Posted 827 days ago
As users of the global network, we are concerned about our privacy, the safety of the data we store on and send from our PCs, and the consequences of a successful intrusion into our system or network. Over the past years, ingenious people have come up with a number of great and not so great solutions to this problem, ranging from security and confidentiality awareness training, through small tools you install on your hard disk, to external scanners that assess your actual network and system security from the outside.
ASSESSMENTS - UH?
There are many ways to assess the security of a given system, but all assessment approaches must meet a common baseline: they must be honest, sufficiently conclusive, sufficiently broad and, to a reasonable degree, predictive. An assessment that lacks any of these properties may cause more harm than good, because it leaves the user with a verdict he trusts but which does not hold.
ENTER: SHIELDS UP!
ShieldsUp! is a service offered free of charge on Steve Gibson's web site, grc.com.
It is basically a web front end to a back end which probes your system for open ports and recommends a number of actions. Note that it probes the source IP address of your HTTP connection; if you sit behind a NAT gateway or a proxy, that address belongs to the gateway or proxy, and it is that box, not your PC, which gets scanned. Upon visiting the web site, you are presented with a bit of information about how ShieldsUp! operates and offered two probe methods: Test My Shields and Probe My Ports.
TEST MY SHIELDS
When you click the “Test My Shields” button, ShieldsUp! informs you about its attempt to “contact the ‘Hidden Internet Server’ within your PC”.
As a matter of fact, ShieldsUp! sends a single NetBIOS name service query (an NQUERY UDP datagram to port 137) with the Broadcast, Query and Request flags set. Depending on whether or not an answer comes back, ShieldsUp! decides whether your shields are “up”. This is, obviously, not a very accurate method: a UDP query that goes unanswered tells you only that nothing answered. A packet filter may have dropped it, the host may not run Windows networking at all, or the datagram may simply have been lost. None of that says the machine is secure.
And, also obviously, it is not really a “hidden Internet server”, either. Gibson's tendency to exaggerate his abilities and tools must, once again, have led him to make a bold claim like this.
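As an added example (not code from the original page or from GRC), here is what such a NetBIOS node-status probe looks like on the wire, and how little a missing answer tells you. It builds the UDP/137 query with the broadcast flag set, parses a reply into the remote name table and MAC address, and feeds the parser a constructed reply (not a capture) so the whole thing runs offline. The host and timeout passed to probe_host() are placeholders of mine; probe_host() returns None on silence, and the caller has to read that None as “no reply”, not as “secure”.

```python
"""NetBIOS node-status ("NBSTAT") probe on UDP/137.
Added example, not GRC code. Host and timeout in probe_host() are assumptions."""
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021             # node status request/response record type
FLAGS_QUERY_BCAST = 0x0010  # QR=0 (request), OPCODE=0 (query), B=1 (broadcast)
FLAG_RESPONSE = 0x8000      # QR bit set in a reply


def encode_nb_name(name: str) -> bytes:
    """First-level encoding (RFC 1001 sec. 14.1): pad the name to 16 bytes and
    emit two letters per byte, 'A' + high nibble then 'A' + low nibble.
    Returns the wire label: length byte, 32 letters, 0x00 root terminator."""
    raw = name.encode("ascii").ljust(16, b"\x00")
    label = bytearray()
    for b in raw:
        label += bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes([len(label)]) + bytes(label) + b"\x00"


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """The 50-byte datagram a 'who are you' NetBIOS probe sends: name-service
    header plus one question for the wildcard name '*' of type NBSTAT."""
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY_BCAST, 1, 0, 0, 0)
    question = encode_nb_name("*") + struct.pack("!HH", NBSTAT, 1)  # class IN
    return header + question


def parse_nbstat_response(data: bytes) -> dict:
    """Pull the name table and MAC out of a node-status reply.
    Raises ValueError on anything that is not a well-formed NBSTAT answer."""
    if len(data) < 12:
        raise ValueError("datagram shorter than the NBNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & FLAG_RESPONSE or ancount < 1:
        raise ValueError("not a response carrying an answer record")
    off = 12
    # Answer name: length-prefixed labels ending in 0x00 (or a 2-byte pointer).
    while data[off] & 0xC0 != 0xC0 and data[off] != 0:
        off += 1 + data[off]
    off += 2 if data[off] & 0xC0 == 0xC0 else 1
    rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected record type 0x{rtype:04x}")
    rdata = data[off:off + rdlen]
    names, pos = [], 1
    for _ in range(rdata[0]):                # NUM_NAMES, then 18-byte entries
        label = rdata[pos:pos + 15].decode("latin-1").rstrip(" ")
        suffix = rdata[pos + 15]             # 0x00 workstation, 0x20 server, ...
        name_flags = struct.unpack_from("!H", rdata, pos + 16)[0]
        names.append((label, suffix, bool(name_flags & 0x8000)))  # G = group name
        pos += 18
    mac = ":".join(f"{b:02x}" for b in rdata[pos:pos + 6])  # unit ID = MAC
    return {"names": names, "mac": mac}


def probe_host(host: str, timeout: float = 2.0):
    """Send the query and wait once. None means *no reply*, which is all you
    may conclude: a filter dropped it, the host is not running Windows
    networking, or the datagram was lost. It is not evidence of security."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, NBNS_PORT))
        try:
            data, _peer = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_nbstat_response(data)


def constructed_reply(txid: int = 0x1234) -> bytes:
    """A hand-built reply from an imaginary Windows box (constructed test data,
    not a capture): two names and MAC 00:11:22:33:44:55."""
    entries = (b"WORKSTATION".ljust(15) + b"\x00" + struct.pack("!H", 0x0400) +
               b"WORKGROUP".ljust(15) + b"\x00" + struct.pack("!H", 0x8400))
    rdata = bytes([2]) + entries + bytes.fromhex("001122334455") + bytes(40)
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1
    rr = encode_nb_name("*") + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    print(parse_nbstat_response(constructed_reply()))
```

Run probe_host() against a Windows box on your own LAN and you get its name table; run it against a filtered address and you get None, which is precisely the outcome ShieldsUp! scored as VERY SECURE.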
Now, there is a twist to this test. I set up a machine laden with vulnerabilities. Starting with a few installed backdoors (BackOrifice, Sub7) and other vulnerabilities, I did not even spend the few minutes it would have taken to close the most obvious security holes. ShieldsUp!, however, happily reported:
Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
Which is simply wrong.
There is nothing I could have done to stop even unsophisticated intruders from attacking and breaking into my machine; a small script like ShieldsUp!, however, is simply fooled by Windows' inconsistent behaviour when it comes to answering UDP requests.
In fact, not five minutes after I conducted this test, a random script kiddie attack opened the shares (C: and D:) I had deliberately set up, read the “Gotcha Sucker” text file I had deposited in C:, and left. The tools to do those “wonders” are freely available on the net.
PROBE MY PORTS
Gibson, surprisingly lucid, warns of a false sense of security.
“Before You Break Out the Champagne…”, warns a text box just below the results, and asks me to perform another check of my system, this time by probing my ports. One click on the button, and I am there.
Again, the script presents me with a number of results. At this point it starts probing my system with a number of connect() calls, which essentially try to establish a TCP connection to a few ports on my system. This time, oh wonder, it recognizes the fact that NetBIOS is open, but overlooks the installed spyware and backdoor programs: a connect() probe can only see services listening on the handful of ports it actually tries, and anything listening elsewhere is invisible to it.
It also gracefully overlooks a grave security problem I introduced by installing a freely available third party application which essentially allows anyone on the net to browse my machine's hard drives and to download and upload files.
I also had a web server installed: a small program which can be downloaded from download.com or similar sites and allows my computer to export pictures to the net, so that my friends or casual visitors can browse the photo album with a regular web browser. The source code for said program is freely available; it is a very short program which basically implements a “crippled” web server plus a few extra features. After reading the source code, I am sure there is not much an attacker could exploit.
GRC's ‘nanoprobes’ diligently connect() to the server and then wander on. The port test, however, tells me my HTTP port is closed. Strange. Very strange. A look at the logs I am sniffing from this connection shows that my web server responded; still, the test program reports the port as closed. I repeated the exercise with both Windows and Unix based web servers and got an overall hit rate of less than thirty percent; in other words, more often than not the test program would not detect my open web server.
WHAT IS STEALTH?
Well, for starters, stealth isn't all that. There is no such thing as “stealth” on the Internet. A TCP port is either open (the host answers the probe with SYN/ACK and the connection completes), closed (the host answers with RST; for UDP, with an ICMP port unreachable message) or silent (nothing comes back at all, because a packet filter dropped the probe, the host is down, or the packet got lost on the way). Gibson calls the latter “stealth”, which is as wrong as could be: silence tells the scanner nothing about the host behind the filter, and it tells an attacker that there is a filter worth looking at.
A false sense of security even here. Just for Mr. Gibson's records: my FTP port is not stealth, it is just not responding with an ICMP_DESTUNREACH when probed.
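To make the open/closed/silent distinction concrete, here is a small connect()-based probe, added as an example and not taken from GRC or from the original page. It maps the result of each connection attempt onto what a scanner can actually know (open, closed, ICMP unreachable, or no response), repeats a probe that got no answer because a lost SYN and a dropped one look identical from a single packet, and checks itself against a listener on a random loopback port. The hosts and ports you pass to scan() are assumptions of mine.

```python
"""TCP connect() probe that reports only what a scanner can actually know.
Added example, not GRC code; hosts/ports passed to scan() are assumptions."""
import errno
import socket

OPEN = "open"                 # three-way handshake completed: something listens
CLOSED = "closed"             # host answered our SYN with RST: nothing listens
UNREACHABLE = "unreachable"   # an ICMP error came back from the host or a router
NO_RESPONSE = "no response"   # nothing at all came back before the timeout

# A silently dropped SYN shows up either as the kernel's own ETIMEDOUT or, when
# Python's socket timeout fires first, as EWOULDBLOCK/EAGAIN from connect_ex().
_SILENT = {errno.ETIMEDOUT, errno.EWOULDBLOCK, errno.EAGAIN, errno.EINPROGRESS}
_ICMP = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify(rc: int) -> str:
    """Map a connect_ex() return code onto the four verdicts above. Only the
    first two say anything about the port itself; the others say that a packet
    was dropped or bounced somewhere on the path, which is not 'stealth'."""
    if rc == 0:
        return OPEN
    if rc == errno.ECONNREFUSED:
        return CLOSED
    if rc in _ICMP:
        return UNREACHABLE
    return NO_RESPONSE


def connect_probe(host: str, port: int, timeout: float = 2.0, retries: int = 2) -> str:
    """Probe one port. A probe that gets no answer is repeated, because a lost
    SYN and a filtered port look the same from one packet (the kind of
    one-shot miss that lets an open web server be reported as closed)."""
    verdict = NO_RESPONSE
    for _ in range(1 + retries):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                rc = s.connect_ex((host, port))
            except socket.timeout:
                rc = errno.ETIMEDOUT
            except OSError as e:
                rc = e.errno if e.errno is not None else errno.EHOSTUNREACH
        verdict = classify(rc)
        if verdict != NO_RESPONSE:
            break
    return verdict


def scan(host: str, ports) -> dict:
    """Verdict per port, e.g. scan("192.0.2.10", [21, 80, 139]) (address is a placeholder)."""
    return {p: connect_probe(host, p) for p in ports}


def loopback_demo() -> dict:
    """Constructed, self-contained check: a listener on a random loopback port
    must read OPEN; a loopback port nobody listens on must read CLOSED.
    Loopback cannot produce NO_RESPONSE unless a packet filter sits in the
    way, which is the point: silence comes from the path, not from the host."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                       # released: nothing listens there now
    try:
        return {"open_port": connect_probe("127.0.0.1", open_port),
                "closed_port": connect_probe("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    print(loopback_demo())
```

Against a host behind a filter that drops packets you get "no response" for every port, and that is all you get: the scanner has not learned that the port is absent, only that its packets went unanswered.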
I received a clean bill of health from ShieldsUp!, despite having a computer which is most likely the least secure computer ever tested by those scripts. A day later, I tried the same with the help of a friend's NeXT cube and was swamped with “you are sooo insecure” messages. Regardless of the fact that said friend's NeXT cube is about the safest place to store data I can imagine, it responds to every port probe and connect() attempt with a TCP or UDP stream saying “go away” in its packet payloads.
Gibson tends to exaggerate. His supposedly superior system does not differ much from what is already available out there in hundreds if not thousands of other incarnations. The boldest claim, however, can be spotted on his Ports page:
“If you have used ShieldsUP! in the past, you may have just noticed that the Port Probe system is much faster than ever before. This is the result of the emerging deployment of our much-anticipated NanoProbe Technology. It is finally becoming real.”
There is nothing nano about Gibson's probes. In fact, a simple traffic sniffer reveals the truth about those probes: they are merely ICMP and TCP/UDP based connect and scan attempts. Gibson has reached a state of notoriety for such claims, most recently for his GENESiS project, in which he claims to have invented the solution to DoS attacks by describing a system which has been invented, and available as Open Source, since 1995, and which is already part of hundreds of thousands of operating systems worldwide. Suffice it to say, Gibson, again his friendly self, dismisses any criticism by claiming that he (the Security Guru) had never heard of other inventions in this area. Had Mr. Gibson done the needed research, he might have come up with something really good (he has enough energy, one has to give him that), but apparently he never strays outside his own fan circle and media relations world. Gibson is not a member of any respected security effort or interest group; he is shunned inside the security profession and lives only through media appearances and a charismatic approach which has secured him the love and almost sect-like dedication of his followers.
GIBSON - THE MAN
Much has been said and written about Steve Gibson, the man behind grc.com and ShieldsUp!. If you want to read more about him, see http://www.grcsucks.com for the other side of his claims, presented by real security professionals.