
I have read somewhere that it could be dangerous to use unknown networks because the router owner could open ports and attack programs that would run on the victim's system on precisely those ports.

I asked in the named forum (the link is in German) if a firewall would protect me against such types of attacks and received the reply that it would not.

Now I am a bit confused because I asked here on StackExchange what I should take care of in unknown networks and received a reply that I should just take care of my firewall being set up correctly and encrypting my outgoing network traffic.

WhiteWinterWolf
  • Could you put the links corresponding to the appropriate "somewhere" and the "named forum" posts? Maybe there was some formulation issue which could have led to some potential misunderstanding? – WhiteWinterWolf Aug 01 '15 at 11:00
  • http://forum.chip.de/sicherheitsmassnahmen/laeuft-eigentlich-hacken-1808460.html It is a German forum and I initially asked there how it would work with portscans and how I could become a victim if someone is trying to find vulnerabilities in my system via portscans. The reply aimed that if all the ports on my router are closed there should be no problem, but if there are open ports the program working underneath could become a target and a firewall would not protect me. – Junior J. Garland Aug 01 '15 at 14:10

2 Answers


The router cannot open ports in your computer since the OS is the only one responsible for managing them. A software firewall can mitigate some risks, however you are still exposed to the following when connecting to an unknown network:

  • All traffic not encrypted can be easily sniffed
  • You are exposed to DNS related attacks being redirected to malicious websites
  • Man in the middle attacks as well as session hijacking are way easier to be performed
  • Your computer may become a victim of scans to identify open ports, operating systems and supported protocols which your firewall is not protecting. After that the attacker can try to exploit possible vulnerabilities such as installing back doors. Then even disconnecting from that network won't help you anymore...
  • I would like to read more about the fourth possibility of attack you have named, do you know where I could find more information about it? – Junior J. Garland Aug 01 '15 at 14:31
  • Finding out open ports can be done with port scanners such as NMAP or HPING3. Vulnerabilities for applications running behind those ports can be found at exploit-db and NVD. –  Aug 01 '15 at 14:48
  • I will check later with NMAP but still I guess I would know if I have opened ports, I would have to set this up in my software firewall, is that right? – Junior J. Garland Aug 04 '15 at 12:58
  • You need to configure (block or filter accordingly) the ports found in the NMAP scan in your SW firewall. –  Aug 04 '15 at 14:12
  • What if I am updating my android phone via an untrusted connection. According to your comment an attacker could determine my system version by scanning and exploit a vulnerability even if no ports are opened on my device or did you mean if there are opened ports? – Junior J. Garland Aug 04 '15 at 20:44

I have read somewhere that it could be dangerous to use unknown networks

When one mentions "unknown networks", it usually means some public networks like cybercafe, airports, and other public places. As long as you are speaking with your home, then the network is known because you have access to all configuration and under normal circumstances all connected devices are yours or at least known by you.

because the router owner could open ports and attack programs that would run on the victim's system on precisely those ports.

A router owner can only open a port at the router level. It will not open the ports on your machine.

The router owner usually designates the person having access to the router configuration. In the context of your home, the router owner will be you. ISP actions concerning the router stop at publishing updates for the router firmware in order to solve bugs.

Concerning ISPs, as far as I know in all situations where the ISP was mandated by some government to spy on a user, the router was not involved. The ISP instead passively collects your Internet traffic on its side, which is both easier and more discreet than trying to tamper with your home router.

To successfully reach your machine, three conditions need to be met simultaneously:

  1. The router must be configured to route traffic coming from the internet to your local machine,
  2. Your local firewall must be configured to accept such incoming traffic,
  3. You must have a software listening on the requested port.

Following your linked exchange, I need to stress a few things:

  • What we are dealing with now is really incoming connections. When you use Firefox, the initial connection goes from your local machine toward the Internet, then it is only replies which come back from the Internet to your local machine. The router is perfectly able to distinguish a reply from a new incoming connection, so the fact that you are able to browse the web does not show in any way that anybody could bypass your router. By default, a router allows new connections only in one direction: from your local network to the Internet, and not the other way around.
  • You mentioned a port being opened for file-sharing. Usually file-sharing is done on the local network, sharing the PC's files to make them accessible on the tablet or the TV for instance. Such file sharing is not accessible from the Internet since the router will not let incoming connections pass through (step 1) in the above list).
  • In the linked discussion you mention a video you saw on the Internet. Personally I saw a video explaining how to produce pop-corn using a cell-phone... Just do not trust anything you see or read on the Internet: a lot of stuff is just done by people needing to feel valued. Even when the thing becomes viral, even when a lot of people blindly trust it: the fact that a lot of people trust a lie is not sufficient to make it become true.

If you check your router configuration (usually a web interface), you should find options labelled "NAT" or "port-forwarding". These are the options defining whether connections incoming from the Internet should be forwarded to your local machine or discarded. By default all these options are disabled or empty.

I asked in the named forum if a firewall would protect me against such types of attacks and received the reply that it would not.

The actual question from the linked discussion was translated as this:

In relation to the first case study (Port was opened and the used file-sharing program has vulnerabilities that can exploit the attacker) one more question: Offer me the software firewall protection in such cases, or not?

This case study assumes that all prerequisites (the 1 2 3 above) are met to allow the incoming connection, i.e. you have specially configured your router, machine and software to be reachable from the Internet. In other words, you are offering a service on the Internet.

In this case, you have specific security measures to take, the most important one being to carefully apply all your system and software updates to ensure that all security flaws are corrected as soon as possible.

But indeed a firewall will not block an attacker targeting this service. A firewall's main job is to block unauthorized traffic. As soon as you configure it to authorize such traffic, then a firewall will not bring any protection over it.

A firewall cannot distinguish by itself an attacker from a genuine user.

Now I am a bit confused because I asked here on StackExchange what I should take care of in unknown networks and received a reply that I should just take care of my firewall being setup correctly and encrypting my outgoing network traffic.

  • Check your router's configuration to ensure that "NAT" or "port-forwarding" options are disabled or empty; this alone will be sufficient to bring a reasonable guarantee that nobody from the Internet will be able to reach your local machine.
  • Check that the firewall on your local machine is enabled, usually together with automatic software update enabled to benefit from early patches,
  • If you are often accessing the Internet in a really unknown network (the public places I mentioned in the beginning like cybercafes, airports, hotels, etc.), then you may be interested in VPNs. VPN services (you will find a bunch of them on the Internet with variable price depending on the proposed features) will create a tunnel between your machine and their server so it cannot be intercepted in the middle.
  • Otherwise, simply ensuring that whenever you transmit any sensitive data you are doing it through an SSL/TLS-secured webpage (a padlock appearing at the left of the URL-bar, often accompanied by the URL-bar becoming green for corporate websites) is usually just fine.
WhiteWinterWolf
  • In my case study the PC's firewall would not allow incoming connections but a worker of the ISP company or someone that has control over the router I am connecting to has opened a port on it. I guess if I have ufw set to deny all incoming I would still be protected in that case, is that right? – Junior J. Garland Aug 04 '15 at 12:51
  • Yes, a firewall on your PC will deny by default any incoming connections. More importantly, for an Internet incoming connection to reach your PC, the router must not only have an opened port, but should also **forward** the incoming connection to your PC (I do not see any reason at all for the ISP to do this). Otherwise the incoming connection will only reach the router but not go any further (this may be used by the ISP to connect to the router and install updates in an automated way). – WhiteWinterWolf Aug 04 '15 at 14:06
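As an added illustration (not part of either answer), the Python model below encodes the three conditions listed in the second answer and the port-scan point raised in the first: it parses constructed `ss -tuln`-style output and reports which ports a neighbour on the same network, and which ports the Internet, could actually reach once a simplified ufw-like host firewall and the router's forwarding table are taken into account. The sample socket table, the port-only firewall model and the forwarding table are all assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    bind: str    # address the socket is bound to ("0.0.0.0"/"::" = every interface)
    port: int

def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tuln`-style rows: Netid State Recv-Q Send-Q Local:Port Peer:Port."""
    found = []
    for row in output.strip().splitlines()[1:]:          # skip the header row
        proto, _state, _rq, _sq, local, *_ = row.split()
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")                           # "[::]:445" -> "::"
        found.append(Listener(proto, "0.0.0.0" if addr == "*" else addr, int(port)))
    return found

def bound_to_network(l: Listener) -> bool:
    """Condition 3: a socket bound only to loopback is unreachable from any network."""
    return not (l.bind.startswith("127.") or l.bind == "::1")

def firewall_allows(port: int, allow: set[int], default_deny: bool) -> bool:
    """Condition 2 (assumed ufw-like model): explicit allow list plus default policy."""
    return port in allow or not default_deny

def exposed_on_lan(listeners, allow, default_deny) -> list[int]:
    """Ports a neighbour on the same (unknown) network could connect to."""
    return sorted({l.port for l in listeners
                   if bound_to_network(l) and firewall_allows(l.port, allow, default_deny)})

def exposed_on_internet(listeners, allow, default_deny, forwards: dict[int, int]) -> list[int]:
    """Condition 1 added: `forwards` maps router public port -> local port (NAT table)."""
    lan = set(exposed_on_lan(listeners, allow, default_deny))
    return sorted(pub for pub, local in forwards.items() if local in lan)

# Constructed sample: SSH on all interfaces, CUPS on loopback only, SMB on IPv6 any, mDNS on UDP.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      50     [::]:445          [::]:*
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*
"""

if __name__ == "__main__":
    svc = parse_ss(SAMPLE_SS)
    print(exposed_on_lan(svc, {22}, True), exposed_on_internet(svc, {22}, True, {}))
    print(exposed_on_internet(svc, {22}, True, {445: 445}))   # forwarded, but host denies it
```

With a default-deny host firewall the forwarded port 445 still yields an empty result, which is the situation the last comment describes; only when the host firewall is off and a forward exists does a port become reachable from the Internet.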