Is Your PC Safe From the Enemy Within?
Does your firewall have a hole in it? New updates fix a potentially disastrous flaw.
Cameron Crouch and Seán Captain
From the April 2001 issue of PC World magazine
Posted Tuesday, February 27, 2001
Most software firewalls adequately protect you from outside hackers who try to access your files or otherwise probe your PC. But what if the danger comes from within? Several personal firewall vendors have released updates addressing your vulnerability to intruders who get in when you unsuspectingly run a malicious application that masquerades as a friendly one.
The problem garnered public attention thanks to PC security guru Steve Gibson, whose Gibson Research Web site (grc.com) is best known for ShieldsUp, a test designed to expose a firewall's vulnerability to external attacks. Gibson's latest offering, dubbed LeakTest, is a free, easy-to-run download that will tell you whether your firewall can detect and stop an internal Trojan horse program--innocent-looking software that is spread via e-mail or download. Antivirus software can alert you to known Trojan horses, but if a new one gets through, your firewall is supposed to provide a second line of defense. Unfortunately, most personal firewalls failed LeakTest when it was released in December.
Apps in Disguise
All firewalls are meant to block unauthorized attempts to access a PC from the outside. But many legitimate applications running on your computer open it to outside access. Firewalls have to let you receive e-mail and Web pages, for example.
So how does a firewall know when an app is legitimate? Most rely on the name of the executable file--for example, netscape.exe--together with the port number assigned to an Internet connection created by a specific application. A malicious Trojan horse could fool the firewall into thinking it was a legitimate app by renaming itself when it ran and using an appropriate port.
Safe Simulation
LeakTest safely simulates such an attack strategy. After you download the 27KB program, Gibson recommends changing its name to that of a popular executable Internet application such as Internet Explorer or Eudora. When you run the program, it uses the FTP protocol to attempt to connect to one of Gibson's servers. If it succeeds, it confirms your PC's vulnerability (but doesn't send any personal data), Gibson says.
No LeakTest-style Trojan attacks are known to have occurred outside a lab. Still, most major firewall vendors now have updates that address the problem (see "Patching Up your Firewall").
When the test was released, only one major firewall, Zone Labs' ZoneAlarm, passed. Vendors whose products were fooled by LeakTest include McAfee.com, Network Associates, Sygate, and Symantec. Almost all of them offered free updates by early February.
These patches change the way the firewall identifies apps that users have authorized to access the Web. Instead of relying on name and port, the firewalls look at content or code.
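The difference between the two identification schemes, as an added example that is not from the article or from any vendor's product: one rule set trusts an executable by file name and port, the other by file content. The SHA-256 digest, the class names, and the file contents are assumptions made for illustration; the article says only that patched firewalls "look at content or code."

```python
import hashlib
import os
import tempfile


def digest(path):
    """SHA-256 of the file's bytes (assumed stand-in for 'content or code')."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class NameAndPortRules:
    """Pre-patch behaviour: trust is keyed on executable name plus port."""
    def __init__(self):
        self.rules = set()

    def key(self, path, port):
        return (os.path.basename(path).lower(), port)

    def authorize(self, path, port):
        self.rules.add(self.key(path, port))

    def permits(self, path, port):
        return self.key(path, port) in self.rules


class ContentRules(NameAndPortRules):
    """Patched behaviour: trust is keyed on what the file contains."""
    def key(self, path, port):
        return (digest(path), port)


def demo():
    results = {}
    for label, rules_cls in (("name", NameAndPortRules), ("content", ContentRules)):
        with tempfile.TemporaryDirectory() as d:
            browser = os.path.join(d, "netscape.exe")
            os.mkdir(os.path.join(d, "downloads"))
            lookalike = os.path.join(d, "downloads", "netscape.exe")
            # Constructed stand-in contents, not real executables.
            with open(browser, "wb") as f:
                f.write(b"constructed browser image v1")
            with open(lookalike, "wb") as f:
                f.write(b"constructed unknown program")
            fw = rules_cls()
            fw.authorize(browser, 80)            # user approves the real browser
            results[label + "_browser"] = fw.permits(browser, 80)
            results[label + "_lookalike"] = fw.permits(lookalike, 80)
            with open(browser, "ab") as f:       # a legitimate update changes the bytes
                f.write(b" v2")
            results[label + "_updated"] = fw.permits(browser, 80)
    return results
```

The name-based rules permit all three files; the content-based rules permit only the file the user approved, so even a legitimately updated program has to be approved again.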
Getting this extra protection may inconvenience people. To fully update Norton Personal Firewall, for example, you may have to run Live Update, its downloadable upgrade service, more than once. Symantec also turned off Norton's automatic rule-creation feature, which results in users being pestered by pop-up authorization request windows.
But all firewalls--even ZoneAlarm--rely first on the user's good judgment. And that means not authorizing suspect software.
The bottom line: When it comes to protecting your data, caution is king. It's better to put up with a strict firewall now than to cry later when some stranger downloads all your personal finance files.
Product (Web site; price) | Version that passes LeakTest
McAfee.com Personal Firewall (www.mcafee.com; $20 per year) | Update due by March
Network Associates McAfee Firewall (www.mcafee-at-home.com; $29) | Version 2.15; patch due by March
Network ICE BlackICE Defender (www.networkice.com; $40) | No update required [1]
Source Velocity PC Viper (www.sourcevelocity.com; free) | Version 3.1.6 or later
Sygate Personal Firewall (www.sygate.com; $40) | Version 2.1, build 475 or later
Symantec Norton Personal Firewall 2001 (www.symantec.com; $50) | Version 2.05 or 2.55
Tiny Personal Firewall (www.tinysoftware.com; free [2]) | Version 2.07 or later
Zone Labs ZoneAlarm (www.zonealarm.com; free) | No update required [3]
Zone Labs ZoneAlarm Pro (www.zonealarm.com; $40) | No update required [3]
[1] Watches for harmful patterns of data into and out of a PC, not the applications sending or receiving them. Company says product did not pass LeakTest because it deemed the pattern of data transmission nonthreatening.
[2] $39 for business use.
[3] Identifies trusted applications by their content.