Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation

November 08, 2001
BlackICE Technical Support Latest Response
A recent BlackICE purchaser was understandably concerned over my negative evaluation and recent experiences with BlackICE Defender. So he wrote to BlackICE Technical Support about his concerns and reportedly received the following reply:

Dear Customer, BlackICE Defender is not just a firewall. Its primary function is that of an intrusion detection system. BlackICE Defender is, in reality, a "hybrid" between intrusion detection and firewall protection. As such, it uses several entirely different methods to secure your system than the methods used by other "firewall only" products. The underlying technology of any "firewall only" product is the same. No matter which product you are using, the method used to protect the system is identical: block the traffic at the port level. BlackICE Defender combines firewall technology with intrusion detection technology. This means that BlackICE uses more than one method to protect your system. BlackICE monitors/inspects the actual traffic, as well as employing port blocking, in order to detect malicious traffic and provide more complete security for your system.

BlackICE does not currently prevent outgoing connections or traffic except in cases where these connections are caused by unsolicited incoming traffic, or are otherwise deemed "dangerous/suspicious" traffic by the BlackICE program. When the user (you) initiates an Internet connection, BlackICE assumes that you are aware of the exchange of information, and approve of it. In most cases, this assumption is correct (when you ask for information from a particular website for example).

The leaktest is a specific program designed to test the "User-Initiated Outbound Blocking" feature of certain personal firewalls. It is not a generic hacker test, nor is it a test of your computer's security. In fact, leaktest does not do anything malicious. If it was a hacker program, we would add it to the list of detected Trojans, just like we detect Back Orifice and SubSeven.

Because the user initiates the connection with the GRC site, BlackICE will not prevent information from being exchanged between your system and GRC, any more than it would prevent information exchanges between your system and any other website. (To do so would drastically interfere with your ability to "surf" the Internet freely.) What happens is this:

1) You contact the GRC site and ask it to perform the "leaktest".
2) The site asks you for certain information. This is the same information that any other website asks for when you ask it for information (when you do a search on Yahoo, when you download something from a friend's website, when you ask for a price from a travel site, etc.).
3) Your system sends the information it was asked for. (This information is rather like confirming your "return address". It is needed to allow the exchange to proceed smoothly.)

Under normal circumstances, you would then receive the information you asked for, and think nothing further about what just happened. With leaktest however, what you receive is this "dire warning" about how your system has been "compromised", when it was really just doing what it was designed to do!

Firewalls with outbound blocking only protect against Trojan horse programs, and then they only work if the user knows enough to recognize the program as a dangerous program. Standard personal firewalls without intrusion detection cannot stop 100's of other hacker attacks that do not use Trojan horses.

BlackICE looks at the actual incoming TRAFFIC (not just the name of the program) to determine whether that traffic is dangerous/suspicious.

BlackICE monitors incoming and outgoing traffic on your system, and analyzes that traffic looking for anything malicious that could compromise your system. This is the primary task of an Intrusion Detection System, and is something that simple firewalls cannot provide.

We have been considering adding "User-Initiated Outbound Blocking" (which is what leaktest is meant to check for) to BlackICE for some time. However, no date has been set for this addition. Part of the problem is that we want to be able to give our customers as much information about the outgoing transmission as possible (to keep novice users from having to "guess" about what to allow and what to block). This requires creating a user interface that is somewhat more sophisticated than the simple interface that most firewalls provide for this feature.

You should know that the "threat" that the leaktest program supposedly exposes can be GREATLY reduced by using "safe computing practices". These include not running any program sent to you by an unknown or unfamiliar source; not running programs sent to you by friends and acquaintances that you did not specifically request; exercising caution when downloading shareware or freeware programs, particularly from "catch-all" or "warez" sites; using passwords on all shared resources; and installing and regularly updating a good virus-protection program. Most (if not all) of these programs gain access to a system by "conning" the USER into downloading them onto the system. Informing and educating yourself about these programs is still the first (and best) line of defence.

The "Shields Up" test that is available on the same GRC website is a much more comprehensive test of your system's security. Other excellent scan sites are http://www.dslreports.com/ and http://www.hackerwhacker.com:4000/startdemo.dyn?answer=firewall. Please let us know if you have further questions.

Regards,
Trish M.
BlackICE Technical Support
Support-L1@networkice.com
Knowledge Base: http://advice.networkice.com/Advice/Support/KB/
FAQ: http://www.networkice.com/html/faqs.html

November 8, 2001
My Reply to This BlackICE Customer
Hi Dave,

Thanks for forwarding ISS/NetworkICE's latest response. It's a much more thorough and clear reply than they have generated before. At one point I saw "Trish M." quoted as asking: "Why does everyone believe everything Steve Gibson says?" <<grin>>

What they are essentially saying now — in your note from them — is that BlackICE Defender responds only to outbound replies initiated from external intrusion attempts.

I have two problems with this: First, any good firewall will prevent external intrusion. PERIOD. So why would there be a successful external intrusion attempt that was able to reach some software running in your computer in the first place? The truth is, if you don't allow a Trojan to get into your machine then even a PC *without* a firewall is completely safe against external attacks. It's not as if any computer can somehow be "penetrated" by aiming a sharp pointy Internet packet at it unless you have a firewall. That's just not the case. In my opinion, the threat from "internal extrusion" of personal and private information (something inside connecting outside) is actually much greater than from "external intrusion". Sure, PCs on the Internet are being scanned all the time, but so what? There's no way for them to get in — even without any firewall on a properly configured machine. Being "Stealth" is cool, but *any* firewall does that for you.

Second, BlackICE is stating that they are not doing anything about "The Spyware Problem" ... where some malicious software (malware) in your machine decides to send stuff out or even to connect up to remote servers in order to wait for orders. If you don't think "Spyware" is a problem for computer users, take a look at what Google has on "Spyware" ...

http://www.google.com/search?q=Spyware

... and look at all of the types of Spyware now being handled by our favorite anti-spyware program, LavaSoft's "Ad-Aware": Adware, Alexa 1.0-5.0, Aureate v1.0,2.0 + 3.0, Comet Cursor v1.0 and v2.0, Cydoor, Doubleclick, DSSAgent, EverAd, EzUla, Expedioware, Flyswat, Gator, Hotbar 1+2, OnFlow, TimeSink v1.0,v2.0 and v5.0, Web3000, Webhancer, Transponder, Wnad and more... (updated regularly)

Finally, the ZoneLabs people who make the FREE ZoneAlarm firewall receive about 5,000 pieces of eMail PER DAY from people using ZoneAlarm when that bi-directional personal firewall detects something evil in their computer trying to "phone home". By comparison, the BlackICE Defender folks probably receive many fewer pieces of such eMail — if any at all — since, as explained in Trish's note, BlackICE lets any such Spyware freely communicate outbound without any supervision, detection, or blocking.

Given the terrific completely free personal firewalls that offer much better protection than BlackICE Defender, it's difficult to forgive BID for its lack of outbound protection.

All the best,
Steve Gibson.
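The two outbound policies the letters above contrast, as an added example that is not part of the original correspondence and not code from GRC or Network ICE: a toy Python model of the "block outbound only when it answers unsolicited inbound traffic" behaviour the support reply describes, beside a per-application outbound check, both run over a constructed connection log (the process names, hosts and events are made up for illustration).

```python
# Added example, not GRC's or Network ICE's code: a toy model of the two outbound
# policies discussed above. Process names, hosts and the event log are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    direction: str  # "out": local program opens a connection; "in": packet arrives
    process: str    # local program owning the socket ("" for inbound packets)
    remote: str     # remote host
    port: int

class InboundTriggeredPolicy:
    """Behaviour described in the support reply: any program may connect out;
    outbound traffic is blocked only when it answers unsolicited inbound traffic."""
    def __init__(self):
        self.flows = set()    # (remote, port) connections opened from inside
        self.probers = set()  # remote hosts that sent unsolicited traffic
    def decide(self, e):
        if e.direction == "in":
            if (e.remote, e.port) in self.flows:
                return "allow"        # reply to a connection we opened
            self.probers.add(e.remote)
            return "block"            # unsolicited probe: dropped ("stealth")
        if e.remote in self.probers:
            return "block"            # outbound caused by an intruder's probe
        self.flows.add((e.remote, e.port))
        return "allow"                # program identity is never consulted

class PerApplicationPolicy(InboundTriggeredPolicy):
    """Bi-directional personal firewall: same inbound handling, plus every
    outbound connection is tied to the program that opens it."""
    def __init__(self, approved):
        super().__init__()
        self.approved = approved      # programs the user has already allowed
    def decide(self, e):
        if e.direction == "out" and e.process not in self.approved:
            return "prompt"           # unknown program trying to "phone home"
        return super().decide(e)

def run(policy, events):
    return [policy.decide(e) for e in events]

SAMPLE = [  # constructed connection log
    Event("out", "browser.exe", "grc.com", 80),        # user surfs to GRC
    Event("in", "", "grc.com", 80),                    # GRC's reply comes back
    Event("in", "", "203.0.113.5", 139),               # unsolicited NetBIOS probe
    Event("out", "leaktest.exe", "grc.com", 80),       # LeakTest connects out itself
    Event("out", "adbot.exe", "tracker.example", 80),  # spyware calling home
]
```

Running both policies over SAMPLE shows the first passing the LeakTest and spyware connections as "allow" while the second returns "prompt" for them, which is the difference the scoreboard measures.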

Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.

Last Edit: Oct 06, 2003 at 14:29