Serious Security Breach From Tt&t T-net

[george]

We got this email from a non-member, and I publish it here. I have not have time to verify this info, though:

/Admin

Serious Security Breach from TT&T T-Net

Dear Sirs

Although this is not really a letter but I thought I should pass on this information to your readers as some of them I guess would be TT&T T-Net internet users.

We recently had a problem with some computers as we found that the firewalls were not protecting them as they should be.

We tried two different firewalls Zone Alarm and Norton Personal Firewall, both of these products are supposed to stealth all the computers ports to prevent being visible to hackers on the internet.

We found that the ports on the computer had been de-stealthed and were visible to users/hackers on the internet.

More alarmingly we also found that port 23, by far the easiest port to hack even for a ten year old, was wide open! and neither of the firewalls would shut it down or stealth it.

We use http://www.grc.com security probes to test the security of our machines and that is how we found out why the ports were un-stealthed and port 23 open. The cause is TT&T T-Net the ISP is unstealthing the ports and opening port 23. How do we know? Because afterwards we dialed up using Loxinfo and ran the same tests and the results from the security probe from GRC were that the computer was in full stealth mode as it should be, that is completely protected.

We tested TT&T T-Net again and sure enough the ISP had unstealthed the ports and opened port 23.

I cannot stress how dangerous this is and it makes your computer easy to hack and for someone to take full control of your system, indeed your port 23 is visable to all who use the internet, with no protection it can be hacked in 10 seconds and your network to, if it is vulnerable.

We have attached the two tests the IP for TT&T T-Net being 202.129.8.225 and Loxinfo's being 203.146.32.48

I have also included some information about how vulnerable port 23 is.

I think you should publish this information as a matter of urgency and also approach T-Net to find out why they are unstealthing ports and opening port 23. This seems all a bit sinister to me as there is no technical reason for doing it, unless the company wants backdoor access to all it's customers machines? and I might add for what purpose?

-- James Williams Bangkok

[organic]

Just checked mine and port 23 was open, the only one detected BTW. Firewall is Symantec Personal. Port 23 is the telnet port - what could they be using that for? Moreover how are they managing to unblock it?

[Yohan]

1-

I am not afraid of any hackers. More important is the question, what will you do, if your computer fails due to hardware problems, like disc-failure. It is the same situation, your data are destroyed or not recoverable.

I keep a daily backup on DAT tapes, and MO-disks and have removable Harddisc-trays.

Should there be any problems, I change the tray with the prepared new harddisc and restore the data by tape - finished.

2-

If you are not running server like services, which are requiring to call up your computer from the internet-side, it is the best to choose dynamic IP, and use a router between your private network and the internet.

3-

It is more dangerous to be attacked by virus-email or by browsing www-pages -....just disable the Microsoft TELNET related services. It will not work, even if the port is open....

In my case, running Linux and Novell software, nobody entered my private system so far, despite requested tests by my radio-amateur-friends...

[lopburi3]

Am no computer expert but are you sure this is not a proxy sever that you are connecting through by any chance?

[Firefoxx]

Isn't TT&T's internet private IP-based? Doesn't that mean that any attempts to hack it would be directed at the TT&T gateway, and not your own computer? And the gateway would not have those ports blocked. Or it could be like lopburi said, a proxy (transparent to the user) was tested.

This would explain why connecting via another ISP makes the port closed, while connecting via TT&T would have open ports. I really cannot see any other way that zonealarm and NPF would be manipulated from outside. I really think that they've gotten misleading results.

[Darknight]

First of all...

These products are not the name Firewall worthy....

We tried two different firewalls Zone Alarm and Norton Personal Firewall, both of these products are supposed to stealth all the computers ports to prevent being visible to hackers on the internet.

Second off all

This is thailand ..... even banks have open holes in their networks. what do you expect??

Third of all

Do you really think your computer is that important that somebody will "Hack" it ?? get a life, hackers are only intrested in "Real targets" ....

[organic]

Do you really think your computer is that important that somebody will "Hack" it ?? get a life, hackers are only intrested in "Real targets" ....

Not true, I've had intruder attempts in the past. If not script kiddies who'll try it on with anyone or anything, there are viruses out there that'll scan through ranges of IP addresses and ports looking for a way in.

This one, though, I think those who've suggested it's an open port on a proxy may well be right, I've tested my firewall within my own network and there's no problem.

[Firefoxx]

It doesn't matter if your computer is important or not. Script kiddies hack just for the sake of it. "Hackers" on the other hand will mostly stick to "important" targets. Script kiddies just download the latest hack tool to exploit the latest vulnerability and flood the internet with their probes. That's why your computer is hit at least 10 times/day with probes if you leave it on. To say they're interested in hacking your computer is saying that a tactical nuke is interested in killing one person. It's random carpet bombing, and once in a while it will find a victim. What is done to the victim (zombie mail servers, proxies, porn, identity theft, keyboard logging, etc) is up to the script kiddie. I really thought this was common knowledge to the computer-literate.

People use the products AS firewalls, and perhaps this guy wanted to warn others, since MOST people (not uber-geeks) DO use these products, and it WILL apply to them (if it were true, that is).

[MadFrankie]

First of all...

These products are not the name Firewall worthy....

We tried two different firewalls Zone Alarm and Norton Personal Firewall, both of these products are supposed to stealth all the computers ports to prevent being visible to hackers on the internet.

Second off all

This is thailand ..... even banks have open holes in their networks. what do you expect??

Third of all

Do you really think your computer is that important that somebody will "Hack" it ?? get a life, hackers are only intrested in "Real targets" ....

hmmz... Kids messing about with port scanners will trash your computer without thought

[grrr]

The port 23 (telnet) that he says is open is ABSOLUTELY not your computer (you being a TT&T ADSL user), but a gateway/firewall on the TT&T network. If you are using a router (not sure about the USB modem as I don't have one) you already have a firewall due to NAT (which gives your computer a fake IP address).

[MadFrankie]

The port 23 (telnet) that he says is open is ABSOLUTELY not your computer (you being a TT&T ADSL user), but a gateway/firewall on the TT&T network. If you are using a router (not sure about the USB modem as I don't have one) you already have a firewall due to NAT (which gives your computer a fake IP address).

not sure u could/should actually call it a firewall

[camerata]

I think you should publish this information as a matter of urgency and also approach T-Net to find out why they are unstealthing ports and opening port 23. This seems all a bit sinister to me as there is no technical reason for doing it, unless the company wants backdoor access to all it's customers machines? and I might add for what purpose?

I wonder why "you" (thaivisa.com) are supposed to approach T-Net about this, whereas he (presumably a customer) hasn't? And then there is the all-too-familiar "they're out to get us" paranoid assumption at the end. If TT&T are actually responsible for the unstealthing of the ports, it is far more likely to be incompetence than malicious intent. As a customer, what could this guy possibly lose by asking TT&T for an honest answer? Jeez...

[Firefoxx]

This sounds more and more like a case of an ordinary user finding something that he's not familiar with and sounding the alarm. I've seen it happen pretty often, usually with virii attacks.

I don't think that TT&T will be able to answer this guy's query, they're understaffed as it is and it's doubtful they'll have any English speaking techs. I think that the originator (whoever he is) should find someone who is actually knowledgeable about firewalls, proxies, and networking, and have HIM perform the test.

This all just sounds too weird to be true. Firewalls just don't work this way. Yes, even the firewalls that people keep saying shouldn't be called firewalls.

[Darknight]

This sounds more and more like a case of an ordinary user finding something that he's not familiar with and sounding the alarm. I've seen it happen pretty often, usually with virii attacks.

I don't think that TT&T will be able to answer this guy's query, they're understaffed as it is and it's doubtful they'll have any English speaking techs. I think that the originator (whoever he is) should find someone who is actually knowledgeable about firewalls, proxies, and networking, and have HIM perform the test.

This all just sounds too weird to be true. Firewalls just don't work this way. Yes, even the firewalls that people keep saying shouldn't be called firewalls.

Indeed firefox,

Firewalls are called checkpoint, watchguard or cisco pix. All the rest is substandard crap.

Networks are very poor in thailand on matters of security. Most technicians only have a basic understanding of Tcp/IP , let alone security configurations for multi tiered networks like most providers have or should have.

If you have a problem with a provider take another one, their all equally bad.

And yes i know what i'm talking about...