
Forum
Online NewsHour
DE-'BUGGING' COMPUTERS

December 2003
The Internet has facilitated global communication like never before but also created the need to secure computer networks from viruses and worms. Two security experts on the front line of the battle against these computer "bugs" answer your questions.

Questions asked in this forum

I read a lot about vulnerabilities embedded in Web browser code that enable sending data through ports that are normally open and assumed to be safe by most firewalls. Is this a true threat and how serious is it?

Have any viruses or worms arrived in .txt or .jpg or PDF files? These are files that by definition have NO executable code and are hence treated as data and nothing else. Are there NO files that can be safely opened on a PC?

I noticed that all of the worms identified on the NewsHour are w32 ... what responsibility for this security problem should be assigned to Microsoft?

Is the ZoneAlarm security program effective against worms?

Before switching to a DSL connection, with a (Linksys) wireless router, I always used a (ZoneAlarm) firewall. Now, however, I have been told by many people that there is no need for the firewall as the router serves that function. Is that true, or do I still need a firewall?

I have installed a new program for fighting spam - Spam Inspector. It seems to be quite good. My question is that it looks as if the spam is opened (by the spam fighter) to determine if it is spam. Does that opening make me vulnerable to virus attack?

Are there free firewalls available on the Web that do the job?

 

 

C. Killian of Falls Church, Va., asks:

I read a lot about vulnerabilities embedded in Web browser code that enable sending data through ports that are normally open and assumed to be safe by most firewalls. Is this a true threat and how serious is it? Thanks for all that CERT does. You are truly the CDC of electronics.

Larry Rogers responds:

It is a true threat, though it is not restricted to the Web browser components. It is not an everyday occurrence, but we have seen variations. It is not unreasonable to expect that intruders will use these techniques more and more to bypass firewall technology.

The form of information sent over an arbitrary network port is in many cases a matter of convention and not an enforced requirement. For example, activity on port 25 - the SMTP port - does not mean that that information conforms to the SMTP protocol standard. All it has to be is in a form - a protocol - that both ends agree to. In the overwhelming majority, but not in all cases, it is SMTP. The fundamental paradigm that says "if it is port X then it must be protocol Y" is being changed by intruders who are basically saying: "Says who?"

There is evidence that standard, well known and highly used ports are being used to carry information that does not conform to the protocol traditionally found on that port.

Intruders are leveraging open ports in hardware and software firewalls to transfer their own information and violate the fundamental paradigm I previously talked about. It's clever and obvious when you think about it. What needs to happen is for defenders to restrict port contents to the proper protocol, and that will be a challenge. The complexity and amount of information that the firewall - hardware or software - will have to track becomes very large when protocol conformance is the goal.

In the meantime, look at http://www.cert.org/current/services_ports.html to see a list of ports associated with known vulnerabilities and exploits with links to our documents that mention them.
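
The protocol-conformance check described in the response above, applied to the port 25 case, as an added example that is not part of the original forum exchange or any CERT tool. The function name, the allow-list limited to base RFC 5321 commands, and the sample byte strings are assumptions constructed for illustration.

```python
import re

# Base client commands from RFC 5321. Extensions (STARTTLS, AUTH) are left out
# to keep the example small; a real filter needs them.
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET",
              b"VRFY", b"EXPN", b"HELP", b"NOOP", b"QUIT"}
MAX_CMD_LINE = 512    # RFC 5321 command line limit, CRLF included
MAX_TEXT_LINE = 1000  # RFC 5321 message text line limit, CRLF included
CMD_RE = re.compile(rb"([A-Za-z]{4})(?: [\x20-\x7e]*)?")

def check_smtp_client_stream(data: bytes):
    """Return (conforms, reason) for client-to-server bytes seen on port 25."""
    if not data.endswith(b"\r\n"):
        return False, "stream does not end on a CRLF line boundary"
    in_data = False  # True while inside the message body after DATA
    for n, line in enumerate(data[:-2].split(b"\r\n"), 1):
        if b"\r" in line or b"\n" in line:
            return False, f"line {n}: bare CR or LF"
        if in_data:
            if len(line) + 2 > MAX_TEXT_LINE:
                return False, f"line {n}: message line too long"
            if line == b".":  # a lone dot ends the message body
                in_data = False
            continue
        if len(line) + 2 > MAX_CMD_LINE:
            return False, f"line {n}: command line too long"
        m = CMD_RE.fullmatch(line)
        if m is None or m.group(1).upper() not in SMTP_VERBS:
            return False, f"line {n}: not an SMTP command"
        if m.group(1).upper() == b"DATA":
            in_data = True  # assumes the server answered 354
    return True, "conforms"

# Constructed samples: a normal mail session and an HTTP-style request.
SMTP_SESSION = (b"EHLO client.example.org\r\nMAIL FROM:<a@example.org>\r\n"
                b"RCPT TO:<b@example.net>\r\nDATA\r\nSubject: test\r\n\r\n"
                b"GET is only message text here\r\n.\r\nQUIT\r\n")
NOT_SMTP = b"GET /status HTTP/1.1\r\nHost: host.example.net\r\n\r\n"

if __name__ == "__main__":
    for name, blob in (("smtp", SMTP_SESSION), ("other", NOT_SMTP)):
        print(name, check_smtp_client_stream(blob))
```

The checker has to track session state (command phase versus message body) to avoid flagging ordinary mail text, which is a small instance of the tracking burden the response mentions.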

Copyright © 1996- MacNeil/Lehrer Productions. All Rights Reserved.