A Wicked Web They Weave

by Laura Yecies

Today, I’m very excited to announce the launch of ZoneAlarm ForceField. We first released ZAFF into beta last fall, and now it’s ready for primetime. On behalf of the entire ZoneAlarm team, I’d like to extend a very sincere thank you to everyone in the ZA community for your valuable insight and testing help…this is a major milestone not only for our company but in the fight against cybercrime. We look forward to your feedback.

As tempting as it is to delve into all the product details of this new virtualized browser/Web security solution, I think I’d rather talk to you today about a few of the reasons why we built ForceField.

In the past year or so, we’ve seen the consumer threat environment shift rather dramatically. Like the evolution of viruses and spyware, attack vectors have also evolved. The prime target used to be your operating system. So a good firewall, combined with antivirus and anti-spyware, was pretty sufficient protection against hackers looking for vulnerable PCs.

Now, armed with a new arsenal of Web-based attack strategies, hackers no longer need to seek you out. You’ll find them all on your own.

It’s rather easy to accidentally compromise your PC while innocently surfing the Web. Here’s how:

Search Portals: When you search for something on your favorite search engine, like Google or Yahoo, do you automatically assume that all the results are legitimate, safe Web sites? Hackers have found ways to seed search engines with malicious Web sites, or dummy pages that automatically redirect you to a Web site that can automatically download hundreds of pieces of malware without your knowledge. One of the strategies behind ZoneAlarm ForceField was to create an environment where you can make mistakes. You can accidentally click one of these links, and the malware will be contained in your virtualized, ForceField-protected browser (and unable to harm your PC).

Random Web sites: Your favorite Web site, yes, the one you visit every day, could send malware your way next time you drop in. And they may not even know it. You see, these perfectly legitimate and responsible sites can become hacked themselves. A vulnerability in an ad server or database can allow a hacker to use the Web site as an otherwise trusted conduit to deliver a malicious payload onto your PC. As I write this, one such SQL Injection attack, using the worm “winzipices.cn,” is believed to have compromised over 4,000 Web sites around the world.

We’re also receiving reports of demographic attacks: hackers compromising specific Web sites that cater to a desirable audience…for example wealthy or older surfers. Like with the search engine attacks, by using ForceField you can confidently surf as usual. Even if your favorite Web site has been hijacked, you stay safe.

Social networking/Web 2.0: Social networking sites, by their very viral nature, are irresistible attack vectors for hackers. Alicia Keys’ fans learned that the hard way last year when her MySpace page was infected. Facebook, with all its fun apps, proved compelling to adware distributor Zango. Not only can these communities be exploited to spread malware, but they can also fall prey to what we call “man in the middle” attacks. This is where a hacker basically inserts himself in the middle of your upload or other file sharing to steal your password or other sensitive personal information.

Social networking is a great way to stay connected with friends and family and build online communities, but always take precautions and be careful what you share. It’s a lot harder to delete personal information off the ‘Net than to post it.

Gaming/Virtual Worlds: Virtual worlds and games like Second Life and World of Warcraft are a blast. My kids love them. But one security researcher recently claimed that he could compromise your PC if your avatar wandered into his “realm.” If he could see you, he could take over your PC remotely. While we haven’t seen real world reports of this type of breach, we believe it can be done.

So what’s a security-minded Netizen to do? Besides using a comprehensive Web security solution like ForceField (in tandem with your PC security), make sure *all* your applications are patched regularly. Don’t forget your Java, IE, Flash, Quicktime etc. They’re easy to overlook but crucial to an overall Web security strategy. We’ll be posting more tips in the coming days, but in the meantime, we’re interested in hearing your experiences with Web-based attacks. Have you fallen victim? What steps do you take to avoid falling into a hacker trap on the Web?

Flippant words from Bruce Schneier

Security expert Bruce Schneier grabbed the headlines with his comment, "A lot of the software on this show floor is just snake oil...", referring to the Infosec security show in London.

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/04/22/Lots-of-security-software-is-snake-oil_1.html

He said that in the context of saying "Anti-virus is easy. Anti-virus products actually work."

The phrase "snake oil" is too sensational a phrase and I'm disappointed in him for saying it. It implies a lot of the software vendors are incompetent and simply out to cheat their customers, fly-by-night charlatans. They are not.

There are several definitions for snake oil, but the theme of all of them is:

- something of little or no value,

- misrepresented,

- with the intent to deceive.

Schneier would read these three points and say, "Aha! But I'm right on all three!" I don't doubt he could go from booth to booth at any Security trade show and poke holes in the products, building an argument that they have (or will have) "little or no value". I'm sure he could be doctrinaire and find enough of a gap between function and marketing to label "misrepresentative". He could then say that if the vendors know about the imperfections and their sales sound bites are too simplistic, then that constitutes an intent to deceive. Rubbish.

Those in the Security industry and those who keep themselves informed know that Information Security is a very complex problem. Bruce Schneier learned this in his career. In the 90s, Schneier learned that Cryptography was the simple part, building a secure system that used Cryptography was the really hard part. I agree with him when he says that anti-virus does the easy part, but someone has to attack the harder problems. The result is security products that work until the criminals look for and find ways around them. When that happens, the security vendors catch up and deliver a new product that works until the criminals launch a fresh attack. Were the security vendors incompetent? No, they did the best they could to solve one part of a hard problem. Was there an intent to deceive? No, they know the war is not won. Do they create the problem? No, criminals do.

A fairer comparison is to the medical industry. Consider any of the many horrible diseases that threaten humanity and look at the response of medical researchers and companies. With no cure for AIDS in sight, drugs are found that lessen symptoms and prolong life. It would be plainly cruel to scorn this work by calling it "snake oil". When diseases became resistant to common drugs, no rational person claimed those drugs were snake oil.

I have been a security developer for a long time now. I've worked for several security companies and met with people working in many, many more. I know the mindset, the work ethic, the game plan. Each company wants to ship a better product than the other because that's good business. That's how you make money. Each company wants their product to be chosen so, like writing a resume, they put the best face on it and use comparison charts to show how they are the best. Rarely have I encountered a security product that deserved the name "snake oil", and the companies that shipped it did not last.

That, Mr. Schneier, is how capitalism works.

Zango sneaks onto FaceBook users’ PCs

Going surfing? It’s dangerous out there - wear layers.

Is the Internet really dangerous? As you surf, are you *really* at risk? The answer is YES, but nothing hits a point home like a modern-day example.

The example comes from our old “friends” at Zango (formerly 180Solutions). Those who follow ZoneAlarm events will remember the court case 180Solutions brought against us just a couple years back for protecting our customers from installing their application. They eventually dropped the complaint after we refused to back down (http://download.zonealarm.com/bin/free/pressReleases/2006/pr_1.html), but that didn’t stop Zango from continuing their tricky tactics.

It all starts with a secret crush

So you’re on Facebook, and there in the top right you see what any breathing human would consider a titillating, intriguing message: “1 secret crush invitation.” Oh, and a little red heart. Gentlemen, ladies – how many of you will take notice and click through? Could you use a little company? Perhaps the next Mr. or Mrs. Right?

But in this case, it’s no secret admirer. It’s a “corporate admirer,” and the only company you’re going to get out of the deal is a sneaky little piece of adware that downloads to your computer and watches you. (Fortinet, who discovered the exploit, has the details nicely recorded here: http://www.fortiguardcenter.com/advisory/FGA-2007-16.html.)

Social engineering ends in heartbreak

This practice Zango used is called social engineering. It can hit you anytime, anywhere. It’s the way that hackers get you to willingly download crap to your PC. This crap can be anything from bothersome adware that slows your PC and flashes banner ads, to programs that record anything you type, such as credit card numbers.

You could even end up with a vicious rootkit, keylogger or spyware program that just all-out takes control of your PC to attack your friends and family, attack the government, send illegal porn, and other very bad things. Estimates say that about 25% of us have at least one of these types of programs on our PC.

Get protection – layers of protection

We all need to do a lot to protect ourselves, those around us, and the Internet-at-large. In the above Zango case, I believe it’s incumbent upon Facebook to qualify the widgets that are offered through their service. And it’s incumbent upon companies that are creating really cool, open services like Facebook and widgets to consider security implications along with all the fun.

And here’s what we should do: Simply protect ourselves with a lot of layers of security. This way, even if a threat gets by one or even several layers, there will always be another layer (or several) to catch it.

In the Zango example, ZoneAlarm products protect in a number of ways. Here’s how:

ZoneAlarm ForceField

This is the product designed specifically to protect you as you surf the Web. (It’s currently in beta as a free download.)

ForceField caught Zango variants with two of its layers. First, it found a Zango URL variant that was dangerous (below) through its spy site blocking:

[Screenshot: ForceField spy site blocking alert for the Zango URL]

Next, it found a variant of the Zango executable as it downloaded to the PC through its dangerous download detection (below).

[Screenshot: ForceField dangerous download detection of the Zango executable]

ZoneAlarm Internet Security Suite

This is the single firewall-based product designed to protect you and your PC from everything that gets thrown at it. It caught Zango variants with three of its layers:

First, like ForceField, it caught Zango at the Web site source through its spy site blocking feature (below).

[Screenshot: ZoneAlarm Internet Security Suite spy site blocking alert]

Next, its antivirus caught and eliminated the variant as soon as it was downloaded to the PC (below).

[Screenshot: ZoneAlarm antivirus detecting the downloaded Zango variant]

The final layer was ZoneAlarm’s program control, which catches malicious applications through a behavioral approach (below).

[Screenshot: ZoneAlarm program control alert for the Zango application]

- JordyB

Open Source Digital Voting Foundation

I recently met John Sebes, co-founder of the Open Source Digital Voting Foundation. What are they doing? In his words, while the rest of the world was running around in a panic about the problems with electronic voting machines, he decided to do something about it.

Their goal is to design a voting system that will be secure, reliable, able to do a vote recount and open-source, so people can inspect the design. It will earn the public's trust.

If you are a designer, you can help with the design.

If you are a developer, you can work on it.

If you are a believer in fair elections, you can contribute to bring this idea to fruition.

Firefox & IE Prompt You To Remember Passwords - Maybe you should say 'No'

This article is an eye-opener:

http://www.labnol.org/software/browsers/view-stored-password-firefox-internet-explorer/1906/

In short, it shows how easy it is to retrieve the passwords you let your browser remember for you. Funny that I was prompted to let the browser remember my password as I logged in to make this blog.

Free Security: ZoneAlarm Anti-Spyware plus Firewall

We don't normally put promotional stuff here, but since this is a 24-hour opportunity, we thought you might want to know. You can download and use ZoneAlarm Anti-Spyware for free. And it's not just anti-spyware freeware, but our full product that won top billing at CNET, which has the full anti-spyware deep scan and removal as well as the professional-grade Firewall and OSFirewall. Here are the details:

Offer Page:  http://www.zonealarm.com/patchtuesday/
Media Alert:  http://download.zonelabs.com/bin/free/pressReleases/2007/pr_7.html


UPDATE: OFFER EXTENDED (from Allison, our Director of PR)

As you've probably already seen, today you can download ZoneAlarm Anti-spyware, free. No strings attached. You get the full product, complete with the legendary ZoneAlarm firewall, the rootkit-blocking OSFirewall, Spy Site Blocking, and a year of A/S updates.

We've had some server challenges because of traffic, and so we're extending the offer to 5 p.m. PST tomorrow to accommodate everyone. We sincerely apologize for the inconvenience.

All of us here on the ZoneAlarm team believe more people need to take proactive security precautions by installing essential PC protection AND pay attention to updating their operating systems and browsers when critical security patches are made available. We know it's a pain to download a patch, install it and sometimes even have to restart your PC. But it's important. You can't be complacent because it's an inconvenience. Because...as vulnerabilities are announced and patches released, hackers go straight to work developing exploits and start hunting around the Net in search of unprotected PCs.

Here in the San Francisco Bay Area, when the air gets particularly dirty a "Spare the Air" day is declared. Many public transportation companies such as the commuter trains will offer a free ride to get people off the road. That's the idea behind this ZoneAlarm Anti-Spyware Patch Tuesday offer...the more people who have tough security and an updated PC, the fewer targets for attackers and the Internet becomes a safer place as a whole.

So you get ZoneAlarm Anti-Spyware for free until tomorrow only at www.zonealarm.com/patchtuesday.

And don't forget to also download the free ZoneAlarm ForceField beta to add a "bubble of security" around your browser. It's a cool virtualization-based product that traps drive-by malware and phishing attacks, and prevents keyloggers from tracking your typing. Once you install it on your PC, you'll never want to shop or bank online again without it.

Massive Online Poker Cheating

An investigation of Absolute Poker is underway over allegations of cheating by an insider.

http://www.4flush.com/gamblingnews/online-gambling-news/gaming-associates-confirms-possible-absolute-online-poker-audit-will-cheating-be-revealed/343/

http://tech.yahoo.com/blogs/null/53599

http://freakonomics.blogs.nytimes.com/2007/10/17/the-absolute-poker-cheating-scandal-blown-wide-open/

http://forumserver.twoplustwo.com/showflat.php?Cat=0&Number=12523924&page=0&fpart=1&vc=1

Absolute Poker, established in 2003, is ranked the 4th largest online poker destination by 4Flush.com, an information site for online gambling. Absolute Poker is based on the Kahnawake Mohawk Indian reservation that spans the US-Canadian border south of Montreal. While this location has been infamous as a route for smuggling, cheating in online gambling could ruin any company that does not exercise considerable vigilance.

Looking at player responses to the scandal, it surprises me how many people aren't bothered by the event and plan to continue to play poker online.

Why PhoneFactor is better than a "Security Key"

There's a website we all know that offers a "Security Key" to provide an added layer of security, beyond the email address and password. While this is great in principle, it is undermined by giving users a way around it if they "lose" their Key. PhoneFactor, on the other hand, is a lot harder to lose and abuse.

The Security Key I'm thinking of displays a 6-digit number that changes every 30 seconds or so. The website at which you type the number code knows what number your key is supposed to be showing, so it knows when you type in the right number. To the rest of us, the numbers appear to be totally random and the next number can't be figured out based on the numbers that have been shown so far. That's a good layer of security because if you type in the right number, it's pretty clear you must be holding the Security Key. A hacker around the world might fool someone into giving their email address and password (phishing) but if the website then demands a 6-digit code, they don't have it.

If it ended there, I would be a big fan of the Security Key and I'd buy one. But it doesn't end there. The website has to handle the predictable case that someone will lose their Security Key. The website I'm thinking of has the answer in their FAQ. If you lose your Key, you can still log in, they'll just ask some security questions. What kind of question would that be? Typically, they are "What's your mother's maiden name?" or "What's the last 4 digits of your credit card?".

Now those are answers that are in reach of hackers half-way around the world! My mother's maiden name is no secret. A hacker that can trick someone into giving their password on a phishing site might also trick them into entering the credit card they use. The difficulty of getting these answers is much much less than the difficulty of guessing a continually changing 6-digit number. So in the end, the layer of protection added by the Security Key is no better than the layer of protection added by typing in answers to "security questions".

Take a look at PhoneFactor now.

Step 1: Enter your usual username and password.

Step 2: Instantly, you receive a phone call. Answer and press #.

A hacker around the world can't press # on your phone, so they can't use your account. It's a lot harder to lose your telephone than a Security Key, and if you do, you've got a lot more motivation to replace it anyway and not just switch to "security questions". So there are three real benefits to choosing PhoneFactor:

1) You don't have to buy a Security Key,

2) You don't have to carry around a Security Key, and

3) The website doesn't need a weaker substitute that neuters the whole system.
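The time-based code described in the Security Key paragraphs above, as an added example that is not part of the original post: a verifier of the kind the website would run. The post does not name the vendor's algorithm, so the use of the standard HMAC-based construction (RFC 4226 HOTP / RFC 6238 TOTP) and the RFC test-vector secret are assumptions.

```python
# Added example (not part of the original post): a time-based one-time code
# verifier of the kind the "Security Key" paragraphs above describe. The
# HMAC-based construction (RFC 4226 HOTP / RFC 6238 TOTP) is an assumption;
# the post does not say which algorithm the vendor's key uses.
import hmac
import hashlib
import struct

# Shared secret provisioned to both the key and the website. This value is the
# published RFC 4226/6238 test-vector secret, used here only so the results can
# be checked against the RFCs; a real deployment generates a random per-user secret.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the display changes every 30 seconds, as the post says
DIGITS = 6          # 6-digit code, as the post says


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the key is displaying at `unix_time`: HOTP over the current 30-second slot."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check. The website knows the secret, so it recomputes the code for the
    current slot and `window` slots either side (clock drift, typing delay) and accepts a
    match. Anything else, including a guess, is rejected; constant-time comparison avoids
    leaking how many digits were right. A real server also rate-limits attempts and
    refuses to accept the same code twice."""
    slot = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c), submitted)
               for c in range(slot - window, slot + window + 1))


if __name__ == "__main__":
    now = 59                                   # RFC 6238 test time; slot 1
    shown = totp(DEMO_SECRET, now)
    print("key displays:", shown)
    print("accepted now:", verify_totp(DEMO_SECRET, shown, now))
    print("accepted 3 slots later:", verify_totp(DEMO_SECRET, shown, now + 3 * STEP_SECONDS))
```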

Free VoIP, as long as they can listen in...

The recent story about "The Pudding" is notable:

http://www.dslreports.com/shownews/The-Pudding-Listens-In-On-VoIP-87838

A new startup named The Pudding is offering users free calls via broadband, if they allow the company's software to "listen" to the conversation and display ads related to what's being discussed. The company insists that their technology isn't much different than what Google does with Gmail, with the exception that speech recognition technology is often flaky.

Hmm. Just the thought alone of a computer out there trying to figure out what I'm saying gives me the creeps. And what legal obligations will follow? If the system thinks you said something criminal, does the Government have the right to demand to hear it? You can't object because you already agreed to allow your call to be listened to. You've sold your privacy for 3 cents/minute. In the U.S.A., laws were made to protect the privacy of telephone calls. In legal terms, there is an "expectation of privacy". Here, there is none. For 3 cents/minute.

Have you seen the bumper stickers that say "Freedom isn't Free"? It means we must be vigilant about protecting our rights or they will be taken from us. We must be prepared to make sacrifices so the next generation enjoys the rights we have. Even with Internet telephone calls, Freedom isn't free, but at 3 cents a minute, it's pretty affordable.

http://www.jajah.com/

The Criminal Information Economy

A combination of spyware and information brokers will revolutionize the opportunities for criminals. All useful information available to spyware will be archived and sold in lots or through searches, facilitating targeted crimes such as theft, blackmail and espionage.

Spyware started off with specific goals, such as tracking what websites a person used or logging the keyboard for passwords. There are many pieces of information useful to criminals, however, and any missed opportunity can be considered missed revenue. Now that spyware has an economic goal, making it gather all information will be the way of the future. Another approach to spying is the theft of information on unsecured wireless networks. Well-placed sniffers will gather some of the information available to spyware resident on the computer. The next step is to monetize this information for the controller of the spyware. Just as governments and companies store increasingly detailed information on citizens/consumers, it makes sense for criminals to do the same.

Let's consider an organization called Anti-Google (motto: Be Evil). It plants no spyware itself; it just buys information from those who do, paying through PayPal perhaps. What would it buy? Anything it could sell:

- accounts/passwords (bank, email, eTrade, eBay, PayPal, porn, corporate networks, cell phone, ...)
- websites visited (including those you wouldn't want your spouse to know about)
- email, IM and VoIP conversations (including those you wouldn't want your spouse to know about)
- search results related to consumer goods, e.g. possessions

The final stage is the sale to all those who can use this information to ply their trade:

- the burglar pays to find houses with jewelry, laptops, credit cards, passports, ...
- the private eye pays to catch the adulterer,
- the blackmailer pays to find the skeletons in people's closets,
- another online broker sells accounts and passwords,
- companies will spy on their competition,
- governments who are willing to wiretap their own citizens will find this service irresistible and will pay for the information of use to them.

Now consider what you've used computers for in the last year. Enumerate the information you've shared with your keyboard, mouse and network cable. Ask yourself how you would respond if each of those were being stored in a criminal database and then got exploited. If each stage of this scenario is logical and economically beneficial to each party, then neither laws nor ethics will stand in the way, and it is only a matter of time before it happens.

Passwords : bigger is better

At the recent Marconi Society symposium, a speaker asked the sardonic question (I'll paraphrase), "Who did more harm, the author of the Morris worm or the programmer who limited Unix passwords to 8 characters?" He was implying that forcing short passwords made them easily guessable - a bad thing. The problem of password limits is not gone.

Websites today limit passwords to artificially short lengths. Today, I was limited to 12 characters. While that appears sufficient, it is too short for some purposes. Hackers or thieves who get password files (the passwords will be encrypted) will be able to discover the passwords if they try hard enough. The detailed answer takes math, but I'll include it (in a different font) for those who don't shudder at the thought:

12 characters appear to be enough. With each character in your password you have (worst case) 256 possible choices. That's 2**8 choices (2 to the 8th). In practice, it's fewer, but let's consider the worst case for now. With 12 characters, that's (2**8)**12 = 2**96 possible 12-character passwords. If you include all 11-character passwords, etc., that almost doubles the total, so let's say 2**97 possible passwords total.

It appears too hard to be worth trying. A hacker trying all possible passwords would try each one ("brute force"), and it would take on average half (2**96) before he stumbled on the right one. With the password, he drains your bank account, in my case $100 ;-)

That sounds like a lot of passwords to try, too many to make this approach practical: if 2**56 possibilities takes a day, 2**96 possibilities would take a trillion days. So we're safe with 12-character passwords, right? Let's think again.

But it's not as hard as it looks. There really aren't 256 possible characters to use in passwords, it's more like 94 (the alphabet in upper and lower case, and normal keyboard characters like !, @ and #). This results in 2**74 possible passwords to search, on average, a reduction by a factor of a million. If you used only lower case and numbers, that's only 2**62, which means these passwords can be cracked in 64 days! Hackers have botnets (thousands of computers that they can control) and plenty of time.

The point is that passwords should be long, random and hard to guess, otherwise, well, it's going to be guessed. If they are hard to remember, store them somewhere safe where you can look them up. The more important the login account, the stronger the password. Banking passwords are more serious than FaceBook.

And if you come to a site that limits you to 6, 8 or 12, tell them "bigger is better".
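The keyspace arithmetic from the post above, carried through for any alphabet size and length, as an added example that is not part of the original post. It assumes the post's own guessing rate (2**56 candidates per day) and uses the three alphabet sizes the post discusses (256, 94 and 36 symbols).

```python
# Added example (not part of the original post): the post's keyspace arithmetic
# as a small calculator. The guessing rate is the post's assumption (2**56 per day);
# the alphabet sizes are the ones the post uses.
import math

GUESS_RATE_LOG2 = 56   # assumption from the post: 2**56 guesses per day

# Alphabet sizes discussed in the post.
ALPHABETS = {
    "any byte (worst case)": 256,
    "printable keyboard characters": 94,
    "lower case letters and digits": 36,
}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of passwords of exactly `length` characters drawn
    uniformly from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(bits: float, rate_log2: int = GUESS_RATE_LOG2) -> float:
    """Days needed to try every candidate at 2**rate_log2 guesses per day.
    The expected time to hit the right one is half of this."""
    return 2.0 ** (bits - rate_log2)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest password over this alphabet whose keyspace is at least 2**target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def crack_table(length: int):
    """One row per alphabet: (name, size, bits, days to exhaust) for a `length`-character password."""
    return [(name, size, round(keyspace_bits(size, length), 1),
             days_to_exhaust(keyspace_bits(size, length)))
            for name, size in ALPHABETS.items()]


if __name__ == "__main__":
    for name, size, bits, days in crack_table(12):
        print(f"{name:30s} {size:4d} symbols  2**{bits:5.1f}  {days:,.0f} days to exhaust")
    # Length needed over each alphabet to get back the 2**96 that the worst case promised.
    for name, size in ALPHABETS.items():
        print(f"{name:30s} needs {min_length_for_bits(size, 96)} characters for 2**96")
```

A 12-character cap only delivers 2**96 when every byte is allowed; a site that caps length at 12 and whose users pick lower case and digits leaves them 19 characters short of that, which is the post's point about "bigger is better".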

Demo at DEMO

You can now see the video of the live product demo online and learn first hand what DEMO said about ZoneAlarm ForceField at DEMOfall 07 in San Diego.


[Video: ZoneAlarm ForceField live product demo at DEMOfall 07]

Check Point Software Technologies, Ltd.
