9

I'm checking my setup for security holes with some dedicated Linux distros. First thing I did was to scan all ports, and beyond that - it seems like it's pretty much unhackable. Since all ports were closed, I feel safe, but I wonder - am I wrong?

The only way someone could hack my setup would be through some sort of malware of backdoors, which is not very realistic considering I don't download stuff I don't know about nor do I visit suspicious websites... The only concern left for me is Skype, but my ports are still closed, so the most someone could do is jack my Skype account, and even that's a maybe.

So those are my thoughts. How wrong or right am I thinking this way regarding closed ports and potential vulnerabilities excluding something you could download? Let's assume that whoever might want to hack me only knows my IP (which is pretty easy to find out in a lot of situations).

Jack
  • 421
  • 2
  • 4
  • 10
  • 6
    Air gapping exists because closing all ports is insufficient. And if the NSA is after you, even that is insufficient as shown by Stuxnet. – Neil Smithline Sep 11 '15 at 14:05
  • Very interesting to read. It's an extreme case though, so it's not applicable in my situation. But again - very interesting information. Blew my mind - radio waves! – Jack Sep 11 '15 at 15:29
  • This is a machine that you ONLY access physically? You don't SSH into it or anything like that? – Rick Chatham Sep 11 '15 at 18:53
  • I don't (I've only physical access), but the machine is fully online and is being used with software online as well. – Jack Sep 11 '15 at 19:57

2 Answers2

7

You could be breached by:

  • Browser exploit (e.g. this one for IE). There are browser vulnerabilities found all the time.
  • Through a malicious message to exploit a Skype vulnerability. The one here just causes a crash, however sometimes exploits like these can be further developed to enable code execution.
  • A Flash exploit allowing an attacker to gain code execution.

Even though you don't directly visit suspicious websites, any of the trusted websites you visit could have been compromised, or they could be unwittingly hosting content containing exploits like described above. For example, via adverts or via user hosted content on those sites.

Once an attacker has gained code execution, they can often create a "reverse shell" where they make your computer connect outbound to their system - incoming ports are not required. Through this shell connection they can then run whatever commands they want.

You are more secure running Linux because attackers do not target these system en-masse like they would do with Windows. However, exploitation of any client-side vulnerabilities is still possible.

SilverlightFox
  • 34,178
  • 6
  • 73
  • 190
  • 6
    You can also be attacked from any service that your computer calls out to (eg: update services). Even trusted services can sometimes be used to attack machines.` – Neil Smithline Sep 11 '15 at 14:02
  • How would one even be able to use a 'trusted service' to attack a machine? And deriving from that (as well as commenting on the answer) - I believe that similar technique could be used via Skype, because Skype exchanges information, hence if you are texting or calling that person, you are sending data. I'm no expert, but I think one could edit the data being sent to send out a malicious code of some sort. Although I think that would be very advanced technique if at all possible. – Jack Sep 11 '15 at 15:31
  • Although a lot of this seems to rely on software bugs, I believe? As for websites that are trusted... That again - blew my mind. It makes sense. A lot of sense. Can this be done on any browser, even Chrome of Firefox or Internet Explorer 11? As I understand, it doesn't exploit the browser itself, it downloads code and stores it as a file that is then executed and installs a backdoor or something along those lines. But it's not because of the browser, the browser is irrelevant. Or am I wrong here? – Jack Sep 11 '15 at 15:33
  • 1
    @Jack Compromising a trusted service doesn't necessarily require a software bug, although it definitely helps if there is one. At the "soft" end of the scale there's pure social engineering, like ringing someone up pretending to be their sysadmin and asking for their passwords (you'd be shocked how often that works). This attack requires no technical knowledge whatsoever. But most attacks would probably fall somewhere in the middle: exploiting both human behaviour (usually negligence or gullibility) and faulty code, like it happens with a browser exploit. – biziclop Sep 11 '15 at 15:37
  • I guess that works like credit card frauds where people get called up and asked for their cc info from a 'bank.' Works only in workplaces though, so use is limited if the hacker wanted to get access to a person who doesn't work at a computer. As for browser, I don't think it's that hard really, most people will click anything. You could even register a domain that looks legit, create a page, link them. They don't have to use a specific browser, you don't have to convince them. So no social engineering here far as I can tell (again - not an expert). I think that such scams are actually easiest. – Jack Sep 11 '15 at 15:48
  • @biziclop I always thought that there are ways to 'just' hack someone by having the IP though. Which I suppose would be the case with open ports. I don't know much about hacking or security for that matter, so just trying to figure it out and understand how everything works, reading up on Google and asking basic dumb questions on places like this. :-) – Jack Sep 11 '15 at 15:49
  • @Jack External "trusted" services are often exploited by replacing them via DNS spoofing. DNS is so central to modern computing that these insidious attacks can rapidly bootstrap themselves into full control of your entire inside network. It's why home routers are under attack these days. Consider, for example, that a system using compromised DNS can trivially substitute any tool, patch, or OS image you might download with one that ensures it will persist. One of the few options for detection here is checking digital signatures with an offline verifier tool... but where did you download that? – Glenn Slayden Nov 01 '16 at 19:46
  • Citation for my previous assertion on home routers being under attack: http://routersecurity.org/index.php – Glenn Slayden Nov 01 '16 at 19:49
2

In theory - yes, your computer can still be hacked even, if all TCP and UDP ports are closed and you don't have any malware running on it. However, odds of getting your computer hacked, if all ports are closed, is way lower compared to a system where a web server is listening on publicly accessible port.

To give an example, there are some protocols that don't have concept of ports in the first place, for example, ICMP, IPv4 or Ethernet. If your Operating System's Networking Stack has a buggy ICMP, IPv4 or Ethernet implementation, then, in theory, such bug might be used as backdoors to gain partial or full control of your computer. See Ping of Death bug that gave attackers control to crash arbitrary computers with vulnerable ICMP implementations even if no UDP or TCP ports were open.

Overall, if a computer can be hacked, then it always is:

  1. an implementation bug (e.g. software engineer made a mistake in his code. See OpenSSL Heartbleed vulnerability or Ping of Death vulnerability);
  2. a design bug (e.g. people designing the protocol did not think carefully enough about authentication aspects; See SSLv3 POODLE attack or WEP protocol vulnerabilities); or
  3. a bug in instructions that administrator uses to provision the host (e.g. using weak passwords; or running certain software that does not enforce authentication in untrusted zone; or simply [un]intentionally running old and buggy software)

When evaluating security, I always recommend other software engineers to think in terms of

How much execution flow of the code running on system attacker can control, before your code will drop this IP packet as malicious. The earlier this drop of malicious packet happens the more secure the system is.

For example, if all ports are closed, then attacker can still "execute" kernel-space code up to TCP and UDP protocol handling where packet would eventually be dropped because there is no open destination port - while very unlikely, there still could be bugs in the IP or TCP handling code in the kernel that no one today is aware of. However, if you have open ports, then this means that attacker could try to leverage bugs not only in the kernel space but also in the user space (ie HTTP implementation - the Web Server listening on port 80)

Also, the other answer mentions potential security bugs in the "client" side code, for example, Web Browser. These are harder to leverage because attacker would need to be in the path between your host and the server it tries to talk to; then intercept HTTP session; and alter communication in hopes to expose a potential bug in your web browser. However, in you question you have premise "knowing only IP address" which I interpret as "Another guy from different physical location trying to hack your computer". However, if this other guy would be in the same L2 broadcast domain then he can spoof ARP to suddenly be in the path between your browser and server; Effectively he could leverage a new set of bugs that exist in your browser.

user2138912
  • 121
  • 3