Tinyurl.com Blocked, Might Distribute Spyware

By John Gable, Director of Consumer Products

Sometimes ZoneAlarm blocks a web site that you want to visit. For example, some users have noted that ZoneAlarm blocks them when they go to TinyURL.com. Why would ZoneAlarm do this, and what do I do if that happens?

Spyware has occasionally been downloaded from TinyURL.com or a partner site (TinyURL often redirects users to other sites). To protect you from this threat, ZoneAlarm warns you about it and blocks that specific Web site. But people might still want to use TinyURL.com anyway – after all, it’s a useful tool for posting short URLs on Twitter. Well, you still can.

Go to www.tinyURL.com.  If the site is blocked, you should see a balloon pop up in the lower right corner of your screen.  If you click on it, you will go to an interface where you can add tinyURL.com as an exception which allows you to access the site.  You can also manually get to that interface within the product by doing the following:

1) Right click or double click the ZoneAlarm icon in your system tray.

2) In the ZoneAlarm control screen, click Anti-virus/spyware, and then click “Spy Site Blocking”. If it has blocked you from a web site, it will show the name of the web site with an X indicating that it was blocked.


3) If you want to go to that web site, click the web site's access setting and change it from Block to Allow.


That’s it.  This way ZoneAlarm can protect you from potentially dangerous downloads but still let you go where you want.

Controversial DNSSEC could solve pernicious Internet security issues

by Albert Sweigart, Consumer Security Development

The well-known security researcher Dan Kaminsky pushed for the adoption of DNSSEC (Domain Name System Security Extensions) in his recent presentation at the Black Hat DC conference. Kaminsky is famous for a critical flaw he found in the Domain Name System protocol last summer. DNS is the protocol that translates domain names (such as zonealarm.com) to the numeric Internet Protocol address (such as 209.87.209.206). Kaminsky showed that by exploiting the flaw, a DNS server can be tricked into resolving a domain name to a different IP address. This would allow an attacker to send someone visiting YourOnlineBank.com to a fake replica of the website under the attacker's control. The user would unwittingly give their online bank password to the attacker’s fake website.

That vulnerability has been patched since, but the DNS protocol itself in many ways remains fundamentally insecure:

  • DNS is not a secure protocol by itself, and software applications do not rely on it for security. The use of cryptography imposes some computational expense on the server and causes scalability issues. Secure Sockets Layer, the technology that most consumers interact with by seeing the tiny lock icon next to the URL bar in their web browser, mitigates this problem somewhat. A fake website would not be able to reproduce the proper SSL certificate, and web browsers display warnings about accessing web sites with invalid SSL credentials. However, users are amazingly resistant to such warnings, and the “click the button to make the message box go away” mentality causes many users to ignore these warnings.

  • Unfortunately, a more common attack would just be not employing SSL at all. Redirecting a user from YourOnlineBank.com (which uses SSL) to the fake replica website (which does not use SSL) would not produce any browser warnings. The cannier user may notice the lack of the “https” in the URL before entering their password, but most would not.

  • With the domain name system vulnerable, a website’s “forgotten password” feature also becomes an easy target for hackers. By hijacking YourOnlineEmail.com, an attacker could then go to Facebook, eBay, or any number of online web services and request a new password sent to a user’s email address (such as BObama@YourOnlineEmail.com). This password would then be intercepted by the attacker, since it is sent not to the real YourOnlineEmail.com but to the fake one under the attacker's control. The real user is never involved in or aware of the attack at any point.

DNSSEC is a proposed protocol (introduced in RFC 2065) that would secure the DNS protocol using public-key cryptography, but its adoption has been slow due to many factors. It is notoriously complicated to implement and maintain. Without demand from applications, there is little incentive to add DNSSEC.

DNSSEC also has a political problem with the international community and with the more libertarian proponents of the Internet. The DNSSEC protocol would place the root authority to authenticate the entire domain name system, including the domain name systems of 187 different countries, with the U.S. Department of Commerce. This centralization of authority would also give the government the power to disable domain names, or to perform DNS hijacks itself.

Kaminsky has always been lukewarm about DNSSEC, but despite its problems and complexity he is for securing the DNS protocol. A fix at this level of the Internet could potentially solve an entire class of security problems. The pressure placed on networks and DNS servers by business and consumer interests provides too large an incentive to ignore this issue forever. And while the work to simplify the administration of DNSSEC still has a long way to go, Kaminsky has pointed out that the implementations of proposed alternatives to DNSSEC (such as DNSCurve) are far behind.
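As an added illustration (not from this post or from Kaminsky's work), the Go program below models in miniature what DNSSEC adds to the hijack scenario above: the zone signs its answers with a private key, a validating resolver checks each answer against the zone's public key, and an answer whose address has been swapped fails that check. The `Answer`/`Zone` types, the field layout and the 203.0.113.7 address are constructed for the example; real DNSSEC uses RRSIG and DNSKEY records chained to a root trust anchor, and it signs records rather than encrypting them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Answer is a simplified DNS A record (name -> IPv4); real records carry more fields.
type Answer struct{ Name, IP string }

// SignedAnswer adds a signature over the Answer, standing in for DNSSEC's RRSIG record.
type SignedAnswer struct {
	Answer
	Sig []byte
}

// Zone holds a domain's key pair. Only the legitimate operator has the private half;
// resolvers learn the public half (a DNSKEY record chained to a root trust anchor in real DNSSEC).
type Zone struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewZone generates a fresh signing key pair for the zone.
func NewZone() (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Pub: pub, priv: priv}, nil
}

// canonical is the byte string that gets signed. DNS names are case-insensitive,
// so the name is lower-cased first; DNSSEC likewise signs a canonical form.
func canonical(a Answer) []byte {
	return []byte(strings.ToLower(a.Name) + "\x00" + a.IP)
}

// Sign produces the signed answer an authoritative server for a signed zone returns.
func (z *Zone) Sign(a Answer) SignedAnswer {
	return SignedAnswer{Answer: a, Sig: ed25519.Sign(z.priv, canonical(a))}
}

// Validate is the check a validating resolver performs before trusting an answer.
// Any change to the name or address after signing makes it return false.
func Validate(pub ed25519.PublicKey, sa SignedAnswer) bool {
	return ed25519.Verify(pub, canonical(sa.Answer), sa.Sig)
}

// TamperedAnswer models the poisoned response from the post: same name, swapped
// address, signature left as-is because the forger lacks the zone's private key.
func TamperedAnswer(sa SignedAnswer, replacementIP string) SignedAnswer {
	sa.IP = replacementIP
	return sa
}

func main() {
	zone, err := NewZone()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the post's bank name with the IP the post quotes for zonealarm.com.
	genuine := zone.Sign(Answer{Name: "YourOnlineBank.com", IP: "209.87.209.206"})
	// 203.0.113.7 is a documentation-range address (RFC 5737), a constructed stand-in.
	forged := TamperedAnswer(genuine, "203.0.113.7")
	fmt.Println("genuine answer validates:", Validate(zone.Pub, genuine)) // true
	fmt.Println("forged answer validates:", Validate(zone.Pub, forged))   // false
}
```

A resolver without the public key (plain DNS) has nothing to check and accepts both answers, which is the gap the post describes.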

Real World Internet Safety Tips for Using Public Wi-Fi

By James Grant, Team Lead and Senior Developer

I was recently traveling and wanted to keep in touch with both work and the world. I packed my laptop and was off. On arrival, the hotel clerk proudly told me that the hotel offered free Internet over Wi-Fi, no encryption to worry about. Great! I guess...

Confession: I get a little paranoid about security, so I'm thinking through all the ways this could go wrong: the person in the next room is going to see all my Internet traffic because it is going over the airwaves like a cell phone call; the person in the next room will try to hack into my computer; the person in the next room will see my email address and I will get more spam. I need a new room! But wait, everyone in the hotel can see my traffic, as well as anyone driving by! Well, the good news is that not everything you do on the Internet puts you at risk.

Using email

The first thing I wanted to do was check email at work. My company uses a VPN to support email access, so I can do that safely. I am free to use a public Wi-Fi link because a snoop will not try to decrypt my VPN traffic to read the emails. The VPN is the strongest link in the chain, not the weakest link.

The next thing I wanted to do was check my personal email at Gmail. There I have to be a bit more careful. I deliberately go to https://gmail.google.com (instead of http://...) because then Gmail gives me an encrypted connection (safe). If I just typed gmail.google.com, my login would be encrypted, but the emails I read and wrote would be unencrypted and any snooper could see them! Remember: whenever you see "https" at the start of the link in your browser, it means you're a lot safer than with "http".

Checking online news

With that done, I wanted to check the news. Now I personally don't care who knows what news articles I read, so I freely went to my favorites:

www.news.google.com, www.theregister.co.uk.

Using Facebook

Then I wanted to check what was happening at Facebook. Darn. That's where I caught myself and chose to wait. Facebook encrypts the actual login, but after that it isn't as safe. Snoopers could learn the email address I use to log in as well as my profile ID (every Facebook member has a unique profile ID).

They also might be able to get my "session token": information that lets them connect to Facebook as if they were me. I could be wrong; like I said, I get a little paranoid. So I did not connect to Facebook over the unencrypted Wi-Fi.

Banking and other private activities

What else would I not recommend in a public setting?

- banking - even if the connection is encrypted, I reveal what bank I use

- online investments - same as banking, only more money at stake

- private activities: IM, political activities, porn (no, I'm not confessing anything here. It's you, Dear Reader, I am thinking of!)

Avoid all of these things on unencrypted Wi-Fi, unless you use a service like Anonymizer Anonymous Surfing. With a service like Anonymizer, everything works the same but your network traffic gets routed through their server using an encrypted connection. Snoopers can't tell where you're going or what you're sending.

What about public computers?

A final note about using a public computer (library, conference, hotel, etc.). I would not log on to any account of mine on a public computer, even if it were an encrypted https: website. The computer might have a virus or other tool for logging everything you type. Think of a public computer as having the public looking over your shoulder.

Adobe Acrobat PDF vulnerability is more of the same

By Jordy Berson, Group Product Manager, Check Point Software

A vulnerability in Adobe Acrobat is being used to steal business and government secrets. This exploit entices its victims to open a PDF document, upon which a Trojan is transferred invisibly to the victim's PC. The Trojan secretly records keystrokes and allows hackers remote access to the victim's computer. This vulnerability has so far been targeted at business executives and government officials. I don't know what's scarier - the attacks that target people like you and me directly to steal our identity, or knowing that our government and business officials are being spied on.

The general idea is this: You're surfing the Internet, you land on a Web site, and BAM! Malicious software secretly downloads to your PC. Most of the time you don't even have to click on anything or even stay on the site for more than a moment. But when you leave the site, you take an invisible threat away with you that steals your identity and your privacy.

The Adobe attack is just the latest chapter in a dramatic but predictable story. Nearly every week for the past year, it seems a new drive-by exploit is discovered.  Web surfers fall victim.  Identities are stolen.  Secrets are passed.  Virus companies catch up...too late as usual. 

Any Web site will do.  These types of exploits have been hosted on compromised mainstream sites such as Miami Dolphins and Tom's Hardware and on popular banking sites where you'd never expect them, as well as on riskier sites such as free download sites.  The point is that these threats can affect you no matter where you surf and no matter how careful you are.  

How likely are you to hit a drive-by? A study by Google concluded that over 1% of all Web searches contain at least one malicious URL which could be a drive-by.  So out of 100 Web searches, you'll hit at least one of these.  And that's just one of the methods to get you. Phishing sites and other social engineering tactics can land you on a malicious Web site too. And if you do stuff like downloading free screensavers and music and you spend a lot of time social networking, your risks are higher.

So what do you do?  Hide your love away...

Hackers love people who run old versions of their software.  And you don't want to be loved by hackers! When you run outdated software on your PC, you make it dead easy to get hacked.  You're almost asking for it.  So please update all your software now...right now.  And especially if anybody is using an older version of IE or Firefox (or whatever browser you run)...upgrade immediately!  You should be on IE 7 and Firefox 3.  

...and get a good traffic cop. The traffic cop is one of the few technologies out there that can stop drive-by downloads. And this one is *the* only one at this time that works automatically (the others require you to change the way you download files and manage your file system). It's our own ZoneAlarm ForceField. In the time it's been out, it's stopped 100% of the drive-by downloads that we've been able to test - theoretical and actual. It does a lot of other stuff too. Try it for free and please tell me what you think of it. Love it or hate it, I'd love to know. It's less than 5MB.

Thanks!

http://www.zonealarm.com/security/en-us/trial-download-zonealarm-forcefield-browser-security.htm

Read the Adobe Security Bulletin here.

The Conspiracy of Silence around Web Attacks

By John Gable

ZoneAlarm Director of Product Management

Hardly anyone knew about it.

The Los Angeles Angels website was recently hacked overnight with a drive-by download. It tried to download “AntiVirus 2009”, a well known fake security program that actually installs malware, onto visitors' systems. The Angels fixed the problem the next day, but damage was done.

I don’t mean to pick on the American League West Champions. This happens much too often, not just in major league baseball, but also the National Football League (Miami Dolphins), job sites (Monster.com), financial institutions (Bank of India) and plenty more.

What else don’t you know about?  Did you know about …

I suggest there are 3 good reasons most people don't hear about such incidents.

  1. Hackers want to be invisible.  Gone are the “good ole days” when a hacker wanted to become famous. The "I Love You" virus was a big problem, but at least you knew if you were infected. Now hackers go to great lengths to make sure you don’t know anything is happening as they take over your PC.

  2. Web sites that have been hacked don’t exactly spend marketing funds to tell the world what happened. Responsible sites, like Check Free, quickly contact any potential victims to help them. But the last thing most sites want is to scare you away.

  3. Same logic applies to software vendors, even security companies. Plus, sometimes they don’t want to advertise vulnerabilities because they don’t want to educate hackers how to break in.

Special kudos to the companies that do a good job at communicating threats. Adobe just issued a security bulletin about a buffer overflow issue with Adobe Reader 9 and Acrobat 9.

I’m happy to report that our new ZoneAlarm Extreme Security, which integrates our latest PC security suite with our web browser security and more, is the only security suite that blocked any of the threats I listed above from the very first moment they hit the Web (someone else might have stopped the LA Angels attack - but I can verify that others missed all the other attacks).

In fact, ZoneAlarm Extreme Security blocks all of them. See our Stops Attacks Others Miss page for more details.

Do you think people need to know about these Web attacks or is ignorance bliss?

Waledac Valentine's Day attack stopped by ZoneAlarm ForceField. Are we the only ones?

by John Gable

Another Valentine's Day special.

You may have been reading how the Waledac botnet, a successor to the Storm botnet, has come to haunt your Valentine's Day.

This botnet is running a Valentine’s Day "campaign" soliciting people with phony Valentine’s themed e-mails and greeting cards. When users click through to a Web site to receive their messages, malicious software is silently and automatically downloaded to their computer. The malicious software can do any number of nasty things such as logging and transmitting everything a user types, stealing their credit card numbers and online passwords, and turning their computer into a launch pad to attack others.

With over 1000 variants in just one day, this is very hard to stop.  Perhaps impossible to stop for typical antivirus software that relies on lists of known threats.

This is yet another example of how important browser security has become.  We need to stop attacks like these at the point of entry - the web browser - and prevent that malware from getting onto the PC in the first place.

Thank you, ZoneAlarm ForceField. Just add ZoneAlarm ForceField to IE or Firefox, and you will be protected from attacks like this. Our browser security prevents this and other attacks from hacking your PC by keeping the browser inside a "virtual sandbox" where malware cannot access your system. It also includes other powerful browser defenses like dual-engine anti-phishing (signatures and heuristics) and more.

Question:

So far, ZoneAlarm ForceField is the only mainstream consumer security product I can find that blocks this attack and the other Waledac botnet attacks starting on day one.  Anti-spam should block some or most of the spam that initiates this attack, but it is rarely 100% reliable.  Good internet sense may stop you from clicking on the link, but who knows, maybe you do have a Valentine somewhere that loves you.  There are some techy PC virtualization and sandbox software programs out there, but they are too cumbersome for most people. 

Is there a better way to block this attack?

PS.  If you want to learn more about the Waledac Valentine's Day attack, the Waledac botnet or Storm botnet, these are my favorite posts on the subject:

Malware Writers Use Multiple Botnets to Spread Valentine's Day Heartache (eWeek, by Brian Prince)

Another Waledac Valentine's Day Spam Run Has Started (MX Logic IT Security Blog)

New And Improved Storm Botnet Morphing Valentine's Malware (Dark Reading, by Kelly Jackson Higgins)

Patch Tuesday and ZoneAlarm

by Laura Yecies

It’s now been 2 weeks since the Patch Tuesday mess that knocked many of you offline. Now that ZoneAlarm updates have been released, Microsoft has issued a revised security bulletin and knowledge base article, and things have largely returned to normal, I want to offer you an apology, plus an explanation of events and an outline of the steps we’re taking to reduce the risk of this happening again.

First, the apology. This should not have happened, and everyone here at Check Point is very sorry for your inconvenience.

What happened? As you probably now know, Microsoft issues new security patches on the second Tuesday of each month for its Windows operating system and Internet Explorer browser. This is called “Patch Tuesday.” Two weeks ago, one of the security updates wasn’t compatible with ZoneAlarm, causing many of our customers to lose Internet access.

(What’s particularly ironic is that we have long tried to tell all of you how important it is to patch your PC as soon as Microsoft releases these updates, and I always try to reiterate that point here in this blog. And I still will – these security updates are critical to your overall PC safety…please don’t allow this experience to change your patching habits.)

But I digress.

In this case, since it was a Windows patch and not an update issued by ZoneAlarm that instigated the crisis, we learned of the conflict from you – through our customer service line, forums, etc. Immediately, our engineering team sprang into action, and in less than 24 hours released a new, tested and QA’ed version to resolve it. Our team posted a work-around to the Web site within hours, and our developers in San Francisco worked through the night to create a permanent solution. This is no easy feat, and while I’ve thanked them personally, I also wanted to acknowledge their outstanding commitment publicly.

So here’s what we’re going to do: We’ve assigned a team of top engineers to install any new updates on a new test bed currently being engineered specifically to catch compatibility issues between Windows or Internet Explorer and all ZoneAlarm products. This will happen in real-time on Patch Tuesdays.

In addition, we’re working with Microsoft to try to open up new communication avenues. While it’s not a panacea, more open and coordinated communication is a positive step forward.

Thank you for your understanding, and a special thank you to everyone in the ZoneAlarm user community who helped us spread the word once we had a workaround identified and posted. Your help was invaluable.

Safe surfing,

Laura

Free VoIP, as long as they can listen in...

The recent story about "The Pudding" is notable:

http://www.dslreports.com/shownews/The-Pudding-Listens-In-On-VoIP-87838

A new startup named The Pudding is offering users free calls via broadband, if they allow the company's software to "listen" to the conversation and display ads related to what's being discussed. The company insists that their technology isn't much different than what Google does with Gmail, with the exception that speech recognition technology is often flaky.

Hmm. Just the thought alone of a computer out there trying to figure out what I'm saying gives me the creeps. And what legal obligations will follow? If the system thinks you said something criminal, does the Government have the right to demand to hear it? You can't object because you already agreed to allow your call to be listened to. You've sold your privacy for 3 cents/minute. In the U.S.A., laws were made to protect the privacy of telephone calls. In legal terms, there is an "expectation of privacy". Here, there is none. For 3 cents/minute.

Have you seen the bumper stickers that say "Freedom isn't Free"? It means we must be vigilant about protecting our rights or they will be taken from us. We must be prepared to make sacrifices so the next generation enjoys the rights we have. Even with Internet telephone calls, Freedom isn't free, but at 3 cents a minute, it's pretty affordable.

http://www.jajah.com/

Demo at DEMO

You can now see the video of the live product demo online and learn first hand what DEMO said about ZoneAlarm ForceField at DEMOfall 07 in San Diego.

Check Point Software Technologies, Ltd.

Dirty socks

Third day, same socks - it wasn't intentional. And it could be worse - these are my running socks that wick moisture and breathe…exceptionally well. But despite the ongoing activities and the practicing and the excitement of DEMOfall 07, I've got to get to Walgreens at some point today for more socks!  Otherwise I will need a ZoneAlarm ForceField around my feet when I'm up on stage demo'ing ZoneAlarm ForceField tomorrow afternoon.
