News
Commentary
2/16/2006
04:21 PM
Fred Langa
Fred Langa
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Langa Letter: Good And Bad Online Security Check-Ups

Fred Langa found some great sites for testing system and network security. Discover what you can learn about your system security just by pointing and clicking.

The idea is simple, elegant, and wonderful: You enlist the aid of a trusted external Web site to mount a safe, fake hack attack on your system, server, firewall, or online intrusion-detection system. The external site probes your online defenses, in much the same way a malicious hacker might.

But because the "attacking" site is benign, no harm befalls you. Instead, the site reports to you any security weaknesses it finds, so you can shore up those vulnerable points and prevent a real attack from succeeding.

A number of online sites perform just these kinds of tests, free or for a very modest cost. They'll probe your online defenses in depth, and help you pinpoint trouble spots. (We mentioned several in passing in the last column, "How Much Protection Is Enough?"). But some online security test sites fail to deliver.

Smells Like A Scam To Me
If you're attuned to cheesy, fear-mongering marketing tactics, you won't be surprised to learn that some security test sites overplay supposed vulnerabilities in your system in an attempt to drive sales of related security software.

Its security test page states, "Internet security is and always will be an important issue for anyone online. Click on the TEST SECURITY link below and if access is granted, your system is NOT SAFE."

The "Test Security" link brings you to a page that states "Access Granted," and then displays the contents of your hard drive. To the uninitiated, it looks as though the "security test" has found a way to peek at your files. Wow, better buy some security software, right?

Wrong. Beneath some page redirection and DHTML smoke and mirrors, the "test page" doesn't test anything at all. It simply issues a "file://c:/" command to your browser, which then locally (and harmlessly) displays your hard-drive contents. Nothing is sent to or from the remote site; the process is entirely self-contained within your PC. You can accomplish the same thing a lot less mysteriously simply by typing "file://c:/" in the address bar of your browser. Try it!

But again, to the uninitiated, it's frightening to see your hard-drive contents appear in your browser window.

You might think this a harmless prank, but I don't. That's because the site is using this ruse to scare users into buying a copy of Black Ice Defender, a personal firewall, supposedly to prevent this "vulnerability." (If you examine the site's sales URL, you'll see that the site owner is an "affiliate" of Network Ice, the publishers of Black Ice Defender. The site owner retains a percentage of any sales generated from the site.)

But no firewall--none at all--can or should prevent a browser from harmlessly displaying local files. Even with Black Ice (or any other firewall), a local "file://c:/" command still will display your local hard-drive contents, as it ought to.

So, unless there's something going on there that I'm totally missing (and I don't think I am), this "security test," from start to finish, is a scam designed to drive affiliate sales of a product that can't and won't address the security "problem" the site uncovers because the problem is fake to begin with!

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.