Bugtraq mailing list archives
Re: Zonealarm exports sensitive data
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Mon, 28 Feb 2000 17:24:01 -0800
This is a standard problem throughout the industry: how do you provide a great user experience without intruding on the user's privacy? We've put a lot of time and effort traversing this minefield. We've generally erred on the side of privacy -- we know a lot less about our paying customers than companies like ZoneAlarm know about their free customers. For example, the button that queries our website for help looks like a hyperlink (underlined/blue). I know this is a minor issue, but we wanted to make it very clear to customers that clicking on the link takes them to our website, with all the privacy concerns that entails.

The information included is the minimum necessary to create a good user experience with the minimum of privacy loss. We do send which port was probed, but we do NOT send the IP addresses. Let's say that you've configured your web browser to go through a proxy server: we will then have absolutely zero clue as to who you are or where you came from. We will know, however, what intrusion you are looking for help on and a couple of pieces of information about it. Note that we are an intrusion detection system rather than a firewall, so this is often more than simple port information. We do generate reports from this in order to figure out what parts of the product need improving. E.g.: http://advice.networkice.com/advice/intrusions/common/

Now, in order to create the best experience for our customers we do indeed want more information than this. The product has built into it the ability to report to a centralized console. (This is used for centralized mgmt in corporate environments). We plan someday to make this available for our home customers when we get the privacy issues worked out.
Robert Graham
CTO/Network ICE

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () securityfocus com] On Behalf Of Brett Glass
Sent: Friday, February 25, 2000 5:17 PM
To: BUGTRAQ () securityfocus com
Subject: Re: Zonealarm exports sensitive data

It should be noted that BlackICE Defender, a competitive product, does precisely the same thing if one clicks on the "AdvICE" button. Since the attack information displayed by the program's graphical interface is quite brief (there's more in the log files, but only sophisticated users will know how to find and read them), users are strongly motivated to click the button.

I do not know whether the URLs sent by either product are being used to gather statistics on the frequency of attacks or as a means of piracy detection. They certainly could be, if the vendors had a mind to do so.

--Brett Glass

At 12:40 AM 2/25/2000, Andrew Daviel wrote:
ZoneAlarm by zonelabs.com can export possibly sensitive data if the "More Info" button is clicked from an alert.

ZoneAlarm is a personal dynamic firewall for Windows 9x/NT. When a rule is triggered (typically an inbound connection to an unregistered or alarmed service) an alert box appears with a brief description of the event and a button labelled "More Info". When this is clicked a URL is passed to the user's Web browser sending information to Zone Labs' server for more detailed explanation.

Currently (version 2.0.26) the information passed includes:

  Source Address and Port
  Destination Address and Port
  Operating system version
  Firewall version
  Whether the connection was blocked
  The lock status of the firewall

All this information is sent in clear as an HTTP GET request (port 80). It could possibly be seen on the Internet in transit or in proxy logs, and may include information about machines on an internal network inside a corporate firewall.

The request itself could be blocked by ZoneAlarm, but it is likely that the setting for the Web browser would allow it to access the external network (Internet). It is fairly simple to edit the .EXE file to disable this feature, or to redirect it to a local server.

(IMO the benefits from using the product outweigh the risks of this data leak....)

Andrew Daviel
Vancouver Webpages etc.
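The leak Andrew describes (alert details, including internal addresses, carried in the query string of a cleartext GET) is exactly the kind of thing an administrator can spot in proxy logs. The script below is an added example, not code from the thread or from either vendor: it parses Squid-style access-log lines, pulls the query parameters out of every GET URL, and flags any value that is an RFC 1918, loopback or link-local IPv4 address. The log lines, the host name alerts.example.invalid and the parameter names (src, dst, sport, dport, os) are all constructed for the example; the page does not give the real parameter names either product used.

```python
"""Flag proxy-log GET requests whose query string carries internal IPv4
addresses, i.e. alert details leaving the network through a "More Info"
style URL.  All sample data below is constructed for this example."""

import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Constructed Squid access.log lines:
# time elapsed client code/status bytes method URL rfc931 peer type
SAMPLE_LOG = """\
951523200.123 45 10.1.2.3 TCP_MISS/200 512 GET http://alerts.example.invalid/info?src=203.0.113.7&sport=3133&dst=192.168.1.20&dport=139&os=NT4 - DIRECT/198.51.100.9 text/html
951523201.456 30 10.1.2.3 TCP_MISS/200 2048 GET http://www.example.invalid/index.html - DIRECT/198.51.100.10 text/html
951523202.789 40 10.1.2.9 TCP_MISS/200 600 GET http://alerts.example.invalid/info?src=10.1.2.9&sport=1045&dst=203.0.113.7&dport=80 - DIRECT/198.51.100.9 text/html
"""

# Explicit list rather than ipaddress's is_private, which also matches the
# documentation ranges (TEST-NET) used for the "external" hosts above.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(value):
    """True when value is an IPv4 address that should never leave the site."""
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:          # ports, OS strings, anything not dotted-quad
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_squid_line(line):
    """Return the client, method and URL fields of one access.log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "method": fields[5], "url": fields[6]}


def find_leaks(log_text):
    """Return (client, host, param, value) for every query parameter
    carrying an internal address in a GET request."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["url"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_internal(value):
                leaks.append((rec["client"], parts.hostname, name, value))
    return leaks


if __name__ == "__main__":
    for client, host, name, value in find_leaks(SAMPLE_LOG):
        print(f"{client} -> {host}: parameter {name!r} carries internal address {value}")
```

Run against the constructed log this reports two hits: the dst=192.168.1.20 parameter in the first request and the src=10.1.2.9 parameter in the third; the plain page fetch on the second line and the TEST-NET addresses in the other parameters are ignored. The same loop can be pointed at a real access.log to find any client-side tool that builds help URLs out of alert data.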
Current thread:
- Zonealarm exports sensitive data Andrew Daviel (Feb 24)
- Re: Zonealarm exports sensitive data Brett Glass (Feb 25)
- Re: Zonealarm exports sensitive data Robert Graham (Feb 28)