- Open letter to Steve Gibson of Gibson Research (www.grc.com) -

Dear Steve,
Dear Internet Citizen,

(This is actually an open letter based on the community's discussion of
LeakTest from Gibson Research Corporation. But it addresses more the
fundamental problem of firewalls than the exploits used in LeakTest.)

Amused by the discussions in all the public newsgroups and web boards, I
wanted to make sure that, with all the fuss about LeakTest 1.0
on http://grc.com/lt/leaktest.htm, we do not forget something:

  LeakTest 2.0, LeakTest 3.0 and LeakTest x.0 WILL successfully show the
  weakness of personal security products.

I have no doubt that Steve will have the time and skill to find new ways to
subvert the protection a desktop firewall offers. And this is not because
Steve is such a good programmer (I think he is), or because the desktop
firewall vendors ship such insecure default products (looks like they do,
don't you think?).

  It is because the race is already lost! There is no theoretical way to
  secure a desktop system (let alone a practical one).

Here is my detailed explanation for this, and at the end you will find some
suggestions for potential "solutions". But first you have to accept the
statement (stop caressing your personal firewall and grinning).

Some of the statements below are based on the assumption that a firewall
product is installed by the same user, in the same way the user installs
any software (clicking setup.exe), and that this means the user will also
install the bad/sneaky software that way. I call this piece of software
malware.

In the future, malware will exploit the following "features" of current
desktop installations. (The only reason malware is not yet using these
sophisticated methods is that malware authors have not yet needed to spend
the time developing them. But as personal firewalls get less insecure, they
will.)


 (1) Future malware will not use the API the personal firewall is
intercepting. This means:
If the PF is intercepting the WinSock API, then malware will no longer use
it. The malware can simply access lower-level functions; it can even
bring its own IP stack and talk directly to the modem or network card.
Agreed, some of the lower-level APIs will be protected by new generations
of personal firewalls, or the malware would no longer work with every brand
of hardware.
Let me make a prediction: LeakTest 9.0 will force the vendors to protect the
low-level network drivers and therefore create a big new market for
DriverShields or whatever you call the software.

 (2) Malware will use the remote-control or scripting features of the
operating system (COM, COM+, DCOM, CORBA, AppleScript, ...) or of
applications (netscape -remote, VBA, ...) to trick authorized applications
into making the call to the Internet and communicating on its behalf. It
thereby uses the network without being detected by application checks
(because the application is neither faked nor altered).

I predict that the feature set of personal firewalls will grow and even
start to intercept the communication inside a PC system... but hey, think
about it: who wants to understand messages like (joking) "Unknown first
IPC attempt from shared lib dsfntsys.dll to in-process surrogate context of
object MSIE.loadPage"? And think about this: a lot of personal firewalls by
default allow Office to access the Internet. Why is this? A simple script
virus can therefore use this clearance to leak information. If you think
about it, wouldn't you expect a personal firewall to forbid a malware
program like Melissa to send mails? Yes, but this means you have to forbid
your mail client to send mails... damned situation, isn't it?

And now the worst:

 (3) Malware can simply modify the database of trusted applications, add
new rules, or simply automatically press the "OK" button of the personal
firewall's authorization dialogs. It can even uninstall the personal
firewall or alter its program code. This can be done at runtime in memory
or on disk.


Every time a new exploit of one of those 3 points is found, the firewall
vendors will look sorry, will tell their customers that they do everything
possible to counter the threat, and after an update they will be "the most
secure product".

NO. This is wrong! They WILL NOT BE a secure product. They were never a
secure product and they know they are not.

But they just will sell an upgrade and be happy with the situation.

A protection against this could be an operating system which actually
protects itself and the installed applications from that kind of
modification.
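To make points (1) to (3) concrete from the defender's side, here is an added example (my own model, not code from the letter, from Gibson Research or from any firewall vendor). It models the two checks an application-aware personal firewall relies on: a trusted-application database that pins each program to the hash of its image, and an HMAC seal over that database so that an edited database is refused. The JSON layout, the file names browser.exe and other.exe, and the idea that the seal key lives somewhere the user-level malware cannot read are all assumptions of this example.

```python
"""Toy model of an application-aware personal firewall's trust database.

Added example, not part of the original letter.  Assumed format: a JSON
map {exe_path: sha256_hex} sealed with an HMAC whose key is held only by
the enforcing component.  That key separation stands in for the OS-level
protection the letter asks for; if malware runs with the same rights as
the user, it can read the key (or just patch this code) and the seal is
worthless, which is exactly the letter's point (3).
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Hash a program image so a rule binds to content, not only to a path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_db(rules, key):
    """Serialise the rule map deterministically and attach an HMAC tag."""
    blob = json.dumps(rules, sort_keys=True).encode()
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return blob, tag


def load_db(blob, tag, key):
    """Refuse to use a rule database whose tag no longer matches its content."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("trust database tampered")
    return json.loads(blob)


def decide(rules, exe_path):
    """Outbound decision for a program: allow, deny-unknown or deny-altered."""
    pinned = rules.get(exe_path)
    if pinned is None:
        return "deny-unknown"          # never authorised by the user
    if sha256_file(exe_path) != pinned:
        return "deny-altered"          # image on disk no longer matches the rule
    return "allow"


def demo():
    """Run the model over constructed files and return the decisions."""
    key = os.urandom(32)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")   # constructed stand-in binaries
        other = os.path.join(d, "other.exe")
        for p, body in ((browser, b"browser v1"), (other, b"unrelated")):
            with open(p, "wb") as f:
                f.write(body)
        rules = {browser: sha256_file(browser)}   # user authorised the browser once
        blob, tag = seal_db(rules, key)
        db = load_db(blob, tag, key)
        results["trusted"] = decide(db, browser)
        results["unknown"] = decide(db, other)
        # The authorised program's image is replaced on disk: hash pin catches it.
        with open(browser, "wb") as f:
            f.write(b"browser v1 + patch")
        results["altered"] = decide(db, browser)
        # Point (3): the database file itself is edited to add a new rule.
        edited = dict(rules)
        edited[other] = sha256_file(other)
        blob2 = json.dumps(edited, sort_keys=True).encode()
        try:
            load_db(blob2, tag, key)
            results["edited_db"] = "accepted"
        except ValueError:
            results["edited_db"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible. The hash pin only catches a replaced image; a genuine, unmodified browser driven through COM or a scripting interface (point (2)) is still "allow", because the check has nothing to look at. And the seal only helps while the key and the checking code are out of the malware's reach, which on a single-user system where everything runs with the same rights is not the case.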

Java tried to make a start. Java programs run in a sandbox which is
supposed to be secure. ActiveX scripting is likewise supposed to only use
safe objects. But history tells us that even the simple task of building a
small sandbox for web applets is impossible for the vendors. All kinds of
JavaScript, web spoofing, ActiveX insecurity or Java sandbox exploits are
known. How can we expect an operating system to do it? (And still be
user-friendly!)

The current operating systems like DOS, Win95, 98, ME or some MacOS do NOT
provide enough protection to prevent a program which is installed on the
computer from changing, modifying or disabling other programs. This means
it is a lost battle on those systems. Forget it, don't bother to download
LeakTest 3.0... it will work.

Operating systems which offer Discretionary Access Control, or even Labeled
Access Control (which means data access is controlled by labeling it and
enforcing access) can help a great deal in this situation. You ask where the
problem is? Well, user-friendliness in the first place:

Have you ever tried to own an NT or Win2000 system where you don't have
admin rights? Right, it is not very user-friendly and a big job to set up
the system that way.

And then you also have the problem that most of the software you would like
to run (like e.g. that sexy Pam Anderson screen saver) will most likely ask
you for admin permissions (and not only to install itself, but also to
modify the personal firewall).

So how do you stop that software from messing with your personal firewall?
You will not. So with LeakTest 10 or something Microsoft will most likely
admit that it is a lost battle on the old single-user systems and a
complicated configuration issue on Win 2002. This is also true for Linux
systems, btw.

You might actually find more users who run software as unprivileged users
on Linux, but you also find more and more people who find this task of
maintaining different users complicated.
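The discretionary access control the letter mentions is what decides whether the account that runs the screen saver can also rewrite the firewall's files. As an added example (mine, not from the letter), here is a small audit that evaluates the classic POSIX owner/group/other bits for a chosen account and lists which of a firewall's files that account could alter, either by writing them or by writing their parent directory and replacing them. The file names rules.conf and firewall.log, the directory layout and the "unprivileged account" uid are constructed for the demo.

```python
"""Audit which files an unprivileged account could alter under POSIX DAC.

Added example, not from the letter.  It evaluates the owner/group/other
write bits for a given uid and group list, deliberately without the root
override that os.access() would apply, so the answer describes the
everyday account rather than whoever runs the script.
"""
import os
import stat
import tempfile


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """Classic DAC: owner bits if we own it, else group bits, else other bits."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def can_alter(path, uid, gids):
    """True if the account can modify the file or replace it via its directory."""
    st = os.stat(path)
    if can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
        return True
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if not can_write(pst.st_mode, pst.st_uid, pst.st_gid, uid, gids):
        return False
    # Sticky directory: only the file's owner or the directory's owner may
    # rename or unlink entries, so a writable directory alone is not enough.
    if pst.st_mode & stat.S_ISVTX:
        return uid in (st.st_uid, pst.st_uid)
    return True


def audit(paths, uid, gids):
    """Return the subset of paths the account could alter."""
    return [p for p in paths if can_alter(p, uid, gids)]


def demo():
    """Constructed layout: a config directory holding the firewall's rule file
    (owner-writable only) and its log (world-writable, the weak setting),
    audited for a hypothetical account that does not own them."""
    with tempfile.TemporaryDirectory() as d:
        owner = os.stat(d).st_uid
        other_uid = owner + 1                 # some account other than the owner
        os.chmod(d, 0o755)                    # directory not writable by others
        rules = os.path.join(d, "rules.conf")
        log = os.path.join(d, "firewall.log")
        for p in (rules, log):
            with open(p, "w") as f:
                f.write("constructed\n")
        os.chmod(rules, 0o644)
        os.chmod(log, 0o666)
        hits = audit([rules, log], uid=other_uid, gids=[other_uid])
        return [os.path.basename(p) for p in hits]


if __name__ == "__main__":
    print(demo())
```

Run against a real installation, the interesting output is every firewall file the everyday account can alter; each one is a place where software installed by that account could change the rules without ever touching the firewall's own dialogs.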


So, in summary:

The battle between malware and desktop firewalls will go on and on, and the
users are the losers of this race. The software manufacturers are the big
winners. The reason for it is that most people are unaware of this fact,
and that a bit more education can improve their security more than the
false sense of security given by a green Z in the taskbar.


My plea to Steve,

I would like to ask you to emphasise this point on your web page.

You did a lot of good work educating the average PC user in these topics.
You also helped the Internet a great deal in getting less messed up.
Crackers will have to work harder to get into systems. This is good, since
a compromised system on the Internet is a powerful weapon. Script kiddies
can easily destroy the network connectivity of big dot-coms (like Yahoo)
with the power of those unattended home PCs.


Users:

- If you install malware on your system, your system is lost, regardless of
what kind of protection software you install. So don't install every
untrusted piece of software. Better safe than sorry.

- If you have important data on your system, don't use it on the Internet.

- No malware detection software nor personal firewall will ever change that.

- There are some technical solutions, ranging from using non-privileged
accounts to real secure operating systems (like the military's), but all of
those solutions are currently not mainstream, cost a lot of time and money,
and the user experience won't be as easy as usual (you may see something
like: "you are not allowed to drag this text from Word into your email
application because it is untrusted...")

I suggest discussing this open letter in <news:comp.security.misc>


Greetings
Bernd
-- 
The Freefire Project - <http://www.freefire.org>
Free Solutions for IT Security.