Ansgar -59cobalt- Wiechers <usenet-2006@planetcobalt.net> wrote:
>DigitalVinyl wrote:
>> "dawg" <don't look@worldnet.att.net> wrote:
>>> Since I know nothing about software firewalls I obviously hosed my PC
>>> when playing with the stupid thing. My Tiny Firewall 2.0.13.
>>> I am on a fixed (very fixed) income and would like some advice on a
>>> cheap hardware solution. Yeah right. Probably asking for too much,
>>> huh? Thanks
>>
>> Any SOHO router will provide the majority of protection through
>> hardware NAT. (various irate counter replies I'm sure will follow)
>
>I bet that's because you know you're wrong.
>
>> While NAT attacks theoretically exist, nobody is targeting your
>> device so focusedly to exploit these concepts and back into an
>> existing outgoing connection and then exploit that specific type of
>> connection for your specific OS correctly for whatever connection
>> service happened to be using that sequential port.
>
>There is absolutely no need to exploit a specific device or OS.
>
>http://www.enyo.de/fw/security/java-firewall/
>
>cu
>59cobalt
Here we go... this is not a NAT attack... they are not attacking the
NAT capability. This is a basic man-on-the-inside style attack and
has NOTHING to do with NAT protection. If you had no NAT and just a
stateful firewall, this attack would be the same. There are **many**
attacks that START with a hostile piece of code on your PC already
(often brought to the PC by the user). This is not an attack initiated
from outside.

Attack Requirements
====================
This is a passive attack. The ATTACKER MUST LURE THE VICTIM TO A
CAREFULLY CRAFTED WEB PAGE. The victim's web browser MUST download and
EXECUTE the embedded Java applet. The victim's computer MUST OFFER
SOME VULNERABLE NETWORKING SERVICE, and a stateful firewall must
prevent access to this service from the Internet.

This is not an inbound attack at all. The attacker is brought onto the
PC ***BY THE USER'S ACTIONS*** and from the inside creates an
opportunity to bring more in. This attack is about going to a hostile
web site and your browser executing code that makes you vulnerable. If
you didn't have Java, if you didn't go to a suspect site, it wouldn't
happen. Furthermore, so what?? You open a connection to port 445? Now
what? Is your PC automatically compromised? No. "The victim's computer
MUST OFFER SOME VULNERABLE NETWORKING SERVICE"

From that site's description this boils down to a Java flaw of security
design. Java standard considers the default-allowed FTP to be
harmless--which isn't necessarily true.

Yet another hysterical post about how scared everyone needs to be of
the world rather than learn what is a realistic danger and what is
not.

You made my point beautifully.
Received on Mon May 1 01:02:28 2006