
2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro to EmilioG


The Word From Diamond Computer Systems

As mentioned earlier, ausnetwanderer and EmilioG managed to track down the correct Diamond Computer Systems (DCS) people. I sent them an email and have received their response. Those are published (with minor editing of non-essential comments and personal names) below.

Before you read them, let me make a couple of points:
1) Yes, they did indeed discover a weakness.
2) This was only discovered 10 weeks ago, by them, not by Gibson.
3) They are trying to give ZoneLabs enough time to fix the problem (if it can be fixed) before making the facts known to the world.
4) The problem seems to be one that would allow a program (trojan/worm) on your system to slip out through the firewall, rather than letting something into your system from some outside attack.
5) If #4 is true, then quite simply, strong anti-virus protection methods might very well be that added level of security you need - if it is of this nature, then ZoneAlarm would not have 'failed' to protect you from an attack, but it would be made less effective because of a virus active on your computer. And how do we end up with a virus active on our computers, class? Yes - 90% or more of the time we invite them in!!

Ok, with all of that behind us, here are copies of the emails exchanged. BTW: Let's NOT cover DCS up with emails asking 'how, how, how' - it doesn't sound like they're going to tell until they are ready, and perhaps agreements they have in place with ZoneLabs won't even let them.

-------
Initial E-Mail to DCS
---------

Gentlemen,
I have seen the name Diamond Computer Systems associated with the engineering of a method of penetrating the ZoneAlarm software firewall produced by Zone Labs. I understand the method is also exploitable against all or most other software firewalls. This statement was attributed to Mr. Steve Gibson of the Gibson Research Center.

Can you confirm or deny that you are the organization referenced? If you are the source of this method of penetration, can you provide ANY information about its operation or what users can do to protect themselves from the weakness?

... I am a moderator at the DSLReports broadband support site (www.dslreports.com). ZoneAlarm is used by a very large number of individuals who frequent that web site and they are extremely interested in this development.

Thank you in advance for any assistance and information you can provide regarding this matter.

--------
Their Response (edited)
--------


Thanks for your email.

Yes, we can confirm that during standard anti-trojan testing on a machine that had ZoneAlarm on it, we have inadvertently discovered a couple of vulnerabilities - not something we were looking for, but the vulnerabilities seemed to find us. We have been in contact with Zone Labs for over 10 weeks regarding these matters, and the only person outside of DiamondCS that is aware of these problems is Steve Gibson of GRC. Can I ask how you found out about these vulnerabilities?

The public will be informed shortly as to the nature of these vulnerabilities, and hopefully ZoneLabs will have a fix out by then. (We've given them over 10 weeks...)

Best regards,

--------
My Reply (edited)
--------

The information was provided by Steve Gibson to a regular visitor/member of DSLReports Security issues forum. You may visit (and are INVITED) the site at http://www.dslreports.com the specific discussion thread for this matter is at http://www.dslreports.com/forum/remark,288028;root=security,1;mode=flat

I do appreciate your quick response, and any further information that you can provide that would not put you in jeopardy of any agreements you have in place with either Steve Gibson or Zone Labs would be very much appreciated.

Thank You Again,

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay

MVM

I guess you kind of blew the lid off their cover by your question. Hope something is being done and that in this 10 week period that they have had, they have been able to figure out a patch of some sort. All I can say is wow. How did they think they were still negotiating in secret? This world is too small what with the internet and lots of savvy users who won't just sit back and ask no questions. Well done with your letter to them, and the same with the post of their response. Thanks.
--
JKK

Age is a very high price to pay for my maturity, so
if I can't stay young, I can at least stay immature!

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

I think Mr. Gibson may have a little explaining to do - did you notice the question "where did you get this from" or words to that effect!
GaryK
Premium Member
join:2000-08-29
Miami, FL

GaryK

Premium Member

That jumped right out at me, 2k. Methinks Steve will have some explaining to do.

BTW, your diplomatic skills are considerable. You really know how to word an email in such a way that you cannot be ignored or fed BS. One of those thumbs-up votes is from me.

Thanks!
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
Trail Blazer was formerly known as tblazer

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

Wildcatboy to 2kmaro

Mod

Good job 2kmaro. It confirmed what I've been suspecting for a while. Software firewalls have a few major vulnerabilities, one being the reboot issue we discussed and the other being the effect that a virus or a Trojan can have on a firewall when it is already on the computer. For example a Trojan can shut down your firewall before getting out. This can be fixed to a certain degree by renaming your firewall file name, unless the Trojan is smart enough to look for files with a certain size.

The other thing that made me feel a bit better about Gibson was the fact that he's known this only for about 10 weeks and if he gave Symantec about a year it would just be fair to give ZA a few weeks before the announcement. By the way I have a feeling that Gibson was looking for an excuse to get the word out, otherwise he wouldn't respond to Emilio the way he did. I guess he is getting tired of keeping the secret and looking bad as a result.

Well, thanks to you 2k, now I know this is almost a non-issue, since it is more about what a Trojan can do than it is about how safe ZA is. As you put it once 2kmaro, I can go back to sleep now.
--
You can catch the Devil, but you can't hold him long.
GaryK
Premium Member
join:2000-08-29
Miami, FL

GaryK

Premium Member

said by Wildcatboy:
For example a Trojan can shut down your firewall before getting out.
My programming skills are perhaps a little rusty. But doesn't the Windows API offer a way for a running application to see if the request to terminate it was generated by the application itself and ignore it if it wasn't? If so, then that's the patch ZA and others are probably working on.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
Trail Blazer was formerly known as tblazer

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

Basically you're thinking of the equivalent of the "On Close" event for a process. However, you can basically override that with the proper series of API calls from the other program (says basically, "I don't care what you are doing or how badly you want to live, die dammit, die!"). I'd have to dig way deep to see if that can be overridden (never had to before - if it needed killing that bad, I always let the thread die).

Having answered that to a small degree, now I get to put up another huge page plus post. More stuff from DiamondCS.
2kmaro

2kmaro

Here we go - picks up where the last monster left off:

Alright - another long one with edited copies of emails received from DiamondCS. Here is the short of it all:

* Full disclosure is coming soon, one way or the other!
* Although the initial alert was made by DiamondCS to ZoneLabs 10 weeks ago, Steve Gibson and the President of ZoneLabs didn't get involved with it until about a week or 10 days ago.
* The vulnerabilities appear to be similar to what Gibson achieved with LeakTest against the other software firewalls. Same general idea - get through it from the inside out!
* There are no formal, legally binding agreements between ZoneLabs, DiamondCS and/or Steve Gibson - this is all being handled by "gentleman's agreements".

Where I've edited below, it is indicated with italic text; if I add any side comments, they will be underscored; and where I think a point needs to be emphasized, I've added bold text. Any editing I've done has not changed the meaning, but has been done to keep names and similar information private where they are not already known (as with Steve Gibson).

From DiamondCS
Thanks *,
I just had a quick read through that thread on your forum, very interesting. It is clear that there is a bit of confusion, which is fair enough when nobody other than myself and name deleted / DiamondCS, Steve Gibson / GRC, and Zone Labs knows about it. I'm happy to answer any questions you have, but I can't go into the actual exploit details just yet, out of courtesy to Zone Labs. We follow CERT vulnerability disclosure-policy, although we often allow more than 45 days for fixes (hey, we know how busy they are . We have not made anything public yet, for the sake and benefit of the public - Zone Labs haven't fixed the problem yet, so do you want the exploit released before the fix, whereby trojans will start exploiting these techniques? It is now ten weeks since Zone Labs were notified of the first of two vulnerabilities, and pending one final email from them, that vulnerability will be disclosed immediately to the public, with a harmless demonstration executable. It is unfortunate that Zone Labs have not attempted to engineer a fix yet, as we have offered them solutions only to have them turned down for a matter of 'convenience over security', but that is their choice and now that they have had fair time and a fair chance to fix the problem, it's over to the public to let them decide.

The second exploit made itself apparent to name deleted / DiamondCS just a few days ago, and both Zone Labs and Steve Gibson have been made aware of this. This one was very simple, and it found name deleted - name deleted didn't find it. Within a matter of minutes we then had a batch file capable of bringing down both ZoneAlarm and ZoneAlarm Pro. We've been in close liaison with Steve over the last week or so regarding the situation and he has been very helpful to both Zone Labs and us at DiamondCS, so hopefully Zone Labs will get their act into gear and attempt to engineer a fix - but so far, nothing.

For the record, we are a young company established in 1986 originally building hardware systems, but since 1997 have been developing anti-trojan, pro-security software - all of it free, except for just two programs. We are based in Perth, Western Australia, and our homepage is
http://www.diamondcs.com.au
We don't make firewall software and we are in no way in competition with Zone Labs. We don't go looking for vulnerabilities, but during anti-trojan testing we often come across vulnerabilities in other software, as was the case with both of the two ZoneAlarm/ZA Pro vulnerabilities. But when we discover vulnerabilities, it is our responsibility to report them to the vendor to have them fixed. Some vulnerability-hunters disclose such things to the public within a week of the discovery, but they seem to be the ones who have no genuine interest in securing Windows, just an interest in making a name for themselves. We don't hunt vulnerabilities, and we make our name through our software, not vulnerability disclosure, but these are vulnerabilities that the public must be made aware of, and we will certainly do that over the coming weeks. I hope that explains the situation a bit more.

Best regards,
DiamondCS

One more point for the record ...
There are absolutely no contracts, written agreements or signed documents of ANY kind between Zone Labs and DiamondCS, or DiamondCS and Steve Gibson / GRC. Steve Gibson is assisting in 'moderating' the situation and helping both Zone Labs and us - we called him in when Zone Labs responded with an email along the lines of "we won't be fixing it due to a matter of convenience over security". For some strange reason, now that Steve is watching from the side Zone Labs have lifted their heads and are taking notice of the problems.

Best regards,
DiamondCS

The President of ZoneLabs became directly involved (by carbon-copied email) when Steve Gibson came into the picture early last week. So far I have not received any email from him, but I am still in correspondence with another senior ZoneLabs person.

From 2kmaro
Can you answer one question without compromising your position? Is the weakness as I'm guessing on the outbound side (from within a user's computer) or from the outside in as from an attacking system? I'll understand if you cannot provide the answer to this.

From DiamondCS
Both vulnerabilities are local, not remote attacks, and they both demonstrate how a trojan could get out to the Internet by 'circumventing' ZA/ZAPro - similar to what LeakTest is demonstrating, but LeakTest typically gets stopped by ZoneAlarm/ZAPro.

Best regards,

[text was edited by author 2000-12-28 02:08:41]

Ausnetwanderer
join:2000-11-03
Down Under

Ausnetwanderer to 2kmaro

Member

I have just visited Gibson Research and found a reference to the Leaktest release here in the "newsgroup" on Leaktest. Navigating this newsgroup is a bit of a nightmare, but I suggest that there is an enormous amount of info there and it could be checked out by someone with more experience than I with newsgroups. Outlook Express had 600+ listings in groups with over 6000 not downloaded.
There was a program written and documented there called "nozone" which was able to breach ZA. In the interests of security this thread was removed from the newsgroup. Information about its removal is in the ZoneAlarm posts.
Maybe the time has come for ZoneLabs to come out of the closet on this. The cat is already out of the bag.
Enjoy
John

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

Now, one more and I'll step back out of the way again. I've sent an email to support@zonelabs.com and the body of it is repeated here. I urge anyone who feels the same as I do (a little inconvenience is worth the added security) to also send them an email. If you don't think you can come up with good words, or just like mine and want a speedy message, feel free to copy and edit for your own:

-----------
For The Record

I am both a personal and business user of ZoneAlarm. I have three personal systems at my residence protected by ZoneAlarm. I have many systems at my workplace protected by licensed copies of ZoneAlarm.

I have been recently made aware of the fact that there are known security risks associated with ZoneAlarm and ZoneAlarm Pro and that you are aware of these issues. I believe that at this time you have been aware of them for some 10 weeks. I am under the impression that the present corporate position is not to effect 'repairs' to the software based on some type of 'effectiveness versus convenience' argument. I, as a user of several copies of your software, will state that I am willing to suffer some inconvenience to achieve a more secure operating environment both at home and at work.

Without being made aware of the specific type(s) of exploitable weaknesses, I cannot make any other judgment than the one just expressed. However, the small amount of information that I have been able to obtain does indicate that these weaknesses can be exploited during the day-to-day, normal operation of the systems. To knowingly leave a 'hole' in the firewall under those circumstances is not what I'd call being treated properly or fairly by Zone Labs.

These matters are going to be made public soon, and your 'stock' is going in the toilet right along with all the others exposed recently via Steve Gibson's LeakTest. Either you have the toughest software firewall on the block or you don't - and the toughest DOES NOT have any known exploitable weaknesses in it.

Thank you for your time and attention to this matter. Bottom line, short explanation: I HEAR YOU HAVE A PROBLEM, PLEASE FIX IT RIGHT AWAY!!

Thank You
A ZoneAlarm User
GaryK
Premium Member
join:2000-08-29
Miami, FL

GaryK

Premium Member

I for one will send out an email to ZoneLabs first thing in the morning.

Other than an email campaign I wonder if there is anything we can do as a group to try and spur ZoneLabs into action? Maybe I will have thought of something by morning.

Thanks again, 2k.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
Trail Blazer was formerly known as tblazer
donaldk
Premium Member
join:2000-10-19
Halifax, NS

donaldk to 2kmaro

Premium Member

I do not know the exact fundamentals of all the problems discovered with ZoneAlarm (way too much to read), but for the reboot issue and the 10 or so sec window of attack opportunity I may have an idea. I do not know how to program myself (I do not have the time to learn right now), but what if ZoneAlarm were to incorporate a VXD-like structure and start up as soon as TCP/IP is also loaded in the boot process. I am saying something like WPCRSET (by H-Oda), which uses a VXD which runs in real mode and changes the PCI registers on my VIA chipset to tweak it a bit. And it runs on the boot before the GUI shows up, and I know this because if it is improperly setting the registers I get a Windows Protection Error on boot, but after disabling WPCRSET the protection error goes away. So let's say Windows is still loading in real mode, the ZoneAlarm VXD loads and latches on to MSTCP and blocks everything, but when the GUI shows up and Windows switches into protected mode then the user's preferences are loaded along with the rest of ZoneAlarm. Then Windows gets to the desktop and ZoneAlarm should pop its logo in the System Tray to allow the user to control it and also make the warnings show up ICQ-style, where the icon flashes and a small chime is made and the user can double-click to find out the attack/error info. It is a stupid idea I have... maybe you guys could consider it and if it is good forward it to ZoneLabs as I do not have time.

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

donaldk - simple thing to do: cut your message out and paste it into an email - send it to support@zonelabs.com then you've done your job. Best you do it, because if they needed to ask questions, I sure wouldn't be able to answer them for you. If you wanted, you could CC to me (2kmaro@home.com) and I'll forward to a higher contact I have within the ZoneLabs structure.

EmilioG
Whats This?
Premium Member
join:2000-09-19
New York, NY

EmilioG to Ausnetwanderer

Premium Member

Here are two emails I received from Steve Gibson and Zone Labs. Steve has been very forthcoming since I started contacting him, which of course led to my "discovery" of this problem.

Hi (again) Emilio,

>Dear Steve; Thanks for the reply. I appreciate your candor and
>dedication to security on the web.

You are, of course, quite welcome.

>The company that you mention, Diamond computer systems, are they Diamond
>computer systems out of Australia, makers of TDS Trojan scanner and other
>security software? or is it another company? Could you give me their web
>address.

Yes. TDS is the product I mentioned. Rather than giving you their URL, I
would be doing you a MUCH bigger favor by showing you how to find any
company's URL. I use the excellent "GOOGLE" search engine almost without
exception: http://google.com/ Then search for: Trojan Defense Suite

>Question; I know you waited a year and you told Symantec in that same
>time before you wrote about them and other's with the release of Leaktest,
>so why didn't you include any news of possible or real security
>vulnerabilities in Zone Alarm? Did you just discover the problem and are
>giving them (Zone Labs') the same courtesy and are waiting a response the
>way you did with Symantec or is there another reason?

Actually, it was the TDS folks who discovered the problem and are working
with Zone Labs. I have just added a Q&A to the leaktest FAQ page which
addresses your question. Please see that page: http://grc.com/lt/faq.htm

>Can you give me an idea as to what the problem is with Zone Alarm without
>going into specific detail? doesn't the public that puts so much faith
>into Zone Alarm (8 million downloads) deserve to know something?

As you'll see from my answer to the question on that page, this is NOT the
sort of problem/issue that I intend to become involved in ... because it's
just too open-ended.

I have also just started an online discussion of this issue ... in a new
discussion group: 'ten-forward.vulnerability' Please feel free to join in
the discussion.

>I thank you again for your reply and I wish you Happy Holidays and
>wonderful New Year,

And likewise. All the best to you and yours!!

______________________________________________________________________
Steve.

From: "Support"
To: "Emilio Gonzalez"
Subject: Re : Zone Alarm and vulnerabilities (#7225-000006-4109\64109)
Date: Wednesday, December 27, 2000 1:44 PM

Hi Emilio. It appears you are asking for us to comment on a conversation you had with Steve Gibson about a vulnerability or "flaw" that is not explained in your mail.

Can you be as specific as possible as to the alleged vulnerability you are referring.

Thanks,

Zone Labs Support

(#7225-000006-4109\64109)

ORIGINAL MESSAGE:
-----------------

From: "Emilio Gonzalez"
Posted At: 13:03:30.407 12/27/2000
Posted To: Multiple recipients of list info_list
Subject: Zone Alarm and vulnerabilities

I recently wrote to Steve Gibson of GRC.com and he told me about a
vulnerability in all firewalls, including Zone Alarm that was discovered by
Diamond computer systems.
Would some be so kind as to comment on this and reply as soon as possible.
Is there a fix in the works? What type of flaw has been discovered and what
can be done in the meantime? I would appreciate any information on this
matter and I thank you in advance. I am an end user of Zone Alarm 2.1 for
private home use. I am not in the PC industry in any way. I thank you for
your attention to this in advance.
Regards, Emilio

As you can see, Zone Labs was quite surprised or concerned. I'm sure by now they have all the details because this has now broken far and wide. I've been talking about this for a little while now and thanks to Steve Gibson and Diamond CS, the details are slowly coming to light. God knows if Zone Labs would have said or even thought about doing something until someone started complaining. I don't want to speculate too much.

So now I see what I've always believed is true... question everything. We also see that Steve Gibson is not a sell-out but someone who is actually a third party and is trying to do the right thing. So thanks Steve and thanks Diamond CS, which BTW seem to have a very good Trojan scanner and other security programs.

*Be sure to check out the FAQ link above in Steve Gibson's reply.

HERE'S one official response on one of the vulnerability issues in ZA in the GRC discussion forum.

--
Regards, Emilio

Its failings notwithstanding, there is much to be said in favor of journalism
in that by giving us the opinion of the uneducated, it keeps us in touch with
the ignorance of the community.
-- Oscar Wilde


[text was edited by author 2000-12-28 04:08:21]

[text was edited by author 2000-12-28 05:21:56]

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

And everything between Gibson and DiamondCS checks - regarding who discovered the problem, when, and to what degree Gibson is involved in it. Apparently, because of his notoriety, DiamondCS felt they'd get more action out of ZoneLabs than they'd had luck with previous to all of that.

At least you got some kind of answer from ZoneLabs! Nothing but the standard 'we got your email' notice from them to me so far!
GaryK
Premium Member
join:2000-08-29
Miami, FL

GaryK

Premium Member

It sounds like ZA is saying that our vulnerability is actually quite limited but only if we've done our homework in terms of securing our systems. I mean, who here actually has TCP/IP bound to Windows NetBIOS? And if they have file and/or printer sharing enabled they surely have password protected shares, right? Comments please?
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
Trail Blazer was formerly known as tblazer

rtoday
join:2000-11-05
California

rtoday to 2kmaro

Member

Best thread on DSLR at the moment. My up-votes to the excellent info provided. It's good to know that 2k, wildcatboy, emilio, trailblaszer, ausnetwanderer, and the others are on our side. Consider if they weren't ... yikes!

I'll continue reading with much interest. Thanks!

wheelert$93
T L C

join:2000-06-01
Lynden, ON

wheelert$93 to GaryK

said by Trail Blazer:
I mean, who here actually has TCP/IP bound to Windows NetBIOS? And if they have file and/or printer sharing enabled they surely have password protected shares, right? Comments please?
Possible.. Yet, think of all the users that aren't up to speed on networking and have 4 computers hooked into a router. Or worse yet, have 2 NICs in a machine and are using it to network the others through a hub. Do you think the shares are password protected? Maybe. Are they protected with a decent password? Doubtful. And keep in mind, security on Win9X is basically a joke to begin with. Many individuals purchase these routers with no prior experience with network security and what needs to be done to secure a network. I'm sure there are many 'mini' networks out there that are wide open.
--
"Rome did not create a great empire by having meetings. They did it by killing all those who opposed them."

rtoday
join:2000-11-05
California

rtoday

Member

Wheelert - Good point about hidden and strong password protection on shares. Do you or does anyone have a url for a writeup suitable for general reading on so-called "strong" passwords? I had one once, but it seems now defunct. Thanks.

wheelert$93
T L C

join:2000-06-01
Lynden, ON

wheelert$93

Unfortunately, many individuals pick passwords that are easy to remember and are associated in some way to them. Birthdates, SSNs, license plate numbers, names of family members and pets, etc., are all commonly used. These are also easily broken.

Passwords should NEVER be just a word. A mixture of alpha-numeric characters, at LEAST 6 characters in length is best. For example, 18VSO3ZFQ would be an excellent password. It means absolutely nothing and is a random mix of letters and numbers.

A good site regarding security of your systems and networks is The SANS Institute.

--
"Rome did not create a great empire by having meetings. They did it by killing all those who opposed them."

rtoday
join:2000-11-05
California

rtoday

Member

Thank you once again.

paul613
join:2000-04-19
College Park, MD

paul613 to rtoday

Member

It clearly stated that users of PPPoE and DHCP were NOT at risk.
This limits the problem to those with static IP addresses and ALL OF THE OTHER SET OF VARIABLES LISTED.
And those who do have the setup described would be the same type of user who should, and likely would, have a hardware firewall in place.

For a user to have an internal network which required TCPIP to be bound to NetBIOS, and have file and print sharing enabled, they would likely (and should) be using a DSL router. Most DSL/cable routers have built-in hardware firewall protection. This, added to a software firewall application, would eliminate the risk of this particular problem.
So if I understand(many of you will correct me if I am wrong I am sure) it to be at risk your setup would be as follows:

Static IP from provider -- assigned to external DSL/cable modem --- connected to a HUB (not router) as a shared resource --- multiple-PC LAN, each with an IP address (static again) that is public -- WITH TCPIP bound to NETBIOS; with FILE and Print Sharing on, with NO (or weak) security.

WHO has this setup? And if you do you could do several things to protect yourself.
1. Get a router with built in hardware firewall(most of them have this feature)
2. PASSWORD PROTECT ALL SHARED RESOURCES.
3. Unbind TCPIP from netbios
4. Unplug the modem from the hub UNTIL all PCs have booted and have the firewall up and running. (If you have a situation where users may be coming on PCs at different times and you can't unplug the modem from the hub, YOU NEED A ROUTER! SEE number 1.)

So it seems that anyone who is at risk would easily, and without too much effort, be able to eliminate the problem altogether very quickly.

--
Don't take life too seriously, you will never get out alive!
[text was edited by author 2000-12-28 10:13:02]

rtoday
join:2000-11-05
California

rtoday

Member

Nice summary, Paul. Thank you.

coxta
Ultramundane
Premium Member
join:2000-07-15
LALALALALALA

coxta to wheelert$93

Premium Member

A quick addition to your password suggestions: 1. use upper and lower case letters, 2. use diacritical or punctuation marks, 3. change your passwords frequently.

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

Quick comment - I believe it was either B or Wildcatboy that mentioned recently that there are password breakers that can come up with a password for most situations in under an hour. For maximum protection, besides the suggestions that coxta makes, also use the maximum number of characters permitted for the length of the password. Each additional character increases the difficulty of guessing tremendously. Ok - on to next long post: What to expect in the next 24 hours!
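As an added illustration (not code from the thread or from any of its posters), the Python script below puts numbers on the advice in wheelert$93's, coxta's and 2kmaro's posts: it works out which character classes a password draws from, the size of the alphabet a brute-force attacker must therefore search, the resulting keyspace and bits of strength, and the worst-case time to exhaust it at an assumed guess rate. The `COMMON_WORDS` list, the guess rate of one billion per second and the comparison passwords other than wheelert$93's own 18VSO3ZFQ are constructed for this example.

```python
import math
import string

# Character classes in the spirit of the thread's advice: mixing upper and
# lower case, digits and punctuation widens the alphabet a brute-force
# attacker must search. (Constructed for this example.)
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}

# Tiny constructed wordlist standing in for the dictionaries and personal
# details (pets, birthdates, plate numbers) the thread warns about.
COMMON_WORDS = {"password", "fluffy", "letmein", "qwerty", "dragon"}


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet an attacker must search given the classes
    the password draws from; a character outside the four classes (an accented
    letter, say) adds one symbol of its own."""
    size = sum(len(CLASSES[name]) for name in classes_used(password))
    known = set().union(*CLASSES.values())
    size += len({c for c in password if c not in known})
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of that alphabet and length covers."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker trying every candidate at the given rate."""
    return keyspace(password) / guesses_per_second


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise a password. A dictionary word is flagged whatever its keyspace,
    because an attacker runs wordlists long before resorting to brute force."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "hours_to_exhaust": seconds_to_exhaust(password, guesses_per_second) / 3600,
        "dictionary_word": password.lower() in COMMON_WORDS,
    }


if __name__ == "__main__":
    # 18VSO3ZFQ is the password wheelert$93 offered in the thread; the other
    # candidates are constructed for comparison. Adding one character to
    # 18VSO3ZFQ multiplies the keyspace by the alphabet size (36 here).
    for pw in ["fluffy", "18VSO3ZFQ", "18VSO3ZFQ1", "n3w-Hu6?kT$aQ2"]:
        info = assess(pw)
        print(f"{pw:16} len={info['length']:2} alphabet={info['alphabet']:3} "
              f"bits={info['bits']:5} hours={info['hours_to_exhaust']:.3g} "
              f"dictionary={info['dictionary_word']}")
```

The keyspace figure is an upper bound on the attacker's work: it assumes the password is a uniformly random string over its alphabet. A word, a name or a date sits in a far smaller search space, which is why the `dictionary_word` flag overrides an otherwise respectable bit count, and why an all-lowercase six-letter word is exhausted in well under a second at the assumed rate while the same length drawn from all four classes is not.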

id3dwiz
join:2000-10-07
Rego Park, NY

id3dwiz

Member

I'm using windows 2000 pro, with FAT 32.
I've heard that NTFS is much better security wise.
What do you recommend?
GaryK
Premium Member
join:2000-08-29
Miami, FL

GaryK to rtoday

Premium Member


Some strong password links...

Purdue University
Tufts University
US Navy
Microsoft
SANS Institute
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
Trail Blazer was formerly known as tblazer

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

Zone Labs President Responds!

In the following E-Mail, it may help to know that Gregor Freund is the President and Founder of Zone Labs and Conrad Herrmann is the Chief Technology Officer for Zone Labs. Information about them may be found at http://www.zonelabs.com/management.htm
--------------
E-Mail from DiamondCS
Due to recent responses from Zone Labs and then Steve, both vulnerabilities will be fully disclosed to the public in approximately 24 hours from the time of this email - we're just waiting upon confirmation from Zone Labs Gregory Freund & Frederick Felman that their latest email to us from Conrad Hermann is their official stance. All will be revealed tomorrow, but at this stage it appears Zone Labs won't be fixing either of the vulnerabilities - Steve isn't impressed, neither are we.

Best regards,
DiamondCS
end
------------

Ok, with that in front of us, here is the email that I received from Gregor Freund:

-------------
E-Mail from Gregor Freund, President of Zone Labs
Thank you for this and your other message. I appreciate the opportunity to address your concerns and apologize for the delay getting back to you - I just came back from a vacation.

Up front: No security is absolute and one hundred percent. This is true for both cyber security as well as the "real world". You can put seat belts in a car, throw in air bags and crush zones and you will still have accidents that you just can't survive. The same principle is true for house or car alarms. Security measures are always a balance between protection, convenience, cost etc. For example I fly small airplanes that have 6-point seat belts which are much better than anything you would find in a car. The reason you don't find them there is that they are inconvenient to put on and restrict your movement, so most drivers just wouldn't use them and end up being less secure instead of more. Every security vendor is selling tools to reduce your vulnerability, not to completely eliminate it.

Having said this we set our standard for appropriate security very high. None of the "generic" attacks to break through ZoneAlarm have ever succeeded and believe me, people have tried. In order to compromise a protected system you would have to either break through the integrated firewall or the MailSafe feature in order to run a malicious application on a victim's PC. For the sake of argument let's assume that is possible. If that malicious application then tries to communicate over the Internet (for example to steal your confidential data) we can and will stop it.

That leaves the possibility to attack the ZoneAlarm program itself. We have seen some lab attempts to do this but nothing in the "wild". Of course any of our competitors are subject to the same potential vulnerability. With version 2.1.44 we have changed the software so that even most of those attacks will fail. You still can unload the ZoneAlarm program (there is nothing under Windows that can stop this) but the underlying service will continue to enforce your security settings.

We are currently testing a new version that further improves the security margin. That version will be available towards the end of January. The goal is that ZoneAlarm can not be sabotaged provided that you
- Run on a semi-secure version of Windows (NT, 2000 or Whistler)
- Don't run in administrative mode
- Use the password feature
Under Windows 95/98/ME those margins will be a bit narrower. Please understand that we need the appropriate time to test the new code. Rushing out some pseudo-fix without sufficient quality assurance will have the opposite effect - users would run into all kinds of troubles and might eventually uninstall ZoneAlarm - not exactly an improvement of their online security.

You should also note that any of the potential attacks in this context would succeed with conventional firewalls such as CheckPoint or SonicWall. These products don't have any application-level protection at all and for example they all have to allow outgoing traffic on port 80.

We are extremely proud that we help eight million users to significantly improve their online security and have protected hundreds of thousands of them from serious harm. We take the resulting obligation very seriously and will do everything in our power to continuously improve our products in order to justify the trust of our users.

Best Regards,
Gregor Freund
President, Zone Labs, Inc.
end
-----------

With all of that I'm not quite sure of what to say to Zone Labs. We all know that no product is 100% anything. We also should know by now that in the Windows family, the home user software is the least secure.

The potential of a new virus with smarter technology has also been discussed here in the Security forum of DSLR. These risks would appear to apply equally to all software firewalls. Our best defense against this 'attack from within' will be to make sure that our Anti-Virus and anti-trojan efforts are always kept at a high, up-to-date level.

The most disappointing thing to me at this point is that while other software firewall vendors (Symantec most notably) responded to the LeakTest challenge almost immediately (with no fixes released yet that I know of), Zone Labs appears to feel this problem does not warrant their immediate attention.

I'm sorry, but in 20 years of building software to use in things like automated air traffic control systems, weather radar systems and general 'run of the mill' business applications my philosophy has always been that if you have a problem in the basic function of a product you fix it! The basic function of a software firewall is to stop unauthorized passage through that firewall. Am I missing something here?

In defense of Zone Labs, I could say (and should say) that as long as no malicious program gets on your system then there isn't a problem. That pretty much puts them all back in the same arena, perhaps still giving basic ZoneAlarm the edge by virtue of price and ease of use.

Will the revisions to Norton Personal Firewall, Sygate Personal Firewall and others like them be more secure than Zone Alarm - I cannot say. At least they will have made an improvement to themselves. Me - well, I'm headed down to BestBuy very shortly to start learning how to set up a router right!

In parting, I'll post my reply email to DiamondCS for you all to read:
----------
My Response to DiamondCS
Thank you for this update. That is very disappointing. Steve isn't impressed, you aren't impressed and I most certainly am not either. This seems to be a case of 'we have all these millions of users', we've got them hooked, now we get to leave them with an incomplete product. Perhaps Gregor and group have been taking program design lessons from the Microsoft School of Program (non)Design!

From what I have deduced from your comments and discussions with others, it would appear that a strong defense against this weakness will be a high-quality anti-virus application and awareness of good anti-virus procedures. This still leaves the risk of a new virus in place. I will be adding a router to my home system to increase the security level to some degree, and now will also take a look at some of those free tools you mentioned are available from DiamondCS, along with your other products to see which may have value in this area.

And, of course, I will give consideration to going with one of Zone Labs competitors once they have plugged the holes found with Steve's LeakTest. A sad state of affairs for such an otherwise outstanding product to have come to.

I would appreciate notification of where to read the announcement and obtain a copy of the test executable when these are available.

Thank You for all of your kind assistance these last three days.
end
---------

And to end it all - my reply to Mr. Freund

My reply to G.Freund
Thank you for your response. At this point I'm not really sure of what to say about it all. I do know that many people are taking this even more seriously than the results of Steve Gibson's LeakTest. The perception of most is that you have a discovered vulnerability and are not doing anything about it. Somehow you are going to have to overcome that perception.

You mention the 8 million users that have downloaded ZoneAlarm. Well, I feel like I've recommended it to about half of those numbers, and to each that I've recommended it to I feel some responsibility for any weakness it might have. MOST of those 8 million users are not using a secure OS such as NT, 2000 or Whistler. That is reality. Most of them are on various flavors of Windows as 98, 98SE, and ME. There are a great number of these users who are living on fixed incomes or are students and the added burden of coming up with another $100 or $150 to put a router on a single system is an almost unreasonable expectation for those. Those that are educated about security enough to realize the need for it in these categories are depending heavily on their software firewall to provide security.

It would appear that the only patch for this problem at this time for non-secure versions of Windows would be strong anti-virus software, kept up to date and good anti-virus operating habits? Am I correct in this assumption?

Also, you mentioned that even in shutting down ZoneAlarm the service would continue to run -- is that a true statement if the user is operating with Windows 98/98SE/ME? I would presume not, given the way that those operating systems provide the equivalent of Administrator privilege to all users.

The part that makes all of this difficult for me to accept as presented is that I have been a programmer for most of the past 20 years. I have developed software still in use for automated air traffic control systems, weather radar systems, along with numerous business applications. It has always been my philosophy that if there was a fault in a basic function of a program, that fault should be fixed, period. It doesn't appear at this point that Zone Labs operates under that philosophy. I interpret the basic function of a software firewall to be to prevent unauthorized passage of traffic through the firewall. Here we have a known potential for a breach, DiamondCS has indicated that they have provided solutions to Zone Labs, and yet you state that in the 10 weeks since notification Zone Labs has maintained a position of 'no, we aren't changing right now'. That is a tough piece of meat for me to chew right now.

Maybe I'm looking at all of this too hard and maybe from the wrong angle, but this is the way I see it at this point in time. I realize the risk may be very small, but it is a known risk that others have said there is a remedy for. Doesn't prudence dictate applying the remedy?

You may want to take a look at the comments provided on this subject over the past 2 or 3 days at DSLReports Security forum. The site address is http://www.dslreports.com and the discussion thread is at http://www.dslreports.com/forum/remark,288028;root=security,1;mode=flat;start=0

As you may recall, my nickname at the site is 2kmaro.

Thank you for taking the time to once again respond to me personally. Please give continued, strong consideration of addressing this issue with a software change at the earliest possible moment.
end

-------
Kirk Out.

--
The only virus on my computer is Windows.

Wildcatboy
Mod
join:2000-10-30
Toronto, ON

Wildcatboy to 2kmaro

Re: The Word From Diamond Computer Systems

I heard my name. 2kmaro is quite correct; I did say that before. Statistically, 18% of all passwords can be cracked in less than 10 minutes. Alphanumeric passwords such as the one Wheelert mentioned, 18VSO3ZFQ, are generally good. This one can be broken on a 400 MHz machine in about 5.5 hours. Most 14-digit alphanumeric passwords can be cracked in less than 48 hours; in fact 80% of all passwords can be cracked in that time. For the most secure passwords, choose 14-digit passwords with all possible characters such as H3+3d?(]B4`@~| This will take a maximum of 480 hours on a Pentium 300. Change your password every 15 - 20 days.

By the way, id3dwiz (come to think of it, your name can be used as a password too), you are correct: NTFS is better. If you have a system that supports it and are not using it, you are doing yourself a disservice. It's very easy to convert but hard to master the permissions. Make sure you understand how file and user permissions work.

And finally, to go back to the subject, the vulnerability of ZA most probably wouldn't be solved by having a router, because the nature of the problem has less to do with firewalls than it does with Trojans. Remember, if you have a good AV program to keep the Trojan out, you are totally safe from that vulnerability even if you don't have a firewall in place at all. No Trojan, no attempt at getting out of your computer. Cheers.
--
You can catch the Devil, but you can't hold him long.
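As an added check on the kind of password-cracking figures Wildcatboy's post gives (this is example code written for this page, not code from any poster, from DiamondCS or from Zone Labs): the script below sizes the brute-force search space for a password from the character classes it actually uses and converts that to a worst-case time-to-exhaust for a guess rate you supply. The 1,000,000 guesses per second in the usage call is an assumption for illustration, not a figure from the thread; the two sample passwords are the ones quoted in the post above. Whatever rate you plug in, the point the numbers make is that each extra character multiplies the search space by the alphabet size, so length and alphabet dominate any per-machine cracking estimate.

```python
import math
import string

# Standard character classes used for keyspace estimates. The symbol class is
# printable ASCII punctuation plus the space character (32 + 1 = 33), so the
# full printable-ASCII alphabet is 26 + 26 + 10 + 33 = 95.
CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "symbol": set(string.punctuation + " "),   # 33
}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character the
    password actually uses. That is the alphabet a brute-force attacker who
    knows the policy (or has observed the character classes) enumerates.
    Characters outside printable ASCII are counted against the symbol class
    as an approximation."""
    used = set()
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                used.add(name)
                break
        else:
            used.add("symbol")
    return sum(len(CLASSES[name]) for name in used)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of exactly `length`
    characters must cover."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    return math.log2(space)


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker (whole space searched); the expected
    time to hit a uniformly random password is half of this."""
    return space / guesses_per_second / 3600.0


def estimate(password: str, guesses_per_second: float) -> dict:
    """Bundle the figures a reader would want for one password."""
    size = charset_size(password)
    space = keyspace(size, len(password))
    return {
        "length": len(password),
        "alphabet": size,
        "keyspace": space,
        "bits": entropy_bits(space),
        "hours_worst_case": hours_to_exhaust(space, guesses_per_second),
    }


if __name__ == "__main__":
    RATE = 1_000_000  # assumed guesses/second for illustration only
    # The two passwords quoted in the thread above.
    for pw in ("18VSO3ZFQ", "H3+3d?(]B4`@~|"):
        e = estimate(pw, RATE)
        print(f"{pw!r}: len={e['length']} alphabet={e['alphabet']} "
              f"keyspace=2^{e['bits']:.1f} worst-case={e['hours_worst_case']:.3g} h")
```

Run it as-is to see the two quoted passwords side by side; change `RATE` to whatever guess rate your attacker model justifies (an offline hash cracker on modern hardware is many orders of magnitude faster than the assumed figure, and the ratio between the two passwords does not change with the rate).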
GaryK
Premium Member
join:2000-08-29
Miami, FL

ZoneLabs seems to be saying that this is not really a problem with ZA. The problem is you've got a trojan in your system. So deal with the problem instead of blaming ZA for whatever damage this trojan does. Did I correctly understand that exchange of emails 2k shared with us?

If so then part of me can rationalize that argument.

But the other larger part of me seems to think that if this is something ZA can help its users/customers avoid then they should. If nothing else it's one more marketing claim they could make until their competitors catch up.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
Trail Blazer was formerly known as tblazer