Make Your PC Hacker-Proof
It was getting late, so Jim Jarrard, president of Cinenet, a stock film footage company in Simi Valley, California, decided to leave his computer on overnight to finish downloading a big file. While Jarrard was gone, a hacker accessed his PC over its DSL Internet connection and loaded a program giving the intruder power to commandeer Jarrard's computer, steal valuable film files, and erase the system's hard drives.
Allan Soifer, an Ottawa, Ontario, electronic mailing list administrator, didn't realize a distant hacker had been scanning his home PC for hours. The hacker had found a way in and needed only a password to access Soifer's files. So he pelted the machine with computer-generated words, hoping for a lucky match. Fortunately, neither of the hackers got the goods.
Jarrard escaped catastrophe because a frozen system and an error message the next morning told him something was wrong. He spent two weeks investigating the problem (and learning more than he wanted to know about hacking) before realizing that he would have to back up his data files and reformat the hard drive to delete the hacker's self-replicating program. Finally, he installed personal firewall software to guard against future attacks.
Soifer was luckier. Before the attack, he had visited
Hackers come in all flavors. Many are simply curious folks who want to find out how a program or system works. They may not do any harm, and some even provide a service by discovering programming bugs and helping fix them. But malicious or criminal hackers use their skills for devious purposes. Criminal hacking incidents can range from obnoxious to destructive. The latter category includes "denial-of-service" attacks--like those that shut down Internet sites eBay and Yahoo last February when hackers bombarded the sites with data and caused the companies' servers to crash. Is your PC likely to suffer such a massive attack? If you're an individual or small-business user, probably not.
Hacking individual PCs remains a fairly rare phenomenon. Your chances of suffering some type of Internet vandalism are rising, however, especially if you have an uninterrupted, dedicated connection like DSL or cable modem. Fortunately, you can take some simple steps to protect yourself. For most Internet users, changing a few settings, installing a good personal firewall, maintaining updated antivirus software, and using common sense will provide reasonable protection for a small cost.
How do malicious hackers cause damage? They have access to increasingly sophisticated automated software tools that scour the Internet for vulnerable PCs. The tools locate an individual machine by its Internet Protocol address, a unique number that identifies a computer on the Net. Most computers equipped with dial-up connections have dynamic IP addresses: The Internet service provider assigns them a new IP address each time their users log on. By contrast, most high-speed connections, like DSL and cable modems, use constant or "static" IP addresses. In the unlikely event that a hacker decides to target you specifically, such a static address makes it easier to track you down.
An IP address identifies a computer but doesn't provide a way inside. To get in, the hacker must find an open port, or connection point. Think of an IP address as a computer's switchboard number and a port as an individual phone extension. Software on your PC creates ports to allow specific networking functions. Web access, for example, generally uses port 80, while FTP runs through port 21. Once they've targeted an IP address, hackers scan the machine for open ports, as happened to Allan Soifer.
Malicious hackers may also trick users into opening ports by sending
So how can Windows users protect themselves? Before you install any new software, you should perform some simple housekeeping on your operating system to make it safer. The first step is to check the Microsoft Web site for security updates and patches. If you have Windows 9x, Windows NT, or Windows 2000 Professional, point your browser to the
In addition, David Ursino, Microsoft's product manager for the new Windows Millennium Edition, recommends disabling the File and Printer Sharing option that provides other computers access to a machine running any version of Windows.
Another way you can protect yourself is to use software that blocks Trojan horse programs. Any good antivirus package is designed to identify Trojan horses, but you must keep it up-to-date to defeat the latest subterfuges. You should also make sure your e-mail program is not set to open attachments automatically. And never open an attachment that you don't recognize or that comes from an unknown source.
These measures alone, though, will guarantee security for only a minority of PC users. "Unless you've installed your system from scratch, there's no way of knowing just how secure it really is," says Stuart McClure, coauthor
Personal firewall software goes a step beyond the basic precautions. Like expensive and complex corporate-level firewalls, these affordable and simple products promise to repel intruders by monitoring incoming and outgoing Internet traffic and alerting you to possible dangers. To learn more about how firewalls
The perfect personal firewall would be inexpensive and easy to install and use, would offer clearly explained configuration options, would hide all ports to make your PC invisible to scans, would protect your system from all attacks, would track all potential and actual threats, would immediately alert you to serious attacks, and would ensure nothing unauthorized entered or left your PC. Only two products come reasonably close to meeting that ideal: Network ICE's $40 BlackICE Defender 1.9 and Zone Labs' ZoneAlarm 2.1, which is free for home users and nonprofit organizations. Though neither package is perfect, each has strengths that will make it attractive to particular users. Ultimately, we decided that these two products should share the title of Best Buy.
McAfee.com's Personal Firewall ($40) and Symantec's Norton Personal Firewall 2000 version 2 ($50) fall into the second tier of products. Sybergen Networks' Secure Desktop 2.1 ($30) performed unimpressively in our tests and didn't provide sufficient feedback (or even an indication that it was running). And Aladdin's free ESafe Desktop 2.2 fared poorly because it is essentially an antivirus product with what our tests showed to be a kludgy, leaky firewall tacked on.
Four other products that we examined--Digital Robotics' Internet Firewall 2000 ($40), Delta Design's Net-Commando 2000 ($30), Plasmatek Software's ProtectX 3 Standard Edition ($25), and Tiny Software's Tiny Personal Firewall ($29)--failed to get past our preliminary cut because they exhibited more-serious flaws, such as incomprehensible instructions, weak documentation, or limited functionality.
We assessed the six contending products on three criteria: user-friendliness, ability to work with common programs that access the Internet, and prowess at repelling hacking attempts. In each case we independently installed the firewall on an otherwise unprotected Quantex QP6 350 M2X, a Pentium II-350 machine equipped with 64MB of RAM and running Windows 98 SE.
The best configuration process should be comfortable for a neophyte while giving an advanced PC user the opportunity to tweak the settings. Most of the products we tested offer only three security settings: block all traffic, allow some traffic, and provide no security at all. This scheme works fine if you just surf the Web and check e-mail, but it's too limiting for many users. BlackICE Defender and McAfee.com Personal Firewall have the best configuration options and default settings. BlackICE has the simplest, best-explained security options, and it offers four levels of security for finer adjustment by the user. McAfee.com defaults to a middle "filter" security level that is an excellent starting point for most users. ZoneAlarm ranks near the top, too, but we thought it would have benefited from offering a fourth level of security between its high and medium settings.
Even the best documentation for the firewalls we tested is scarcely adequate, especially since hacking remains a mysterious aspect of computing for most PC users. In particular, none of the products we looked at fully explains its advanced configuration features. If you take into account its reasonably clear and organized online help, BlackICE Defender scores highest in the documentation category. But in this case that's a small honor.
The ideal firewall would also work quietly in the background but alert the user to anything worth reporting, and provide comprehensive logs of events. Unfortunately, most of these products tend to overwhelm the user with data. Firewall novices may be stunned at how often someone "touches" their PC. Most of that contact, however, is innocuous traffic that security expert Steve Gibson calls IBR--Internet background radiation. According to Gibson, who maintains the Shields Up Web site, "All firewalls overreport, and they don't do a useful job of discriminating between IBR and actual attacks."
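One way to cut through the overreporting Gibson describes is to triage a firewall's own log rather than react to every alert. The following is an added example, not code from the article or from any of the products reviewed: it parses constructed log lines in an assumed generic format (timestamp, blocked source address, destination port), and flags a source only when it touches several distinct ports within a short window, which is the signature of a port scan like the one run against Allan Soifer's PC; isolated hits are classified as background noise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed generic personal-firewall format
# (not the format of any product named in the article). Addresses are
# documentation ranges; the first source probes six ports in two seconds.
SAMPLE_LOG = """\
2000-09-14 02:13:05 BLOCK src=192.0.2.44 dport=21
2000-09-14 02:13:05 BLOCK src=192.0.2.44 dport=23
2000-09-14 02:13:06 BLOCK src=192.0.2.44 dport=25
2000-09-14 02:13:06 BLOCK src=192.0.2.44 dport=80
2000-09-14 02:13:07 BLOCK src=192.0.2.44 dport=110
2000-09-14 02:13:07 BLOCK src=192.0.2.44 dport=139
2000-09-14 02:40:51 BLOCK src=198.51.100.7 dport=139
2000-09-14 03:02:19 BLOCK src=203.0.113.9 dport=137
2000-09-14 06:45:00 BLOCK src=203.0.113.9 dport=137
"""

LINE_RE = re.compile(r"^(\S+ \S+) BLOCK src=(\S+) dport=(\d+)$")


def parse_log(text):
    """Turn log text into a list of (timestamp, source, port) tuples,
    silently skipping lines that do not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events


def triage(events, window=timedelta(seconds=60), min_ports=5):
    """Return {source: verdict}. A source that hits at least min_ports
    distinct ports inside any one window is called a port scan; every
    other source is treated as Internet background radiation (IBR)."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()  # sliding window over hits ordered by time
        scan = False
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scan = True
                break
        verdicts[src] = "port scan" if scan else "background noise"
    return verdicts
```

The window and port-count thresholds are assumptions to tune against your own log volume; the point is that a single stray packet on port 137 or 139 is what Gibson calls IBR, while a burst across many ports from one address deserves a closer look.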
Spikes of IBR occur for various reasons. For example, Internet services like WebTV sometimes send data to the wrong IP address when they attempt to contact users. A firewall might interpret that activity as a port scan. Internet privacy and security guru Simson Garfinkel, author of
Of the products we examined, BlackICE--using carefully crafted reporting windows--provides the clearest, most useful information. The program notes the source of any probe, and it's the only personal firewall we tested that automatically looks up IP addresses and provides contact information about whoever "touched" your PC. An honorable mention goes to Norton and Secure Desktop, which log events in accessible text windows. But ZoneAlarm went a bit overboard: We finally turned off its endless stream of pop-up alert windows, relying instead on its comprehensive event logging for detailed information. However, only ZoneAlarm effectively alerts you in real time to all potential threats--a level of detail that may appeal to some hands-on users. (For more on using ZoneAlarm, see
We ran each of the six firewalls through a number of scenarios to check its compatibility with other applications and its responsiveness to a potential Trojan horse. Compatibility is an important concern with applications that access the Internet: A poorly designed firewall might misconstrue as hacking attempts such legitimate activities as opening ports for Internet communication, and it may mistake legitimate programs for
A good firewall can distinguish between network traffic related to trusted applications and malicious traffic from a hacker or Trojan horse. Some firewalls focus on applications, while others focus on data traffic. In the first case, Norton uses a lookup table of preapproved applications. BlackICE Defender, on the other hand, doesn't note what apps are running. Instead, it scrutinizes all data passing to and from the computer for suspicious behavior, or
In our tests, we connected to the Internet over DSL and evaluated each firewall's ability to work with common applications that access the Internet: Microsoft Internet Explorer and NetMeeting, WS-FTP LE (a file-transfer program), ICQ (a messaging program), Napster (MP3 music search and download software), PC Anywhere (a program that allows remote control of one computer by another), and RealPlayer (music and video player software).
Sometimes the biggest challenge was determining whether the firewalls were working at all. For instance, in its default installation, McAfee.com does not launch at system start-up or appear in the system tray. You must select those options in the program's configuration. And even though Secure Desktop launches automatically at start-up, it runs entirely in the background--there isn't even an icon for the program in the system tray.
Secure Desktop did ask for permission to run some applications, but when operating at its highest security setting, the program would not allow other applications--ICQ, Napster, or NetMeeting--to run at all. McAfee.com and ZoneAlarm worked fairly smoothly, asking permission for each application. Norton automatically configured rules to permit some apps, but in other cases it made us walk through an overly detailed, six-screen Q&A to manually configure rules for future use of the app. BlackICE doesn't scrutinize applications per se, but it accurately monitors the types of data they send and receive.
Finally, we ran a not-so-trusted application: the freeware version of PKZip (file-compression software). This download includes a built-in application called TSAdbot, which acts as a conduit for advertisements from the Internet and displays them while PKZip is running. TSAdbot is not a malicious program, but it does function similarly to a Trojan horse and thus tests the firewalls' sensitivity to these intruders. McAfee.com, Norton, Secure Desktop, and ZoneAlarm detected TSAdbot and asked us for authorization. ESafe failed to react; BlackICE did not recognize TSAdbot's behavior as harmful. When we asked Network ICE about this result, spokesperson Robert Graham said, "Currently, Network ICE does not consider adbots to be malware." But he added, "Maybe we should reconsider our position."
We then hit each firewall with three simulated hacks: installing and accessing the Back Orifice Trojan horse, running a port scan, and conducting a denial-of-service attack. We ran each test at the programs' default security settings. (Some default to the highest security setting, while others default to the second-highest.) If a firewall failed a test, we tried it again at a higher setting.
In the Back Orifice test, BlackICE did not stop the attack at its default security setting. However, it did stop the Trojan horse when we bumped the security up a notch. (The newest BlackICE version, not available in time for our comparison testing, does stop Back Orifice at its default setting.)
Three products--McAfee.com, Norton, and ZoneAlarm--identified Back Orifice by its file name, Umgr32.exe, and asked permission to run it. Not many PC users have heard of Back Orifice, let alone Umgr32.exe, so they might not know whether to block the app or let it run. ESafe's built-in virus checker identified the Umgr32.exe file and asked whether we wanted to delete it. Secure Desktop failed the Back Orifice test--and all other attack tests--even at its highest security setting.
We next hit our test PC with a port scan, having deliberately left two ports open to see how the firewalls would handle them. The first port, called NetBIOS, is opened when printer and file sharing are enabled. The second port was opened for our Back Orifice Trojan horse. (Some firewalls look for standard ports used by Trojan horses, but we upped the ante by choosing a nonstandard port.) A personal firewall can hide your PC by putting ports into stealth mode so they will not respond to a hacker's port scan; the ports will thereby offer no evidence that your computer exists.
At their default settings, BlackICE, McAfee.com, and ZoneAlarm put the two ports into stealth mode, but ESafe, Norton, and Secure Desktop failed to hide the ports we left open.
Finally, we ran a miniature denial-of-service attack, hitting each firewall with a flood of meaningless data intended to confound the operating system. In the real world, a denial-of-service attack overwhelms your Internet connection, making it difficult or impossible to access the Net. It can also crash your system. Malicious hackers can increase the pressure by launching a distributed-denial-of-service attack, in which multiple computers are commandeered and used to launch an attack. Such assaults are usually directed against major Web sites and the servers that support them. In the unlikely event your PC is targeted for a full attack, a good firewall may block the incoming data packets and prevent your machine from crashing, but no firewall can ensure that your Internet connection will remain open.
At their default settings, four of the firewalls we tested--BlackICE, McAfee.com, Norton, and ZoneAlarm--prevented a crash, although BlackICE was the only product that correctly identified the nature of the attack. Norton gave no indication an attack was under way. We were disappointed that ZoneAlarm repelled the attack only at its default (High) setting, and Secure Desktop and ESafe failed to prevent a crash even at their highest settings.
According to Murphy's Law, anything that can go wrong, will. People are putting more sensitive data (such as financial records) on their PCs, and sending other sensitive data (such as credit card numbers) over the Web. They're also switching from dial-up modem-based service to broadband connections, with continuous service and fixed IP addresses. Meanwhile, hackers are acquiring more devious software tools and putting more potential victims at risk. Hacking will inevitably increase. But the good news is, you can protect yourself now.
No computer connected to the Internet is 100 percent safe from hacking. But take heart: These five easy steps can make a PC running Windows virtually impervious to online attacks.
Internet security is a complex subject. Here are some key terms and concepts for PC users to know.
The Internet is a playground for hackers, but it's also a great place to learn about security and how to protect yourself from attack. Here is a sampling of online sites that provide information, testing, and security products.