q000071

What are the RISKS involved using the product?

This article applies to: BlackICE Defender.

SUMMARY

The product includes extensive configuration options to fine-tune its behavior. There are trade-offs on either side of this issue. This article discusses many of these trade-offs.

DETAILS

The following is a comment from a customer posted to the well-regarded RISKS mailing list:

Date: 17 Oct 1999 03:48:31 GMT
From: "tlb" <tomeuchre@yahoo.com>
Subject: BlackICE Defender Security woes

I just recently purchased the BlackICE Defender program to protect my computer against internet hackers and other co-workers. While scanning the unprotected, unencrypted raw logs of the program, what do you think I found? The SMTP dialog between my mail program and my Mail server, complete with the account and password right out there in the open. Quite ironic that a company selling a product to ensure security and system integrity actually created a gaping hole. braz@mnw.net (a 2-day user of BlackICE Defender -- the product won't see 3 days on my machine).

RISK is a complicated thing to measure. Everything we do entails some risk. Breathing, drinking, eating, walking, crossing the street, etc. all entail risk. When analyzing behavior, one must weigh the various risks on either side (not breathing is rather riskier than the alternative).

The product is an "intrusion detection system" for the PC with a built-in "personal firewall". It scans network traffic looking for signs of intrusions, and blocks hostile traffic. This system includes a huge number of risks and counter-risks that go beyond the simple situation described in the posting above. The product ships in a state that we believe leaves the average home user best off, recognizing that the average home user won't really want to configure the system properly. Likewise, the system includes extensive configuration options that allow experts to configure the system and balance the trade-offs of risks on either side (in the example above, the user could simply turn off evidence logging).

The discussion below describes how we've thought through these risks:

RISK:
In the default configuration, Defender filters ports below 1024, but doesn't filter ports above that level. The trade-off is that if the firewall blocks high ports, the average consumer will perceive that lots of applications no longer work, and will uninstall the product rather than figure out the correct port settings. On the other hand, filtering low ports locks down inadvertent "features" users installed but really don't want (file sharing, SNMP, personal web server, etc.).

RISK:
The intrusion detection subsystem automatically locks out an intruder when it detects an intrusion. For example, if it detects one of the numerous hacks against Microsoft's Personal Web Server (PWS), it reconfigures the firewall subsystem to block the hostile IP. This means that if someone spoofs the IP address during an attack or if the system has a false-positive, incorrect firewall filters will be set and communications will break. For this reason, only obvious attacks that are near impossible to spoof trigger this response.

RISK:
Furthermore, automatic rules can cause problems over time as more and more get set; therefore Defender "times out" such rules (by default, after 24 hours). This means the intruder is locked out only temporarily. Again, this is a careful weighing of the risks on either side.
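The two lock-out trade-offs above (only hard-to-spoof intrusions set a rule, and every rule expires) in working form. This is an added illustration, not BlackICE code; the event fields, signature names and the "established" test for spoofability are constructed for the example.

```python
"""Added illustration (not BlackICE code): a time-limited auto-block table.

Only intrusions observed on an established TCP connection (hard to spoof)
create a rule, and every rule lapses after a TTL (24 hours by default), so
mistaken or stale blocks do not accumulate. Event fields are constructed.
"""
from dataclasses import dataclass, field

DEFAULT_TTL = 24 * 3600  # seconds; the article's default lock-out period


@dataclass
class Intrusion:
    src_ip: str
    signature: str          # constructed label, e.g. "pws-signature"
    established: bool       # seen inside a completed TCP handshake
    false_positive_prone: bool = False


@dataclass
class AutoBlockList:
    ttl: int = DEFAULT_TTL
    _expiry: dict = field(default_factory=dict)  # ip -> time the block lapses

    def should_block(self, ev: Intrusion) -> bool:
        """Only obvious attacks that are near impossible to spoof qualify."""
        return ev.established and not ev.false_positive_prone

    def record(self, ev: Intrusion, now: float) -> bool:
        """Add (or re-arm) a rule for the source; returns True if one was set."""
        if not self.should_block(ev):
            return False
        self._expiry[ev.src_ip] = now + self.ttl   # repeat offender: extend, not stack
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._expiry.get(ip)
        if until is None:
            return False
        if now >= until:             # rule has timed out: drop it, traffic flows again
            del self._expiry[ip]
            return False
        return True

    def active(self, now: float) -> list:
        """Sorted list of sources currently blocked."""
        return sorted(ip for ip, until in self._expiry.items() if until > now)
```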

RISK:
As the original poster noted, suspicious traffic is saved to the disk. If one is already engaging in the RISKy behavior of using clear-text passwords, this could exacerbate the problem. However, when people are hacked they generally have no idea how -- the only real solution is to capture the network traffic. Defender tries to save only suspicious looking traffic, but the RISK is that additional traffic could be inadvertently captured.

RISK:
Defender will scan the suspected intruder. Numerous risks here. Spoofed addresses will cause innocent people to be scanned, as well as misleading who the intruder is. This scan notifies the intruder that such a system exists, which means they can analyze the detection system and either try to go around it or attack it directly.

RISK:
Defender contains a very extensive protocol analysis module. Historically, on average the more complex a system, the more security vulnerabilities are found within the system. This means attackers can abuse the security system in order to compromise the computer. Most major firewall vendors (and other security software providers) have experienced such things in the past. Though it sounds bad, history has also shown that on the balance, security software does reduce risk overall, and that such problems have been minor.

RISK:
The product does a good job of detecting and blocking hackers. This causes two opposite problems: some users have a false sense of security, because they believe Defender "solves" the problem. Other users are shocked to discover how often hackers are probing their machine, and become very paranoid.

Summary:
An example reconfiguration might contain the following choices:

  • filter on all ports
  • lock out the intruder only for an hour
  • trigger automatic filters on most all intrusions, even those easily spoofed
  • save the last gigabyte of ALL traffic (not just the suspicious traffic)
  • scan intruders with simple scans that are similar to normal traffic

Other people choose opposite settings. Some don't want the firewall component (just the intrusion detection), so they filter on no ports. Some want the intruder to be locked out forever (and manually clean up incorrect entries), or not be locked out at all. Some (like the original poster) don't like the idea of logging network traffic to the disk in raw form. Some don't want to reveal the presence of the system, and therefore don't scan the intruders.
 
Keywords: RISK, RISKS 
Version:  all 
Fixed:    N/A 
Modified: 1999-11-03 