Oct 03

I want to thank Jeff (our Director of Marketing and Emerging Technology) for testing ForceField and writing such detailed reviews.  You can thank him by visiting his personal blog at: http://haumanadao.com/

That being said, let’s move on to the third part of this series.

When Jeff agreed to test ForceField and document his experience for our blog, he also ran a packet capture using Wireshark to determine if we could see exactly what was happening with this. That’s how I ended up with this last part of the review. I am the packet capture analyzer!


In the first packet captured, upon opening the browser, there is a SYN connection to the Zonelabs IP at 208.185.174.65 that is encrypted.

First Packet Capture

A SYN packet is the beginning of a handshake between two computers. Obviously, ForceField is logging in at ZoneLabs for some reason. Just what reason we don’t know. But the second packet confirms the handshake with a SYN/ACK, or acknowledgement that Zonelabs has received the first SYN packet, and sets a sequence number for the communication between the two.

For those of you who are not knowledgeable in reading packets or do not understand SYN/ACK packets (as I teach in our PC Security courses; shameless plug, I know!), the SYN and ACK packets are used to establish a connection with another device, usually two computers. The SYN packet sends a sequence number (to synchronize) for the digital packet and behaves much like a knock on the other computer’s door. Sort of like saying, “Hello? Are you there?”

The ACK packet is returned by the other device in acknowledgement of the knock, or attempt to establish communications. Like saying, “Yea! I’m here! Let’s talk!” The sequence number establishes the connection between the two by identifying the packets, much like a ticket number. If the packets become broken up, the sequence number helps the communicating devices put them back together for a full message.

So, here is the image of the ACK packet in Wireshark:

ACK Packet from Zonelabs

The flag showing “SYN: Set” means that the synchronization number has been set along with the acknowledgment. This entire process is called the “handshake.”

In case you are wondering if I’m pulling your leg about the IP address belonging to Zonelabs, let me put that theory to rest right now.

WhatIsMyIPAddress.com Results

After the initial handshake and establishing the connection between the browser (or Jeff’s Computer) and Zonelabs, there is another secured handshake initiated.

SSL Handshake with Zonelabs

After a few more back-and-forths with handshakes and agreeing on the cipher strength, Jeff’s PC starts sending encrypted data back to ZoneLabs in two packets, Packet 12 and Packet 13.

Encrypted Data Being Sent to ZoneLabs

Just what information was sent, we don’t know. But there was definitely information being transferred. And there were a few more packets exchanged identical to the one shown above.

Now, the information shown in the next image shows that on packet 22 there was another acknowledgement packet sent from ZoneLabs to Jeff’s PC. I circled the flags to show you that neither the reset (RST) flag nor the FIN (finish) flag was set, which means that Zonelabs was staying connected to Jeff’s PC. If it were disconnecting, the FIN flag would have been set.

Flags show Zonelabs still connected
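To make the flag reading above concrete, here is an added example (not code from the original post or from Zone Labs) that decodes the TCP control bits and the TLS record type from raw IPv4/TCP packets and reports, per conversation, whether a FIN or RST was ever seen. The capture it runs on is constructed inline to mirror the sequence described in this post: SYN, SYN/ACK, ACK, TLS handshake records, encrypted application data, and a bare acknowledgement with no teardown. The client address 192.0.2.10, the port numbers, the sequence numbers and the record payloads are all placeholder values; checksums are left at zero because the parser never validates them.

```python
"""Label TCP packets by flags/TLS record type and report which conversations were
ever torn down (FIN or RST). Added illustration; not the blog's own code."""
import struct
from collections import defaultdict

# TCP control bits (low byte of the 14th TCP header byte, RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK")]


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet for the constructed capture (checksums zeroed)."""
    # TCP header: ports, seq, ack, data offset (5 words = 20 bytes), flags, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Return (src, dst, sport, dport, flags, payload) from an IPv4/TCP packet."""
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport, _seq, _ack, off, flags, _win, _cks, _urg = struct.unpack(
        "!HHIIBBHHH", raw[ihl:ihl + 20])
    payload = raw[ihl + (off >> 4) * 4:]  # skip TCP header incl. options
    return src, dst, sport, dport, flags, payload


def describe(flags, payload):
    """Human-readable label, in the order a handshake/teardown analyst checks them."""
    names = "/".join(n for bit, n in FLAG_NAMES if flags & bit)
    if flags & RST:
        return f"{names}: connection aborted"
    if flags & FIN:
        return f"{names}: orderly close"
    if flags & SYN and not flags & ACK:
        return f"{names}: connection request (handshake step 1)"
    if flags & SYN:
        return f"{names}: handshake step 2"
    # TLS record header: content type byte then major version 0x03
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return f"{names}: TLS handshake record"
    if payload[:1] == b"\x17" and payload[1:2] == b"\x03":
        return f"{names}: TLS application data (encrypted)"
    if payload:
        return f"{names}: {len(payload)} bytes of unclassified data"
    return f"{names}: bare acknowledgement"


def analyze(packets):
    """Label every packet and record, per conversation, whether FIN/RST ever appeared."""
    labels = []
    closed = defaultdict(bool)
    for raw in packets:
        src, dst, sport, dport, flags, payload = parse_packet(raw)
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent
        closed[key] |= bool(flags & (FIN | RST))
        labels.append(f"{src}:{sport} -> {dst}:{dport} [{describe(flags, payload)}]")
    return labels, dict(closed)


# Constructed sample capture (client address is a placeholder; server IP is from the post)
CLIENT, SERVER = "192.0.2.10", "208.185.174.65"
SAMPLE_CAPTURE = [
    build_packet(CLIENT, SERVER, 50123, 443, SYN),
    build_packet(SERVER, CLIENT, 443, 50123, SYN | ACK),
    build_packet(CLIENT, SERVER, 50123, 443, ACK),
    build_packet(CLIENT, SERVER, 50123, 443, PSH | ACK, b"\x16\x03\x01\x00\x2f" + b"\x01" * 47),
    build_packet(SERVER, CLIENT, 443, 50123, PSH | ACK, b"\x16\x03\x01\x00\x2a" + b"\x02" * 42),
    build_packet(CLIENT, SERVER, 50123, 443, PSH | ACK, b"\x17\x03\x01\x00\x20" + b"\xaa" * 32),
    build_packet(SERVER, CLIENT, 443, 50123, ACK),
]

if __name__ == "__main__":
    labels, closed = analyze(SAMPLE_CAPTURE)
    for line in labels:
        print(line)
    for key, was_closed in closed.items():
        print(key, "closed" if was_closed else "never closed within this capture")
```

The per-conversation `closed` map is the point of the exercise: a capture that stops before the browser exits will show `False` for the Zonelabs conversation, exactly as this post describes, and the only way to distinguish “still connected” from “capture ended early” is to keep capturing through the browser close.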

You will then notice that the packet capture acknowledges that there is now a clone of the browser, as evidenced by the yellow lines in the capture above.

During the time of the capture and Jeff’s surfing, TrendMicro updated and Zonelabs updated ForceField. Jeff also surfed Google, did a few searches, and checked his e-mail. All the packets captured showed the connection from Jeff’s PC in the background to these sites for the updates, the e-mail check and the IP packets to Google. I never found a disconnect from ZoneLabs’ initial connection in any of the packets captured.

There is one flaw in our research, however. Jeff shut off the packet capture before closing his browser, so we could not see the disconnect from Zonelabs.

I suspect that if he had closed his browser, forcing the cloned ForceField one to close, we would have seen a disconnect packet. But being a novice to this kind of research and to packets, Jeff is off the hook.

Our take here at MICE is that if you insist on using ForceField for the safety it provides, you are sacrificing your privacy. Under the guise of security and protection, I believe ForceField is Big Brother in disguise. Another wolf in sheep’s clothing.

And my take is that I’m going to donate to OpenSource (FireFox) to continue their development of a free, non-big brother browser!

written by Admin

Oct 02

After using ForceField for several days a few questions came up about the application in general. The main one was why can’t I see any real details as to what it is blocking? Over the years I can’t tell you how many Wiz Bang programs I’ve installed only to uninstall them because of how they either collided with my other programs or sucked up my resources. So I was just running ForceField through my normal rigors.

In Part 1 I showed you the Advanced tab in the ForceField settings. I was shocked to only find a bunch of checkboxes. Nothing that would allow me to know if what they are blocking was agreeable to me. For all I knew, it could end up allowing something malicious that Zone Labs hadn’t detected yet, which is VERY likely. A statistic that is on the landing page for Debbie’s eLearning Portal states, “Upon their initial outbreak, 21% of the malware did not have an associated antivirus definition”, so I want to keep an eye out for things like this. Education and vigilance are the best ways to protect yourself especially when so many of the security applications or services are reactive.

For the sake of their security, I gave ForceField the benefit of the doubt in that if they gave away too much info it might allow malcoders better access to crack their way around it. So I decided to see if their documentation had anything of interest. Nope, I couldn’t find anything there that even remotely resembled something technical; it was all pretty much for general users. (See for yourself: Starter Guide/User Manual)

So I was left with no other choice than to trust that ForceField has my back covered. With so much “Big Brother” crap going on with applications these days, that’s kind of hard for me to swallow, so for the time being I let it go but kept an even more vigilant eye on how it worked.

One of the first things I noticed occurred in Internet Explorer. My virus protection, Trend Micro Internet Security Pro, has a tool called the Transaction Protector that is designed mainly for wireless use to encrypt your transactions against possible keyloggers. Because ForceField creates a cloned browser, Trend activated the Transaction Protector. I discovered this when trying to do a Google search using Internet Explorer and all that showed up was “ababababab” for anything I typed. It took a few minutes for me to realize what was going on.

Interestingly enough, when I tried to get a screenshot of this problem a week later, it had disappeared. This must have happened when ForceField did an update, which it did not inform me of nor make the details of available anywhere. What it did was deactivate the Transaction Protector. I’m sorry, but why are you not allowing me to make this choice? This was my first “Big Brother” suspicion, in that Zone Labs shut off a valuable Trend Micro tool without my knowledge, assuming that it does a better job? This makes it appear that Zone Labs believes ForceField is the superior tool, and that is just plain arrogance, especially without documentation to back it up, either for the application itself or for the upgrades that it does.

This caused me to do a search for ForceField to see what other issues might be going on. One result claimed that it was a memory hog. To test this I did screenshots of the Windows Task Manager right after startup and then again after I opened a Firefox browser. There was a huge difference in the memory utilization. It went from 22 MB to 137 MB, a 527% increase in memory usage. I have 1 GB RAM, of which about half is used upon startup. ForceField used an additional 115 MB when my browser opened, which is around 20% of my remaining RAM. I did find that if I left my browser open and then opened up other programs, things did start to slow down after a while, as this is when swap files are used more frequently once the RAM is mostly used up.

The other issue that I found during this search was that ForceField was not keeping any Firefox Add-ons. This made me wonder if this might happen with bookmarks and/or organizing bookmarks. I got to experience the answer to this during the course of my normal computer maintenance. When activating Spybot to do my spyware scans, if it detects excessive temporary files it asks you if you want to delete them, which will speed up the scanning process. I noticed that I had 1,000+ temporary files, which seemed excessive to me, but I just figured I had forgotten to clean them out. I told Spybot to delete them and, to my surprise, when I opened up Firefox some previous settings in my Bookmarks Toolbar were gone, but when I shut off ForceField and reopened Firefox they were there.

The same problem occurred when I made changes to Firefox with ForceField shut off. This appears to make the cloned browser king, but again, the documentation did not specify anything to this level as to how changes to the browser do or do not affect ForceField. It appeared, after dealing with this for a time, that the answer was in the temporary files ForceField creates (which can look like this: ffffffffffff.isw), which you can remove in the Advanced tab by clearing the Virtual Data, but this was never explained clearly anywhere (other than in a forum post that states this should now be the way to remove your temp files). I delete my temporary files using the Windows Disk Cleanup tool. The 1-2-3 promos did not allude to this, so perhaps Zone Labs just assumes that no one does this?!? Sorry, but I run a Lean and Mean Computing Machine, and ensuring my temp files don’t get excessive is one of the things that is part of my regularly scheduled maintenance.

I also noticed that when running my defrag tool, Auslogics Disk Defrag, it was taking longer than usual. Like I mentioned in Part 1, I like to watch the tool work, and I noticed that it was showing more fragmentation than usual. Both the longer defrag time and the excessive fragmentation have disappeared since I uninstalled ForceField, demonstrating that it was the culprit. So although it was not slowing down my browsing experience, it was definitely cluttering my computer with excessive temporary files, which in the long run can affect the overall performance (a forum post mentions that their temp files went from 2,000 before ForceField to over 10,000 after using ForceField!).

So far, much of this has produced mostly consistent frustration. I’m sure that I could have eventually figured out how to circumvent these problems, but that’s really the big issue here because the General User isn’t normally concerned with all of these geeky things. A tool such as this needs to have good consistent use for the General User yet at the same time satisfy the needs of those who are more technically savvy.

The next thing I did was to start poking around their forum, and that is where my attitude got even worse. Take a quick look for yourself (Click Here); check out at least the first 5-7 pages and you will see consistent comments on incompatibility or problems with the application. Some of these problems may have been resolved, but this appears to me to be an application still in development that they are selling as a finished product. Does that sound familiar? Microsoft has been doing that since the very first Windows operating system. Although this was originally genius marketing, today it’s a point of contention and frustration.

I also noticed that when checking my Protection Activity that occasionally the Suspicious Sites total would increase but there was no way of knowing what ForceField was designating as a Suspicious Site. I also monitor my network traffic via the icon in my Sys Tray and noticed that when I started up ForceField there was always considerable activity. The element of Big Brother was already becoming more and more suspicious and in conjunction with what I’ve previously mentioned, this was rapidly approaching the point of being uninstalled.

Using a packet capturing tool called Wireshark, I set out to find out what was going on “behind the scenes”. I shut off ForceField so it wouldn’t activate on startup, rebooted, turned on Wireshark, activated ForceField, and then opened a browser and did some browsing. The results appeared to be initially very interesting, but I have next to no understanding of much of what was going on. This is where Debbie is going to take over, because she understands this very well. In Part 3 she will be relating the results of her analysis of the packet capture I did. What you will see is that some kind of encrypted secure communication is going on to Zone Labs, putting the element of Big Brother right into the Big Picture of this application.

Here’s my final take and general warning to you. Zone Alarm ForceField comes off as the tool that will save the day with all of the things it will do for you. Such Super Hero tactics when performed by a major corporation rarely end up being totally benign. I hate to be so cynical but more often than not if it sounds too good to be true, it normally is, especially for the consumer. ForceField started off being my new best friend, but eventually tried to convince me that it knew better than me and to just “Trust Me”. Isn’t that what the snake said to Eve in the Garden of Eden? Some things just never change!!

Think I’m being overly cynical? Check out their EULA. Section 2.5 states that if you have the Anti-Spyware version they have the right to delete any program they deem a problem. What you may not realize is that spyware detection is a reactive evolution, meaning it’s as good as it is today but may get better AFTER a known problem has been discovered. So they could easily remove a valid program without you knowing it, due to some detection algorithm that sees your well known and useful program as a problem. Doesn’t this continue to allude to the fact that they know what’s best for you? Just who designated them King of The Mountain?

Section 5 relates to Third Party software and states, “Certain third party software included with the Software is subject to additional terms and conditions imposed by ZoneAlarm’s third party licensor(s).” I did not see any other reference about WHAT that third party software is other than “Such terms and conditions are contained in the “About” pages of the Software and are deemed incorporated herein by reference.” Okay, so what does that mean to any potential abuse of my personal privacy by your third party licensor(s)?

Section 8.1 states that the limited warranty for the software “will be free from defects in material and workmanship, and that the Software shall substantially conform to its user manual”, yet I stated earlier that this manual was somewhat nebulous. So just what does this mean in relation to a limited warranty? Is there one, when you can easily get out of it with a nebulous user manual?

Section 8.2 GENERAL: ZoneAlarm does not guarantee that use of the Software or Subscription Services will be uninterrupted or error-free. ZoneAlarm does not guarantee that the information accessed by the Software or Subscription Services will be accurate or complete. You acknowledge that performance of the Software and Subscription Services may be affected by any number of factors, including without limitation, technical failure of the Software, the acts or missions of third parties and other causes reasonably beyond the control of ZoneAlarm. Certain features of the Software may not be forward-compatible with future versions of the Software and use of such features with future versions of the Software may require purchase of the applicable future version of the Software.

It seems like this section is stating that with all the hype of how well it can protect you, there is no REAL guarantee that it will, not to mention that it is not responsible for the acts or missions of third parties. Do you smell any stench of Big Brother yet?

This just verifies to me the validity of trust that Open Source has. They are not Corporate Minded with interests in profits for the stock holders/investors, they are a community of people creating applications and operating systems for the good of the people because they are mainly run by the people. So when Thunderbird or Firefox want to do an upgrade, I implicitly trust them because their motives are for the good of their users.

written by Jeff

Oct 01

This post is written by a guest author.

Monday August 11 at 4:14 PM, the fateful day that an email arrived appearing to contain the resolution for a growing problem on the internet, Drive By Downloads. The email said, “In honor of Patch Tuesday, August 12, 2008, ZoneAlarm (Check Point) will be offering ForceField browser security for FREE for only 24-hours!”

I then went to the ForceField section of the Zone Alarm site and read about the features and watched the promos for it. According to the very amusing video promos it’s as simple as 1-2-3 to not only install but also operate. The security of Internet browsing has taken a giant leap forward!

The month prior to this I had been doing a lot of research for the landing page for the launch of Debbie’s eLearning Portal, namely her PC Security and ID Theft courses, in conjunction with her celebration of being in business for 10 years. The main purpose of this landing page was to educate the visitor on what’s really going on out there and how extremely important it is for EVERY user to be educated, because many of the tools and services are not 100% reliable. It was starting to appear that the only REAL protection is arming yourself with the proper knowledge, and her courses are excellent for that, as her many testimonials have shown.

Some of that effort led me to research results on the state of browser patches and security and the growing incidents of Drive By Downloads. As a result of that, it became apparent that surfing online these days isn’t as benign as so many may think it is. It is getting to the point that if you’re not properly educated in what’s going on, you can become a victim and not even know it and this can be regardless of your level of education. Both Debbie and I have come across this but due to our awareness were able to stop it in time or prevent it from happening. (See Mal Ads Report and Drive By Download video) The Zone Alarm ForceField application, upon my initial review, seemed to be a great response to these problems. Here’s what the site tells you:

  1. Block unauthorized downloads and malicious software installations.
  2. Protect your identity by blocking phishers and stopping keyloggers.
  3. Browse the internet in complete privacy–erases all cache, cookies, history and passwords.
  4. Run it with your existing security software–it’s fast, lightweight, and easy to use.

Sounds pretty cool!  But wait, there’s more!  Here’s a list of known threats and their impact that ForceField will protect you from.

  1. Drive-by download - Visit the wrong website, and it can download spyware, viruses, or even take control of your PC without your knowledge.
  2. Keyloggers - Capture and record your keystrokes to obtain passwords, financial information and more.
  3. Phishers - Trick you into entering confidential information such as passwords and credit cards on bogus web sites.
  4. Spyware - Installed without your knowledge, spyware can collect your personal information and send it to criminals on the Internet.
  5. Dangerous downloads - Appear to be safe, like a screen saver application, so the user chooses to download it, but in fact it also installs malicious software.

If you think that’s cool wait until you see their Benefits and Features:

  • Virtual Browsing
  • Browser Threat Immunity
  • Private Browser
  • Keylogger & Screengrabber Jamming
  • Dangerous Download Detection
  • Anti-Phishing
  • Spy Site Blocking
  • Website Safety Check
  • Spyware Flushing
  • On-The-Fly Encryption
  • Seamless Integration
  • Security Software Compatibility
  • Fast and Easy to Use

If this isn’t the best thing since sliced bread, I don’t know what is! Although I am being sarcastic, this was close to my initial reaction because based on this and the amusing videos this really did seem like it was going to go a long way in helping to at least stave off these issues that are becoming more and more prevalent. One of the best features being how easy it is to install and use and that it integrates with known security applications. (Click Here to see for yourself)

After reviewing all of this I couldn’t wait for Tuesday to arrive so I could get my copy with a license key for a free year of use!   This was going to be great; Secure Browsing has finally arrived!! (I could hardly sleep that night!)

Once I downloaded the application and received my special license key, everything went just as the promos had stated.  It installed very easily and put itself as an additional toolbar on both my Firefox and Internet Explorer toolbars which contained a ForceField drop down menu, Protection Activity, Site Status, and Private Browser.

Selecting Settings on the drop down menu produces a small window with a General and an Advanced tab. It was very simple, and upon initial review all of these settings seemed to be necessary in order to ensure proper protection; for example, by default ForceField loads on startup of your PC and immediately starts to protect you as soon as you open your browser. This drop down also has a choice in FireFox that puts the toolbar on the Status bar, with a menu when clicked on, thus relieving you of the space the ForceField toolbar takes away from your viewing pleasure. I don’t seem to remember the same option in IE, but am not a big user of it either, so didn’t care.

The Site Status shows you if the site you are on has been detected as a known phishing or spyware distributor, when it was first registered, and where it’s located.  These are essential elements in assisting in determining a site’s validity as many mal sites come and go very quickly in order to evade detection.

The Protection Activity gives you a summary of the total MB of possibly harmful data prevented from reaching your PC, the total number of threats that were stopped, and a tally of what those were under the headings of Suspicious sites detected, Phishing sites blocked, Spyware sites blocked, and Virus infected downloads detected, plus the total number of downloads it has scanned.

As far as using the Private Browser, I am the only user of my computer, so I only checked it out by clicking on the button; it opened a new browser. Because the Benefits and Features section stated that it basically erases everything you do, it did not seem useful for me, because whatever I do would be erased, including bookmarks, passwords, etc. This only seems useful if there is more than one user of a browser and you want to hide what you’ve done, which when you think about it seems kind of dishonest, unless of course you have something to hide. This is why this type of browsing has been termed “Porn Mode”. Maybe it’s because I’m an honest person and don’t have anything to hide that I don’t understand when this is useful, because the only “usefulness” that it serves is when you have something to hide from others.

Actually setting up additional users in Windows would alleviate all of that anyway unless of course you are the admin which would give you access to that information.  For example, having Private Browsing on a computer used by a family would never allow the parents to monitor the browsing habits of their children who are notorious for going places they shouldn’t especially when it comes to free downloads but having each child sign in separately would allow proper parental monitoring.  This is assuming that one parent isn’t hiding something from the other, but then again that’s deceptive and a guaranteed relationship killer.  This whole thing about private browsing which the new version of IE is supposed to have dumbfounds me.  Is our society getting so secretive that we have to continually create ways to hide? (Don’t get me started on PC Pandora!!!)  This is a review and not an expose on the morals of society so I’ll leave it at this.

All in all my initial browsing experience with ForceField was very good.  I did not notice any slow down indicating that ForceField was getting in the way.  When I went to my blog which was only a couple of months old, I got a warning about it and was able to tell ForceField that it is okay.  Another incident of a link I got in an email for some new internet marketing product brought up a phishing warning.  I wasn’t sure if it was a false alarm or not but wasn’t all that interested in the product so I didn’t proceed from there.  Each day I monitored the Protection Activity monitoring how ForceField was working.  It was nice to browse knowing that a clone would take any malware hits.  The sense of security that resulted was refreshing.

But then things began to change; maybe it’s because, after working for corporations for the past 10 years, one of which was in bankruptcy for 3 years and demolished their long standing defined pension program along with so many other cold hearted choices, I have an inherent distrust that corporations don’t always have my best interest in mind. Maybe it’s because I’m an armchair marketer and love watching how products are promoted, some of which are not done with sincere integrity. Maybe it’s because I’m a geek and love information (I like to watch a computer defrag to see how bad the fragmentation is!). Maybe it’s because I have a knack for processing information, resulting in seeing patterns that many others don’t. Maybe it’s because I believe in taking personal responsibility for my actions and am therefore prone to not let others do it for me if at all possible.

Whatever the case, little by little some things started to show up as I continued to use Zone Alarm’s ForceField.  At first they were annoyances, but eventually turned into big questions of what is really going on behind the scenes.  In Part 2, I will delve into this and let you be the judge as to why something seems to be your best friend yet doesn’t disclose things for the more technically minded who just like to monitor their computer’s processes to ensure the best functionality.  This leads to the suspicion that Big Brother may be lurking behind the scenes.

written by Jeff

Aug 11

In honor of Patch Tuesday, August 12, 2008, ZoneAlarm (Check Point) will be offering ForceField browser security for FREE for only 24-hours!

In Microsoft’s Advance Warning notice that I receive, there will be 7 critical updates and 5 important updates.

Affected software will be: Windows 2000, Windows XP (SP2 and 3), Windows XP Professional - including x64 edition and SP2, Windows Server 2003 (including: SP1 & SP2, x64, and SP1 & SP2 for Itanium-based Systems), Windows Vista (including: SP1, x64 and x64 SP1), Windows Server 2008 for 32-bit Systems, Windows Server 2008 for x64-based Systems, Windows Server 2008 for Itanium-based Systems, Microsoft Windows Malicious Software Removal Tool (now there’s a surprise! NOT!), Non-Security, High-Priority Updates on MU (*Microsoft Update), WU (*Windows Update), and WSUS (*Windows Server Update Services), Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, Microsoft Internet Explorer 7, Media Player 11, Microsoft Outlook Express 5.5 Service Pack 2, Microsoft Outlook Express 6 (including SP 1), Windows Mail (Vista), Windows Messenger 4.7, and 5.1. There are also supposed to be critical updates for Access, Excel, and PowerPoint, but it’s not clear what versions they are yet.

So, first thing tomorrow morning, head over to ZoneAlarm’s special site here: www.zonealarm.com/patchtuesday and get yourself a copy of ForceField. I think we’re all going to need it!

written by Admin

© 2007-2008 MICE Training & Technology™.
