Potential FD-ISR network security gotcha!

Discussion in 'FirstDefense-ISR Forum' started by flinchlock, May 3, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    All screen shots from FirstDefense-ISR Manual (Version 3.20 Build 202)

    Make sure you read/understand the last two sentences in the "Notes" screen shot!

    Gee, pretty dang neat: ISRControl.exe (106,496 bytes) and ISRCopyCtrl.dll (110,592 bytes) will fit on a floppy or a USB drive. :eek:

    Mike
     

  2. flinchlock

    flinchlock Registered Member

    Well, either I did not explain the gotcha or everyone is protected!

    So, how about an example...

    1) Physically logon to my 2nd machine (that does not have FD-ISR installed)
    2) Copy two files: ISRControl.exe, and ISRCopyCtrl.dll
    3) Run program ISRControl.exe and connect to my 1st machine (RUSTY)
    4) Delete "Archive of Primary Snapshot" :eek:

    Code:
    C:\TEMP>ISRControl.exe
    FirstDefense-ISR Control [Professional Version 3.20.202]
    
    Enter "help" for a list of commands or "exit" to quit.
    
    >connect rusty mike password
    
    RUSTY>list
    Snapshots:
       nlite              (2)  05-May-07 12:40PM 05-May-07 09:30PM   0.43Gb
      *Primary Snapshot   (0)  04-May-07 05:53PM 07-May-07 12:37PM   4.53Gb
       Secondary Snapshot (1)  02-May-07 07:56PM 04-May-07 05:50PM   4.53Gb
    Archives:
       Archive of Primary Snapshot           05-May-07 09:38PM    4.98Gb
       Archive of Secondary Snapshot         03-May-07 08:05PM    4.68Gb
    
    RUSTY>aremove "Archive of Primary Snapshot"
    Remove archive "Archive of Primary Snapshot" (Y/N)? Y
    
    RUSTY>list
    Snapshots:
       nlite              (2)  05-May-07 12:40PM 05-May-07 09:30PM   0.43Gb
      *Primary Snapshot   (0)  04-May-07 05:53PM 07-May-07 12:37PM   4.53Gb
       Secondary Snapshot (1)  02-May-07 07:56PM 04-May-07 05:50PM   4.53Gb
    Archives:
       Archive of Secondary Snapshot         03-May-07 08:05PM    4.68Gb
    
    RUSTY>exit
    Goodbye.
    And, "Archive of Primary Snapshot" was on my 2nd partition!

    Code:
    E:\$ISR-ARX>dir
     Volume in drive E is STUFF
     Volume Serial Number is 34A0-005F
    
     Directory of E:\$ISR-ARX
    
    05/07/2007  12:54 PM    <DIR>          .
    05/07/2007  12:54 PM    <DIR>          ..
    05/03/2007  08:15 PM     5,029,595,324 Archive of Secondary Snapshot.arx
                   1 File(s)  5,029,595,324 bytes
                   2 Dir(s)  148,198,789,120 bytes free
    
    E:\$ISR-ARX>
    Mike
     
    Last edited: May 7, 2007
  3. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    So what are you saying in English? I don't work on or have my archive on a network.
     
    Last edited: May 8, 2007
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Flinchlock

    I don't think it's that big a deal. Right now of course my FDISR is on my C: drive, but when I delete an archive that's showing, it deletes it from my D: drive. It deletes it from wherever it is set in the options. I am sure that's what the command line interface is doing, just you are doing it across the network.

    Pete
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't understand anything of this, but I don't have a network either.
    How can I try or test something which I don't have and don't need? ;)
     
  6. flimbag

    flimbag Registered Member

    Joined:
    Mar 23, 2005
    Posts:
    48
    Pretty much. My firewall prevents me from accessing ports that I haven't explicitly opened -- even on my home network.

    Though if someone can physically log onto one machine on my network, they can probably log on to any -- so they wouldn't need to delete it remotely, they could simply do it from the machine that holds the snapshots.
     
  7. flinchlock

    flinchlock Registered Member

    @Horus37
    It was an example... IF I can get network access to your PC (local or internet), I can destroy/change any/all of your snapshots/archives!

    @Peter2150
    IF I can get network access to your PC (local or internet), I can destroy/change any/all of your snapshots/archives!

    @ErikAlbert
    Yes you do, the internet... IF I can get network access to your PC (local or internet), I can destroy/change any/all of your snapshots/archives!

    @flimbag
    IF I can get network access to your PC (local or internet), I can destroy/change any/all of your snapshots/archives!

    What I am attempting to say is that, using two very small files, I can do everything the FD-ISR GUI can do, if I can get to your PC via a network!

    For example, I can do the following to your FD-ISR system...
    Code:
    1) create/update an archive
    2) remove one or all of your archives
    3) rename/change the description of any snapshot/archive
    4) boot to another snapshot
    5) change your configuration
        5a) enable/disable pre-boot screen
        5b) change the pre-boot Hotkey
        5c) change which archive is booted next
        5d) change 10 options stored in the Registry
        5e) change 10 options stored in the $OPT file
    6) run the Copy/Update on any snapshot or archive
    7) export a snapshot to a file or set of files
    8) freeze the active snapshot
    9) revert the previously frozen snapshot to its last frozen state at the next boot
    .
    .
    .
    Please do not tell me this can not happen... aren't all of us paranoid about security here at Wilders?

    Also, all those commands can be in a small batch file. So, I come to your house for a beer, and you say something that really zisses me off. I ask you for another beer. I put my USB drive in your PC and double-click on ahole.bat.

    Mike
     
    Last edited: May 8, 2007
  8. Peter2150

    Peter2150 Global Moderator

    IF you can gain that kind of network access to my PC you don't need FDISR to do horrendous damage. Delete *.* would be a good start and there are even worse.

    I still don't see the FDISR thing as a problem. You need to have network access protected for a whole host of reasons.

    Pete
     
  9. flinchlock

    flinchlock Registered Member

    That is all I am trying to say. I notice lots of the members warn about all kinds of stuff... I was attempting to do the same... sorry.

    In the Help file, under "How do I Remote Control FirstDefense-ISR?", you have done this?
    Code:
    To disable remote control of a computer, set RemotePortNumber to zero.
    Mike
     
  10. Peter2150

    Peter2150 Global Moderator

    No actually I haven't as I haven't had the need, but I am sure it would work on my computers.
     
  11. Horus37

    Horus37 Registered Member

    I emailed Raxco yesterday about my problems. Now they have quit selling FDISR? o_O

    I hope that doesn't have anything to do with the problems I pointed out about not copying icons correctly. I've only seen 3 people have that problem. However, I am concerned now with this new network access gotcha thing where someone can access my FDISR snapshots. I wonder if someone can test this theory out and try and hack someone's archives or snapshots from another computer through the internet. Any volunteers?
     
  12. Horus37

    Horus37 Registered Member

    So is this a huge security hole or what? Are you saying you can hack my computer from over the internet now? How about we get peter to volunteer to get hacked by flinchlock and see if his theory works?
     
  13. ErikAlbert

    ErikAlbert Registered Member

    I volunteer too, but let me first backup my system. :D
     
  14. Peter2150

    Peter2150 Global Moderator

    Horus

    Relax, it's not a big deal. They could only do this if you had no firewall router or any kind of protection period, in which case they wouldn't need to mess with FDISR, they'd own the machine.

    Pete
     
  15. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    And, of course, as flinchlock's example session shows above, they need the username and password of an admin rights user on your PC, as well...

    [screenshot: fdisr-remotecontrol-dialog.jpg, the FD-ISR remote control dialog]

    So, first they need to know your IP address. Next, you have to not have any router or firewall protection. And finally, they need to know your PC's admin username and password.

    Now true, many people have no router, no software firewall protection, and either have a blank admin username and password, or have an incredibly simple pair to guess, but, if that's the case, there are probably many other exposures to worry about on such a PC.
     
  16. Horus37

    Horus37 Registered Member

    Good luck guessing my admin name and password. It's set to the max character length. Plus I have a router with NAT and SPI and ActiveX, Java filtering on, plus I have a firewall. Plus you'd have to wade through a mountain of security software I have, plus if my computer gets messed with it emails me through my phone and my email account via an alert. It has an emergency locator software installed in case stolen so I can trace it down like LoJack. Let's not forget the hard drive itself has a bootup password on it, then I have a Windows password on it, then I have an administrator password on it, then I have a screen saver password on it set at 1 minute. :ninja: Did I forget to mention the video camera set up on it that monitors motion in the room and the battery backup on my surge protector? However you'd have to bypass my electronic security wired into my house plus get past the dog. Think I'm kidding?
     
    Last edited: May 9, 2007
  17. cthorpe

    cthorpe Registered Member

    Joined:
    Jun 30, 2006
    Posts:
    168
    Location:
    Texas
    Users who have that many security issues probably have never heard of ISR anyway.
     
  18. EASTER.2010

    EASTER.2010 Guest

    Same here. Just getting a feeler probe to signal my machine is like signalling to a solid iron wall a foot thick, just isn't going to happen EVEN IF my firewall failed, which is set to restart immediately if shut down for any reason. They would have to use more effort than is at their disposal to even get close, and even then mine is wired like the Fort Knox gold vault with sensors, interrupters, and auto-shutdowns the moment something/anything has been recognized as compromised.
    Plus, in the worst-case scenario I get drunk & happy at the same time and decide to shut down ALL that security and they get in, once in they cannot ever escape out. :D
     
  19. Horus37

    Horus37 Registered Member

    Code:
    To disable remote control of a computer, set RemotePortNumber to zero.

    Ok so in order to disable the remote control of my computer how do I set the RemotePortNumber to zero?
     
  20. EASTER.2010

    EASTER.2010 Guest

    Is the ice not broken up yet there on those inland lakes? :D Michigan, I know. LoL

    It "might" become possible to accomplish that "BUT" you also have to remember, notwithstanding stored Images, something would have had to reach ARCHIVES before they were already stationed to other drives in diverse locations completely unplugged from the active machine. This practice eliminates 100% completely, any opportunity to circumvent against choice snapshots because all one would have to do is simply reapply the ARCHIVES to some new primary snapshot, even after a fresh install, then they're right back in the business again.

    Still, network and/or internet access to my own PC is IMPOSSIBLE since I have been around the internet block for too many years. I incorporate a self-disconnect every so many minutes that immediately switches IP addy. Besides, my FD-ISR snapshots AND archives are also constantly monitored for any changes outside the Copy/Update routine just like other select critical areas on my disk. Plus I use POWER SHADOW to cover/recover mine. Result? IMPOSSIBLE!

    Heck, for that matter, anyone could also sit in my chair and completely delete ALL the snapshots and archives manually that rest in my MAIN drive and after they're done, I can just go and collect from my closet another Hard Drive with "ALL" my archives stored and start again from there. My guess at best is that it may consume a little of one-half hour to less than 45 minutes before EVERYTHING is completely restored again. FAILPROOF!
     
    Last edited by a moderator: May 9, 2007
  21. Horus37

    Horus37 Registered Member

    According to the help files this is how you stop remote control of your own computer from someone else.

    "For remote control, FirstDefense-ISR uses sockets bound to the ports 48288 and 48289. You can change port numbers by using the command: CONFIG RemotePortNumber [<port>] - Where <port> is the first of the two port numbers to use - the second is always <port>+1.

    To connect to a remote computer with a non-default port use :<port> following the computer name. For example: CONNECT Test:12345

    To disable remote control of a computer, set RemotePortNumber to zero."

    So to get the command line interface up in interactive mode to configure the remote port to 0 you need to do this:

    To open the FirstDefense-ISR Command Line Interface in Interactive Mode, select the Start Button, and then navigate to Programs, FirstDefense-ISR, and finally FirstDefense-ISR Control.
    You should see a command line box appear, with the version number and the '>' prompt.

    From this point on, a command is issued by typing-in the command at the '>' prompt. There is no mouse support within the command line interface.

    HOWEVER, when I do this I don't see the FirstDefense-ISR Control icon or a way to get the command line box to appear? What am I missing?
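    A defender-side check for the listener this Help text describes, added here as an example and not code from the thread or from Raxco: it parses Windows `netstat -ano` output (a constructed sample) for TCP listeners on the FD-ISR remote-control port pair derived from RemotePortNumber (default 48288/48289, second port = first + 1, 0 = disabled) and flags any bound to a non-loopback address. The function names and sample rows are my own assumptions.

```python
import re

# Default RemotePortNumber and the "second port is first + 1, 0 disables" rule
# come from the FD-ISR Help text quoted in the thread.
DEFAULT_REMOTE_PORT = 48288


def remote_port_pair(remote_port_number):
    """Ports FD-ISR binds for a RemotePortNumber value; empty tuple when disabled (0)."""
    if remote_port_number == 0:
        return ()
    return (remote_port_number, remote_port_number + 1)


# Constructed sample of `netstat -ano` output (not captured from a real host):
# one FD-ISR listener on all interfaces, one loopback-only, plus unrelated rows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:48288          0.0.0.0:0              LISTENING       1844
  TCP    127.0.0.1:48289        0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.10:3389      192.168.1.20:50111     ESTABLISHED     1212
  UDP    0.0.0.0:48288          *:*                                    1844
"""

# Matches TCP LISTENING rows; IPv6 rows appear as [addr]:port and still match.
_LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_tcp(netstat_text):
    """Yield (bind_address, port, pid) for every TCP listener in netstat output."""
    for line in netstat_text.splitlines():
        m = _LISTEN_ROW.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))


def audit_remote_control(netstat_text, remote_port_number=DEFAULT_REMOTE_PORT):
    """Map each FD-ISR remote-control port found listening to (bind_address, pid, exposed).

    exposed is True when the socket is bound to a non-loopback address, i.e. the
    service answers on the network unless a firewall blocks the port pair.
    """
    wanted = set(remote_port_pair(remote_port_number))
    findings = {}
    for addr, port, pid in listening_tcp(netstat_text):
        if port in wanted:
            loopback = addr.startswith("127.") or addr in ("[::1]", "::1")
            findings[port] = (addr, pid, not loopback)
    return findings


if __name__ == "__main__":
    for port, (addr, pid, exposed) in sorted(audit_remote_control(SAMPLE_NETSTAT).items()):
        print(f"port {port} bound to {addr} by PID {pid}: {'EXPOSED' if exposed else 'loopback only'}")
    print("To turn the service off, the Help file says: CONFIG RemotePortNumber 0")
```

    On a real host, feed the function the text of `netstat -ano`; an empty result with RemotePortNumber set to 0 is the expected state after disabling remote control.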
     
  22. flinchlock

    flinchlock Registered Member

    I just do not get it. I point out a potential network security issue with FD-ISR, by actually reading the Help file. I then get comments like this, "So what are you saying in english?", "I don't think it's that big a deal.", "I don't understand anything of this". Did you people read the Help file?

    All you do is tell me there is no forking way, bla, bla, bla. That has nothing to do with what I pointed out. The Help file documents how to access FD-ISR via a network and what you can do to disable it.

    "Is the ice not broke up yet there on those inland lakes?" Or to say it another way: It will be a cold day in hell before I ever point out any possible security problem with any program.
     
    Last edited: May 11, 2007
  23. Horus37

    Horus37 Registered Member

    For one thing I've been aware of the remote control possibility but since no one I know uses it near me and I'm not on a network then I didn't need to read in depth about it since I wasn't going to ever use it. Hence, since I didn't MEMORIZE the manual and you bring up a command line interface I've never used nor seen nor know how to even operate, it all looked foreign. What's so hard about understanding that? I'd still like to know how to get the command line interface to work as I don't even see those remote control files in my FDISR program folder where the Help file says they should be but aren't. HMMMM

    Second, it is something to be aware of what you point out since some people do operate a loose, open operating system, but on here, a security website, I would find it not the norm to leave such a hacker friendly target. Even with a loose system you still need the IP/name of the computer and the password. Not many people leave off an admin password. If they do, well then, I guess they get owned. I don't know. Why not try to hack someone willing to let you do it and see how far you can get? Not saying it's not possible. It's just not possible on my setup. I'm too hardened down and backed up and with security galore. Your theory depends on an open, vulnerable setup with no security software on it and no passwords set up. Highly unlikely setup but possible. Glad that someone looks into these things as we all can learn something but it's geared more towards the someone that thinks all they need is FDISR to bail them out of trouble. You do need some security software. Plus reminding people to shut off the remote control is important. I'm trying to figure out how to bring up the command line as we speak. Can't find the way to do it from the way the manual says to do it. I must be missing some software from FDISR yet I'm running the latest build.

    edit: Ok I found that going through the start menu is the way to go, not directly diving down through the C: drive into the program folder itself. LOL Ok I'm on the right page now.
     
    Last edited: May 9, 2007
  24. Peter2150

    Peter2150 Global Moderator

    Hi Flinchlock

    I agree, and I don't think the point was not to point out or ask about a concern. All I was trying to say, is this is nothing to worry about, because of what you would need to access someone's computer via the internet.

    Another example. When I was testing the IT edition of ShadowProtect they have a neat feature, that I can install something from the CD onto computer B, and then boot computer A from the CD, assign a username and password, and then completely control ShadowProtect's operation on computer A from computer B. It's kinda cool. In theory the same vulnerability exists, but in reality again it doesn't, as someone would need to be able to access my network, get the software..... etc.

    And please don't stop pointing these things out. That is important, just realize when someone says it's not a threat, it may not be, and try and understand why. That way everyone learns.

    Pete
     
  25. Horus37

    Horus37 Registered Member

    Ok now that I've figured out how to disable the remote port is this the correct syntax to use in this exact order and no brackets or any special characters other than this:

    CONFIG RemotePortNumber 0


    then hit enter, right?

    When I do this the answer given by the computer is just a single "0"

    it looks like this:
    Code:
    CONFIG RemotePortNumber 0
    0

    That extra zero underneath is the "answer" I get when I hit enter. Is it now set to disable remote port?
     