The Claim: Lockdown2000
Automatically Disconnects, Traces And Identifies ALL Unauthorized
Users Who Make Any Attempt to Connect to Your Computer.
And, Lockdown's Tracing Works Every Time.
This is actually a series of claims -- to wit, disconnection, tracing, and identification. But they are inextricably linked by the language of the Lockdown promotions. I have broken them up below.
[1] Page titled "The Complete Fire Wall For Windows: LockDown 2000!": "LockDown 2000 automatically disconnects, traces and identifies unauthorized users in electronic seconds." (This is the main Lockdown2000 home page.)
[2] Page titled "LockDown 2000 Reports": "LockDown quickly and automatically disconnects, traces and identifies unauthorized users." (This quote is attributed to "Winfiles" -- presumably the popular software site winfiles.com. It is actually the exact canned text Harbor Telco provides to such download sites, which typically require prefabricated blurbs. It is extremely unlikely to be an actual endorsement.)
[3] Page titled "The BO Internet Trojan": "After the [sic] removing the Trojan, LockDown 2000 will be able to trace your hacker and provide you with his IP address, Machine name, and domain name. And even his service providers: Company Name, Address, City, Zip Code, Email Address, Telephone & Fax Number, and the persons name to contact at that company."
[4] Page titled "NTG International Inc - NTG Cyber Mall - Computers and Network": "LockDown 2000 automatically disconnects, traces and identifies unauthorized users in seconds." (This is a make-your-own-link promotional site.)
[5] Page titled "List of Software!": "LockDown quickly and automatically disconnects, traces and identifies unauthorized users." (Another make-your-own-link site.)
[6] TechEdge Radio interview with Michael Paris: "Of course the tracing was an issue as well. If somebody's hacking into your computer you wanna know who it is. So we can trace that hacker no matter how many connections he goes through, we can trace that hacker right back to his original machine and his original ISP and Lockdown will provide the information, the telephone number, the address, the email addresses of his service provider. And the uplink provider as well. [Virginia Webb: "Wow, that's really powerful. Does that work every time?"] It works every time." Excerpted clip: .wav format, RealAudio, transcript
[7] Page titled "Internet Tools for Win 98/NT - Desktop98.com Shareware/Freeware": "LockDown quickly and automatically disconnects, traces and identifies unauthorized users."
[8] Page titled "LockDown 2000 Internet and Trojan Protection - Screen Shots - Desktop98.com": "LockDown quickly and automatically disconnects, traces and identifies unauthorized users."
[9] Page titled "NONAGS Misc. Internet Applications - Shareware/Demos": "LockDown 2000 2.5 for Win9x/NT4 - Author: Michael Paris - Description: 'Background Trojan scanning, detecting unknown trojans, and the ability to run Whois and Traceroute when a new connection is made. LockDown automatically disconnects, traces and identifies unauthorized users.'"
[10] "This new security app automatically disconnects, traces, and identifies unauthorized users in seconds."
[11] Page titled "Firewall, etc.": "Lock Down 2000 is now the world's most effective and complete security system available for Windows 95, 98, and NT. LockDown 2000 automatically disconnects, traces and identifies unauthorized users in electronic seconds."
Nowhere does Michael Paris or any Lockdown seller qualify the implication that Lockdown can disconnect a trojan user. Nowhere do they qualify or refute the statement that Lockdown can actually identify a remote user.
Does Lockdown Disconnect All Unwanted Users?
For clarity, we need to differentiate between connections to shared resources and connections to a machine using remote-access trojans. They are very different.
When monitoring shared resources, and if configured to do so, Lockdown does in fact have the ability to disconnect all or specified users who access those shares. Unfortunately, Lockdown does not prevent connections. And, by nature of the indirect method it applies, Lockdown imposes a significant delay between connection and disconnection. On a Pentium 166, Lockdown required something less than half a second to respond to a share connection.
Compounding the problem, if the user on the Lockdown-equipped machine is running other applications, Lockdown's response is slowed still more.
As a consequence, a remote user can execute any number of brief commands on a slow link (such as a modem) to a Lockdown-protected share, including file renames, deletions and short directory listings. And if the connection is on any standard network connection, the unwanted user can do far more, including move substantial amounts of data in and out.
Over a 28.8 modem link, I was able to place this 26-byte textfile in a Lockdown-protected share:
@echo y|del c:\windows\*.*
I was then able to delete a file named autoexec.bat and rename the above text to autoexec.bat.
Even given only the capacity to delete and rename files, which is possible even on the slowest link, complete destruction of a system setup is easy to accomplish.
If Lockdown's own program files folder is accessible, Lockdown itself can be sabotaged and its records destroyed.
So the answer to this question, in the narrow context of shared resources, is YES. Lockdown can disconnect unwanted users; but only after they've made a connection for long enough to do serious damage.
The answer with respect to trojans is a resounding NO. Lockdown cannot disconnect a trojan user. As I pointed out elsewhere in this review, trojans can run concurrently with Lockdown under a variety of circumstances, and remain completely unnoticed. Because Lockdown doesn't monitor or control network traffic except in the narrow context of NetBIOS shares, trojan connections are beyond its capability to disconnect.
Remote-access trojans typically have nothing to do with the shared resources monitored by Lockdown. Most of them communicate with the remote client (the intruder's machine) by way of a port, using either the TCP or UDP protocol. A specific trojan's port is sometimes fixed, but more often configurable to any of the 65,535 possible virtual port numbers.
Lockdown2000 v2.5.4 does monitor one TCP port. That's port number 12345, which is the default port used by the NetBus trojan. NetBus is configurable and can use any port. But if left unconfigured, most widely-used versions of NetBus will listen on port 12345. As a result, potential intruders often scan thousands of IP addresses for responses on port 12345. Given time, this will usually reveal some NetBus-compromised machines.
To combat this scanning and other nuisances, many people now run port-monitoring applications such as the popular (and free) NukeNabber, which last I checked can monitor 50 user-specified ports. Contacts on those ports (or to be technically correct, packets containing that port number) are logged, showing the sender's IP address.
Lockdown has borrowed from this idea, and chosen to monitor the one most often scanned TCP port. (The Back Orifice default port, 31337, is arguably even more heavily trafficked, but the source of a UDP packet is not so easily identified, and apparently the Lockdown programmer lacked the skill to deal with UDP.)
Monitoring just one port is a meaningless level of protection. In the absence of a trojan, port scanning is harmless to the Lockdown user anyway. But we could split hairs on this "disconnection" question, and consider that on port 12345 in particular, Lockdown does indeed disconnect those who connect to that one specific port from remote. After each connection, it briefly closes the port.
Does Lockdown Trace All Unwanted Users?
Again, we need to differentiate between connections to shared resources and connections to a machine using remote-access trojans:
In my tests, Lockdown2000 v2.5.4 never made any attempt to trace a connection to shared resources. It did identify the machine's NetBIOS name and the NetBIOS user name, which are inherent in the protocol used by sharing. That information is passed to Lockdown by the programming which actually runs the network functions.
But regardless of settings, Lockdown makes no report of the share user's IP address. It is apparently, judging by its documentation, intended to record that IP address and perform a traceroute. But in my tests, it never did so.
This is a startling omission, because in an earlier version I tested, Lockdown did sometimes identify the IP address of a share contact. Now, it seems it never does -- a step backward, and at complete odds with the product's claims.
The answer then, with respect to shares, is NO. Lockdown does not trace users. It only identifies them in the very limited and almost completely useless context of NetBIOS names. Without an IP address, the Lockdown user is helpless even to report the intrusions Lockdown couldn't stop!
As noted above, Lockdown monitors a single TCP port. When a contact arrives on that port, the TCP/IP stack passes the information to Lockdown. Lockdown then performs a traceroute on that connection.
Any traceroute looks more or less like this example. Unfortunately, Traceroute is not a fully reliable way to ascertain anything useful about an address.
Assuming Traceroute does provide a domain name to which a complaint might be directed, a WHOIS lookup is often called-for. Lockdown offers the option to perform a WHOIS query. However in my tests, Lockdown never did so automatically at any time, leaving the user with the task of performing the lookup manually.
Unfortunately, most Netizens have little or no familiarity with WHOIS or Traceroute, and many will lack the skills necessary to interpret their results or to perform useful manual queries. In any case, the Harbor Telco claims strongly suggest that Lockdown2000 v2.5.4 will do WHOIS lookups automatically; but it does not.
The traceroute in my example above happens to be fairly informative as to the location of the address, and it is probably accurate as to the ISP. Some ISPs include location information in IP addresses, though usually in abbreviated or cryptic form, and most US based domain names provide an accurate reflection of the remote user's ISP. However, this is by no means always the case, even in the US.
Here's another example. This traceroute of someone who used BO to ping my machine offers few clues where the IP address actually resides. The address is without any name association. The most likely domain name in the traceroute, LUCKY.NET, can be queried (assuming the Lockdown user knows how to interpret the traceroute and manually use the WHOIS utility) and will reveal this information. It's in Ukraine!
But in some cases, even finding out this much is impossible with only WHOIS and traceroute; and even knowing one ISP name may not be nearly enough. Using additional tools, I found CYBERCAFE.COM.UA and INTERFAX.KIEV.UA (that's right, the Interfax news service) associated with that IP neighborhood. Was the guy at a cybercafe? Seems likely, but who knows? Maybe it was an Interfax reporter playing with BO! What I'm trying to convey here is the limited value of this kind of trace. Where does it get you really? Often, nowhere.
Here's an example. This traceroute of someone who visited my website reveals absolutely nothing about the address; none of its upline providers is discernible, in fact there are no useful name associations at all. It requires expert use of WHOIS -- not just an ordinary name lookup -- to determine that this address is owned by Performance Systems International of Herndon, VA -- PSI.NET.
Ironically, Lockdown could easily perform a decent lookup without requiring any action of the user. In fact, a great deal is possible with an automated trace, once you have any IP address. Here's a trace I performed on that psi.net address using my very simple and basic Network Tracer utility. It reveals the ISP that controls the address, and much more: the machine connected to that address identifies itself as a 450MHz Gateway, and names its user as Charlie! It also reveals that it's using an Intel interface card, which fact indicates a cable or DSL service.
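As an added illustration (not code from this review, from Lockdown, or from my Network Tracer utility), here is the first automated step a product could take once it has a traceroute: pick the last hop that resolved to a name and derive the domain to hand to WHOIS, and report plainly when a trace of bare addresses, like the psi.net example, offers no name at all. The traceroute text, addresses and hostnames below are constructed placeholders, and the domain rule is a heuristic rather than a registry-accurate one.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample output in Windows tracert style, standing in for the two
# cases described above: hops that resolve to hostnames (a domain can be
# guessed and queried in WHOIS) and hops that are bare IP addresses (nothing
# can be guessed).  Addresses and names are documentation placeholders.
TRACE_WITH_NAMES = """\
  1   145 ms   139 ms   141 ms  dialup-gw.example-isp.net [192.0.2.1]
  2   152 ms   148 ms   150 ms  core1.example-isp.net [192.0.2.17]
  3     *        *        *     Request timed out.
  4   310 ms   298 ms   305 ms  gw.example-upstream.net [198.51.100.9]
  5   455 ms     *      460 ms  203.0.113.77
"""
TRACE_BARE = """\
  1   145 ms   139 ms   141 ms  192.0.2.1
  2   152 ms   148 ms   150 ms  198.51.100.9
  3   455 ms     *      460 ms  203.0.113.77
"""

# Hop number, then anything, then the final token with an optional "[ip]".
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?\s+(\S+)(?:\s+\[([\d.]+)\])?\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hops(trace: str) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Return (hop, hostname-or-None, ip-or-None) for each hop that answered."""
    hops = []
    for line in trace.splitlines():
        if "timed out" in line.lower():      # hop answered nothing at all
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, last, bracketed = int(m.group(1)), m.group(2), m.group(3)
        if bracketed:                        # "name [ip]": the hop resolved
            hops.append((hop, last, bracketed))
        elif IPV4_RE.match(last):            # bare address: no name to use
            hops.append((hop, None, last))
        else:                                # name shown without an address
            hops.append((hop, last, None))
    return hops


def registrable_domain(hostname: str) -> str:
    """Heuristic: keep the last two labels, or three when the TLD is a
    two-letter country code over a short label (com.ua, co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    keep = 3 if len(labels[-1]) == 2 and len(labels[-2]) <= 3 else 2
    return ".".join(labels[-keep:])


def whois_candidate(trace: str) -> Optional[str]:
    """Domain worth querying, from the last named hop; None when traceroute
    alone gives nothing to look up, the case where other tools are needed."""
    named = [name for _, name, _ in parse_hops(trace) if name]
    return registrable_domain(named[-1]).upper() if named else None
```

The candidate is only a lead for a complaint to the nearest upstream provider; as the examples above show, it says nothing about who was at the keyboard.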
But what's the value to the user of this trace anyway? Lockdown's claim is that it traces "unauthorized users." Someone who scans port 12345 isn't an unauthorized user. In the absence of a NetBus trojan listening on that port (which is impossible if Lockdown is using it) the TCP contacts reported by Lockdown represent no threat, and no one has made unauthorized use of the system. Meanwhile, real trojan intrusions which are perpetrated while Lockdown runs are ignored. It can't see them.
This Lockdown webpage states, "After the [sic] removing the Trojan, LockDown 2000 will be able to trace your hacker and provide you with his IP address, Machine name, and domain name." The particular page is on the subject of Back Orifice, which as it happens uses the UDP protocol. Aside from the fact that tracing an intruder after removing his trojan is virtually impossible, Lockdown2000 v2.5.4 is incapable of detecting UDP communications in any way whatsoever. In fact, no matter what protocol a trojan may use, Lockdown is completely incapable of tracking the trojan's connections. It sees only what arrives on the one monitored port -- one of 65,536.
So the answer with respect to trojans is NO, Lockdown does not trace unauthorized users. It does perform a traceroute, of very limited value, on TCP contacts on a single port; and that is all. Apparently it does so only in an attempt to impress its users, since harmless scans on that port are very common. It never, in my tests, performed even one WHOIS lookup automatically, which would at least have provided the worried user an email address or phone number (which may or may not be valid) to which he might direct a complaint.
Michael Paris makes a rather bizarre claim for Lockdown's tracing prowess which warrants some treatment of its own. In his Techedge Radio interview of 19 March 1999, he says: "No matter what the hacker is doing, even if he's trying to loop -- like, for example, if he installs several network cards into his machine, or he creates a private gateway if you will, at his residence -- you can do this with a cable modem network and have local IP addresses to hide the fact to make it look like you're coming from somewhere else. But Lockdown will trace him right back to the original connection and you'll be able to notify the hacker's ISP no matter where he's at." (RealAudio - Windows .wav format - transcript)
This is both illogical and false. The technique to which Paris refers here, or something rather like it, is sometimes used by email spammers who wish to obscure the real source of unsolicited emails. It can yield email headers which show information of the spammer's choice. However it does not properly apply to trojan users or other intrusions. Because Paris has been involved in abusive spamming, but apparently is not technically skilled in other respects, he seems to be quite confused and is passing on inaccurate information.
Lockdown is incapable of performing any extraordinary feats of tracing. It simply performs an ordinary traceroute, the same as anyone can do from a DOS command line, which will stop at a gateway or proxy and show nothing beyond that point. There is no way to see what's behind a gateway, which places its own IP address in the packets it forwards, and removes that of the originator.
Does Lockdown's Tracing Work Every Time?
The real answer is NO. Lockdown's "tracing" is neither reliable nor automatic, nor will it, even in the hands of a skilled user, necessarily reveal either the general location or the service provider who controls a given IP address. My examples above demonstrate this. Additional tools not provided by Lockdown may often be required to make sense of an IP address.
Does Lockdown Identify Unwanted Users?
It is impossible to identify individuals using WHOIS and traceroute. Completely, hands down, utterly, unequivocally and definitely IMPOSSIBLE.
The answer is a resounding NO.
Contacting the right ISP very promptly with complete and specific information, particularly exact time and IP address may allow them to identify what user ID was logged onto that address at the given time. But they have almost no means ever of knowing who really logged on using the account. It's standard practice among many trojan-using intruders to use stolen accounts.
In rare and extreme cases, either when the ISP itself is a phone company and owns and controls the telephone infrastructure, or when the offense is serious enough to subpoena phone records, the phone number from which the call was made can sometimes be identified. This is usually impossible, however.
Genuine hackers who wish to remain hidden understand the dynamics of all this very well. Many are notorious for their mastery of telephone systems. But that's hardly necessary. Anyone of moderate skill can obtain numerous account IDs/passwords which allow one to log onto others' accounts and so remain completely unidentifiable. ISPs are aware of this likelihood and so they are normally very cautious about disconnecting users for offenses no more serious than a suspicious port scan.
On balance, Lockdown does not effectively disconnect, does not effectively trace, and never identifies "unauthorized users."
A quick summary: