RE: GCI filtering port 139?

From: Christopher Erickson <cerickson@gci.net>
Date: Wed Dec 29 2004 - 07:57:29 AKST

It should NOT be assumed to be fine.

An excellent book that every potential security expert should
read is called "The Codebreakers". It is out of print now but
can be found on eBay and periodically on Amazon used books.

Some exploits exist that can compromise a system vulnerability
even before the source IP is extracted and the IP packet
evaluated and potentially approved for forwarding. I am not
sure about Linux but there are certainly ones that exist in XP.
And if they are confirmed to exist in XP then at least the
potential exists in Linux.

If a worm writer were to discover such a vulnerability in Linux
and were to naturally incorporate a pseudo-random destination IP
probe then the machine in question would be completely vulnerable
without the worm author ever having any specific knowledge about
that machine.

And lastly, the COM21 cable modem network is a layer-2 network.
That means network-wide broadcast traffic and quite likely the
box in question is advertising its shares for the rest of the
unfiltered modems to see. And since it is a layer-2 network,
bidirectional IP spoofing works just fine. Also note that all
Windows networking traffic is completely unencrypted.

Hopefully 'nuff said.

-Christopher Erickson

> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]
> On Behalf Of Beau V.C. Bellamy
> Sent: Wednesday, December 29, 2004 1:24 AM
> To: aklug@aklug.org
> Subject: Re: GCI filtering port 139?
>
>
> But generally requires specific knowledge to exploit. It's really
> hard to probe for the IP it responds to. You could always use social
> engineering to narrow it down, but that still leaves you with having
> to be on a routable network for the spoof. IP filtering is definitely
> not a 100% solution, but it certainly helps. It'll stop most hackers
> who would otherwise go for other, easier machines, but not the
> dedicated ones who know the addressing scheme he's using. IP
> filtering can be very effective especially when used with a
> proactive IDS. The way I see it, it's just as secure as using telnet
> and smtp. Unless a malicious tech at your ISP is sniffing traffic,
> you should be fine.
>
> - Beau
>
> On Wednesday 29 December 2004 00:01, Christopher Erickson wrote:
> > IP filtering is a rotten form of security.
> >
> > Way too easily circumvented and/or exploited.
> >
> > -Christopher Erickson
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>

Received on Wed Dec 29 07:57:31 2004
