News
Commentary
2/16/2006
04:21 PM
Fred Langa
Fred Langa
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Langa Letter: Good And Bad Online Security Check-Ups

Fred Langa found some great sites for testing system and network security. Discover what you can learn about your system security just by pointing and clicking.

The idea is simple, elegant, and wonderful: You enlist the aid of a trusted external Web site to mount a safe, fake hack attack on your system, server, firewall, or online intrusion-detection system. The external site probes your online defenses, in much the same way a malicious hacker might.

But because the "attacking" site is benign, no harm befalls you. Instead, the site reports to you any security weaknesses it finds, so you can shore up those vulnerable points and prevent a real attack from succeeding.

A number of online sites perform just these kinds of tests, free or for a very modest cost. They'll probe your online defenses in depth, and help you pinpoint trouble spots. (We mentioned several in passing in the last column, "How Much Protection Is Enough?"). But some online security test sites fail to deliver.

Smells Like A Scam To Me
If you're attuned to cheesy, fear-mongering marketing tactics, you won't be surprised to learn that some security test sites overplay supposed vulnerabilities in your system in an attempt to drive sales of related security software.

Its security test page states, "Internet security is and always will be an important issue for anyone online. Click on the TEST SECURITY link below and if access is granted, your system is NOT SAFE."

The "Test Security" link brings you to a page that states "Access Granted," and then displays the contents of your hard drive. To the uninitiated, it looks as though the "security test" has found a way to peek at your files. Wow, better buy some security software, right?

Wrong. Beneath some page redirection and DHTML smoke and mirrors, the "test page" doesn't test anything at all. It simply issues a "file://c:/" command to your browser, which then locally (and harmlessly) displays your hard-drive contents. Nothing is sent to or from the remote site; the process is entirely self-contained within your PC. You can accomplish the same thing a lot less mysteriously simply by typing "file://c:/" in the address bar of your browser. Try it!

But again, to the uninitiated, it's frightening to see your hard-drive contents appear in your browser window.

You might think this a harmless prank, but I don't. That's because the site is using this ruse to scare users into buying a copy of Black Ice Defender, a personal firewall, supposedly to prevent this "vulnerability." (If you examine the site's sales URL, you'll see that the site owner is an "affiliate" of Network Ice, the publishers of Black Ice Defender. The site owner retains a percentage of any sales generated from the site.)

But no firewall--none at all--can or should prevent a browser from harmlessly displaying local files. Even with Black Ice (or any other firewall), a local "file://c:/" command still will display your local hard-drive contents, as it ought to.

So, unless there's something going on there that I'm totally missing (and I don't think I am), this "security test," from start to finish, is a scam designed to drive affiliate sales of a product that can't and won't address the security "problem" the site uncovers because the problem is fake to begin with!

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 20, 2014
CIOs need people who know the ins and outs of cloud software stacks and security, and, most of all, can break through cultural resistance.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.