Slashdot Mirror

No, if it were any competent personal firewalling system, the user would be alerted and be given the option to accept or deny traffic from that application.

Of course, you wouldn't know anything about this, would you?

Using ZoneAlarm just deny wmp any access to the net, and add the content server to the Local Zone. Bit of an arse, but you may be glad...

Perhaps a firewall?

Interesting -- I wonder if they wrote their own policy server, or are OEM'ing someone else's stuff? There are several vendors who have products in this space: Zone Labs Integrity, Sygate Secure Enterprise, Symantec Enterprise Security Manager, F-Secure Policy Manager, and probably some others I've forgotten.

The tricky thing is writing a server that integrates well with existing back-end security and authentication infrastructure: having a bunch of standalone systems really sucks from a management point of view. Depending on how the client/agent/firewall (in software or firmware, as on a NIC) is structured, it may be possible to mix and match vendors in the future. (For example, another vendor's server monitoring these 3com NICs.)

The protocols themselves don't really need to be proprietary to the point of precluding interoperability: most are based on good solid Internet/IETF standards like IPSec, SSL, TCP, XML, etc. (Full disclosure: I was the system architect for Zone Labs Integrity.) If the protocols could be standardized, I could easily see ZLI serving policy to the various firewall-enabled gadgets out there, as the server is easily extensible.

I guess I just want to see things interoperate, but that's probably just because I'm an old Unix hacker....

Interesting -- I wonder if they wrote their own policy server, or are OEM'ing someone else's stuff? There are several vendors who have products in this space: Zone Labs Integrity, Sygate Secure Enterprise, Symantec Enterprise Security Manager, F-Secure Policy Manager, and probably some others I've forgotten.

The tricky thing is writing a server that integrates well with existing back-end security and authentication infrastructure: having a bunch of standalone systems really sucks from a management point of view. Depending on how the client/agent/firewall (in software or firmware, as on a NIC) is structured, it may be possible to mix and match vendors in the future. (For example, another vendor's server monitoring these 3com NICs.)

The protocols themselves don't really need to be proprietary to the point of precluding interoperability: most are based on good solid Internet/IETF standards like IPSec, SSL, TCP, XML, etc. (Full disclosure: I was the system architect for Zone Labs Integrity.) If the protocols could be standardized, I could easily see ZLI serving policy to the various firewall-enabled gadgets out there, as the server is easily extensible.

I guess I just want to see things interoperate, but that's probably just because I'm an old Unix hacker....

The solution is here now for windows users. You can get a firewall that runs on your machine, and allows you to specify exactly what programs are allowed to connect to the internet and how. No more html e-mails and web bugs. No more spyware issues, and best of all, you are protected from hackers out on the internet scanning for insecure machines. And best of all, it's FREE!

Get ZoneAlarm from Zone Labs. Simply restrict outlook to be only able to connect to your mail ports. Then all that html spam is blocked automatically at your firewall. In fact, it's sorta fun to watch what evil things are trying to escape get shot down by your firewall :)

Oh, and you don't have to be a system administrator to use it. It's easier than entering your personal info in outlook.
---

Two Words: Ad-aware and Zone Alarm. Ok, i guess that's three words.

Ad-aware is a free program that searches and destroys crapware. It's automatic and seems to do a great job.

If it misses something, Zonealarm will let me know before the crapware calls home.

I once installed Kazaa. It installed and worked fine... And then, about three days later some Gator agent tried to access the 'net to download and install Gator. It even waited a few days so I'd be less likely to suspect Kazaa as the culprit!

You might have tried something like this already, but if not download or buy a package that monitors programs that try to access anything through TCP/IP and warns you when a program is trying to do something you haven't authorized over the network.

Zone Alarm from Zone Labs is another free firewall that performs this job splendidly for my Win2K set up.

If you are going to use Windows software from untrusted (i.e. most everyone, especially M$) sources you must take steps to protect yourself. First, trust your gut. Does the developer "smell funny"? Is the software from a startup company with no visible means of revenue? I tend to trust programs created by individuals or small teams that demonstrate some passion for what they do (EAC, or LAME for example)

Then, get Technological on their ass. Start with a personal firewall that monitors all outgoing traffic. Zone Alarm is the one I trust - gut feelings, and I've read some negative things about Black ICE. Amaze and astound your friends as you block requests from RealPlayer, Windows Update, and other "legitimate" programs that like to access the net without asking permission.

Then get Ad Aware and get that sinking feeling as you see the total number of unauthorized programs, components, and services on your system.

Finally, install Proxomitron to make make your browser behave a bit more politely by re-writing the html it sees before it sees it (and find yet another reason to love Shonen Knife. They're way kawaii!)

Forewarned and fore-armed (hairy ones, even), you stand a much better chance of maintaining control of your system.

I work with a virus removal group on the undernet that works from the channel #dmsetup. We often locate new stuff all the time. Below Im pasting all my links I usually give out to users. Included are keepers of the gates of hell (stuff you use before you get infected.) and some stuff that gets out out of hell (what you use after your girlfriend opened that attachment)

Cleaners and virus scanner suites

Housecall online antivirus scanner
PC-Cillin virus scanner suite
Central command Virus Scanner Suite
Puppet's Cleaner
Puppet's Cleaner Alternate Site
Mcafee virus removal suite
Norton Antivirus, virus removal suite
Frisk software's f-prot antivirus suite for windows dos and linux

Firewall software

Zone Alarm Firewall
Conseal Firewall

Various tools used to get out of hell or figure out what hell you are in.

Boot disk images
Dmsetup.org
Common port usage/abuses

I'm actually appalled at the number of applications that "phone home" while you're on the internet - sending back to the companies that created them information about themselves and the computer they are running on. Were it not for Zone Alarm, they would be doing this in secret without me ever knowing it.

At any rate, at least MS says that they do this. There are a lot of others. Even if you are using an Linux or BSD firewall, as I do, those probably are set up to allow you do send any sort of communication out without checking. Something like Zone Alarm will tell you what applications are trying to access the internet by themselves. Its been highly enlightening ever since I started using it.

In the case of something that runs over port 80 like IE, I'm not sure how you could use the internet while preventing it from sending back info to its parent company. I guess you would have to use something that promises not to have spyware built into it.

Recent Microsoft OS sending random packets after 10 minutes' inactivity? Worrying...

I assume you're not running Seti@home or anything? Or spyware (software which spies on you/your Internet connection; basically any free Windows download manager or accelerator, and anything with built-in ads)?

Try downloading ZoneAlarm (http://www.zonelabs.com) and setting it to be as paranoid as possible. It tells you when stuff tries to access your LAN or the Internet (including which program it was, although some spyware uses Internet Explorer embedding to disguise its Internet use as coming from IE)

If that fails, you could install a packet filter on your Mac (I assume OS X must have some equivalent of Linux's ipchains and iptables?) and see where the packets are going...

No more anonymous IPs or email addresses. It sounds like just another personal firewall - I'm happy with ZoneAlarm and probably won't switch. Too bad.

One problem: That's a gateway and not a firewall. It would still allow malicious packets in and out of your network and be vulnerable to other type of attacks. Perhaps if you added ZoneAlarm or something to it, it would provide better security.

10. Can I run ZoneAlarm and ZoneAlarm Pro on Windows XP?

Beta versions are unsupported. ZoneAlarm and ZoneAlarm Pro will be compatible with the final released version of Windows XP.

2.6.214 or later should work with XP. The current version on their web site is 2.6.231. Check the download page.

Zone Alarm has ALREADY been updated to be XP compatible

It has? Where can I find the update? I could not find any mention of it on their web site.

"We've been working closely with Microsoft - BlackIce is widely used inside Microsoft - in order to make sure it works well," Rob Graham, founder of NetworkIce told us.

According to Steve Gibson, Black Ice is fairly ineffective (Scroll down to "Personal Firewalls and IRC Zombie/Bot Intrusions
") against actually protecting the system. Now I personally don't want to have Black Ice built into my operating system. I'd like the ability to use Zone Alarm at the very least. I prefer to use Tiny Personal Firewall, because it allows me to allow/deny connections on different protocols and ports as well as do MD5 checksums of programs.

Who knows, MS might make Black Ice in WinXP decent, but I at least what the freedom to choose my own security setup.

Actually ZoneAlarm is an ok piece of software however Tiny Software's Tiny Personal Firewall is a much much better piece of software. The firewall in addition to allowing applications access to the net allow you to setup specific permit and deny rules based on localport, remote port, local address, remote address, application, protocol, and much more. I look at it as a much improved version consisting of a hypothetical merge of ZoneAlarm with Conseal PC firewall and like products. In addition Tiny Software's product is in use by the US Airforce on 500,000 desktop machines. Oh ya it's also free for personal use.

FEATURES AT A GLANCE

Multi-layer security protection (NDIS & TDI) Since the DSE resides on each computer in the network, it communicates directly with the operating system and negotiates what applications are even allowed to transmit and/or receive data.

MD5 Signature Support As the DSE mandates what applications can bind for communication, it can also check for an MD5 digital signature for permitted applications. This ensures that Trojan horse applications cannot gain access by using the name of a permitted application.

Stateful filtering based on SRC/DST IP address, port & application The DSE maintains a record of all sent packets and can therefore compare incoming packets to the record table to determine if they were requested. Additionally, the DSE can restrict applications to certain ports or destination IP addresses.

Remote access to logs and statistics The DSE contains a separate statistic view that displays all active sessions and includes the status, port, remote IP, application or service and the time associated with each session. Logs may be viewed from the statistics view or sent directly to a syslog server for analysis and reporting.

Suspicious activity monitoring and Intrusion detection The Tiny DSE contains a highly configurable reporting mechanism that can report specific intrusion attempts, or any other type of communication deemed suspicious, to a syslog server or to the CMDS server through an SSL connection.

Actually ZoneAlarm is an ok piece of software however Tiny Software's Tiny Personal Firewall is a much much better piece of software. The firewall in addition to allowing applications access to the net allow you to setup specific permit and deny rules based on localport, remote port, local address, remote address, application, protocol, and much more. I look at it as a much improved version consisting of a hypothetical merge of ZoneAlarm with Conseal PC firewall and like products. In addition Tiny Software's product is in use by the US Airforce on 500,000 desktop machines. Oh ya it's also free for personal use.

FEATURES AT A GLANCE

Multi-layer security protection (NDIS & TDI) Since the DSE resides on each computer in the network, it communicates directly with the operating system and negotiates what applications are even allowed to transmit and/or receive data.

MD5 Signature Support As the DSE mandates what applications can bind for communication, it can also check for an MD5 digital signature for permitted applications. This ensures that Trojan horse applications cannot gain access by using the name of a permitted application.

Stateful filtering based on SRC/DST IP address, port & application The DSE maintains a record of all sent packets and can therefore compare incoming packets to the record table to determine if they were requested. Additionally, the DSE can restrict applications to certain ports or destination IP addresses.

Remote access to logs and statistics The DSE contains a separate statistic view that displays all active sessions and includes the status, port, remote IP, application or service and the time associated with each session. Logs may be viewed from the statistics view or sent directly to a syslog server for analysis and reporting.

Suspicious activity monitoring and Intrusion detection The Tiny DSE contains a highly configurable reporting mechanism that can report specific intrusion attempts, or any other type of communication deemed suspicious, to a syslog server or to the CMDS server through an SSL connection.

By default, under this scenario, your PC becomes a TCP/IP read-only device. By running applications like Gibson's Zone Alarm you can -- right now -- severely limit the use of TCP/IP by applications on your PC

I didn't know Steve Gibson wrote Zone Alarm. When did this happen? What happened to Zone Labs?!

By default, under this scenario, your PC becomes a TCP/IP read-only device. By running applications like Gibson's Zone Alarm you can -- right now -- severely limit the use of TCP/IP by applications on your PC

I didn't know Steve Gibson wrote Zone Alarm. When did this happen? What happened to Zone Labs?!

The biggest security problems are the "install everything" idea and the "default password idea". If, for example, my desktop machine was cracked and all my mp3s erased because I was running bind (no, i'm not), I would feel pretty stupid. We need the users to take the time to read the documentation (which has to be there) to be able to only install what they need.

Also, default passwords on anything that can be a gateway to system access - such as the default password on certain Red Hat servers that cause a problem a while ago - have to go. Even Mandrake Linux, which is made for new users, asks for passwords instead of saying "you root password is wordpass. If you ever find the time, you just might want to think about changing it, but it's ok if you don't".

Another thing computers need in their default install is more security. Why don't consumer operating systems come with firewall installed by default? Zone Alarm is an excellent firewall that I used on Windows that stealths the system (in fact, unless you specifically allow a program to act as a server, it will not even respond to incoming packets attempting to open a connection). It also asks you for permission to allow each application to access the internet, and uses checksums to make sure it's still the same program. The users also need to know more - yesterday my dad got asked to allow "scam32.exe" to access the Internet, and said yes. Although frequent updates (for those who can do it) would allow the program to detect known viruses and slow the infection rate, it's very hard to set up an automatic security system (of course, there is always the option of default-denying based on a list of known safe applications, but that would have to be a well-maintained and large list to satisfy all the users).
---
btw, sorry for the bad paragraph spacing. Slash doesn't seem to understand that I want two line-breaks!
---

2a) That's what a good firewall--like the free-as-in-beer Zone Alarm--is for. When it asks to connect to the Internet, you tell it "No way, Jose!" and "Remember this answer".

2b) You can uninstall the spyware afterward without affecting the performance of the Satellite at all.

--

ZoneAlarm from Zonelabs is a great FREE (as in beer) firewall. Steve Gibson has some good things to say about it after thorough testing.

Couldn't MS write a firewall for XP? or perhaps shops selling it could reccomend a visit to zonelabs site everytime someone buys it.

Making matters worse, these email bugs have moved beyond the domain of "get-rich quick" and porn spam. Even companies you might consider legitimate have been doing this. One would think financial institutions would be particularly concerned about privacy, but I have found email bugs lurking in mail from both E*Trade and American Express.

While these bugs aren't very effective against those of us who use pine, mutt, etc., they set a dangerous precedent. If users tolerate applications retrieving untrusted data from the net without notification or permission, we could see even worse abuses like this in the future.

Unfortunately pressuring application vendors to respect our privacy is not always fruitful. And with closed-souce applications, you often have no idea what they are up to. I was glad to see that some of the Windows "personal firewall" programs such as ZoneAlarm offer features that alert users to unexpected outgoing connections made by applications. Users can define notification policies based on their own privacy concerns. I haven't run across similar software for Linux, although it wouldn't be hard to write. And it isn't quite as important on Linux since fewer users download/buy untrusted binary-only programs.

Cheers,
Fyodor

Concerned about your network security? Try the Free Nmap Security Scanner.

Don't forget another really common problem. Trojans. Since the majority of people using Yahoo! email would be using windows 95/98/ME they would be succeptible to those stupid email attachments and such. I would imagine that the majority of these people are not even doing something as simple as running ZoneAlarm and do not have an Antivirus program so their machines are wide open. I would think that the client is the least secure part of the puzzle. Hushmail definitely works much better, providing the people sending and receiving the messages have not had their computers compromised.

Also, to answer your questions, they technically do use SSL according to the article:

Yahoo's new system works like this: Once a message is composed, it travels, unencrypted, to Yahoo, which sends it through a secure connection to SecureDelivery.com. There, the message and any attachments are scrambled. SecureDelivery then sends the recipient the address to a Web page, secured by Secure Sockets Layer ( SSL) and hosted by SecureDelivery.com, where the message can be picked up and descrambled for up to seven days.

So they use SSL in a somewhat half-assed way.

Y'know, this kind of crap doesn't help the Geek Community At Large overcome the image of being a bunch of fanatical morons

Hemos took a lot of liberty with my submission including changing the title as well as cutting of some technical analysis at the end of my submission.

Basically the gist of my submission was that Microsoft is taking a heavyhanded and incorrect approach to attempting to solve the problems with Outlook viruses and the like. Specifically, instead of coming up with some Draconian all-or-nothing security policy why not introduce more granular access levels to Whistler?

For example, I currently run ZoneAlarm and it prompts whenever a program I haven't given permission tries to access the Internet (in fact I found a Trojan this way). ZoneAlarm has three permission settings Always Deny, Always Allow, and Always Ask. I wouldn't mind seeing such functionality moved to the OS and made even more granular so that programs have very explicit permissions as to what they can do (similar to java.policy files). Outlook should not be able to tweak the registry nor delete files (via the ILOVEYOU virus) regardless of whether it is signed by Microsoft or not.

Basically I am proposing something similar to Access Control Lists for executables on the OS, after all, there already is a central repository of information (the registry) so adding that data shouldn't be too hard.

Second Law of Blissful Ignorance

Can the originator of this Ask Slashdot confirm/deny JArneaud's/MS KB's theory that this behavior should cease with a client with a working remote dns entry?

Jeeze... Why not just tell him to get Zone Alarm. It''s free, reliable, easy to configure and use...

I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.

For those that believe *nix is somehow more inherrently secure than Windows here are a few sources that may refute that claim The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm is most of the securing that a typical Windows box needs. On the other hand due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites has been rising at a steady rate and now there are more defacements of Linux sites than NT sites. CERT regularly has more Linux and Unix security advisories than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's seearch engine come up with 84 downloadable exploits for Linux versus 39 for Windows.

The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.



Second Law of Blissful Ignorance

Jay

Or if you must use Windows with file sharing you can always use Zone Alarm...free for personal use.

It won't catch everything (calls through the IE interface, whatever it's called ?!), but it stops most things - no, my DVD player is not allowed to talk over the net to those 'PC friendly' people.

This is total bullshit on so many levels. But one stands out for sure. With DHCP, the users aren't guaranteed they'll get the same address when their lease expires, but they usually do get the same address. A friend of mine has a cable modem through @home and he's had the same IP for the last 3 months. Their lease time is set for 2 weeks too.

Cable modem providers need to hand out a "tell it like it is" pamphlet, and start pushing personal firewall software. There are way too many clueless users out there, and a pamphlet designed to scare the living daylights out of them is just what they need. I suggest ZoneAlarm. It's free and is way better than just about all other personal firewall products, even the ones you have to pay for.

As for other operating systems, there is probably a way to configure a standard firewall to let data exit the system only on a need-to-go basis, minimizing the chance of access through a back door.

Of course, this may not ensure rock-solid security, and if there are backdoors in firewalls themselves, then this is not a Good Thing (tm), but I guess it's at least one way of countering the problem.
--

Here ya go
The best thing is it's free. as in freeware. I have herd good things about it, but wonder how good it is. We are running it now on 5 or so boxes, and routinely get 30-40 hits a night. wonder if it's missing anything.

I don't know what all IE might be transferring someplace on the 'net. Something strange happened to it on my system, though. After installing ZoneAlarm (ZoneLabs) on my system, I set IE to have local access but not Internet access. Since that time, it won't load the startup page, which is on a web server on a system about ten feet away. If I switch it to have Internet access, it will load fine. Netscape works fine no matter which way I have it set.

One solution might be to have a kind of application firewall inside the OS, which lets you determine which apps should be allowed socket communications

I use a firewall, wich, by pure coincidencre, registered today. It's Zone Alarm Pro and they have a [less featured, but functional] free for personal use. It's a very good one, IMO, as it detects when a program opens the winsock, and asks you if you should let that program access the net. It can remember your choice. I recommend it.

So I got curious to see how it'd react to this. Downloaded the demo document from the article and, after opening the document, it told me Word was trying to access it.

I simply didn't allow word to access the net (word was trying to contact 127.0.0.1, probably to IE).

As I didn't grant access to word, it logged:
ACCESS,2000/08/30,16:50:12 -3:00 GMT,WINWORD.EXE was temporarily not allowed to connect to the Internet (127.0.0.1).,N/A,N/A
and the bug didn't work.

A friend of mine uses the Windows programs Blackice and ZoneAlarm but I'm curious as what (preferably free) programs one can use to detect port scans and intruders under Linux and BSD?

I have heard of Tripwire. Does any one have any experience running that one?

I'd like to see a browser for Win9x that would actually *tell* me what info it was sending out. I already run Zone Alarm to tell me when programs such as RealPlayer are trying to connect to the 'net without my asking, but I.E. and Netscape still love to announce my operating system, etc., to every webpage I visit. Not to be too paranoid, but I like to know when such info is being sent, you know? I mean, why is it necessary to give more info than necessary out? IP I get, but... oh well.

Oh, and I can't deny that I'd like it even better I could configure the info it sent, so the next one of those pages that repeats your info back to you would say something like:

Operating System: MS-DOS version 0.01a
Browser: Screwyou v. 1.1.5
... if only for the fun of wondering if anyone bothers to log these things.

For anyone who hasn't seen it mentioned before, ZoneAlarm by ZoneLabs is a fairly decent (for Windows) program... It lets you allow/disallow network/Internet connectivity on a per-program basis... the first time an application attempts to use the Internet connection, ZoneAlarm prompts you and asks if you want to allow the access. I used it for a short while and it got to be annoying with all the 'net programs I was installing... but for normal home use it works wonderfully. And since it's free for non-commercial use... you'd have to be nuts to not use it if you needed an outbound firewall...

This is also another good reason to use a program such as ZoneAlarm (free) or other similar individual firewalls and proxies. Just because you're stuck on Windows doesn't mean you should forfeit all of your privacy.
---
icq:2057699
seumas.com

For those of you running Windows9x, you'll find that ZoneAlarm is a good firewall. Access Zone Labs here.

Also protects against .vbs worms, it claims. That, I'm not so sure about. But it does appear to be effective against a number of attacks, holes, etcetera.

Absolutely essential for anyone with a 24/7 connect.

--

You should recommend to anyone (particularly not geeks) you hear is getting a DSL/Cable or any "always on" connection to go to www.zonelabs.com and get ZoneAlarm. It's free (beer) and it's really easy to use and it will alert you anytime any program tries to get out to the internet (in very easy to understand terms: "Program XXX is trying to contact the internet, do you want to let it?" -- along with a check box not to be bugged by that program again. Plus it does the blocking job of incoming probes too. Not and industrial strength firewall, but fine for home use. Plus, the new version has a nice "mailsafe" feature for vbscript trojans.
---

Howdy,

I just installed RA last night on win2k, funny coincidence. ZoneAlarm from ZoneLabs started warning me as soon as I restarted that something was up. First, Real Jukebox wanted to access the internet. Now way, Sorry. Then something called main_program (I think, this is from memory) tried to access the internet. Again, no way.

At this point I started to uninstall all the crap that I didn't ask for. When I got to the Zip download thing, after I hit the uninstall program they provided, main_program wanted to access the internet again. jeez, these people are desperate for stats I guess.

So not only does is keep track of download stats, it also wants to know when you install and un-install the app.

--mark

Results: I was getting probed at an average of once every 20 minutes from a variety of locations. Urk! (Please note, my ip starts with a 24, which tends to indicate an @home or roadrunner cable modem service)

Side note: If you want to test your machine, go to Steve Gibson's SheildsUP!. It's a bit slow at the moment (and posting this ain't gonna make it faster). Personally I wish I had known about this site before this insanity started.

-----

Has anyone used this? (It's a Widows Only deal)
Does anyone know of a better freeware solution? (Question open to ALL operating systems)
Thank You.

-----