Network Question: What do hackers hack?

A few days ago I read an article about gnutella security, the gist of the article being that people should only connect to gnutella through a firewall if they are concerned about security. The logic goes that when you connect to gnutella you are making your IP address known to thousands of nodes on the network, thus making yourself into a Very Big Target for malicious hackers, especially if you remain connected for more than a few hours at a time.

Fair enough. I’ve been playing around with gnutella lately and I’m concerned about security, so I downloaded a free personal firewall from http://www.tinysoftware.com and installed it on my home PC running win2k. I’ve been having lots of fun fooling around with the settings and restricting my allowable network connections to the absolute bare minimum: Outgoing TCP connections on ports 80, 110, and 6346 (for my web browser, e-mail program, and gnutella client respectively). Everything works great! No longer am I merely surfing the Internet: I’m cruising it with my very own armored battleship. I feel very safe now, even though I’m still a little unsure about what I had to fear in the first place.

Without my cyber-prophylactic, was I in serious danger of being hacked? Although my knowledge of networks is patchy to say the least, I’m pretty sure that a hacker can’t just magically connect to my computer without some kind of program on my end waiting to receive that connection. Browsing through the administration screen of my firewall I notice that Windows 2k accepts a few connections of itself (There’s something called Local Security Authority System Service, and something else called LDAP). Are these back doors for hackers to get into my computer and steal my files? Or do I need to have certain programs with security holes running before I can be hacked? What kind of programs would be security risks? Do I even need this firewall thingy if I only run my web browser, e-mail client, and gnutella client? Are these programs themselves security risks?

Nitpick:

Hackers are deeply knowledgeable in one or more subjects, or write good code. They may or may not also be “Crackers”.

Crackers make malicious use of various skills and code to suit their own needs and desires, are frequently poorly-educated “Script Kiddies”, and are generally despised by true “hackers”.

The media in general, and tech media in particular, seem unwilling to make that distinction, probably from sheer laziness.

The article I read used the term “hacker” as a blanket word meaning “anybody who wants to break into your computer and wreak havoc”, so I hope you’ll excuse my ignorance.

Not terribly surprised that the article was slipshod in its labeling of Crackers. As I’ve said, it’s common. I certainly don’t blame you for not knowing the standard industry usage, if your only source has been the media, but I will try and put that correction out there whenever possible. Too bad so few tech reporters are members of the SDMB.

Now that we’ve covered semantics, let’s try to provide some answers here.

ZoneAlarm is also very good. Of course, I swear by my hardware firewall…

You are doing very well. What you had to fear was many things. Try going to this scary page for some examples.

You do have such a program - called “Windows 2000”. And no, I’m not being facetious. Windows 2000 itself has enough security mishaps and weaknesses in it alone, without needing any other software. Just like NT before it.

Yes, IMO and that of most IT professionals, you do need the firewall - at all times. And no, the reputable firewall programs are absolutely not security risks.

Want to find out what you are seeing in your firewall logs too? Go to this firewall forensics FAQ page for more info.

Thanks Anthracite! I’m downloading Zone Alarm right now. I’ve seen it recommended on several sites and I’m curious to see how it compares to Tiny.

BTW, that forensics FAQ is just what I’ve been looking for. I look forward to perusing it.

You might have some trouble with Gnutella behind a firewall… I’m not familiar with the protocol, but I know that with Morpheus, AIM, and ICQ, file transfers are impossible when the sender and recipient are behind different firewalls. That would cut you out from exchanging files with a lot of cable modem users–who are usually the ones with the files you want! :wink:

Your Gnutella client may have the ability to listen for connections on a specified port range. If so, you should configure it to do so, and set up your firewall so those incoming ports are allowed.

Yes I just discovered this. If the gnutella sender and receiver are both behind different firewalls then the transfer will fail. Luckily my firewall allows me to grant permissions on a program-by-program basis so I can give my gnutella client carte blanche to establish or receive any connections it wants, which makes the firewall transparent to the gnutella client. I can’t think of any problem with doing this, as long as I trust my gnutella client not to do anything naughty behind my back…

Actually, gnutella itself is a massive hole in your firewall. If it’s receiving and using all the connections it wants (as you have it set), that’s a perfect way for someone to sneak something onto your computer. It could, for instance, let your computer be set up as a zombie in a distributed denial of service attack – as far as your firewall would know, it’d just be normal gnutella traffic. Your firewall setup may prevent this, but it’s hard to be sure.

BTW, the differentiation between hacker and cracker is an artificial one and only used by older remnants of the hacker community. Calling the people who break into your computer hackers is accepted by most people; those who do hacking merely differentiate between “white hat” and “black hat” hackers.

Uh, cite? I don’t think that’s standard usage, especially around here.

Between a Doper called Derleth and Anthracite’s sig line, I’m shocked no one has mentioned this. Microsoft manuals are strangely written, filled with information that is incomprehensible to most people, and capable of driving readers to madness. A program named Windows, and a man named Gates, internet portals, do you see what I’m getting at? Clearly Microsoft serves Cthulhu and seeks to bring about his return. The operating system will, when the stars are in the proper alignment, open windows onto R’lyeh and dead Cthulhu shall rise and enter the gates to our world.

I’d switch to Linux except for 2 things:
1. I know that at least one flavor, Red Hat, serves Hastur (That’s Hastur The Unspeakable, not Hastur the Doper.)
2. I don't feel like going through the trouble of installing it and reconfiguring my system.

With the graphical user interface installation now has, setting it up isn’t that tough. I did it overnight on my laptop, and now I’m mounting drives like a fool.

:smiley:

(Invoke my name and bear my puns!)

Yep. In my understanding, basic to the concept of true hacking is the willingness to put in long, obsessive hours with something to understand how it works. Larval stage is the accepted term for such behavior.

Even if you’re running a secure OS and you don’t have any holes in other programs you’re running, you’re still vulnerable to a “denial of service” attack. This is where someone sends you a lot of pings (usually from several different source computers) that your computer would, by default, try to answer, with the result that your computer gets overloaded and crashes in some manner. Of course, a personal computer isn’t likely to be the target of such an attack, unless there’s someone out there who dislikes you specifically, since it doesn’t really net the attacker anything.

Assuming the Gnutella client can’t be trusted. But if you’re running untrusted programs that you suspect might be trojans, you have bigger problems than whether your ports are blocked!

Limewire, for example, by default configures itself to share everything in your “My Briefcase” folder as well as your media files. You can modify LimeWire ‘options’ appropriately.

It’s a good idea to monitor uploads.

A bit OT, but DoS attacks usually don’t use ping. Ping is trivially easy to filter at the firewall and not essential for normal operation. DoS attacks typically use a SYN flood, where the attacker sends a request for a TCP session using a spoofed IP address so the resulting handshake from the server is misdirected. The server keeps the connection open for a certain amount of time waiting for the response, which chews up resources quickly if lots of requests get queued. You can’t filter these as easily because real connections use the same handshake.

Also, not to belabor the semantic point, but among hackers, the word “hacker” is considered a compliment, i.e. someone skilled at solving problems in elegant and creative ways. This community uses “cracker” to refer to the no-talent script kiddies and others who do malicious things. If you use the word “hacker” in place of “cracker”, you’ll be understood by the majority of the population, but you’re labeling yourself as a newbie as far as the real hackers are concerned. The blackhat/whitehat terminology is popular in some media circles, but I’ve never heard it used in the community aside from the “Blackhat Briefings” conference.

Now to respond to the actual OP, check out the site:
http://grc.com/
This is the same site that Anthracite cited*, but a different page. Gibson’s “Shields Up” routine will query your machine for open ports and protocols. It’s a great way to see if Windows is covertly sharing your filesystem with the world.

* How many sites would Anthracite cite if Anthracite could cite sites?
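The SYN-flood mechanism described in the post above, as an added illustration that is not from the thread: a toy stateful listener with a small backlog is fed spoofed SYNs that never complete the handshake, beside a SYN-cookie listener that derives its initial sequence number from an HMAC of the peer address and so has no table to exhaust. The backlog size, secret key and addresses are constructed, and the cookie is simplified (real ones also encode a timestamp and MSS).

```python
import hmac
import hashlib

BACKLOG = 8                           # half-open slots the stateful listener keeps
SECRET = b"constructed-demo-secret"   # assumed per-host key for SYN cookies

class StatefulListener:
    # Classic handshake: every SYN reserves a half-open slot until its ACK arrives.
    def __init__(self):
        self.half_open = {}           # (src_ip, src_port) -> server initial sequence number
        self.established = self.dropped = 0
    def on_syn(self, src):
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1         # backlog full: this SYN is lost, spoofed or not
            return None
        isn = len(self.half_open) * 1000 + 1   # toy ISN; real stacks randomise it
        self.half_open[src] = isn
        return isn
    def on_ack(self, src, ack):
        isn = self.half_open.pop(src, None)
        if isn is not None and ack == isn + 1:
            self.established += 1
            return True
        return False

class SynCookieListener:
    # Stateless handshake: the ISN is an HMAC of the source, so no table exists to fill.
    def __init__(self):
        self.established = self.dropped = 0
    def cookie(self, src):
        mac = hmac.new(SECRET, repr(src).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit ISN; real cookies also encode time and MSS
    def on_syn(self, src):
        return self.cookie(src)       # send SYN-ACK, remember nothing
    def on_ack(self, src, ack):
        if ack == self.cookie(src) + 1:   # only a peer that received our SYN-ACK knows this value
            self.established += 1
            return True
        return False

def flood_then_connect(listener, spoofed=20):
    # Spoofed SYNs that never ACK, then one legitimate handshake; returns (ok, established, dropped).
    for i in range(spoofed):
        listener.on_syn((f"203.0.113.{i}", 40000 + i))   # constructed spoofed sources
    legit = ("192.0.2.7", 51515)
    isn = listener.on_syn(legit)
    ok = isn is not None and listener.on_ack(legit, isn + 1)
    return ok, listener.established, listener.dropped
```

With twenty spoofed SYNs the stateful listener's backlog is full by the time the legitimate client arrives, so its SYN is dropped; the cookie listener completes the handshake because it stored nothing for the spoofed sources.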