Feeds

Personal firewalls are ‘futile’

Harry Homeowner at risk

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Security researchers have highlighted a potential shortcoming with personal firewall products.

To alert users of the presence of a Trojan or privacy threatening program running on their systems, personal firewalls have been adapted so they monitor and block outbound traffic (as well as blocking inbound network traffic).

If a malicious program becomes active a user will be alerted and the application will be blocked by a personal firewall (unless a user is daft enough to agree that it should be able to access the Internet, of course).

This would normally stop a Trojan sending out data (which might be your passwords) disguised as HTTP traffic on port 80.

However if a malicious program modifies a DLL used by Internet Explorer to make an outbound connections to port 80 on its behalf then this protection is bypassed.

Security researcher Robin Keir, has developed a proof-of-concept tool, called FireHole, which illustrates how the trick can fool personal firewalls (such as Zone Alarm, Norton Personal Firewall and Black Ice Defender).

The technique (along with other similar tricks) relies on a rogue program getting onto a user's system and executing in the first place, as Keir points out, but his work dispels the notion that a personal firewall on its own will stop Trojans in their tracks.

"If you can't stop it [a Trojan executing] then it is game over - the rogue program has your computer completely under it's control," said Keir.

Keir's findings are backed up by another security researcher, Bob Sundling, who said "the added protection provided by outbound filtering is entirely illusory" after he developed a program called TooLeaky to illustrate his point.

Eric Chien, chief researcher at Symantec's Anti-Virus Research Centre, said the technique "doesn't make personal firewalls useless" but rather illustrates the point that there is no such thing as complete protection.

"Combined with AV, the average home user is relatively safe," said Chien, who added that the technique has yet to be used in anger by either virus writers or hackers.

"In general if such a thing were created, we would add detection for it in antivirus," he added. ®

Tips to stay protected from Trojans


  • Keep antivirus programs up-to-date

  • Lock down email clients with the correct security zone settings

  • Avoid opening attachments that might contain executable content

  • Consider restricting the ports that your web browser and other commonly used applications can talk on

  • Remember WinXP's built-in firewall does not attempt to manage or restrict outbound connections at all, though it does block port scanning and the like



External Links

How to bypass your personal firewall outbound detection (by Robin Keir)
Personal firewalls are pants (by Bob Sundling)

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
CloudPassage points to 'pervasive' threat of Bash bug
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.