[iwar] [fc:Personal.Firewalls.Spring.Security.Leaks.-.Update]

From: Fred Cohen (fc@all.net)
Date: 2001-11-08 07:02:31


Personal Firewalls Spring Security Leaks - Update 
By Brian McWilliams, Newsbytes, 11/8/2001
http://www.newsbytes.com/news/01/171949.html

Software firewalls deployed by millions of PC users offer only
"illusory" protection against Trojan horses and other malicious
programs, security experts warned today.

Techniques for defeating the outbound data filters in popular personal
firewalls such as Zone Alarm and Norton Personal Firewall have been
independently posted on the Web by several researchers. Using the
methods described, a rogue program could upload private user data
without being detected by the firewall, the experts claim.

To evade a firewall's guards against unauthorized data leaks, the new
techniques include commandeering a legitimate program such as
Microsoft's Internet Explorer and forcing it to send out data on behalf
of the attacker.

"If a firewall is going to allow some program to transmit and receive
data over the Internet, and that program allows other programs to
control its actions, then there's no point in blocking anything at all,"
wrote Bob Sundling in text accompanying the source code of TooLeaky, a
firewall test program he developed to demonstrate the problems.

FireHole, a similar testing tool, also has been made available on the
Web by its author, Robin Keir, lead network security programmer with
Foundstone, a computer security consulting firm. Both TooLeaky and
FireHole sneak past personal firewalls and upload harmless test data to
an external site.

According to Gregor Freund, chief operating officer for Zone Labs,
FireHole exploits a known security flaw in Windows referred to as
SetWindowsHookEx, which allows an application to insert code into another
program.

Freund said that Zone Labs will release an update to Zone Alarm next
week that will provide limited protection against the bug on Windows NT,
2000, and XP systems. A more complete fix will be incorporated in the
next full release of Zone Alarm, version 3.0, which is due in January.

Freund said users can easily defeat the technique used by TooLeaky by
configuring Zone Alarm to require Internet Explorer to ask permission
every time it accesses the Internet.

Keir told Newsbytes that other techniques are likely to be discovered
for defeating outbound filtering, and that the development suggests that
blocking leaks is "a race the firewall makers will never win."
Nonetheless, Keir said he still believes personal firewalls are valuable
for their ability to block incoming attacks.

A third firewall test utility, YALTA, creates a virtual device driver
that sends data to any Internet address without being detected by
firewalls, according to a description of the program, which stands for
Yet Another Leak Test Application.

The new firewall testing utilities represent a second generation of such
programs, building upon a tool developed by Gibson Research Corp. After
GRC president Steve Gibson released LeakTest a year ago to highlight
what he called "internal extrusion" flaws in personal firewalls, many
vendors made changes to improve the outbound filtering techniques used
in their firewall products.

Product manager Tom Powledge told Newsbytes that Symantec was studying
the new firewall bypass techniques and would likely revise Norton
Personal Firewall to defend against them. But Powledge noted that
computer users require anti-virus software and safe computing practices
to prevent rogue programs from establishing a beachhead.

"Once a hacker has code running on your computer, they have a tremendous
amount of power. We've always said that effective Internet security is a
combination of tactics," said Powledge.

The firewall leak discoveries come the same week as an independent
testing agency announced the results of its first certification tests of
personal firewalls. ICSA Labs said three products passed its battery of
tests, which included "restriction of outgoing network communication."

All three of the ICSA certified products, Zone Alarm, Norton Personal
Firewall, and Tiny Software's Tiny Personal Firewall, can be defeated by
the new outbound attacks in some circumstances, according to the authors
of TooLeaky and FireHole. An ICSA representative said the firm was still
testing the new tools and had no immediate comment.
More information on FireHole is at http://keir.net/firehole.html
The TooLeaky home page is at http://tooleaky.zensoft.com
YALTA is available at http://www.soft4ever.com/security_test/En/index.htm
Gibson's LeakTest site is at http://grc.com/su-leaktest.htm
ICSA's Personal Firewall certification page is at
http://www.icsalabs.com/html/communities/pcfirewalls/cert_prods.shtml

------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST