Port Forwarding Security Risks

[Damage_Inc]

No one has ever been to answer this question for me. In order to play some games online or to host games online it is required to forward some ports in the router.

I am wondering if these ports are completely open all the time or are they only open for the program in question? The way I see it if a hacker wants to get into a PC the easiest way is to start with gameing ports. If this is the case then there is no reason to be behind a router. Are the millions of gamers with ports forwarded vulnerable or more vulnerable?

XP Pro SP2 (current updates)
ZAISS (current updates)

[johnwill]

They are open all the time. However, they're not as much of a security risk as you might think as a rule, since if the game is not running, there is no listener at the other end to compromise.

If you're concerned, you can always enable the Windows firewall on the machine the ports are forwarded to when you're not playing the game.

[Damage_Inc]

Hello, thanks for the responce. You say they arent as much of a risk as I might think. So are you saying no ones ever thought of this before? I find it unlikely. Would you be able to explain a bit about how an open port isnt much of a risk if the game isnt running? I am curious and web searches havent left me with anything relevant.

Could you go into more detail about why a hacker would not specifically target popular open ports on computers? Why they are or aren't much of a risk. As far as my concern, no one else is concerned about it so I dont see any reason to worry as well. However I am curious to the real risks.

[johnwill]

The way that open ports are normally used to gain entry is to use some exploit (weakness) of the application that is connected to that port. If no application is connected to that port, all communications to the port fall on the floor. That makes it difficult to make much headway in gaining access.

[Damage_Inc]

Thank you, johnwill. Your info is appreciated :)

[johnwill]

Glad we could help.

[Girderman]

Quote:

The way that open ports are normally used to gain entry is to use some exploit (weakness) of the application that is connected to that port. If no application is connected to that port, all communications to the port fall on the floor.

johnwill, your assurance of "safety" is based on the times when the game is not being run.

Is it possible that an exploit could be found in the programming of the game/application that would allow access to more than just the game itself ?

It occurs to me that game programmers may not be "security" people, and might have weak protections.

Have you (or anyone else) ever heard of an application (like a game) being used as a means of breaching security and "hacking" into someone's computer ?

[johnwill]

Sure, anything's "possible". I've never heard of that happening, but I'm not a computer gamer, so I don't travel in those circles.

Truthfully, open ports aren't that much of a security issue for the most part, especially the relatively oddball ones that most games use.

My defense against hackers is my router's firewall, current AV and spyware protection, and LOTS of backups that are off-line.

[Damage_Inc]

I have another question along these lines. Even if my firewall is turned off OR (not and) I am on the DMZ and run the game with ports forwarded even then I am safe as long as the game isnt compromised, aka has no exploits.

[Girderman]

My unqualified opinion is yes. How else would the traffic take place ? Something would have to be actively monitoring for when the game is active, and then take advantaged of the open port(s) using the program somehow, given the premise is that the game has no exploits. Guess it could be modified somehow in memory maybe.

There'd be the issue of leaving a signature of the modified file for malware scanners to find, but if this is a (rare) method, seems like that not be a great risk.

I was just (10 minutes ago) reading about how Googles equivalent of "MySpace" (something called "orkut") had an exploit run on it where orkut users opened jpeg files which then installed malware which sniffed out bank account numbers and mailed them off. Also, redistributed the jpeg files to infect other machines.

Quote:

The worm steals users' banking details, usernames and passwords by propagating through orkut. The attack was triggered as users launched an executable file disguised as a JPEG file. The initial executable file that causes the infection installs two additional files on the user's computer. These files then e-mail banking details and passwords to the worm's anonymous creator when infected users click on the "My Computer" icon.

http://en.wikipedia.org/wiki/Orkut

[Fr4665]

what DMZ does is it basically sets that IP with that computer infront of the router not giving it a firewall and the port forwarding doesnt help there because its totaly open to any ports.

Game ports usually start around the 4 digits and up like wc3 with 6112 and counter-strike with 27015. there are no applicable uses for any telnet server or pinger to go through those ports.

one that wants to gain access goes through the ftp port 21 or the http port 80 or some other port that is automatically open when you connect to the net.

watch out when using irc as thers alot of little script kiddies trying to get a hold of your rig using irc ports.

[Cellus]

As John said, it's not so much the open port that is the exploit but the application/utility running behind it that's using it. Some popular applications and utilities use particular ports, and exploits using those ports are trying to exploit those programs.

There are ways to obfuscate those trying to scan you for open ports by holding certain services on a port that differs from the default or by using firewalls.

By the way regarding that exploit on Orkut, it's not exploiting JPEG files but trying to hide from the user the fact that that JPEG is actually an executable. I could have a virus on an executable called [i]readme.txt.exe[/url] and if you did not have full file extensions enabled on Windows Explorer you'd think it was a text file.

[johnwill]

IMO, one of the larger security risks is the ability to hide file extensions, it's something that I disable for anyone I work with right out of the box.

[Girderman]

Quote:

By the way regarding that exploit on Orkut, it's not exploiting JPEG files but trying to hide from the user the fact that that JPEG is actually an executable.

This is new to me. I have heard of "malware being hidden within jpeg files" and understood that to mean that within the 1's & 0's of the actual data there was an executable that would launch when the digital image was opened.

But from what Cellus is saying, it sounds like that is not the case; that the malware is just a "garden variety" virus that happens to have an extra extension to hide the file's true capabilities.

Do I have this right ?

If this is the case, then I would assume that these types of malware will never actually present some kind of image, and so if a file IS an image, one could also assume it was malware free ?

[johnwill]

Many phishing schemes depend on the fact that most users have file extensions hidden, so they send a file that's named something like

bargains.txt.exe

They also make the program icon the same as notepad, so it looks like a text file if you have file extensions hidden. When you double click it, it runs the virus payload.

[Damage_Inc]

Quote:

Originally Posted by johnwill

IMO, one of the larger security risks is the ability to hide file extensions, it's something that I disable for anyone I work with right out of the box.

Ok, how do I do this? :P Is it in XP or my browser? I use FF2.0 primarily and occasionally IE when FF doesnt work.

[johnwill]

Windows Explorer, Tools, Folder Options, and uncheck the option shown.