Is Microsoft’s Firewall Secure?

March 8, 2008 – 3:33 PM

Some say Win XP SP2 enhancements cause conflicts, don’t protect as claimed.

Security experts and vendors this week welcomed the introduction of Windows Firewall, part of Windows XP Service Pack 2 (SP2), as a valuable way of protecting PCs. But while the firewall is an improvement, it falls short of the standard of protection expected of commercial firewalls, according to some industry observers.

Windows Firewall, which replaces the old Internet Connection Firewall, marks the first time all up-to-date PCs will have a firewall switched on by default, an important step in stopping the spread of viruses, according to industry analysts. However, the software suffers from two major flaws, critics say: it does not block outbound traffic, and it can be switched off by another application, possibly even by a clever worm.

Jumping the Wall

Most commercial firewalls include a feature to stop all but authorized applications from sending data to the Internet; this stops malicious code from sending unauthorized communications, and also prevents PCs from being hijacked and used to send spam or participate in distributed denial-of-service attacks. Windows Firewall, however, filters only incoming traffic, allowing any application to send outbound packets, a fact which some industry observers have said makes it less useful for serious protection.

“It still isn’t as robust as many third-party host-based firewalls,” writes Jeff Fellinge, information security officer at media company aQuantive, in a recent analysis of the firewall.

More seriously, rival firewall makers claim that the API used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off. Major firewall makers, including Zone Labs, McAfee, and Symantec are preparing SP2-compatible versions of their applications which disable Windows Firewall when they are installed, and enable it again when they are uninstalled.

But if an installer can switch off Windows Firewall, so could an attacker, argues Zone Labs, maker of the popular ZoneAlarm firewall. The company says its own products are locked down in such a way that third-party applications can’t disable firewall protection without uninstalling the software.

Defining Roles

Microsoft admits that, in some cases, malicious code could indeed switch the firewall off. However, this isn’t so much a flaw as a limitation on the role firewalls should play in a company’s security system, according to Microsoft.

“An attacker could misuse that (administrative) capability,” says David Overton, a Microsoft technical specialist. “But you’re already in a compromised state, if you’re at that point.” He says Windows Firewall is designed to stop malicious transmissions to the PC, rather than protecting the PC once it’s been infected.

If malicious code makes it past the firewall, it is the role of anti-virus software to protect the machine, Overton adds. Likewise, it is not the firewall’s place to stop malicious code from sending outbound packets; Microsoft contends that companies should use perimeter technologies to examine outbound traffic.

“The firewall is a management process, not a silver bullet,” Overton says. He says Microsoft’s user testing showed that asking users to approve every application trying to communicate with the Internet tends to backfire.

“If you flood the user with messages like that, they say ‘yes’ all the time,” he says.

Rival firewall makers say they have various ways of dealing with this problem. McAfee, for example, has a “white list” of trusted applications, designed to reduce the number of messages a user receives.

http://www.pcworld.com/news/article/0,aid,117380,00.asp

802.11n – Wi-Fi’s next big thing

March 8, 2008 – 3:32 PM

A group of technology companies including Texas Instruments, Broadcom, and STMicroelectronics is pushing its proposal for the eventual 802.11n Wi-Fi standard, which they claim will offer speeds “up to 10 times the speed of the current generation”. Glenn Fleishman over at Wi-Fi Networking News cuts to the chase: “An array of four receive and four transmit antennas in a MIMO configuration (4 x 4) would use 40 MHz of bandwidth, or about twice that used in current 802.11b and g, to achieve speeds up to 540 Mbps (raw throughput).” Of course, as usual with Wi-Fi hardware, your mileage may vary.

http://www.broadbandreports.com/shownews/51965

Bogus Spyware Removal Apps

March 8, 2008 – 3:31 PM

Newsday is running a piece on bogus spyware applications that mimic successful free applications (like Spybot and AdAware), but either don’t work, or worse: install spyware themselves. The article quotes Eric Howes, a BBR security forum regular, who maintains a list of 75 such suspect products, with more being added daily. Howes also points out the lengths to which over-eager entrepreneurs will go to get their products noticed (like phony review sites, Google rank manipulation, etc.).

http://www.broadbandreports.com/shownews/51512

Scam Alert: Juice Boost

March 8, 2008 – 3:28 PM

From the scam of a lifetime department: A spammer in our Broadband Tweaks forum is pushing a referral scam service called Juice Boost, which promises users 2Mbps speeds for free, anywhere there’s a phone line, using “State-of-the-art data compression, byte stream and ultimate data burst technology”. The service also promises you’ll never see a blank page, a piece of spam, or a worm again, or the company will pay you.

While our users might smell a rat immediately, would your parents? Grandparents? According to the website, the technology, which is currently in beta, “Works with any PC or MAC of the lowest specification believable”. So those of you still running a 133 MHz relic won’t be excluded from the party.

Of course it’s simply dial-up compression software with a coat of paint at the foundation of a pyramid scam, but the promises made by the technology include some of the most outlandish and amusing claims we’ve ever seen.

While users who visit the site won’t see these claims, users who respond to a particular referral code – usually provided in e-mail or message board spam – will. We’ve omitted that code to keep the referrer from making any money from links. You can, however, buy their product on eBay if getting ripped off was on your action-item list for today.

Here are some of the promises you’ll see when you log in from a referrer:

“Speed up a dialup connection to over broadband speeds for FREE.”

“Speed up a broadband connection to 2MB for FREE.”

“Save money by disconnecting broadband and using JUICE for FREE.”

“Make your Internet experience more pleasurable.”

“You will never see another dead, blank or irrelevant page ever again and if you do, we will pay you £500 GBP*.”

“You will NOT get another spam email EVER, but if you do we will pay you £100 GBP* in compensation.”

“You are guaranteed to get a minimum connection speed of 2MB with 100% uptime. If we fail to meet either or both we will pay you £500 GBP* per failure.”

“YOU will NEVER receive a virus or worm in your email inbox again as we operate up to the millisecond software to stop the same, but if you do get one we will pay you £500 GBP* compensation.”

“JUICE is able to block every porn and adult site on the Internet if you choose to filter it and if we fail you we will pay you £200 GBP* per reported instance.”

“That’s how confident JUICE is,” the site proclaims. “We can STOP your child from chatting to people who pretend to be children in chat rooms by using amazing breakthrough IP filtration and parenthesis technology.”

Parenthesis technology! Where do we sign up?

http://www.broadbandreports.com/shownews/51256

Data Driven Attacks Using HTTP Tunneling

March 8, 2008 – 3:27 PM

While many system administrators are turning to firewalls, routers, and intrusion detection and prevention systems to control content on port 80 (HTTP, the Hypertext Transfer Protocol), attackers can use HTTP tunneling to bypass those access control restrictions. Tunneling involves encapsulating traffic in HTTP headers; a tunneling program receives the HTTP traffic, strips out the headers, and forwards the traffic. Both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) packets can be sent this way. An attacker who is already inside a network can install an HTTP tunnel program to covertly reach other parts of the network over other ports and services, such as Telnet (TCP port 23). An attacker could also gather intelligence about a network without alerting administrators with a visible port scan. Penetration testers can use HTTP tunneling to find holes that would otherwise go unnoticed, since most networks inspect inbound traffic closely but place few restrictions on outbound traffic.
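Since the article’s point is that outbound port 80 traffic is rarely inspected, the practical defender’s question is what a tunnel looks like in the proxy logs you already keep. The following is an added example, not code from the article or from SecurityFocus: a small heuristic detector that reads a constructed proxy log (the seven-field line format, the sample lines, the thresholds and the heuristic names are all assumptions made for this illustration) and flags two patterns that tunneling tools commonly leave behind: CONNECT requests to ports other than 443, and a client that keeps POSTing binary bodies to the same path at regular intervals.

```python
"""Heuristic spotting of HTTP-tunnel-like traffic in proxy logs.

Added illustration (not from the original article). The log format,
threshold values and sample lines below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log, one request per line:
#   <epoch> <client> <method> <url-or-host:port> <status> <bytes> <content-type>
SAMPLE_LOG = """\
1078760000 10.0.0.5 GET http://www.example.com/index.html 200 5120 text/html
1078760001 10.0.0.5 GET http://www.example.com/logo.gif 200 2048 image/gif
1078760002 10.0.0.9 CONNECT relay.example.net:23 200 0 -
1078760003 10.0.0.9 CONNECT relay.example.net:23 200 0 -
1078760004 10.0.0.5 CONNECT mail.example.com:443 200 0 -
1078760010 10.0.0.7 POST http://cdn.example.org/upload 200 1500 application/octet-stream
1078760012 10.0.0.7 POST http://cdn.example.org/upload 200 1500 application/octet-stream
1078760014 10.0.0.7 POST http://cdn.example.org/upload 200 1500 application/octet-stream
1078760016 10.0.0.7 POST http://cdn.example.org/upload 200 1500 application/octet-stream
1078760018 10.0.0.7 POST http://cdn.example.org/upload 200 1500 application/octet-stream
1078760020 10.0.0.7 POST http://cdn.example.org/upload 200 1500 application/octet-stream
1078760030 10.0.0.5 POST http://www.example.com/login 302 300 application/x-www-form-urlencoded
"""

# Content types that carry opaque bodies; "-" means the proxy logged none.
BINARY_TYPES = {"-", "application/octet-stream", "application/x-binary"}


@dataclass(frozen=True)
class Record:
    ts: int
    client: str
    method: str
    target: str  # full URL for normal requests, host:port for CONNECT
    status: int
    nbytes: int
    ctype: str


def parse_line(line: str) -> Record:
    """Parse one constructed-format log line into a Record."""
    ts, client, method, target, status, nbytes, ctype = line.split(maxsplit=6)
    return Record(int(ts), client, method.upper(), target, int(status), int(nbytes), ctype)


def target_host(rec: Record) -> str:
    """Host (with port, if present) the request was aimed at."""
    return rec.target if rec.method == "CONNECT" else urlsplit(rec.target).netloc


def connect_port(rec: Record) -> Optional[int]:
    """Port requested by a CONNECT, or None if the target carried no port."""
    _host, sep, port = rec.target.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def detect(log_text: str, min_posts: int = 5, jitter: int = 2,
           allowed_connect_ports: Tuple[int, ...] = (443,)) -> Dict[Tuple[str, str], List[str]]:
    """Return {(client, host): [reasons]} for client/host pairs worth a closer look."""
    findings = defaultdict(set)
    posts: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec.client, target_host(rec))
        if rec.method == "CONNECT":
            # CONNECT is meant for TLS on 443; any other (or missing) port is
            # the proxy being used as a generic TCP relay.
            if connect_port(rec) not in allowed_connect_ports:
                findings[key].add("connect_nonstandard_port")
        elif rec.method == "POST" and rec.ctype in BINARY_TYPES:
            posts[key].append((rec.ts, urlsplit(rec.target).path))

    for key, items in posts.items():
        if len(items) < min_posts:
            continue
        # Same path, over and over, with opaque bodies: looks like a tunnel endpoint.
        if len({path for _, path in items}) == 1:
            findings[key].add("repetitive_binary_posts")
        # Near-constant spacing between requests suggests a polling loop, not a person.
        times = sorted(ts for ts, _ in items)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and max(gaps) - min(gaps) <= jitter:
            findings[key].add("regular_interval")

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (client, host), reasons in detect(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

Both heuristics are deliberately coarse: a legitimate backup agent can also POST fixed-size blobs on a timer, so the output is a triage list, not a verdict. The useful design point is that neither check needs packet inspection; each works on fields any proxy already logs, which is exactly the outbound visibility the article says most networks lack.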

http://www.securityfocus.com/infocus/1793