All firewalls are meant to block unauthorized attempts to reach a PC from the outside. But many legitimate applications running on your computer need to talk to the outside world, and the firewall has to let that traffic through: you still expect to receive e-mail and Web pages, for example.
Most software firewalls adequately protect you from outside hackers who try to access your files or otherwise probe your PC. But what if the danger comes from within? Several personal firewall vendors have released updates addressing a weakness that lets an intruder in when you unsuspectingly run a malicious application masquerading as a friendly one.
So how does a firewall know when an app is legitimate? Most rely on the name of the executable file (netscape.exe, for example) together with the port number of the Internet connection that application creates. A malicious Trojan horse could fool the firewall into thinking it was a legitimate app simply by running under the name of a program the user has already authorized and using the same port.
The problem garnered public attention thanks to PC security guru Steve Gibson, whose Gibson Research Web site is best known for ShieldsUp, a test designed to expose a firewall's vulnerability to external attacks. Gibson's latest offering, dubbed LeakTest, is a free, easy-to-run download that will tell you whether your firewall can detect and stop an internal Trojan horse program (innocent-looking software that is spread via e-mail or download). Antivirus software can alert you to known Trojan horses, but if a new one gets through, your firewall is supposed to provide a second line of defense. Unfortunately, most personal firewalls failed LeakTest when it was released in December.
LeakTest safely simulates such an attack. After you download the 27KB program, Gibson recommends renaming it to match a popular Internet application such as Internet Explorer or Eudora, which is exactly what a Trojan horse would do. When you run the program, it uses the FTP protocol to attempt to connect to one of Gibson's servers. If the connection succeeds, your firewall has let an unauthorized program out, which confirms the vulnerability; the program sends no personal data, Gibson says.
No LeakTest-style Trojan attacks are known to have occurred outside a lab.
When the test was released, only one major firewall, Zone Labs’ ZoneAlarm, passed. Vendors whose products were fooled by LeakTest include McAfee.com, Network Associates, Sygate, and Symantec. Almost all of them offered free updates by early February.
These patches change the way the firewall identifies apps that users have authorized to access the Web. Instead of trusting the file name and port alone, the firewalls examine the program's contents or code, so a renamed impostor no longer matches the rule granted to the real application.
Getting this extra protection may inconvenience people. To fully update Norton Personal Firewall, for example, you may have to run LiveUpdate, its downloadable upgrade service, more than once. Symantec also turned off Norton's automatic rule-creation feature, so users are now pestered by pop-up windows asking them to authorize each application's access.
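The two rule schemes described above, name-and-port versus content-based identification, as an added Python model that is not Gibson's LeakTest code and not any vendor's implementation. The executable "images" are constructed byte strings, not real programs; the netscape.exe rule, the use of FTP's port 21, and the choice of SHA-256 as the content fingerprint are assumptions made for the example (the article says only that the patched firewalls look at "content or code"). The last function also shows why the content check produces the extra authorization prompts: a legitimate update to the program changes its fingerprint.

```python
import hashlib

# Constructed stand-ins for executable images. The bytes are invented for this
# example; they are not real programs and do nothing if run.
NETSCAPE_IMAGE = b"MZ\x90\x00 netscape.exe: legitimate browser build 4.7"
NETSCAPE_UPDATED_IMAGE = b"MZ\x90\x00 netscape.exe: legitimate browser build 4.8"
LEAKTEST_IMAGE = b"MZ\x90\x00 leaktest.exe: simulated trojan, renamed by the user"

FTP_PORT = 21  # LeakTest connects out over FTP (assumed port for the model)


class Process:
    """A running program as the firewall sees it: the file name it was
    launched from and the bytes of that file on disk."""

    def __init__(self, exe_name, exe_image):
        self.exe_name = exe_name
        self.exe_image = exe_image


class NameAndPortFirewall:
    """Pre-LeakTest rule model: a rule is just (file name, remote port)."""

    def __init__(self):
        self.rules = set()

    def authorize(self, proc, port):
        self.rules.add((proc.exe_name, port))

    def allows(self, proc, port):
        return (proc.exe_name, port) in self.rules


class FingerprintFirewall:
    """Post-patch rule model: a rule is keyed on a digest of the executable's
    contents, so a renamed file does not inherit another program's rule."""

    def __init__(self):
        self.rules = {}  # sha256 hex digest -> set of permitted remote ports

    @staticmethod
    def fingerprint(proc):
        # Hypothetical choice of digest; the article only says "content or code".
        return hashlib.sha256(proc.exe_image).hexdigest()

    def is_known(self, proc):
        return self.fingerprint(proc) in self.rules

    def authorize(self, proc, port):
        self.rules.setdefault(self.fingerprint(proc), set()).add(port)

    def allows(self, proc, port):
        return port in self.rules.get(self.fingerprint(proc), set())


def run_leaktest(firewall):
    """Authorize the real browser for FTP, then try the renamed LeakTest.
    Returns True if the simulated trojan gets out (the firewall fails)."""
    browser = Process("netscape.exe", NETSCAPE_IMAGE)
    firewall.authorize(browser, FTP_PORT)
    # The user renames leaktest.exe to netscape.exe; only the name changes,
    # the bytes on disk are still LeakTest's.
    impostor = Process("netscape.exe", LEAKTEST_IMAGE)
    return firewall.allows(impostor, FTP_PORT)


def browser_update_needs_reauthorization():
    """Side effect of fingerprinting: a legitimate update changes the digest,
    so the user is prompted again even though it is the same program."""
    fw = FingerprintFirewall()
    fw.authorize(Process("netscape.exe", NETSCAPE_IMAGE), FTP_PORT)
    updated = Process("netscape.exe", NETSCAPE_UPDATED_IMAGE)
    return not fw.is_known(updated)


if __name__ == "__main__":
    print("name+port firewall leaks:", run_leaktest(NameAndPortFirewall()))
    print("fingerprint firewall leaks:", run_leaktest(FingerprintFirewall()))
    print("browser update prompts again:", browser_update_needs_reauthorization())
```

The name-and-port model lets the impostor out because the rule never looked at anything an attacker controls less easily than a file name; the fingerprint model blocks it, at the cost of treating every changed binary, including a real upgrade, as an unknown program until the user says otherwise.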
But all firewalls, even ZoneAlarm, rely first on the user's good judgment, and that means not authorizing suspect software.
The bottom line: When it comes to protecting your data, caution is king. It’s better to put up with a strict firewall now than to cry later when some stranger downloads all your personal finance files.
We use and recommend ZoneAlarm.