Potential FD-ISR network security gotcha!

All screen shots from FirstDefense-ISR Manual (Version 3.20 Build 202)

Make sure your read/understand the last two sentenses in the "Notes" screen shot!

Gee, pretty dang neat ISRControl.exe (106,496 bytes) and ISRCopyCtrl.dll (110,592 bytes) will fit on a floppy or a USB drive.

Mike

 

Well, either I did not explain the gotcha or everyone is protected!

So, how about an example...

1) Physically logon to my 2nd machine (that does not have FD-ISR installed)
2) Copy two files: ISRControl.exe, and ISRCopyCtrl.dll
3) Run program ISRControl.exe and connect to my 1st machine (RUSTY)
4) Delete "Archive of Primary Snapshot"

Code:

C:\TEMP>[B][COLOR="Red"]ISRControl.exe[/COLOR][/B]
FirstDefense-ISR Control [Professional Version 3.20.202]

Enter "help" for a list of commands or "exit" to quit.

>[b][COLOR="Red"]connect rusty mike password[/COLOR][/b]

RUSTY>[b][COLOR="Red"]list[/COLOR][/b]
Snapshots:
   nlite              (2)  05-May-07 12:40PM 05-May-07 09:30PM   0.43Gb
  *Primary Snapshot   (0)  04-May-07 05:53PM 07-May-07 12:37PM   4.53Gb
   Secondary Snapshot (1)  02-May-07 07:56PM 04-May-07 05:50PM   4.53Gb
Archives:
   Archive of Primary Snapshot           05-May-07 09:38PM    4.98Gb
   Archive of Secondary Snapshot         03-May-07 08:05PM    4.68Gb

RUSTY>[b][COLOR="Red"]aremove "Archive of Primary Snapshot"[/COLOR][/b]
Remove archive "Archive of Primary Snapshot" (Y/N)? [b][COLOR="Red"]Y[/COLOR][/b]

RUSTY>[b][COLOR="Red"]list[/COLOR][/b]
Snapshots:
   nlite              (2)  05-May-07 12:40PM 05-May-07 09:30PM   0.43Gb
  *Primary Snapshot   (0)  04-May-07 05:53PM 07-May-07 12:37PM   4.53Gb
   Secondary Snapshot (1)  02-May-07 07:56PM 04-May-07 05:50PM   4.53Gb
Archives:
   Archive of Secondary Snapshot         03-May-07 08:05PM    4.68Gb

RUSTY>[b][COLOR="Red"]exit[/COLOR][/b]
Goodbye.

And, "Archive of Primary Snapshot" was on my 2nd partition!

Code:

E:\$ISR-ARX>dir
 Volume in drive E is STUFF
 Volume Serial Number is 34A0-005F

 Directory of E:\$ISR-ARX

05/07/2007  12:54 PM    <DIR>          .
05/07/2007  12:54 PM    <DIR>          ..
05/03/2007  08:15 PM     5,029,595,324 Archive of Secondary Snapshot.arx
               1 File(s)  5,029,595,324 bytes
               2 Dir(s)  148,198,789,120 bytes free

E:\$ISR-ARX>

Mike

 

So what are you saying in english? I don't work on or have my archive on a network.

 

I don't understand anything of this, but I don't have a network either.
How can I try or test something, which I don't have and don't need ?

 

Pretty much. My firewall prevents me from accessing ports that I haven't explicitly opened -- even on my home network.

Though if someone can physically log onto one machine on my network, they can probably log on to any -- so they wouldn't need to delete it remotely, they could simply do it from the machine that holds the snapshots.

 

@Horus37

It was an example... IF I can get network access to your PC (local or internet), I can destroy/change any/all of your snapshots/archives!

@Peter2150

IF I can get network access to your PC (local or internet), I can destroy/change any/all of your snapshots/archives!

@EricAlbert

Yes you do, the internet... IF I can get network access to your PC (local or internet), I can destroy/change any/all of your snapshots/archives!

@flimbag

IF I can get network access to your PC (local or internet), I can destroy/change any/all of your snapshots/archives!

What I am attempting to say (using two very small files), I can do everything the FD-ISR GUI can do, if I can get to your PC via a network!

For example, I can do the following to your FD-ISR system...

Code:

1) create/update an archive
2) remove one or all of your archives
3) rename/change the description of any snapshot/archive
4) boot to another snapshot
5) change your configuration
	5a) enable/disable pre-boot screen
	5b) change the pre-boot Hotkey
	5c) change which archive is booted next
	5d) change 10 options [B]stored in the Registry[/B] 
	5e) change 10 options stored in the $OPT file
6) run the Copy/Update on any snapshot or archive
7) export a snapshot to a file or set of files
8) freeze the active snapshot
9) revert the previously frozen snapshot to its last frozen state at the next boot
.
.
.

Please do not tell me this can not happen... aren't all of us paranoid about security here at Wilders?

Also, all those commands can be in a small batch file. So, I come to your house for a beer, and you say something that really zisses me off. I ask you for another beer. I put my USB drive in your PC and double-click on ahole.bat.

Mike

 

That is all I am trying to say. I notice lots of the members warn about all kinds of stuff... I was attempting to do the same... sorry.

In the Help file, under "How do I Remote Control FirstDefense-ISR?", you have done this?

Code:

To disable remote control of a computer, set RemotePortNumber to zero.

Mike

 

I emailed Raxco yesterday about my problems, Now they have quit selling FDISR?

I hope that doesn't have anything to do with the problems I pointed out about not copying icons correctly. I've only seen 3 people have that problem. However, I am concerned now with this new network access gotcha thing where someone can access my fdisr snapshots. I wonder if someone can test this theory out and try and hack someones archives or snapshots from another computer thru the interent. Any volunteers?

 

So is this a huge security hole or what? Are you saying you can hack my computer from over the internet now? How about we get peter to volunteer to get hacked by flinchlock and see if his theory works?

 

I volunteer too, but let me first backup my system.

 

Good luck guessing my admin name and password. It's set to the max character length. Plus I have a router with NAT and SPI and active x, java filterting on plus I have a firewall. Plus you'd have to wade through a mountain of security software I have, plus if my computer gets messed with it emails me through my phone and my email account via an alert. It has an emergency locator software installed incase stolen so I can trace it down like lojack. Let's not forget the hard drive itself has a bootup password on it then I have a windows password on it then I have an administrator password on it then I have a screen saver password on it set at 1 minute. Did I forget to mention the video camera set up on it that monitors motion in the room and the battery backup on my surge protector? However you'd have to bypass my electronic security wired into my house plus get past the dog. Think I'm kidding?

 

Users who have that many security issues probably have never heard of ISR anyway.

 

Same here. Just getting a feeler probe to signal my machine is like signalling to a solid iron wall a foot thick, just isn't going to happen EVEN IF my firewall failed which is set to restart immediately if shutdown for any reason. They would have to use more effort then is at their disposal to even get close, and even then mine is wired like Fort Knox gold vault with sensors, interrupters, and auto-shutdowns the moment something/anything is been recognized as compromised.
Plus, in worse case scenario i get drunk & happy at the same time and decide to shut down ALL that security and they get in, once in they cannot ever escape out.

 

Code:
To disable remote control of a computer, set RemotePortNumber to zero.



Ok so in order to disable the remote control of my computer how do I set the remoteportnumber to zero?

 

Is the ice not broke up yet there on those inland lakes? Michigan i know. LoL

It "might" become possible to accomplish that "BUT" you also have to remember, notwithstanding stored Images, something would have had to reach ARCHIVES before they were already stationed to other drives in divers locations completely unplugged from the active machine. This practice eliminates 100% completely, any opportunity to circumvent against choice snapshots because all one would have to do is simply reapply the ARCHIVES to some new primary snapshot, even after a fresh install then they're right back in the business again.

Still network and/or intenet access to my own PC is IMPOSSIBLE since i been around the internet block for too many years. I incorporate a self-disconnect every so many minutes that immediately switches IP addy. Besides, my FD-ISR snapshots AND archives are also constantly monitored for any changes outside the Copy/Update routine just like other select critical areas on my disk. Plus i use POWER SHADOW to cover/recover mine. Result? IMPOSSIBLE!

Heck, for that matter, anyone could also sit in my chair and completely delete ALL the snapshots and archives manually that rest in my MAIN drive and after their done, i can just go and collect from my closet another Hard Drive with "ALL" my archives stored and start again from there. My guess at best is that it may consume a little of one-half hour to less than 45 minutes before EVERYTHING is completely restored again. FAILPROOF!

 

According to the help files this is how you stop remote control of your own computer from someone else.

"For remote control, FirstDefense-ISR uses sockets bound to the ports 48288 and 48289. You can change port numbers by using the command: CONFIG RemotePortNumber [<port>] - Where <port> is the first of the two port numbers to use - the second is always <port>+1.

To connect to a remote computer with a non-default port use :<port> following the computer name. For example: CONNECT Test:12345

To disable remote control of a computer, set RemotePortNumber to zero."


So to get the command line interface up in interactive mode to configure the remote port to 0 you need to do this:

To open the FirstDefense-ISR Command Line Interface in Interactive Mode, select the Start Button, and then navigate to Programs, FirstDefense-ISR, and finally FirstDefense-ISR Control.
You should see a command line box appear, with the version number and the '>' prompt.

From this point on, a command is issued by typing-in the command at the '>' prompt. There is no mouse support within the command line interface.




HOWEVER, when I do this I don't se the first defense isr control icon or a way to get the command line box to appear? What am I missing?

 

I just do not get it. I point out a potential network security issue with FD-ISR, by actually reading the Help file. I then get comments like this, "So what are you saying in english?", "I don't think it's that big a deal.", "I don't understand anything of this". Did you people read the Help file?

All you do is tell me there is no forking way, bla, bla, bla. That has nothing to do with what I pointed out. The Help file documents how to access FD-ISR via a network and what you can do to disable it.

"Is the ice not broke up yet there on those inland lakes?" Or to say it another way: It will be a cold day in hell before I ever point out any possible security problem with any program.

 

For one thing I've been aware of the remote control possibility but since no one I know uses it near me and I'm not on a network then I didn't need to read in depth about it since I wasn't going to ever use it. Hence, since I didn't MEMORIZE the manual and you bring up a command line interface I've never used nor seen nor know how to even operate it all looked foreign. What's so hard about understanding that? I'd still like to know how to get the command line interface to work as I don't even see those remote control files in my FDISR program folder where the help files says they should be but aren't. HMMMM

Second it is something to be aware of what you point out since some people do operate a loose open operating system, but on here, a security website I would find it not the norm to leave such a hacker friendly target. Even with a loose systme you still need the IP /name of the computer and the password. Not many people leave off an admin password. If they do well then well I guess they get owned. I don't know. Why not try to hack someone willing to let you do it and see how far you can get? Not saying it's not possible. It's just not possible on my setup. I'm too hardenen down and backed up and with security galore. Your theory depends on a open vulnerable setup with no security software on it and no passwords setup. Highly unlikely setup but possible. Glad that someone looks into these things as we all can learn something but it's geared more towards the someone that thinks all they need is FDISR to bail them out of trouble. You do need some security software. Plus reminding people to shut off the remote control is important. I'm trying to figure out how to bring up the command line as we speak. Can't find the way to do it from the way the manual says to do it. I must be missing some software from FDISR yet I'm running the latest build.


edit: Ok I found that going thru the start menu is the way to go not directly diving down thru the c: drive into the program folder itself. LOL Ok I'm on the right page now.

 

Ok now that I've figured out how to disable the remote port is this the correct syntax to use in this exact order and no brackets or any special characters other than this:

CONFIG RemotePortNumber 0


then hit enter, right?

When I do this the answer given by the computer is just a single "0"

it looks like this:
CONFIG RemotePortNumber 0
0



That extra zero underneath is the "answer" i get when I hit enter. Is it now set to disable remote port ?