When you click the 'Test my shields' button, ShieldsUp informs you that it is attempting to contact the 'Hidden Internet Server' [sic] within your PC. As a matter of fact, ShieldsUp sends a single NetBIOS name query (NQUERY) over UDP to the name service port (137) with the Broadcast, Query and Request flags set. Depending on whether an answer comes back (or not), ShieldsUp decides whether your shields are 'up'.
This is - obviously - not a very accurate method. And the NetBIOS name service is - also obviously - not really a 'Hidden Internet Server' either.
Now, there's a twist to this test. I set up a machine laden with vulnerabilities. Beginning with a few installed backdoors (BackOrifice, Sub7) and other vulnerabilities, I did not even spend the few minutes it takes to close down the most obvious security holes. ShieldsUp, however, happily reported:
- Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
Which is simply wrong. I had done nothing to stop even unsophisticated intruders from attacking and breaking into my machine - a small script like ShieldsUp, however, is simply fooled by Windows' inconsistent behavior when answering UDP name queries: no reply is taken as proof that nothing is there.
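To make concrete what the 'shields' test actually puts on the wire, and why silence proves nothing, here is an added example; it is not part of the original article and not GRC's code. It assumes the probe is an RFC 1002 node status (NBSTAT) request for the wildcard name '*' with the Broadcast bit set, which matches the flags described above, and it exercises the parser on a constructed sample reply rather than a live host. The host names, suffixes and MAC address in the sample are made up.

```python
import socket
import struct

NBNS_PORT = 137          # NetBIOS Name Service, UDP
NBSTAT = 0x0021          # RFC 1002 node status request/response record type
# Flags word as the article describes it: opcode QUERY (0), B (broadcast) bit
# set, QR = 0 (request). Assumption: the probe is an RFC 1002 node status request.
NBSTAT_REQUEST_FLAGS = 0x0010


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 section 14.1).

    The 15-byte name plus 1-byte suffix is split into nibbles, each nibble
    becomes a letter 'A'..'P', giving a 32-byte label, length-prefixed and
    terminated by a zero byte. The wildcard '*' used by node status queries
    is padded with NULs, not spaces."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    label = bytearray()
    for b in raw:
        label.append(ord("A") + (b >> 4))
        label.append(ord("A") + (b & 0x0F))
    return bytes([len(label)]) + bytes(label) + b"\x00"


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """The 50-byte packet: NBNS header, one question for '*' of type NBSTAT."""
    header = struct.pack(">HHHHHH", txid, NBSTAT_REQUEST_FLAGS, 1, 0, 0, 0)
    question = encode_netbios_name("*", pad=b"\x00") + struct.pack(">HH", NBSTAT, 0x0001)
    return header + question


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a length-prefixed label sequence ending in a zero byte."""
    while True:
        length = data[off]
        off += 1
        if length == 0:
            return off
        off += length


def parse_nbstat_response(data: bytes) -> dict:
    """Pull the registered names and the unit ID (MAC) out of a node status reply."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        raise ValueError("NBNS error rcode %d" % (flags & 0x000F))
    if ancount < 1:
        raise ValueError("no answer record")
    off = _skip_name(data, 12)
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[off:off + 15], data[off + 15]
        name_flags = struct.unpack_from(">H", data, off + 16)[0]
        off += 18
        # bit 15 of name_flags: group name; bit 10: name is active
        names.append((raw.rstrip(b" ").decode("ascii", "replace"), suffix, name_flags))
    unit_id = data[off:off + 6]          # first 6 bytes of the statistics block
    return {"txid": txid, "names": names, "mac": unit_id.hex(":")}


def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed sample reply in the shape a Windows workstation answers with,
    used here so the parser can be exercised without a live target."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # QR + AA, one answer
    entries = b""
    for name, suffix, name_flags in (("VICTIM", 0x00, 0x0400),      # unique, active
                                     ("WORKGROUP", 0x1E, 0x8400)):  # group, active
        entries += name.encode("ascii").ljust(15, b" ") + bytes([suffix])
        entries += struct.pack(">H", name_flags)
    statistics = bytes.fromhex("001122334455") + b"\x00" * 40      # made-up unit ID, then zeros
    rdata = bytes([2]) + entries + statistics
    answer = encode_netbios_name("*", pad=b"\x00") + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata
    return header + answer


def nbstat_probe(host: str, timeout: float = 2.0):
    """Send the query to a live host. Returns the parsed reply, or None if
    nothing came back. None is not a security verdict: a firewall dropping
    UDP/137, a non-Windows host and a Windows box that simply did not answer
    are indistinguishable from this side."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_nbstat_query(), (host, NBNS_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_nbstat_response(data)


if __name__ == "__main__":
    print(parse_nbstat_response(build_sample_response()))
```

The only honest conclusions a tool can draw from this exchange are "the host answered with these names" or "no reply within the timeout"; turning the second into "VERY SECURE" is the leap the article objects to.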
A textbox just below the results asks me to perform another check of my system, this time by probing my ports. A click on the button and I am there.
Again, the script presents me with a number of results. At this point, it starts probing my system with a series of connect() calls, which essentially try to establish a TCP connection to a handful of ports on my system. This time, oh wonder, it recognizes the fact that NetBIOS is open, but overlooks the installed spyware and backdoor programs.
It also gracefully overlooks a grave security problem I introduced by installing a freely available third-party application which essentially allows anyone on the net to browse my machine's hard drives and download and upload files.
I also had a web server installed. A small program which can be downloaded from download.com or similar sites allows my computer to export pictures to the net. My friends or casual visitors would then be able to browse this photo album with a regular web browser. The source code for said program is freely available. It's a very short program which basically implements a 'crippled' web server and some extra features. After reading the source code, I am sure there is not much an attacker could exploit.
GRC's 'nanoprobes' diligently connect() to the server and then wander on. The port test, however, tells me my HTTP port is closed. Strange. Very strange. A look at the logs I am sniffing from this connection shows my web server responded - still the test program reports it to be closed. I repeated the exercise with both Windows and Unix based web servers and got an overall hit rate of less than thirty percent. In other words, more often than not the test program would not detect my open web server.
There is no such thing as 'stealth' on the Internet. A port is either open (the host answers the connection attempt and accepts it), closed (the host answers with a TCP RST, or an ICMP port unreachable for UDP, and so reveals it is there) or there is simply nothing to answer (nothing comes back at all, because the packet was dropped or the host is not reachable). Gibson calls the latter 'stealth', which is as wrong as could be: a dropped packet tells you that something dropped it, nothing more.
A false sense of security even here. Just for Mr Gibson's record: my FTP port is not stealth - it's just not responding with an ICMP_DESTUNREACH when probed.
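The three outcomes of a connect() probe, as an added example that is not part of the original article and not GRC's code. It assumes ordinary TCP semantics: a listening port completes the handshake, a closed port answers with RST (surfacing as ECONNREFUSED), and a dropped SYN produces nothing but a timeout. The demo runs against the loopback interface so it needs no remote target; the port list at the bottom just names the FTP, HTTP and NetBIOS session ports discussed above.

```python
import errno
import socket

OPEN, CLOSED, NO_RESPONSE, UNREACHABLE = "open", "closed", "no response", "unreachable"


def state_from_connect_error(exc):
    """Map what connect() reported to what the port actually did.

    - handshake completed: connect() succeeded -> open
    - RST came back: ECONNREFUSED -> closed (the host is very much there)
    - nothing came back: timeout -> no response; this is what GRC labels
      'stealth', and all it tells you is that something dropped the SYN
    - an ICMP unreachable arrived: reported via errno -> unreachable"""
    if exc is None:
        return OPEN
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return NO_RESPONSE
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    raise exc


def probe_tcp(host, port, timeout=2.0):
    """One connect() attempt, classified. No banner grabbing, no guessing:
    a successful connect is an open port, whatever the service says afterwards."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    err = None
    try:
        sock.connect((host, port))
    except OSError as e:
        err = e
    finally:
        sock.close()
    return state_from_connect_error(err)


def scan(host, ports, timeout=2.0):
    """Probe each port and return {port: state}. Ports and states only; no
    'VERY SECURE' verdict, because a dropped SYN is not evidence of anything."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def demo():
    """Self-contained check on loopback: a listening socket must classify as
    open, and the same port after the listener closes must classify as closed,
    because the kernel now answers the SYN with RST."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo())
    print(scan("127.0.0.1", [21, 80, 139]))
```

Note what the classifier refuses to do: it never reports a port as closed when the connect succeeded, which is exactly the failure observed against the photo-album web server, and it never dresses up a timeout as a security property.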
I received a clean bill of health from ShieldsUp!, despite having a computer which is most likely the least secure computer ever tested by those scripts. A day later, I tried the same with the help of a friend's NeXT cube and was swamped with 'you are sooo insecure' messages. Regardless of the fact that said friend's NeXT cube is about the safest place to store data I can imagine, it responds to every port probe and connect() attempt with a TCP or UDP reply saying 'go away' in its packet payloads. Gibson tends to exaggerate. His supposedly superior system does not differ much from what is already available out there in hundreds if not thousands of other incarnations. The boldest claim, however, can be spotted on his Ports page.
- If you have used ShieldsUP! in the past, you may have just noticed that the Port Probe system is much faster than ever before. This is the result of the emerging deployment of our much-anticipated NanoProbe Technology. It is finally becoming real.
There is nothing 'nano' about Gibson's probes. In fact, a simple packet sniffer reveals them to be ordinary ICMP, TCP and UDP traffic: plain connect() attempts and port scans like any other.