
Remote Denial of Service Vulnerability in BlackICE Products

Discussion in 'Security and Privacy' started by Arie, 2002/02/06.

Thread Status:
Not open for further replies.
  1. 2002/02/17
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I didn't know Kerio, and from a WHOIS on the domain name it seems they don't have any link with Tiny. Kerio is based in the Czech Republic, while Tiny is US based... But if you see the screenshots, I can't help but wonder what Tiny would say to that...
     
  2. 2002/02/17
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    A bit more info. The staff responsible for the development of TPF have seemingly departed Tiny and launched Kerio Technologies International. Tiny are to eventually replace TPF with a PF licensed from McAfee.

    This, by the way, is nothing other than hearsay. However, if you follow the WinRoute links on Tiny's homepage it leads you to the Kerio site so maybe it's correct.

    I've just installed KPF and have encountered no problems thus far.
     


  4. 2002/02/18
    Hulka

    Hulka Inactive

    Joined:
    2002/01/07
    Messages:
    330
    Likes Received:
    0
    Wow, just checked out TPF

    Guys, I must apologize. I just downloaded and checked out Tiny and it is light-years better than ZA from an administrative/customizable standpoint! Tiny is perfect for someone that knows what they're doing. Heck, even if they don't know what they're doing, just leave it set up in default fashion.
     
  5. 2002/02/18
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    I agree wholeheartedly :)
     
  6. 2002/02/18
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I was thinking about trying TPF also.

    But then I did some re-thinking.

    Would TPF and NIS live together peacefully or not was one thought.

    Knowing that I am on a three machine LAN and NIS seems to be protecting both it and the Internet nicely was next.

    Also being on Cable I don't believe it would be in my best interest to leave myself unprotected for an instant.

    Next came the realization that I already have the $$ invested.

    But, I am giving some serious thought as to what to try IF I get around to building another machine. ( being held up $$ wise )

    So right now it does not seem to be broke and I don't dare try to fix it. Not paying attention to that thought has been my downfall more than once.

    But if things do breakdown I have some very good ideas as to what to ( or not to ) try.

    BillyBob
     
  7. 2002/02/18
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Yes. But running two PFs together really is a waste of resources. If you're happy with your current setup, I'd say stick with it.

    BTW, still no issues with the Kerio installation!
     
  8. 2002/03/02
    thejackal

    thejackal Inactive

    Joined:
    2002/02/14
    Messages:
    11
    Likes Received:
    0
    Hi All

    I have had TPF for a while now and was waiting for KPF beta to settle down a bit. Now it seems to be on beta 5 and maybe it's time to upgrade.

    Kerio was formed by the Czech programmers who worked on it originally while working for Tiny. The whole thing blew up over a month ago, and the Tiny/Kerio list was awash with posts on the breakup, but it now seems clear that Kerio will continue developing the original Tiny and Tiny will make a dumbed down version of a firewall with McAfee - I know who I will stick with...

    and finally...

    Brett, this question must have been asked a million times before:

    for a millionth and one time - what does the "carbonundum thingy" mean???

    t2ul

    tHe jAcKAl

    ==================
    - life is a terminal illness -
    ==================
     
  9. 2002/03/03
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    I've encountered no problems at all with the most recent version of KPF.

    Don't let the bast**** grind you down.
     
  10. 2002/03/07
    DoctorDoom

    DoctorDoom Inactive

    Joined:
    2001/12/29
    Messages:
    189
    Likes Received:
    0
    For whatever reason, SG seems to have a personal thing for BID. His major complaint is that it won't block outgoing packets, which it's not designed to do. And, he has a love affair with ZA because it DOES.

    My point has always been, would the people who are most likely to have a Trojan on their boxes have any security software at all?

    Viruses are installed (primarily) by the user through incautious opening of infected executable files, or (rarely) by not keeping current with security updates for communication software. People who do not know about (or cannot be bothered with) even the most basic security precautions are NOT bloody likely to have a firewall of any kind.

    SG's rants about security are valid, but he's preaching to the choir. The people who most need to read such info don't go to his site and in all probability never heard of it.

    This is why his gripes about BlackICE ring hollow. Anyone with enough savvy about computer security to install a PF is very unlikely to have anything on his/her machine that needs to be stopped from phoning home.

    Complaining that a PF will not block trojans from calling out is rather like complaining that one's windows are not strong enough to prevent a burglar from leaving with his loot. The question is, how did the burglar (or the Trojan) gain entry in the first place?

    PFs are not digital prophylactics. Safe computing is 99% the responsibility of the user, and shouldn't rely on some piece of software to play nanny.
     
  11. 2002/03/07
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    WOW Doc... getting all philosophical? :D

    But yep, you are right.

    There's another big controversy right now about something SG "invented", but which has been around for a LONG time..... In the real security community SG hasn't any credit left (if he had any to begin with).

    He's been calling himself a security expert, but he has no background at all in the field. He just knows a bit how to "play" the media darling....
     
  12. 2002/03/07
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    SG can say all he wants to about ZA, BID, NIS or any other AV/Firewall. But how well it works still depends a great deal on the USER and how he sets it up.

    The best in the World improperly set up is USELESS.

    DoctorDoom

    What do you mean by Outgoing Packets ?

    Are you referring to something like WMP7 & Real Player always wanting to connect to the net so they can see what we have on our machines ?

    If that is what you are referring to then NIS tells them NO WAY JOSE !!.

    BillyBob
     
    Last edited: 2002/03/07
  13. 2002/03/07
    DoctorDoom

    DoctorDoom Inactive

    Joined:
    2001/12/29
    Messages:
    189
    Likes Received:
    0
    Internet communication is done through "packets", defined thusly:

    Packet

    Outgoing packets are the ones sent from our "client" machines to the Internet. They can originate from perfectly legitimate sources such as browsers, from "adware" that's installed along with "free" programs, or from unwelcome digital lifeforms such as Trojans (named, BTW, for the Trojan Horse because they conceal dangerous payloads in attractive or innocent-looking files).

    Brute-force PFs such as ZA announce every attempt by any program to connect to the internet, whether it's proper or not. This leaves the choice up to the user, who more often than not is not going to know for certain that such and such a program SHOULD be allowed to go outside.

    Better safe than sorry, probably, but PFs that block outgoing traffic will pass it according to the filename of the accepted program. This explains why some viruses install files with legit Windows names such as iexplore.exe. Once a firewall is told that a particular file is okay, any file with that filename is granted access.

    Another factor with simple firewalls is that when they are told that this or that port should be allowed to accept traffic, anything that comes their way addressed to the port will pass through unimpeded.

    For example, port 80 is used for TCP connections on servers. If a firewall leaves port 80 open... Code Red showed what happens. A machine infected with Red sends out packets to blocks of IP numbers, addressed to port 80. When it finds one, and the machine isn't patched, it infects the target machine, and that one proceeds to probe port 80 on other machines.

    The firewall assumes that anything addressed to port 80 is legitimate.

    BlackICE Defender is not a firewall per se, but rather is an "Intrusion Detection System". Unlike a firewall, an IDS trusts NOTHING, even if it's addressed to a standard port.

    An IDS analyzes every packet as it arrives, looking for patterns that earmark malicious code. If it finds one, it's dealt with, period.

    If I may be permitted a simile, a firewall is a security system that blocks every doorway to a building except a few selected ones, but allows anyone to go through them. An IDS stations guards at them, checking the credentials of everyone that arrives to see if they belong inside.

    BID is a semi-firewall in that it can block ports as required (total stealth on SG's "nanoprobes" and opaque to HackerWhacker's more extensive scan), and functions as an IDS on any that are allowed to receive data. BID also checks outbound packets for code that indicates that it comes from a trojan or other suspicious source for which it has been given patterns.

    BID does NOT report any attempts by programs to access the Net. That's SG's gripe. But, it's not designed to do so. If someone needs that facility, run ZA along with BID and get it all.

    I use BID in combination with a relatively old program called Guard Dog (from the 95 era) that DOES flag every program that tries to connect to the web, even those that try to sneak through via another one that has been granted access. It also serves a number of other functions such as monitoring for suspicious activity (trying to format a drive, e.g.), cookie blocking, personal data blocking, etcetera.
     
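An added example (not code from the thread or from any of the products discussed) that contrasts the two policies DoctorDoom describes above: a simple firewall that passes anything addressed to an open port, and an IDS that inspects each packet's payload against known patterns. The packets, addresses and signature are constructed for illustration; the signature is modelled on the widely published shape of the Code Red request he mentions.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # sender address (constructed sample value)
    dst_port: int   # destination port on our machine
    payload: bytes  # application data carried by the packet


def firewall_allows(pkt, open_ports):
    """Simple firewall: anything addressed to an open port passes unexamined."""
    return pkt.dst_port in open_ports


# Constructed signatures for the example, not any product's real rule set.
# Code Red probed port 80 with a request for an .ida resource followed by a
# long run of filler characters; that shape is what this pattern looks for.
SIGNATURES = {
    "ida-overflow-probe": re.compile(rb"GET /[^ ]*\.ida\?N{64,}"),
}


def ids_verdict(pkt, open_ports):
    """IDS layered on the port rule: ('blocked', why) if the port is closed,
    ('alert', signature) if the payload matches, else ('allowed', None).
    The open port buys no trust; the payload is inspected regardless."""
    if not firewall_allows(pkt, open_ports):
        return ("blocked", "closed port %d" % pkt.dst_port)
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return ("alert", name)
    return ("allowed", None)


# Constructed sample traffic: a normal web request, a Code Red style probe
# to the same port, and a NetBIOS session attempt to port 139.
SAMPLE = [
    Packet("203.0.113.7", 80, b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    Packet("203.0.113.9", 80, b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n"),
    Packet("203.0.113.11", 139, b"\x81\x00\x00\x44" + b"\x20" * 4),
]


def evaluate(packets, open_ports=frozenset({80})):
    """Return (src, firewall decision, IDS verdict) for every packet."""
    return [(p.src, firewall_allows(p, open_ports), ids_verdict(p, open_ports))
            for p in packets]


if __name__ == "__main__":
    for src, fw, (verdict, detail) in evaluate(SAMPLE):
        print(f"{src:14} firewall={'pass' if fw else 'drop'} ids={verdict} {detail or ''}")
```

The second packet is the point of the post: the port-based rule passes it exactly as it passes the first, and only payload inspection tells them apart.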
  14. 2002/03/07
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Thanks DD

    I have not digested it all yet but I will work on it.

    A question.

    Isn't this a reason why File and Printer Sharing should not be bound to TCP/IP?

    And now I see ICQ has added File Sharing to its list.

    Also doesn't ( or didn't ) ICQ hold a port open? 139, I think.

    WOW !!!!

    I just made a change in NIS reporting settings. And if I do not know what is trying to get out of this cage, it sure ain't NIS's fault :)


    BillyBob
     
    Last edited: 2002/03/07
  15. 2002/03/08
    DoctorDoom

    DoctorDoom Inactive

    Joined:
    2001/12/29
    Messages:
    189
    Likes Received:
    0
    From ICQ:

    ICQ Tour > Firewall Settings Center

    It would seem that ICQ isn't fussy about what it uses.

    Re port 139:

    Port 139

    Unless a person has a real use for printer/file sharing, this port should be closed, period. This can be done without a firewall.

    Go to Control Panel > Network. Click File and Print Sharing. Click to clear the check box for the sharing options you want to remove, and then click OK.
     