General discussion
March 18, 2004 at 8:57 am #2286433
Be aware of potential threats from port knocking
Locked
by maryweilage · about 19 years ago
Do you have any experience with port knocking and the types of back doors associated with it? Do you frequently use freeware or shareware? Do you agree that it’s potentially insecure? Share your comments about protecting your network from port knocking, as discussed in the March 19 Security Solutions e-newsletter.
If you haven’t subscribed to our free Security Solutions e-newsletter, sign up today!
http://nl.com.com/acct_mgmt.jsp?brand=techrepublic
All Comments
March 19, 2004 at 1:23 am #2728776
Firewall
by edlockett · about 19 years ago
In reply to Be aware of potential threats from port knocking
I agree with all the points you make. I think we will have to watch closely for this threat in the future. However, there is no need to be too worried – I think you should have mentioned that such scepticism towards software that may contain trojans need only really apply to machines connected directly to the internet. Inside a firewall of course a machine would be beyond reach of ‘port knocking’ activity. I think that current personal firewalls would protect against this threat already. So such a policy is definitely important for firewalls, and machines in the DMZ, but for others it will be less important.
I would imagine that it would be possible for firewall products / antivirus / anti-malware programs to check for processes that may be ‘listening’ for the port knocks you describe. Hopefully we will see this kind of functionality being integrated into products soon, to protect machines that are in the DMZ.
March 19, 2004 at 1:41 am #2728774
Agree 100%
by mike mullins · about 19 years ago
In reply to Firewall
Thanks for filling in the blanks Ed. Our internal networks have gotten more secure. However, it’s the home user with little or no firewall protection and the machines in our DMZ that aren’t filtered properly that are poised to do all the damage.
Mike Mullins
March 19, 2004 at 2:37 am #2728771
Need to educate casual users
by edlockett · about 19 years ago
In reply to Agree 100%
Yes, the biggest threat to networks as a whole is always going to be machines belonging to users not up to speed with security. There needs to be a way to get a simple message to the masses: get a firewall! I wonder if anybody is in the position to commission TV ads or suchlike to get the idea across?
-
-
-
March 19, 2004 at 6:15 am #2728726
Cover your tracks
by toreador · about 19 years ago
In reply to Be aware of potential threats from port knocking
I use free and share-ware all the time. After the initial download I scan the file with my A/V software. After the app is installed I run Adaware AND Spy-Bot to see what “extras” were put on my PC in the process. A fun little exercise is to run the spy-killers right before the install so you know exactly what was deposited by the free/share application when you run it afterwards. Most of the time they do not add any unwanted spies but sometimes…
-
March 25, 2004 at 3:30 pm #2693996
true but…..
by maxpower1111 · about 19 years ago
In reply to Cover your tracks
As the author pointed out, it can lie dormant until the perpetrator activates it. Suppose it’s brand new and the perpetrator distributes 10,000 copies of a given freeware containing such a payload. AV and anti-spyware do not yet have a signature file to recognize this particular string of code. Then 2 weeks down the road he/she activates all 10,000 at once. Guess what… too late. What’s done is done.
-
-
March 19, 2004 at 6:34 am #2728722
Curious
by walker_ · about 19 years ago
In reply to Be aware of potential threats from port knocking
I’m not a network admin so I’m coming at this from a home user point of view. I use a firewall, keep my anti-virus up to date, and am generally a security minded individual who tries to stay educated about the latest threats and how to combat them.
I’m troubled by something in the article – how can a dormant trojan be activated by port knocking if it’s not listening on any ports?
March 25, 2004 at 3:35 pm #2693994
passive
by maxpower1111 · about 19 years ago
In reply to Curious
Perhaps some kind of passive sniffing. If you install a sniffer on your machine and take a capture, you’ll see traffic hitting you on a number of different ports. This does not mean that your OS is “listening” on these ports, but the sniffer still sees the contents of the packet and reads what port (TCP/UDP) it is destined for.
-
-
March 19, 2004 at 8:24 am #2728694
what happen
by pberg · about 19 years ago
In reply to Be aware of potential threats from port knocking
I have McAfee (virus scan, firewall plus, privacy service, anti-spam, secure IE), and last week I was infected 2 times by a virus: NetSky.c@mm. Could it be port knocking? I am still wondering. I hope that this can be useful to others who have security tools.
-
March 19, 2004 at 11:35 am #2727945
Reply To: Be aware of potential threats from port knocking
by tin man · about 19 years ago
In reply to what happen
How often do you check for updates? The many variants are coming out weekly. If you use automatic update, check the frequency. A default could be weekly, or even monthly, and that’s not frequent enough anymore.
Also, there is a time lag (albeit short) between discovery and the various vendors adding it to their signature files. Unfortunately, we can only depend on vendors before the thing runs rampant. I routinely check my signatures at least every other day. If it’s more than 3 days old, I will do a manual check and update if a new one is available (i.e., came out between the automated updates).
-
-
March 19, 2004 at 11:47 am #2727942
Reply To: Be aware of potential threats from port knocking
by tin man · about 19 years ago
In reply to Be aware of potential threats from port knocking
The hardware firewalls I have used allow one address (computer), behind the firewall, in a DMZ. By setting a non-existent IP address in the DMZ, port scanners will not get any response, open or closed. The scan utility times out without a response and moves on. Even a “closed” response is a hit on a valid address and the scanner may try again later in case it is open then.
A “Shields Up” scan at http://www.grc.com will check your ports. By default, it checks the first ~1053 ports (most common). You can also check specific ports and other things. If it doesn’t get an “open” or “closed” on the ports, you get a “Stealth” rating.
-
March 19, 2004 at 11:50 am #2727940
Reply To: Be aware of potential threats from port knocking
by tin man · about 19 years ago
In reply to Reply To: Be aware of potential threats from port knocking
These are home use firewalls.
-
-
March 21, 2004 at 11:06 pm #2727657
something must be listening
by martykro · about 19 years ago
In reply to Be aware of potential threats from port knocking
Surely something must be listening for the port taps. Maybe it’s not replying so a port scan will not catch it but a simple “netstat” should see all ports listening on the station.
-
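An added example, not part of any post in this thread: it contrasts the two views argued above on a Linux host, the LISTEN sockets a `netstat`-style listing reports and the AF_PACKET (sniffer) sockets that receive traffic for ports nobody is listening on. The sample `/proc/net/tcp` and `/proc/net/packet` contents are constructed, and the function names are this example's own.

```python
import glob, os

# Constructed samples in the layout of /proc/net/tcp and /proc/net/packet (Linux).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20222
   2: 0A00020F:0016 0A000202:C350 01 00000000:00000000 02:000A0000 00000000     0        0 20333
"""
SAMPLE_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b0c2d4800 3      3    0003   2     1 0      0      31337
ffff9a1b0c2d5000 3      2    888e   3     1 0      0      31400
"""

def listening_tcp_ports(tcp_text):
    """Ports in LISTEN state (st == 0A): the only sockets a listener listing shows."""
    ports = set()
    for line in tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) > 3 and f[3] == "0A":
            ports.add(int(f[1].rsplit(":", 1)[1], 16))  # port is hex after the colon
    return sorted(ports)

def packet_sockets(packet_text):
    """AF_PACKET sockets; proto 0x0003 (ETH_P_ALL) receives every frame on the interface."""
    rows = (line.split() for line in packet_text.splitlines()[1:])
    return [{"proto": int(f[3], 16), "inode": int(f[8]), "sees_all": int(f[3], 16) == 3}
            for f in rows if len(f) >= 9]

def owners(inode):
    """PIDs holding this socket inode (live system; root needed for other users' fds)."""
    target = f"socket:[{inode}]"
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:  # process exited or permission denied
            pass
    return sorted(pids)

if __name__ == "__main__":
    print("listening:", listening_tcp_ports(SAMPLE_TCP))
    for s in packet_sockets(SAMPLE_PACKET):
        print("packet socket", s, "owners:", owners(s["inode"]))
```

On a live host, pass the contents of the real `/proc` files instead of the samples. Packet sockets are also held by legitimate software such as DHCP clients and capture tools, so an entry is something to attribute to a process, not proof of a back door.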
March 26, 2004 at 6:51 am #2693933
-
March 26, 2004 at 2:08 pm #2695442
Port Knocking
by rkuhn040172 · about 19 years ago
In reply to please see “passive”
Ok, so when you download the freeware or shareware, they record your IP. Big deal. All of you make so much fuss that this is a big deal for home users.
How many home users have a static IP? I have DSL and I tell it to never disconnect but it does almost daily.
And if the Trojan were to somehow transmit the “new” IP, that would be detected by the simplest of firewalls.
-
-
-
March 30, 2004 at 3:12 pm #2693824
freeware/shareware aren’t the only trouble makers
by jnemeth · about 18 years, 12 months ago
In reply to Be aware of potential threats from port knocking
This emphasis on freeware is total crap! There are known cases of commercial software shipping with viruses. There are even known cases of hotfixes from Microsoft being infected. It doesn’t matter where you get your software, there is the potential for trouble. Only the truly ignorant would place such a large emphasis on freeware/shareware.
Your final thoughts are also complete crap! Saying that you don’t have anything against freeware/shareware, followed by saying that you only use them while they serve their purpose then you replace them with something for which you’ve paid isn’t exactly a compliment. BTW, I hope you pay for the shareware you use. As for your comment about getting programs from people you don’t know, I very much doubt that you personally know all the people involved in creating all the commercial apps that you use.
As for my final thoughts, I leave an exercise for the student. Consider the history of the two most popular web servers. If you have even the slightest clue, then I won’t need to say anything more.
What I want to know is when is TechRepublic going to replace you with somebody that actually knows something about security? Most of your articles are total crap and some are even dangerous since they distract people from implementing real security solutions. With people like you, it is no wonder that the US federal government constantly receives failing grades for computer security. See House Panel Slams Federal IT Security for one of the latest reports.