In version 1.96 they have fixed this, they said, so that logging is disabled by default.

From release notes:

RELEASE 1.9.6 (this release)

. Issue: ICEcap reporting can be inadvertently turned on without user knowledge.
  Resolution: Fixed. ICEcap reporting has been disabled on this release. The entries inadvertently added in blackice.ini are automatically removed by this version of BlackICE.

----- Original Message -----
From: Lampe, John W. <JWLAMPEat_private>
To: <BUGTRAQat_private>
Sent: Monday, February 28, 2000 1:30 PM
Subject: Re: Zonealarm exports sensitive data

> Actually blackICE defender version 1.8.2.6 does not send anything
> "sensitive" in nature. What I captured was such:
> 1) 3 way handshake
> 2) GET http://advice.networkice.com/advice/Intrusions/<number>
> 3) Error 302 ("Object Moved")
>    Location: <same as above but add "/" after <number>>
> 4) GET http://advice.networkice.com/advice/Intrusions/<number>/
> 5) page is sent.
>
> Can you tell me which version you're running?
>
> John Lampe
>
> ----------
> From: Brett Glass[SMTP:brettat_private]
> Reply To: Brett Glass
> Sent: Friday, February 25, 2000 8:17 PM
> To: BUGTRAQat_private
> Subject: Re: Zonealarm exports sensitive data
>
> It should be noted that BlackICE Defender, a competitive product,
> does precisely the same thing if one clicks on the "AdvICE" button.
> Since the attack information displayed by the program's graphical
> interface is quite brief (there's more in the log files, but
> only sophisticated users will know how to find and read them),
> users are strongly motivated to click the button.
>
> I do not know whether the URLs sent by either product are being
> used to gather statistics on the frequency of attacks or as a
> means of piracy detection. They certainly could be, if the vendors
> had a mind to do so.
>
> --Brett Glass
>
> At 12:40 AM 2/25/2000 , Andrew Daviel wrote:
>
> >ZoneAlarm by zonelabs.com can export possibly sensitive data if
> >the "More Info" button is clicked from an alert.
> >
> >ZoneAlarm is a personal dynamic firewall for Windows 9x/NT.
> >When a rule is triggered (typically an inbound connection to
> >an unregistered or alarmed service) an alert box appears with a brief
> >description of the event and a button labelled "More Info". When this
> >is clicked a URL is passed to the user's Web browser sending information
> >to Zone Labs' server for more detailed explanation.
> >
> >Currently (version 2.0.26) the information passed includes:
> >Source Address and Port
> >Destination Address and Port
> >Operating system version
> >Firewall version
> >Whether the connection was blocked
> >The lock status of the firewall
> >
> >All this information is sent in clear as an HTTP GET request (port 80).
> >
> >It could possibly be seen on the Internet in transit or in proxy logs, and
> >may include information about machines on an internal network inside a
> >corporate firewall. The request itself could be blocked by ZoneAlarm, but
> >it is likely that the setting for the Web browser would allow it to access
> >the external network (Internet).
> >
> >It is fairly simple to edit the .EXE file to disable this feature, or
> >to redirect it to a local server.
> >
> >(IMO the benefits from using the product outweigh the risks of this data
> >leak....)
> >
> >Andrew Daviel
> >Vancouver Webpages etc.
> >
>
> Thanks,
>
> John Lampe
>
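
An added example, not part of the original thread: a check a proxy administrator could run to spot the kind of leak described above, where internal (RFC 1918) addresses appear in the query string of outbound plain-HTTP GET requests. The log layout, host names and parameter names are constructed for illustration and are not the actual ZoneAlarm or BlackICE URL format.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines: "<client> <method> <url>". Hosts and parameter
# names are hypothetical; the thread does not give the real URL layout.
SAMPLE_LOG = """\
10.1.4.22 GET http://alerts.vendor.example/info?src=203.0.113.9:4431&dst=10.1.4.22:139&os=Win98&blocked=1
10.1.4.30 GET http://www.example.org/index.html?page=2
10.1.4.22 GET http://advice.vendor.example/lookup?id=2003101
10.1.4.41 GET http://cdn.example.net/a.js?cb=192.168.7.15
"""

# Explicit RFC 1918 ranges; ipaddress.is_private would also flag
# documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def internal_addresses(text):
    """Return the RFC 1918 IPv4 addresses that appear in text."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # dotted quad with an octet above 255
            continue
        if any(addr in net for net in RFC1918):
            found.append(candidate)
    return found

def find_leaks(log_text):
    """Return (client, host, parameter, address) for every internal address
    sent in the query string of an outbound plain-HTTP GET request."""
    leaks = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] != "GET":
            continue
        client, _, url = parts
        target = urlsplit(url)
        if target.scheme != "http":
            continue
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            for addr in internal_addresses(value):
                leaks.append((client, target.hostname, name, addr))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print("internal address in outbound URL:", leak)
```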
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:39 PDT