Langa Letter: Good And Bad Online Security Check-Ups
Fred Langa found some great sites for testing system and network security. Discover what you can learn about your system security just by pointing and clicking.
The idea is simple, elegant, and wonderful: You enlist the aid of a trusted external Web site to mount a safe, fake hack attack on your system, server, firewall, or online intrusion-detection system. The external site probes your online defenses, in much the same way a malicious hacker might.
But because the "attacking" site is benign, no harm befalls you. Instead, the site reports to you any security weaknesses it finds, so you can shore up those vulnerable points and prevent a real attack from succeeding.
A number of online sites perform just these kinds of tests, free or for a very modest cost. They'll probe your online defenses in depth, and help you pinpoint trouble spots. (We mentioned several in passing in the last column, "How Much Protection Is Enough?"). But some online security test sites fail to deliver.
Smells Like A Scam To Me
If you're attuned to cheesy, fear-mongering marketing tactics, you won't be surprised to learn that some security test sites overplay supposed vulnerabilities in your system in an attempt to drive sales of related security software.
Its security test page states, "Internet security is and always will be an important issue for anyone online. Click on the TEST SECURITY link below and if access is granted, your system is NOT SAFE."
The "Test Security" link brings you to a page that states "Access Granted," and then displays the contents of your hard drive. To the uninitiated, it looks as though the "security test" has found a way to peek at your files. Wow, better buy some security software, right?
Wrong. Beneath some page redirection and DHTML smoke and mirrors, the "test page" doesn't test anything at all. It simply issues a "file://c:/" command to your browser, which then locally (and harmlessly) displays your hard-drive contents. Nothing is sent to or from the remote site; the process is entirely self-contained within your PC. You can accomplish the same thing a lot less mysteriously simply by typing "file://c:/" in the address bar of your browser. Try it!
But again, to the uninitiated, it's frightening to see your hard-drive contents appear in your browser window.
You might think this a harmless prank, but I don't. That's because the site is using this ruse to scare users into buying a copy of Black Ice Defender, a personal firewall, supposedly to prevent this "vulnerability." (If you examine the site's sales URL, you'll see that the site owner is an "affiliate" of Network Ice, the publishers of Black Ice Defender. The site owner retains a percentage of any sales generated from the site.)
But no firewall--none at all--can or should prevent a browser from harmlessly displaying local files. Even with Black Ice (or any other firewall), a local "file://c:/" command still will display your local hard-drive contents, as it ought to.
So, unless there's something going on there that I'm totally missing (and I don't think I am), this "security test," from start to finish, is a scam designed to drive affiliate sales of a product that can't and won't address the security "problem" the site uncovers because the problem is fake to begin with!
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.