Every so often, someone on one of the security mailing lists to which I subscribe will post a frothing rant from someone who has discovered their own personal “magic bullet” which solves all their security woes. This time, it’s a guy who was convinced that Microsoft’s recent out-of-band Internet Explorer patch MS08-078 is actually a conspiracy by Microsoft (and the government, of course) to invade your computer.
Okay, now aside from the point that, technically, Microsoft “pwns” your computer if you run their OS, and they don’t need to install patches to continue to do so; aside from the Ballmer defence (“If we were actually evil, don’t you think we’d be doing a better job at it?”); aside from that and many other considerations, what evidence did this guy have that the patch is a conspiracy?
Gibson Research’s ShieldsUp site reported that his system was “Fully Stealthed”.
[For those of you non-geeks reading the blog, that means that his firewall was closed up so tight that his system was not responding to any attempt to connect.]
Many other people have made, or will make, the obvious note that the patch is for a browser client bug, whereas the firewall ignoring all incoming requests only protects against server-related bugs, so I’ll leave it to those people to discuss that.
My concern is that Gibson is still pitching the idea that “Fully Stealthed” is a good idea.
TCP/IP, the network protocol on which much of the Internet is currently based, is designed around certain error reporting mechanisms that keep the system able to route around trouble.
One of these mechanisms is the TCP RST (reset) flag. The reset flag is a great tool, as it says in a single bit “I received this packet, but I can completely guarantee that it’s not meant for me”. Another similar mechanism is the “ICMP Host Unreachable” response, which says “You appear to be trying to send a packet through me to another machine, but although I’m not a bad place to send that packet through, I can’t seem to reach that machine just now”.
When you’re “Fully Stealthed” (or completely non-responsive, if you prefer), it’s like you’re a black hole, and neither the TCP RST flag nor the ICMP Host Unreachable errors are returned from your system.
That’s great, right, because it means that your attackers can’t tell you’re there? It’s like you’re a black hole, no one can see you, right?
That sounds good in theory, except that even black holes can be seen, because they don’t act like the empty space that might otherwise be there.
Similarly, a “Fully Stealthed” machine gives away its presence by occupying an IP address that will not respond at all when you try to contact it. Very much like a black hole, it’s clear that it’s there, because if there was nothing there, the upstream routers would be passing back ICMP Unreachable messages.
OK, so maybe they know that I’ve got a machine here, at this IP address, but it’s safe, because it’s Fully Stealthed – Stealth just sounds so cool, especially since it’s a verbed noun! It’s alright that I look like a hole to the rest of the Internet, because nobody can do anything to me!
The attacker can pretend to be you, because there’s nothing you’re going to say about it.
Let me qualify that – of course, the attacker can’t use your password if he doesn’t know it, nor can he use your private keys. But he can use another thing that some sites use as part of the proof that you are who you claim to be.
He can use your IP address.
A few things prevent this normally:
So, numbers 1 and 3 aren’t always a barrier – number 2 is definitely a barrier if the attacker needs to maintain the connection for more than a few fractions of a second, as the RST from the spoofed IP address will cause the server to drop the connection and ignore what the attacker is trying to do.
So, this is a valuable protection that a “fully-stealthed” firewall is going to throw away for you – the ability to spot when someone is spoofing your IP address, and to respond back to say “uh, that isn’t me – stop talking to him”.
A firewall should behave as if the machine is present but disinterested, and should actively refuse misguided connection attempts and responses, not merely ignore them. There’s a big difference between the two behaviours. Don’t use the sensationalist terminology of a poor substitute for an expert as a replacement for understanding of your risks and threats.
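To make the two behaviours concrete, here is an added toy model (written for this page; it is not Gibson's, Microsoft's, or any firewall product's code) that simulates both points made above: how a scanner distinguishes an unoccupied address (ICMP Host Unreachable from the router) from a silently dropping one (nothing at all) and from a host that refuses (RST), and how a RST from the real owner of a spoofed address tears down a forged session before any data is accepted. It assumes a server that takes the source address as the peer's identity, leaves out TCP sequence numbers and timers entirely, and uses RFC 5737 documentation addresses; the `Host`, `Server` and `Router` classes, the `probe_reply` and `spoofed_session` functions, and every address in it are constructed for this example.

```python
"""Toy packet-level model of a 'drop' (Fully Stealthed) versus a 'reject'
firewall policy.  Constructed for illustration: one segment per event, no
sequence numbers, no timers.  All addresses are RFC 5737 documentation ranges."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    kind: str          # "SYN", "SYN-ACK", "ACK", "DATA", "RST", "ICMP-UNREACH"
    payload: str = ""


class Host:
    """An end host with a firewall policy.  It runs no listening service, so
    every inbound segment is unsolicited.  'reject' answers with a TCP RST
    (the 'present but disinterested' behaviour); 'drop' answers with nothing."""

    def __init__(self, ip: str, policy: str):
        assert policy in ("reject", "drop")
        self.ip, self.policy = ip, policy

    def receive(self, pkt: Packet) -> list[Packet]:
        if pkt.kind in ("RST", "ICMP-UNREACH"):
            return []                      # never answer an error with an error
        if self.policy == "reject":
            return [Packet(self.ip, pkt.src, "RST")]
        return []                          # 'Fully Stealthed': silence


class Server:
    """A server with a minimal per-peer connection table.  It trusts the
    source address as the peer's identity, which is the weakness described
    in the text (assumption of this toy model)."""

    def __init__(self, ip: str):
        self.ip = ip
        self.state: dict[str, str] = {}            # peer ip -> connection state
        self.accepted: list[tuple[str, str]] = []  # (peer ip, payload) taken as genuine

    def receive(self, pkt: Packet) -> list[Packet]:
        st = self.state.get(pkt.src)
        if pkt.kind == "SYN":
            self.state[pkt.src] = "SYN-RECEIVED"
            return [Packet(self.ip, pkt.src, "SYN-ACK")]
        if pkt.kind == "RST":
            self.state.pop(pkt.src, None)  # peer said "that isn't me": tear it down
        elif pkt.kind == "ACK" and st == "SYN-RECEIVED":
            self.state[pkt.src] = "ESTABLISHED"
        elif pkt.kind == "DATA" and st == "ESTABLISHED":
            self.accepted.append((pkt.src, pkt.payload))
        return []


class Router:
    """Last-hop router for 192.0.2.0/24.  Delivers to hosts it knows and
    returns ICMP Host Unreachable for addresses that nobody occupies."""

    def __init__(self, hosts: dict[str, Host]):
        self.hosts = hosts

    def deliver(self, pkt: Packet) -> list[Packet]:
        if pkt.dst in self.hosts:
            return self.hosts[pkt.dst].receive(pkt)
        return [Packet("192.0.2.1", pkt.src, "ICMP-UNREACH")]


def probe_reply(router: Router, target: str) -> str:
    """What a scanner at 203.0.113.9 gets back from a single SYN to target.
    'silence' is the black hole: distinguishable from an empty address."""
    replies = router.deliver(Packet("203.0.113.9", target, "SYN"))
    return replies[0].kind if replies else "silence"


def spoofed_session(policy: str) -> list[tuple[str, str]]:
    """Segments forged with the victim's source address 192.0.2.5 reach the
    server; the server's SYN-ACK is routed to the real 192.0.2.5, whose
    firewall policy decides whether the forged session survives.  Returns the
    data the server ended up attributing to 192.0.2.5."""
    victim = Host("192.0.2.5", policy)
    router = Router({victim.ip: victim})
    server = Server("198.51.100.10")
    for reply in server.receive(Packet(victim.ip, server.ip, "SYN")):
        for reaction in router.deliver(reply):   # SYN-ACK reaches the real host ...
            server.receive(reaction)             # ... whose RST, if any, reaches the server
    server.receive(Packet(victim.ip, server.ip, "ACK"))
    server.receive(Packet(victim.ip, server.ip, "DATA", "hello, I am 192.0.2.5"))
    return server.accepted


if __name__ == "__main__":
    lan = Router({"192.0.2.5": Host("192.0.2.5", "drop"),
                  "192.0.2.6": Host("192.0.2.6", "reject")})
    for ip in ("192.0.2.5", "192.0.2.6", "192.0.2.7"):
        print(f"probe {ip}: {probe_reply(lan, ip)}")
    for policy in ("drop", "reject"):
        print(f"{policy}: server accepted {spoofed_session(policy)}")
```

Run as a script, the probes come back as `silence`, `RST` and `ICMP-UNREACH` respectively, so the "stealthed" host is the only one of the three that looks unlike an empty address, and the forged data is accepted by the server only under the `drop` policy; under `reject` the victim's RST empties the server's connection table before the forged ACK and data arrive. The real-world equivalent of the `reject` policy is a firewall rule that answers unsolicited TCP with a reset (for example iptables' `-j REJECT --reject-with tcp-reset`, or nftables' `reject with tcp reset`) instead of `DROP`.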