Question GRC shields up test

[gn842a]

I always get solid green squares when I "test my ports!" (all of them) at the GRC web site but I always fail (and this has been going on for years both at home and at work) because my computer responds to pings.

I haven't found a way to configure my ESET antivirus (which I'm not using now) and my Windows Defender system to pass the GRC requirement. Six or seven years ago it was easy. Then something happened and it no longer was enough to have just a router.

Anyhow the instructions are complicated and when I've tried them they don't seem to work. I would be interested in comments related to

1. Is this in fact something to worry about and
2. How to go about it. Perhaps there is a security utility that makes it easier

thanks
Greg N

 

[kanewolf]

Your PC shouldn't be directly accessible, IMO. It should be your router that is being scanned by Shields Up.

 

[gn842a]

Your PC shouldn't be directly accessible, IMO. It should be your router that is being scanned by Shields Up.

Well here's what it says. I have never figured out a way to block the ICMP Echo....

Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

 

[digitalgriffin]

Well here's what it says. I have never figured out a way to block the ICMP Echo....

Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

I ran shields up after I installed BitDefender Box2. It oddly failed on some very curious ports that are only used by Windows, yet no windows machines were running. The only devices active on my network were the printer, android devices, amazon echo, a vacuum robot, and routers. I thought it "odd". Yes I checked that there were no rogue devices were connected.

 

[gn842a]

I ran shields up after I installed BitDefender Box2. It oddly failed on some very curious ports that are only used by Windows, yet no windows machines were running. The only devices active on my network were the printer, android devices, amazon echo, a vacuum robot, and routers. I thought it "odd". Yes I checked that there were no rogue devices were connected.

All I know is that he is a highly esteemed security expert and has been offering this service for a long time. I've always passed the port test but starting around 2013 or 14 my computers failed the ping stealth part and I haven't had much luck turning off the ping response.

Greg N

 

[digitalgriffin]

well you need a little background information. The standard "ping" itself is not a typical "Port" command. It's part of ICMP which is a whole host of low level network services. (https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) They all run on what looks like "Port 0" and some of these services are routinely used to keep networks humming along at a smooth pace (This includes your ISP which might ping your devices to see if you are online for diagnostics and performance improvements)

Now the problem with this is it lets hackers know there is a computer on the other side when the ping responds. They can then run a standard attack suite to see if you have any glaringly open holes. If you don't respond, they may assume you aren't online, or you're locked down hard (which makes their job not worth it)

So it really is a trade off of network performance support versus a hacker knowing you are there. Ping is pretty innocuous and impossible to attack. The only way it can be used against you is to let the hacker know there's a computer on the other end of the address. And many versions of windows will ignore incoming ping request from gateways. (There are other windows services which run on other ports which have their own version of ping exposed to the outside world) That doesn't mean your gateway or router won't respond though.

 

[gn842a]

Well FWIW I followed the various instructions here

https://social.technet.microsoft.co...icmp-echo-ping-response-?forum=w7itprogeneral

and got nowhere. Every time I try to block ping I can't. I appreciate digitalgriffin's explanation. Certainly in the days when I was 100% Greider certified I never had any issues with the ISP. About the only thing I ever "get" from ISP is a router reset when things aren't working.

So I guess it's academic. I thought I was a genius (well, a genius at following instructions) when I got the Win 10 search bar to stop returning internet results but this ICMP ping thing has defeated my repeated efforts over the years to turn it off.

To be fair, I haven't fallen victim to any hacker attacks either. But I do think that this particular feature is just plain disabled. Maybe you and mess with it in Win Enterprise.

I'll try a reboot but unless I come back chanting victory y'all can figure it didn't work out. Thanks, Greg N

 

[britechguy]

Just as an additional data point, I have not "passed the Shields-Up! ping test" in years and years now.

I long ago discounted that particular warning. All of the easy-access ports are locked down tight as a drum.

I am far more concerned about making sure that common and easy attack surfaces are closed or invisible than I am about every remotely possible "with huge effort and many contortions" being closed or invisible.

Most compromises on computers are much like many crimes in real life: based on ease of opportunity.

In addition, there has to be some sort of payoff for the attacker (other than perverse amusement or an attempt to get ransom). My home computer is not a particularly high priority target because there is no real payoff. It's a very low-value target.

In the final analysis, virtually all infections/compromises are the result of direct action by the end user. Developing safe web browsing habits is the first and best line of defense. Quietman7, a security expert who is an active contributor on Bleeping Computer, has written extensively on what you (any you) need to do to develop safe interaction habits with cyberspace. The following four are, in my opinion, must-reads:

• Users Themselves Are The Most Substantial Weakness In The Security Chain (just that single message)
• What you must understand regarding computer security (also just this single message)
• Best Practices for Safe Computing
• Reflections on Antivirus/Antimalware Testing & Comparisons

 

[gn842a]

In the final analysis, virtually all infections/compromises are the result of direct action by the end user. Developing safe web browsing habits is the first and best line of defense.

I do indeed know people who are totally clueless. Those include the very young and the very old. But the attackers are getting more and more sophisticated. Let us say a user is 99.99% savvy in staying away from bad files. One in ten thousand will get through. Distribute that over 100 million users, that's 10,000 penetrations. Might be per day or per year.

I have seen some malicious spam lately that made me do a doubletake. Not so many Nigerian princes around.

But I think many users are more on the order of 99% savvy or 99.9% savvy than they are 99.99% savvy.

Back in the early 00s I put up a new computer with an AV on it and was surprised that I was drawing a virus attack (the software called my attention to it) every five minutes or so. It was like a mass of lethal killers crowding in on me. I went to talk to a store about it and they said I needed a router. This was the first I'd heard of it. I'd done the previous 15 or 20 years without. And I read reports of bad guys using scanners to look for ten to twenty million accounts a night.

So my image of the internet is a vastly hostile place. When I went "stealth" and "ping free" it was a great relief. So I remain paranoid about people hammering at my system.

Greg N

 

[digitalgriffin]

I do indeed know people who are totally clueless. Those include the very young and the very old. But the attackers are getting more and more sophisticated. Let us say a user is 99.99% savvy in staying away from bad files. One in ten thousand will get through. Distribute that over 100 million users, that's 10,000 penetrations. Might be per day or per year.

I have seen some malicious spam lately that made me do a doubletake. Not so many Nigerian princes around.

But I think many users are more on the order of 99% savvy or 99.9% savvy than they are 99.99% savvy.

Back in the early 00s I put up a new computer with an AV on it and was surprised that I was drawing a virus attack (the software called my attention to it) every five minutes or so. It was like a mass of lethal killers crowding in on me. I went to talk to a store about it and they said I needed a router. This was the first I'd heard of it. I'd done the previous 15 or 20 years without. And I read reports of bad guys using scanners to look for ten to twenty million accounts a night.

So my image of the internet is a vastly hostile place. When I went "stealth" and "ping free" it was a great relief. So I remain paranoid about people hammering at my system.

Greg N

If security is paramount to you, a more advanced solution like PFSense with Snort plugin might be for you. The problem with it is a lot of game ports have to be manually configured. It doesn't work well with UPnP port request (UPnP is a security vulnerability, but many games use this mechanism to open ports on your router for communication to servers.)

 

[britechguy]

Well, my image of the internet is at complete variance with yours.

Virtually every scheme I encounter depends on social engineering and pretty significant stupidity/naivete. Using a very basic sniff test (so to speak) where you simply do not ever respond to unsolicited messages from unknown sources, never click through on links that are "just presented" without your having done anything to present them, never responding to anything regarding your machine being infected that's not generated by your own security software, and a couple of other basic steps wipes out 99.99999% of the threats before they even have the chance to threaten.

The internet/cyberspace is no more threatening to me than the real world is, and the basic instincts and actions my parents taught me as a child, transferred to this milieu, are and have been my first line of defense for decades.

 

[digitalgriffin]

Well, my image of the internet is at complete variance with yours.

Virtually every scheme I encounter depends on social engineering and pretty significant stupidity/naivete. Using a very basic sniff test (so to speak) where you simply do not ever respond to unsolicited messages from unknown sources, never click through on links that are "just presented" without your having done anything to present them, never responding to anything regarding your machine being infected that's not generated by your own security software, and a couple of other basic steps wipes out 99.99999% of the threats before they even have the chance to threaten.

The internet/cyberspace is no more threatening to me than the real world is, and the basic instincts and actions my parents taught me as a child, transferred to this milieu, are and have been my first line of defense for decades.

Let me talk to you via mIRC and see how your tune changes. :^) Or turn on your UPnP.

Malformed data headers, or open port services are just asking for trouble.

 

[britechguy]

Seriously, and no snark intended, because I'm not taking offense at what you've said, "Why would I, or anyone else, actually do that?"

I haven't had a UPnP enabled device (and that's even by default) for longer than I can remember now, for starters.

And when's the last time you used mIRC?

It is very easy for "the average user" to keep themselves safe from the vast majority of nefarious actors, using all the usual tricks, simply by developing safe interaction habits with cyberspace and having a basic sniff test when something unusual happens.

When that's combined with running a good security suite, with realtime scanning, you've screened out virtually everything.

When both of the above are combined with taking routine full system image backups and separate user data backups (which far too many still do not do, but should) on external media that is only connected during the taking of a backup or restoration from same, you're virtually bulletproof.

I've been doing tech support for home users and small office settings for over a decade now as a one-man business, and every smoldering heap I've had to try to put back together has, after a few delicate questions, been able to be traced back to someone doing something utterly boneheaded. On a very great many of those occasions the victim recognized their own stupidity about a tenth of a second late rather than having taken a few seconds before acting.

It is not difficult, at all, to keep yourself safe when traveling cyberspace. That's what makes it all the more astounding to me, at this point in history and after so many common infection and social engineering vectors have been repeatedly in the news, that so many people still keep falling for them.