[ale] how can a firewalled PC POSSIBLY be attacked?

David Tomaschik david at systemoverlord.com
Wed Jan 23 16:17:31 EST 2013 

You've already gotten a good response from Brian, but I'd like to add a few
things below...


On Wed, Jan 23, 2013 at 11:07 AM, Ron Frazier (ALE) <
atllinuxenthinfo at techstarship.com> wrote:

> **
> Hi David,
>
> Thanks for the info.  I want to get some clarification on a couple of
> things.  See below.
>
> Sincerely,
>
> Ron
>
>
> On 1/23/2013 12:57 PM, David Tomaschik wrote:
>
> On Wed, Jan 23, 2013 at 8:08 AM, Ron Frazier (ALE) <
> atllinuxenthinfo at techstarship.com> wrote:
>
>> Hi all,
>>
>> I appreciate all who've responded to this to shed a little light on it
>> for me.  It's very complex, and each answer seems to open up new questions.
>>  I guess I'll have to review the OSI model that I learned about years ago
>> and look at some of the low level protocols.
>>
>> Tell me if the following are true.  Assume I'm at my home network.  Even
>> though it's more complex than this, say I had one wifi router with 4 port
>> switch connected to the cable modem.  Suppose I wanted to run wireshark to
>> monitor things.  All PC's, tablets, dvr's, etc are attached via wifi.  The
>> printer is attached to the 4 port switch using a wire.
>>
>> * If I attach my laptop to the switch with a wire and run wireshark, I
>> would see only the traffic to / from my pc's ip address and nothing else,
>> except for broadcast traffic like ARP, etc, and then only what the switch
>> is programmed to forward.  I would not, for example, see traffic destined
>> for the printer unless I'm sending it.
>>
>
>  It's actually all traffic destined to your PC's MAC address and the
> broadcast MAC (FF:FF:FF:FF:FF:FF).  Switches are Layer 2 devices, they
> don't know about IP.  (Yes, some devices are branded as "Layer 3 switches",
> but it's unlikely that you have one of those in your house.)
>
>
>>
>> * If my laptop is attached via wifi, then wireshark will see everything
>> ANY PC on the same wifi ssid is sending or receiving, including traffic to
>> / from the printer or to / from the internet.
>>
>
>  Yes, but it's not straightforward.  With WEP or unecrypted wifi, it's
> just as easy as running Wireshark -- all packets are visible to all
> clients. With WPA-PSK, there's a per-client, per-session key, but if you
> have the PSK, you can derive the client and session keys *IF* you captured
> the handshake: http://wiki.wireshark.org/HowToDecrypt802.11  With WPA
> Enterprise (802.1x) the keys are derived more securely, and you'd need
> access to the keystore to decrypt other client's packets.
>
>
>
> Let's say I'm at my house, or at the local coffee shop.  All the wifi is
> running WPA PSK.  I know the password.  I log onto the wifi and start
> wireshark.  I'm able to observe and capture other machines logging on,
> whether they're mine or someone else's.  I am thus able to capture their
> logon handshake sequences.  Are you saying that I would then be able to
> decrypt, on the fly, all the wifi traffic traversing to and from that SSID,
> except that which is using SSL or a VPN, etc.?  That's very disconcerting
> for the coffee shop scenario.
>

Yes, that's exactly the case.  WPA PSK is a "Pre Shared Key" so anyone with
that key can decrypt any other traffic with that key.  Because of the way
the session key is generated (the only parameters other than the PSK used
are transmitted in the clear) anyone who captures the handshake + has the
PSK can re-generate the session key.  Known session key = decryptable
traffic.


> Let's say I'm at a place with open wifi, like McDonalds.  You have to
> agree to their TOS to get on, but there's no password.  In that case, then,
> all the traffic in the room is clearly visible, and readable, and copyable,
> including mine, unless I'm using SSL or a VPN.
>
>
Yes.


> Just to clarify that.  Let's say I go log on at McDonalds.  I start up
> Google, type in "horse", link to a wikipedia article, then display a
> picture of a horse.  Anyone within radio range of the hotspot could monitor
> and observe everything I'm doing, correct?
>
>
Yes.  See "Cookie Cadger" and "Firesheep".


> What about email?  My Eudora OSE client settings for POP and SMTP are set
> to SSL / TLS.  But there is a check box that says Secure Authentication,
> and that is off. On my tablet, the menus are different.  There is a
> settings option that I have set to SSL always.  But, there is also an
> authentication option which is set to plain for getting mail and login for
> sending mail.  Does that mean that my email can or cannot be snooped on?
>

SSL and TLS protect the entire channel.  Unless you accept an invalid cert,
someone has a valid cert (i.e., compromised CA), or there is a flaw
discovered in SSL/TLS, the data within that channel is relatively safe.
 (Modulo side channel attacks, but I don't know of any practical side
channels on SSL/TLS.)


>
> If I'm using the browser, once I establish an HTTPS connection, with my
> bank, for example, I'm assuming that connection is no longer snoopable,
> even if I'm at McDonalds.  Correct?
>

In theory, yes.  Of course, you have to make sure everything you're doing
is over SSL (HTTPS).  For one, just going to "www.bank.com" (without typing
https://) often lands you on an HTTP version of the page, and then when you
log in it goes to SSL.  The problem being that it's trivial to intercept
your HTTP request and rewrite it so the submission ALSO goes over HTTP.

Worse yet is mixed-mode content, which Brian alluded to, but I don't think
he sees it as a big threat.  On any given website, there are requests for
the body of the page (the main request) and additional requests for any JS
or images used on the page.  Sure, your credentials are in that main
request and should be relatively safe, but there's a LOT of risk from the
mixed-mode content.  Unless cookies are properly protected (i.e., set to
https only) they will be sent over those HTTP channels as well, and often
that's enough to impersonate a session (Firesheep and Cookie Cadger as
examples, again).  Even if the cookies were done correctly, having
javascript sent in the clear is bad -- anyone who is MITMing the connection
can modify the JS and send you malicious JS with the "origin" of your banks
website.  In other words, that JS can send cookies elsewhere, log
keystrokes, etc.


>
> I'm also assuming that NONE of my traffic is snoopable once I bring up a
> VPN.  Correct?
>
>
If your VPN sets up the default route to go over the VPN -- not all do.
 (Though commercial services sold for privacy/security generally do.
Corporate VPNs are sometimes set up as "split tunnel": only traffic to the
corporate network goes through the VPN, saving their bandwidth.)


>
>
>> * The only way to monitor everything on the network would be to attach a
>> HUB to the cable modem, attach wireshark to the hub with a wire, then
>> attach the wifi router to another port on the hub.  But, no, then I'd only
>> see traffic to / from the internet.  Traffic routed solely by the wifi
>> router, between devices, or to the printer, would not be seen.  Also, the
>> PC would be directly exposed to the internet and would be in potential
>> danger.
>>
>
>  You could also use a PC with 2 NICs in bridging mode, but you still need
> to be between the two machines whose traffic you want to see.  If you have
> a nice router (or use something like OpenWRT/DD-WRT) you might be able to
> put one NIC port into "mirror" or "monitor" mode where the switch copies
> all packets to that port.  Something like this works:
> http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/
> (Actually uses iptables rather than the built-in switch, but the concept is
> the same.)
>
>
>>
>> * What I'm getting from the prior discussion about firewalls is that, if
>> any packets come into the NIC, and it triggers an interrupt presumably,
>> then certain parts of the system software, the tcp/ip stack, are triggered
>> to deal with the packet even if it's a low level protocol like ARP.  Higher
>> level software in the system, like the firewall, doesn't even see it, and
>> can't filter it.  However, vulnerabilities may exist even at that low level
>> that could allow the PC to be compromised.
>>
>
>  Yes, every packet not dropped by the NIC will be processed in some
> fashion, generally by at least the Ethernet/Wifi stack and the firewall
> code itself.
>
>
>>
>> * Regarding what Windows or Mac does, you COULD disassemble the
>> executables in the networking stack to see what happens, although it would
>> be incredibly tedious and complicated and time consuming to do so.
>>
>> By the way, I think it's a stretch to say no Windows PC is safe (enough)
>> on the internet.  Even if 1/3 are infected, as stated on the Going Linux
>> podcast, which is truly horrible if true, then the other 2/3 are not
>> infected, which amounts to about 700 million users.  And, most of those are
>> probably not even configured properly for maximum safety.
>>
>> I do all the following on my PC's, whether Windows or Linux as
>> applicable.  I think I'm fairly safe.  I'm sure I could always do better.
>>  If you think I'm missing something critical, let me know.  I will admit
>> that very few users have done all these things, thus, they are more
>> vulnerable.
>>
>> <snip>
>>
>> Well, that's all I can think of at the moment.  Hopefully, that's enough.
>>  Did someone say I wasn't paranoid enough.
>>
>> I'm more concerned when I'm in a restaurant or something, since I don't
>> have control over their router.  I'm sure there is a nat firewall.
>>  However, I'm still on the same lan as everyone else on the wifi.  The only
>> thing I know to do there, other than what I've already done to the pc, is
>> to crank up hotspot vpn, which I have a subscription to.  At the moment, I
>> know how to do that in Windows, but not in Linux.
>>
>> It would be interesting to know if the wifi nic responds to any local lan
>> traffic once the vpn is up.
>>
>
>  Sure it will.  It will still process packets.  After all, it doesn't
> "know" anything about a VPN.
>
>
>
> So, if I'm connected to the wifi at a coffee shop and I have the VPN up
> and running, no one can snoop on my traffic.  However, if there is a
> vulnerability to attack in the networking stack or the firewall, then that
> vector is still there and the VPN doesn't protect me from that?
>

That's correct.


>
>
>
>> Sincerely,
>>
>> Ron
>
>
>
>
>  --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
>
> --
>
> (To whom it may concern.  My email address has changed.  Replying to former
> messages prior to 03/31/12 with my personal address will go to the wrong
> address.  Please send all personal correspondence to the new address.)
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new email messages very quickly.)
>
> Ron Frazier
> 770-205-9422 (O)   Leave a message.
> linuxdude AT techstarship.com
>
>
>


-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130123/ebd403d2/attachment-0001.html>

More information about the Ale mailing list