just sitting there on home users' machines, they can do this with impunity and anonymity.
Is the sky falling? No... at least not yet. But let unrestricted access to Raw Sockets occur in millions of new PC's over the next year, and it could.
Just look at all the hubbub about Code Red! My Cable modem is CONSTANTLY being bombarded by HTTP (port 80) probes! I have "looked back" at the machines sending these probes, and most of them have nothing in the directory that is "exposed" to the WEB. (FTP shows an empty folder, HTTP gives a generic error message that no default page exists, or a page of obscenities assaults my senses.)
These people are NOT intentionally running WEB servers... NT (or 2000) is running them without their knowledge! (Just like the one in WIN9x that is so nicely explained & demonstrated by GRC.COM's "SHIELDS UP!" pages!) Here is where the hackers are having a field day, and Code Red runs rampant!
And now MS is considering giving them an almost unlimited and invincible "weapon" in XP??? This is NOT good.
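The spoofing concern in the post above is the one a border router's egress filter (the BCP 38 / RFC 2827 approach) is meant to blunt: a packet leaving a network whose source address is not one of that network's own prefixes is forged and should be dropped. The Python below is an added illustration of that check, not code from any poster or from grc.com; the LAN prefix 192.0.2.0/24 and the sample packets are constructed.

```python
import ipaddress
import struct

# Assumed prefix of the home LAN behind the router (constructed example value).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def build_ipv4_header(src, dst, proto=1, payload_len=0):
    """Build a minimal 20-byte IPv4 header; used only to construct sample traffic."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(IPV4_HDR, ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ipv4(packet):
    """Return (src, dst, proto) from a raw IPv4 packet, rejecting malformed headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), proto


def egress_verdict(packet, local_prefixes=LOCAL_PREFIXES):
    """'forward' if the source lies inside a local prefix, otherwise 'drop-spoofed'."""
    src, _, _ = parse_ipv4(packet)
    addr = ipaddress.ip_address(src)
    return "forward" if any(addr in net for net in local_prefixes) else "drop-spoofed"


def filter_batch(packets, local_prefixes=LOCAL_PREFIXES):
    """Run the egress check over a batch of outbound packets and tally the verdicts."""
    counts = {"forward": 0, "drop-spoofed": 0}
    for pkt in packets:
        counts[egress_verdict(pkt, local_prefixes)] += 1
    return counts


# Constructed outbound traffic: one honest packet and two with forged source addresses.
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.10", "203.0.113.5"),
    build_ipv4_header("198.51.100.7", "203.0.113.5"),   # source is not ours: spoofed
    build_ipv4_header("203.0.113.99", "203.0.113.5"),   # source is not ours: spoofed
]

if __name__ == "__main__":
    print(filter_batch(SAMPLE_PACKETS))
```

The same check applied at an ISP's customer edge is what keeps a compromised home machine from launching traffic that appears to come from somewhere else.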