14 Nov 2001 22:43:17
Tom asks Rob for help.
Subject: Zone Labs
From: Tom Liston
Date: Wed, 14 Nov 2001 22:43:17
To: Rob Rosenberger
Mr. Rosenberger-
I believe that Rick has already run some of this by you, but I'll
ask you to indulge me as I walk through it again.
After the initial release of LaBrea, I started looking into
re-writing it from scratch as a 'single-IP' tarpit for Windows9x/ME.
Mucking around and slinging raw packets is a bit of a task under
Win9x. While Gibson was way off base when he said raw sockets
weren't available on Win9x... well... it ain't a walk in the park
either.
I started off with a command line version of LaBrea, and after a lot
of reading and playing around, I finally got it working. Rick had
offered to assist with the 'GUIfied' version, and so we were in the
midst of gearing up for that when it suddenly struck me that because
this 'tarpit' resided on a 'real' machine (unlike the original
LaBrea) I needed to worry about the OS responding back to inbound
packets 'underneath' me. So I began reading up on firewalling, and
immediately ran into a brick wall: firewalling is a very deep and
difficult thing under Win9x.
At that point, we decided that while we took a bit to try to sort
out firewalling, we would release LaBrea and tell people that it
would require a separate personal firewall to work.
I fired up ZoneAlarm, fired up the command line version of LaBrea9x
and tested it. Sure enough, it worked. But then it dawned on me:
LaBrea9x was sending out packets, and ZoneAlarm hadn't said a word.
To make a long story short (too late...) it turns out that ZA's
vaunted Application blocking is a sham, as is its InternetLock
feature. I've created an application that sends information out
from a ZA (or ZAPro) protected machine, with the InternetLock
engaged.
Going beyond that, another small sample app that I wrote allows for
two way chat, while the ZA InternetLock is engaged.
Zone Labs has been contacted. Michelle Delio has been working as an
intermediary on this, but now has just dropped out of sight... off
on vacation, while everything is hitting the fan.
So, as I did when I was getting ready to release LaBrea, I'll pick
your brain for some advice on whether you think we're heading down
the right road with all of this or if there is something else that
we should be doing. If you're interested, I'd be happy to send you
copies of the correspondence that has taken place with Zone Labs.
Essentially, they at first denied that what we were seeing was
possible-- told us that the test machines were misconfigured, that
ZA had been tested against this sort of thing, that we, essentially,
didn't know what we were talking about.
Today, after about 4 hours of work last night (I can keep track of
this because the demonstration application that we sent them is
designed to prove the flaw by posting two user-selected 'secret
words' to the HackBusters website), they've come back and said that
they 'are still investigating the issue and so far had mixed
results', while it's blatantly obvious from my logs that the program
leaked their 'secret' information.
So! Where do you think we should go from here?
-TL