Once again, convenience is at odds with security. Learn how web browsers making life easy for users also helps the bad guys.
Web browsers have matured into capable software tools. Getting to this point required significant effort by dedicated developers, who continue to enhance their code in order to provide an ever more gratifying user experience.
These enhancements come at a price—increased complexity. Like today's automobiles, web browsers are extremely complicated, so complex that, as with cars, it’s almost a waste of time to look under the hood when something’s not operating correctly.
Sadly, there’s additional fallout from the inherent complexity; it’s easier for nefarious types to find cracks in the code or manipulate existing code to further their own agenda.
Fortunately, there are developers willing to think like bad guys, figure out possible attack scenarios, and tell us about them. One such developer is Kyle Adams of Juniper Networks. In his blog post, "What is Your Browser Doing Behind Your Back," Kyle takes a look at several automated "behind the scenes" browser processes that attackers could leverage to steal sensitive user information such as bank account numbers. Let’s start by looking at DNS prefetching.
DNS prefetching
Take a second, and count the number of links on this article’s web page. Click one. It loads fast, doesn’t it? That's because web browsers use DNS prefetching to resolve DNS information for every link on the rendered web page, just in case the user clicks on one of the links.
Kyle explains how an attacker could leverage DNS prefetching: "If an attacker puts a hidden link on a page that points to their domain, and sets up his DNS server, he can be notified when you view the page and get your IP address—even if you never click the link. This is bad in the case of emails and forums."
The key piece of information is “even if you never click the link.” What if a nefarious type managed to get a link placed on a high-traffic website? And that link pointed to a malicious website devised to download malware automatically? If the computer is vulnerable, it’s a done deal. Unfortunately, this happens all the time, particularly when websites use third-party advertising. Next on Kyle’s list was page prefetching.
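One way a forum or webmail operator can check user-submitted HTML for the hidden-link pattern Kyle describes, shown as an added example (it is not code from Kyle's post or from this article). It lists the off-site hostnames a browser could resolve by prefetching and marks links hidden from the reader; the function names, hostnames and sample post are constructed for illustration, and `X-DNS-Prefetch-Control` is the response header Chrome and Firefox accept for switching prefetching off.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Response header honoured by Chrome and Firefox: "off" disables DNS prefetch.
PREFETCH_OFF_HEADER = ("X-DNS-Prefetch-Control", "off")
HIDING_STYLES = ("display:none", "visibility:hidden")

# Constructed sample: a forum post body (all hostnames are placeholders).
SAMPLE_POST = """<p>See <a href="https://forum.example/faq">the FAQ</a> and
<a href="https://docs.example.org/guide">this guide</a>.</p>
<a href="//u1234.tracker.example/" style="display: none"></a>
<link rel="dns-prefetch" href="//cdn.tracker.example">"""


def link_host(href):
    """Hostname of an absolute or scheme-relative URL, else ''."""
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""


class PrefetchAudit(HTMLParser):
    """Collect off-site hostnames a browser may resolve without a click."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = {}  # hostname -> set of reasons

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host = link_host(a.get("href", ""))
        if not host or host == self.own_host:
            return  # relative or same-site link: no third party is contacted
        if tag == "link" and "dns-prefetch" in a.get("rel", "").lower().split():
            reason = "explicit dns-prefetch hint"
        elif tag == "a":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = "hidden" in a or any(s in style for s in HIDING_STYLES)
            reason = "hidden link" if hidden else "external link"
        else:
            return
        self.findings.setdefault(host, set()).add(reason)


def audit(html, own_host):
    parser = PrefetchAudit(own_host)
    parser.feed(html)
    return {h: sorted(r) for h, r in parser.findings.items()}
```

Calling `audit(SAMPLE_POST, "forum.example")` returns one entry per off-site hostname; a site that renders untrusted posts or mail can strip the flagged elements and send `PREFETCH_OFF_HEADER` with the page.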
Page prefetching
I became aware of page prefetching when I wrote this article about Google Instant. Google Instant guesses what you are typing into Search. Then, Instant displays (along with prefetching the associated DNS information) what it thinks you are looking for, usually before you finish typing. Great idea. The bad guys think so as well, now that they have figured out how to game the system.
In my article, I used the search entry of Antivir Solution Pro as an example. At that time, Antivir Solution Pro was the name given to some nasty malware. Notice in the slide below what Google Instant guessed after I typed in just "anti." Sure enough, Antivir Solution Pro was Instant’s first choice.
Many people thought they were going to a website offering an official antivirus product like Antivir or Antivirus Solution, but ended up getting a computer full of malware. Kyle then moved on to session cookies.
Session cookies
Web browsing without session cookies would be a major pain. Session cookies allow a web browser to remember the user’s information when moving from one web page to another on the same website. There is a problem though. Kyle explains, “Some browsers, most notably Chrome, do not delete session cookies when you clear the cookies. This means even if you clear your cookies, sites can keep tracking you until you close your browser.”
I’m trying to determine which web browsers retain session cookies, and which do not. It seems there are varying opinions. Retaining session cookies is not normally an issue, but it is important to understand that if session cookies are persistent, another user could resume an earlier session and access potentially sensitive web pages—something you may not want to happen. And, finally, Kyle looks at plug-ins.
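Because the browser may hold on to a session cookie longer than the user expects, a site can limit how long that cookie remains useful by expiring the session on the server. The following is an added example, not code from this article or from Kyle's post; the class name, method names and both time limits are assumptions.

```python
import secrets

IDLE_LIMIT = 15 * 60          # assumption: 15 minutes without a request
ABSOLUTE_LIMIT = 8 * 60 * 60  # assumption: 8 hours since login


class SessionStore:
    """Server-side session table keyed by the session cookie's value."""

    def __init__(self):
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def login(self, user, now):
        """Create a session and return the token to place in the cookie."""
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def logout(self, token):
        # Removing the server-side record ends the session even if the
        # browser never deletes the cookie.
        self._sessions.pop(token, None)

    def user_for(self, token, now):
        """Return the user for a presented cookie, or None if it has expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        idle = now - session["last_seen"]
        age = now - session["created"]
        if idle > IDLE_LIMIT or age > ABSOLUTE_LIMIT:
            del self._sessions[token]  # a retained cookie is now worthless
            return None
        session["last_seen"] = now
        return session["user"]
```

Times are passed in as seconds so the behaviour can be checked without waiting; in a real handler `now` would come from the server clock.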
Plug-ins
Plug-ins are software that allow users to customize an application, adding significant versatility to web browsers. I’d be lost without my ad blocking plug-in. Kyle states his concern: “Each plug-in operates with an immense amount of privileges. They can look at everything the user does, mess with content on their system, and make requests without the user knowing.”
Kyle offered this example:
Plug-ins commonly shipped with antivirus applications are designed to warn you when you visit a malicious page. However, in order for the AV vendor to know you’re visiting a malicious page, they need to know every page you do visit. This means that as you browse the Internet, the entire sum of your Internet activity is being silently shipped to a third party.
Kyle went on to mention that he would consider most AV vendors trustworthy, but he also noted that some plug-ins do not encrypt the data, so the data is fair game in transit to the AV vendor’s servers.
Final thoughts
I’m afraid the “cat is out of the bag” on the four web browser processes Kyle talked about. I intend to keep using them. But knowing what Kyle has uncovered allows us to be careful in how we use them.