OT: About Hackers and Your PC

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

Two things:

Someone on an earlier thread had asked about the ZoneAlarm PC security program. I had tried ZoneAlarm a while back after a particularly nasty hacker attack that ended in a crashed system and extremely frayed nerves. While the program seemed to be effective, it had so many whistles and bells that my system ran slow and regularly suffered from annoying glitches. I uninstalled it before the 30-day trial period had even concluded.

I tried several other security programs and ended up with NukeNabber. Thus far, I'm *thrilled* with its performance. It's a very simple but effective program that quietly runs in the background. When an intruder attempts to compromise your system a loud gunshot .wav file notifies you of their presence. This occurred to me last night (the fourth time in as many months) and I immediately disconnected my modem so the Bad Guy wouldn't have the opportunity to do any malicious mischief. (Isn't THAT a polite euphemism? lol)

NukeNabber also has a log file that time stamps the intrusion and provides the necessary routing information to report the incident, which I did in last night's instance. Today I got a response to my incident report that confirmed that their system had been compromised, proving the effectiveness of NukeNabber. NukeNabber definitely gets my "Thumbs Up" in the security department and I encourage you to check it out. (Sorry, no time to dig up a URL)

2) There was an earlier thread that linked to an article about Malicious Code on About.com. The article recommended disabling Java and Javascript as a security precaution (something I had done after the first hacker trashed my system.) At the end of the Malicious Code article there was a small box with several links to related stories. One story looked interesting so I clicked through. All of a sudden I'm zipped onto a new page with "Winner...Winner...Winner..." screaming at me at the top of the screen. The page also asked me to "log in" with my name, address, and password.

I was somewhat taken aback and suspicious of this message because I didn't HAVE an About.com account or password nor was I about to give that information out to an unknown entity so I blew off the "log in" and immediately clicked where indicated to collect my "prize" - an MP3 gizmo. Well, wouldn't you know it but Netscape hung up and the URL never connected. I only had the partial URL that shows up when you pass your mouse over the task bar so I wasn't able to reload and try the connection again.

If, indeed, this was a legitimate prize, I wanted it, dammit, so I used the back button to return to the link that had delivered me to the prize page in the first place. I figured I could click the same story in the links box and return back to the "Winner...Winner...Winner..." message - BUT THE LINKS BOX WASN'T THERE ANY LONGER! Poof. Gone. In its place was a "Sound Off" request for reader response.

What? What happened to the links box? Was this a real contest? Was I a real "Winner"? Or was this some hacker's attempt at the ultimate irony? I mean, if I was a hacker I'd be LMAO to trap unsuspecting victims as they read an article on security that attempted to STOP them!

So I wrote to About.com's "Guide" about what I had just experienced. He (amazingly) responded within twenty minutes, somewhat surprised with what I had told him. He didn't know what was going on. He apparently wasn't aware of any contest, nor was he aware of any links box at the end of the Malicious Code article, so he asked for the specific URLs I had used so he could investigate further. This was early this morning and I haven't heard back from him yet.

This whole Contest incident may be the Real Deal and it may have been an innocent glitch in the system but it still serves as a good example to be CAREFUL out there, people! As we zip around our cyber community with wild abandon we assume that hacker attacks happen to Someone Else. "What would a hacker want with ME?" you may think. "There's nothing in my system of value." Well, the hackers don't necessarily want anything in *your* system, they just want to use it as a portal to get to OTHER systems and effectively cover their tracks. This was the case in my very first hacker encounter and is probably the norm.

So to anyone who hasn't already done so, disable your Java/Javascript as you surf, install a security program like NukeNabber, and never, never, NEVER "Talk to strangers" by giving out your confidential information to an unidentified entity. I know this is Common Sense but you'd be surprised by the folks who don't bother to take security precautions only to get stung later in the game. I know 'cuz I was once one of them!


Is this a *real* "winner" or am I a victim of ultimate irony (reading about malicious code and all)?

If this IS a real "winner", could you please direct me to whomever I need to contact to claim my prize? (A full URL would be helpful.)

-- LunaC (LunaC@LunaC.com), February 10, 2000



Are you using a cable or dsl connection? I understand the risk is primarily for cable and dsl users.

Thanks, Tony D.

-- Tony D. (tonyd@number1.com), February 10, 2000.

FWIW, NukeNabber 2.9 is about 2/3 down THIS page:


(The "homepage" link on the entry didn't work for me, and since I've already downloaded TClockEx and SocketWatch this evening, I figure I should try to cut back a little while there's still some space left on my hard drive...)

-- I'm Here, I'm There (I'm Everywhere@so.beware), February 10, 2000.

This seems to be the current 'homepage' -- NukeNabber 2.9b for Windows95/98/NT

-- Tom Carey (tomcarey@mindspring.com), February 10, 2000.

Tony - I've got a regular dial-up modem connection.


-- LunaC (LunaC@LunaC.com), February 11, 2000.

Quick update on ZoneAlarm 2.0.xx:

Apparently, according to what I've read on the message board on Steve Gibson's "Shields UP!" site (LINK), Zone Labs is working on ironing out the bugs that have been reported. I think the current quasi-beta release of ZoneAlarm is up to 2.0.15 as of this writing (LINK_to_Zone_Labs). (2.0 was just released around mid-January of this year.) Steve Gibson hasn't given it a complete thumbs-up yet, but it appears to look promising from his point of view, meaning he may not have to write his own firewall after all.

(Me, I'm still just sitting here looking at my new nifty little clock, marveling at the fact that it's now being kept in sync with time servers all over the world. Don't say it: I desperately need a life.)

-- I'm Here, I'm There (I'm Everywhere@so.beware), February 11, 2000.

This is like the radar vs radar-gun wars that speeders have going with the cops. Whatever you do, something better is coming along next year or next month.

If you want to stay safe, stay disconnected. Don't hook your home PC to the web or to a phone line. If you want to get on the web, have a standalone PC that's used for only that purpose, and that has nothing on it you want protected from view. No letters, no SSNs, nothing you'd mind having plastered on a billboard.

The only way to win the war is to stay out of the fight.

-- bw (home@puget.sound), February 11, 2000.


I checked out NukeNabber. It appears that this software does no more than Jammer [discussed in another thread]. It notifies you when someone is scanning your system, but it does absolutely NOTHING to prevent someone from activating a Trojan horse virus if it exists on your system. The author of the freeware said that a blocker WOULD be included in a new release, however, if you look at "What's new?", you'll see that the author hasn't done anything much since 1998. Nowhere is there anything to indicate that the blocker has been added.

Personally, after using Jammer for about a month, I grew tired of sending E-mail to abuse@blah.blah. The ISPs may/may not have discontinued their service based on my complaints. I'm sure they just moved along to another server.

If Puppet decides to include the blocker, NukeNabber would certainly be worthwhile, but in the meantime I simply ensure that my virus scanner is kept up-to-date and run it frequently to verify that I don't have the Trojan Horse that these folks are looking to activate.

-- Anita (notgiving@anymore.thingee), February 11, 2000.

Anita - I use NukeNabber to prevent hackers from getting into my system in the first place! They can't activate a Trojan if they can't plant it!

-- LunaC (LunaC@LunaC.com), February 12, 2000.


You don't seem to understand how one acquires a Trojan Horse.

Look at one Trojan Horse description provided by Symantec:

Trojan Horse description

Note carefully the paragraph that states:

"Back Orifice 2000, which may be sent as an e-mail attachment to an unsuspecting user, manually installed on a computer, or secretly hidden in programs on the Internet, is a tool consisting of two main pieces: a client application and a server application. The client application, running on one machine, can be used to monitor and control a target machine running the server application. The client can then perform various operations that might compromise the security of the targeted computer, such as execute any application on the target machine; log keystrokes from the target machine, restart or lock up the target machine; view the contents of any file on the target machine; transfer files to and from the target machine; and display the screen saver password of the current user of the target machine. "

Look at Puppet's Q/A regarding what NukeNabber does [and doesn't do.]

Puppet's FAQ

Note carefully the following:

"What does NukeNabber do?

NukeNabber listens on specified ports and for ICMP destination unreachable. Upon seeing a connection, it will wait ~10 seconds and read up to 1k of data. Any more than 1k is simply thrown away and the port is closed. Optionally, a sound is played, a message is sent to your irc client and various reports are generated in an attempt to gather information about the attacker. There are some special conditions such as with ICMP dest_unreach. ICMP does not use ports and so it cannot be "shut down". NukeNabber simply ignores the incoming data for a specified amount of time to avoid being flooded.

What doesn't NukeNabber do?

NukeNabber does not act as a firewall. It will not block potentially damaging packets before they can crash your system. That is why you must be patched for NukeNabber to work. The next planned version of NukeNabber will be able to block ports. "

Puppet goes on to tell you where you can obtain the patches for Windows, and gives other information on what alarms to ignore. Jammer had the same problem with putting out false alarms.

So if NukeNabber only monitors but doesn't block anything what good is it?

It was my intention to make a detector and not a blocker from the beginning. It is my opinion that knowing your attacker is 90% of the battle. The next version of NukeNabber will provide the ability to block ports.

----end of quoted portions of Puppet's FAQ ---------

The FAQ hasn't been updated since 1998, and the latest version mentioned therein is 2.9b. There's a warning on the "patches" page that 3.0 [if you see it somewhere] has a Trojan attached.

How do I protect myself?

Install the patches for your OS. Consider using a firewall or router.

Windows Patch Page

If you look at the Windows patch page, you'll notice that there IS a patch for Windows '95 as well. Ensure that you have these patches on your machine as well as an appropriate virus checker to eliminate Trojans. NukeNabber does NOT prevent anything from being put on your machine. It simply warns you that someone is looking to see if your machine is vulnerable.

As I said in my previous post, Luna, you may choose to keep track of who is checking the vulnerability of your machine, and report them to their ISPs. Personally, I'd rather take the steps to make my machine as secure as possible and not worry about someone poking around.

-- Anita (notgiving@anymore.com), February 12, 2000.
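The listen-and-log behaviour quoted from the FAQ in the post above (accept a connection, wait a bounded time, keep at most 1k of data, close, report the source), for TCP only, as an added example; it is not NukeNabber's code and not from any poster in this thread. The function names, record fields and the loopback demo are assumptions, and ICMP handling, sounds and IRC notices are left out. Like the tool the FAQ describes, it detects and records but blocks nothing.

```python
import socket
import threading
import time
from datetime import datetime, timezone

MAX_CAPTURE = 1024    # FAQ: "read up to 1k of data"
WAIT_SECONDS = 10.0   # FAQ: "wait ~10 seconds"

def handle_probe(conn, addr, local_port, wait=WAIT_SECONDS):
    """Log one inbound connection: keep at most MAX_CAPTURE bytes, then close."""
    data, deadline = b"", time.monotonic() + wait
    try:
        while len(data) < MAX_CAPTURE:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            conn.settimeout(remaining)
            chunk = conn.recv(MAX_CAPTURE - len(data))
            if not chunk:          # peer closed its side
                break
            data += chunk
    except OSError:                # timeout or reset: keep what we have
        pass
    finally:
        conn.close()               # anything past 1k is never read
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src_ip": addr[0], "src_port": addr[1], "dst_port": local_port,
        "captured": len(data), "preview": data[:32],
    }

def watch(srv, log, events, wait=WAIT_SECONDS):
    """Accept `events` connections on a listening socket and log each one."""
    for _ in range(events):
        conn, addr = srv.accept()
        rec = handle_probe(conn, addr, srv.getsockname()[1], wait)
        log.append(rec)
        print("ALERT {time} {src_ip}:{src_port} -> port {dst_port} "
              "({captured} bytes kept)".format(**rec))

def demo(payload=b"A" * 2000, wait=1.0):
    """Constructed local test: connect to our own listener on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # port 0 = any free port (demo only)
    srv.listen(5)
    log = []
    t = threading.Thread(target=watch, args=(srv, log, 1, wait))
    t.start()
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(payload)         # constructed payload, larger than 1k
    t.join()
    srv.close()
    return log[0]

if __name__ == "__main__":
    demo()
```

The timestamp and source address in each record are what an abuse report to the sender's ISP would need; the listener only observes, so patching and closing unused ports remain separate steps.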


Forgive me. The following was my add to Puppet's FAQ, not one of his quotes.

"Puppet goes on to tell you where you can obtain the patches for Windows, and gives other information on what alarms to ignore. Jammer had the same problem with putting out false alarms."

-- Anita (notgiving@anymore.thingee), February 12, 2000.

Anita - Uh...I never said anything about Trojans, dear. I appreciate your efforts but I'm very well aware of how Trojans access a system, as indicated in the FAQs you went out of your way to dig up.

First of all, I think even newbies have gotten the message that it's a cardinal sin to open email attachments from strangers. Personally, I don't even open attachments from friends without scanning them first. As for picking up a Trojan "secretly hidden in the net", please reread my original post. I rarely, if ever, surf with Java/Javascript enabled which is the method of choice for sneaking into a system. However there are occasionally circumstances where it can't be avoided and in those instances I scan my system afterwards with a virus checker that also scans for Trojans. So, as you can see, it's unlikely I'll be exposed to a Trojan in the first place and even if I did manage to pick one up, I'd be aware of it and able to rectify it immediately.

Again, if you reread my original post, I was addressing the random hacker that wanders in, attempting to access one's machine to use as a portal. THOSE are the incidents that I use NukeNabber for. And since I practice a certain amount of awareness and I'm not stone deaf, I can hear the warning .wav when an attacker has crossed the perimeter and disconnect the modem before any damage is done. I don't need a program to do that for me, especially when many programs eat up memory, bog down my system and invariably cause annoying glitches or crashes. If that's your cup of tea, have at it! But from my perspective, a little caution and a healthy dose of common sense works just as well and my system is far happier for it!

-- LunaC (LunaC@LunaC.com), February 13, 2000.

Oh, Anita, I almost forgot...where in the world are you surfing the net that you'd be exposed to *so* many system intrusions that the mere act of complaining to your ISP wore you out within a month? I've been on the net for YEARS and I've never experienced as many intrusions as you describe.

As for the "false alarms" you complained about...those originated from a program other than NukeNabber, right? And you've never actually *used* NukeNabber so you don't know it firsthand. You're just ::ahem:: ass-uming that it mimics whatever other program you had been running. Well, let me tell you that I've *never* had a false alarm with NukeNabber. In each and every case NukeNabber notified me of an intruder, it was the Real Deal. So speaking from *personal* experience (rather than comparing apples and oranges) NukeNabber is still a good bet in my book.

And who the hell is this "Puppet" that you idolize and worship?

-- LunaC (LunaC@LunaC.com), February 13, 2000.


Puppet is the author of NukeNabber. The false alarms were posted by HIM and referred to false alarms put out by NukeNabber. In fact, everything I stated was presented by the author of this software. It can all be found in the NukeNabber links.

-- Anita (notgiving@anymore.com), February 13, 2000.

Anita - if that's the case then the Luck of the Gods have been on my side. (for a change! lol)

Since you like your computer locked down tight you might want to check out the new "Black Ice" if you haven't already done so. It monitors the activity at the ports and if it sees anything (and I mean ANYTHING) it notifies you to take action. But here's the real beauty of this one...when you send out a ping it turns the tables on your attacker and locks up *their* machine. While I don't like the way security programs bog down my system I must admit...the concept of delivering Instant Karma has a certain appeal and enticement!

-- LunaC (LunaC@LunaC.com), February 13, 2000.


Since another thread was started regarding hackers and an individual user's PC today, I couldn't help but notice that Black Ice Defender was mentioned both by you and another. I then researched Black Ice. I read multiple articles about the product, including the vendor's description, press releases, newsgroup experiences, etc. In NONE of those did I see anything about the shutdown of the hacker that you suggested in your post. Your ports are simply seen as CLOSED to anyone scanning your system. You can close your ports yourself if you follow the instruction in the link provided by Rocky.

The price for the software is indeed $39.95. Of course if you want to continue with the software, each year another $19.95 is added for "maintenance upgrades."

I can do other things with $40.00, Luna. My system [as indicated by Steve Gibson's software] is tight as a drum without a firewall. I DID have a hole in port 139, and this was perhaps the port through which I received the scans I mentioned previously. WHERE you go on the internet, Luna, is NOT a factor. As soon as you log in someone can start scanning your open ports. The tone of your posts suggests that you're not really so interested in protecting your system as you are in retaliating to someone who dares to look in the windows which you, yourself, left open.

-- Anita (notgiving@anymore.thingee), February 14, 2000.

If you want to keep out the attacks, run on an O/S that isn't riddled with security holes, like Linux (Linux DOES have security holes but they are considerably harder to exploit than the windoze ones). Set a tight security policy. Disallow access via unsecure ports. Deactivate un-used / non-critical services. If you insist upon using windoze for every day purposes think about running a linux box as a firewall before your windoze machine.

-- XOR (drwizzard@usa.net), February 14, 2000.
