Security crusader punches holes in firewalls

Firewall vendors are scrambling to plug the holes exposed by security researcher Steve Gibson's test Trojan, dubbed LeakTest, or are clarifying what their software actually checks.

LeakTest, available as a free download from Gibson Research, exploits what Gibson claims is a common weakness in most firewalls: the way they exempt "trusted" Internet applications from firewall restrictions.

Only one major firewall vendor -- Zone Labs, maker of ZoneAlarm -- does not use the identification method that Gibson claims LeakTest can exploit. Other vendors, including Symantec, McAfee.com, and Sygate, say they're working on modifications now.

Identifying friendly programs

The problem lies in the common approach firewall programs use to decide which programs may pass traffic through them. Typical attacks come from intruders trying to read a user's files, or to knock a machine offline by flooding it with meaningless data, known as a denial-of-service attack.

Most often, firewalls identify approved applications by their file name and their choice of ports. That's not enough, Gibson says. Like its mythical namesake, a Trojan horse program attacks from within, breaching a PC's defenses by simple trickery. Similar to viruses, Trojans masquerade as harmless or even useful programs that people exchange by e-mail or download. Once installed, a Trojan listens on, or connects out through, specific network ports that an attacker can then use.

Since many legitimate programs -- such as Web browsers, e-mail clients, and instant messengers -- also open ports, the firewall's job is to distinguish trustworthy applications from nefarious ones. Gibson maintains any Trojan horse can easily be renamed and choose appropriate ports to disguise itself as a trusted application.

"There was no protection against one program pretending to be another just by changing the file name," Gibson says. He says he proves it with LeakTest, inviting anyone to download the 26K program and rename it from a list of programs trusted by Symantec's Norton Personal Firewall. When run, LeakTest initiates a connection with Gibson's server to test whether data escapes the firewall. The communication only confirms the firewall's vulnerability and does not transmit any personal data from the tester's PC, Gibson says.

Gibson got 'em, vendors say

Gibson's test indeed exploits a weakness in firewall products, say representatives of several major vendors.

Norton Personal Firewall 2001 can't distinguish between the real version of a program like Microsoft Internet Explorer and a renamed Trojan, such as the infamous Back Orifice 2000, says Tom Powledge, Symantec's senior product manager for consumer products.

"In this case, [Norton Personal Firewall] would not block it," says Powledge of LeakTest and other crafty Trojans.

McAfee.com's security architect Sam Curry agrees that McAfee.com Personal Firewall could also be fooled, since it "simply looks at the name of the executable." Both Powledge and Curry say they do not know of any actual malicious attacks based on Gibson's model. "But yes, it could be done," Curry says.

He adds that his company's firewall is based on the same architecture as the McAfee Firewall, sold by McAfee.com's former parent company, Network Associates.

Unlike the McAfee and Norton programs, Sygate Personal Firewall 2.1 does not have a built-in list of approved applications. However, one provision allows any applications through certain ports generally (but not necessarily) reserved for "legitimate" activities.

Representatives of another popular vendor, Network ICE, acknowledge that its intrusion detection/blocking program BlackICE would also fail Gibson's test, although they claim it would not fall prey to a truly malicious program.

BlackICE was not designed to identify the programs that access the Internet, says Greg Gilliom, chief executive officer. Instead, it checks the content of the actual data packets passing to and from the computer. BlackICE would permit LeakTest because the program is not doing anything harmful, Gilliom says.

"LeakTest is just a normal FTP client. As far as we're concerned, there's nothing malicious about that." But BlackICE would block a program that transmits suspicious packets, he says. For example, Gilliom says BlackICE Defender can identify the encryption patterns of Back Orifice 2000.

Gibson says the firewalls are too easily fooled. He modified his Trojan so that, instead of impersonating an approved application, it writes a new rule into the firewall's own list of trusted programs, granting itself passage.

"There is nothing to prevent a Trojan from making its own entry" in the Application Lookup Engine (ALE) of Norton Personal Firewall, Gibson says. He expects most firewalls that predefine trusted applications share the flaw.

Only firewalls from Zone Labs were able to fend off LeakTest, Gibson says. The company's ZoneAlarm and ZoneAlarm Pro passed the test, he says, because they have a fundamentally different way to identify a trusted application. As a default, ZoneAlarm prohibits all traffic. It recognises no applications as trusted, verifying them one by one as they first run.

Unlike many other firewalls, ZoneAlarm does not identify applications by name or choice of ports. Instead, it fingerprints a program's actual executable code with an MD5 cryptographic hash, or checksum, and compares the result against the one recorded when the user first approved the program.

"It is conceptually infeasible to get any other program to produce the same MD5 signature," Gibson says.
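The contrast the article draws, trusting a program by its file name versus trusting it by a digest of its bytes, is easy to see in a small model. The following is an added example written for this page; it is not LeakTest's code or any vendor's. The two firewall classes, the byte strings standing in for program images, and the scenario names are all assumptions. SHA-256 is used as the default digest because MD5 is no longer collision-resistant, but MD5 is still available to mirror what the article describes.

```python
"""
Two ways a personal firewall can decide whether a program is "trusted":
by executable name (what the article says Norton and McAfee.com did) or
by a digest of the executable's bytes (ZoneAlarm's checksum approach).

Added example for this article, not LeakTest's or any vendor's code.
The program images below are constructed byte strings standing in for
real executables; the firewall classes are a simplified model.
"""
import hashlib

# Constructed program images. In reality these would be read from disk.
GENUINE_BROWSER = b"MZ\x90\x00 genuine browser, connects to the web on port 80"
LEAKTEST_TROJAN = b"MZ\x90\x00 leaktest: phones home to the tester's server"


def fingerprint(image: bytes, algo: str = "md5") -> str:
    """Digest of the program image. MD5 matches the article; MD5 is no
    longer collision-resistant, so a current design would use sha256."""
    return hashlib.new(algo, image).hexdigest()


class NameBasedFirewall:
    """Trusts any process whose executable has an allow-listed file name."""

    def __init__(self, trusted_names):
        self.rules = {n.lower() for n in trusted_names}

    def allows_outbound(self, filename: str, image: bytes) -> bool:
        # The image bytes are never consulted: renaming is enough to pass.
        return filename.lower() in self.rules


class HashBasedFirewall:
    """Default-deny. A program is learned on first run only if the user
    approves it; afterwards it must present the same digest."""

    def __init__(self, algo: str = "sha256"):
        self.algo = algo
        self.rules = {}  # filename -> digest recorded at first approval

    def allows_outbound(self, filename: str, image: bytes,
                        user_approves: bool = False) -> bool:
        digest = fingerprint(image, self.algo)
        recorded = self.rules.get(filename.lower())
        if recorded is None:
            if user_approves:  # the remaining hole: the user's judgement
                self.rules[filename.lower()] = digest
                return True
            return False
        return recorded == digest


def leaktest_scenarios() -> dict:
    """Replays the article's test against both models; True means the
    firewall let the traffic out."""
    results = {}

    name_fw = NameBasedFirewall(["iexplore.exe", "outlook.exe"])
    # LeakTest renamed to a trusted name walks straight through.
    results["name_renamed_trojan"] = name_fw.allows_outbound(
        "IEXPLORE.EXE", LEAKTEST_TROJAN)
    # Gibson's second variant: a rule table any local process can edit
    # lets the Trojan add its own entry under its real name.
    name_fw.rules.add("leaktest.exe")
    results["name_self_added_rule"] = name_fw.allows_outbound(
        "leaktest.exe", LEAKTEST_TROJAN)

    hash_fw = HashBasedFirewall()
    # First run of the real browser: user approves, digest recorded.
    results["hash_genuine_first_run"] = hash_fw.allows_outbound(
        "iexplore.exe", GENUINE_BROWSER, user_approves=True)
    # Same name, different bytes: digest mismatch, blocked with no prompt.
    results["hash_renamed_trojan"] = hash_fw.allows_outbound(
        "iexplore.exe", LEAKTEST_TROJAN)
    # Even a single flipped byte in the genuine image is caught.
    tampered = bytearray(GENUINE_BROWSER)
    tampered[-1] ^= 0x01
    results["hash_tampered_browser"] = hash_fw.allows_outbound(
        "iexplore.exe", bytes(tampered))
    # Freund's caveat: an unknown program the user approves is trusted anyway.
    results["hash_user_approves_unknown"] = hash_fw.allows_outbound(
        "leaktest.exe", LEAKTEST_TROJAN, user_approves=True)
    return results


if __name__ == "__main__":
    for name, allowed in leaktest_scenarios().items():
        print(f"{name:28s} {'ALLOWED' if allowed else 'blocked'}")
```

Running the script shows the name-based model letting the renamed Trojan through while the digest-based model blocks both the renamed Trojan and a one-byte modification of the genuine browser. The last scenario is the point Zone Labs makes later in the article: no checksum helps if the user approves an unknown program at the prompt.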

Watch for online updates

Other firewall vendors are reexamining how their programs verify a program's identity. McAfee.com is already working on an MD5 checksum function for future versions of its firewall, Curry says. The company is also developing a patch to address Gibson's findings.

"Steve [Gibson]'s concerns are valid, and we are going to address them," Curry says. He advises users to check the McAfee.com site for a patch this week.

Sygate Personal Firewall 4.0 will be a totally new version of the software and will incorporate the MD5 checksum, says John De Santis, Sygate chief executive officer. The company expects to post a patch for its 2.1 product that eliminates blanket permission for certain ports (but will not yet include the MD5 checksum) on its site this week.

A new firewall from Tiny Software was still in beta during Gibson's tests, but it already implements an MD5 checksum engine. It originally included a list of preapproved apps, but Tiny is reconsidering that approach in light of Gibson's criticism, says Brandon Talaich, Tiny's vice president of marketing. The finished version of the firewall's Trusted Application Mechanism will identify programs by their MD5 signatures.

Symantec is currently considering several methods, including an MD5 checksum, to more thoroughly verify a program's identity.

"We are going to address all the issues that were brought up by the LeakTest," Powledge says. Symantec has not decided whether to offer an interim fix or wait for a comprehensive update. But Powledge advises concerned customers to disable the program's automatic firewall rule generation. (A document on Symantec's site explains how.) Likewise, McAfee's Curry says users of the McAfee.com Personal Firewall should watch the site for an update. "As an ASP, we can roll out upgrades like this to our entire user base very quickly," Curry notes.

Gibson keeps watch

And Zone Labs is neither bragging nor relaxing. No security product is 100 per cent safe, says Gregor Freund, president.

"You have to create a balance," Freund says. "Steve [Gibson] points out where that balance should be." Can the program be fooled? Users certainly can, he adds. The firewall will allow a program if the user authorises that program, but it trusts the customer's judgement.

"People have to understand that downloading a piece of software -- if they have no idea what it is or what it does -- is taking a risk," Freund adds.

For his part, Gibson expects to keep watching. He's already working on LeakTest 2.0, expecting everyone to quickly fix the flaws LeakTest 1.0 uncovers.

Sean Captain

PC World