Robin Keir, the creator of the 'FireHole', talks about his program and Internet Security
November 23, 2001
The creator of FireHole, a tool that proves that the outbound filtering feature used by today's firewalls should be improved, answers PC Flank's questions
PC Flank:
Hi, tell PC Flank users about yourself. What is your occupation and
education? How did you get into security "business"?
Robin Keir:
I'm a self-taught programmer, dating back to my early teenage years where
we had a paper output teletype hooked up to the city's mainframe computer
via a 300 baud modem! I progressed through using various micro computers
and computer-related jobs and worked as a games programmer for several
years before becoming interested in network programming. My interest in
network programming naturally led to computer security and I wrote a
couple of tools for the Windows platform in my spare time and placed them
on my website. One of these programs, "SuperScan", a simple TCP port
scanner attracted a lot of attention, in particular it caught the eye of
the guys at Foundstone, a now well-known computer security firm. That's
how I "got into the security business". I love the work and I haven't
looked back.
PC Flank:
Why did you decide to create the "FireHole"?
Robin Keir:
Originally it was for my personal satisfaction and interest only, just to
prove that it could be done. Ever since Steve Gibson's LeakTest program
I'd realized there were most likely many other methods of easily defeating
the outbound monitoring ability of firewalls. In fact at that time I
definitely knew of a couple of other ways around the firewall but didn't
think it worthwhile making a fuss about. As I keep pointing out to people,
if you have a malicious program running on your computer it can have full
control over your firewall and is only limited by the proficiency of the
programmer, so the best a firewall vendor can do is try to plug the most
obvious problems.
PC Flank:
How do you see the future of the "FireHole"? Do you plan to continue
discovering new vulnerabilities?
Robin Keir:
I've made a few small tweaks to the program in recent days but I doubt
I'll work on it much more. As I mention at the end of the page on my
website (http://keir.net/firehole.html) there are plenty of other techniques that I am aware of and no doubt several more that I am not
aware of. I could go ahead and make a kind of compendium of exploits but
at the end of the day it doesn't really prove any more than the original
FireHole did, that there is always going to be a "way out".
PC Flank:
What would you recommend to firewall developers to improve the outbound
filtering feature?
Robin Keir:
I think maybe a little more effort needs to be placed on detecting a
malicious program's ability to communicate at lower levels than standard
network APIs provide. Several firewalls do not recognize raw socket
communications and others don't track even lower level (but
correspondingly less likely to occur in the wild) methods for sending
packets out. Common techniques used on large corporate firewalls can also
work on personal firewalls, such as sending data out on ports that are
traditionally used exclusively for other purposes such as name lookups on
UDP port 53. As previously mentioned there are many other simple
techniques that I'm sure they should already be aware of but have chosen
to ignore. Other than this they should concentrate on carefully monitoring
commonly used Internet enabled applications such as the web browser and
email programs by tracking how they can be transparently controlled by
other applications without the user's knowledge. I'm not sure how they'd
do this though.
PC Flank:
Should we consider the security hole (discovered by the FireHole) a
firewall vulnerability? Or maybe it is a browser security hole (or both
firewall and browsers)? Who in your opinion should address the
vulnerability (firewalls' developers, antivirus vendors or browsers' creators)?
Robin Keir:
I suppose it is more of a firewall vulnerability than anything else, but
even that is debatable. FireHole uses standard well-known Windows
functions to perform its job and so it is rather difficult to distinguish
between normal application behavior and undesired outbound communication.
It is definitely not a browser vulnerability. The only reason the web
browser is used by FireHole is that it is the most commonly used network
aware application likely to be used on a PC. I could just as easily have
used the system's email client or an instant messenger program to hide the
network activity.
Vulnerabilities like the one demonstrated by FireHole are best addressed
by a combination of safeguards. Since a firewall cannot hope to combat
every kind of outbound communication trickery, users should use antivirus
software to prevent and detect the malicious programs before they even get
a chance to run on your PC.
PC Flank:
What software do you use to secure your own PC? What's your favorite
security tool?
Robin Keir:
For my home PC network (OK, 3 PCs don't make much of a network I know!) I
am using a hardware Linksys router behind my cable modem. On my main PC
(Windows 2000 Professional) I run Tiny Personal Firewall, primarily for
the outbound detection ability (how ironic) since pretty much nothing bad
makes its way inbound through the router. For my needs I find TPF to be
the best compromise between stability and configurability and so could be
considered my favorite security tool (unless you want to include the
network scanner I have been developing for the last 6 months or so!).
I use NOD32 for my antivirus needs. It is very fast, accurate, stable and
above all doesn't require a 30 meg download and use 50% of your system's
resources (other AV vendors take note!).
I've also been playing around with SurfinGuard Pro to help monitor web
applications and potentially damaging programs. It works quite well so
far.
PC Flank:
How do you see the future of Internet Security? What is going to be
the major threat to Internet users?
Robin Keir:
Internet security is an evolving process. Just when you thought you were
secure along comes a new worm, or an email virus, or a new web server
vulnerability. Users have to stay on guard, up-to-date and educated. If
they can't manage to do that themselves then others should manage it for
them by providing them with easy to use tools and regular automatic
updates of their software and operating systems. It may sound conceited
but working in the computer security field I am constantly amazed at the
ineptitude of people who connect their systems up to the Internet without
a thought to security. If people placed the same emphasis on security to
their networked computers as they did to say their cars, by installing
alarms, locks and having it checked up on a regular basis, we'd all
benefit.
The next major threat to Internet users? When Microsoft buys AOL ;-)
Ignoring that, I think we'll see more worms making the rounds taking
advantage of more vulnerabilities in web servers, operating systems and
Internet applications. There is a concern that since so many systems have
been exploited by recent worm attacks (CodeRed, Nimda etc), blackhat
hackers have acquired a huge army of known vulnerable machines that they
now have at their disposal, all of which can be pointed to take down any
single system of their choosing such as a website or a router, at a
moment's notice. That is a disturbing thought.
Robin Keir
http://keir.net/