Personal Firewalls Fail the Leak Test

In an attempt to show that personal firewalls may afford their users little
protection against serious threats, a respected PC security expert has
released a new software tool that pokes holes in many of the leading desktop
security packages.


Security-conscious Internet users, especially those on broadband
connections, have made desktop firewall software into a booming business for
companies like Symantec and Network Associates. But according to Steve
Gibson, president of Gibson Research,
almost all of these utilities only provide “pseudo protection” against
attacks. That’s because they put most of their effort into blocking incoming
hacker attacks, while paying only scant attention to what he calls internal
extrusion.


“I really believe the problem of software in your computer misbehaving is
much bigger than the problem of hacker attacks. Most people don’t have any
vulnerabilities; there’s nothing a hacker can do to you. So I argue against
the necessity of any kind of inbound blocking tool,” said Gibson.


To prove his point, Gibson has developed a free utility called LeakTest. The 27-Kbytes
program is a trojan-horse/spyware simulator that attempts to slip past a
personal firewall’s defenses and connect to a server on the Internet.


Not surprisingly, popular intrusion detection programs like BlackIce
Defender
from Network Ice fail to catch the outgoing connection and
report it to the user. But more disturbingly, several firewalls that claim
to offer outbound detection are also fooled by LeakTest. Among them, the
best selling Norton
Personal Firewall
and McAfeeFirewall.


Both are among a small number of desktop firewall programs that attempt to
address the problem of unauthorized outbound leakage, but Gibson says they
fall short and can be easily fooled or bypassed because they come
pre-programmed to allow some applications to pass through the firewall.


“This idea of allowing all these apps pre-approval is ludicrous. It’s
trivial to get permission out of the firewall without notifying the user,”
said Gibson, who observed that only one firewall, ZoneLab’s ZoneAlarm, prevents malware from
masquerading as a trusted program.


“They do a cryptographic signature of the programs you’re allowing. That’s
not hard to do, but they’re the only ones who do it,” he said.


Tom Powledge, Symantec’s product manager for Norton Internet
Security
, said the risks outlined by Gibson are low if users are running
both a firewall and anti-virus software. And he said Symantec knows of no
instances of programs that specifically target Norton Personal Firewall,
which is shipped with NIS.


But in response to Gibson’s critique, Symantec plans to revise the
application integrity checking feature in NIS, with an update available to
users over Live Update by early next week. In the meantime, Powledge said
concerned users can turn off automatic firewall rule creation.


Judging by comments on the LeakTest message board at Gibson’s site, plenty of users are concerned about the
newly exposed porosity of their favorite firewall software. But Symantec’s
Powledge said their fears could have been avoided if Gibson had given
vendors the customary advance notice before releasing LeakTest.


“We were seeing no concern about this, and no exploits have been written.
And while this makes customers aware of a potential issue, it also makes
hackers aware,” said Powledge.


But Gibson, who had an earlier run-in with RealNetworks over the privacy behavior of its RealDownload
product, said he’s learned that unless pressure is brought to bear,
companies are resistant to change.


“These firewalls are not going to get better unless there’s someone saying
and able to prove — and to enable the user to prove — that these things
are junk.”

News Around the Web