Langa Letter: Good And Bad Online Security Check-Ups - InformationWeek
04:21 PM
Fred Langa
Fred Langa

Langa Letter: Good And Bad Online Security Check-Ups

Fred Langa found some great sites for testing system and network security. Discover what you can learn about your system security just by pointing and clicking.

The idea is simple, elegant, and wonderful: You enlist the aid of a trusted external Web site to mount a safe, fake hack attack on your system, server, firewall, or online intrusion-detection system. The external site probes your online defenses, in much the same way a malicious hacker might.

But because the "attacking" site is benign, no harm befalls you. Instead, the site reports to you any security weaknesses it finds, so you can shore up those vulnerable points and prevent a real attack from succeeding.

A number of online sites perform just these kinds of tests, free or for a very modest cost. They'll probe your online defenses in depth, and help you pinpoint trouble spots. (We mentioned several in passing in the last column, "How Much Protection Is Enough?"). But some online security test sites fail to deliver.

Smells Like A Scam To Me
If you're attuned to cheesy, fear-mongering marketing tactics, you won't be surprised to learn that some security test sites overplay supposed vulnerabilities in your system in an attempt to drive sales of related security software.

Its security test page states, "Internet security is and always will be an important issue for anyone online. Click on the TEST SECURITY link below and if access is granted, your system is NOT SAFE."

The "Test Security" link brings you to a page that states "Access Granted," and then displays the contents of your hard drive. To the uninitiated, it looks as though the "security test" has found a way to peek at your files. Wow, better buy some security software, right?

Wrong. Beneath some page redirection and DHTML smoke and mirrors, the "test page" doesn't test anything at all. It simply issues a "file://c:/" command to your browser, which then locally (and harmlessly) displays your hard-drive contents. Nothing is sent to or from the remote site; the process is entirely self-contained within your PC. You can accomplish the same thing a lot less mysteriously simply by typing "file://c:/" in the address bar of your browser. Try it!

But again, to the uninitiated, it's frightening to see your hard-drive contents appear in your browser window.

You might think this a harmless prank, but I don't. That's because the site is using this ruse to scare users into buying a copy of Black Ice Defender, a personal firewall, supposedly to prevent this "vulnerability." (If you examine the site's sales URL, you'll see that the site owner is an "affiliate" of Network Ice, the publishers of Black Ice Defender. The site owner retains a percentage of any sales generated from the site.)

But no firewall--none at all--can or should prevent a browser from harmlessly displaying local files. Even with Black Ice (or any other firewall), a local "file://c:/" command still will display your local hard-drive contents, as it ought to.

So, unless there's something going on there that I'm totally missing (and I don't think I am), this "security test," from start to finish, is a scam designed to drive affiliate sales of a product that can't and won't address the security "problem" the site uncovers because the problem is fake to begin with!

1 of 3
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll