Langa Letter: Good And Bad Online Security Check-Ups - InformationWeek
Fred Langa

Langa Letter: Good And Bad Online Security Check-Ups

Fred Langa found some great sites for testing system and network security. Discover what you can learn about your system security just by pointing and clicking.

The idea is simple, elegant, and wonderful: You enlist the aid of a trusted external Web site to mount a safe, fake hack attack on your system, server, firewall, or online intrusion-detection system. The external site probes your online defenses, in much the same way a malicious hacker might.

But because the "attacking" site is benign, no harm befalls you. Instead, the site reports to you any security weaknesses it finds, so you can shore up those vulnerable points and prevent a real attack from succeeding.

A number of online sites perform just these kinds of tests, free or for a very modest cost. They'll probe your online defenses in depth and help you pinpoint trouble spots. (We mentioned several in passing in the last column, "How Much Protection Is Enough?") But some online security test sites fail to deliver.

Smells Like A Scam To Me
If you're attuned to cheesy, fear-mongering marketing tactics, you won't be surprised to learn that some security test sites overplay supposed vulnerabilities in your system in an attempt to drive sales of related security software.

Its security test page states, "Internet security is and always will be an important issue for anyone online. Click on the TEST SECURITY link below and if access is granted, your system is NOT SAFE."

The "Test Security" link brings you to a page that states "Access Granted," and then displays the contents of your hard drive. To the uninitiated, it looks as though the "security test" has found a way to peek at your files. Wow, better buy some security software, right?

Wrong. Beneath some page redirection and DHTML smoke and mirrors, the "test page" doesn't test anything at all. It simply issues a "file://c:/" command to your browser, which then locally (and harmlessly) displays your hard-drive contents. Nothing is sent to or from the remote site; the process is entirely self-contained within your PC. You can accomplish the same thing a lot less mysteriously simply by typing "file://c:/" in the address bar of your browser. Try it!

But again, to the uninitiated, it's frightening to see your hard-drive contents appear in your browser window.

You might think this a harmless prank, but I don't. That's because the site is using this ruse to scare users into buying a copy of Black Ice Defender, a personal firewall, supposedly to prevent this "vulnerability." (If you examine the site's sales URL, you'll see that the site owner is an "affiliate" of Network Ice, the publishers of Black Ice Defender. The site owner retains a percentage of any sales generated from the site.)

But no firewall--none at all--can or should prevent a browser from harmlessly displaying local files. Even with Black Ice (or any other firewall), a local "file://c:/" command still will display your local hard-drive contents, as it ought to.

So, unless there's something going on there that I'm totally missing (and I don't think I am), this "security test," from start to finish, is a scam designed to drive affiliate sales of a product that can't and won't address the security "problem" the site uncovers because the problem is fake to begin with!
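
To check a "security test" page for the "file://c:/" trick described above, the following added example (not code from the original article or from the site it describes) scans a page's markup for links, meta refreshes, and script redirects that point at a local file: URL. The sample markup, the function names, and the shop.example address are constructed for illustration.

```javascript
// Added example: flag "security test" pages whose links or redirects only
// point the browser at a local file: URL, which sends nothing to the remote site.
// SAMPLE_PAGE is constructed for illustration; it is not the real site's markup.
const SAMPLE_PAGE = `
<html><head>
<meta http-equiv="refresh" content="2; url=file://c:/">
</head><body>
<a href="test2.html">TEST SECURITY</a>
<a href="FILE:///C:/">Access Granted</a>
<script>window.location = "file://c:/";</script>
<a href="https://shop.example/buy?affiliate=123">Buy a firewall</a>
</body></html>`;

// The three places a navigation target can hide in simple markup.
const TARGET_PATTERNS = [
  { kind: "link", re: /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi },
  { kind: "meta-refresh",
    re: /<meta\b[^>]*\bcontent\s*=\s*["'][^"']*?url\s*=\s*([^"'\s>]+)/gi },
  { kind: "script-redirect", re: /location(?:\.href)?\s*=\s*["']([^"']+)["']/gi },
];

// Collect every navigation target and mark those that stay on the local machine.
function findNavigationTargets(html) {
  const found = [];
  for (const { kind, re } of TARGET_PATTERNS) {
    for (const m of html.matchAll(re)) {
      const target = m[1].trim();
      // URL schemes are case-insensitive, so FILE: counts as file:.
      found.push({ kind, target, local: /^file:/i.test(target) });
    }
  }
  return found;
}

function summarize(html) {
  const targets = findNavigationTargets(html);
  const local = targets.filter((t) => t.local);
  return {
    total: targets.length,
    localOnly: local.map((t) => `${t.kind}: ${t.target}`),
    // A "test" that ends at file: never probes the machine from outside.
    verdict: local.length > 0 ? "local-display-trick" : "no-local-navigation",
  };
}

console.log(summarize(SAMPLE_PAGE));
```

A page that earns the "local-display-trick" verdict is only asking the browser to show its own disk, so its result says nothing about exposure to the network.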
