Feeling insecure? Here's an online security checkup
Periscope
The hardest part of security is knowing your vulnerabilities. If you're
a typical PC Week reader, you're reasonably knowledgeable about security.
But have you ever tried to hack into your own system? Many of us don't
have the multiple machines and connections necessary to conduct our own security
test. And those of us who do are often shy about launching port scans
and server probes, even against ourselves, perhaps for fear of being
detected and bumped off by our ISPs. (Isn't it funny that the thousands of
people trying to break into our systems don't have the same compunction?)
Even with the right tools and connections, it's difficult to determine
just how tight your machine is. Worse, the tools that you use to secure
your machine can actually work against you. Some people, for instance,
equate port monitors/listeners, such as Lockdown
2000, with firewalls. They're not even remotely similar. A port
monitor actually opens TCP ports on your system, inviting snoops to
attempt connections, then gleefully slams the door on them and proudly
tells you what a good little watchdog it is. A firewall keeps the ports
closed unless you initiate activity, such as an FTP connection, so that
the snoop never even knows your system is there.
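
The difference is visible from the outside. The following is an added example, not part of the original column, and it runs against the loopback interface only: a constructed stand-in for a port monitor completes the TCP handshake, so its port reads as open, while a port with no listener is refused. The function names and the three result labels are assumptions of this example.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"

def start_port_monitor():
    """Constructed stand-in for a port monitor: listen, accept, log, hang up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))          # port 0: the OS picks a free port
    srv.listen(5)
    seen = []                        # peers the monitor "caught"

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:          # listening socket was closed
                return
            seen.append(peer)
            conn.close()             # door slammed, but only after the handshake

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen

def probe(port, timeout=1.0):
    """Classify a local TCP port the way a remote checker would see it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((LOOPBACK, port))
        return "open"                # handshake completed: something listens
    except ConnectionRefusedError:
        return "closed"              # reset received: nothing is listening
    except socket.timeout:
        return "no-response"         # silence, as when a firewall drops packets
    finally:
        s.close()

def demo():
    srv, monitored_port, _seen = start_port_monitor()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((LOOPBACK, 0))          # borrow a free port number, then release it
    unused_port = tmp.getsockname()[1]
    tmp.close()
    result = {"monitored": probe(monitored_port), "unused": probe(unused_port)}
    srv.close()
    return result

if __name__ == "__main__":
    print(demo())
```

The "no-response" branch is not exercised on loopback; it is the result a probe gets when a packet filter silently drops the connection attempt.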
I've seen a number of sites that will ping and probe your machine for
open ports and other weaknesses, but none as complete as Steve Gibson's
new ShieldsUp site at http://www.grc.com/shieldsup/.
Steve is the author of SpinRite, a uniquely powerful disk data recovery
and crash protection utility that has saved my bacon a couple of times.
His programming skill and attention to detail are widely respected, and
they're evident here.
The ShieldsUp site, at your request, attempts to connect to your
machine, using the NetBIOS protocol, which many users inadvertently leave
bound to their TCP/IP device. The only thing that's worse for your
security is to have file and print sharing turned on, with no password. If
your system is vulnerable, it tells you. If it's secure, it tells you. The
site (I trust Steve on this one) doesn't retain any of the information
from the scan. A few pages farther in, ShieldsUp does a port scan on your
system, looking for common vulnerability points. It judges the degree of
exposure that your system may have to common attacks.
The tests are invaluable, but the real heart of Steve's site is the
wealth of information. Steve's style is histrionic, with liberal use of
caps, bolds, different typefaces and exclamation points galore. He has
important stuff to tell you, and he wants to make sure you're paying
attention.
Finally, he's maintaining statistics on insecure sites, including
wide-open directories and machines that his site could connect to. I've
done the same from my machines and have seen plenty in my cable system's
domain: entire drives available for browsing, printers, personal Web
servers. If it weren't so much trouble to track down their e-mail
addresses, I'd send all of these folks a wake-up message. Or I'd send them
to ShieldsUp for a diagnostic and a good education.
Bill Machrone is vice president of technology for Ziff-Davis. He can
be reached at bill_machrone@zd.com.