A new twist on “security through obscurity”?
By Beardy.
—
Ok, anyone who knows anything about security in IT systems knows that “security through obscurity” is akin to “the road to Hell is paved with good intentions”. It just does not really provide the desired outcome in the long term.
So, let’s examine the history of this approach. M$ products, while getting better, still tend to depend on M$-specific proprietary APIs and protocols, which inevitably lead to “critical” security patch after “critical” security patch ad infinitum. Sound familiar?
On the hardware and network design side, many people (some of whom should know better!) think that just because they have what is termed a “NAT firewall”, their precious LAN is secured from the kiddiots and other nasty denizens of the world-wide-whackfest. WRONG!
First of all, while NAT does provide at least some level of protection (certainly better than the twits who connect their USB ADSL modems directly to the ‘net without even enabling the Winblows firewall; nuff sed on that one), it only really obfuscates things; it is not true protection. Consider the annual C and Perl code obfuscation contests: the result is code that is nearly impossible to read without getting a headache, but it is decipherable in the end. This will eventually become largely academic as IPv6 becomes more pervasive. Remember that NAT was originally created to provide an artificial extension of the internet’s IPv4 address space (well, that combined with non-routable IP address ranges).
All the gurus of internet hacking agree on one thing about NAT as a “firewall” technology: it is limited, but fine provided the machines on the inside NEVER open a connection OUT and no ports are forwarded IN. All a potential attacker needs is the details of who and where you came from and they can (in theory at least) use that against you, kinda like identity theft.
So where am I going with this?
Well, we all know that IE is kinda like the promiscuous child of web browsers, and the Firefox fanbois would have you believe that they have superior technology. Ignoring Safari, Chrome and Opera with their minuscule market shares for now (although they probably suffer from the same malady), let us examine how a web browser is kinda like the used hypodermic needle when it comes to the spread of bad things.
What is a web browser? In short, it is an application that knows how to turn formatted data into a (supposedly) consistent human-readable display, at least something like its author intended. To enhance its capabilities beyond the research tool it was designed to be, so-called “rich content” extensions have been added over the years, much like pin-stripes and towbars to our little utility.
I won’t go into the evils of VBScript and its spawn-of-Satan twin ASP+IIS, nor will I pontificate on the bane of good programming and style associated with that most despicable of languages whose name we will not utter (but James Gosling has a lot to answer for…). I won’t even stoop to kick CGI and poor coding of browsers or OSes in the teeth.
What this is all about is HOW the humble browser has now become public enemy #1 when it comes to malware vectors.
“What?!?!” I hear you scream? Well, while it IS true that you can be moderately “safe” and “secure” if you avoid known bad sites, you know…the ones that your AntiVirus software pops up and warns you about, just before you click “proceed anyway”. Don’t bother to deny it, curiosity killed the cat, your mouse and ultimately most of the other vermin in your PC before you inserted the recovery disk.
So. What “safe” places could cause such a problem? Have you ever bothered to do a “view source” on some common “safe” sites to see what and where you are REALLY being fed data streams from? Go to the BBC, CNN and NY Times news sites and have a look. Are you sure you would have gone to “adsense.com” (better known by its parent, Google…)? “Big deal” you say, but stop to think how you got there…
Now look at your corporate INTRANET website, or your vendor-supplied ITIL product (eg: HP OpenSpew, Tivoli, etc.) from its web view. What little thing seems to be everywhere? Here’s a hint: try using a text-only browser (no extensions) to view TechRepublic (another “safe” site) and you should bump into a little warning: “Requires JavaScript for most site functionality”. I’m sorry, what did you say? You don’t HAVE a non-JavaScript-enabled browser?
If you are like the vast majority of WWW users, you will find that many sites simply do not render ANYTHING or fail to render correctly if you do not have JavaScript. Once again, I hear “big deal” and “so what” comments. More importantly, the Firefox fanbois will be saying that they are not affected. BZZZT! Wrong!
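The “view source” exercise above can be scripted. The following is an added example (my own illustration, not code from the original post or from any site it names) that walks a page’s markup and reports which foreign hosts it pulls scripts, frames, images and stylesheets from, plus how many inline scripts it carries. The sample HTML and the hostnames in it are constructed for the demo; the same-site test is a crude “last two labels” comparison, not a proper public-suffix check, so treat that as an assumption rather than a rule.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that cause the browser to fetch a resource from elsewhere.
REMOTE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "link": "href",
    "object": "data",
    "embed": "src",
}


def registrable_site(host):
    """Crude same-site key: last two DNS labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


class ThirdPartyAudit(HTMLParser):
    """Collect the foreign hosts a page's markup loads resources from."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = registrable_site(urlsplit(page_url).hostname or "")
        self.external = {}          # host -> set of tags that referenced it
        self.inline_scripts = 0     # <script> blocks with no src attribute
        self.script_has_src = False

    def handle_starttag(self, tag, attrs):
        attr = REMOTE_ATTRS.get(tag)
        if tag == "script":
            self.script_has_src = False
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        if tag == "script":
            self.script_has_src = True
        # Resolve relative references against the page so "/css/site.css" counts as first-party.
        host = urlsplit(urljoin(self.page_url, value)).hostname
        if host and registrable_site(host) != self.page_site:
            self.external.setdefault(host, set()).add(tag)

    def handle_endtag(self, tag):
        if tag == "script" and not self.script_has_src:
            self.inline_scripts += 1


def audit_html(page_url, html):
    """Return (external_hosts, inline_script_count) for the given markup."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_scripts


# Constructed sample page: one first-party script, two ad/tracker hosts, one inline script.
PAGE_URL = "https://www.example-news.test/story"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://static.example-news.test/app.js"></script>
<script src="https://ads.adnet.test/serve.js"></script>
<script>window.track = function () {};</script>
</head><body>
<img src="https://pixel.tracker.test/1x1.gif">
<iframe src="https://ads.adnet.test/frame"></iframe>
<noscript>Requires JavaScript for most site functionality</noscript>
</body></html>"""


if __name__ == "__main__":
    external, inline = audit_html(PAGE_URL, SAMPLE_HTML)
    print(f"inline scripts: {inline}")
    for host in sorted(external):
        print(f"{host}: {', '.join(sorted(external[host]))}")
```

Run it against a saved copy of any “safe” news page instead of SAMPLE_HTML and the list of hosts you never chose to visit is usually longer than you expect; the inline-script count is the other number worth watching, since that is code you cannot block by hostname.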
What makes the difference between fast and slow web browsing? Caches. Most browsers have one and almost nobody ever clears theirs manually. Frequently they’ll even leave the default size and age settings in place.
Well, if you ARE one of those people, here’s some food for thought. There are those of us who are seriously paranoid about identity theft, cross-site scripting and silently-delivered malware: one browser to do banking, eBay, Amazon, etc. and a DIFFERENT browser to do general surfing. It is getting so bad on eBay and Amazon that I may soon have to resort to using a separate machine to ensure security for online banking.
Things found in MY (uber-paranoid-mode) cache have included cookies, JavaScript, applets and plug-ins from RedSheriff, DoubleClick, AdWords, AdSense and a bunch of Adobe “things” (Flash, Shockwave, Air) and other things that I never intentionally installed.
Let’s move forward a single step. I browse from behind a NAT, SPI and firewalled router, Linux firewall and cache and a secondary router to isolate the WiFi machines from the servers. Despite this, my browser has delivered all manner of “unexpected” things. It would only take ONE compromised Auctiva-extended eBay page or hacked banking site for someone to deliver a supposedly “safe” JavaScript to my machine that lurks until I next connect. Personally, my next step is to force all browsing through the proxy cache and run a live scanner for malware, not that I expect it will improve matters much.
The article below is a more readable explanation of how this all works to compromise your PC. How to stop it happening is the question to which nobody appears to have a foolproof answer. I suppose in an extreme case, we could all resort to surfing from browsers sandboxed in snapshotted VMs or from “live CDs”.
The governments are trying to tighten security and censor the web. Flawed, futile and infuriating as that may be, it may in the end be a moot point if “surfing the net” becomes so hazardous that people start rethinking whether the convenience is worth the risk.
“New attack class exploits intranet weaknesses”
<http://threatpost.com/blogs/new-attack-class-exploits-intranet-weaknesses>