Is your firewall spying on you? [Zone Alarm gets rumbled]

theinquirer.net ^ | Sunday 22 January 2006 | Paul Hales

[B4Ranch]

Is your firewall spying on you?

Zone Alarm gets rumbled

By Paul Hales, in Jerusalem: Sunday 22 January 2006, 12:39

IT’S OBVIOUS, REALLY, that the best way of penetrating users' PCs to see what they get up to online would be to become a Firewall maker. Like, when I wanted a Firewall and was too tight to pay for one, I turned to Checkpoint’s little freebie Zone Alarm. It sits there between you and the Internet and lets you know when someone’s trying to sneak in through your backdoor or when a program you’re running tries to connect to the Web for no apparent reason. When you’re as techie as me – not very – you just have to trust it.

Of course, Checkpoint’s an Israeli company and as a foreign journalist working in Israel you know the hyperactive security services here would like to keep tabs on you. And you know that they do. It has been confirmed to me by a security sources here that mobile phone conversations I have had have been listened to – and in circumstances which I won’t reveal, the contents of a call I have been involved in have actually been relayed back to me.

It’s part of the game – like the airport interrogation, or the surreptitious copying of your notepad while you’re off having a body search. You know what goes on but you have a job to do and just get on with it – hoping that what you get up to in the legitimate pursuit of your business won’t upset anyone to the extent that they’ll come break your door down and cart you off somewhere.

Now, the handsomely-named Mr Cringely has revealed that a colleague of his at Infoworld noticed that Zone Alarm 6.0 was sneakily sending off data to four different servers. Cringely says that Zone Labs (acquired by Checkpoint in March of 2004) at first denied the activity for a couple of months before deciding the software had a "bug" even though, as he points out, "the instructions to contact the servers were set out in the program’s XML code."

The company says it will fix the "bug" soon. In the meantime you can work around it by adding: # Block access to ZoneLabs Server 127.0.0.1 zonelabs.com to your Windows host file.

The "bug" seems to be present in the retail version of Zone Alarm, so there’s no telling what the freebie gets up to. We called Checkpoint here in Israel to find out, but were referred to a US spokeszoner. Trouble is they’ll all be in bed there on this sunny Sunday morning. µ

[Dallas59]

Thanks!

[snarks_when_bored]

I hadn't seen that little hosts file editor. Looks nice (although Notepad works fine for me).

[B4Ranch]

Check your FReep mail, please.

[The Westerner]

I have a Linksys router. Do I really need Zone Alarm, too? Anybody have a clue?

[thinking]

Download a copy of tcpview, then you can see what is
connected to your PC....

[snarks_when_bored]

A useful article from Wikipedia on the hosts file:

Hosts file

[jayef]

I'm using both. The software tells me how good I am and it pleases me. :-D

[Shadow Deamon]

This is from the ZA help file, perhaps this is what he was seeing:

Joining the DefenseNet community Zone Labs security software users can help shape the future of Zone Labs security products by joining the DefenseNet community protection network and periodically sending anonymous configuration data to Zone Labs for analysis. By joining DefenseNet, you can help us focus our attention on the features and services that you use most often and to introduce new functionality that will provide even smarter security.

Configuration data is not collected from ZoneAlarm or ZoneAlarm Anti-virus users.

Even with the "Alert me before I make contact" preference selected in the Overview|Preferences tab, you will not be alerted before sending configuration data to Zone Labs.

The data collected is completely anonymous and is for Zone Labs internal use only and will not be shared with others. Of the millions of Zone Labs security software users, only a small percentage of users will have their information collected. The frequency of data transmission depends upon the configuration of your computer. For most users, data will be sent once per day.

To send configuration data to Zone Labs, select Yes, automatically and anonymously share my settings in the Configuration Wizard.

If you later decide that you do not want to send anonymous data, select Overview|Preferences, in the Contact with Zone Labs area, then clear the Share my settings anonymously... check box.

[B4Ranch]

I added the entire list from "Blocking ads on the Internet with a list of ad server hostnames and IP addresses." to my hosts file. Here's hoping that cuts down on the garbage that builds up in my Temporary Internet file.

[B4Ranch]

Maybe so.

[Snoopers-868th]

I have XP Pro and use IE. I cannot open a PDF file but I can save it and open it. What is up with that? What was your work-a-round?

[palmer]

lots of solder

[hiredhand]

OpenBSD is one of the most hardened "out of the box" operating systems on the planet. The developers have included a facility called "pf". It's a very configurable firewall package.

I run three of them on a site that I have. One is supporting a private (RFC 1918) LAN behind a static netblock via NAT/PAT for hosts on the LAN.

Another is in front of the netblock and it does everything except for NAT/PAT and traffic redirection because it's running in bridge mode and doesn't even have any IP addresses. It "looks" like a layer two device (switch or hub) to those machines around it.

The third supports a second WAN connection via a RoadRunner broadband connection that my employer (most graciously) provided to me. That one is like the one that does NAT/PAT, except that if the IP address changes, it's set up such that none of the firewalling features are affected.

There is ONE more OpenBSD host on the site that uses pf, but it's simply a SMTP server (PostFix) and runs OpenBSD because of greylisting and spamd (anti-spam system) for e-mail.

It's a rock solid operating system. They tout the fact that they've only had one remote root exploit in a default install in over eight years. No other operating system even comes close to being able to say that, except for maybe OSs like Inferno (Lucent Brick), and VX-Works (used by the Nortel CES). But most people will have never heard of these, nor would they really want to use them anyway.

But OpenBSD is not a user's operating system (IMHO). All of the systems that us people here touch are Linux systems. Debian to be specific. But they're all protected by the OpenBSD firewalls running pf.

The "pf" how-to is linked from http://www.openbsd.org.

[bobdsmith]

Software firewalls suck. Nothing can beat hardware.

It doesn't matter what medium the firewall is built on. Whether it sucks or not has nothing to do with whether it is a software application on a pc or a dedicated device.

[SeaBiscuit]

Thats true, a router is a must, especially for 24/7 cable connections. But, a software firewall is also important, not for incoming which is the router's job, but to keep a check on outgoing connections, though I don't use ZA.

[bobdsmith]

I doubt this is anything serious at all. A well known software product like ZoneAlarm simply cannot send information to somewhere covertly without someone finding out about it pretty quick by simply looking at what data is being sent out. The people who make zone alarm would realise this and so I don't believe they would even think about attempting it.

[SeaBiscuit]

See my post #55. I use the old free version KPF 2.15, highly configurable and uses little resources.

[KillTime]

My firewall: a Hub, an old Pentium III PC, pulled out the CDRom, HardDrive, Video and Sound cards, 8 megs ram, and have two NIC cards. Basically it's a stripped down computer. Then I use http://www.coyotelinux.com/ free firewall. Everything is blocked; everything. The firewall runs off the floppy disk into Ram. Completely invisible from the outside world. I packed up my LinkSys; ppl can still get to ya. Software Firewalls eat system resources, KT recommends to get a real hardware firewall (linksys are pseudo hardware fw...it is really still primarily a software fw) and use your old PC to make a killer FW.

[dynoman]

127.0.0.1 is listed as "loopback adapter" under the firewall and zones area in ZA 6.xx

[dynoman]

Loopback Adapter on IP 127.0.0.1