XP OS vulnerabilities after April 8, 2014


vipejc

as the hacker would never get on my system

The hacker thing has been talked about already, there is really no reason for a hacker to attack you.

I just learned my gateway uses NAT only and has the hardware firewall disabled. I can enable it, but I know it's disabled by default to prevent connection issues. I know NAT isn't a firewall, but it is a form of security. Am I safe with the NAT-only gateway and the built-in Windows software firewall? I think so, but I want to hear your thoughts. NAT takes my real IP address and translates it into a fake IP address when making external connections to the Internet, and the Windows firewall offers solid protection from inbound traffic, which is fine, as the hacker would never get on my system to send outbound traffic.

If you want a firewall recommendation, this might help: http://www.msfn.org/board/topic/171591-looking-to-upgrade-my-software-firewall-recommendations/#entry1075333 and http://malwaretips.com/threads/question-do-i-need-a-third-party-firewall.15882/ . Personally I think 3rd party is better than what M$ offers.



Did I mention I have both a Gateway (AT&T) with NAT (-not- necessarily a "form of security") -with- Firewall Enabled -and- a 3d Party Firewall?

I have Server Services and allow Ports 21+80 on the Gateway -and- the 3d Party. With its Firewall (Gateway) disabled I get lots of "hits" on my Software Firewall (on the PC). It does -not- matter whether MS or 3d Party, those open ports are begging to be blasted, even through NAT. You will notice that most -real- experts agree that a Hardware Firewall far surpasses a Software Firewall. Don't be fooled by such statements as this (found ALL OVER the WWW) -

http://www.webopedia.com/TERM/N/NAT.html

Provides a type of firewall by hiding internal IP addresses

Uhhh, also look at what NAT is and you'll see why this is -not- necessarily true. All this will do is "protect" you from a DIRECT IP attack, while NAT will gladly pass "whatever a slick hacker" wants to pass to you (through NAT). Notice it -also- says a "TYPE of firewall" and NOT "a firewall".

Did I mention that MS Firewall stinks and only prevents (-most-) INBOUND Ports? "I just installed this 'free' software and now I get all kinds of popups. How come?".

;)


Just for fun I enabled the Windows Firewall log for a few hours and tracked all the dropped packets. I had no idea somebody was trying to attack my computer almost every second! Now I really see why a firewall is critical to any computer connected to the Internet. NAT alone would be a security risk, but unlike what you said, the Windows Firewall closes ALL inbound ports, so a hacker can't get in the system.


Here http://www.techsupportalert.com/best-free-firewall-protection.htm . This is a nice intro to firewalls. Here's a quote.

Basic firewall protection is critical for securing your PC. Simple firewalls (like the default Windows firewall) limit access to your system and personal information, and silently protect you from inbound threats. We review basic third-party firewalls that have marginally better security than the Windows firewall, such as simpler features for monitoring programs that request outgoing Internet connections (we call this "outbound protection"). The default Windows firewall has only limited outbound protection.


I am also an XP fan but you can't fight the progress....

even if you can't be attacked by hackers: new manufacturers don't offer support for XP (they don't bother to create drivers anymore).

it's already happening if you look at Intel's chipsets for Haswell... also ATI Radeon is not releasing drivers for it.

I feel sorry too but there is nothing we can do I think.

I was asking about this on the XP64 forums, and it was said that chipset drivers aren't necessary to run the OS on that sort of equipment. You'd just be missing out on optimization.

I'm less concerned about squeezing every last drop of performance out of my current hardware than I am upgrading to new standards. I'm willing to forgo drivers so long as the OS still runs on the hardware just fine.


Well,

but unlike what you said, the Windows Firewall closes ALL inbound ports, so a hacker can't get in the system.
...ever heard of "stealth mode"? And see Post#34 - there ARE OutBound connections - call them "Phone Home". ;)

No, what's stealth mode? And I know the XP Firewall doesn't protect against outbound connections, but if you don't let a hacker in, it's not an issue.


Technet "Stealth Mode" -

http://technet.microsoft.com/en-us/library/dd448557%28v=ws.10%29.aspx

Take a look also here (look for the "Stealth Mode" paragraph) -

http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

http://www.linuxtopia.org/LinuxSecurity/LinuxSecurity_Firewall_How.html

Basically, a hacker can detect "you are there", regardless of blocks. A "closed port" is not the same as "you can't even see me".

At the risk of "hacking off" jaclaz ( :w00t:) try this -

https://www.grc.com/default.htm

Scroll down to "Shields Up!" and select "All Service Ports". Bear in mind, it's using my external Dynamic IP provided by my ISP (the one the Router sees) and my Firewall (3d Party) does NOT have "Stealth Mode" set. I get a different result if the Firewall has "Stealth Blocked Ports" enabled. -AGAIN-, I have FTP/HTTP ports passing through the Router and have some "special" settings in the Firewall itself (for e.g. Local File Sharing, etc.). -ALSO- note that I do NOT have my Main PC on the Router in the DMZ.

Does that help? Please report back any results you may have with the Windows Firewall, if you don't mind. (Not in the mood to fire up a "vanilla" XP machine right now).

edit - forgot to mention that you can find out more via this Google

"stealth mode" firewall

edit2 - AH! I also do NOT have "full" Stealth set on my Router, also an ATT 2wire, as noted in the following -

http://www.wilderssecurity.com/threads/no-firewall-will-stealth-my-ports-no-router-stealth-mode.334217/

(forgot the setting was there - duh!)

HTH

Edited by submix8c

At the risk of "hacking off" jaclaz ( :w00t:) try this -

Naah, having survived (as well as the Internet and all the rest of people :whistle:) the Christmas of Death ;):

http://radsoft.net/news/roundups/grc/20011223,00.shtml

http://radsoft.net/news/roundups/grc/20011224,00.shtml

https://web.archive.org/web/20011128173700/http://www.theregister.co.uk/content/4/19332.html

https://web.archive.org/web/20011206001238/http://grc.com/dos/grcdos.htm

https://web.archive.org/web/20011211112259/http://grc.com/dos/winxp.htm

you'll need something more "substantial" to hack me off :).

jaclaz

P.S. : and before anyone asks, yes, I survived (just like all the rest of the world) also the end of Antivirus effectiveness in 1992:

https://web.archive.org/web/20010805135801/http://vmyths.com/rant.cfm?id=348&page=4

http://spth.virii.lu/40hex7/40HEX-7.005.txt

Edited by jaclaz

Thanks for all that firewall info. Stealth mode is safer because a computer that can't be seen is safer than one that can be seen, but my gateway uses NAT, which means my internal IP address is translated into the external public IP address of the ISP, which is in a stealth mode, meaning I'm very safe from probing attacks. I took the GRC tests and my system passed all tests except the one where it responded to pings. This isn't a big concern, because even if a hacker tries to hack my computer, they're not getting in. They'll be like a person with a plastic hammer hitting a concrete-walled fortress. LOL But one thing I don't understand is I have the Windows XP Firewall set to not "Allow incoming echo requests" under the ICMP settings, so why is my computer responding to pings?

Edited by vipejc

I think you misunderstand this stuff.


1 - NAT translates your EXTERNAL to the INTERNAL, not the other way around, as you "think"

2 - NOW you say your Router is set to Stealth (now that you know what it is), which is good

3a - You misunderstand PING. Reread the text after another test -OR- read this (still applies) -

http://pic.dhe.ibm.com/infocenter/powersys/v3r1m5/topic/p7hcgl/ping.htm

3b - The Router MUST allow that so your ISP can "find" you to assign an IP (an assumption on my part). It WILL be opened on the Router and then Closed (or at least SHOULD be). In all other cases (Ports) you are "invisible".

3c - The setting on your PC Firewall on your INTERNAL IP is applicable regardless. The GRC test is testing your EXTERNAL ROUTER IP Address, and NOT your INTERNAL PC IP Address. I thought I made it clear about MY settings and "how stuff works" (I gave you links to learn about that).

3d - Your XP Firewall does NOT do Stealth Mode (ref. the MS TechNet article link), so yep, it's NOT "invisible".

3e - IOW, someone OUTSIDE can "see" your EXTERNAL IP (an attack on a Router is kind of foolish), but they would be BLOCKED at the PC (Internal IP) but still "there".

Be aware of requirements for WWW/FTP/FileSharing ports. I personally had a little "learning curve" to set myself up for this stuff on my INTERNAL IP PC 3d Party Firewall. I see no reason to provide you with my particular settings since you aren't "serving" anything and (apparently) connect to the Router -AND- any Local LAN PC's would have to have their Windows Firewall set up to allow intercommunications for (at minimum) File Sharing (look at the other settings in it).

Side note: It's entirely possible to make a simple "base" (even an OLD one) PC with One NIC In and One Or More NICs Out and use it as a router by installing a DHCP/NAT Server type of OS (Linux or any flavor of MS Server). I've done that on my Server before. In THAT case it would STILL have to respond to a Direct Cable Modem (not a router) request in order for the Modem to assign the Dynamic (single) IP.

You're protected as well as can be. Just do some more "light reading" so you'll understand better. ;)

HTH

Edited by submix8c

So again I ask why is the Windows XP Firewall responding to ping requests when I have it set to not "Allow incoming echo requests" set under ICMP settings? Shouldn't this setting make me invisible and simulate stealth mode?


NO! Stealth Mode is NOT a Block, It's a TOTAL IGNORE! AGAIN, you are TESTING the ROUTER (External) IP (did you not note the IP GRC gave you?) and NOT The COMPUTER (Internal) IP (LOCAL assigned IP by the Router's DHCP Service). AGAIN, you do NOT have STEALTH on XP - READ THE TECHNET LINK!

HTH
