At the last [SACTO]
meeting, both Frank Leonard and Milt Hull said that they saw no need for
firewalls for dialup service or even DSL with dynamic IP addresses. I
disagreed but perhaps not strongly enough. A member has reported a
severe attack on her dialup service that makes me feel it is very
important to put a firewall into place.
In my real life (outside of SPCUG), I am
currently involved with encryption and security issues. Doing the
research to make a product secure tends to make you paranoid. Thus when
I learned that the Denial of Service (DoS) attacks were launched from
home computers in addition to big university computers, I decided I
needed protection.
My research led me to select ZoneAlarm
(www.zonelabs.com), a free personal firewall. In my daily use, I find
that I get probed three or four times a day. ZoneAlarm shields me from
the attacks but informs me that they happened. [We have this in our disk
library - ed]
One of our members, Nancy Linsley, bought
BlackICE based upon product reviews to protect her system when family
members are camped on the Internet. Like me, she got occasional hits on
her firewall. Then she got a severe attack and asked Frank, Milt, and
me for advice via e-mail. [We have used BlackICE ($40) since last
summer - ed]
BlackICE has more sophisticated logging and
reporting than ZoneAlarm. Her first severe attack was a level 59
attack, rated as a serious attack. Further study showed this to be a
"SubSeven Port Probe." Clicking the information icon described the
attack as an attempt to deliver a trojan. A trojan has to be run on
your machine: the attacker cannot start the program himself, but if you
ran it, the attacker could do almost anything.
All of these attacks occurred on Nancy's
Compuserve account. We theorize that Compuserve and AOL users are more
vulnerable because they have a higher concentration of new users. They
may be targeted more for this reason.
BlackICE traced the IP and DNS of all probes
and identified the account that was launching the attack.
Unfortunately, it is highly likely that the attacker stole access to the
account because of a bad password. So while the attacker could be
stopped from using the account, we would not stop the attacker from
using another stolen account.
These attacks are not likely to be targeted
at anyone personally. They are usually made by robot programs that pick
accounts at random and test them for vulnerabilities. When they find a
vulnerable one, they either tag it for future use or insert some sort of
program to open the door wider. Firewalls are designed to stop these
attacks from actually getting past the firewall.
I think we have reached a point that a
firewall is a necessity, not an option. I consider a firewall as
important as a virus detector. The Internet can be dangerous if you do
not practice safe computing. Just like virus detectors, you need to
check periodically for updates to the firewall to get the latest
protection available.
What Can We Do?
BlackICE caught the attacker in this case. Now
that we know the account name of the attacker, what can we do? I guess
informing the attacker's ISP manager might close down the account, but I
suspect he will move on to another account and continue his rotten
activities.
Who could police this kind of stuff anyway?
If it were a local ISP attacking you, maybe the local police could do
something but they may not have any qualified investigators to track
down the culprit (at least not yet). If it is not local but still in
the state, maybe the state police could help. Ultimately, I suspect
that the FBI will end up as the web cops. They have jurisdiction across
state lines and are already tracking down virus authors.
Maybe the FBI could set up an address where
people could file reports of probe attacks. This could give the FBI a
database to find the worst offenders. Historically, the FBI is more
concerned with solving crimes rather than preventing them. Your firewall
may catch someone attempting to break into your computer, but it does
so by preventing him or her from doing so. Thus, no crime may have been
committed, or has it? I suspect that it may take an attack against a
senator or congressman to get things really moving.
I have no real advice on what to do when you
detect an attack. Just be happy that they did not get past your
firewall.
It Gets Worse
After sending us the e-mail asking how to handle
an attack, Nancy was bombarded. She caught a picture of the attack in a
screen capture of the history box of BlackICE.
She was being attacked at a rate of about one
a minute. Her investigation led to a LOCAL ISP. It turns out that
they were testing some monitoring software that got out of control. I
do not care if it is good guys trying to get into my system or bad guys -
I do not want anyone in my system.
The next morning, after a cold boot, her
dialup network did not work. Nancy restored her registry from a backup
she had made two days earlier and everything was okay again. (Okay, quick
quiz: when was the last time you did a registry backup?) I am not sure
whether this indicates a failure by BlackICE. If you are bombarded, log
off. I have noticed that my attacks usually come in pairs, so I would
define five attacks in as many minutes as bombarding.
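The "five attacks in as many minutes" rule and Nancy's "one a minute" rate are easy to turn into an automatic check. The script below is an added example, not part of the original article and not BlackICE's own code: it reads constructed sample log lines (the timestamp/severity/event format is assumed, not BlackICE's real one), flags the moment five probes fall inside a five-minute window, and tallies which source address the probes are coming from, since tracing the source is what led Nancy to the local ISP.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample firewall log lines (assumed format, not BlackICE's):
# "<date> <time> <severity> <event> from <source address>"
SAMPLE_LOG = """\
2000-03-14 21:00:05 59 SubSeven port probe from 10.0.0.5
2000-03-14 21:00:50 59 SubSeven port probe from 10.0.0.5
2000-03-14 21:01:40 30 port probe from 10.0.0.9
2000-03-14 21:02:35 59 SubSeven port probe from 10.0.0.5
2000-03-14 21:03:30 30 port probe from 10.0.0.9
2000-03-14 21:04:10 59 SubSeven port probe from 10.0.0.5
2000-03-14 23:15:00 30 port probe from 10.0.0.12
2000-03-14 23:15:20 30 port probe from 10.0.0.12
"""

THRESHOLD = 5                  # five attacks ...
WINDOW = timedelta(minutes=5)  # ... in as many minutes


def parse_line(line):
    """Split one log line into (timestamp, severity, event, source)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    severity, _, rest = line[20:].partition(" ")
    event, _, source = rest.rpartition(" from ")
    return ts, int(severity), event, source


def find_bombardments(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return the timestamps at which a rolling count of probes reaches
    the threshold within the window; the count restarts after each alert."""
    recent = deque()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _sev, _event, _src = parse_line(line)
        recent.append(ts)
        while ts - recent[0] > window:   # drop probes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()
    return alerts


def top_sources(log_text):
    """Count probes per source address, as a starting point for tracing."""
    return Counter(parse_line(l)[3] for l in log_text.splitlines() if l.strip())
```

Run on the sample above, the first alert fires at 21:03:30 (the fifth probe within 3.5 minutes), and 10.0.0.5 is the dominant source with four probes.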
Firewalls May Introduce Problems
Nancy reports that she has had problems printing
web pages while running BlackICE. I have found it difficult to get
Norton anti-virus updates while ZoneAlarm is running. I have heard
complaints of being unable to get to certain web sites. So far, I
accept the problems as minor inconveniences.
You are vulnerable any time you are on the
net. Protect yourself with a firewall. Consider a firewall just as
important as a virus detector. Now both Frank and Milt are believers,
too.
Milt and I are attempting to book someone
knowledgeable on firewalls to come out and speak to the group in the
future. It is a little tough because the companies tend to be very small,
but we will keep on trying.