I recently started installing home networks for a living, but I've
been doing PC tech work on-and-off for years.  A colleague and I were
debating the value of installing a firewall (either hardware or
software) for a customer who had Win98, Trend Micro PC-Cillin
Anti-Virus (seems to run faster on old systems than Norton AV), and
Spy Sweeper.  The user regularly installs Win98 updates, and both
PC-Cillin and Spy Sweeper were set to auto-scan more than once per
week and auto-update.  A cable modem was recently directly connected
to the PC for broadband.  While in that customer's home, we noticed
that the browser had only 3 sites in its history, and along with the
user's comments, it seemed that it was used for a limited number of
safe online activities at reputable sites, none of which involve
banking or other security-critical tasks.  Let's say that the
anti-virus and anti-spyware were strong enough to keep those problems
out, even though we all know that's not entirely true.  The user has
no other computers and doesn't plan to expand.  What risks are posed
to a this type of user by not having a firewall?

It's my understanding that intruders would normally start with a port
scan to reveal vulnerable PCs, and that the user's PC would pop up,
since it has nothing to stealth the ports.  Then the intruder would
use a known Win98 vulnerability to install a rootkit to keep access. 
I've heard that Win98 is inherently insecure (more so than XP), but I
don't know whether Windows Updates will take care of that.  I also
don't know how an intruder could install a rootkit without setting off
the A/V or A/S software.  Also, can an intruder remotely undermine A/V
and A/S without putting detectable malware on the system?  I presume
that files can be seen remotely without any uploads, but since most of
the software (except the security software) is old, CD keys that might
lie in the registry would be of little value to the attacker.  The
processor is old, so it would also be of little value.  It seems that
the most valuable part of the machine would be the broadband
connection, possibly for DDoS attacks.  But that all involves putting
detectable .EXEs on the user's drive, doesn't it?  Again, I realize
that many attackers might use recent viruses or spyware to avoid A/V
and A/S detection, but let's assume that the A/V and A/S are doing a
good job.  I've never worn a black hat, so I've only read about what's
going on from vague technology articles.  I don't want to
over-recommend to price-conscious customers, but I don't want to leave
them vulnerable either.  Please explain the risks in terms of how an
attacker avoids the A/V and A/S and what bad things they have the
capability to do.  A couple decent examples are enough.  If you
explain how the A/V or A/S is disabled, then no further explanation is
necessary, since the possibilities for "bad things" become endless. 
Please provide your search strategy or Web links to backup your
answer.

---

Request for Question Clarification by sublime1-ga on 07 Nov 2005 18:47 PST

fungicord...

From what you've described, this particular user is not at
great risk, since he does limited "surfing". I haven't seen
a lot in the current news about port hacking as a method
currently in vogue, as it were. Most trojans these days 
seem to come from hidden downloads initiated on malicious
sites, which a sparse surfer is unlikely to come across, 
and yes, these would leave visible evidence, though I'd 
recommend the use of the free WinPatrol program to alert
the user of their inclusion in the Startup areas for
Windows, and an AV program which scans for such hidden
downloads as file activity, such as AntiVir's Guard 
component.

Since both AntiVir and WinPatrol, as well as a slew of
very effective anti-spyware programs, are free, I can't
think of a good reason not to install them on any and
every broadband connection, including a system which
is only used for minimal surfing. ZoneAlarm provides
a free firewall which will stealth all the ports, as 
well, so why not include that as a standard install?

A previous answer I provided details how to configure
a "bulletproof" system using freeware. I would consider
it standard procedure for configuring broadband systems.
It contains links to all the freeware I've mentioned
here, and more:
http://answers.google.com/answers/threadview?id=568868

Let me know if this satisfies your interest in asking
this question, or what else you need to know...

sublime1-ga

---

Clarification of Question by fungicord-ga on 07 Nov 2005 20:12 PST

sublime-ga:

I would agree that port hacking has become less common, likely because
of the prevalence of hardware firewalls in routers.  It's also less
common because infecting people with spyware and viruses has become so
easy.  On average, users have become more mainstream and less savvy
about their PCs.  But I'm not sure the old-school techniques went
away.  After installing Norton Personal Firewall on my system, I
received a couple port scan detections over the course of a year--but
then I use my system a lot.  Plenty of sites still mention port scans
and firewalls though.  Symantec's free Security Check
http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym
offers a port scan as part of its routine.  You mention Shields Up! at
https://www.grc.com/x/ne.dll?bh0bkyd2 in your "Assess your
vulnerability" section, which performs a port scan.  That site also
lists common port scanners in its section title "Am I really in
danger?" http://www.grc.com/su-danger.htm.  Is it paranoia?  Maybe,
but an article with nothing to sell at
http://www.pcworld.com/news/article/0,aid,117557,00.asp is less than a
year old and says, in part, "...most home users don't have any
firewall protection in place. That leaves connected PCs exposed to all
manner of intrusion and attack."  I'm trying to clarify "all manner" a
little bit.

As for installing extra free A/V programs, A/S programs, and software
firewalls, the disadvantage is that it all consumes system resources
(software firewalls are notorious for adding latency to Internet
connections).  And when a Win98 machine has only 64MB or 128MB of RAM,
it needs all of the system resources it can get.

Sublime, if you can justify your answer with stat pages showing the
declining prevalence of port scanning or articles showing that
firewalls are overkill on non-networked PCs, or that show a firewall's
advantages as being limited to protection against people gaining
access to pull sensitive data or install viruses or spyware, you can
post it as an official answer.

---

Request for Question Clarification by sublime1-ga on 07 Nov 2005 22:16 PST

fungicord...

While I do believe that port-scanning is less popular these
days, and I'm also inclined to believe that businesses are
much more likely to be targeted than home users, I don't 
mean to suggest that it doesn't pose enough of a threat to
take preventive measures. As I said, given the availability
of free and effective software firewalls such as ZoneAlarm,
I would consider it standard procedure to install a firewall
of some sort. The biggest threat facing a home user is 
probably that of having their system become a middleman in
a DOS attack against a website by way of a planted trojan.

As for system resources, especially with Windows 98, I would
make it a standard recommendation to increase the RAM to 256MB.
RAM for computers which are likely to be running Windows 98
should be available pretty cheaply. Additionally, Windows 98
has a little-known setting which allows the OS to make better
use of available RAM: Right-click on the My Computer icon,
select Properties, go to the Performance tab, click on File
System under the Advanced Settings heading, and on the Hard 
Disk tab, select Network Server as the typical role of this
computer. This and other tips can be seen on this page from
SpecterWeb:
http://specterweb.com/tips2.htm

With an increase in RAM, installing a free software firewall
such as ZoneAlarm is no big deal. If, however, the correct
RAM is difficult to come by, or, for some reason, the cost
is prohibitive, I would recommend using a hardware firewall
in the form of the Asante Router I recommended in the answer
I referred you to. This costs approximately $30, and may be
cheaper than additional RAM. In addition, it doesn't drain
system resources as a software firewall can do.

Let me know where this takes you...

sublime1-ga

---

Clarification of Question by fungicord-ga on 08 Nov 2005 23:42 PST

sublime,

I'm afraid we're veering into a discussion of how to upgrade a PC to
make it secure on the Net.  That's not really my question. 
Jibranilyas's comment started to move in the right direction, but the
only link he provided discussed what happens when a totally
unprotected PC gets infected with Sasser and other worms, which would
be squashed by the A/V.  For an example of the type of information I'm
looking for, please consider something a knowledgeable friend said to
me regarding this issue:

A Win98 PC cannot be protected by a hardware firewall.  Win98 does not
care about ports and is flawed such that the router must guess when a
port is needed for incoming traffic.  For example, when a user opens
their email and it auto-checks every few minutes, Win98 will not tell
the router when incoming communications are expected and when to shut
down.  So as long as Outlook periodically checks for mail, that port
will be open to every worm that scans the email port, and browsers
will leave port 80 open, etc.  XP is port-aware, and when the user
isn't actively sending or receiving, the port is closed.  A PC will
get infected using Win98.  It's a lost cause.

This is in stark contrast to the comments from both you and
Jibranilyas with regard to port security.  My friend could be wrong
though; I'm not sure.  If you could verify his comments with Web
resources, that would qualify as a 5-star answer, even though it
doesn't address the original question.  If you can refute his comments
with links, that would also qualify.

But otherwise, the question is still about the risks to a user's PC
from sources other than viruses and spyware when a firewall is not
installed.  Alternately, the question is about the risks to a user's
PC from viruses and spyware that successfully go undetected by an
up-to-date A/V and A/S setup, or that undermine those tools without
removal (not including brand new viruses or spyware).  Links or search
strategies are needed.

---

Request for Question Clarification by sublime1-ga on 09 Nov 2005 01:10 PST

I took the heart of your voluminous question to be:

"I don't want to over-recommend to price-conscious customers,
 but I don't want to leave them vulnerable either."

Both jibranilyas-ga and I have provided you cost-effective
solutions to address this concern.

You seem to be trying to obtain proof that it's a "lost
cause", though to what end, I cannot comprehend.

I no longer have a Windows 98 installation with which
to experiment, so I can't currently prove to myself
that installing ZoneAlarm or a hardware firewall will
produce a stealth condition for all ports at Steve
Gibson's ShieldsUp! site, but I remember that being
the case when I used Windows 98.

You're interested in the risks of not having a firewall,
which is certainly researchable, but I'm personally more
interested in educating people that there's simply no 
reason to be without a firewall.

Perhaps another researcher will take on your cause...

sublime1-ga

---

Clarification of Question by fungicord-ga on 09 Nov 2005 19:56 PST

frde-ga,

Your comment, "Due to weaknesses in MS's design, (about which Steve Gibson waxes
lyrical), software outside the network can probe ports on the
machine(s) and MAKE THE MACHINE DO WHAT IT TELLS IT TO DO."

This is what interests me.  Clearly a machine that can be controlled
from afar has a serious weakness.  When you say this, I think of all
of the MS Critical Security patches that have said something along the
line of, "...allowing complete control the machine, including
execution of code."  I think of remote login capabilities, raising a
rogue user account to admin status, moving files, concatenating text
files in EXEs, etc.  Are these the things that are made possible by a
lack of a firewall?  The part I don't understand in the whole security
chain is how visibly closed ports or open ports create a
vulnerability.  I'm certainly very much in favor of firewalls myself. 
But this question was posted in an effort to educate myself a little
more as to exactly what leverage a missing firewall gives to an
intruder.  I know that when an FTP client tries to connect to a
machine that is also running an FTP client, it simply doesn't connect,
regardless of an open port.  If I open an email client and type a
user's home IP address in the POP3 server address, it doesn't connect
even if the user is checking their mail (assuming it's a regular user
with no servers running).  I believe that the port exposure poses a
threat, but I don't know what threat.  Frde, please expand on the
notion of probing ports for external control that I quoted from you.

fungicord, 

I concur with most of the suggestions by sublime1. Increasing RAM to
256MB will be fruitful. Regarding your question on the firewalls, I do
recommend a software firewall in a security baseline, but considering
a presence of anti-virus and antispyware and the user doesn't surf
much ....i would say that its not imperative to have a software
firewall, but won't hurt if you've got enough RAM. There are many
ready-made "Antivirus disabler" available that can turn off the
popular suites like Norton, McAffee, TrendMicro, etc. However, I would
highly recommend a router to be placed between the WAN (cable or dsl)
and the computer as even a basic D-Link router has some firewall or
filtering functionality. Any thing coming in to the network from
outside has to be passed through the router which be default has all
the vulnerable ports closed. here are few advantages

-If win98 PC has a telnet port open, the router will have that port
closed for incoming traffic, unless you specifically set port
forwarding on the router.

-The port scans on your external IP will be performed on the router,
rather than the win98 pc, which is known to be vulnerable.

-Router serves as a hardware firewall, which is faster than software
firewalls. The customer won't have to answer frequent pop-ups as seen
on zone alarm and other software firewalls. Also, software firewalls
take up system resources.

[You can get a 4-port (non wireless) router under 30$ (good investment)]

Being said that, A lot of the malware now comes from the web. If you
can get your customers Firefox and block the installation of ActiveX
and other plugins, that will be great. If they insist to use Internet
Explorer then just block the activex installations as those
executables can take over the system. Win98 remains vulnerable. Check
the following link to see a win98 computer without a firewall ...
you'll see how quickly it can get infected...
http://www.bbcworld.com/content/clickonline_archive_14_2005.asp?pageid=665&co_pageid=3
or search on "Jacques' Hack Attack" -- ofcourse on google :)

Considering price and ease of use to the customers, a simple d-link
router/firewall won't hurt and plus its a one time expense as compared
to antivirus subscriptions, which have to be renewed every year.

Jibran Ilyas

jibranilyas,

Thanks for your comments.  They're really starting to get to heart of
my question.  I had forgotten about the issue with opening a telnet
port and having that provide a security problem with incoming telnet
sessions.  I suppose the same is also true if the user were to open an
FTP session.  If I thought these were likely events for a limited
surfer, then I might ask for more info about how those situations are
exploited, but it's not realistic for someone who only does a few
things online.  That video link reminded me that port scanning isn't
limited to a person with a piece of manually-activated software
probing the Net.  It might be that it's mostly malware doing the
scanning, and that's why it's included in security checks.  It seems
that the biggest risk for an idle PC like the one I described is a
brand new "outbreak" threat similar to Sasser, Blaster, or Mydoom
because the lack of a firewall will allow it to be seen very quickly
by millions of infected PCs that are automatically scanning for other
victims.

But that's really outside the scope of my question, which excludes the
"outbreak" scenario.  The anti-virus disabler that you mentioned is
definitely interesting.  I wasn't able to find anything on it.  (i.e.
"antivirus disabler" in Google produced only 19 matches, and bad ones
at that.)  I know there are worms such as Bigbear and other virus-like
things out there that will disable software firewalls and antivirus
software, but will they do it without detection on an up-to-date PC? 
Are there manual versions of such things that do it remotely?  If you
post an answer with either direct links to software or reputable
articles that discuss those tools directly, then that satisfies my
question.

You also mention "The port scans on your external IP will be performed
on the router, rather than the win98 pc, which is known to be
vulnerable."  Can you discuss that vulnerability in a way that shows
the risks?  Let's say that an intruding piece of software can open the
email port.  How is a user at risk despite the A/V and A/S that are
both active in memory?  Please remember that reputable links or a
Google strategy is needed for any posted answer.

I think you need to make a clear distinction between how malware gets
onto the machine and the basic functionality of a firewall.

Due to weaknesses in MS's design, (about which Steve Gibson waxes
lyrical), software outside the network can probe ports on the
machine(s) and MAKE THE MACHINE DO WHAT IT TELLS IT TO DO

In simple language it can ring a doorbell and Windows obligingly opens
the front door and invites the visitor in.

This is entirely different from things like port 80 requesting data,
or a mailer sending/receiving Emails or your system starting an FTP
session.
For example, unless you have a little webserver on your network,
anything knocking on Port 80 is just going to be ignored, similarly
someone might try to initiate an FTP session from outside, but unless
you have installed an FTP server it will be wasting its time.

Disabling the doorbell can be done by a hardware router or a Firewall
- to me it is a no brainer to opt for the hardware solution
- and check all is secure using Steve Gibson's site

The secondary function of a Firewall is to detect and block things
trying to call OUT from your system.

Put crudely it will warn you if you have some malware, but in my
opinion that is shutting the stable door after the horse has bolted.
Anyway, it is pretty easy for something to pretend to be a browser or
a mailer or an FTP client, which would make it very difficult for a
Firewall to detect that something funny is going on.
For example, malware could easily hijack the browser and download more
of its malware.

Once you have malware on the system, then if the AV setup does not
spot it, you have had it.

I am not an expert on networks or TCP/IP, although I once wrote a
little WebServer and an Emailer, and am quite familiar with setting up
TCP/IP links.

I totally agree with Sublime-ga, not spending $30 on a hardware port
blocker is plain irresponsible, especially with an 'always-on' line.

Personally I doubt the value of a software Firewall. It is just one
more thing to go wrong.

To conclude, people who probe ports and write malware are plain
malicious, they might or might not be interested in stealing data
- it is much more likely that they just want to shaft the machine.

@fungicord-ga 

As you know, Windows 3.1 was re-christened Windows For Workgroups
- my understanding is that it all dates back to that

What had formerly been a standalone operating system suddenly acquired
inbuilt Networking Server capabilities.

In itself, that is not so bad, but MS failed to pin it down, so on a
badly protected machine it is possible to get in via a TCP/IP
connection and use the machine as a Server.

I've heard chilling stories of people in Chat rooms being displayed
the directories of their Hard Disks.

To make this worse, in the 1980s there was some debate about what the
'N' stood for in 'NT' - some people said that it stood for 'New'
others said it stood for 'Network' - which kind of figures as it is
supposed to be a bottom up re-working of the DEC VAX operating system.

Reading: http://www.grc.com/su-explain.htm
Gives a much more technical explanation
- but sometimes a simple version gets the point across.

I also share your suspicion of automated Windows Updates, I'm also not
at all keen on any kind of client side Scripting or ActiveX embedded
in HTML.

One other word of warning, Radio Networks can be configured so that
they are encrypted, but they need not be, which means that one can
often get into the Home/Office Network down the road - a friend of
mine who has an office in fairly remote countryside regularly uses a
local Radio Network system for testing ...

"If you explain how the A/V or A/S is disabled, then no further explanation is
necessary, since the possibilities for "bad things" become endless. 
Please provide your search strategy or Web links to backup your
answer."

The way many exploits work is through buffer overflows.  Let's assume
for example that you have a service running and it expects to receive
10 characters. When data is sent to the service it reads it in and
stores the data in memory.    When the data is written it is stored in
a memory buffer of a specific size...say 10 characters in this case. 
Poorly written code will do this without regard to the data's size. 
So, lets say you send 11 characters instead of 10.  When the data gets
written to the buffer it overflows the buffer.  When this happens, the
attacker basically gets to overwrite portions of memory.

Most buffer overflows will crash the service in question causing a
denial of service.  However, since the program's execution stack is
also in memory, it is sometimes possible for the attacker to inject
code into the execution stack, thus allowing the attacker to execute
code of their choice.  A/V or A/S software is screwed here because
there is no executable to scan.  At this point the attacker can
basically do anything the user can, including disabling or even
deleting the antivirus software.

If a computer is put on the net, it should always have a firewall. 
Vulnerable Windows machines will be hacked in an average of under an
hour:

http://isc.sans.org/index.php

If you do PC Tech support/consulting you do your client a disservice
by not strongly recommending them a cheap broadband router which will
prevent these attacks without consuming any system resources.  The
cost of one of these is probably a fraction of your hourly rate.  You
could, and should, bring one with you to use when you fix/patch their
machine anyway.  If they don't have one, just sell the one you bring
to them right on the spot.

I noticed you asked for links to support my answer.  Buffer overflows
are a very widely discussed topic in computer security.

A simple Google search for "buffer overflow" will pull up tons of
pages on the subject.  A good number of these are security advisories
for all the different computing platforms (buffer overflows affect all
computer software...mac, windows, linux, etc, etc...).

feldersoft,

Thanks for commenting on my question.  I was aware of buffer overflows
as a method of service-crashing, but didn't know that they could be
used to overwrite the memory of other programs.  I seem to recall that
Win NT/2000/XP fixed this issue by keeping programs in their own
memory area and disallowing writes to other areas of memory
(especially the OS), which is supposedly a major reason why NT-based
systems are so much more stable.  But my question is centered around a
Win98 scenario, so I'll stick to that.  There are only two remaining
pieces of the puzzle: Does Win98 have services running by default that
could accept buffer overflows from the Net (assuming that the user is
patching regularly)?  Also, do A/V and A/S software run in reasonably
predictable areas of memory such that a person inserting a buffer
overflow could overwrite or modify them?  My assumption would be no,
since each machine has different programs loaded at startup, and so
has different programs resident in memory in different orders.  But if
the OS services are always resident in lower memory addresses, and A/V
and A/S software are always loaded early due to their need for
low-level control, then it may be that A/V and A/S are usually in very
convenient locations for a large, blind overflow that wipes them out. 
But I'm just guessing.

feldersoft,

btw, when you reply to my last comment, you can post your comments as
an answer, as you have mostly answered my question already.

I'm not a ga researcher so I can't post as an answer.

"I was aware of buffer overflows
as a method of service-crashing, but didn't know that they could be
used to overwrite the memory of other programs"

Not necessarily other programs.  Successful buffer overflow exploits
typically overwrite the execution stack of the service exploited. If
the service being exploited runs with system or administrator level
privileges, the exploit code will too.  Since all services under
Windows pretty much run with these privileges, any successful exploit
can compromise the machine.  This is partially why under Linux it's a
good idea to run processes under unprivileged user accounts.

"There are only two remaining
pieces of the puzzle: Does Win98 have services running by default that
could accept buffer overflows from the Net (assuming that the user is
patching regularly)?  Also, do A/V and A/S software run in reasonably
predictable areas of memory such that a person inserting a buffer
overflow could overwrite or modify them?"

You never really know which services are vulnerable to attack, and
often times Microsoft doesn't always patch things.  Also, Microsoft is
dropping support for 98, and not all things necessarily are getting
patched. In fact even in with XP not all things get patched.  For
example, 29% of known Internet Explorer vulnerabilities are unpatched
and 12% are only partially patched (good reasons to use Mozilla
Firefox btw).

http://secunia.com/product/11/ 

Now think, this is just one piece of software.

Finally, the user may run a program that is susceptible.  Simply
relying on patching alone is not a good strategy.  You may be safer
this way than without patching, but eventually a 0 day (i.e. a black
hat releases it without notifying Microsoft) exploit is going to get
you.

As for the A/V software, it's not about predictable places in
memory...it's about exploit code launching a shell process and simply
disabling or deleting the A/V software.  Think if the user can do it,
the exploit code can do it.  It's that simple.

Thanks for all the info, feldersoft.  That's exactly what I needed to
know.  I was especially enlightened by the secunia.com link.

My understanding now is that the greatest risks of not having a
firewall are 1) the PC's ports are visibly closed and reveal the PC's
presence on the Net, making it a target, and 2) unsolicited
communication is allowed with core Windows services and other
programs, many of which have unpatched security problems due to vendor
delays or abandonment.  This allows an intruder to use a memory buffer
overflow to modify the execution stack of services or program code
that has administrator-level permissions, which in turn allows the
execution of the intruder's code at the admin level, which can include
the disabling of A/V and A/S software.  The A/V and A/S programs will
not interfere because they are being uninstalled as if by the user. 
The intruder can also use this code-execution opportunity to transfer
in backdoors, rootkits, etc. to allow extended control.

It also sounds to me as if all this could be prevented if a user were
to create a "user level" account and use that for their day-to-day Web
browsing, though I'm not sure whether the Windows services would still
run at the admin level.

Creating a user level account is a good idea because it means things
like trojans and what not may not have as much of an impact if
executed.  However, Windows services will still run at system or
administrator level.  In addition, running Windows in
non-administrator mode is a real pain.  You cannot install software,
you cannot do things like change your IP, and you cannot install
updates.  In addition Windows 98 has no concept of a non administrator
user.

In a corporate setting, running as non admin works great.  This is
because the users don't need to mess with the system config and don't
need to install software.  On a home system, not so great.

Hi, I didn't read the entirety of your correspondance, so forgive me
if this was already mentioned, but Microsoft is (as of 01/01/2006 I
think) discontinuing support for Windows 98. This means no more
security fixes. This might affect your perception of what needs to be
done.