[ale] how can a firewalled PC POSSIBLY be attacked?

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Wed Jan 23 14:07:01 EST 2013


Hi David,

Thanks for the info.  I want to get some clarification on a couple of 
things.  See below.

Sincerely,

Ron

On 1/23/2013 12:57 PM, David Tomaschik wrote:
> On Wed, Jan 23, 2013 at 8:08 AM, Ron Frazier (ALE) 
> <atllinuxenthinfo at techstarship.com 
> <mailto:atllinuxenthinfo at techstarship.com>> wrote:
>
>     Hi all,
>
>     I appreciate all who've responded to this to shed a little light
>     on it for me.  It's very complex, and each answer seems to open up
>     new questions.  I guess I'll have to review the OSI model that I
>     learned about years ago and look at some of the low level protocols.
>
>     Tell me if the following are true.  Assume I'm at my home network.
>      Even though it's more complex than this, say I had one wifi
>     router with 4 port switch connected to the cable modem.  Suppose I
>     wanted to run wireshark to monitor things.  All PC's, tablets,
>     dvr's, etc are attached via wifi.  The printer is attached to the
>     4 port switch using a wire.
>
>     * If I attach my laptop to the switch with a wire and run
>     wireshark, I would see only the traffic to / from my pc's ip
>     address and nothing else, except for broadcast traffic like ARP,
>     etc, and then only what the switch is programmed to forward.  I
>     would not, for example, see traffic destined for the printer
>     unless I'm sending it.
>
>
> It's actually all traffic destined to your PC's MAC address and the 
> broadcast MAC (FF:FF:FF:FF:FF:FF).  Switches are Layer 2 devices, they 
> don't know about IP.  (Yes, some devices are branded as "Layer 3 
> switches", but it's unlikely that you have one of those in your house.)
>
>
>     * If my laptop is attached via wifi, then wireshark will see
>     everything ANY PC on the same wifi ssid is sending or receiving,
>     including traffic to / from the printer or to / from the internet.
>
>
> Yes, but it's not straightforward.  With WEP or unencrypted wifi, it's 
> just as easy as running Wireshark -- all packets are visible to all 
> clients. With WPA-PSK, there's a per-client, per-session key, but if 
> you have the PSK, you can derive the client and session keys *IF* you 
> captured the handshake: http://wiki.wireshark.org/HowToDecrypt802.11  
> With WPA Enterprise (802.1x) the keys are derived more securely, and 
> you'd need access to the keystore to decrypt other clients' packets.

Let's say I'm at my house, or at the local coffee shop.  All the wifi is 
running WPA PSK.  I know the password.  I log onto the wifi and start 
wireshark.  I'm able to observe and capture other machines logging on, 
whether they're mine or someone else's.  I am thus able to capture their 
logon handshake sequences.  Are you saying that I would then be able to 
decrypt, on the fly, all the wifi traffic traversing to and from that 
SSID, except that which is using SSL or a VPN, etc.?  That's very 
disconcerting for the coffee shop scenario.

Let's say I'm at a place with open wifi, like McDonalds.  You have to 
agree to their TOS to get on, but there's no password.  In that case, 
then, all the traffic in the room is clearly visible, and readable, and 
copyable, including mine, unless I'm using SSL or a VPN.

Just to clarify that.  Let's say I go log on at McDonalds.  I start up 
Google, type in "horse", link to a wikipedia article, then display a 
picture of a horse.  Anyone within radio range of the hotspot could 
monitor and observe everything I'm doing, correct?

What about email?  My Eudora OSE client settings for POP and SMTP are 
set to SSL / TLS.  But there is a check box that says Secure 
Authentication, and that is off. On my tablet, the menus are different.  
There is a settings option that I have set to SSL always.  But, there is 
also an authentication option which is set to plain for getting mail and 
login for sending mail.  Does that mean that my email can or cannot be 
snooped on?

If I'm using the browser, once I establish an HTTPS connection, with my 
bank, for example, I'm assuming that connection is no longer snoopable, 
even if I'm at McDonalds.  Correct?

I'm also assuming that NONE of my traffic is snoopable once I bring up a 
VPN.  Correct?

>
>     * The only way to monitor everything on the network would be to
>     attach a HUB to the cable modem, attach wireshark to the hub with
>     a wire, then attach the wifi router to another port on the hub.
>      But, no, then I'd only see traffic to / from the internet.
>      Traffic routed solely by the wifi router, between devices, or to
>     the printer, would not be seen.  Also, the PC would be directly
>     exposed to the internet and would be in potential danger.
>
>
> You could also use a PC with 2 NICs in bridging mode, but you still 
> need to be between the two machines whose traffic you want to see.  If 
> you have a nice router (or use something like OpenWRT/DD-WRT) you 
> might be able to put one NIC port into "mirror" or "monitor" mode 
> where the switch copies all packets to that port.  Something like this 
> works: 
> http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/  
> (Actually uses iptables rather than the built-in switch, but the 
> concept is the same.)
>
>
>     * What I'm getting from the prior discussion about firewalls is
>     that, if any packets come into the NIC, and it triggers an
>     interrupt presumably, then certain parts of the system software,
>     the tcp/ip stack, are triggered to deal with the packet even if
>     it's a low level protocol like ARP.  Higher level software in the
>     system, like the firewall, doesn't even see it, and can't filter
>     it.  However, vulnerabilities may exist even at that low level
>     that could allow the PC to be compromised.
>
>
> Yes, every packet not dropped by the NIC will be processed in some 
> fashion, generally by at least the Ethernet/Wifi stack and the 
> firewall code itself.
>
>
>     * Regarding what Windows or Mac does, you COULD disassemble the
>     executables in the networking stack to see what happens, although
>     it would be incredibly tedious and complicated and time consuming
>     to do so.
>
>     By the way, I think it's a stretch to say no Windows PC is safe
>     (enough) on the internet.  Even if 1/3 are infected, as stated on
>     the Going Linux podcast, which is truly horrible if true, then the
>     other 2/3 are not infected, which amounts to about 700 million
>     users.  And, most of those are probably not even configured
>     properly for maximum safety.
>
>     I do all the following on my PC's, whether Windows or Linux as
>     applicable.  I think I'm fairly safe.  I'm sure I could always do
>     better.  If you think I'm missing something critical, let me know.
>      I will admit that very few users have done all these things,
>     thus, they are more vulnerable.
>
>     <snip>
>
>     Well, that's all I can think of at the moment.  Hopefully, that's
>     enough.  Did someone say I wasn't paranoid enough?
>
>     I'm more concerned when I'm in a restaurant or something, since I
>     don't have control over their router.  I'm sure there is a nat
>     firewall.  However, I'm still on the same lan as everyone else on
>     the wifi.  The only thing I know to do there, other than what I've
>     already done to the pc, is to crank up hotspot vpn, which I have a
>     subscription to.  At the moment, I know how to do that in Windows,
>     but not in Linux.
>
>     It would be interesting to know if the wifi nic responds to any
>     local lan traffic once the vpn is up.
>
>
> Sure it will.  It will still process packets.  After all, it doesn't 
> "know" anything about a VPN.

So, if I'm connected to the wifi at a coffee shop and I have the VPN up 
and running, no one can snoop on my traffic.  However, if there is a 
vulnerability to attack in the networking stack or the firewall, then 
that vector is still there and the VPN doesn't protect me from that?

>
>     Sincerely,
>
>     Ron
>
>
>
>
> -- 
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com <mailto:david at systemoverlord.com>
>

-- 

(To whom it may concern.  My email address has changed.  Replying to former
messages prior to 03/31/12 with my personal address will go to the wrong
address.  Please send all personal correspondence to the new address.)

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
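As an added illustration of the hub / switch / mirror-port distinction discussed in the thread above (this is not code from the list or from either poster), the small Python model below replays constructed Ethernet frames through a hub, a learning Layer 2 switch, and a switch with a mirror (SPAN) port, and reports what a sniffer wired to port 1 would capture. Hosts, MAC addresses and traffic are made up; it also shows one nuance the thread does not spell out: a switch floods unicast frames to destinations whose port it has not learned yet, so a sniffer can briefly see traffic not addressed to it.

```python
"""Which frames reach a monitoring station on port 1 through a hub, a learning
Layer 2 switch, and a switch with a mirror port.  Constructed example."""
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst payload")

class Hub:
    """A hub repeats every frame out of every port except the ingress port."""
    def __init__(self, ports):
        self.ports = list(ports)
    def forward(self, ingress, frame):
        return [p for p in self.ports if p != ingress]

class LearningSwitch:
    """Learns source MAC -> port.  Unicast to a learned MAC goes to that port only;
    broadcast or unknown destinations are flooded.  Optional mirror port gets a copy."""
    def __init__(self, ports, mirror=None):
        self.ports, self.mirror, self.mac_table = list(ports), mirror, {}
    def forward(self, ingress, frame):
        self.mac_table[frame.src] = ingress              # learn where src lives
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            egress = [p for p in self.ports if p != ingress]   # flood
        else:
            egress = [self.mac_table[frame.dst]]               # unicast only
        if self.mirror not in (None, ingress) and self.mirror not in egress:
            egress.append(self.mirror)                         # SPAN copy
        return egress

def seen_by(device, port_of, frames, monitor_port):
    """Replay frames through the device; return payloads delivered to monitor_port."""
    return [f.payload for f in frames if monitor_port in device.forward(port_of[f.src], f)]

# Constructed LAN: the laptop running the sniffer is wired to port 1.
LAPTOP, PC, PRINTER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
PORT_OF = {LAPTOP: 1, PC: 2, PRINTER: 3}
FRAMES = [
    Frame(LAPTOP, BROADCAST, "arp from laptop"),
    Frame(PC, BROADCAST, "arp from pc"),
    Frame(PC, PRINTER, "print job 1"),   # printer MAC not learned yet -> flooded
    Frame(PRINTER, PC, "print ack"),     # pc MAC already learned -> unicast only
    Frame(PC, PRINTER, "print job 2"),   # printer MAC now learned -> unicast only
    Frame(PC, LAPTOP, "ssh to laptop"),  # addressed to the monitor -> delivered
]

def scenario():
    ports = [1, 2, 3]
    return {"hub": seen_by(Hub(ports), PORT_OF, FRAMES, 1),
            "switch": seen_by(LearningSwitch(ports), PORT_OF, FRAMES, 1),
            "switch_mirror": seen_by(LearningSwitch(ports, mirror=1), PORT_OF, FRAMES, 1)}
```

Running `scenario()` shows the hub and the mirrored switch delivering all five frames from other hosts to the sniffer, while the plain switch delivers only the broadcast, the one flooded print job, and the frame addressed to the laptop.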
