webvergnügen

jluster.org

ShieldsUp Analyzed

Posted 827 days ago

As users on the global network, we are concerned about our privacy, the safety of the data we store on and send from our PC, and the implications of successful intrusions into our system or network. Over the past years, ingenious people have come up with a number of great and not so great solutions to address this problem, ranging from security and confidentiality awareness training, through small tools you install on your hard disk, to external scanners that assess your actual network and system security.

ASSESSMENTS - UH?

There are many ways to assess the security of a given system, but all assessment approaches must meet a baseline: they must be honest, sufficiently conclusive, sufficiently broad and, to a certain point, predictive. Conducting assessments that lack any of those baseline requirements may cause more harm than good.

ENTER: SHIELDS UP!

ShieldsUp is a free service offered on Steve Gibson’s web site at grc.com.

It is basically a web frontend to a backend which probes the system behind your HTTP connection’s IP address for open ports and recommends a number of actions. Upon visiting the web site, you are presented with a bit of information regarding the operation of ShieldsUp and offered two probe methods: “Test my shields” and “Probe my ports”.

TEST MY SHIELDS

When clicking the “Test my shields” button, ShieldsUp will inform you about its attempt to “contact the ‘Hidden Internet Server’” within your PC.

As a matter of fact, ShieldsUp sends a NetBIOS name query (NQUERY) UDP packet with the Broadcast, Query and Request flags set. Depending on whether an answer arrives or not, ShieldsUp decides whether your shields are “up”. This is - obviously - not a very accurate method, since a UDP packet that goes unanswered tells you nothing about what is listening.

And - also obviously - it is not really a “hidden Internet Server”, either. Gibson’s tendency to exaggerate his abilities and tools must have, once again, led him to make a bold claim like this.

Now, there’s a twist to this test. I set up a machine laden with vulnerabilities, beginning with a few installed backdoors (BackOrifice, Sub7) and other holes, and did not even spend the few minutes needed to close the most obvious ones. ShieldsUp, however, happily reported:

Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Which is simply wrong.

There is nothing I could have done to stop even unsophisticated intruders from attacking and breaking into my machine; a small script like ShieldsUp, however, is simply fooled by Windows’ inconsistent behavior on UDP responses.

In fact, not five minutes after I conducted this test, a random script-kiddie attack opened the shares (C: and D:) I had deliberately set up, read the “Gotcha Sucker” text file I had deposited in C:, and left. The tools to work those “wonders” are freely available on the net.

PROBE MY PORTS

Gibson, surprisingly lucid, warns of a false sense of security.

“Before You Break Out the Champagne…”, warns a text box just below the results, and it asks me to perform another check of my system, this time by probing my ports. A click on the button, and I am there.

Again, the script presents me with a number of results. At this point it starts probing my system with a number of connect() calls, which essentially try to establish a connection to a few ports on my system. This time, wonder of wonders, it recognizes the fact that NetBIOS is open, but it overlooks the installed spyware and backdoor programs.

It also gracefully overlooks a grave security problem I introduced by installing a freely available third-party application which essentially allows anyone on the net to browse my machine’s hard drives and download and upload files.

I also had a web server installed: a small program, downloadable from download.com or similar sites, which lets my computer export pictures to the net so that my friends or casual visitors can browse the photo album with a regular web browser. The source code for said program is freely available; it is a very short program which basically implements a “crippled” web server plus a few extra features. After reading the source code, I am sure there is not much an attacker could exploit.

GRC’s ‘nanoprobes’ diligently connect() to the server and then wander on. The port test, however, tells me my HTTP port is closed. Strange. Very strange. A look at the logs I am sniffing from this connection shows that my web server responded, yet the test program still reports the port as closed. I repeated the exercise with both Windows- and Unix-based web servers and got an overall hit rate of less than thirty percent; in other words, more often than not the test program would not detect my open web server.

WHAT IS STEALTH?

Well, for starters, stealth isn’t all that. There is no such thing as “stealth” on the Internet. Ports are either open (they respond and accept the connection), closed (they respond, but with a refusal) or non-existent (nothing comes back at all). Gibson calls the latter “stealth”, which is as wrong as could be.

A false sense of security even here. Just for Mr. Gibson’s records: my FTP port is not stealth; it is just not answering with an ICMP_DESTUNREACH when probed.
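The two points above (the unanswered NetBIOS UDP probe in “Test my shields”, and the open/closed/no-response distinction in this section) in a small self-check, written as an added example for this article, not code from the original post or from GRC. It assumes a host you administer; all probes here go to constructed loopback listeners, and the UDP payload is a placeholder where ShieldsUp would send its NetBIOS query.

```python
import socket
# Added example (not the post's or GRC's code); all probes below hit constructed loopback listeners.

def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """The TCP handshake alone decides: a completed connect() is 'open' even if
    the service never sends a byte, a RST is 'closed', silence is 'no-response'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "no-response"  # dropped by a filter, not made invisible
        return "open"

def probe_udp(host: str, port: int, timeout: float = 1.0) -> str:
    """UDP has no handshake. Only an ICMP port-unreachable (ECONNREFUSED on a
    connected socket) proves 'closed'; a silent service and a filter look the
    same, so silence can only be reported as 'open|filtered', never 'secure'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(b"probe")  # constructed payload; ShieldsUp's NetBIOS query would sit here
        try:
            data = s.recv(512)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        return "open" if data else "open|filtered"

def self_check() -> dict:
    """Probe loopback listeners that accept traffic but never answer, then the
    same ports once they are closed."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    tport, uport = tcp.getsockname()[1], udp.getsockname()[1]
    result = {"tcp_listening": probe_tcp("127.0.0.1", tport),
              "udp_listening_but_silent": probe_udp("127.0.0.1", uport)}
    tcp.close()
    udp.close()
    result["tcp_after_close"] = probe_tcp("127.0.0.1", tport)
    result["udp_after_close"] = probe_udp("127.0.0.1", uport)
    return result

if __name__ == "__main__":
    print(self_check())
```

The listening UDP socket comes back as "open|filtered" although it is plainly open, which is exactly the ambiguity that lets a silent Windows box pass the NetBIOS test.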

OVERALL LOOK

I received a clean bill of health from ShieldsUp!, despite having a computer which is most likely the least secure computer ever tested by those scripts. A day later, I tried the same with the help of a friend’s NeXT cube and was swamped with “you are sooo insecure” messages. Regardless of the fact that said friend’s NeXT cube is about the safest place to store data I can imagine, it responds to every port probe and connect() attempt with a TCP or UDP stream saying “go away” in its packet payloads. Gibson tends to exaggerate. His supposedly superior system does not differ much from what is already available out there in hundreds if not thousands of other incarnations. The boldest claim, however, can be spotted on his Ports page:

“If you have used ShieldsUP! in the past, you may have just noticed that the Port Probe system is much faster than ever before. This is the result of the emerging deployment of our much-anticipated NanoProbe Technology. It is finally becoming real.”

There is nothing nano about Gibson’s probes. In fact, a simple traffic sniffer reveals the truth about those probes: they are merely ICMP- and TCP/UDP-based connect and scan attempts. Gibson has reached a state of notoriety for those claims, most recently for his GENESiS project, in which he claims to have invented the solution to DoS attacks by describing a system which has been invented and open source since 1995 and is already part of hundreds of thousands of operating systems worldwide. Suffice it to say, Gibson - again his friendly self - dismisses any criticism by claiming that he (the Security Guru) had never heard about other inventions in this area. Had Mr. Gibson done the needed research, he might have come up with something really good - he has enough energy, one has to give him that - but apparently he never strays outside his own fan circle and media relations world. Gibson is not a member of any respected security effort or interest group; he is shunned inside the security profession and lives only through media appearances and his charismatic approach, which secured him the love and almost sect-like dedication of his followers.

GIBSON - THE MAN

Much has been said and written about Steve Gibson, the man behind grc.com and ShieldsUp. If you want to read more about him, see http://www.grcsucks.com to find out about the other side of his claims, presented by real security professionals.

Comments

  1. Anonymous Coward said 443 days later:

    A well explained and defended article, Its good to see information presented in a factual unhyped manner. Hope there is more to come from you.

  2. also anonymous said 184 days later:

    hey - great post! you perfectly prove the rumours of the new steve gibson scientology church. you are right: someone should offer an even better sect to the people!

  3. Anonymous Coward said 325 days later:

    to me this is a complex subject. I think we need more than one approach to it. thanks for the help, and thanks to Steve also; all for free! Regards, Ted

  4. Anonymous Coward said 404 days later:

    What similar tool-site do you propose ???

  5. Jonas M Luster said 404 days later:

    A good knowledge of the system (or someone who knows it and is willing to help) makes much more sense. This is not unlike the $10 "20 horsepower in 10 minutes" gas additives. There are replacements, but knowing your car and driving it condicively is more fun.

  6. telamon said 459 days later:

    This is good shit, thanks a lot!

  7. spoongirl said 487 days later:

    Jonas, try nmap (www.insecure.org) there are even some sites that will test you remotely.

  8. bitchucker said 633 days later:

    On the surface Shields Up offers us novices so much help, just glad I did not buy anything from them. Thanks for a clearer explanation of what to be looking for.

  9. Robert W Johnson UUBOB unknownuserbob@aol.com (never read , hardly) said 693 days later:

    Golly, do I feel the glow of Tech experteez after spending the past few hrs using ShieldsUp! to see if my ZoneAlarm Security Suite was set up, and what a bitch discombobulating can be! my new comcast cable 29.99 conn is just up and a bit skittish, but I am learnin’ Thank u-guys!

  10. qonnor said 693 days later:

    don’t you believe it! (UUBOB). that guy knows more than he lets on. he’s the best researcher online. so don’t let his naive act fool you.

  11. disapointed said 701 days later:

    tried one of Steve - the guru’s - solutions, at least I got my money back.

  12. novice said 715 days later:

    The tests on Shields Up! may not be up to par, but the info was in plain common English and taught me more about my computer. It all helps!

  13. James said 784 days later:

    Right! I shouldn’t believe GRC.com at all.

    I seriously considered myself the beginner,

    but I would rather be taught with difficult security concepts!

    False security equals no security at all.

    Thank you for reminding me. I shall refrain from using shield up! to check my firewall.

  14. sillysausage said 785 days later:

    I wonder how many other silly sausages thought SG was telling the truth. I feel ashamed for believing - and I consider myself to be a healthy cynic. AAAGGHHHH.

  15. Gil Higham said 792 days later:

    I tried Shields-Up and believed it implicitly; after reading your article I feel a bit of a fool. Thank you for the info.

  16. the sawman said 795 days later:

    Gibson’s test does what he says and no more than he claims. You fault him for ShieldsUp not conducting a full computer-wide safety analysis? No one, including Mr. Gibson, ever claimed that ShieldsUp was a comprehensive and complete safety test! Aren’t you the fool! Did you even read the explanatory and supporting pages at grc.com?

    Use something like pcpitstop.com and stop bitching when someone does something for free to help the average joe on the web. Bet you don’t even have the guts to post this message.

  17. tomr said 797 days later:

    to the Sawman. this from GRC site today (17-01-2006) … “ShieldsUp. The Internet’s quickest, most popular, reliable and trusted, free Internet security checkup and information service. And now in its Port Authority Edition, it’s also the most powerful and complete. Check your system here, and begin learning about using the Internet safely”. How is this different from the claim “that ShieldsUp was a comprehensive and complete safety test”? if you prefer to believe Mr Gibson, that’s your privilege. Those of us who actually look beneath the self-serving tone of his site at his products, and find them less than stellar, have the right so to do.

  18. demerson3 said 799 days later:

    Many of you have a lot of bad stuff to say about Steve Gibson as a security advisor. That’s fine, and I’m glad to be reading both sides of the story. I’ve used ShieldsUp several times, and have usually had an intuitive awareness that it was not an end-all security test, and that my LAN and my debian box might still be vulnerable to a certain type of attack.

    I’m curious to know if anyone has anything positive or negative to say about SpinRite, Steve’s flagship retail product. Intuitively, it seems like hard drive checking and recovery is an arena where Steve might very well have the best product on the market. Any comments?

  19. Zing-Zing said 800 days later:

    Gibson is a crafty one. Right now I don’t think he has much income at all. McAfee used him excellently for years to up-sell his ZoneAlarm (yes McAfee ran that company). Now McAfee sells out again and Gibson has nothing.

    This is a great article. My only question is: how do we get it out there? How do you stop this shameless charlatan? How do you stop the Jim Jones n00bs at GRC.com from drinking the Kool-Aid?

    Congrats again on a great article. And thank you for taking the time to write it and research it. A great effort.

  20. philco said 801 days later:

    Good alternative perspective on Mr. Gibson. When he originated “Shields Up”, there were no user friendly online assessment tools. Now there are tons and he is not in the assessment business. As you are aware he is in the disk repair utilities business. I have used Shields Up in a rudimentary sense, but I have always been realistic in that everything he does is meant to draw you to his disk utilities.

    He is a savvy programmer and has had a sense for what ills the common user and wastes no time in popping out little utilities to raise awareness. His utility to remedy the Zip drive “click of death” saved many, many people much grief when Iomega was sitting on its hands denying it even happened. When ASPI devices were struggling with the transition to Windows, he began (but abandoned) to write an ASPI troubleshooting utility. Adaptec beat him to it and so he laid it to rest.

    His ditty about getting a DDOS attack on grc.com was a classic. He didn’t know what was going on, he wasn’t getting much help, but you have to give him credit. He pushed his ISP, he went out and wrote his own custom bots, and did his research and got it resolved.

    I think his intentions on most of this is sincere, but make no mistake, his ultimate goal is to bring attention to SpinRite. In fact I think long time SpinRite users get irritated because these events side track him from the development of his core product.

  21. Aaron said 805 days later:

    ‘the sawman’: There’s a term in the industry for a portscanner which fails to detect a port that’s open and waiting for connections, and that term is ‘broken’, full stop.

    Just for the hell of it, I threw my laptop outside the firewall (it’s a Linux box, so I didn’t have to worry about counting the seconds between the interface coming up and the malware infestation), fired up Ethereal on it, and watched Shields Up test the first 1024 ports – that range includes open ports for SSH, FTP, HTTP, POP3, SMTP, and a couple of proxies.

    It detected only the pop3 port; all the others it reported as closed. This is a broken portscanner.

    ‘philco’: Considering that he appears to claim approximately equal standing in the disk-recovery and security-auditing subfields, his performance on the security side makes me think his disk-repair products are just that much more crap.

    Even a hint of a doubt is enough to stop me trusting disk-recovery software, because when I’ve got a dead disk with critical information on it I can’t afford to piss around with something that I can’t absolutely be sure will work, and with what I’ve been reading (and demonstrating for myself – see above) I wouldn’t trust Steve Gibson to give me the time of day off my own watch.

  22. MOHS3n said 825 days later:

    hey
