NSAKEY:Is there a microsoft/NSA backdoor on all Windows PCs?

Harry Waldron
Moderator

Post by Harry Waldron »

Below are some brief thoughts on both points.

1. Technically some things noted above could be potentially misused, e.g., maybe not the NSAkeys, but the stealth update as noted in this link:

http://www.pcworld.com/businesscenter/a ... cerns.html

Still, I think we're okay, as MS would not want to incur the damage to their reputation, loss of sales, and privacy-invasion lawsuits. Encryption usually uses both public and private keys, and with 1024-bit encryption we're fairly safe from unauthorized uses of these keys.

2. There are also hardware-based firewalls (which I feel are superior, as they pre-filter things away from your PC altogether and don't rely on the OS foundation to work). Also, in the corporate world I've worked with advanced multi-tier commercial firewalls (using non-MS operating systems) where any secret port or service would not be able to make it to or from its destination.

Having previously worked more than a decade in IT security, these concerns are actually realized in some of the malware attacks circulating. There are keyloggers, backdoors, phishing attacks, and other methods that can be used to extract sensitive information. So I fear the bad guys much more than any software vendor, as they are actually doing this. Thus, keep your PC free of malware and avoid storing sensitive information on your PC or sharing it via email.
johann_p

Post by johann_p »

chrizoo wrote: true, but there is no such thing as "closed source network traffic packets"; you might not be able to make any sense of the content, but you would still detect them, right, and know the origin (the process for outgoing packets and the IP for incoming packets)?
... a bit like cars with black-shaded windows: you cannot see the driver, but you see a car passing and its number plate tells you its origin.

Unless the traffic looks like perfectly legitimate traffic, e.g. from/to the browser, to some update site etc.

I am not saying anything like this actually happens. But there are many things imaginable and many doable in theory or in principle.
“Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.”
Harry Waldron
Moderator

Post by Harry Waldron »

johann_p wrote: I am not saying anything like this actually happens. But there are many things imaginable and many doable in theory or in principle.

Johann makes an excellent point. Thankfully independent security professionals can "trust but verify" to ensure any vendor does not secretly perform actions that might compromise an individual's rights of privacy and general security. With the skills of HD Moore and other talented security researchers, any hidden agents that might "phone home", would surely be detected by now (as the genesis of this was around 2000 or so). In the specific case of the NSAKEY, it's not on my list of things to worry about.
Grumpus

Post by Grumpus »

It's nice if you can find a traffic monitor which differentiates between the different signals and the directions they are taking. It's also good to see everything you can and have the ability to block "IN" as well as "OUT". With "loggers", rootkits, "spoofing" and redirects to "spoofed" sites being a constant issue, it's good to see your own IP as the functional one and reassuring to see your connection is to your ISP's servers and none others.
A recent issue I found was a stronger DSL signal through the discovery process of the Network manager redirecting my connection to another ISP's servers instead of my contracted ISP. I wouldn't have caught it without a traffic monitor, or until the other ISP threw me off. It allowed me to find the issue, and remove and block the setup which was causing the problem.
Doesn't matter what you say, it's wrong for a toaster to walk around the house and talk to you
chrizoo

Post by chrizoo »

What traffic monitor applications do you guys use?
Grumpus

Post by Grumpus »

Depends on your operating system.
It helps to find one that doesn't allow access by clients or tracked IPs when running, or give your IP away when online or when turned on. Look around but be careful.
chrizoo

Post by chrizoo »

Ok, what do you use on your OS? I have XP, any recommendations there?
Grumpus

Post by Grumpus »

If you do a Google search for "IP traffic monitor" you come up with a number of different ones which will be applicable to XP.
No recommendations for Windows systems; maybe someone else has one?
chrizoo

Post by chrizoo »

I know some, I was just curious what you use.

More generally speaking, there were 2 questions I was asking myself:

(1) We cannot monitor with our own eyes the incoming/outgoing connections 24/7, so the application has to "alert" us in some way, but I'm not sure if it's easy to set up rules for "suspicious traffic" ... ??

(2) Is it (theoretically) possible that Windows - or any other OS for that matter - is designed to hide/obfuscate connections to Redmond, NSA, etc., in such a manner that the IP traffic monitor would not catch these connections?
Grumpus

Post by Grumpus »

There's going to be some form of "masking" or "spoofing" of IPs regardless of what you try to do. Unless you actually need to leave the computer physically connected to the internet, I suggest a positive "stop": a hardwire disconnect, since no wireless system will ever be fully secure in spite of what anyone on the planet says differently. One of the drawbacks to DSL, Cable and FIOS is the inability to disconnect the hardwire connections without some form of Rube Goldberg contraption. The more exotic the connection becomes, the more difficult it is to break the contact simply. Dial-up remains the simplest form of disconnect as long as wireless is not involved.

Secondly, the firewall is meant to stop infiltration but rarely stops all, some but not all, because of this very same "masking." IP discovery softwares lean on records of ownership, but there are gaps in time when the records are updated which allow indiscriminate parties to utilize these IPs and go undiscovered. Were the record to indicate a large system, a single IP could cause someone to block an entire range needlessly. If that rascal is bouncing from IP to IP in a range and the range records are viable, you then face the problem of losing that sector of the internet for security's sake if you block the range. I've fallen victim to this subterfuge on numerous occasions and may be so duped at present.

There are also incomplete records in some of the discovery softwares, and though it's changed from time to time, some countries fail to comply with the intent. Sort of "Why make it easier?" Particularly if there's some form of intelligence gathering or other shenanigans going on.

Usually you can use some simple deterrents by not allowing remote logins, or having a sound or signal generated when an attempted login occurs and succeeds or fails. It's one of the reasons it pays to review logs which cover a day's activities. You may find IPs which never popped up in the traffic monitor, registered a hit against the firewall and went completely unnoticed until the review. Then you can only hope whatever breach occurred was a failure, and you block the offending party from future access using whatever means are at your disposal.

It helps to keep a small IP monitor in view when online, if for no other reason than to see who it is who may be knocking on the door. Usually you'll see hits on 1026, 1027, 1028 and 445, but lately I've noticed a number of hits against the 6000 range of ports, lower-numbered admin ports and some of the other ports like the webcache and ssh ports. Mostly these are coming from Far East identified ranges. Close the ports you don't need and keep remote access to the absolute minimum.
You could also be careful of "suite" softwares which have search, internet and fax capabilities, as the access to them may also be utilized at times by nefarious or curious pixies.
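Two of the points above lend themselves to a small script: chrizoo's question (1) about rules that flag "suspicious traffic" without watching the monitor all day, and Grumpus's habit of reviewing a day's firewall log for repeated hits on ports like 445, 1026-1028 and the 6000 range. The following is an added example, not code from the thread; the log lines are constructed, the nine-field layout (date time action proto src dst sport dport direction) is an assumption, and the allowlist of expected destinations is a placeholder.

```python
from collections import defaultdict

# Ports the thread names as frequent targets, plus ssh (22) and a webcache port (8080).
WATCHED_PORTS = {445, 1026, 1027, 1028, 6000, 6001, 22, 8080}

# Destinations this PC is expected to contact (assumed placeholder allowlist).
EXPECTED_DESTINATIONS = {"192.0.2.1", "198.51.100.20"}

# Constructed sample log; field layout is an assumption, not a real product's format.
SAMPLE_LOG = """\
2008-03-01 10:01:02 DROP TCP 203.0.113.5 192.0.2.10 51234 445 RECEIVE
2008-03-01 10:01:03 DROP TCP 203.0.113.5 192.0.2.10 51235 1026 RECEIVE
2008-03-01 10:01:04 DROP TCP 203.0.113.5 192.0.2.10 51236 1027 RECEIVE
2008-03-01 10:02:10 DROP UDP 203.0.113.77 192.0.2.10 4000 6000 RECEIVE
2008-03-01 10:03:00 ALLOW TCP 192.0.2.10 198.51.100.20 3300 80 SEND
2008-03-01 10:03:30 ALLOW TCP 192.0.2.10 203.0.113.99 3301 443 SEND
2008-03-01 10:04:00 DROP TCP 203.0.113.5 192.0.2.10 51237 3389 RECEIVE
"""

def parse_line(line):
    """Return a dict for one log line, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    date, time, action, proto, src, dst, sport, dport, direction = line.split()
    return {"when": f"{date} {time}", "action": action, "proto": proto,
            "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
            "direction": direction}

def records(log_text):
    """All parsed records in the log, in order."""
    return [r for r in map(parse_line, log_text.splitlines()) if r]

def inbound_hits(log_text, watched=WATCHED_PORTS):
    """Dropped inbound attempts per source IP on watched ports, with the ports touched."""
    hits = defaultdict(lambda: {"count": 0, "ports": set()})
    for r in records(log_text):
        if r["action"] == "DROP" and r["direction"] == "RECEIVE" and r["dport"] in watched:
            hits[r["src"]]["count"] += 1
            hits[r["src"]]["ports"].add(r["dport"])
    return {ip: {"count": v["count"], "ports": sorted(v["ports"])} for ip, v in hits.items()}

def review_candidates(log_text, min_hits=2):
    """Sources that probed watched ports repeatedly: the IPs worth a closer look."""
    return sorted(ip for ip, v in inbound_hits(log_text).items() if v["count"] >= min_hits)

def unexpected_outbound(log_text, expected=EXPECTED_DESTINATIONS):
    """Allowed outbound connections to destinations not on the expected list (alert rule)."""
    return [(r["when"], r["dst"], r["dport"]) for r in records(log_text)
            if r["action"] == "ALLOW" and r["direction"] == "SEND" and r["dst"] not in expected]
```

The outbound rule is the simplest answer to question (1): rather than trying to define "suspicious", list what is expected and alert on everything else, then grow the list as legitimate destinations turn up.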
Harry Waldron
Moderator

Post by Harry Waldron »

^ Excellent post ... A good bi-directional firewall, patching all software, and AV protection can help protect you. Best practices tie in as well. A hardware solution (e.g., gateway/server PC or router with built-in firewall) might be preferable for keeping malicious inbound traffic out of your PC altogether.

You might not want to know what's trying to attack from the Internet. I read an article once about how plugging in a hi-speed modem would show constantly blinking lights. This is incoming activity before you key anything in, as the computer idles. These are randomly constructed IP-based malicious attacks circulating in the wild.