An Expert to Tell Me Just How (In)Secure My System Is

Hello. Let me set this question up with a back story: I’m a semi-regular on a chat site. Granted, it’s 2013 and chat sites aren’t what they used to be. There are some really good people on this particular site though. Of course, there are also some not so good people. Like every chat room in history, there’s a person or two who go around, talk about their basic-to-advanced hacking skills, and torture anyone who they decide that they don’t like. Well, in this case, a person told a more-packed-than-usual room my IP address, and then said “I’m not going to Ping you or do a NetBIOS attack; I’m just proving a point”. Rather than shut up and leave, I immediately pointed out how ridiculous the conversation was, and made it clear that I had no time for a (let’s say) “skill” measuring contest. I came away thinking this person was basically bored/harmless. Then, after telling a friend the story, she assured me that she’d witnessed him post people’s computer files, private photos, her actual home address, etc.

I replaced my old antivirus/firewall combination with Comodo the next day. From what I can tell, it’s a significant step up. I did the ShieldsUp test after that, and as I’m sure everyone’s heard before, the Ping test came back a failure. I read up on that topic here on the forum. I learned the ShieldsUp test actually tests the modem’s firewall settings, not Comodo’s. I tampered with my modem (an ISP-issued Netgear model) for a long time, and found that there’s apparently no way to turn on Ping blocking with that model. Other than not being able to pass ShieldsUp’s Ping test, here’s where everything stands now: I passed the Unsolicited Packets test without any problems. My FTP port is closed to connections. Other than that port, all of my others come back stealth, including the infamous NetBIOS port. My overall router settings seem fairly secure. I have my Comodo firewall set to safe mode. I have the Stealth Ports feature set to “Alert Incoming Connections”. I have “Block ICMP In from Any Where ICMP Message is ECHO REQUEST” set as a Global Rule. I have both “Block fragmented IP traffic” and “Do protocol analysis” checked in Firewall Settings.

So, if anyone who knows more about computer security than myself can help me out here, I’d really appreciate it. From everything that I’ve told, does my system sound fairly secure? In a worst case scenario, what kind of attack am I still open to (particularly with Ping still open on my router)? Thank you.

EDIT: Alright. Nearly 20 views later, I’ll listen to non-experts too. Someone, offer a “Your computer sounds safe to me”. Or a “Yeah, you seriously need a better router”. Give the layman some closure.

Assuming the person in question isn’t an Admin at your chat site or has compromised that site in some way, the most common way that sort of thing (stealing someone’s files) happens is the human factor, better known as social engineering.

Simply posting a URL for you to have a look at can reveal your IP address, even if the wannabe hacker doesn’t control that site. How? Look at this topic. This user attempted to insert what is called a web bug into three posts (we’ve merged them into one topic now). Assuming he had access to the target site of the invisible GIF, which he probably did, he could log the IP address of everybody that looked at the post (until I broke the URLs and made them visible). This probably wasn’t a malicious act, but rather a marketing analysis thing. In any event, we stopped it. But, that’s how easy it would be to obtain someone’s IP address… other than your browser telling anybody and anything that asks (it has to really, no IP… no communication).

However, back to my stated assumption…

… I find this somewhat disconcerting. Why on earth would the chat site’s admins tolerate this? This doesn’t smell, or sound, right to me.

What’s your Netgear model, do you know? Modem/Routers not blocking this by default is not uncommon, mainly since blocking ECHO REQUEST will break most (if not all) multi-player games. Games, and many chat client applications, need this. You can’t really be attacked by this anyway, it’s only used to verify that “something” is on the other end of the IP address and that it is responding to ECHO REQUESTS. Since I do play games, I happily (and safely with CIS) leave ECHO REQUESTS on.

Do protocol analysis: This would only be useful if you already suspected that your system has been compromised (ie. there’s already malicious software running on your system), otherwise it is likely to negatively impact system and/or network performance if you run high-packet loads (ie. torrents) for no gain. This isn’t for inbound attacks/probes anyway (not much point sending your system stuff that it cannot understand and/or respond to).

In most cases you’d be much better off switching CIS to Proactive Security mode (used to be called Paranoid mode) which is, by its nature, very noisy… with lots of alerts and pop-ups.
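The web bug described in the reply above (an invisible, off-site image that makes every viewer’s browser fetch it and so hand its IP address to whoever runs that host) is easy to spot in post markup before it is published. The following scanner is an added example written for this thread; it is not the forum’s software and not Comodo code. The forum hostname and the sample post are constructed for the demonstration.

```python
"""Flag tracking-pixel style <img> tags ("web bugs") in forum post HTML.

A web bug is an image, usually 1x1 pixel or hidden with CSS, whose src points
at a host the poster controls. Every viewer's browser fetches it, revealing the
viewer's IP address to that host. This is a hypothetical, added example: it is
not forum software and not Comodo code.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FORUM_HOST = "forums.example.net"   # assumed home host of the forum (constructed)


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in a fragment of HTML."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    v = value.strip().lower().rstrip("px")
    return v in ("0", "1")


def _is_hidden(style):
    """True when the inline style hides the element entirely."""
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def find_web_bugs(post_html, forum_host=FORUM_HOST):
    """Return a list of (src, reasons) for <img> tags that look like web bugs.

    An image is reported when its src is on a host other than the forum's own
    and it is either tiny (0 or 1 px) or hidden with CSS. Same-host and
    relative images are never reported: they leak nothing the forum does not
    already see.
    """
    parser = _ImgCollector()
    parser.feed(post_html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        host = urlparse(src).hostname or ""
        if not host or host == forum_host:
            continue  # relative or same-host image: no third party learns the IP
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 or 0x0 pixel")
        if _is_hidden(img.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample post: a legitimate avatar, a 1x1 off-site GIF and a
# CSS-hidden off-site banner.
SAMPLE_POST = """
<p>Nice screenshot, thanks!</p>
<img src="https://forums.example.net/avatars/123.png" width="64" height="64">
<img src="http://tracker.example.org/b.gif" width="1" height="1" alt="">
<img src="http://cdn.example.org/banner.png" style="display: none">
"""

if __name__ == "__main__":
    for src, why in find_web_bugs(SAMPLE_POST):
        print(f"possible web bug: {src} ({', '.join(why)})")
```

Run against the constructed post, the avatar is ignored and the two off-site images are reported. A moderator tool would typically rewrite or strip the flagged tags (as the reply describes breaking the URLs so they became visible) rather than just log them.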

First of all, a huge thanks for the reply.

As for why the site’s admins tolerate that kind of behavior, I can’t answer that. It’s definitely not like this forum. I’d say “relaxed environment” is a nice way to put it. There are silent names that sit in the room with admin or moderator status, but the only time that they’re ever noticed is when someone’s suddenly kicked for, say, spamming. I’ve never seen anyone kicked or banned for threats or subject matter.

The thread you posted about the web bug was interesting. I’m trying to think of a way that the same thing could happen through this chat room. I know I’ve never clicked on any links that this person has posted. I also know that he listed other chatters’ IP addresses right before mine. Each person can upload their own image file to be used as an avatar next to their name in the room. Or post YouTube videos for the entire room to see (which I’ve never clicked on). That’s the closest thing that I can think of to the hidden URL example.

I think my Netgear model is a… 7550. It’s a Frontier ISP branded version. As far as I can tell, there’s no real manual online. You’re expected to call the ISP with problems. There are no decent settings for blocking Ping, as I already got frustrated over. The firewall section has several preset options - High, Medium, Low, or Custom. If I switch from Low to Medium, I notice very few differences on the surface, except notably that the chat site in question won’t load anymore. All of my other favorite sites still do, and messenger programs like Skype seem to. I thought that was interesting.

Okay, remembering that my IP address was available to this person (for whatever reason), ECHO REQUEST can only be used to verify that someone’s on the other end (and, I assume, possibly annoy me with Ping flooding), and I had the other ShieldsUp results that I mentioned (Passing the Unsolicited Packets test without problems, FTP port closed, every other port stealth), what would the likelihood be that this person or another could do anything to my computer? I’ve put a lot of time into this over the last day or two, and would like to come away feeling safe enough to not think about it. Comodo’s certainly helped.

Do you personally think that I should switch to noisy Proactive Security mode? Or is that just for my own piece of mind (the older “Paranoid mode” might fit in this case)? I suppose I’ll un-check the Protocol Analysis and leave everything else the same for now.

(FINAL?) UPDATE: Through my router settings, I made my FTP port stealth. Now, if I set the router firewall settings to “Medium” (which I found turns off ECHO REQUEST), I finally get the “perfect TruStealth rating” that I’ve been wanting. If I change the router firewall settings to “Low” (which turns ECHO REQUEST back on and makes certain sites more usable), I obviously fail the ShieldsUp Ping test. I realize ECHO REQUEST is much more useful than harmful, but I’d prefer people like the one I mentioned to know as little about me as possible. With CIS running in Proactive Security mode and now all of my ports hidden, is there truly NOTHING damaging that this guy can do through Ping and having my IP address?

Also, what’s the best way to be sure that my system hasn’t been compromised? A Comodo Cleaning Essentials full scan?

It depends on your level of comfort and familiarity with such things. In Proactive mode, you run the distinct risk of chasing Operating System phantoms and/or inadvertently stopping/impacting vital system functions, all of which can feed the paranoia-beast in the short term. Remember proving a negative, which is exactly what you might be doing here, is a well known tricky proposition even under the best of conditions.

CIS’s firewall component is well recognised as being one of the (if not The, by many) top software firewalls available (either free or paid). In paranoid (Proactive) mode, you introduce CIS’s HIPS component fully active… which can be noisy and does require a certain level of competency/awareness to use (if the user is to remain sane ;)) properly… which is top notch by any measure.

Chiron, a Mod here, produces some very good articles on such things, e.g. How to Know If Your Computer Is Infected.

There’s also a good number of linked articles under: Virus/Malware Removal Assistance.

And, of course, you can post on these forums.

An important point: Do I run CIS in Proactive mode? No, I trust CIS to protect me in Safe mode (aka. what, you crazy? I’ve got other things to do!). The real issue is, will I let CIS down? Because if anybody is the ■■■■■ in the armour here, it’s me (the user). Of all the risks and probabilities, I’m the most likely vector here. If my system was compromised, I think that it is highly likely that I would have personally authorised that (either directly or indirectly). Someone is much more likely to try and use social engineering* than a zero-day** on me… or anybody else.

*Unlikely to work on me. Whilst I’m not currently paranoid, I am a deeply suspicious individual at the best of times. ;)

**This can be slightly confusing on face value, but zero-day attacks only work (and have value) because they are not widely used. I’d be considered a high-risk target because I’m running CIS. Attack me with a zero-day and, in effect, you give that zero-day to Comodo. And that’s, of course, assuming the zero-day is able to defeat CIS anyway, which would not be a certainty. But either way, no more zero-day.

With CIS running in Proactive Security mode and now all of my ports hidden, is there truly NOTHING damaging that this guy can do through Ping and having my IP address?

Haha. So can I take it that your answer still falls pretty close to this…?

You can't really be attacked by this anyway..

The “can’t really” didn’t sound so definitive at the time. I realize that I’m staying on some of the same topics while you’re introducing more pressing ones, but besides half of these terms being completely alien to me a few days ago, I just want to be sure that all bases are covered before I move on.

Comodo Cleaning Essentials and Ad-Aware have only turned up a few minor spyware-related threats.

I’ve been running Proactive Mode with a few things tweaked, and everything seems to be working well so far.

The links you gave have a lot of helpful information. I’ll have to keep coming back to those for awhile.

And I get what you’re saying about social engineering. I’m sure you get a lot of single-digit posters who don’t even consider the possibility that their systems have been compromised through information that they’ve disclosed themselves. Even though I can’t think of any ways that would have happened here, I’ll be more suspicious of the possibility going forward, for sure.

she assured me that she'd witnessed him post people's computer files, private photos, her actual home address, etc.

There’s got to be more to the story than that. (Let’s assume the person doesn’t have back door access to the chatroom.) The worst they can do is knock you off or read intercepted unencrypted private messages. I personally haven’t seen anything new in years.

So I can get a better picture of what you’re using:
What Windows do you use? XP, Vista, 7, 8?
Also, do you use IM? If so, which one?

Why do we keep assuming that the person doesn’t have backdoor access to the chat room? Is that really so unlikely? Also, I’d only seriously considered the “knocking me off” part. What do you mean when you say intercepting “unencrypted private messages” – the chat room, social networks, instant messenger?

O/S: Windows Vista. Despite hearing bad things, I’ve never had a bad experience until this week.

Messengers: Skype

And rightly so, in this field one cannot be so definitive (there are just too many variables). It really wouldn’t be a very sound, or sensible, assumption/stance. I’ve been in development for… a really long time and by my mid thirties I’d started substituting “improbable” for “impossible”. Mainly since the “impossible” seemed to occur too frequently to qualify as such. :)

Fair enough.

What do you mean when you say intercepting "unencrypted private messages" -- the chat room, social networks, instant messenger?