Posted: Thu 31 Jan 2013, 14:01
As rcrsn51 points out, this is primarily a network insecurity, but system crackers can use any hole to compromise everything else.
Part of the problem is that the OS, (like XP originally,) opens ports in firewalls in order to use UPnP. One common cause system vulnerability to network attacks is that ports get opened for one purpose, then stay open. After a while the firewall begins to look like Swiss cheese.
Another aspect is that people configuring things so they can use them inadvertently open still other vulnerabilities. (When your system passes tests on the Shields-Up site, it offers little for a remote attacker to exploit.) Simply getting a networked printer to work can be such a frustrating experience that people in a hurry to print a report or school assignment may drastically compromise their network security. An attacker who knows what people commonly do in response to problems installing a particular printer can greatly speed up his rate of productive attacks by looking for systems where that printer model advertises its presence.
Routers play a key role, and more often than not, they are poorly configured. I keep finding routers with remote management enabled -- and the default password still present! What happens after this error is not limited by simple explanations. You may end up doing all your banking via Mexico. Most routers now have the ability to update firmware via the Internet. Some can support sophisticated Open Source firmware like DDWRT. (If an attacker can install this they can do just about anything. Fortunately, attackers with this kind of skill are rare.) Even without modifying firmware, an attacker who gains control of a router can create vulnerabilities, then lock you out.
I have a (non-wireless) router nearby which was converted to a brick by a remote update attempt. The person who gave it to me didn't even know remote firmware updates were possible.
@Wognath, there is generally no need for UPnP unless you are installing network devices. Best to leave it disabled on your computer at other times.
I've heard any number of arguments over cracking systems via the Internet versus LAN vulnerabilities. These tend to focus on vulnerable devices rather than people, getting the questions backwards.
I just had to explain to some friends that the network password on their home network, which they had been giving to friends who wanted to use their iPhones or Android phones for Internet access, also gave access to the whole LAN. An error in configuring sharing there will compromise your private data. Even if your next door neighbor is a fine upstanding sort, he might naively give your password to his deadbeat teenage hacker son.
The next level of debate involved the "guest" network I set up on their wireless for friends who just wanted Internet access at their house. They originally had the default password "guest". This might be OK if you were sure there were no pedophiles next door. Otherwise, you might find the police at the door with a search warrant some day. (It turned out they were concerned about one neighbor.)
They now have fairly weak passwords on the "guest" network. I'll remind them to change these once in a while. Access to private information is protected by stronger passwords. Nothing provides absolute security, but making it require effort to crack a system, without unduly inconveniencing everyone honest, will usually work. Make life too difficult for honest people, and they will disable security measures.
Part of the problem is that the OS, (like XP originally,) opens ports in firewalls in order to use UPnP. One common cause system vulnerability to network attacks is that ports get opened for one purpose, then stay open. After a while the firewall begins to look like Swiss cheese.
Another aspect is that people configuring things so they can use them inadvertently open still other vulnerabilities. (When your system passes tests on the Shields-Up site, it offers little for a remote attacker to exploit.) Simply getting a networked printer to work can be such a frustrating experience that people in a hurry to print a report or school assignment may drastically compromise their network security. An attacker who knows what people commonly do in response to problems installing a particular printer can greatly speed up his rate of productive attacks by looking for systems where that printer model advertises its presence.
Routers play a key role, and more often than not, they are poorly configured. I keep finding routers with remote management enabled -- and the default password still present! What happens after this error is not limited by simple explanations. You may end up doing all your banking via Mexico. Most routers now have the ability to update firmware via the Internet. Some can support sophisticated Open Source firmware like DDWRT. (If an attacker can install this they can do just about anything. Fortunately, attackers with this kind of skill are rare.) Even without modifying firmware, an attacker who gains control of a router can create vulnerabilities, then lock you out.
I have a (non-wireless) router nearby which was converted to a brick by a remote update attempt. The person who gave it to me didn't even know remote firmware updates were possible.
@Wognath, there is generally no need for UPnP unless you are installing network devices. Best to leave it disabled on your computer at other times.
I've heard any number of arguments over cracking systems via the Internet versus LAN vulnerabilities. These tend to focus on vulnerable devices rather than people, getting the questions backwards.
I just had to explain to some friends that the network password on their home network, which they had been giving to friends who wanted to use their iPhones or Android phones for Internet access, also gave access to the whole LAN. An error in configuring sharing there will compromise your private data. Even if your next door neighbor is a fine upstanding sort, he might naively give your password to his deadbeat teenage hacker son.
The next level of debate involved the "guest" network I set up on their wireless for friends who just wanted Internet access at their house. They originally had the default password "guest". This might be OK if you were sure there were no pedophiles next door. Otherwise, you might find the police at the door with a search warrant some day. (It turned out they were concerned about one neighbor.)
They now have fairly weak passwords on the "guest" network. I'll remind them to change these once in a while. Access to private information is protected by stronger passwords. Nothing provides absolute security, but making it require effort to crack a system, without unduly inconveniencing everyone honest, will usually work. Make life too difficult for honest people, and they will disable security measures.