xp security vulnerabilities?

joe

OK - please don't flame me for a newbie dumbass question but I have been
searching the net for a while now without finding a clear answer to the
following, and I am hoping you can help.
I have recently changed from Win98SE to WinXP corp pro, running Norton
Internet Security 2003. Under Win98 I had Atguard and BlackIce running in
addition to NIS and I came up undetected at every security test site I could
find. I understand that WinXP has some (many?) holes and was wondering:
1. How important is it to install the SP's from MS, and what "surprises"
should I expect from them?
2. What additional software should I have and/or what settings should I
change in WinXP to be invisible on the net?
3. Does Steve Gibson know what he's talking about or not?

I have also recently changed from dial-up to DSL, hence my increased
concern.

TIA
 
The short answers are:

1. Pretty important, they fix the holes in the operating system. Dunno
what surprises you can expect, neither does anyone else.

2. Why not just go to grc.com or sygate.com and test your defences
there. Either will tell you if you're invisible.

3. I think Steve Gibson knows what he's talking about. Microsoft hasn't
been able to make a laughing stock of him have they?


The longer version:

I'll offer my opinions even though I'm just an educated layman,
rather than a professional, in this area.

You should start by assessing your security worries.

-what happens if somebody breaks into your house and steals the entire
computer? Will this just be a minor setback, insurance recovery, off to
the store to get a new machine? Or will it be the end of your
accounting records for your contracting business?

By answering this kind of question you can decide on backup issues like
offsite copies and so on.

-are your security worries related to stuff that can happen to you from
the internet, or are you also trying to secure your computer from other
people who have physical access to the machine?

if you want to secure your machine from damage from the internet all you
need to do is to:

-buy and configure a firewall, either a hardware router or a software
one. Most will keep you "stealthed" while on the net. There are online
test sites available.

-buy and keep up to date a good antivirus package, run regularly, *all*
files checked.

-visit microsoft.com to get the necessary updates to keep the operating
system at the latest and greatest state.

-be *real* careful about what email you open. Ideally you winnow
through it while it is still on the server and reject the spam/uninvited
mail, stuff with attachments *on the mail server*. You only download
the legitimate messages. This whole area is difficult because you can't
know for sure if the message you're getting from your daughter is one
she sent you - or one some virus sent you after hijacking her system.

-consider using another web browser, one without all the ActiveX stuff
that can do significant damage to you just by you opening a web page.
You need Internet Explorer to get the updates though.

I think this gives you the best available defence.

Yes, I think Steve Gibson knows a lot about the internet and how to
avoid avoidable risks. I think it's smart to follow his advice.

If you do all that you're pretty safe, except for the buffer overflow
weaknesses that are probably fairly pervasive in all Windows operating
systems - there's a list of them on the Symantec site. I view this
buffer overflow assault as a variation of the "flying wedge" football
offense. I don't think it's possible to ever be completely safe from
getting "burned to the ground", so better keep your valuable files off
the machine, safe and sound. I use a CD/RW setup and copy important
files to it. You can keep the resulting CD at the bank if you want. If
the computer is just for recreation, surf away, all you're risking is
another day's work to set it all up again - you can fix all the screwups
you made setting it up the first time.

if you are also worried about keeping your computer/files safe from
people who have physical access to the machine then you get into another
whole area about password access to the machine, file permissions and
all that. That's a big subject. I'm not the guy to ask but there are
good books. Try "Windows 2000 - The Complete Reference" by Kathy Ivens
and Kenton Gardiner, for starters. It has quite a bit about the NT file
system, security, networking, system configuration. Difficult reading
but do-able. You can have all the passwords in the world though and if
the "perp" can just steal the whole machine you're screwed. If he can't
because it's bolted down, maybe he can just steal all the disk drives
out of it.

It's important to assess your risk factors and make sure you're never
going to be screwed, no matter *what* happens next. Because none of us
really have a clue, what's going to happen next.

Just my 2 cents.

John
 
Thanks for the tips John. Some additional info is below:

John said:
The short answers are:

1. Pretty important, they fix the holes in the operating system. Dunno
what surprises you can expect, neither does anyone else.

2. Why not just go to grc.com or sygate.com and test your defences
there. Either will tell you if you're invisible.

3. I think Steve Gibson knows what he's talking about. Microsoft hasn't
been able to make a laughing stock of him have they?


The longer version:

I'll offer my opinions even though I'm just an educated layman,
rather than a professional, in this area.

You should start by assessing your security worries.

-what happens if somebody breaks into your house and steals the entire
computer? Will this just be a minor setback, insurance recovery, off to
the store to get a new machine? Or will it be the end of your
accounting records for your contracting business?

By answering this kind of question you can decide on backup issues like
offsite copies and so on.

Not a problem - regularly backed up to CD.
-are your security worries related to stuff that can happen to you from
the internet, or are you also trying to secure your computer from other
people who have physical access to the machine?

The only problems relate to access from the internet.
if you want to secure your machine from damage from the internet all you
need to do is to:

-buy and configure a firewall, either a hardware router or a software
one. Most will keep you "stealthed" while on the net. There are online
test sites available.

"all you need to do is buy and configure a firewall" - this goes to the
heart of my question. As I said, I am using the firewall in Norton Internet
Security 2003 but I'm not convinced it's enough. While running Win98, I had
many instances where Atguard or BlackIce would block intrusions which NIS
missed. What I'm asking is for people's opinions on what are the best
firewalls or settings to keep myself invisible?
-buy and keep up to date a good antivirus package, run regularly, *all*
files checked.

Always done
-visit microsoft.com to get the necessary updates to keep the operating
system at the latest and greatest state.

Still not convinced that MS are on top of it all.
-be *real* careful about what email you open. Ideally you winnow
through it while it is still on the server and reject the spam/uninvited
mail, stuff with attachments *on the mail server*. You only download
the legitimate messages. This whole area is difficult because you can't
know for sure if the message you're getting from your daughter is one
she sent you - or one some virus sent you after hijacking her system.

Always done
-consider using another web browser, one without all the ActiveX stuff
that can do significant damage to you just by you opening a web page.
You need Internet Explorer to get the updates though.

I think this gives you the best available defence.

Yes, I think Steve Gibson knows a lot about the internet and how to
avoid avoidable risks. I think it's smart to follow his advice.

If you do all that you're pretty safe, except for the buffer overflow
weaknesses that are probably fairly pervasive in all Windows operating
systems - there's a list of them on the Symantec site. I view this
buffer overflow assault as a variation of the "flying wedge" football
offense. I don't think it's possible to ever be completely safe from
getting "burned to the ground", so better keep your valuable files off
the machine, safe and sound. I use a CD/RW setup and copy important
files to it. You can keep the resulting CD at the bank if you want. If
the computer is just for recreation, surf away, all you're risking is
another day's work to set it all up again - you can fix all the screwups
you made setting it up the first time.

if you are also worried about keeping your computer/files safe from
people who have physical access to the machine then you get into another
whole area about password access to the machine, file permissions and
all that. That's a big subject. I'm not the guy to ask but there are
good books. Try "Windows 2000 - The Complete Reference" by Kathy Ivens
and Kenton Gardiner, for starters. It has quite a bit about the NT file
system, security, networking, system configuration. Difficult reading
but do-able. You can have all the passwords in the world though and if
the "perp" can just steal the whole machine you're screwed. If he can't
because it's bolted down, maybe he can just steal all the disk drives
out of it.

No problems with people having physical access.
 
"all you need to do is buy and configure a firewall" - this goes to the
heart of my question. As I said, I am using the firewall in Norton Internet
Security 2003 but I'm not convinced it's enough. While running Win98, I had
many instances where Atguard or BlackIce would block intrusions which NIS
missed. What I'm asking is for people's opinions on what are the best
firewalls or settings to keep myself invisible?

I used the Sygate personal firewall for a while. I think it's good. It
kept me invisible as per www.grc.com and the Sygate site using the
default settings. What bothered me was it kept asking me if it was ok
to let svchost.exe connect to ???. I didn't really know the answer.

Then I bought a Linksys router for about 90 bucks (Canadian) and I
really like it. No memory overhead. I used both for a while but
eventually the Sygate configured itself in such a way from the answers I
gave it about what to allow that it just blocked everything. So. Now I
just have the hardware router. www.grc.com told me that port 113 was
not "stealthed" but I followed the simple directions on that site to
"stealth" it, so now I'm completely stealthed again. If anything gets
past it, say from an email attachment, I'm relying on my antivirus to
find and stomp it. I also use a couple of utilities from sysinternals -
one is called "autorun" - to show me what "automatic startups" are
configured in the registry. The other is "process explorer" to show me
what processes are running - with the capability of stopping them (I
hope). If not, I hope that deleting the autorun entry and shutting the
machine off will get the job done.

Still not convinced that MS are on top of it all.
I didn't say that downloading the patches fixed everything, just that it
gave you the best available defence. Whaddya gonna do?

Obviously they are not "on top of it all". I think they overlooked
security in favour of "easier sales" and let things get away from them.
I bet it's not a real picnic at Microsoft these days.
 
joe said:
OK - please don't flame me for a newbie dumbass question but I have
been searching the net for a while now without finding a clear answer
to the following, and I am hoping you can help.
I have recently changed from Win98SE to WinXP corp pro, running Norton
Internet Security 2003. Under Win98 I had Atguard and BlackIce
running in addition to NIS and I came up undetected at every security
test site I could find. I understand that WinXP has some (many?)
holes and was wondering:
1. How important is it to install the SP's from MS, and what
"surprises" should I expect from them?

Vital in my opinion.
2. What additional software should I have and/or what settings should
I change in WinXP to be invisible on the net?

"Invisible on the net" is a myth. You'll want to keep some kind of firewall
running sure enough but you need to balance a need to get work done with a
need to stay safe. A good firewall and virus scanner is a good start but
there is no substitute for good common sense.
3. Does Steve Gibson know what he's talking about or not?

Ask 10 people that question and you might get 10 different answers. My
Opinion: He has one or two facts but he buries them in BS and hyperbole. His
site is helpful to beginners perhaps but I don't know anyone in the security
industry who takes him very seriously.

Ask yourself this question - Steve went on about how Raw Sockets in XP would
cause the Internet to explode as soon as XP was released; How old is XP? And
if you can read this reply, did the Internet blow up or not?


I have also recently changed from dial-up to DSL, hence my increased
concern.

If you intend to be connected for long periods of time I'd suggest getting a
DSL router/modem that includes a built in firewalling facility of some kind.

--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
Ask 10 people that question and you might get 10 different answers. My
Opinion: He has one or two facts but he buries them in BS and hyperbole. His
site is helpful to beginners perhaps but I don't know anyone in the security
industry who takes him very seriously.

Ask yourself this question - Steve went on about how Raw Sockets in XP would
cause the Internet to explode as soon as XP was released; How old is XP? And
if you can read this reply, did the Internet blow up or not?

Well, Steve Gibson doesn't need me to defend him so I won't. I think
his point about the raw sockets issue was that it gave the bad guys the
capability to launch *untraceable* attacks on the web. That seems to be
true don't you think? I haven't heard any reports about any of these
guys being located and arrested anyway. Without arrests and penalties
you have chaos, no?

As far as whether the web has "blown up" or not - lots of people would
argue that it is in the process of happening now. You shouldn't need a
properly configured firewall, up to date virus definitions and a direct
line to windowsupdate.com to be able to access the web *for a few minutes*
without getting your system destroyed.
 
Greetings --

Actually, there is no such thing as WinXP "Corporate Edition."
That is a term applied exclusively to pirated (iow, stolen) copies of
the Volume Licensed WinXP Pro by the "warez" aficionados. I trust
this is not what you're really using.

Even with all of its "holes," WinXP is far and away more secure
than Win98 ever could be. But it's not perfect, so you're wise to
ask.

There are several _essential_ components to computer security: a
knowledgeable and pro-active user, strong physical security of the
computer, a properly configured firewall, reliable and up-to-date
antivirus software, and the prompt repair (via patches, hotfixes, or
service packs) of any known vulnerabilities.

Perhaps you should hear what computer security specialists have to
say about Steve Gibson's "security" expertise. You can start here:
http://www.grcsucks.com/


Bruce Chambers
--
Help us help you:

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
 
Greetings --

Because Gibson's Shields Up! checks only a very few of the more
than 65,000 ports available, and even skips one of the ones exploited
by messenger service spam, you should also test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Security Scan - Sygate Online Services
http://www.sygatetech.com/


Bruce Chambers
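The online checkers named in this thread grade each port as open, closed, or "stealthed", and the thread never spells out what separates the last two. The distinction is in how the host answers a TCP connection attempt: an open port completes the handshake, a closed port answers with a reset so the connection is refused at once, and a stealthed (filtered) port answers with nothing, so the attempt simply times out. The script below is an added example, not code from the thread or from any of the sites it names; it probes ports on the local machine only (127.0.0.1, with a constructed test listener supplying the open port), so it runs offline. The port-state labels and the fixture helpers are assumptions made for this example.

```python
import socket

# State labels in the vocabulary the online checkers use (assumption: mapping chosen here).
OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port from the host's response to a connect attempt.

    open     - handshake completes (something is listening)
    closed   - host answers with a reset, so the connect is refused immediately
    stealth  - no answer at all; the attempt times out (a filtering firewall)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except socket.timeout:
        return STEALTH
    except ConnectionRefusedError:
        return CLOSED
    except OSError:
        # No route, address not available, etc.: neither answered nor silently dropped.
        return UNREACHABLE
    finally:
        sock.close()


def check_host(host: str, ports) -> dict:
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe_port(host, port) for port in ports}


def summarise(results: dict) -> dict:
    """Count how many ports fell into each state, e.g. {'open': 1, 'closed': 2}."""
    counts = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


def start_test_listener():
    """Constructed fixture: a socket listening on a kernel-chosen loopback port.

    Returns (socket, port); closing the socket turns the port back into 'closed'.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


def pick_closed_port() -> int:
    """Constructed fixture: a loopback port nothing is listening on."""
    scratch = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    scratch.bind(("127.0.0.1", 0))
    port = scratch.getsockname()[1]
    scratch.close()
    return port


if __name__ == "__main__":
    listener, open_port = start_test_listener()
    closed_port = pick_closed_port()
    # Port 113 (ident) is the one John found un-stealthed; on loopback it is normally closed.
    results = check_host("127.0.0.1", [open_port, closed_port, 113])
    listener.close()
    for port, state in sorted(results.items()):
        print(f"port {port:5d}: {state}")
    print(summarise(results))
```

Probing from the same machine only tells you what is listening locally. Whether a firewall or router silently drops packets arriving from the Internet can only be judged from the outside, which is exactly the service the online checkers provide; a router that returns "closed" rather than "stealth" still keeps the port shut, it merely confirms that a host exists at that address.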
 
John said:
Well, Steve Gibson doesn't need me to defend him so I won't. I think
his point about the raw sockets issue was that it gave the bad guys
the capability to launch *untraceable* attacks on the web. That
seems to be true don't you think?

No. Show me how raw sockets are involved in this.
Explain to me why the internet didn't blow up before XP was even invented,
because *news flash* every flavour of unix I can think of all had raw
sockets support.
I haven't heard any reports about
any of these guys being located and arrested anyway. Without arrests
and penalties you have chaos, no?

Which "these guys" are you talking about? People are getting arrested for
lawbreaking involving the internet all the time.
As far as whether the web has "blown up" or not - lots of people would
argue that it is in the process of happening now. You shouldn't need
a properly configured firewall, up to date virus definitions and a
direct line to windowsupdate.com to be able to access the web *for a few
minutes* without getting your system destroyed.

Well that's good - because I personally can surf the internet for as long as
I like without any of those things.

--
Rob Moir, Microsoft MVP for servers & security
 
I read through that site quite a while ago, which is what lead me to ask for
people's opinions here.
 
No. Show me how raw sockets are involved in this.
Explain to me why the internet didn't blow up before XP was even invented,
because *news flash* every flavour of unix I can think of all had raw
sockets support.

Maybe because none of the virus launching low lifes can afford the
mainframe or sparcstation that Unix requires? How about Linux, does it
offer raw sockets support?
Which "these guys" are you talking about? People are getting arrested for
lawbreaking involving the internet all the time.

I don't know who they are. That's the whole problem. Neither does
anyone else. I don't read *all* the news everyday, but I pay attention.
I haven't heard about anyone getting arrested for launching one of these
very destructive viruses for quite a while. I'm not talking about
running investment scams etc over the net, only about launching
destructive viruses on the net.
Well that's good - because I personally can surf the internet for as long as
I like without any of those things.

Good for you.
 
John said:
Maybe because none of the virus launching low lifes can afford the
mainframe or sparcstation that Unix requires? How about Linux, does
it offer raw sockets support?

Yes, as does free & net BSD, both free, both available for years. Both run
on a PC. Oh. And Mac OSX, which requires only a home computer as well.
I don't know who they are. That's the whole problem. Neither does
anyone else. I don't read *all* the news everyday, but I pay
attention. I haven't heard about anyone getting arrested for
launching one of these very destructive viruses for quite a while.
I'm not talking about running investment scams etc over the net, only
about launching destructive viruses on the net.

Well I guess you've been looking in the wrong places. There were arrests
made for people behind some of the blaster variants, for example.

Again - show me how raw sockets were used by any of these people. Or maybe
start asking yourself if Steve Gibson is a know nothing hysterical blowhard
who gets things wrong, because he predicted that raw sockets would mean the
end of the internet and that hasn't happened yet.

Oh yeah - his "Shoot the Messenger" program is potentially dangerous too.
 
Apparently Steve Gibson went a bit too far with his "raw sockets"
claims. I didn't know Linux had the capability as well.

I think Steve Gibson has been a net benefit though - by making people
aware of some of the risks and how to avoid them. I think it's a good
thing to improve the basic security of the machine by eliminating
services that are not required and using a router or a software firewall
as he suggests.

His claims and the language he uses is a bit "over the top" but I
thought that was just part of living in the USA. :-)
 
Be careful with running multiple apps that do the same things, as they
can get in each other's way. Thinking multiple add-on firewalls,
multiple "underfootware" antiviruses etc.
Vital in my opinion.

Some are definitely vital, with the RPC hole at the top of the list.
I'd also apply SP1a (if it's not in place), the latest cumulative for
IE 6 SP1, and the newly-released patch for ASN.1 hole.

I'd go further, though, and apply risk management over and beyond MS
patches. MS patches block code flaws, but IMO as big a risk is posed
by design flaws that MS thinks are a "good idea", such as hidden
shares that provide access to the startup axis etc.

My general strategy:
- what you don't need, wall out
- what you may need, evaluate before risking
- what you risk, virus check first

This is at variance with MS's general approach of:
- make everything work
- spread a veneer of password/user security over the spiky bits
- assume that no-one out there will use these features for "evil"
"Invisible on the net" is a myth. You'll want to keep some kind of firewall
running sure enough but you need to balance a need to get work done with a
need to stay safe. A good firewall and virus scanner is a good start but
there is no substitute for good common sense.

Agreed; see the second step in the first list. Both you, and your PC,
have to have "common sense"; watch out for scenarios where stupid
software design says "yes" for you (IE's "Allow 3rd-party
enhancements", "install on demand" etc.) or denies you the information
you need to make an informed choice (e.g. "hide file name extensions")
Ask 10 people that question and you might get 10 different answers. My
Opinion: He has one or two facts but he buries them in BS and hyperbole. His
site is helpful to beginners perhaps but I don't know anyone in the security
industry who takes him very seriously.

He codes obsessively brilliantly, but his English programming is poor -
full of big red exclamation marks etc. that make him look like an
amateur. I think WAN networking is not his primary core competency
(he's more of a disk dude) and that shows at times.
Ask yourself this question - Steve went on about how Raw Sockets in XP would
cause the Internet to explode as soon as XP was released; How old is XP? And
if you can read this reply, did the Internet blow up or not?

Well, I'd not be *too* complacent about that, given we are still
swamped with "why does my system keep restarting blah blah rpc blah
blah nt authority lovesan nachi msblast yadda yadda" posts 6 months
after the initial outbreak. While Win9x users just keep on truckin',
wondering what all the "more secure" fuss is about.

Steve's problem was he got too specific - focussing purely on IP
spoofing rather than taking a broader line on why XP was set to
integrate so tightly with the mother of all infected networks.

RPC exists to allow arbitrary PCs to run processes on your PC, and it
can't be turned off without the PC losing the ability to pick its own
nose. Does that sound like a smart design decision to you?

So of course when defects within this subsystem get whacked, you can't
turn it off. You are supposed to download the fix via the same
infected infosphere that is crashing your RPC service all the time,
and because MS's duhfault setting is to "Restart the Computer"
whenever the RPC service fails, the whole thing falls over every time.

It's said that XP's built-in firewall blocks RPC attacks. Well, I
dunno... I've just seen a PC that I set up to run this firewall, it's
used by a newbie who doesn't fiddle (there are no forensic signs of
fiddling either), the firewall's still set, and the PC was infected
with variants B, E and F of Lovesan/Blaster. Hm.

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
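Two points in this thread meet in the attachment filename: John's advice to reject mail with attachments before downloading it, and the remark above that "hide file name extensions" denies the user the information needed to make an informed choice. With extensions hidden, Explorer shows "holiday-photos.jpg.exe" as "holiday-photos.jpg", so the only reliable check is one that looks at the full name. The script below is an added example, not code from the thread or from any product named in it; the list of executable extensions is a representative set chosen for the example, the display rule is a simplification (assumption: every trailing extension is treated as "known" and hidden), and the sample attachment names are constructed.

```python
import re

# File types Windows will run, or that carry active content, when double-clicked.
# Assumption: representative set for this example, not an exhaustive list.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk",
}


def as_explorer_shows_it(filename: str) -> str:
    """Name as displayed with 'Hide extensions for known file types' switched on.

    Simplification (assumption): the last extension is always treated as 'known'
    and hidden, which is exactly what lets 'photo.jpg.exe' appear as 'photo.jpg'.
    """
    base, dot, _ext = filename.rpartition(".")
    return base if dot and base else filename


def assess_attachment(filename: str) -> dict:
    """Flag an attachment name that is executable or crafted to look harmless."""
    name = filename.strip()
    reasons = []
    pieces = name.lower().split(".")
    extensions = pieces[1:]                 # 'report.pdf.exe' -> ['pdf', 'exe']
    real_ext = extensions[-1] if extensions else ""

    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"runs as a program (.{real_ext})")
        if len(extensions) >= 2:
            reasons.append(
                f"double extension: shown as '{as_explorer_shows_it(name)}' "
                "when extensions are hidden")
    # A long run of spaces pushes the real extension out of view in a narrow column.
    if re.search(r" {4,}\.[^.]+$", name):
        reasons.append("padding spaces hide the real extension")
    return {
        "filename": name,
        "shown_as": as_explorer_shows_it(name),
        "risky": bool(reasons),
        "reasons": reasons,
    }


def triage(filenames):
    """Return the verdicts for names that should not be opened, with reasons."""
    return [v for v in (assess_attachment(f) for f in filenames) if v["risky"]]


# Constructed sample attachment names (not taken from the thread).
SAMPLE_ATTACHMENTS = [
    "holiday-photos.jpg",
    "holiday-photos.jpg.exe",
    "invoice.pdf                                  .scr",
    "notes.txt",
    "setup.msi",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_ATTACHMENTS):
        print(verdict["filename"], "->", "; ".join(verdict["reasons"]))
```

The check is deliberately based on the name alone, because that is all a mail client shows before the file is opened; it says nothing about a genuinely safe-looking file whose content is hostile, which is the job of the antivirus scan the thread also recommends.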
 
