Ignorance is Big Business

Week of December 10, 2001

Several major online journalists have been sitting on the story of the month - perhaps the year - and doing nothing about it. No one wants this one out in the open. There's too much money to be lost.

The Story

The story is that for some time now, home PC users (what The Register affectionately refers to as 'Harry Homeowner') have been without the protection the free personal firewalls would have seemed to be offering. As anyone who has heard about the raw sockets hysteria knows, Microsoft has up until recently had only an incomplete implementation of Berkeley Sockets on its Windows platforms. It was incorrectly assumed that only with Windows 2000 and the all-new Windows XP would home PC users be dangerously vulnerable. However this matter was corrected almost immediately. For several years now, alternate methods of creating Internet traffic on Windows computers have been available, the perhaps most well-known of these being the Torino packet capture library.

With the Torino packet capture library - or a number of similar libraries, all easily accessible for download on the Internet - it has been possible for years to create applications which could run right under the noses of the major free personal firewalls. These free personal firewalls, regardless of their ability to monitor traffic at the lowest possible level, have all assumed that Internet communications would originate in the Microsoft Windows implementation of Berkeley Sockets. And because of this assumption, programs using alternate methods such as the Torino library have been able to pass underneath these free personal firewalls completely unnoticed.

It has been possible for years now for malicious software to exploit this hole and to generate illicit and totally unseen traffic on millions of computers around the globe. How prevalent this has been no one will know until a personal firewall is finally able to see traffic of this type and bring it to the attention of the computer user. At the time of writing, no major free personal firewall is yet able to do this.

The Discovery

The discovery came about in the aftermath of the release of the LaBrea tarpitter in September 2001. Tom Liston of the Hackbusters approached radsoft.net with the project of creating a similar tarpit application for home PC users. Shortly into the research for this application, Tom Liston discovered that the major free personal firewalls were not stopping traffic. The LaBrea@Home packets were going out and in under the noses of these firewall applications.

This news was kept under wraps until the stories of the Too Leaky and Firehole exploits broke. Even then, no one realised the ramifications of the discovery. The thought was only that inasmuch as others had brought firewall vulnerabilities to the attention of the public, that this matter be made known as well.

A number of well-known online reporters were brought into the story and all expressed their understanding that this was big news. Yet several weeks later, the matter was silently dropped.

Finally, a totally uncomprehending Tom Liston submitted his report to BugTraq, along with a demonstration application which proved his discovery to be true.

Outbound!

Outbound! is an application developed jointly by the Hackbusters and radsoft.net which proves that the major personal firewalls cannot stop Internet traffic, or even in many cases see it passing by. It is freely available at the Hackbusters site - http://hackbusters.net. With Outbound! anyone can test their personal firewall - and most often see how the traffic generated passes right by, unnoticed.

Ignorance

But ignorance is money. As long as news of this hole remains in obscurity, several major vendors seem to think they will profit. While some vendors that were contacted readily admitted the hole, others tried every trick in the book to dodge the issue. And in the aftermath of the BugTraq article, other free personal firewalls are being tested - with similar results. All seem to have made a quiet assumption that Internet traffic has to begin in Microsoft's implementation of Berkeley Sockets.

You can help spread the word. The major news organisations seem afraid to carry this story. But the story is important. If you are running a personal firewall, you should check with Outbound! to see if you are truly protected or not. Unfortunately, the outcome is rather given. But at least you will have seen with your very own eyes.

What to Do

How can home PC users in the face of this discovery better protect themselves? A difficult question. No known personal firewall can currently protect at this level. The only possible advice is to play it safe and give no application one's implicit blind trust - certainly not a personal firewall.