Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, May 27, 2009

Breaking Web Browsers' Trust

Technology Review recently published an article about a flaw in the way most Web browsers treated secure connections. The flaw has been fixed in the browsers, but it's a good reminder about security when connecting through access points we don't control.

From the article:


Making Internet communications secure means shutting off ways for an unauthorized person to access secret information. This is easier said than done.

In work presented this week at the IEEE Symposium on Security and Privacy, a team of researchers described a former flaw with almost all Web browsers that undermined the protocol used to secure online banking transactions and other sensitive transmissions. The problem arose when the victim was connected to the Internet via a proxy, such as a wireless access point at a hotel or cafe.

Although the researchers completed their work in July 2007, they kept the details secret to allow time to fix vulnerable browsers and test newer ones. The researchers say that they were able to successfully attack Internet Explorer 7 and 8, Firefox 2 and 3, Opera 9, and Chrome Beta and 1. The near-universal nature of the vulnerability suggests that better methods are needed to protect browser communications.

"It's very difficult to figure out the composition of all these end-to-end crypto protocols, which are at different layers of the network," says Shuo Chen, a researcher at Microsoft who helped uncover the vulnerability.

The protocol used to secure browser messages is based on a simple idea, Chen says: it's meant to establish a secure link between the user's browser and a Web server and distrust any points in between. However, because the browser often needs to trust the broader network, weak spots can creep in, he says.

Chen's group uncovered a problem with the way Web browsers display information from Web pages when a secure communications link has been established. They found that most browsers will sometimes treat insecure data as if it's part of the secure protocol. This means that a Web proxy--a machine sitting in between the browser and a website--can issue commands that the browser interprets as coming from a secure website, even if they are not. "In reality, it's very difficult to make sure that you are using a trusted network," he says.

For example, when a browser requests access to a secure website, the proxy could return a fake error message that the browser displays as genuine. The browser could then be tricked into sending secure messages to both the legitimate server and the malicious proxy.

Adam Barth, a researcher at the University of California, Berkeley, who studies browser security, says that the newly revealed flaw is significant because several browsers contained the same vulnerability. "That demonstrates that the issue is subtle," Barth says. "A lot of smart people missed it." He adds that since a browser is a complex system of interlocking parts, it could be useful to investigate tools that could help people analyze how data moves through those parts. Such tools might help catch similar errors in browser design.

Barth also says that Web standards would have mandated more secure behavior if experts had looked at the issue more carefully.

Though the specific problem that Chen's team found was fixed, Chen is still concerned about the methods used to build browsers. Normally, he says, the group of developers that figures out how a browser will display pages works separately from the group that implements a secure communications protocol. Chen thinks the Web community should think more carefully about the way different parts of the browser are put together. "It's difficult for the whole browser-development effort to have the whole picture," he says.
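The fix the article alludes to comes down to one rule in the browser's CONNECT handling: nothing a proxy sends before the TLS tunnel is up may be treated as content from the https:// origin. The following added example (not code from the article, the researchers, or any browser) shows a minimal CONNECT client that applies that rule, exercised against a scripted proxy over a socketpair; the proxy replies and the host name bank.example are constructed for the demonstration.

```python
import socket
import threading

# Constructed sample replies from a proxy to a CONNECT request (not real captures).
# A pre-fix browser rendered the body of the 502 reply as if it came from https://bank.example.
PROXY_REPLY_TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
FAKE_BODY = b"<html><script>/* injected by the proxy, not by the origin */</script></html>"
PROXY_REPLY_FAKE_ERROR = (
    b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(FAKE_BODY) + FAKE_BODY
)

def read_response_head(sock):
    """Read the proxy's status line and headers, up to the blank line."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, _body_prefix = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1")

def connect_through_proxy(sock, host, port):
    """Issue CONNECT and classify the proxy's reply.

    ("tunnel", 2xx): only now would TLS be started over sock, and only bytes that
    arrive inside that TLS session belong to the origin.
    ("proxy_error", status): the reply body is dropped unread. It came from an
    untrusted hop on the path, so it is never rendered under https://host."""
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(req.encode("ascii"))
    head = read_response_head(sock)
    status_line = head.split("\r\n", 1)[0]
    status = int(status_line.split(" ", 2)[1])
    if 200 <= status < 300:
        return ("tunnel", status)
    return ("proxy_error", status)

def simulate(proxy_reply):
    """Play a scripted proxy on one end of a socketpair; run the client on the other."""
    client_end, proxy_end = socket.socketpair()

    def proxy():
        proxy_end.recv(4096)          # consume the CONNECT request
        proxy_end.sendall(proxy_reply)
        proxy_end.close()

    t = threading.Thread(target=proxy)
    t.start()
    result = connect_through_proxy(client_end, "bank.example", 443)
    t.join()
    client_end.close()
    return result
```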

Tuesday, May 26, 2009

Cybercriminals Imitating Social Networks To Spread Malware

It should be no surprise to any IT administrator who manages a secure web gateway proxy that cybercriminals have been imitating and referencing the domain names of popular social networking sites for the purpose of spreading malware.

From a report on The Journal:

The results of research conducted by Websense, which makes security software, reveal a growing domain-name cloning trend that includes brands like Facebook, MySpace, and Twitter. These sites have no connection to the real sites but are trying to trick unsuspecting users into visiting fake Web sites and entering sensitive information or downloading malicious code.

The Websense Security Labs found more than 150,000 phony copycat sites using the term Facebook and 50,000 using some variation of either MySpace or Twitter in their URLs.

Researchers said hackers appear to be taking steps to create these cloned domains to circumvent security measures put in place by organizations to filter the original domain in a business setting. Many of the domains are proxy avoidance sites that are used to try to evade traditional Web filtering technology.


We've talked on this blog in the past about the importance of keeping your web filtering database up to date, having some way to rate web sites in real time, and having some malware detection on the secure web gateway proxy device. All three of these are necessary components to keep web surfing safe in this Web 2.0 world.
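Real-time rating is the right tool for this trend, but a gateway can also catch the crudest copycats itself: a hostname that carries a brand name without belonging to that brand's domain. The added example below (my own illustration, not Websense or any vendor's logic) flags such hosts in constructed proxy access-log lines; the brand allow-list, the tiny public-suffix table, and the .example hostnames are all assumptions for the demonstration.

```python
from urllib.parse import urlsplit

# Brands named in the report, mapped to the registrable domains that legitimately own them.
# Constructed allow-list for this example; a gateway would use its own curated list.
BRAND_OWNERS = {
    "facebook": {"facebook.com"},
    "myspace": {"myspace.com"},
    "twitter": {"twitter.com"},
}

# Tiny stand-in for the Public Suffix List (assumption for the example only).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}

def registrable_domain(host):
    """Return the registrable part of a hostname, e.g. 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):                        # longest matching suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()

def impersonated_brand(host):
    """Name the brand a hostname borrows when it is not under that brand's own domain."""
    h = host.lower()
    reg = registrable_domain(h)
    for brand, owners in BRAND_OWNERS.items():
        if brand in h and reg not in owners:
            return brand
    return None                             # genuine site, or no brand string at all

# Constructed proxy access-log lines: date time client method url status.
SAMPLE_LOG = """\
2009-05-26 10:01:02 10.0.0.5 GET http://www.facebook.com/home.php 200
2009-05-26 10:01:09 10.0.0.7 GET http://facebook-login.free-web-proxy.example/ 200
2009-05-26 10:02:31 10.0.0.9 GET http://twitter.com/home 200
2009-05-26 10:03:44 10.0.0.5 GET http://login.myspace.verify-account.example/ 200
2009-05-26 10:04:10 10.0.0.8 GET http://photos.twitter.com.look-alike.example/ 200
"""

def flag_cloned_domains(log_text):
    """Return (client, host, brand) for every request to a brand-borrowing host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        client, url = parts[2], parts[4]
        host = urlsplit(url).hostname or ""
        brand = impersonated_brand(host)
        if brand:
            hits.append((client, host, brand))
    return hits
```

Exact-substring matching only catches hosts that embed the brand verbatim; typo variants such as misspelled brand names need a separate fuzzy check.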

Thursday, May 21, 2009

A sure sign of the times

Like many others, I'm not at Interop this week. At first I was thinking it was just me, but as I heard from others, with quotes like "This is the first Interop I haven't attended since 1995", I realized the economy is definitely having a significant impact on how many people are at the show this year. With Twitter updates, live floor webcams, event photos on Flickr, chat rooms, Interop TV and blog updates from the show floor, maybe there's not even a need to go this year.

As someone who's attended Interop since 1992, it's certainly strange not to be there this year. While the predictions on whether tech shows will survive remain mixed, I'll always have a soft spot for Interop.

Should you choose a strategic security vendor or shoot for best-in-breed?

I'm going to take a look at one more article in the Network World series on "Burning Security Questions". The topic, "Should you choose a strategic security vendor or shoot for best-in-breed?"

This has always been a difficult topic for the IT administrator who wants to buy the latest in technical gear, but finds that they work in an "xyz" shop, where "xyz" is one of the do-it-all vendors (like Cisco).

From the article:
A huge debate these days is whether to select a strategic security vendor to provide the majority of security products and services the enterprise might require, or opt to evaluate point products, including those from start-ups, with an eye toward best of breed. ...

The main reason is the strategic security vendor approach can help stretch a budget and gain the advantage of a common management platform, he says. ...

Gaby Dowling, manager of IT security at international law firm Proskauer Rose, believes it isn't logical to consider anything "strategic" if the vendor and the product can't rapidly adapt to a changing threatscape. "Just because different products come from the same vendor doesn't mean they integrate well in my experience," she adds.


While the article doesn't really answer the question, it does highlight a problem many IT administrators face when selecting technology products. While some will continue to be forced to choose the strategic vendor, others will continue to pick the best-of-breed solution. And then of course there's the rare occasion when the best-of-breed solution comes from the strategic vendor.

Wednesday, May 20, 2009

Web attack that poisons Google results gets worse

The IDG news service reported that an attack on websites that affects Google search results known as the Gumblar attack has infected more than 3000 Web sites and is spreading quickly.

This new attack that peppers Google search results with malicious links is spreading quickly according to the U.S. Computer Emergency Readiness Team.

This malware can be found on several thousand legitimate Web sites. It targets known flaws in Adobe's software and uses them to install a malicious program on victims' machines.

The program also steals FTP login credentials from unsuspecting victims and uses that information to spread further. It also hijacks the victim's browser, replacing Google search results with links chosen by the attackers.

This attack is a good reminder to use a web proxy gateway running malware protection. A quick check with Blue Coat Systems verified that their Webfilter/Webpulse products, when used correctly, already protect against this threat.

Monday, May 18, 2009

InterOp 2009: Big Networking in the Recession

InterOp, networking's largest tradeshow, is underway this week in Las Vegas. But with the world recession looming large, there's one big question: in the midst of a recession, will buyers actually show up?

InterOp comes at a challenging time for vendors and their users. In addition to the world recession, tradeshows themselves are in major decline, hit not only by the recession but also by fears of swine flu, at a time when buyers are increasingly turning to the web to research products and train themselves.


According to Network World:

Despite the recession or perhaps in spite of it, there is no shortage of news and speakers scheduled for the event. If the early hype from the conference organizers is any indication, the winds of change – in terms of buyer sentiment – might be picking up.

A survey of over 900 pre-registered attendees released this week by the conference organizers reported that only 20 percent of attendee IT budgets will decrease in comparison with 2008, while 42 percent claimed that their budgets will increase over 2008.

If those numbers turn out to be true, 2009 might not be such a terrible year for IT after all. Then again, we're nearly halfway through the year now, and we all know how positive (or not) the economy has been so far.


So keep your fingers crossed, and let's watch for the reports on how InterOp turns out this week.

Monday, May 11, 2009

How can you handle risks that come with social networking?

Last week I wrote about one of a collection of seven pieces on Burning Security Questions published by Network World. I'm going to look at a second piece today on the risks that come with social networking.
Facebook, MySpace, and Twitter are hard for your end-users to resist, but they can bring security dangers to your organization's network.

From the article:

[I]t comes with huge risks that range from identity theft to malware infections to the potential for letting reckless remarks damage corporate and personal reputations.

...

Jamie Gesswein, MIS network engineer at Children's Hospital of the King's Daughters in Norfolk, Va. ... still favors blocking general access to social-networking sites unless that access is really needed.

"Be careful of what you post," Gesswein says. "I know users who post anything on everything on these sites. It is at times almost a contest to see who can outdo whom."

He thinks social-networking enthusiasts may be missing the point that this posted information stays around for many years and could come back to haunt them if a job recruiter tries to find out about their digital past.

...

Gaby Dowling, manager of IT security for international law firm Proskauer Rose, says there's a sound business argument for using social networking sites such as LinkedIn, but she worries about the potential for malware being spread by exploiting trust.

"The Koobface worm spread on Facebook was tricking you because you were receiving that from a trusted party," she points out.

"Social networking sites carry high risks of infecting systems with malware," says SystemExperts analyst Jonathan Gossels, who adds, "At a policy level, employees should not be visiting social-networking sites from production systems."
...

"A typical Facebook or MySpace user session ranges from a few minutes to tens of minutes so you could write an application that farms personally identifiable information," Schwartz said.


This is of course a good reminder not only to keep your end-users informed of the risks of social networking, but also to make sure your secure web gateway proxy is up to date and running anti-malware protection to block attacks like the Koobface worm. The latest proxy technology should protect you from the malware threats found on social networking sites, but unfortunately it won't protect your end-users from making bad decisions.

Thursday, May 7, 2009

Ajax and Mashups

I've written in the past about Web 2.0 and how it relates to proxy and web security. While there are many different definitions of Web 2.0, two terms you'll often hear in conjunction with Web 2.0 are "ajax" and "mashups". In case you aren't familiar with either, a definition for both recently appeared on Coffee with Viktor.

Ajax and mashups represent two new Web application development approaches that both fit under the Web 2.0 umbrella.

Ajax

Asynchronous JavaScript + XML (Ajax) allows user interaction with Web pages to be decoupled from the Web browser's communication with the server. In particular, Ajax drives mashups, which integrate disparate content or services into a single user experience. However, Ajax and mashup technology introduce new types of threats because of their dynamic and multidomain nature. It is important to understand these threats and to avoid them by adhering to some best practices.

Mashups

A mashup is a web application that combines content from more than one source into an integrated experience. Usually, the mashup components interact with each other. In the classic example of a mashup, a Craigslist component is combined with a mapping component (e.g., Google or Yahoo maps) such that when a user clicks on a new Craigslist entry, the mapping component updates its view to show the new address.

Mashups typically allow the end user to discover and integrate third party, Ajax-powered mashup components onto the mashup's canvas. Examples in the consumer social networking space include Facebook Widgets and MySpace Widgets, which end users can discover and insert into their pages.

From a technology perspective, mashup components represent Ajax-powered "mini applications" that are assembled into an Ajax-powered mashup container application that provides a framework for the components to communicate with each other. Sometimes the mashup container application enables cross-site communications by providing proxy services to allow server-side redirection to Web servers that are associated with a given mashup component.
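The proxy service described above is where the multidomain nature of a mashup bites: if a component can hand the container an arbitrary URL, the container's server fetches it on the component's behalf. The added example below (my own illustration, not code from Coffee with Viktor or the OpenAjax Alliance) shows the container-side policy that keeps each component's proxied requests on that component's registered origin; the component registry and the .example origins are constructed for the demonstration.

```python
from urllib.parse import urlsplit
import posixpath

# Each registered component is bound to the one origin the container proxy will
# forward to on its behalf. Constructed registry for this example.
COMPONENT_ORIGINS = {
    "map-widget": "https://maps.example",
    "listings": "https://listings.example",
}

def resolve_proxy_target(component_id, requested_path):
    """Map (component, path) to the only URL the container proxy may fetch.

    Returns (True, url) or (False, reason). The component chooses a path, never
    a host: absolute URLs and scheme-relative '//host' forms are refused, and
    '..' segments are collapsed so the path cannot climb above the origin root."""
    origin = COMPONENT_ORIGINS.get(component_id)
    if origin is None:
        return (False, "unknown component")
    parts = urlsplit(requested_path)
    if parts.scheme or parts.netloc:
        return (False, "component may not choose the host")
    # lstrip avoids a leading '//' which posixpath.normpath would preserve
    clean = posixpath.normpath("/" + parts.path.lstrip("/"))
    url = origin + clean + ("?" + parts.query if parts.query else "")
    return (True, url)

def handle_component_requests(requests):
    """Run a batch of (component, path) requests; return the decision for each."""
    return [resolve_proxy_target(cid, path) for cid, path in requests]
```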

Here is a whitepaper from Open Ajax Alliance on Ajax and mashup security that you may wish to peruse.

Ajax and Mashup Security


Thanks Viktor!

Wednesday, May 6, 2009

Cloud computing holds enormous potential for telecom service providers

With all the talk about cloud services, I thought I'd take another look at it, but this time from the perspective of the telecom providers. Telephony Online wrote a recent article outlining the benefits that cloud computing could give the telecom providers. The article points out that the providers are well positioned to take advantage of cloud computing, but also notes that they are behind in getting to the market with offerings and services.

Telephony Online sees big dollars for telecom providers because:

It increases the value of carrier networks in multiple ways and creates new roles (and revenues) for telecom service providers. At minimum, clouds will greatly increase network traffic and utilization and thus transport revenues. And in physically delivering cloud-based services, telecom carriers have an opportunity to extract two revenue streams from the same function, charging end users for a given level of service quality and, at the other end, charging cloud-based providers for service quality, too – an arrangement similar to that often discussed in the context of content delivery networks.


But that's not all telecom providers have going for them. Their existing infrastructure lends itself well to cloud services. Each software component offered in the cloud can be treated like a hosted application, which yields parallels in processing and performance.

"A service provider using cloud computing could build a supply-side architecture that matched up with the current application and service-logic trends emerging independently," Tom Nolle, president of CIMI, said in the article. "It's like a combination of two perfect storms."

With all this benefit for telecom providers in cloud computing, you should see more offerings coming soon.

Tuesday, May 5, 2009

Cloud Antivirus runs smooth but slow

Last week CNET wrote about Panda Security's new antivirus offering, delivered in a cloud format as an alternative to desktop antivirus. One goal of moving this offering to the cloud is to offload the processing done by the desktop system. It also offers prioritization based on threat type.

Unfortunately, there's one thing about cloud services that few vendors can get away from, and Panda seems to be no exception: performance. CNET reports:

The big concern about a cloud-based antivirus is performance, and Cloud Antivirus handled itself decently enough--although it's not a record-setter. On a ThinkPad T42 with a 1.7 GHz Pentium M chip, 1.5 MB RAM, and running Windows XP SP2, Cloud Antivirus used about 23 MB of RAM when idle.
When running a scan, the scan client ate around 40 MB, but the main client jumped to around 32 MB. The scan also took a long time, with only 45 percent of the computer scanned in more than 30 minutes. Pausing the scan client dropped the usage rate from 40 MB to 2 MB.


So, we'll have to see whether new technologies like WAN Optimization can help resolve the slowness issue of services in the cloud, but for now, it still looks like most IT administrators may want to wait for an improvement in speed before moving their users to the cloud.

Monday, May 4, 2009

Can you no longer avoid closely monitoring employees?

Last week Network World ran a series of articles that they titled "Burning Security Questions". I'm going to take a look at a few of these burning questions, and start today with the topic of "Insider Threats", basically the issue of your own employees turning into the bad guys.

Network World reported:

The insider threat has always existed, but in an era of economic upheaval and uncertainty, the problem is only magnified. That point came across in a recent Ponemon Institute survey of 945 individuals who were laid off, fired or quit their jobs during the last year, with 59% admitting to stealing company data and 67% using their former company's confidential information to leverage a new job.


These figures reiterate the need for security at the corporate web gateway using technology such as DLP (data leakage prevention). The web proxy is ideally situated to pass web requests on to DLP systems. If you decide your company isn't ready for DLP, the web proxy is also a great way to record web requests, so that any forensics you need after a data loss can be done as well.

While the web proxy and DLP will help secure your network against data loss, it of course doesn't address physical security, and the possibility of your corporate data walking out the door on a thumb drive.