Re: Zonealarm exports sensitive data

From: Dino Amato (slayer67at_private)
Date: Wed Mar 01 2000 - 04:15:50 PST


    In version 1.96 they have fixed this, they said, so that logging is disabled by
    default.
    From release notes.
    
    RELEASE 1.9.6 (this release)
    
    . Issue:  ICEcap reporting can be inadvertently turned on without
      user knowledge.
    
      Resolution:  Fixed.  ICEcap reporting has been disabled on this
      release.  The entries inadvertently added in blackice.ini are
      automatically removed by this version of BlackICE.
    
    ----- Original Message -----
    From: Lampe, John W. <JWLAMPEat_private>
    To: <BUGTRAQat_private>
    Sent: Monday, February 28, 2000 1:30 PM
    Subject: Re: Zonealarm exports sensitive data
    
    
    > Actually blackICE defender version 1.8.2.6 does not send anything
    > "sensitive" in nature.  What I captured was such:
    > 1) 3 way handshake
    > 2) GET http://advice.networkice.com/advice/Intrusions/<number>
    > 3) Error 302 ("Object Moved")
    >     Location: <same as above but add "/" after <number>  >
    > 4) GET http://advice.networkice.com/advice/Intrusions/<number>/
    > 5) page is sent.
    >
    > Can you tell me which version you're running?
    >
    > John Lampe
    >
    > ----------
    > From: Brett Glass[SMTP:brettat_private]
    > Reply To: Brett Glass
    > Sent: Friday, February 25, 2000 8:17 PM
    > To: BUGTRAQat_private
    > Subject: Re: Zonealarm exports sensitive data
    >
    > It should be noted that BlackICE Defender, a competitive product,
    > does precisely the same thing if one clicks on the "AdvICE" button.
    > Since the attack information displayed by the program's graphical
    > interface is quite brief (there's more in the log files, but
    > only sophisticated users will know how to find and read them),
    > users are strongly motivated to click the button.
    >
    > I do not know whether the URLs sent by either product are being
    > used to gather statistics on the frequency of attacks or as a
    > means of piracy detection. They certainly could be, if the vendors
    > had a mind to do so.
    >
    > --Brett Glass
    >
    > At 12:40 AM 2/25/2000 , Andrew Daviel wrote:
    >
    > >ZoneAlarm by zonelabs.com can export possibly sensitive data if
    > >the "More Info" button is clicked from an alert.
    > >
    > >ZoneAlarm is a personal dynamic firewall for Windows 9x/NT.
    > >When a rule is triggered (typically an inbound connection to
    > >an unregistered or alarmed service) an alert box appears with a brief
    > >description of the event and a button labelled "More Info". When this
    > >is clicked a URL is passed to the user's Web browser sending information
    > >to Zone Labs' server for more detailed explanation.
    > >
    > >Currently (version 2.0.26) the information passed includes:
    > >Source Address and Port
    > >Destination Address and Port
    > >Operating system version
    > >Firewall version
    > >Whether the connection was blocked
    > >The lock status of the firewall
    > >
    > >All this information is sent in clear as an HTTP GET request (port 80).
    > >
    > >It could possibly be seen on the Internet in transit or in proxy logs, and
    > >may include information about machines on an internal network inside a
    > >corporate firewall. The request itself could be blocked by ZoneAlarm, but
    > >it is likely that the setting for the Web browser would allow it to access
    > >the external network (Internet).
    > >
    > >It is fairly simple to edit the .EXE file to disable this feature, or
    > >to redirect it to a local server.
    > >
    > >(IMO the benefits from using the product outweigh the risks of this data
    > >leak....)
    > >
    > >Andrew Daviel
    > >Vancouver Webpages etc.
    >
    >
    >
    > Thanks,
    >
    > John Lampe
    >
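
The exposure described in the thread (alert details, including internal addresses, sent in a clear-text HTTP GET and left in proxy logs) can be audited from the proxy side. The following is an added example, not part of the original messages or of either vendor's software; the log layout, host names and query parameter names are constructed, since the thread does not give the real URL format.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines: client, method, URL. Hosts and parameter
# names are hypothetical; the thread does not show the real URL layout.
SAMPLE_LOG = """\
10.1.4.22 GET http://alerts.example.invalid/info?src=203.0.113.9&sport=4021&dst=10.1.4.22&dport=139&os=Win98&blocked=1
10.1.4.30 GET http://www.example.invalid/index.html
10.1.4.31 GET http://alerts.example.invalid/info?ref=192.168.7.15:31337&ver=2.0.26
10.1.4.40 GET http://search.example.invalid/q?term=999.1.1.1
"""

# Address ranges treated as "internal" for this audit (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quad not embedded in a longer dotted/numeric token.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def internal_addresses(value):
    """Return the RFC 1918 IPv4 addresses that appear inside value."""
    found = []
    for candidate in IPV4.findall(value):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue  # looks like a dotted quad but is not an address
        if any(addr in net for net in INTERNAL_NETS):
            found.append(str(addr))
    return found

def audit(log_text):
    """Return (client, host, param, address) for each internal address
    carried in the query string of an outbound GET request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "GET":
            continue
        client, _, url = parts
        split = urlsplit(url)
        for name, value in parse_qsl(split.query, keep_blank_values=True):
            for addr in internal_addresses(value):
                findings.append((client, split.hostname, name, addr))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("internal address in outbound query: %s -> %s %s=%s" % finding)
```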
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:39 PDT