Unprotected PCs will be attacked instantly




MacBytes
Dec 5, 2004, 01:32 AM
Category: Reviews
Link: Unprotected PCs will be attacked instantly (http://www.macbytes.com/link.php?sid=20041205013247)
Posted on MacBytes.com (http://www.macbytes.com)

Approved by Mudbug



Mudbug
Dec 5, 2004, 01:34 AM
whoa.

*double-checks firewall settings*

Blue Velvet
Dec 5, 2004, 03:54 AM
That's really interesting and should be a wake-up call to many people.

But unfortunately, the very people (i.e. my XP-using, broadband-subscribing best friend's sister & her kids) who would be vulnerable are the least likely to hear anything about this story.

Glad to see the Mac was not compromised. :D

moot
Dec 5, 2004, 08:50 AM
That's really scary. :D :D

AmigoMac
Dec 5, 2004, 08:57 AM
as before said: :D

...One I posted about a customer and will tell you again: the guy was never a computer user and heard a lot of good things about the internet and music and videos and whatever he could do in his free time. I told him to buy a Mac, but as always he heard a lot of BS about Macs and decided on an XP-based PC... voilà, bought, plugged in, started, connected, less than 3 min and he got Sasser ... :p It was Saturday and he had to wait till Monday to find me and organize his PC... good start!

1macker1
Dec 5, 2004, 09:06 AM
Why is this news? We all know that ANY type of computer that is put on the net can be attacked. This is nothing new.

applekid
Dec 5, 2004, 10:01 AM
It's still messy how we're getting attacked nearly as much as the XP SP1 machine was. What does it mean?

Sure, the OS X machine was sound even with all of those attacks, but how can those other OSes receive much less attacks?

moot
Dec 5, 2004, 10:20 AM
> It's still messy how we're getting attacked nearly as much as the XP SP1 machine was. What does it mean?
>
> Sure, the OS X machine was sound even with all of those attacks, but how can those other OSes receive much less attacks?

I'm not sure, but I think that some firewalls can hide their PC in stealth mode. So you become sort of invisible to everyone out there.

I think (but don't know) that the standard firewall in OSX doesn't have Stealth. So they can see us and try to get in. But, of course, fail miserably. :D

space2go
Dec 5, 2004, 10:32 AM
> I'm not sure, but I think that some firewalls can hide their PC in stealth mode. So you become sort of invisible to everyone out there.
>
> I think (but don't know) that the standard firewall in OSX doesn't have Stealth. So they can see us and try to get in. But, of course, fail miserably. :D

'stealth' is in Tiger's firewall and it is **** (just like on windoze).

As for the number of attacks, they seem to have deducted those the firewall caught, as they no longer were a danger.
But then the number for OSX should have been 0 from the start.
Of course a lot of the things those personal firewalls report aren't attacks either.

asif786
Dec 5, 2004, 10:36 AM
wow, this really is scary..

I'll have to show the rest of my windows-pc-using family :rolleyes:

/asif

iMeowbot
Dec 5, 2004, 10:52 AM
> Sure, the OS X machine was sound even with all of those attacks, but how can those other OSes receive much less attacks?

The attack attempts were surely still there (at least the probing will still happen), but the firewall suppressed them.

Really, I think it's just plain stupid to try to connect any computer directly to the Internet these days. At the very least, throw a little NAT router in front, that pretty much eliminates all the attacks of the type described in the article.

nagromme
Dec 5, 2004, 11:48 AM
So I assume they set the Mac up WITHOUT using OS X's built-in Firewall? (Macs may ship with ports closed but I've never seen one with the Firewall On out of the box. A simple one-click activation though.)

Related (from August):
http://news.com.com/Study%3A+Unpatched+PCs+compromised+in+20+minutes/2100-7349_3-5313402.html?part=rss&tag=5313402&subj=news.7349.20

shamino
Dec 5, 2004, 12:49 PM
Hardware firewall.

An absolute necessity. Even if you only have one computer in your home, buy a cheap gateway router. Otherwise, how are you going to download Microsoft's service packs before the first attack hits?

fabsgwu
Dec 5, 2004, 03:39 PM
I thought the OS X comes with the firewall on out of the box... I could be wrong, but at any rate, it's very easy to turn on.

> So I assume they set the Mac up WITHOUT using OS X's built-in Firewall? (Macs may ship with ports closed but I've never seen one with the Firewall On out of the box. A simple one-click activation though.)
>
> Related (from August):
> http://news.com.com/Study%3A+Unpatched+PCs+compromised+in+20+minutes/2100-7349_3-5313402.html?part=rss&tag=5313402&subj=news.7349.20

sjk
Dec 5, 2004, 08:35 PM
> Hardware firewall.
>
> An absolute necessity.

No doubt. I can't think of any good reason not to have one.

StarbucksSam
Dec 5, 2004, 09:51 PM
I almost switched to PCs a year ago in a rage over Apple's atrocious customer service and a horrible experience, and I am SO glad I didn't. Wow. WOW.

Mav451
Dec 5, 2004, 09:56 PM
heh, XP SP2 + FF/TB (1.0) + H/W Firewall (e.g. router); I haven't gotten anything.

*knocking on wooden desk here*

However, I am really starting to feel sad for many of my friends who are still stuck on using XP SP1, and some don't even HAVE SP1 (*shock*). Those are the users who are compromised and become zombie machines for the next DDoS attack.

redAPPLE
Dec 6, 2004, 01:58 AM
so, do i now have to activate all firewall options in system preferences? i just activated "personal file sharing" and "itunes music sharing".

others are deactivated.

Savage Henry
Dec 6, 2004, 03:42 AM
> cyberintrusions are fast becoming an ingrained part of the Internet. Compromised PCs fueled a 150% surge in suspicious security activity per machine per day in the third quarter of this year, compared with a year ago

In the olden days you only needed a six-month-old hard disk copy of a piece of reputable virus software and the occasional password.

I predict we are just 3 years away from each user needing to submit a DNA test in order to write an 'if' statement in Excel!

Personally I have a HW firewall at home using the AirportEx, and I'd have to admit that the one we have at work on the XP boxes seems to be pretty strong.

steveh
Dec 6, 2004, 12:16 PM
> so, do i now have to activate all firewall options in system preferences? i just activated "personal file sharing" and "itunes music sharing".
>
> others are deactivated.

Which means that you have just the two open, all the other ports are closed.

The default state with the firewall turned on is closed, you don't have to "activate" a port to close it.

mkrishnan
Dec 6, 2004, 12:27 PM
So anyone care to do a FAQ tutorial for me? I looked around for information on how to set up the firewall in the AEBS for good security and I just have no idea what I'm doing. I've got my OS X firewall going, but I'm not sure exactly what the AEBS is doing.... :(

granex
Dec 6, 2004, 12:57 PM
> I thought the OS X comes with the firewall on out of the box... I could be wrong, but at any rate, it's very easy to turn on.

Just got a new iMac G5 (which is great, by the way) and the firewall was definitely off. I was a bit surprised, but then turned it on. It does block Airtunes and such without a bit of tweaking, so maybe they thought it was better to have almost all of the ports turned off rather than having a general firewall running. (You can easily enable the iTunes related network activity, by the way).

I have a hardware firewall and the software firewall set up, and I'm running a Mac, so I'm feeling pretty safe at the moment. My son recently destroyed our five-year-old home PC with adware that brought on a virus that brought in more adware. We were moving to a Mac anyway, but this helped us feel much better about it (it will also provide a hammer to crush any game compatibility whining). My current greatest fear is that my 75-year-old father-in-law is going to come down with this crap and I'm going to have to help him fix things from 1,500 miles away.

Apple doesn't want to tout this too hard because of the hubris and because there isn't enough wood at 1 Infinite Loop to keep everyone within close knocking distance. Word of mouth on security together with the iPod mania is generating a great wedge for Apple. At work, I had to decide with buying a couple of new Dells or moving stuff over to Macs. The security side of things finally swung me over to Macs. (I should say back over, as I was an original Macintosh 128 user and a Mac+ owner).

shamino
Dec 6, 2004, 02:58 PM
> So anyone care to do a FAQ tutorial for me? I looked around for information on how to set up the firewall in the AEBS for good security and I just have no idea what I'm doing. I've got my OS X firewall going, but I'm not sure exactly what the AEBS is doing.... :(

The best way to explain how to set this up is to give a small lesson on what these routers actually do.

Most gateway routers (and I assume AEBS is similar) use NAT (Network Address Translation) to allow everybody on your home LAN to share a single internet connection. In this configuration, the router's WAN port is configured with your ISP-assigned IP address. Typically this is by running a PPPoE or DHCP client, but manual configuration is usually also possible.

The LAN side of the router (including the wireless port) typically works entirely with IP addresses from RFC 1918 (http://www.ietf.org/rfc/rfc1918.txt) private address space. Commonly, the address block 192.168.1.* is used, although some vendors are different and the choice of address block is sometimes configurable. One address will be reserved for the router itself (192.168.1.1 on mine), one for a local-broadcast address (192.168.1.255 on mine) and the rest available for hosts (192.168.1.2 through 192.168.1.254 on mine.) You may either statically configure the hosts for particular addresses or you may set up the router to act as a DHCP server that can dynamically assign addresses to your hosts.

When computers on your LAN send packets to the WAN (which is normally the internet) the router rewrites the addresses in the IP header so everybody on your LAN appears to be using the same (ISP-assigned) IP address. Obviously, if you have more than one computer, the router needs to remember which of your hosts initiated each connection, so it knows where to deliver the incoming packets for those connections (since they will all be sent to the same ISP-assigned address.) It does this by snooping all the TCP control messages and maintaining a table of LAN-side address/port combinations that map to WAN-side address/port combinations. This table is updated every time a TCP connection is created or destroyed.

Now, if a packet arrives from the WAN and there is no matching entry in this table, the packet is discarded. The router has to do this, because it has no way of knowing which host on your LAN to send it to.

This simple fact (the previous paragraph) is what makes plain old NAT a reasonably good firewall. Attempts by computers on the internet to initiate connections with your LAN will always fail, because the router has no mapping table entry to know what to do with those packets.

Of course, the real world isn't quite as simple as this.

Some protocols (like active-mode FTP) request the remote site to initiate a connection to you. When you give a "get" command, your host starts listening on a port, and tells the remote node to create a connection to that port. This obviously won't work with NAT in the way, because there is no mapping for that incoming connection, and NAT is going to change the port numbers. One workaround (in this example) is to use passive-mode FTP, which has the local host creating all connections. Another is that the router can have some application-specific knowledge about the FTP protocol, snoop the FTP control-channel packets, rewrite some of them, and add/remove mapping entries.

Modern routers have application-specific knowledge for a variety of common protocols. This is not normally a security breach, because these mappings are only created in response to requests from computers on your LAN, which is usually considered a trusted source.

Now, if you're running a server (say, a web server) on your LAN and you want to allow the internet to connect to it, you obviously need a mapping to allow those connections. Something that will map a WAN-port (80 for web servers) to LAN-port 80 on one of your local hosts. You can usually configure these through the router's setup utility. Every mapping you create, however, is a potential security hole, so you want to make sure you only create them for services that you explicitly want to make available to the internet. And you want to make sure the server software is kept up to date with all of its latest security patches.

Obviously, if you configure your own port mappings, you need to configure a static LAN-side IP address on the computer. Otherwise that computer's address may change to something incompatible with the mapping.

Recently, a spec called Universal Plug and Play (UPnP) was invented to allow LAN-side servers to use dynamic addresses. With this spec, the computer's operating system can direct the router to create port mappings when server software starts listening for connections. IMO, UPnP is a big security hole. I make a point of disabling it on my routers.

FWIW, here's my home LAN configuration. I have one (and only one) port mapping on my firewall. I map WAN-port 22 (SSH login) to my Mac's port 22 so I can do a remote-login from work. On the computers themselves (there are six nodes on my LAN), I don't run any firewall software. This way, the computers can freely access each other, but none can be accessed from the internet.

As long as I keep my SSH server up to date with the latest security patches (which Apple is pretty good about updating), the result is a LAN secure from external break-in. (Of course, a firewall does nothing about viruses/worms received in e-mail. But a firewall is only supposed to be one piece of a security solution, not all of it.)
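
The NAT mapping-table behaviour shamino describes above (outbound connections create entries, unsolicited WAN packets with no entry are dropped, and a single static mapping such as WAN port 22 to one LAN host's port 22 is the only way in) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any router vendor; all addresses, hosts and port numbers are constructed for illustration, and the dynamic table is keyed on the translated WAN port and checked against the remote peer, which is one simplification of how real NAT implementations track state.

```python
"""Toy model of a NAT router acting as a firewall (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

WAN_IP = "203.0.113.7"          # constructed ISP-assigned address (documentation range)
ROUTER_LAN_IP = "192.168.1.1"   # router's own RFC 1918 address, as in the post


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    wan_ip: str = WAN_IP
    next_wan_port: int = 40000
    # Dynamic entries: translated WAN port -> (LAN ip, LAN port, remote ip, remote port).
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    # Static "port forwarding" entries configured by the owner: WAN port -> (LAN ip, LAN port).
    static: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def add_static_mapping(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.static[wan_port] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host -> WAN: rewrite the source to the shared WAN address and remember the mapping."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.table[wan_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only if a dynamic or static entry matches; otherwise drop (None)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # Only the peer the LAN host actually talked to may use this entry.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
            return None
        if pkt.dst_port in self.static:
            lan_ip, lan_port = self.static[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # No mapping: the router has no idea which LAN host to hand this to, so it is discarded.
        return None


def demo() -> dict:
    """Walk through the four cases from the post with constructed hosts and peers."""
    router = NatRouter()
    router.add_static_mapping(22, "192.168.1.10", 22)   # the single SSH mapping described in the post

    # 1. A LAN host opens a web connection; the router translates its source address/port.
    out = router.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    # 2. The web server's reply matches the dynamic entry and is delivered to the LAN host.
    reply = router.inbound(Packet("198.51.100.5", 80, WAN_IP, out.src_port))
    # 3. An unsolicited probe from the internet to a port with no entry is dropped.
    probe = router.inbound(Packet("198.51.100.9", 4444, WAN_IP, 135))
    # 4. An inbound SSH connection hits the static mapping and reaches the configured host only.
    ssh = router.inbound(Packet("198.51.100.9", 50000, WAN_IP, 22))

    return {
        "translated_src": (out.src_ip, out.src_port),
        "reply": reply,
        "probe": probe,
        "ssh": ssh,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the reply delivered to 192.168.1.20, the probe returning None (dropped), and the SSH packet reaching 192.168.1.10 only because of the explicit static entry, which is exactly why each mapping you add is a deliberate exposure worth keeping patched.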

mkrishnan
Dec 6, 2004, 04:24 PM
Shamino, thank you so much! I knew some, but not all of what you wrote, and you did a really nice job of making it understandable. :)

So if I can mooch a few more questions :p, I still don't quite understand a couple of things. Right now I have my AEBS in DHCP+NAT mode, and I have not input *any* port mappings on the server myself. Am I correct that all of these port mappings refer to LAN-incident transmissions, that is, ones that come from the WAN into the LAN? Is the AEBS set up so that if I do not manually create these port mappings, no activity can be initiated from outside the LAN? So does this mean it's basically in a fairly high security mode from the start?

Regarding ports that let LAN-incident transmissions through, such as an FTP or telnet initiated from the WAN, it seems like I want to have this kind of protection in the hardware firewall, since there are other devices on the network, like my ReplayTV, which do not have software firewalls, and I do not have any kind of service where I need to initiate from the WAN (well, at some point I'm curious to see if I can gateway into the LAN and access the replaytv from out of home using DVArchive, but.... :D ). So for traditional home stuff that's all initiated in the LAN and not the WAN, do I basically not need any ports open at all?

And is it correct to think of the hardware firewall security overriding the software, in the sense that even if a port is setup to accept an incoming transmission on the software firewall, if the hardware firewall blocks it, it will never get to the computer? (Unless of course it starts in the LAN)

One last question. On my PC, I used ZoneAlarms, and one nice feature it had was to notify me whenever a previously unauthorized program tried to send an internet transmission. Mostly this caught spyware. Well, that PC is clean now, and uses Firefox :) so that issue is mostly gone. But is this kind of thing very necessary on MacOS X? I guess there isn't that much spyware out there....

dylomel
Dec 6, 2004, 04:44 PM
too scary to admit the fact..

shamino
Dec 6, 2004, 06:43 PM
> So if I can mooch a few more questions :p, I still don't quite understand a couple of things. Right now I have my AEBS in DHCP+NAT mode, and I have not input *any* port mappings on the server myself. Am I correct that all of these port mappings refer to LAN-incident transmissions, that is, ones that come from the WAN into the LAN? Is the AEBS set up so that if I do not manually create these port mappings, no activity can be initiated from outside the LAN? So does this mean it's basically in a fairly high security mode from the start?

Correct. By default, there should be no port mappings, because the manufacturer can't possibly know what services you're running or what computers they are running on.

Without mappings, computers on the WAN side of the router can not initiate connections to computers on the LAN side.

It is still possible, however, for a malicious program (say, something received in e-mail or embedded in another app) to initiate outbound connections or connect to other computers on your LAN. In the former case, most routers are configured to allow all outbound connections. In the latter, LAN-to-LAN traffic doesn't necessarily even go through the router, and it can't filter what it doesn't see.

> Regarding ports that let LAN-incident transmissions through, such as an FTP or telnet initiated from the WAN, it seems like I want to have this kind of protection in the hardware firewall, since there are other devices on the network, like my ReplayTV, which do not have software firewalls, and I do not have any kind of service where I need to initiate from the WAN (well, at some point I'm curious to see if I can gateway into the LAN and access the replaytv from out of home using DVArchive, but.... :D ).

Creating port mappings to allow specific services through is a mixed blessing. The router will redirect connections to only one computer on your LAN (the one you configure). But if the server on that computer is not secure, a creative hacker could gain control of that computer and proceed from there to attack other computers on your LAN.

Which means you only want to create these mappings for programs you trust, and you want to make sure to keep them patched with the latest security updates. This will minimize the chances of this kind of attack happening.

> So for traditional home stuff that's all initiated in the LAN and not the WAN, do I basically not need any ports open at all?

That would be correct. Some people like to open up one or two UDP ports for QuickTime streaming, but I don't bother. QT can stream over TCP as well - not as efficiently, but good enough that I prefer to keep those ports closed.

> And is it correct to think of the hardware firewall security overriding the software, in the sense that even if a port is setup to accept an incoming transmission on the software firewall, if the hardware firewall blocks it, it will never get to the computer? (Unless of course it starts in the LAN)

Think of it like an office building. You've got a lock on the building's door. Then each office's door has its own lock. Then each filing cabinet and drawer has its own lock. If a thief can't get through the front door, then the quality of the filing cabinet's lock doesn't matter. But if you think he may get through the front door and the office door, you'll want to have that last lock.

Similarly, if an attack is blocked by the HW firewall, it won't matter if you have a software one installed. But you can't be certain that it will block all attacks, hence the need for some level of security in your operating system and application software.

> One last question. On my PC, I used ZoneAlarms, and one nice feature it had was to notify me whenever a previously unauthorized program tried to send an internet transmission. Mostly this caught spyware. Well, that PC is clean now, and uses Firefox :) so that issue is mostly gone. But is this kind of thing very necessary on MacOS X? I guess there isn't that much spyware out there....

Hardware firewalls can't block this sort of thing - they only know about TCP connections, not applications. They can't tell if the HTTP request going out is from your web browser or from a spyware daemon.

Software firewalls (like ZoneAlarm) can detect this. I don't think the one built into MacOS has this support, however.

If you feel you want/need this on your Mac, however, there are programs that can do this. Several people on newsgroups like to recommend Little Snitch (http://www.obdev.at/products/littlesnitch/). I haven't used it, so I have no opinion to give. I just know that others seem to like it.
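
To make concrete the distinction shamino draws above between a router that "only knows about TCP connections" and an application-aware host firewall in the ZoneAlarm or Little Snitch style, here is an added example that is not code from the thread or from either product. It runs a constructed list of outbound connection events through two policies: a router-style check that sees only destination address and port (and so permits everything outbound, as the post says most routers do), and a host-side check keyed on which program opened the socket, with a per-application allowlist and a "prompt" outcome for programs it has never seen. Process paths, hosts and the allowlist are all made up for illustration.

```python
"""Router-level versus application-aware outbound filtering (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Connection:
    process: str      # path of the program that opened the socket (visible only on the host)
    dst_host: str
    dst_port: int


def router_decision(conn: Connection) -> str:
    """A NAT router sees addresses and ports only, and typically allows all outbound traffic."""
    # It cannot distinguish a browser's HTTP request from a spyware daemon's HTTP request.
    return "allow"


class AppFirewall:
    """Host firewall that keys its policy on the originating program, not just the port."""

    def __init__(self, allow: Dict[str, Set[int]]):
        self.allow = allow                  # process path -> permitted destination ports
        self.prompts: List[Connection] = []  # connections the user would be asked about

    def decide(self, conn: Connection) -> str:
        ports = self.allow.get(conn.process)
        if ports is None:
            # A program with no rule yet: the ZoneAlarm-style "notify me" case.
            self.prompts.append(conn)
            return "prompt"
        return "allow" if conn.dst_port in ports else "deny"


# Constructed sample of outbound connection events as a host might observe them.
SAMPLE_EVENTS = [
    Connection("/Applications/Firefox.app/Contents/MacOS/firefox-bin", "example.org", 80),
    Connection("/Applications/Mail.app/Contents/MacOS/Mail", "mail.example.net", 993),
    Connection("/Users/me/Library/Caches/updater", "203.0.113.50", 80),      # unknown program, HTTP
    Connection("/Applications/Mail.app/Contents/MacOS/Mail", "203.0.113.51", 6667),  # known app, odd port
]

# Constructed allowlist: which programs may talk on which ports.
ALLOWLIST = {
    "/Applications/Firefox.app/Contents/MacOS/firefox-bin": {80, 443},
    "/Applications/Mail.app/Contents/MacOS/Mail": {25, 143, 993},
}


def compare(events: List[Connection]) -> List[Tuple[str, str, str]]:
    """Return (program name, router verdict, host firewall verdict) for each event."""
    host_fw = AppFirewall(ALLOWLIST)
    return [
        (c.process.rsplit("/", 1)[-1], router_decision(c), host_fw.decide(c))
        for c in events
    ]


def caught_only_on_host(events: List[Connection]) -> List[str]:
    """Programs the router let through that the host firewall did not simply allow."""
    return [name for name, router, host in compare(events) if router == "allow" and host != "allow"]


if __name__ == "__main__":
    for row in compare(SAMPLE_EVENTS):
        print("%-12s router=%-5s host=%s" % row)
```

The two HTTP events to port 80 are identical from the router's point of view, yet the host firewall allows the browser and prompts on the unknown "updater"; the mail client on an unexpected port is denied outright. That is the gap the post describes, and it also shows why the host-side allowlist is worth keeping tight rather than approving every prompt.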

mkrishnan
Dec 6, 2004, 10:17 PM
Thanks again! I might try Little Snitch. I guess I'm not so concerned about this on my mac, because there aren't as many opportunities for spyware. But it might be nice to run it for a while just to make sure. :)

Macmaniac
Dec 6, 2004, 10:52 PM
I'm not surprised. I saw a TV special where a tester hooked a new PC onto the internet and within 5 minutes it had been compromised.