Is safe Internet use impossible?

Discussion in 'Port Explorer' started by Corey K, Apr 19, 2003.

Thread Status:
Not open for further replies.
  1. Corey K

    Corey K Guest

    The more I learn about computer security, the more I wonder if it's possible to secure a machine and still be an internet junkie?! I have 4 of the major IM clients, a news ticker or two, and lots of games that I like to run. It's beginning to seem to me that I simply cannot secure my machine and still enjoy all the internet has to offer. Should I quit wasting my time now and make an image of my machine, so I can reformat every time I'm infected with something? Or, will I actually be able to learn everything I need to know (theoretically) to keep my machine functional yet secure? o_O
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Corey K!

    Don't see it so pessimistically! I love to game as well and I love to use sharing tools. Certainly not the best if you are concerned about security. But there's a simple solution to all that. I'm using two computers. One for working (very secure) and the other for gaming and sharing stuff (less secure). For me this is the best solution to handle security and fun. If my second computer were attacked and crashed, I wouldn't care much. Reinstalling Windows is done quite quickly.

    My suggestion to you is that you use two or three computers. One for working, the others for sharing or gaming. And this doesn't have to be expensive! I'm using a relatively old computer for sharing files & gaming. There's certainly an old computer somewhere around you. Just try it out once; it simplifies your life a lot.

    Best regards!

    Patrice
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi Corey K,

    Making images or backups is never a bad idea. That said, IMO a computer should be used for the purpose it was bought for.
    There is no 100% security, certainly not when you're online, but you will find that there may be ways of securing the things you like to do a little more.
    For example: you will find that Trillian is a little more secure than the IM clients you are probably using separately.
    If you have any specific questions as to how we can help you improve security and still have fun, don't hesitate to ask. Lots of helpful people around here. :)

    Regards,

    Pieter
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah, security can be a happy experience too, if you know you have the proper tools, configured fine, and know what to look for. Update the tools and Windows, browsers, scanners; don't panic, but as Pieter says, ask and get educated and be happy on the internet.
    Who cares about a port scanner if you know you're protected? You scan your system for (im)possible infections and enjoy the internet even more!
     
  5. Corey K

    Corey K Guest

    Thanks for the suggestion. Lemme expand on it a little. First off, I'm poor and live in So-Cal... Contradiction, I know. However, I do happen to have a small parts graveyard here, and have three working systems. I don't really have any super-sensitive data to protect, the problem is that any trojan attacks, web-pop ups and the like are limiting my experience.
    Tonight (it's almost 6 am) I was wakened by some kind of pop-up based invader in my machine. I have my system plugged into a 600-watt Sony system as the core component in my makeshift home-entertainment setup. This pop-up was a speech recording that presented a "Work from Home" sales pitch to me at approximately 3:30 am. This is really NUTZ! I mean, what else can they do? Invading my privacy, HELL, this is almost construable as a form of criminal Assault! Speech! aka a sound file! How did they pull that off? Not just a pop-up that dropped me outta my online game to see some grey dialog box with an "OK" button...SPEECH! To add to the insult, and my growing "fear", my VERY stable Win2k system rebooted (or crashed, but it rebooted nonetheless) shortly thereafter. THAT'S when I got up and came to scan my system. My system doesn't lock and reboot like that. Especially when it's not attended.
    I just don't know.
    I've been considering setting up one of my older machines as a proxy server for my link to the internet. I know that research into the ins and outs of proxies could take weeks, so before I start: Do you think it's possible to set up a proxy to host my home network's dial-up (and future broadband) connection? Well, I know it's possible, but all those little programs I like need ports left open! Those are the ports the web pop-ups are coming in on, aren't they? Is it possible to code some sort of filter to only accept packets from those programs' hosted IPs? Has anyone even thought of that yet? Sort of an authenticated connection/or tunneling simulator, if you will, for various programs...
    AIM, Yahoo! and MSN Messenger and ICQ... these all have distinct ports, I have learned, and when I TCPView-End their processes the pop-ups "appear" to stop... (may be a coincidence, I haven't completely determined, yet)
    All that aside, I am thinking that a proxy server may simply be a redundant weakpoint once I have enabled all the ports that need to pass through.
    I'm sorry if my knowledge of the topic is limited and confusing. I am highly intelligent and can learn about all this stuff if I set out to, but I'm wanting to know if I should even bother. Kinda like, "If we change the way we live, the terrorists have already won!" aka that's why people pay security companies for their work. Well, I can't afford to pay anyone for this stuff. (So, with that said, is there a key product I should try to purchase? Or, a key subject I should study in depth?)

    Maybe I could explore setting the IMs up on a proxy and writing some sort of script to notify me when I receive a message?

    I'm rambling, and you folks are less than obligated to respond, but I thank you, just the same. Thank you VERY much for lending your knowledge.
    Corey
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi Corey K,

    I think this might be what you have in mind: http://www.dubbele.com/
    Not my field, but others will happily jump in. :)

    Regards,

    Pieter
     
  7. Corey K

    Corey K Guest

    thanks. Again rekindling my Linux/UNIX curiosity... (usually abandoned due to lack of software that I care to use...) If I decide to run a firewalled proxy server, I think that's what I'll use.
    Thank-you.
    Corey
     
  8. Corey K

    Corey K Guest

    Isn't there some kinda log file I can look at to determine why my system crashed/rebooted? Win2k. Also, is there a source for info on deciphering it?

    Oh yeah! Almost forgot... one thing I've wanted to know for months now... Is there a reference somewhere online for what processes are what in Win2k? I mean... what are all those processes? Which ones are normal... that sorta thing. Is there a reference for what each file is/does on the Win2k CD-ROM?

    Corey
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi Corey K,

    The info on the crash may be found in your System log: Control Panel > Administrative Tools > Event logs

    Starting processes: http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

    Services Win2K: http://www.blackviper.com/WIN2K/servicecfg.htm

    How to back up the registry before tinkering

    I'll pass on the files on the Windows CD. :D

    Regards,

    Pieter
     
  10. Corey K

    Corey K Guest

    "Bitchin!" Thanks a ton, Pieter! Now I know what I'll be doin with my Saturday! Heh.
     
  11. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    In my opinion you will never make any computer 100% safe. Every time you drive a car you risk getting killed. Every home owner risks burglary. But do we stop engaging in these activities, NO! We mustn’t let the creeps out there make us live in fear and stop doing the things we enjoy. Simply enjoy, and I really mean that, making your pc as safe as possible (it’s fun!). Practice safe hex, don’t store sensitive information on your pc (credit card and social security numbers, etc.), use recommended security software, and frequent Wilders and other help groups. Good luck and enjoy.

    Acadia.
     
  12. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Corey K.!

    What about a router in front of your three computers? I think you don't need to set up a proxy. With the router you get the possibility to make your computers invisible to others. I'm having three computers as well, and I decided to put a router in front of them. I'm pretty happy with it. And after all it's not that expensive and time consuming.

    The router I'm using is from Linksys, the BEFSR41. The settings aren't that difficult. If you wanna know more about that, let me know!

    Best regards!

    Patrice
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Patrice, you beat me to it! The price of the little Linkies is relatively low now and the additional functionality like fast networking, NAT etc. makes it a really good buy. I have had mine for two years now & would not be without it.
    Add a good free firewall such as Sygate or ZA for outbound protection and away you go :D Always remembering that even the best security is not 100%, so in my view image backups are also imperative.

    Reading through a site like Wilders will soon guide the security uninitiated in the right direction. ;)
     
  14. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Pilli!

    Yeah, they help to make life easier! Besides the router I use NAV 2003, TDS-3 and Look'n'Stop. These are my main defensive system; sure, I've got plenty of other smaller tools as well.

    I bought a router because I was very unhappy with the situation that some ports on the computers were visible... A software firewall is nice, but if you have several computers, you need to do a lot of configuring (and not everyone inside the network wants to deal with a firewall...). That's why I decided to set a router in front of the whole network. Pretty simple, pretty smart, such a device!

    Have fun!

    Patrice
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Patrice, You will find PE is an excellent addition as well - Watching every outbound connection & process:

    Have to get this thread back on track :D

    Do you know ...
    ... who or what is connected to your computer?
    ... which process is using a particular port?
    ... if any of your personal data is being sent out to the Internet?
    ... if any programs on your computer are listening, waiting for somebody to connect?
    ... which programs on your computer are running as invisible servers (possibly trojans)?
    ... which programs on your computer transmit information to the Internet without you knowing?
     
  16. Corey K

    Corey K Guest

    Pilli
    For starters, I'm not totally blind at this point... I've got some exploring under my belt... what I have done is install TDS-3 and I download the latest radii about weekly. The latest radius installed, TDS-3 found nothing this morning. I've really read up on the program and, correct me if I'm wrong, but it seems to me that they pretty much cover the ENTIRE scope of Trojans. If the day ever comes that I have an extra $100 lying around, I'd like to purchase their whole suite... however, by that time there may be nanorobotic fruit flies phasing through my electromagnetic window screen force fields and landing on my telepathic network interface to infect me, so for now I've got what I've got. LOL... no it'll be sooner than that!
    I'm versed with popping up TCPView to see what's going on when I hear unsolicited hard disk activity. Thanks to Pieter's post this morning, I am working on identifying all SYSTEM connections, and I intend to use some trial and error to map all my regular programs' connections one at a time.
    Has someone somewhere written a comprehensive dictionary-form port map? I've seen port map lists, but not explanations for the gibberish they displayed. I'm working on that one, but again, correct me if I'm wrong, but couldn't anyone with any malicious or just plain invasive intent simply rename the process to something else that hasn't been named yet? Or worse yet, rename it to something that IS a name of a legitimate process my system may run? Perhaps they would name it something that I don't have loaded at start-up, but later on may be executed. Would that cause a crash or any sort of error that could be traced? Could they name it something really common that my computer always has running, and would the computer merely consider it unworthy to mention that this is a second copy of a process with the same name?
    Personal data on the internet? Of course! Bank records, SSN, phone numbers, dating service personal info, you name it! BUT! I've got a net worth of about a buck! Who cares, right? Where the hell is it going... bastards! TDS-3 would detect a key-logger and/or the Trojan that would have HAD to be used(?) to place such a keylogger, and every site I put personal info on establishes an SSL connection first. That's secure, isn't it? I have 128 bit installed; if they want to decipher my love letters and my .29c bank balance (no kidding, REALLY... I'm laughing all the way to the recycling center to cash in some aluminum cans for food right now...) then they earned it in my twisted opinion. OK. So, is it that secure? As long as there's no trojan and no keylogger and the info is sent via SSL I'm safe, right? (no one has physical access... period)
    There are programs listening. AIM, MSN, Yahoo and ICQ run at all times,
    if I didn't keep them on, that would limit my main communications medium with everyone from my parents 150 miles away to my brother 3000 miles away to my friend in the next town. Those programs have little icons in TCPView that identify them, and I have tracerouted them at times for entertainment/curiosity and found nothing that seemed unusual, to an amateur's eye. Should I keep a closer eye on them? I do not communicate with folks at random. And I know what an IM process looks like. I am sure that none of my pop-ups are coming from people I IM to. As far as the others, I'll be learning about them shortly.
    What I'm thinking about mostly, however, is how they get those dialog boxes to pop up on my screen? Techno-mechanically, how do they do it? I figure my best guess is that they are using the ports that one of the IM programs listens on. But, how do they get it to pop up a box like that? I am assuming that they flood random IP addresses with packets containing the tiny programs sent to the same ports on all. Is that what's happening? And if so how do the boxes get executed to pop up? And how on earth did they get a sound file on here at 3:30 am?
    I should be able to shut down a lot of unnecessary ports/standard Windows services here over the next few days, such as Telnet, SMTP, FTP and the like. Do you know if I will lose any functionality, being that there is no server functionality intended for my machine? If I want to add such accessories later, I will research individual security relating to each of them as I wish to add them. For now, I am a gamer, communicator, bank-balance-checker, and general web-surfer.
    I have also downloaded all of Microsoft's security updates.
    Can I install something like Zone Alarm and have it start out blocking every single port, or at least have it warn me about every single packet going in or out, and then one at a time, allow the traffic as I identify it as safe? Which brings me back to my suspicion that the pop-ups are coming in on IM ports which I would like to keep open. But, is that how Zone Alarm works? Do you recommend any other firewall programs? I'm gonna look into NAV 2003 and Look 'n' Stop right now. Never heard of 'em.
    OK, so, to help answer my question, you give me six questions, I give you SIXTY back... heh heh... if anything I said here sounds like maybe I only mention two points of a key technology that has three important points or any similar missing details, please let me know that I missed something.
    You folks are great! I never imagined I'd get much help anywhere, let alone ALL of this so soon! Thank you... I've learned more in a few hours than I've learned in months past. Good luck answering this post, as I've come to believe you all will...
    thanks again,
    Corey
     
  17. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    Hi Corey,
    These are very real possibilities, which is why AV/AT scanners check things the way they do for just such occurrences.

    Of course, "knowing your system" is key to being able to spot changes to it. I see there was a link to the blackviper site above, (which at the time I'm posting this appears to be down, but it comes and goes sometimes), that will help you to disable any unnecessary services you have running on W2K, which will make it easier to see all the rest.

    When you've trimmed a few things down, you can also run StartupList 1.52.1, downloadable from http://www.lurkhere.com/~nicefiles/, to help get a handle on what all starts on your system when you boot. (It's quite a surprise to see all the places things start from on a Windows system ;) )

    It may help you find either additional unneeded things, which you can disable, or even the start ups of trojans and the like. Using this program repeatedly over time will help you recognise changes to your system startups, which may help you identify the cause of problems, too. Most malware needs to start-up at system boot, so this is a useful tool, among many others, to get a handle on things.
     
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Wow! Corey K, some post! :eek:
    Has someone somewhere written a comprehensive dictionary-form port map? I've seen port map lists, but not explanations for the gibberish they displayed.

    I am sure someone has :) Have you tried Googling for it?

    correct me if I'm wrong, but couldn't anyone with any malicious or just plain invasive intent, simply rename the process to something else that hasn't been named yet? Or worse yet, rename it to something that IS a name of a legitimate process my system may run? Perhaps they would name it something that I don't have loaded at start-up, but later on may be executed. Would that cause a crash or any sort of error that could be traced? Could they name it something really common that my computer always has running and would the computer merely consider it unworthy to mention that this is a second copy of a process with the same name?


    You are correct. For instance, the QAZ Trojan uses Notepad.exe. Sygate Pro 5 has driver & DLL protection; I believe Tiny Personal Firewall & Kerio both use MD5 file protection. I am sure most firewalls now offer this type of protection.
    TDS3 startup scan does a lot of integrity testing if everything is selected.

    I am sure that none of my pop-ups are coming from people I IM to. As far as the others, I'll be learning about them shortly.
    What I'm thinking about mostly, however, is how they get those dialog boxes to pop up on my screen? Techno-mechanically, how do they do it? I figure my best guess is that they are using the ports that one of the IM programs listens on. But, how do they get it to pop up a box like that? I am assuming that they flood random IP addresses with packets containing the tiny programs sent to the same ports on all. Is that what's happening? And if so how do the boxes get executed to pop up? And how on earth did they get a sound file on here at 3:30 am?


    Not sure about W2K services, I would have to reboot into it to find out, but does W2K have the Messenger service as found in XP? This is not IM messaging but an Admin service. I believe that there is an exploit on this service that allows ads etc. to be placed on one's PC. If W2K has this service you can disable it.
    You might also try Spybot Search & Destroy and Ad-Aware 6 to see if some form of spyware is running.

    Think that is all I can manage tonight and I hope it is of some help - I am sure others will chip in with more useful information.
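    Corey's renamed-process question and the MD5 file protection Pilli mentions come down to one check, and it is also what re-running StartupList over time gives you by hand: record what each startup or process entry points at, then compare by file contents rather than by name. The Python below is an added example, not code from this thread or from any of the products named; the paths and file "contents" are constructed stand-ins, and SHA-256 is used where the 2003 tools used MD5.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # changed | renamed_copy | lookalike_name | new | removed
    path: str
    detail: str


def fingerprint(inventory, algo="sha256"):
    """Map each path to the digest of its contents.

    `inventory` is {path: bytes}.  On a real box you would read each file that
    the startup list or process list points at.  The 2003 tools used MD5
    (algo="md5" works too); SHA-256 is the sensible default today.
    """
    return {path: hashlib.new(algo, data).hexdigest()
            for path, data in inventory.items()}


def basename(path):
    """Case-insensitive file name, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def compare(baseline, current):
    """Diff two {path: digest} snapshots, judging files by content, not name."""
    findings = []
    path_by_hash = {digest: path for path, digest in baseline.items()}
    baseline_names = {basename(path) for path in baseline}
    for path in sorted(current):
        digest = current[path]
        if path in baseline:
            if baseline[path] != digest:        # file replaced in place
                findings.append(Finding("changed", path, "same path, different hash"))
            continue
        if digest in path_by_hash:              # known file under a new name
            findings.append(Finding("renamed_copy", path,
                                    "identical to " + path_by_hash[digest]))
        elif basename(path) in baseline_names:  # a notepad.exe that is not notepad
            findings.append(Finding("lookalike_name", path,
                                    "legitimate name, unknown contents"))
        else:
            findings.append(Finding("new", path, "not in baseline"))
    for path in sorted(set(baseline) - set(current)):
        findings.append(Finding("removed", path, "was in baseline"))
    return findings


# Constructed sample snapshots: paths and "contents" are stand-ins, not real binaries.
BASELINE_FILES = {
    r"C:\WINNT\system32\notepad.exe": b"notepad-genuine",
    r"C:\WINNT\system32\svchost.exe": b"svchost-genuine",
    r"C:\Program Files\AIM\aim.exe": b"aim-genuine",
}
CURRENT_FILES = {
    r"C:\WINNT\system32\notepad.exe": b"notepad-genuine",
    r"C:\WINNT\system32\svchost.exe": b"svchost-replaced",   # changed in place
    r"C:\Program Files\AIM\aim.exe": b"aim-genuine",
    r"C:\WINNT\notepad.exe": b"not-notepad-at-all",           # lookalike name
    r"C:\WINNT\temp\update.exe": b"aim-genuine",              # aim.exe under a new name
    r"C:\WINNT\system32\wintask.exe": b"never-seen-before",   # new startup entry
}


def demo():
    """Run the comparison on the constructed snapshots."""
    return compare(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.kind:15} {finding.path}  ({finding.detail})")
```

    A name-only process list cannot tell the second notepad.exe from the first; the content digest can, which is the whole point of the MD5 checks the firewalls and TDS-3's startup scan perform.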
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    The Messenger service runs on 95, 98, Me, Win2k and XP.

    Using the Messenger service anyone in the world can send pop-up messages to your computer; you can disable the Messenger service. It's easy to reverse at a later time.

    For Windows 2000 and XP this is a way to disable it:

    * Go to start and click Run
    * Type services.msc
    * Double-click on Messenger.
    * In the Messenger Properties window, select Stop, then choose Disable as the Startup Type.
    * Click OK.

    This service is indeed being used to spam IP ranges, but I don't think this would account for the sound file.

    Regards,

    Pieter
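    The same steps done from a Windows 2000/XP command prompt with the built-in sc.exe, so the before-and-after state is on record; this is an added example, not from the thread. It assumes an Administrator prompt and ends with a netstat listing because, as the thread goes on to point out, disabling the service by itself closes no ports.

```batch
@echo off
rem Added example, not from the thread: the services.msc steps above done with
rem sc.exe on Windows 2000/XP, recording the service state before and after.
rem "sc stop" reports error 1062 if the service is already stopped; that is
rem harmless, the start-type change below still applies.

echo === Messenger service before ===
sc query Messenger | find "STATE"
sc qc Messenger | find "START_TYPE"

sc stop Messenger
sc config Messenger start= disabled

echo === Messenger service after ===
sc query Messenger | find "STATE"
sc qc Messenger | find "START_TYPE"

rem Disabling the service does not close anything at the network level; list
rem every TCP listener and UDP socket so nothing is assumed about what is open.
echo === Sockets still open ===
netstat -an
```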
     
  20. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hmm, about the messenger service, you don't have to stop it, just stop port 139 udp/tcp listening on the Internet.
    Dolf
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi Dollefie,

    That is another way to get rid of the popups, but if you are not on a network that uses the messenger service, why not save on the running process as well?

    Regards,

    Pieter
     
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Taken from a thread in the MS NGs by Jupiter:

    Quote:

    This will not work if you have AOL.
    AOL is not compatible with Windows XP Internet Connection Firewall (ICF).
    If you have AOL, you should contact AOL and/or get a 3rd party firewall.
    For Messenger Service ads:
    You need to install or enable a firewall:
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q330904&
    Disabling Messenger Service can be a good idea, but it does not solve the real problem.
    The ads are not the real problem, the ads are only a symptom.
    The real problem is open ports that allow unwanted traffic into the computer.
    Disabling Messenger does nothing for the open ports.
    The firewall controls the traffic.


    Disable Messenger Service:
    Start/Control Panel, click Administrative Tools, click Services.
    Go down to "Messenger".
    Right click "Messenger" and select Properties.
    Then under Start-up select DISABLE
    Click OK and follow prompts

    Run Ad-Aware (free version) or Spybot to check for spyware:
    http://www.lavasoft.de/
    Or
    http://spybot.eon.net.au/


    For internet pop-ups, try one of these:
    http://www.panicware.com/
    http://www.bysoft.se/sureshot/stopthepop/index.html
    http://www.popupbuster.com/PopUpBuster/
    http://www.kolumbus.fi/eero.muhonen/FS/
    http://www.endpopups.com/
    http://www.adshield.org/
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi all, one remark, we are not confusing msn messenger with this windows system messenger, as you say it can run also on win9* systems?
    I've never seen it happening on win9* systems till recently somewhere in a network, where I'm not sure which of the messengers is the pop-up nasty there and how to solve it.
    Think their host is an NT.
    If you say it's just telling them to block port 139 that would be great of course, while I thought on a 9* system it not appearing had to do with settings somewhere, but in the control panel I don't see a Windows Messenger service, or I might overlook it.
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi Jooske,

    Different name and removal instructions for Windows 95, 98, and ME

    * Under Control Panel, select Add/Remove.
    * Select Windows Setup.
    * Select System Tools.
    * Click Details.
    * Uncheck WinPopUp.
    * Click OK.
    * Reboot

    Regards,

    Pieter
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    This is a good instruction; I'll tell the sysop of that network!
    I see I have it checked/installed and still no pop-ups, so probably that has to do with the blocked 139, right?
    Thanks a lot in name of many users!
     