
Lilla1 (join:2002-04-22 Fall City, WA)
[Kerio 2.x] Kerio 2.15 w good rules fails 50% of tests at...

Yikes! Kerio 2.1 passes just 50%
Kerio 2.15 with BZ advanced ruleset. Windows XP with excess services disabled per BlkViper.com. All Windows Critical Updates applied.
»www.firewallleaktester.com/tests.htm
I tried several of the tests they indicate that Kerio 2.1 failed. I failed all that I tried. I tried these:
- TooLeaky. Failed.
- Thermite. Failed.
- CopyCat. Failed.
Is there any way we can improve our Kerio 2.15 rules to get a better score on these tests?
Thanks, Lilla

BlitzenZeus (Burnt Out Cynic, Premium/MVM, join:2000-01-13 Beaverton, OR)
Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
Kerio 2.x's development has been discontinued for a while, and leaktests usually deal with something other than the firewall features. I don't have time to go through all of the leaktests available, but many of them deal with things a real firewall does not deal with normally; a 3rd party program like a sandbox would have to run that protection. 3rd party sandboxing applications, or programs that have sandboxing built in, are the ones that pass the most tests.
I don't see leaktests as an issue; from the leaktests I've seen, these are problems in other software, like how IE will proxy program communications, and faults in the operating system. Only a true sandbox can prevent all of these from happening, but sandboxing applications are very hard to use correctly; you could even disable your operating system if you were not careful.
I don't lose any sleep over leaktests.
-- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed.

ghost16825 (Use security metrics, Premium, join:2003-08-26)
reply to Lilla1: These leaktests aka scaretests are pure crap
Smells like it... that's because it is.
TooLeaky: launches hidden window in IE to remote port 80. Weakness really depends on Internet zone IE settings/IE flaws/holes.
PCAudit: DLL injection in explorer to port 80 again. Solution: make sure explorer.exe doesn't have any internet access whatsoever. DNS Cache Client service does not need to be enabled.
AWFT:
- test 1: tricky business, almost hangs itself, fails to do anything
- test 2: through the web browser to default site (remote port 80) or your choice of site
- test 3: through explorer.exe again, choice of site
- test 4: through browser
- test 5: through browser
- test 6: through browser
Thermite: IE only, through port 80, firewall sees it.
Copycat: did nothing.
MBtest: crashed itself.
Wallbreaker:
- test 1: IE through... let me guess, port 80 again
- test 2: port 80
- test 3: port 80 (Kerio detects all traffic in IE no matter what)
DNSTest: Sounds like bullshit at its absolute finest. Tried with DNS Cache disabled. Sent DNS requests to my DNS server. Watch out everyone! Now that's what I call a leak!
Ghost: through IE port 80 again. Kerio picks up IE activity of course.
---------------------------------------------------
Summary: Kerio sees all this activity really, because they all use the web browser for the dirty work.
- explorer.exe should almost never need internet access.
- DNS Client Service is not necessary; there is very little to gain by using it.
- Log, log, log non-standard port ranges/rare remote ports in your browser if you're paranoid. E.g. anything to XXX.XXX.XXX:666 should ring alarm bells.
- Accept that anything to remote port 80 is to a web server for a legitimate reason most of the time.
- Don't forget that this is all done through a web browser, not anything else. Patch all your IE holes if you use it as a web browser.
DNSTest is perhaps the most misleading one of them all. Someone tell me that it isn't ridiculous.

BlitzenZeus (Burnt Out Cynic, Premium/MVM, join:2000-01-13 Beaverton, OR)
The hole in IE was built-in: any program can proxy its communications through IE just like a software proxy. This is the huge security hole in IE that Microsoft has not fixed in years, and why IE is only permitted to Windows Update/Office Update/Microsoft sites in general on my computer.
As I've said before, Microsoft Security is an oxymoron; their own browser was listed as a security risk by CERT recently also, and people were advised to use alternative browsers. IE in general is a security risk; if it wasn't for their use of Windows/Office Update, and access to Microsoft beta software, I would not be using IE at all, along with it being completely blocked.

paranoidxe (Premium, join:2002-03-29 Ogden, UT)
Funny... Kerio passed PCAudit just fine on this machine.
Thermite looks like it locally creates the file instead of remotely.
Copycat failed to connect to put c:\exploited.txt on my machine using Kerio 2.1.5, so yet another inaccurate claim.
Wallbreaker fails too if Internet Explorer is not already set up to use port 80 and allowed access.
PCAudit2 failed as well; I denied it access easily, again when Internet Explorer is NOT set up to access port 80.
I think the test is pretty bogus myself; the "exploits" it uses seem to only "exploit" the port that is already open on most computers anyway: port 80.
-- "It's better to look stupid for 5 minutes and ask a question, than to be stupid for the rest of your life." 4g63.20m.com (textsource.org)

gkweb (join:2003-06-09 76800)
reply to Lilla1: Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
Hi,
I am the author of the website.
Without any offense intended, even if my testing and my website are apparently being bashed, I see here much confusion about what the leaktests are meant to test.
A leaktest is not meant to bypass overall computer security, but just one feature of one kind of product. Basically, a leaktest is trying to hijack a fully trusted application.
If you fully trust all of your software, and you allow them any traffic, then a malware trying to hijack one of them should be detected by the personal firewall, blocked, and the user asked; that isn't too complicated, and that is precisely what the firewalls _passing_ the leaktests are doing: catching them in a fully trusted environment. It is in such an environment that you can see which firewall detects, and which one does not.
That's the test page at this step: »www.firewallleaktester.com/tests.htm
To understand what my criteria are, everything is explained in the following study: »www.firewallleaktester.com/documents.htm (leaktest.pdf)
Then, and I agree here with Ghost, because none of the firewalls can prevent a trusted application hijacking, and so none can pass them all, you have to tighten up your security to block them, even indirectly.
The leaktests are meant to bypass trusted applications as I said, but if you trust none of your software, then it is a lot harder for them to go through; but please note that here I am referring to your overall security (not only the firewall), which the leaktests have never claimed to pass. I think I have explained everything about that there: »www.firewallleaktester.com/advices.htm
To test the leaktests, as fully explained in the leaktests paper, is not to block everything on one's computer, to throw them, and to see what happens, but I won't write again what I have already written.
My point isn't to scare anyone and to say that you can't do anything about it; on the contrary, I am trying to show the weaknesses in a particular firewall component, and to bring solutions, such as the sandboxes, again explained on both the advices page and in the pdf document.
I think that before criticizing a test page, it's better to read the link provided just under the table which explains the test criteria, and then to take a look at the whole site to see quickly that Ghost and I aren't necessarily saying opposite things.
I do not wish to start a war or a flame; I just wanted to defend my test results, to explain them. I respect all of you, everyone is entitled to his own opinion, and after all that is explained, even after having read all the links above, you can still disagree, but I hope this time you'll see that we just have different points of view and criteria, and that it is not someone who is out of his mind (me) and someone else who is right.
I try to help people as much as I can, and I am sorry if you feel that I wanted to attack anyone or any software.
Best regards,
gkweb.

Lilla1 (join:2002-04-22 Fall City, WA)
reply to BlitzenZeus: Re: These leaktests aka scaretests are pure crap
Thank you BlitzenZeus for your posts, informative and helpful as always. And thanks again (I cannot say it enough) for the GREAT BZ ruleset you have given us.
Thank you to Ghost and gkweb for your excellent posts. It's always good to read both sides of an issue. Those tests did scare me pretty good, and reading Ghost's post has quieted my fears about my trusted Kerio 2.15 with BZ ruleset.
I appreciate the discussion in this thread. It has helped me to understand a bit more about security. I am thinking now more about the concept of taking a layered approach to security: the role of the firewall layer vs. the role of the browser layer. This is something I need to learn more about.
BlitzenZeus, I read with interest the limited use you make of IE, and I am now thinking that I might at least consider the idea of adding a 2nd browser.
Which alternate browser would you guys recommend: Opera, Mozilla Firefox, other? I would prefer one that is free.
When people say their IE6 is fully patched, does that mean something beyond Microsoft Critical Updates? So far that is all that I do.
Thanks to all, Lilla, BZ ruleset groupie

BlitzenZeus (Burnt Out Cynic, Premium/MVM, join:2000-01-13 Beaverton, OR)
Opera is not free, unless you don't mind an adbar you can easily block through Kerio. Otherwise there are open source browsers like Mozilla and Firefox. Mozilla is a suite with an e-mail client, etc.; Firefox is just a pure browser, but it's considered beta if you really care. I prefer Firefox, and it's been working great for me; however it's a bit different, so it will take a little bit to get used to coming from IE.
IE has always had unpatched exploits for it going around; I don't consider it safe for common use unless you're willing to disable most, if not all, of its features in the name of security. When you restrict too many settings you can't visit many legit websites, but with programs like Firefox you don't have to worry about all of these security exploits trying to install things behind your back, so you can leave features enabled without worry. You just need IE for sites that require IE for their proprietary technologies like ActiveX (HacktiveX) and Visual Basic Scripting, which are the source of most of their exploits. Basically Windows Update, Office Update, etc.

gwion (wild colonial boy, Premium/ExMod 2001-08, join:2000-12-28 Pittsburgh, PA)
reply to Lilla1: Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
Damn! Firewalls are FIREWALLS. They should be, anyway. We don't expect our spreadsheet to open DBF files, do we??? WHY do so called "experts" try and tell us we ought to expect our "packet filter" to block cookies, for Christ's sake? Pile of crap, put bluntly. Windows mentality (make it all simple, all under one roof, no matter HOW much you have to eviscerate it doing so) carried from the sublime to the ridiculous. By the way, not jumping you, guys... I'm jumping these Boeotian IDIOTS who define a firewall as a "security suite, one shot kills all." They're frankly morons, in my eyes. They comprehend what's going on as well as I comprehend the atomic structure of my coffee. Just pour a cup and enjoy - install this and solve all your security, privacy and erectile dysfunction problems with one simple pill. Bullshit.
And yes, if the shoe fits, for those sites that keep reciting, "we see a cookie, your firewall should stop that" WEAR IT. You're boobs, guys. That's crap, and you're boobs, and what upsets me is you're propagandizing the community to believe (innocently enough) crap purveyed by boobs. A "firewall", at base, is a packet filter. And it's as much characterized by its limitations as by its capabilities. As far as I'm concerned, those sites that create "FUD" over idiotic stuff like cookies and browser headers and such are working against us. NOT with us. They're creating an expectation that's inelegant, interdependent, and highly fallible. And those who demonstrate OS and app flaws that bypass firewalls without offering any real help defeating the problem aren't "on our side;" they're jerks, and they're helping the other side with their "your firewall's worthless" bullshit. And that's exactly and all their case is... BULL... uh, you get it ...
The "win32 mystery package just click here and it does it" metaphor's the most hurtful metaphor ever circulated about computing. If I can't verify what something does and how, I call it etherware, not "phenomenal and revolutionary."
Again, not jumping anyone here... I'm jumping the idiot contingent out there who spread fear, uncertainty and doubt, and offer nothing whatsoever useful thereafter, and try and portray themselves as "contributing" to the security community... they don't contribute, they're the problem. Nothing like perpetuating ignorance to compound any problem.
Welcome to the BBR Kerio/Tiny forum... grab a candle, the good folks here hand around MATCHES later on, so you can light them. We don't give away fish, we teach fishing, here. Wet a line with us... welcome aboard...
I just had to get that off my chest... thanks for listening.
As far as those leak tests, there are no known in-the-wild exploits based on them (and they've been around at least as long as I've been at BBR), they're totally addressable by sandboxing (e.g.: Tiny, properly configured), and they for the most part demonstrate inexcusable security flaws in Windows, not in our firewalls. Firewalls tend to not address that kind of stuff, because it isn't exactly supposed to be possible in a properly hardened OS... uh... as far as Windows goes, I would STILL like an answer from MS as to why IE can be so easily hijacked by any app that wants it to traverse a firewall so easily??? Anyone at MS want to address this question? I call this "feature" the ultimate in moronical design. But it's still there, has been forever, has no user or admin control whatsoever, and is completely ignored by virtually everyone... It's irresponsible, idiotic and ridiculous, and the only thing MORE irresponsible is the way people gloss it over within the security community; a firewall shouldn't have to stop that sort of thing - it never should happen.
As far as DLL injection and all that, well, that's application layer sandboxing, not network layer firewalling... so the ball's back in the court of those leak testers. If they have the "MaD sKIllZ" to be doing those borderline-cracker leaktests, why don't they "like, contribute something, dudes", and devote as much time PATCHING holes in the hull as they spend POINTING at 'em and demanding someone else fix 'em... Big favor... demonstrate the holes in my OS and firewall. What I want is a FIX, not a demo, though...
... of course, we are sometimes given to believe that smug arrogance is the hallmark of some security type hackers. Guess we couldn't expect any more, then, from these dopes.
Give a man a fish and he eats for a day. Teach fishing and he eats for life.
I call on these so-called "whitehats" to prove their hats aren't really a dull grey, and start teaching some fishing, dammit. Stop telling me why they don't bite on my bait and tell me what you use... or just shut up and sit down; any jackass can kick down a barn; it takes master carpenters to build one.
-- Semper Eadem
Enjoy every sandwich... Warren Zevon

ghost16825 (Use security metrics, Premium, join:2003-08-26)
reply to gkweb: Hard to believe, but my attack really wasn't intended to be on your website gkweb, but on the author of the application DNSTest and perhaps some of the other leaktest authors. I thought the definition of "leaktest" was something which bypassed a firewall completely, completely unseen by the firewall regardless of whether such traffic was allowed or not. Sure, if there's anything which does such a thing, call it a leaktest and make sure it is publicised everywhere. (Some of the raw sockets type tests maybe.) But suggesting massive security implications for everyone (as your website makes it out to be), surely this is misleading. Most exploit implicit firewall rules, and it would probably be more factual to try and describe in depth how these programs work and then let users decide how serious it is. This would be better than simply agreeing that the sky is falling and giving most of these authors kudos which they do not deserve.

Lilla1 (join:2002-04-22 Fall City, WA)
reply to Lilla1: Re: [Kerio 2.x] Article: Why You Should Dump IE
Interesting article by LockerGnome: Why You Should Dump IE
»tinyurl.com/2grga
He used Firefox too! And used IE in the same limited way that BZ uses it.
Lilla

BlitzenZeus (Burnt Out Cynic, Premium/MVM, join:2000-01-13 Beaverton, OR)
Just check out this thread, this is where the article was born. »Browser Security Issues

Lilla1 (join:2002-04-22 Fall City, WA)
reply to Lilla1: Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
BZ, interesting link, thanks.
I am posting this using Mozilla Firefox, it's v0.9.1. Initial impression is good. I'm doing OK so far. Got some learning to do though.
I disabled Java, and left JavaScript enabled, as you said.
- SpywareBlaster says Mozilla Firefox is not installed. I created a user.js profile (empty) but no change. Will have to figure out what's wrong there.
- When I save a webpage (like this one), it doesn't offer to save as .mht (single file) like IE6; I'll miss that. Having two files adds a lot of clutter. Oh well, not a biggie.
- I've adjusted my Kerio 2.15 rules in the manner you outlined.
Thanks for all the pointers,
Lilla

BlitzenZeus (Burnt Out Cynic, Premium/MVM, join:2000-01-13 Beaverton, OR)
It should be safe to leave Java on all the time, that is if you even have Sun Java installed at this point. Just drop by »www.java.com if you want to install Java for Firefox.
Since it's still in development you could submit your suggestions in the Mozilla forums I believe, or even make some add-ons yourself if you have the knowledge and time.
Drop by Mozilla Update to check out the extensions and themes you can install for Firefox. The extensions are part of the features you can install, if you want them. »update.mozilla.org/?application=firefox

Lilla1 (join:2002-04-22 Fall City, WA)
reply to Lilla1: I found the answer to my question. SpywareBlaster is working on a fix to the matter of not recognizing Firefox .9; should be out soon per... »www.wilderssecurity.com/showthre···=firefox
BZ, thanks for the tips.
I've never installed Java in IE so won't need it in Firefox either.
I don't care about themes & such. It looks just fine to me already. A clean classic look.

gkweb (join:2003-06-09 76800)
reply to Lilla1: Just to point out a few things:
@gwion (edited): Is your post against me or is it general?
Firstly, I seem not to be understood. I am not telling everyone that a firewall should block cookies, spam, and other related stuff, unlike what it has been said I was saying; I am against this idea, and again, I have written it on my site and in the study I have written. So it doesn't really encourage me to continue the discussion with people who don't even read my site, but just add free criticism. I am the first on my site to say that a firewall is before all a vanilla packet filter (yes, if you read it, that is exactly the term I am using...), so saying to me what I am myself saying is meant to... ? Then, everything else you are saying, again, I am saying it; just take a look at the "advices" page on my site.
Edited: sorry if your post isn't toward me; I have difficulties understanding who the target is.
@Ghost: Sorry to have misunderstood you :-/
quote:
I thought the definition of "leaktest" was something which bypassed a firewall completely, completely unseen by the firewall regardless of whether such traffic was allowed or not. Sure, if there's anything which does such a thing call it a leaktest and make sure it is publicised everywhere.
A leaktest targeting IE and passing by port 80, will it not be allowed and unseen? Anyway, you necessarily have applications on your side allowed to do a kind of traffic, and the leaktests just show that these allowances can be hijacked; the fact it is often IE that is targeted is just because it is easier to do. The leaktests aren't malware, they are proof of concept; a real malware would be trickier of course.
quote:
(Some of the raw sockets type tests maybe). But suggesting massive security implications for everyone (as your website makes it out to be) - surely this is misleading.
Without offense intended, I disagree here. I have seen a lot of people having firewalls and AV and being overwhelmed by a lot of spyware coming from nowhere, and being unnoticed by the firewall, while a very simple sandbox (Process Guard Free?) would alert you of a single executable trying to launch. So I don't see that it is "surely" misleading, just a matter of point of view.
quote:
Most exploit implicit firewall rules and it would probably be more factual to try and describe in depth how these programs work and then let users decide how serious it is.
Again, I am trying to achieve that too. I know there may be a lot of things to read on my site and you didn't read everything, I can understand, but I can tell I am trying to do that too. See the "categories" page and also the pdf document.
quote:
This would be better than simply agreeing that the sky is falling and giving most of these authors kudos which they do not deserve.
About the authors who may not deserve all the kudos, I won't disagree, because maybe a few didn't try anything else than to attack the firewalls and to advertise for themselves, but fortunately that is not the case for all of them.
Then, where did I say the sky is falling? What I try to achieve is just at least to make people aware of existing exploits which are, even if you might not know it (not you as *you*, you as *everyone*), used by many in the wild.
Once people are aware of potential vulnerabilities, many not used, many others used, then they can at least tighten up their security just by tightening up their filtering rules and their firewall settings; this is a part of my "advices" page. Then for those who want to do more, I show a way to do it.
Again, I'm sorry to be blind, but I don't see what's wrong with helping people. I just provide information; then people can be aware of it, and what matters most is not whether people agree with my tests or not; at least they are aware of the potential danger, and I have achieved my goal. No, the sky isn't falling, that's not what I am trying to show; I am just trying to say that the sky is not completely blue, it's not a dreamworld where you can connect and enjoy the internet without a bare minimum of security.
Believe it or not, I am not a bad guy saying bullshit, trying to advertise, and to mislead people for some obscure dark interest or anything else... just trying to expose what is not obvious, and what even spyware that people see every day can use to trick them. I just want to help; I'm sorry that it isn't obvious.
And while I can accept (of course!) people disagreeing, it's difficult on the other hand to understand aggressive people who find the purpose of their life in attacking me and being so disrespectful (not you Ghost!), and I must admit this is sometimes discouraging.
regards,
gkweb.

NJH (join:2004-04-23)
reply to Lilla1
said by Lilla1:
BZ, interesting link, thanks.
I am posting this using Mozilla Firefox, it's v0.9.1. Initial impression is good. I'm doing OK so far. Got some learning to do though.
Lilla
Now you have a great browser, have a look at some extensions, particularly Adblock and its forum for suggestions on filters.

Lilla1 (join:2002-04-22 Fall City, WA)
reply to Lilla1: Re: [Kerio 2.x] Locking down IE6, and using Firefo
NJH, yes I am happy to be using Firefox too now. I feel like I came late to the party. Thanks for the tips, I will follow up on your suggestions.
BZ, as you suggested, I will submit a suggestion to Firefox to add save as .mht (single file).
* So far all visits to the Microsoft Updates page have been in the range 207.46.134.30 - 207.46.249.157.
Question: Is it OK to generalize and use 207.46.0.0-207.46.255.255?
Currently I am building the address range based upon information gathered from each Microsoft Update page visit, but it does get tedious, especially because I use this ruleset on two computers. So, if a generalized range (shown above) will do, I'll use it instead.
Thanks, Lilla

Lilla1 (join:2002-04-22 Fall City, WA)
reply to Lilla1: Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
gkweb,
I downloaded the program on your site titled WindowsWormsDoorsCleaner. I am using it. It provides a handy way to verify that secure settings are set and have not somehow become reset. Even novice users can use it, so I will install it on family computers. I like the way this tool links to the Microsoft article that supports each lockdown.
Thank you, Lilla

BlitzenZeus (Burnt Out Cynic, Premium/MVM, join:2000-01-13 Beaverton, OR)
reply to Lilla1: Re: [Kerio 2.x] Locking down IE6, and using Firefo
Lilla, if you have not seen it yet, the Department of Homeland Security has joined CERT in saying that people should not use IE for security risks. »Dept of Homeland Security: "Don't use IE"
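Two points raised earlier in this thread, ghost16825's advice to log browser connections to rare remote ports and Lilla's question about generalizing her Microsoft Update address range, worked through in one small Python model; this is an added example, not code from any post or from Kerio. It models a Kerio 2.x-style ordered ruleset as top-down first-match (an assumption here, not something the thread states), and the rule names, the 203.0.113.x addresses and the connection records are constructed; only the 207.46.x.x values come from Lilla's post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    app: str                 # executable name, or "*" for any application
    remote: str              # Kerio-style "first-last" range or a single address
    remote_ports: frozenset  # allowed remote ports; an empty set means any port
    permit: bool


@dataclass
class Conn:
    app: str
    remote_ip: str
    remote_port: int


def parse_range(text):
    """Turn 'first-last' (spaces tolerated) or a single address into CIDR networks."""
    parts = [p.strip() for p in text.split("-")]
    first = ipaddress.ip_address(parts[0])
    last = ipaddress.ip_address(parts[-1])
    return list(ipaddress.summarize_address_range(first, last))


def rule_matches(rule, conn):
    if rule.app != "*" and rule.app.lower() != conn.app.lower():
        return False
    if rule.remote_ports and conn.remote_port not in rule.remote_ports:
        return False
    ip = ipaddress.ip_address(conn.remote_ip)
    return any(ip in net for net in parse_range(rule.remote))


def evaluate(rules, conn):
    """Top-down, first match wins (assumed model); no match falls through to deny."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.name, rule.permit
    return "no-rule", False


def uncovered(observed, proposed):
    """Observed addresses that a proposed generalized range would NOT cover."""
    nets = parse_range(proposed)
    return [a for a in observed if not any(ipaddress.ip_address(a) in n for n in nets)]


def rare_port_alerts(rules, conns, usual_ports=frozenset({80, 443})):
    """ghost16825's check: permitted traffic to a port outside the usual web ports,
    together with the rule that let it through (a broad 'trusted app' rule here)."""
    alerts = []
    for c in conns:
        name, permitted = evaluate(rules, c)
        if permitted and c.remote_port not in usual_ports:
            alerts.append((c.app, f"{c.remote_ip}:{c.remote_port}", name))
    return alerts


# Constructed ruleset in the spirit of the thread: IE confined to the update range on
# port 80, Firefox fully trusted, everything else denied.
RULES = [
    Rule("IE to update servers", "iexplore.exe", "207.46.0.0-207.46.255.255", frozenset({80}), True),
    Rule("IE elsewhere", "iexplore.exe", "0.0.0.0-255.255.255.255", frozenset(), False),
    Rule("Firefox trusted", "firefox.exe", "0.0.0.0-255.255.255.255", frozenset(), True),
    Rule("Deny rest", "*", "0.0.0.0-255.255.255.255", frozenset(), False),
]

# Constructed connection records (203.0.113.0/24 is documentation address space).
CONNS = [
    Conn("iexplore.exe", "207.46.134.30", 80),
    Conn("iexplore.exe", "203.0.113.10", 80),
    Conn("firefox.exe", "203.0.113.20", 80),
    Conn("firefox.exe", "203.0.113.30", 666),
    Conn("explorer.exe", "203.0.113.40", 80),
]

if __name__ == "__main__":
    for c in CONNS:
        print(c, "->", evaluate(RULES, c))
    print("not covered:", uncovered(["207.46.134.30", "207.46.249.157"], "207.46.0.0-207.46.255.255"))
    print("rare-port alerts:", rare_port_alerts(RULES, CONNS))
```

The trusted-Firefox rule is what lets the port-666 connection through silently, which is gkweb's point about hijacking a fully trusted application; the rare-port review is the compensating log check ghost16825 suggests.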