Knowledge Is Power (KIP) -- An Informative Read [Archive] - SpeedGuide.net Broadband Community


fab-c
12-08-00, 01:17 PM
Knowledge Is Power (KIP)

First of all, visit grc.com/su-firewalls.htm, read the entire page (a great read), and download Leaktest. Only two current firewalls will fully protect you from this test-trojan: ZoneAlarm (ZAF/ZAP) and Tiny Personal Firewall with MD5 checking enabled.

Here are some nice Gibson quotes.
"Leaktest can be named anything you like while it easily bypasses the Sygate firewall. Rename it Dracula, or just leave it named Leaktest. For this test, you must depress and hold either of your keyboard's "Shift" keys when you click on and release the "Test" button. The Leaktest window title will immediately change to confirm that it has recognized your request for "stealth mode" operation."

". . . Sygate's firewall is so poorly written that, so far, it is the only firewall I have found which can so easily be completely circumvented with just a few simple lines of code regardless of the name of the penetrating program."

"This means that any Trojan horse or spyware program running in your computer will have unrestrained access to your Internet connection UNTIL you respond to the Sygate firewall dialog box and say 'no'."

"As you have seen, the Symantec/Norton firewalls stand out due to their horrible and incredibly unsafe default "Automatic Rule Creation" feature. The Sygate firewall stands out due to its uniquely (so far as I know) and incredibly poor protection. And BlackICE Defender wasn't even mentioned here because, although it is a noisy inbound blocking firewall, it offers ABSOLUTELY NO PROTECTION and control against outbound Trojan, virus, and spyware communications. (Leaktest merrily communicates out through BlackICE Defender without any trouble.)"

ZoneAlarm is the only firewall he has tested that passes Leaktest even when renamed to a trusted application, placed in the application's directory and run (and even when the same is done and Leaktest is run in stealth mode). Although not officially tested by Gibson yet, Tiny Personal Firewall with MD5 checking enabled does fully pass, just as ZoneAlarm (ZoneAlarm has this cryptographic signature testing enabled without an option to disable it) does.

And for all you people running more than one firewall, Gibson had this to say in a newsgroup discussion:
"For what it's worth, I *COMPLETELY* agree with you. Windows was NEVER DESIGNED to have a firewall installed. The Networking layers are a total mess ... and it's somewhat AMAZING that two firewalls don't completely crash the system."

That was in response to this:
"That doesn't necessarily mean that ZA missed it. There could have been a conflict between the two programs and BID picked it up instead. ZA may well have picked it up if BID hadn't interfered. Of course, there's no way to prove it....but history has shown (with other applications) that running two at once isn't a good idea. Try running two active virus scanners at the same time and you'll see what I mean."

In the meantime, Symantec is reportedly informing curious PC industry reporters that they will immediately update their installed base of Norton Internet Security products in response to the vulnerabilities revealed by Leaktest. Symantec's "Live Update" system will be used to provide these updates to their users.

Gibson's goal is not to start a flame war, but to bring attention to the faults of our best defense against hackers, our personal firewalls. By doing this it is expected that manufacturers will open their eyes and make adjustments just as Norton is doing.

I quote [from Gibson]:
"These firewalls are not going to get better unless there's someone saying and able to prove -- and to enable the user to prove -- that these things are junk."

Still, don't be fooled into thinking you are fully protected from trojans with ZoneAlarm or Tiny PF.
Quoted from a user:
"I know of one program that DISABLES Zone Alarm. It is called "StayOn Pro". It says that it will prevent ur ISP from disconnecting ur connection but i found out that it does a lot more than that. It allows everything in the Program List of ZA to connect to the internet and become a server. Scared the life outta me. You can find it at ZDNet/downloads. Try it guys and girls just for the fun of it"
Also, there is currently a "test-trojan" out called 711 that apparently disables ZoneAlarm.
I recommend Tauscan (www.agnitum.com/products/tauscan/) to complement your virus scanner. (BTW, I think their program named "Jammer" is pretty useless today with a full-fledged, easy-to-use firewall available for free that offers superior protection--ZoneAlarm. If Jammer were free, it might be worth a look.) A properly updated, good virus scanner, and a properly updated, good trojan scanner is all you really need. Closed ports -are- safe, and although stealthed ports are "preferable", I wouldn't go as far as to say you're at risk if your ports are only closed. The fact is that only "script kiddies" target low-profile home users. The real hackers are big game hunters. Most of the people in security discussions on the Internet are overly paranoid. With the removal of NetBIOS entirely, you are realistically not at any risk of inbound bust-ins. Steve Gibson says:
"Essentially NONE of the 'noise' that is picked up by wolf-crying 'intrusion detectors' like BlackICE Defender represent true targeted attacks. It's just needlessly terrifying, though it is educational. If a user has an updated Windows Sockets layer, has unbound his insecure NetBIOS protocols from the TCP/IP transport, and is not running any Internet servers which open listening ports, then the need for a firewall to block 'attacks' is MUCH reduced"
Still, with ZoneAlarm being FREE, I say download it, set it, and FORGET IT! Don't worry about getting a log analyzer or getting all involved with it. Having an old version of ZoneAlarm is nothing like having old virus definitions--but you can check for upgrades every so often if you so desire.
download.wrq.com/fileinfo.asp?filename..
-Final version of AtGuard now available for free (legitimately).
> Since AtGuard doesn't perform EXE fingerprinting -- ever -- it's ALWAYS possible to blow through it from the SAME directory as the approved program, yes??

Reply from a user:
"Steve,

Absolutely -- without fail! That's why I don't give *any* program carte blanche in my ruleset. The only apps approved are the ones actually running at the time. If I stop Gravity, for instance, I uncheck its 'allow' rule if I stay connected. If I am using Gravity only, the allow rule for my browser is unchecked. If anything -- or something *pretending* to be anything -- wants out, it has to ask.

Admittedly, I am probably 1 in 100,000 AtGuard users to do this. The vast majority of users will set (or have rules set for them - NIS) allow rules and be WIDE open to exactly what your leaktest proves."
------
Just so you know.


BTW, go to http://www.lockdown2000.ic24.net/index.html.
Lockdown 2000 is a hilarious piece of junk--and I mean JUNK!
Check out the history bit on the author, Mr. Paris, and his previous scams. http://www.primenet.com/~lippard/pchelp/LDfac.. pertains to the actual code of this program. After decrypting the code, the author said this about the program's trojan check: "The trojan check especially is a complete joke." Of course he exposed plenty more dirt. This included "It's also clear that the progress bar Lockdown displays while doing its "System Check" runs far more slowly than does the check itself! The progress bar is there for show. The actual check is very rapid, because there isn't much to it." This stemmed from curiosity as to why LockDown is so damn slow!

Knowledge Is Power (KIP)
*some parts have been mildly edited once.
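The renamed-executable trick this post keeps returning to (Leaktest "blowing through" a name-based allow rule from the approved program's directory, and the MD5 fingerprinting in ZoneAlarm/Tiny that stops it), shown as an added Python illustration. This is not code from the post or from any of the firewalls named; the program images, file name and ruleset are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-ins for the bytes of two program files on disk. A real
# firewall would read the image from the path the connecting process started from.
APPROVED_BROWSER = b"MZ\x90\x00 constructed: the user's genuine browser build"
RENAMED_LEAKTEST = b"MZ\x90\x00 constructed: leaktest copied over browser.exe"


def fingerprint(image: bytes) -> str:
    """MD5 of the executable image, the check the post calls 'MD5 checking'.
    (Hypothetical helper; MD5 is what the 2000-era firewalls used, a modern
    allowlist would use SHA-256 or a code-signing certificate instead.)"""
    return hashlib.md5(image).hexdigest()


def approve(ruleset: dict, exe_name: str, image: bytes) -> None:
    """Record an 'allow' rule the way a user approves a program once."""
    ruleset[exe_name] = fingerprint(image)


def decide_by_name(ruleset: dict, exe_name: str) -> str:
    """AtGuard-style rule: the file name alone decides, no fingerprinting."""
    return "allow" if exe_name in ruleset else "ask"


def decide_by_fingerprint(ruleset: dict, exe_name: str, image: bytes) -> str:
    """ZoneAlarm/Tiny-style rule: the name must match AND the image hash must
    equal the one recorded at approval time; any other image prompts the user."""
    expected = ruleset.get(exe_name)
    if expected is None or not hmac.compare_digest(expected, fingerprint(image)):
        return "ask"
    return "allow"


def run_scenario() -> dict:
    """Approve the genuine browser, then let a renamed impostor try to connect."""
    ruleset = {}
    approve(ruleset, "browser.exe", APPROVED_BROWSER)
    return {
        "genuine_by_name": decide_by_name(ruleset, "browser.exe"),
        "impostor_by_name": decide_by_name(ruleset, "browser.exe"),
        "genuine_by_fingerprint": decide_by_fingerprint(ruleset, "browser.exe", APPROVED_BROWSER),
        "impostor_by_fingerprint": decide_by_fingerprint(ruleset, "browser.exe", RENAMED_LEAKTEST),
    }


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case}: {verdict}")
```

The name-only ruleset lets the impostor out with the same "allow" it gives the genuine browser, which is exactly the Leaktest result; the fingerprint ruleset answers "ask" for anything whose hash differs from the approved image.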

fredra
12-08-00, 08:15 PM
This is interesting indeed!!!!
I recently downloaded, installed and am trying out Tiny Firewall on my trusted travelling workhorse laptop.
I will see if it is up to snuff.

[This message has been edited by fredra (edited 12-08-2000).]

Pitch
12-09-00, 06:47 AM
Fab-c, thanks for the post. I hadn't visited the GRC website in quite a while and was not up to date on the latest stuff there. Also, thanks for the reference to Tiny Personal Firewall. I had always known it was an excellent firewall program. A few months back I had wanted to test it, but at the time Tiny did not have a free trial version and did not have a money back guarantee. They now are offering their beta version for free, so I downloaded it and am currently testing it. So far it is, unquestionably, the best software firewall I've used. And, just as you stated: "Although not officially tested by Gibson yet, Tiny Personal Firewall with MD5 checking enabled does fully pass, just as ZoneAlarm (ZoneAlarm has this cryptographic signature testing enabled without an option to disable it) does." This firewall program appears to be solid as can be without any frills. A mere 1.34MB system memory usage and just 334KB in size. Why can't more programs be like this and still be as good?

fredra, I don't think you'll be disappointed with Tiny.

JANDOENT
12-09-00, 01:49 PM
Hey fab-c, Welcome to Speed Guide. Thanks for the info. Gibson is usually a little behind on his info, so I hadn't been there in a while. But when he catches up, his info is great as this link shows.

JANDOENT
12-16-00, 11:15 PM
getting this up top for knicks. Let us know if this works.