Re: Windows and port scans

From: camass <camass_at_smith.edu>
Date: Mon, 18 Mar 2002 20:17:17 -0500

Dear Dr. Marat,
Black Ice Defender does not prevent signals leaving the PC, as I
understand it, while Zone Alarm prevents such traffic. Thus any program
that gets on your machine by some means will be stopped by Zone Alarm
but not Black Ice Defender.
Yours,
Charles Amass
Smith

Kirk Marat wrote:
>
> ----- Original Message -----
> From: "Woodrow Conover" <woody_at_acornnmr.com>
> To: <ammrl_at_chemnmr.colorado.edu>
> Sent: Saturday, March 16, 2002 11:31 AM
> Subject: RE: Windows and port scans
>
> > Michael Strain wrote:
> > > Don't assume that the only security threats to Windows are from e-mail
> > > viruses and worms, Back Orifice being a famous example.
> > >
> > > While it is true that UNIX systems on the net will log
> > > numerous scans everyday, it is also true that Windows systems
> > > are also scanned...you are just less likely to actually
> > > detect the scans... and the ensuant compromises.
> >
> > Very true. If you install ZoneAlarm on a windows computer, it detects
> > and shows you all port scans. There are just as many port scans of a
> > Windows box as a Linux box.
> >
> > ZoneAlarm would be a good thing to put on any Windows machine
> > connected to the internet. It does a good job of keeping the
> > port scanning script kiddies out of a Windows box. ZoneAlarm
> > will not stop email viruses.
> >
>
> Yes, Michael and Woody are quite right. The scanners usually hit a
> whole address range and therefore the Wintel boxes as well. We use
> something called Black Ice Defender, which I think is very similar to
> Zone Alarm and functions like TCP wrappers on a UNIX/LINUX box.
>
> Here are some sample log entries from my WIN 2000 machine:
>
> Time, Event, Intruder, Count
> 18/03/2002 01:56:40 AM, FTP port probe, ABoulogne-110-1-2-78.abo.wanadoo.fr, 2
> 17/03/2002 08:52:42 PM, HTTP port probe, PASTOR, 3
> 16/03/2002 07:42:24 PM, SMTP port probe, CTPP-p-144-134-37-224.prem.tmns.net.au, 1
>
> Note that my friends at wanadoo.fr are still at it...
>
> The program even digs up as much information as possible about the intruder:
> IP: 63.209.85.76
> Node: PASTOR
> Group: UPA
> NetBIOS: PASTOR 
> MAC: 005345000000
> DNS: dialup-63.209.85.76.Dial1.LosAngeles1.Level3.net
>
> What the scanners are usually looking for are known openings - usually
> buffer overflow vulnerabilities - in the daemons that are generally installed
> as default on UNIX systems (e.g. ftpd, telnetd, httpd, smtpd, etc.). The problem
> we have run into is that the owners of these systems often don't even know that
> these services are running. These services are less often installed on Windows
> systems (and certainly not as default) and this therefore USUALLY makes them
> less of a security problem. UNIX is designed as a fully multi-tasking, multi-user
> OS with remote access and sysadmin built right in, and this is what makes it
> so powerful - and such a tempting target.
>
> Back Orifice actually required software to be installed on the target machine
> in order to allow the remote access, usually arriving as a Trojan horse with
> other software. It could not, by itself, be installed by a remote attacker.
>
> Cheers
> -Kirk
>
> Kirk Marat, Ph.D.
> Dept. of Chemistry
> University of Manitoba
> Winnipeg, MB, R3T 2N2, CANADA
> ph. (204) 474-6259 FAX: (204) 474-7608
> kirk_marat_at_umanitoba.ca
Received on Mon Mar 18 2002 - 19:28:17 MST
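The Black Ice Defender entries Kirk quotes above, worked as an added example that is not part of the original thread: a small Python parser for that "Time, Event, Intruder, Count" log format. It re-joins entries that the mail client wrapped onto two lines, totals probes per intruder and per targeted service, and flags hosts seen on more than one day (the "still at it" case). The input is the three entries from Kirk's message plus one extra entry constructed here; the assumption that every record begins with a dd/mm/yyyy timestamp and that intruder names never contain commas is mine, not something the thread states.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: the three entries quoted in Kirk Marat's message,
# reproduced with the line wrapping the e-mail introduced (two intruder names
# spilled onto the following line), plus one CONSTRUCTED fourth entry so a
# repeat prober shows up.
SAMPLE_LOG = """\
Time, Event, Intruder, Count
18/03/2002 01:56:40 AM, FTP port probe,
ABoulogne-110-1-2-78.abo.wanadoo.fr, 2
17/03/2002 08:52:42 PM, HTTP port probe, PASTOR, 3
16/03/2002 07:42:24 PM, SMTP port probe,
CTPP-p-144-134-37-224.prem.tmns.net.au, 1
15/03/2002 11:02:09 PM, FTP port probe, ABoulogne-110-1-2-78.abo.wanadoo.fr, 1
"""

# Assumption: a record starts with a dd/mm/yyyy hh:mm:ss AM/PM timestamp;
# any line that does not is the tail of the previous record.
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M,")


def unwrap(lines):
    """Re-join records that were wrapped across two lines, drop the header."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("Time,"):
            continue
        if TIMESTAMP_RE.match(line):
            records.append(line)
        elif records:
            records[-1] = records[-1] + " " + line
    return records


def parse_record(record):
    """Split 'time, event, intruder, count' into typed fields."""
    fields = [f.strip() for f in record.split(",")]
    if len(fields) != 4:
        raise ValueError("unexpected field count: %r" % record)
    time_s, event, intruder, count = fields
    return {
        "time": datetime.strptime(time_s, "%d/%m/%Y %I:%M:%S %p"),
        "event": event,
        "intruder": intruder,
        "count": int(count),
    }


def parse_log(text):
    """Parse the whole log text into a list of record dicts."""
    return [parse_record(r) for r in unwrap(text.splitlines())]


def summarize(events):
    """Total probe counts per intruder and per targeted service."""
    per_intruder = Counter()
    per_service = Counter()
    for e in events:
        per_intruder[e["intruder"]] += e["count"]
        per_service[e["event"]] += e["count"]
    return per_intruder, per_service


def repeat_probers(events, min_days=2):
    """Intruders seen on at least `min_days` distinct days."""
    days = defaultdict(set)
    for e in events:
        days[e["intruder"]].add(e["time"].date())
    return sorted(h for h, d in days.items() if len(d) >= min_days)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    by_host, by_service = summarize(evs)
    for host, n in by_host.most_common():
        print("%-45s %d probes" % (host, n))
    for svc, n in by_service.most_common():
        print("%-45s %d probes" % (svc, n))
    print("seen on more than one day:", repeat_probers(evs))
```

Running the block as a script lists probe totals by host and by service; the host-level total is what you would hand to an abuse contact, since the per-line counts in the tool's own log are already partial aggregates.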

This archive was generated by hypermail 2.4.0 : Mon Jun 05 2023 - 15:01:55 MST