Are Chinese Hackers Attacking Your PC?
A security expert notes an alarming trend, and provides guidance to protect yourself against it.
Cyber security was all over the news as Defense Secretary Robert Gates approved the creation of a new department in the U.S. government, called U.S. Cyber Command, to handle the security of computer networks run by the Department of Defense.
Just that morning, I had installed a new router on my LAN, a Linksys WRT54GL.
An article in The Wall Street Journal brought these two things together for me. A story about the new U.S. Cyber Command said "The Pentagon initiative will reshape the military's efforts to protect networks from attacks by hackers, especially those from China and Russia."
The firewall in a home router blocks the first step of just these kinds of attacks, unsolicited connection attempts arriving from the Internet, so I checked the activity log in my new router to see how it was doing in this respect.
The activity log in my previous router (an ancient Belkin WiFi G model) never showed anything interesting. The only blocked unsolicited incoming connections it reported all came from a 10.x.x.x IP address. Addresses starting with 10 are private (RFC 1918) addresses that are never routed across the public Internet, so this was a computer within my ISP's network. No big woop.
Things were completely different, though, with the new router. Its incoming activity log, for whatever reason, doesn't show any blocked connections from IP addresses that start with 10. Instead, it showed blocked connections from public IP addresses.
And they were all in China.
Below is the incoming log from the router after almost a full day of operation. It had blocked five unsolicited inbound connection attempts, from three different IP addresses.
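To see what such a log actually tells you, here is an added example (my own code, not the router's firmware and not part of the original article) that parses a router activity log and sorts dropped connections by source address. The line format and the sample entries are constructed for illustration; the WRT54GL's real log looks different, and the addresses are RFC 5737 documentation ranges standing in for real public ones. The one check that matters here is whether a source address sits in one of the RFC 1918 private blocks (10/8, 172.16/12, 192.168/16), which is the test that separates "came from the Internet" from "came from inside the ISP's network or my own LAN".

```python
"""Summarise dropped inbound connections from a router activity log.

Added example, not code from the article or the router. The log line
format below is a constructed stand-in; the WRT54GL's real log differs.
"""
import ipaddress
import re
from collections import Counter

# The three RFC 1918 private blocks. A packet with one of these as its
# source cannot have crossed the public Internet; it came from your own LAN
# or from the ISP's side of your WAN link.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log (hypothetical format). The 203.0.113.x,
# 198.51.100.x and 192.0.2.x addresses are RFC 5737 documentation ranges
# standing in for real public addresses; 192.0.2.7 plays the WAN address.
SAMPLE_LOG = """\
Jun 24 08:12:33 DROP TCP 203.0.113.45:4532 -> 192.0.2.7:445
Jun 24 09:01:10 DROP TCP 203.0.113.45:4533 -> 192.0.2.7:139
Jun 24 11:47:02 DROP TCP 198.51.100.200:61002 -> 192.0.2.7:22
Jun 24 13:05:41 DROP UDP 10.31.7.250:137 -> 192.0.2.7:137
Jun 24 15:22:18 DROP TCP 203.0.113.9:1025 -> 192.0.2.7:1433
Jun 24 19:58:56 DROP TCP 198.51.100.200:61117 -> 192.0.2.7:3389
this line is not a log entry and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_rfc1918(ip: str) -> bool:
    """True if ip falls inside 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def parse_log(text: str) -> list:
    """Parse DROP lines into dicts; malformed lines and bad IPs are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        try:
            ipaddress.ip_address(d["src"])  # reject e.g. 999.1.1.1
        except ValueError:
            continue
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        entries.append(d)
    return entries


def summarize(entries: list) -> dict:
    """Count dropped attempts per source, split public vs RFC 1918 private."""
    public, private = Counter(), Counter()
    ports_by_src = {}
    for e in entries:
        bucket = private if is_rfc1918(e["src"]) else public
        bucket[e["src"]] += 1
        ports_by_src.setdefault(e["src"], set()).add(e["dport"])
    return {
        "public_sources": dict(public),
        "private_sources": dict(private),
        "public_attempts": sum(public.values()),
        "ports_by_source": {k: sorted(v) for k, v in ports_by_src.items()},
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(f"{report['public_attempts']} unsolicited attempts from "
          f"{len(report['public_sources'])} public addresses")
    for src, n in sorted(report["public_sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:16} {n} attempt(s) on ports {report['ports_by_source'][src]}")
    for src, n in report["private_sources"].items():
        print(f"  {src:16} {n} attempt(s) from an RFC 1918 address, not Internet traffic")
```

The per-source port list is the useful part of the report: one address trying 445 and then 139 is the usual automated sweep for Windows file sharing, and the destination ports tell you which services the firewall must keep closed. Note that Python's own `ip_address(...).is_private` would also flag the documentation ranges used in the sample, which is why the check here names the three RFC 1918 blocks explicitly.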
There are a number of online services that report on the physical location of an IP address. To the best of my understanding, they are reliable when it comes to reporting on the country of origin and the ISP, but are a bit hit or miss when it comes to locating the city for an IP address.
I often check my own, dynamically assigned public IP address, and every service has correctly identified my location as being in New York State, but the city has at times been off by a few hundred miles.
What are the Defensive Computing lessons here?
Everyone should do their computing behind a router, even someone with only a single computer. The stateful firewall in a router, which drops any inbound connection that a computer on the LAN did not ask for, is well worth the price of admission. If you already have a router, it can't hurt to review its configuration settings to ensure that the firewall is enabled and blocking unsolicited incoming connections.
You can test how well the firewall in your router is protecting your LAN with Steve Gibson's Shields Up!, which probes your public IP address from the outside. The best status for an individual port from Shields Up! is green, for "stealth": the router dropped the probe and sent nothing back. Closed ports are OK too, although a closed port means the router answered that nothing is listening, which at least confirms to the prober that a machine is there. Open ports are a potential way into your network for bad guys, and each one should have a reason to exist.
Another security setting in routers has to do with responding to pings (ICMP echo requests) from the Internet. Not responding is the safer setting; it's a small step toward hiding online. If the bad guys don't think you exist, hopefully they won't knock on your door looking for an opening. Keep in mind, though, that it is only a small step: port scanners can be told to skip the ping and probe an address anyway, so ignoring pings is no substitute for a firewall that drops unsolicited connections.
Finally, it is safer to turn off Universal Plug and Play (UPnP) in the router. UPnP lets any program on any computer on your LAN tell the router to open (forward) a port to that computer, on the fly and with no password, so a single infected machine can punch a hole in the firewall for the whole network.
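The three colours Shields Up! reports correspond to three different things a router can do with a probe packet. The following added example (my own code, not the article's and not Gibson's) classifies ports the same way using plain TCP connections: a completed connection is open, a reset is closed, and silence until the timeout is stealth. Run it against your public IP address from a machine outside your LAN (a friend's connection, a phone on cellular data); run from inside, it tests whatever host you point it at, not the router's WAN-facing firewall. The port list is an assumption of mine, a handful of services that should never be reachable from the Internet.

```python
"""Classify TCP ports as open, closed or stealth, as an outside scanner sees them.

Added example, not from the article and not how Shields Up! is implemented.
"""
import errno
import socket
import sys

# What the three Shields Up! colours mean on the wire:
#   open    - our SYN is answered with SYN/ACK: a service accepted the connection
#   closed  - our SYN is answered with RST: nothing is listening, but the host
#             has just confirmed that it exists
#   stealth - our SYN is dropped and nothing comes back: connect() times out
#             and the scanner cannot tell a firewall from an empty address


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'stealth' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:
        # No route at all (cable unplugged, no default gateway) is not the
        # same as a deliberate drop, so report it rather than call it stealth.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def probe_ports(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe several ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def demo_local_probe() -> tuple:
    """Offline demonstration on 127.0.0.1: open a listener, probe it, close it,
    probe again. Returns (state while listening, state after close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = probe_port("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    after_close = probe_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


# Assumed list: services a home router should never expose on its WAN side.
COMMON_PORTS = (21, 22, 23, 80, 135, 139, 443, 445, 1900, 3389, 8080)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for port, state in probe_ports(sys.argv[1], COMMON_PORTS).items():
            print(f"{port:5d} {state}")
    else:
        print("listening then closed:", demo_local_probe())
```

Port 1900 is in the list because it is the UDP/TCP port UPnP discovery uses; a router that answers on it from the WAN side is one that has not had UPnP disabled, or has it exposed in the wrong direction. Stealth is the only result that gives a prober nothing, which is why the text above calls it the best status: closed still leaks the fact that an address is live.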
In addition to the router firewall (often referred to as a hardware firewall), individual computers are safer running a firewall program; this goes for Windows, Macs and Linux. A software firewall (the term refers to a firewall application that runs on your computer) offers both a second layer of protection against anything the router doesn't block and protection from other computers on the same network, which the router firewall does nothing about.
In a hotel or public WiFi hotspot, a firewall program on your computer may be your only line of defense. Recently, I blogged about this, suggesting that you travel with a router. Many companies offer small portable routers.