Thursday, October 09, 2014

How Do You Secure The Internet?

This is a question I have been asked a few times now, and the asker doesn't typically mean the ENTIRE Internet, they just mean their own little corner of it.  You know, the one sitting on your desk.

When someone asks this, what they really mean is "How do we keep the bad guys out?"

The three major ways the bad guys get in are:  exploiting your desktop computers, exploiting your servers, and exploiting you.  You see, the bad guys exploit both computers and users alike.  Malware (a blanket term referencing adware, spyware, and viruses), service exploitation (this is what people usually think of when they hear the word "hacking"), and calling you or emailing you and straight up lying to you are ways that your data may be compromised.  You see, we're not dealing with nice people here.

Often people are just trying to get through their day with all of their work done well.  They're looking for a fast free tool because it might take too long to complete a purchase.  Free compression utilities, file viewers, and PDF printers have the potential to infect users computers and provide easy ways for the bad guys to get in.  Interestingly enough most of the adwares and spy wares I have encountered aren't normally detected by antivirus programs as they are classified as "PUPs" - Potentially Unwanted Programs.  These technically aren't viruses, but a nuisance as they may download other PUPs which download some more, and so forth.  I'm not just talking banners inside of the app, I'm talking full-on browser hijacking where you lose your homepage, search results are altered to promote certain products, and even your line-of-business application windows display ads.
Have you seen me?
Technicians can sometimes struggle for hours to remove them because these apps aren't meant to be easy to remove.  Furthermore these apps can download additional content from other bad characters who don't just stop at serving ads: they will try to convince you to directly give them money by scaring you.  They will intimidate you with frightening looking ads and ominous messages about your computer being slow or having viruses.  Some will even go so far as to tell you that illegal activity has been detected on your computer and offer, for a fee, to clean it off.  Some even lock your computer, say that illegal activity has been detected by the government, and you may pay a fine if your want to avoid jail - all from the convenience of your office and payable via Bitcoin.

These sorts of applications don't just come from misguided efforts at inexpensive office productivity, they are often secretly shoehorned into your computer by the advertising on web sites.  Not just scummy places nobody has any business visiting - we're talking major news outlets and popular web portals like the New York Times.  I am now seeing workers with a long history of being productive and not screwing around ending up with some pretty nasty bugs.

Another, more targeted method, seeks to install even nastier tools into the computers of workers handling sensitive financial.  Known as Spearphishing, the idea is to send emails which look like important communications to financial staff.  These emails have a file attached, typically a .zip or .pdf, which, when opened, installs software that watches for important financial data to be accessed.  When sensitive data is detected the malware neatly packs it up and sends it to someone who is going to steal your customers credit card data and potentially empty all of your bank accounts.
Surprised?
It turns out that, short of pulling the plug on your Internet connection, there is no one solution which will prevent this sort of abuse.  What is required is a "Defense in Depth" - layers of protection which, when takes as a whole, offer a more solid defense than any one process or product.  The entire process of retrieving information from the Internet must be questioned and examined at critical junctures.

Let's look at the process:

  • First the user makes a decisions that they want to get something done on the Internet.  This is the best time to intervene - the user needs to have knowledge to avoid danger online.  The bad guys often depend on us being either inattentive or ignorant.  Here's a good article on spotting bad links.
    Just click Download already!
  • When you request your web page your computer performs a DNS (Domain Name Service) query - this is akin to looking up a number in the phone book - the response can be controlled by both good guys and bad guys alike.  Good guys can alter these results and prevent access to undesirable web sites.  Bad guys can do likewise and funnel your users into advertising or more malware.
  • The HTTP Get is the next critical juncture - your computer has the number of the party you are trying to reach, dialed it, and the metaphorical phone is now ringing.  This is where a proxy server steps in - it intercepts the call and makes the call on your behalf.  Again, proxies can be used by both good guys and bad, and some of the bad ones insert ads, open additional pages, and even prevent you from accessing web sites and information for removing the malware.  The good guys will use it to compare the URL of the web site you're visiting to a categorical list of URLs and block web sites which fall into undesirable categories.  Administrators and mangers can also look at the proxy logs and get a good idea of how you have spent your time online.  Analysis of these logs can indicate which users are engaged in risky online behavior and give managers an opportunity to offer some advice on how to better spend their time online.
    I see you've been surfing the web...
  • Ongoing HTTP Sessions can also be intercepted by a proxy, reassembled, examined for viruses, and then forwarded to the client.  This would be a great job for a powerful router, but many businesses don't have them yet.  Interestingly, Charter Business is leading the charge in this field and is providing routers with this capability to their high speed customers.
  • Now that your computer has completed its call there's data to be opened or executed.  This is where a good antivirus product comes into play.  Many of todays malwares are "drive by downloads" which means you never actually clicked a download button, nor did you click Open or Run.  It just happens...  Unless you have a good antivirus product which does behavioral monitoring.  Antivirus products can watch what your computer is doing and prevent suspicious activity.  Check with your antivirus vendor (I know a good one) to find out if your current product does this monitoring.  Hopefully the malware packages never get a chance to misbehave as your antivirus will detect and quarantine them as soon as the download completes.
  • If, after all of this, your computer still becomes infected with malware the malware must now succeed in making it past some or all of the lower level services to succeed in communicating with its masters - savvy DNS managers maintain lists of known bad actors and can block requests to hosts based on these lists.  Though they're uncommon, an Intrusion Detection Systems (IDS) at the firewall can detect the command and control communications used by malware, then generate alerts or terminate suspicious connections.  IDS's are are prone to false positives, so be careful if you go this route because they can require a lot of care and feeding.
  • If the malware has made it past all of these defenses then the bad guys have done a good job (relatively speaking, it's awful for us) and are now winning the game.  The likelihood of this has been reduced through defense in depth, but we can never consider ourselves to have won:  we have to find every hole in our defenses and fix it, the bad guys only have to find one. 
Spearphishing attacks are incredibly crafty, and the bad guys know how to get past many of these defenses.  Users must be prepared to match their own wits against those of the bad guys.  They will receive messages crafted to make the user want to open the attachment.  Messages will claim their attachments are:
  • Requests for bid
  • IRS communications
  • postal notifications
  • shipping notifications
  • bank password reset requests
  • law enforcement notifications
  • holiday greeting cards
  • invoices
  • awards
  • banking documents
All of these are important stuff, and nobody wants to drop the ball.  The bad guys know this and will do everything in their power to prey on our sense of duty or curiosity.  Needless to say, some of our friends and coworkers might benefit from a brief orientation on these threats.  I can't emphasize enough what a vital role your gut will play in this - if you think it might be a scam it probably is.
And for good reason.
There are many opportunities to prevent spearphishing attacks.  Remember, spearphishing is sending malware via email to people with sensitive jobs.  Many email servers (Like Microsoft's Office365) include virus scanning which will remove the threat before it reaches your inbox.  Email servers may also be configured so that they may only receive mail from trusted systems or from systems that can pass a series of tests that only trustworthy servers can pass.  As if that's not enough, servers will often read the email and make some decisions based on the content.  It's not uncommon to see 2/3 of the messages received by a server silently dropped.

Controlling DNS responses can be useful here, as well - compromised servers are may be detected and listed with security services.  If you have been duped into clicking a dangerous link the attempt could be blocked by services such as OpenDNS.

Think you can spot a phishing attack?  Take the OpenDNS Phishing quiz!

I hope that I've been able to help you learn a bit more about the threats faced by modern office staff.  If you would like to learn more about how Safe Mode might be able to secure your office computers please don't hesitate to call or email!