Guide to Browser Security and Safe Web Browsing

an Security eBook

This content was adapted from the eSecurity Planet and CIO Update websites. Contributors: Kenneth Van Wyk, Eric Geier, Aaron Weiss, Robert McGarvey and Lisa Phifer.

Internet Explorer 9 vs. Firefox 4: Which is Safer?
8 New Security Add-Ons for Firefox
Top 5 Security Threats in HTML5
Top 10 Myths of Safe Web Browsing
Top 10 Web Malware Threats


Internet Explorer 9 vs. Firefox 4: Which is Safer?
By Kenneth Van Wyk

Over the past few years, I’ve compared the security of Internet Explorer and Firefox several times. With both products well into their respective beta cycles, it’s time to revisit the question: which browser is a better choice for the security of an average user?

This month, I went into my lab and installed the latest beta version of each browser, and have updated the comparisons I’ve made in the past. For the record, I tested Firefox 4.0 beta 7 on a Macbook Pro running Apple’s Snow Leopard operating system with all current patches installed. For Internet Explorer (“IE”), I used IE 9.0.7930.30.16406 (wow!) on Windows 7 Home Edition (32 bit) running in a Parallels version 6 virtual machine with 3.5 GB of RAM. (I felt this was fair. After all, I’m comparing security features, not browser speed…)

The good news is that there truly is much to like about both browsers. Safe browsing features, privacy guards and such have never been more robust. The bad news is that, to be secure on today’s Web, both browsers require some tweaking, as their default configurations are less than ideal. Even though I am someone who enjoys tweaking tools, surely that’s not the case for the average consumer. I fear few users will ever take advantage of the security features they’re given.

Still, I feel I could use either Firefox or IE in a reasonably secure way, given some tweaking and fiddling time. In the case of IE, most everything I’d need is built in, which is a good thing. In the case of Firefox, I’d need a plug-in to feel safe. So let’s dive in and take a look at the details.

Lower Profile Target

I feel a browser with a huge market share is not as safe as one with a minuscule market share. This is due simply to the fact that miscreants generally tend to write their malware to products that have large market shares. It’s a simple matter of economics in most cases. Further, it in no way indicates which browser is more secure — only which one is safer because there are fewer attacks affecting it.

In our case of IE vs. Firefox, their respective market shares are looking more and more similar. In the past, IE’s market share was so vastly bigger than Firefox and others that it was pretty easy to assume a lower profile browser was less likely to be targeted by miscreants.

But today, most statistics say that IE is at roughly 49 percent market share compared to Firefox’s 29 percent. That’s still a big difference, but not one I’d be happy hiding behind in smug confidence.

Qualitative score: IE gets a “C” while Firefox gets a “B.” Since I last compared them, IE gains a bit while Firefox loses a bit.

       2      Back to Contents            Guide to Browser Security and Safe Web Browsing an Security eBook. © 2011,, a division of QuinStreet, Inc.

Configurability

This remains one of my toughest criteria to compare between the two browsers, but it is one that can have a huge impact on the browsers’ relative security. I should emphasize that I’m limiting my comparisons here to the base browsers, without any plug-ins installed (for now).

Like many Microsoft products, IE really provides a huge set of security features that can be adjusted to suit a user’s needs. IE uses security “zones” such as “Internet,” “Local intranet,” “Trusted sites” and “Restricted sites” to define what a site may or may not do.

This basic feature turns out to be exceptionally powerful and can be adjusted to the finest detail. That’s the good news. The bad news is that adjusting things to the finest detail is something that is vastly outside of the ability of a typical consumer. To its credit, Microsoft provides a “security level” slider bar (think “high”, “medium” and “low”) for making most adjustments easily, without needing to know the fine details.

I have two gripes here. The first one is that the Internet (default) zone is defined as “medium-high” by default, and allows many forms of active content (e.g., JavaScript) to run from completely untrusted sites. (I prefer a setting of “high” for Internet sites, which disallows all forms of active content. I can then add trustworthy sites to my “trusted sites” zone on a case-by-case basis, enabling them to run JavaScript and such.)

By comparison, Firefox’s security choices are overly simplistic. You can tune whether a site can invoke active content, such as JavaScript, but it’s pretty much an all-or-nothing proposition. If it’s disabled for one site, it’s disabled for them all. (To be fair, a few JavaScript capabilities can be restricted, but still not on a per-site basis.)

Although neither is perfect here, IE gets the nod for its capabilities. I do very much wish that they’d make it easier to designate sites as “trusted” zone sites, but that’s a user interface issue I suppose. Still, from the provided features, I’d far prefer having IE’s choices than Firefox’s simplicity.

Qualitative score: IE gets an “A-” while Firefox gets a “D+.” IE is unchanged while Firefox loses ground for its


Safe Browsing Features

Both browsers have substantial so-called safe browsing features. In both cases, they basically work from black lists of forbidden sites—sites that are known to carry malware or other security dangers. Then, when a user directs the browser — quite likely inadvertently — to a dangerous site, the browser warns the user before allowing the action.

It’s a simple enough feature, but I fear it is one that is doomed to eventual failure, just as anti-virus products relying on signatures of known viruses have become largely ineffective against the onslaught of today’s malware.

IE uses a feature called “SmartScreen” to maintain its blacklist. Users can report questionable sites, and SmartScreen can be used to verify if a site is on the blacklist or not. Conceptually, this is similar to how Firefox has been doing its safebrowsing (via Google) for its past few releases.

Do they work? Well, I can’t say I’m a fan of the blacklist or negative validation way of doing things. It is prone to failure, doesn’t scale particularly well and generally slows down the user’s browsing experience as the browser checks each and every site against a centrally maintained list.

Still, the features are on by default, and most users will leave them on. If they prevent even one user from stepping on a landmine, then there’s little harm done.

Qualitative score: IE gets a “C-” while Firefox gets a “C-.” Essentially unchanged.

Privacy Features

Although privacy is a separate issue than security, there are often times a few shared attributes. Personal privacy is an area that both browsers have advanced in the last couple of years.

Both browsers now provide the means for a user to delete his browser history, cookies, etc. These features are generally good news for the privacy-minded, as well as for enhanced security.

In both cases, though, the features are largely not enabled by default, and it’s unlikely that most consumers would seek these sorts of features, as they’re often not aware of the security concerns surrounding browser histories and cookies.

Qualitative score: IE gets a “C+” while Firefox gets a “C-.”

With those built-in features compared, I remain a firm believer in the use of security plug-ins like NoScript (see for Firefox. Although they’re not largely used outside of a small community, they’re well worth the effort. (NoScript provides a whitelist feature for which sites may run active content in the user’s browser. This largely replicates the capability that IE already has for trusted security zones, but is far easier for most people to use.)

So, which browser is right for your security? Will you spend some time setting the security features? If so, IE 9 gives you some pretty compelling options (if you’re running Windows). If you prefer something a little simpler, Firefox is probably a better option, especially if you’re willing to take the few seconds to install and run the NoScript plug-in.

The Web of 2010 has grown into a veritable mine field in many ways. Malware, identity theft and all sorts of nastiness can be found readily, even on many otherwise reputable sites. A well-chosen and configured browser can go a long way to preventing those land mines from causing harm to you.


8 New Security Add-Ons for Firefox
By Eric Geier

Most lists of Mozilla Firefox security add-ons talk about the same old extensions. Do Web of Trust (WOT), NoScript, AdBlock Plus or LastPass sound familiar? These all add great functionality to the open source browser, but we’re going to look at some newer ones that you probably haven’t seen yet.

1. Firesheep

This add-on monitors the traffic on open or unencrypted Wi-Fi networks and demonstrates the vulnerability of HTTP session hijacking. It can capture the login credentials to numerous sites, including Amazon, Facebook, Flickr, Google, Windows Live, Twitter and Yahoo—just to name a few. It displays the captured accounts on the sidebar where you can click on them to log in with their account. Though the login session to the site may be encrypted, Firesheep validates that only end-to-end encryption like SSL provides complete protection.

You should understand not all wireless adapters can sniff the traffic of other users on wireless networks. Thus sometimes Firesheep will only capture accounts that are logged into from the same PC running it. However, wireless adapters do exist that can listen in on any user’s traffic.

Firesheep is available for Windows XP or newer with Winpcap installed and Mac OS X 10.5 or newer on an Intel processor. Linux support is on the way. It requires Firefox 3.6.12 or newer (32-bit only).

2. SSLPersonas

As you may know, SSL encryption can secure your logins and data on websites. In Firefox, you’ll see a button with the domain or company name appearing on the left of the address bar and a small padlock in the lower right corner of the browser when you’re connected via SSL/HTTPS.

However, a more visible indication can better help you identify sites that aren’t secured. The SSLPersonas add-on does this by turning the background of Firefox another color based upon the encryption status. When Firefox turns green the website is certified and the operator was verified by a trustworthy authority. Blue indicates a website is secured with a valid certificate, but the organization isn’t fully verified. Orange indicates a website is only partially secure. You’ll know when a site isn’t secured at all—there’s no color.

SSLPersonas also improves certificate error warning pages by giving you a preview of the blocked website. If you do indeed trust the site, you can bypass the warning with one click.


3. CreditCardNanny

Though websites implement SSL/HTTPS encryption, it doesn’t necessarily mean their forms and your data are secure. For example, they could be sending the information you input into forms via clear-text emails to the site administrators—still a common practice among many small businesses. The CreditCardNanny add-on tries to detect and notify you of this type of security issue. Once installed, you can test the extension by visiting the dummy credit card form that uses a form emailer script.

4. DNSSEC Validator

The Domain Name System Security Extensions (DNSSEC) were developed to help secure the Domain Name System (DNS). Though DNSSEC is still in the early stages of adoption, you can get prepared by installing this DNSSEC Validator.

This DNSSEC Validator add-on will automatically query DNS records for domains and compare them to the IP addresses Firefox used to download the page. If the records contain valid DNSSEC signatures, you’re protected by DNSSEC; otherwise you might be a victim of DNS spoofing. The results are displayed as a green, orange or red key right in the address bar.

5. GPO for Firefox

If you administer a domain network with a Windows Server and Active Directory, you’re probably familiar with how Group Policy Objects (GPOs) can help you centralize the management of settings and preferences of Internet Explorer, among other applications and system

This add-on lets you use GPOs for Firefox. They provide an administrative template to build the GPOs in Active Directory. The add-on is installable onto clients to read the settings and write the preferences to Firefox.

These GPOs define general, proxy, security and advanced settings. They can help prevent users from updating Firefox, modifying add-ons and much more.

6. Privacy Locker

There are plenty of add-ons that offer shortcuts to deleting history, cookies and cache files. Privacy Locker, however, takes a different approach. It doesn’t delete anything, but lets you lock down your Bookmarks, Tools and History menus. It even blocks the keyboard shortcuts to these menus and prevents access to the about:config page. Your browser settings, saved passwords, history and bookmarks would all be protected by a password. This is a great way to protect your privacy when others use your PC.

7. Lockfox

This provides a new kind of anti-phishing protection for Firefox users. Lockfox tracks the passwords you use for each website and alerts you if you try to use the same password twice. If you use unique passwords like you should, this would help you detect fake or duplicate sites that are trying to phish for your login credentials or credit card info.

8)! short URL expander

One of my biggest pet peeves on the Internet these days is shortened URLs. You can’t tell where the link is pointing, it’s just gibberish. However, install this add-on and you’ll be able to hover over links from over 180 services to see the long URL and other basic information about the site. It’s not a huge security concern, but seeing the longer URL can help you identify the site you’re about to visit.

Find add-ons for yourself!

You can search or browse through the over 10,000 add-ons yourself on the Firefox Add-ons site. Most extensions should be installable via the button on their download page. If you download from a third-party site (like with Firesheep), simply open the file in Firefox to install.
settings. They can help prevent users from updating


                    Top 5 Security Threats in HTML5
                                                           By Aaron Weiss

             omehow technology seems to evolve at a                         do not) take in building their HTML5 code.
             rapid pace, even when the standards bodies                     We haven’t yet seen real-world attacks on HTML5,
             that help define it do not. Consider that                      but among security researchers, several areas of the
             most of today’s websites are built on HTML4,                   sprawling new feature set are emerging as the most likely
a standard that was introduced in 1997. In the 13 years                     targets for potential threats.
since, the way we use the Web has changed dramatically,
even if the underlying standard has not.                                    1. Cross-Document Messaging
To bridge the gap, Web developers have adopted and                                                                 In an earlier effort to promote
embraced a variety of additional                                                                                   security on the Web, HTML4
technologies, everything from                                                                                      does not allow pages from one
using client-side JavaScript to                                                                                    domain to pass or access data in
build needed features, relying                                                                                     pages from another domain. For
on server-side scripts to process                                                                                  example, if a page loaded from
data in ways the browser could                                                                            contains JavaScript
not, and using third-party plug-                                                                                   code that reads the position of
ins, such as Flash, to extend                                                                                      the mouse pointer after a click,
the browser even further. All of                                                                                   it cannot pass that data to a
these developments reflect the                                                                                     page loaded from,
shift from browser as document                                                                                     which may be in another window
delivery platform to browser as                                                                                    (a pop-up spawned by the first
Web application platform.                                                                                          page, for example).

Now, with the nearly-complete                                                                         This prevents a malicious site
standard for HTML5 being                                                                              from intercepting data from
implemented (at least in part)                                                                        a legitimate page, but it also
in the latest or beta versions of all the major browsers,                   presents an obstacle when legitimate pages hosted at
including Internet Explorer, Firefox, Safari, Chrome                        different domains need to exchange information with
and Opera, many of the advanced Web app features                            each other. Today, many Web apps consolidate content
developers need will be available in native HTML.                           from multiple domains, but their ability to do so without
But with any major introduction of new features, HTML5                      third-party means is limited by this constraint, requiring
also brings with it potential security vulnerabilities —                    cumbersome workaround like Flash or complicated tricks
which is not to say that HTML5 is “flawed,” but that,                       that can expose new vulnerabilities.
invariably, there will be new attack vectors for hackers to
exploit. Some originate from elements of the standard                       HTML5 introduces an API called postMessage that
itself, some from implementations of the standard in each                   creates a framework for a script in one domain to pass
browser, and some from the care that developers do (or                      data to a script running on another domain. To help

       7     Back to Contents          Guide to Browser Security and Safe Web Browsing an Security eBook. © 2011,, a division of QuinStreet, Inc.
                                                  Guide to Browser Security
                                                   and Safe Web Browsing

ensure that requests are not malicious, postMessage                          For example, the new HTML5 attribute “autofocus”
includes object properties that the developer can use to                     will automatically switch browser focus to the specified
verify the origin of the request, to ensure that it matches                  element—a trick that is sometimes useful for user
the expected domain.                                                         interface design and previously had been implemented
                                                                             using JavaScript. But a malicious site could use the
But HTML5 does not itself enforce this origin check,                         autofocus attribute to steal focus unwittingly from the
meaning that a careless developer might not actually implement origin verification, essentially leaving the script exposed to postMessage requests from malicious sites.

2. Local Storage

New to HTML5 is offline storage, a client-side SQL database that can be accessed by JavaScript in a Web page. Like many other HTML5 features, local storage is something that has existed by virtue of third-party development (Google Gears), but is now being adopted into the HTML standard.

Providing access to local storage can significantly accelerate Web applications, especially when they need to query from the same set of data repeatedly. But it also presents several possible threats that can be exposed by careless developers.

When storing sensitive data in an offline database, such as email messages or passwords, developers need to use SSL and they need to generate unique database names so that hackers cannot formulate a predictable attack. Also, developers should use prepared SQL statements, rather than constructing queries in JavaScript code, or else hackers could intercept or emulate these queries to execute “SQL injection” attacks.

3. Attribute Abuse

In addition to providing many new tags, HTML5 also introduces new attributes, some of which apply to familiar tags and may be subject to abuse. A particular threat is when attributes can be used to trigger automatic script execution.

end user, possibly giving focus to a window that is rigged to execute malicious code when active.

Likewise, other new attributes, including “poster” and “srcdoc,” allow page elements to point to external resources—resources that may be malicious in nature. Again, it is not that these attributes are flawed—they exist to enable richer functionality in Web applications—but that they also could be abused by bad actors.

4. Inline Multimedia and SVG

HTML5 is significantly more multimedia-savvy than its predecessor. Until now, browsers needed to rely on third-party plug-ins (such as Flash) to embed most major media formats, including MP3 audio and MP4 video.

With its new <audio>, <video> and <svg> tags, HTML5 can natively render popular formats and vector graphics without external plug-ins that consume extra resources and sometimes add instability to the browser. But this puts the onus on browser developers to implement complex multimedia rendering that may result in bugs that open new vulnerabilities.

For example, an earlier version of Google Chrome contained a documented bug in its SVG parser that, if tickled a certain way, could allow scripts to access the object properties of a page hosted on a different domain—in other words, in violation of cross-domain security policy.

Because each browser will need to implement native multimedia handling to support the new tags, it is possible for different bugs to crop up in each and, therefore, multiple attack vectors could be exposed.
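
The origin verification that the postMessage item says a careless developer might leave out, shown as an added example that is not part of the original article. The origins, message shape and function names are constructed for illustration, and the events are plain objects so the code also runs outside a browser:

```javascript
// Added example, not from the article: origin verification in a
// postMessage receiver. All origins and message shapes are constructed.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://widgets.example.com',
]);

// Flawed: a substring test passes any origin that merely contains the name.
function flawedOriginCheck(origin) {
  return origin.indexOf('example.com') !== -1;
}

// Hardened: event.origin is a browser-serialized scheme://host[:port]
// string, so an exact allowlist comparison is all that is needed.
function strictOriginCheck(origin) {
  return typeof origin === 'string' && TRUSTED_ORIGINS.has(origin);
}

// Build a receiver that checks the sender first, then the payload shape,
// and only then hands the data to application code.
function makeReceiver(isTrustedOrigin, applyTitle) {
  return function onMessage(event) {
    if (!isTrustedOrigin(event.origin)) return 'rejected:origin';
    const d = event.data;
    const shapeOk = d !== null && typeof d === 'object' &&
      d.type === 'set-title' &&
      typeof d.title === 'string' && d.title.length <= 80;
    if (!shapeOk) return 'rejected:shape';
    applyTitle(d.title);
    // Reply to the verified origin only, never to the wildcard "*".
    if (event.source) event.source.postMessage({ type: 'ack' }, event.origin);
    return 'accepted';
  };
}

// In a page the receiver is registered with:
//   window.addEventListener('message', makeReceiver(strictOriginCheck, fn));

// Constructed events standing in for what the browser would deliver.
const SAMPLE_EVENTS = [
  { origin: 'https://app.example.com', data: { type: 'set-title', title: 'Inbox' } },
  { origin: 'https://example.com.lookalike.test', data: { type: 'set-title', title: 'x' } },
  { origin: 'http://app.example.com', data: { type: 'set-title', title: 'x' } },
  { origin: 'https://app.example.com', data: 'set-title:Inbox' },
];

// Run every sample event through a receiver built with the given check.
function runSamples(isTrustedOrigin) {
  const titles = [];
  const receive = makeReceiver(isTrustedOrigin, (t) => titles.push(t));
  const verdicts = SAMPLE_EVENTS.map((e) => receive(e));
  return { verdicts, titles };
}
```

With the substring check, the look-alike host and the plain-HTTP origin are both accepted; with the exact allowlist only the first event reaches application code.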


5. Input Validation

Managing user input always requires care, especially when that input will later be displayed or rendered. Malicious users can sometimes exploit poor input validation to sneak executable code or other bug triggers into a page, potentially exposing the site to attack.

Web developers have had to rely on server-side processing to implement rigorous input validation, but this method provides a poor user experience, even though AJAX practices have improved the situation. HTML5 provides rich client-side input validation, empowering Web developers to define input boundaries alongside the forms themselves, with instant feedback provided to users.

But input validation can also give developers a false sense of security. Flawed validation definitions could allow users to bypass the checks. While this problem is not specific to HTML5, because input validation syntax is new to HTML5, developers may be more prone to make mistakes in their validation code.

Additionally, hackers may be able to exploit client-side validation—for example, flawed regular expression (regex) syntax in page code—to create a Denial of Service (DoS) attack by sending the browser into an infinite loop.

The Price of Progress

Let’s emphasize again that the security threats in HTML5 do not necessarily represent a flawed standard, but they do represent a new standard. Between vendor implementation and developer expertise, introducing new features always brings with it a cost, and that price is new threats.

The good news is that by talking about HTML5 vulnerabilities early and often, we can minimize the most harmful attacks, and force hackers to find more obscure exploits.
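
The two failure modes raised under Input Validation, a validation definition that can be bypassed and a regex that hangs the browser, can both be checked for in code. The following is an added example, not from the article; the rule format, function names and sample patterns are assumptions, and the nested-quantifier lint is a heuristic:

```javascript
// Added example, not from the article: a form-field validator that mirrors
// the HTML5 `pattern` attribute. Rules and sample values are constructed.

// Browsers match `pattern` against the whole value, as if it were written
// ^(?:pattern)$. A script check that forgets the anchors can be bypassed.
function compileHtml5Pattern(pattern) {
  return new RegExp('^(?:' + pattern + ')$', 'u');
}

function flawedScriptCheck(pattern, value) {
  return new RegExp(pattern).test(value); // unanchored: substring match
}

// True when an unbounded quantifier (*, + or {n,}) starts at index i.
function unboundedAt(p, i) {
  return p[i] === '*' || p[i] === '+' || /^\{\d+,\}/.test(p.slice(i));
}

// Heuristic lint: report a quantified group whose body already contains an
// unbounded quantifier, e.g. (a+)+ or ([a-z]*)*. Such shapes can backtrack
// exponentially on non-matching input. It may over-report safe patterns.
function hasNestedQuantifier(pattern) {
  const stack = []; // per open group: does its body hold a quantifier?
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; } // skip the escaped character
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') inClass = true;
    else if (c === '(') stack.push(false);
    else if (c === ')') {
      const bodyHadQuantifier = stack.pop();
      if (bodyHadQuantifier && unboundedAt(pattern, i + 1)) return true;
      if (bodyHadQuantifier && stack.length) stack[stack.length - 1] = true;
    } else if (unboundedAt(pattern, i) && stack.length) {
      stack[stack.length - 1] = true;
    }
  }
  return false;
}

// Reject risky patterns when the rule is defined, not when input arrives.
function defineRule(pattern, maxLength) {
  if (hasNestedQuantifier(pattern)) {
    throw new Error('pattern may backtrack catastrophically: ' + pattern);
  }
  return { regex: compileHtml5Pattern(pattern), maxLength };
}

// Server-side re-validation. The length cap runs before the regex so the
// amount of matching work stays bounded whatever the client sends.
function validateField(rule, value) {
  if (typeof value !== 'string') return { ok: false, reason: 'type' };
  if (value.length > rule.maxLength) return { ok: false, reason: 'length' };
  if (!rule.regex.test(value)) return { ok: false, reason: 'pattern' };
  return { ok: true, reason: null };
}

// Constructed rules for a ZIP code and a name field.
const ZIP_RULE = defineRule('[0-9]{5}', 5);
const NAME_RULE = defineRule('[a-zA-Z]+', 40);
```

The same `validateField` call belongs on the server as well, because the browser's checks are skipped by any client that submits the request directly.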


Top 10 Myths of Safe Web Browsing
By Robert McGarvey

A sense is growing that defenses have gotten stiffer and bad guys are too busy phishing for suckers on Twitter, so what’s the worry? Here it is in boldface, according to Steve Santorelli, a onetime Scotland Yard cybercrime specialist now working for security research firm Team Cymru. “It gets more dangerous for enterprise IT online every day. That’s the reality.”

So why so much IT complacency? Experts point to 10 big myths about safe browsing inside the enterprise:

Myth 1: The enemy is kids. Hah, snorted Santorelli, who explained the enemy comes in all ages and most of them are in it to make money. A proof was the late September round-up of around 100 hackers in the U.S., U.K. and the Ukraine. The ring bilked businesses of up to $100 million using the Zeus Trojan (a slick key logger). Thrill-seeking hackers are out there. The 17-year-old Aussie who hacked into Twitter and sent users to Japanese porno sites is an example, but the real danger, said Santorelli, is the mounting number of for-profit criminals who are intent on looting corporate treasuries.

Myth 2: Updated anti-virus software will keep enterprise computers safe. Rubbish, said Dave Lowenstein, CEO of IT security firm Federated Networks. “It neutralizes at best 25 to 50 percent of threats,” he said. Meaning it misses 50 percent or more.

Myth 3: Apple computers are safe. Some CIOs say requests to bring in Apple gear are rising. The purported safety angle often is cited, but it is nonsense, said John Linkous, chief security officer for security firm eiQnetworks. Lack of Macs in business is why they have been ignored. If Apple sells more computers into enterprise, hacker interest will necessarily rise because they follow the money.

Myth 4: Some websites are trustworthy. Security experts pinpoint this as perhaps the prime problem of the moment. Threats increasingly have shifted out of email and onto “trusted” websites. Facebook frequently is cited. Because users’ guards are down, their vulnerability rises, and if they are using the corporate network, hold on, troubles are brewing.

Myth 5: Gaming consoles are safe. Christopher Boyd, a senior threat researcher for GFI Software, pegged this as a surprise vulnerability at many companies that set up gaming devices in the employee lunchroom and then fail to recognize that it’s a backdoor into the system. Problems are acute with Xbox 360s, but he said other devices also pose risks.

Myth 6: Unmanaged smartphones represent minor risks. Don’t believe it, said Mark Guntrip, a product manager at Cisco, who indicated that smartphones ought to be ever more worrisome to CIOs. As the phones get smarter, with more memory and more processing power, users are
indeed browsing with them and that can be a route into the corporate network.

Myth 7: Outside hackers are your prime threat. Not so fast, said LogLogic executive VP Bill Roth, who pointed to data that claims 48 percent of all security incidents involve insiders.

Myth 8: Strong passwords are a cure. “Security types will go on about ‘strong’ passwords, but a strong password is just as phishable or keyloggable as a weak one, and if the one strong password applies to many of your accounts, you might find that more than just your Facebook account has been hijacked,” said Tom Newton, an executive with security company SmoothWall.

Myth 9: Tablets are inconsequential security risks. Apple alone has sold some 3.3 million iPads, and BlackBerry, Samsung and more are piling on this form factor. Some CIOs continue to think that tablets running mobile phone operating systems are no big deal regarding security. Think again, said Tyler Reguly, lead security engineer for nCircle, a network security and compliance auditing firm. “Tablets are really changing the game and content will just get harder for enterprises to manage. I’ve been caught by this myself recently. I hadn’t considered the risks of browsing a website using a custom app and was hit by ‘click-jacking’ on a popular social networking site. Unfortunately, tablet apps add another attack surface that is very difficult to lock down.”

Myth 10: “The biggest myth of safe web browsing is the myth of training,” said Anup Ghosh, founder of Invincea, a start-up security company. He claimed that threats have gotten so sophisticated and so camouflaged that they now often fool even sophisticated computer users. That means it just may be impossible to train employees to be safe, said Ghosh.

Are you listening now? This just may be a golden age for cyber criminals, say the experts. For CIOs this means it is time to really do a security inventory ASAP.


Top 10 Web Malware Threats
By Lisa Phifer

Websites that spread malware may be leveling off, but Web-borne malware encounters are still growing. According to a 2Q10 Global Threat Report published by Cisco, criminals are using search engine optimization and social engineering to become more efficient, luring more targeted victims to fewer URLs.

Using IronPort SenderBase, Cisco estimated that search engine queries lead to 74 percent of Web malware encounters in 1Q10. Fortunately, two-thirds of those encounters either did not deliver exploit code or were blocked. But that means 35 percent of Web-borne exploits are still reaching browsers, where they try to drop files, steal information, propagate themselves or await further

Browser phishing filters, anti-malware engines and up-to-date patches can play a huge role in defeating malware reaching the desktop. However, to find unguarded vectors and unpatched vulnerabilities, let’s look at how today’s most prevalent Web malware works.

No. 10: Last on Cisco’s list of 2Q10 encounters is Backdoor.TDSSConf.A. This Trojan belongs to the TDSS family of kernel-mode rootkits; TDSS files are dropped by another Trojan (see Alureon, below). Once installed, TDSS conceals associated files and keys and disables anti-virus programs by using rootkit tactics. Removing TDSS from a PC is difficult; using up-to-date anti-malware to block the file drop is a better bet.

No. 9: Ninth place goes to an oldie but goodie, Mal/Iframe-F. Many variants use this popular technique: inserting an invisible HTML <iframe> tag into an otherwise legitimate Web page to surreptitiously redirect visitors to other websites. Hidden iframes may elude detection by the human eye, but Web content scanners can spot them and Web URL filters can block redirects to blacklisted sites.

No. 8: In a dead heat with Iframe-F is JS.Redirector.BD, a JavaScript Trojan that also redirects users to websites they had not intended to visit. Like some other members of the large JS.Redirector family, this Trojan tries to evade blacklist filters by using obfuscation techniques like dynamically generated target URLs.

No. 7: Nosing past Redirector.BD is Backdoor.Win32.Alureon. Alureon refers to a family of dynamic, multi-faceted Trojans intended to generate revenue from a victim’s Web activities. Malware components within each instance vary, but Alureon has been seen to alter DNS settings, hijack search requests, display malicious ads, intercept confidential data, download arbitrary files and corrupt disk drivers. In fact, threat reports indicate that Alureon has been used to drop TDSS onto infected PCs.

No. 6: Tied for middle-of-the-pack is Worm.Win32.VBNA.b. VBNA implants itself in a user’s Documents and Settings folder, adding a Run key to the registry.
Thereafter, VBNA auto-launches and propagates itself to neighboring PCs via writable fileshares. VBNA also displays a fake virus infection warning to trick users into purchasing fake anti-malware (which is often just more malware). Scare tactics like this appear to be on the rise, preying upon uninformed users.

No. 5: Next up is JS.Redirector.AT, another member of this Trojan family famous for redirecting users to other websites. Destination sites reportedly have displayed porn, phished for confidential data, and implanted malware on the victim’s PC. One way to inhibit these Trojans is to disable JavaScript execution – if not in the browser, then in Acrobat Reader to block JavaScript hidden in PDFs. Exploits targeting Adobe PDF, Flash, and Sun Java vulnerabilities were particularly hot in 1H10.

No. 4: Taking fourth place is Mal/GIFIframe-A, a sibling to the aforementioned Iframe-F. GIFIframe-A also uses <iframe> tags, but this family of malware exploits iframes that have been injected into files encoded using popular graphic formats like GIF and JPG. When a user visits an infected website and attempts to load the graphic, the injected iframe is processed, executing attacker-supplied code.

No. 3: At third, representing three percent of 2Q10 encounters, is a keylogger called PSW.Win32.Infostealer.bnkb. Dozens of Infostealer variant Trojans exist, targeting a wide variety of institutions and their customers. All work by capturing keystrokes, scanning for specific Web transactions, and stealing usernames, passwords, account numbers – typically those associated with online banking.

No. 2: A new JS.Redirector variant took second place in 2Q10: JS.Redirector.cq. Like other family members, this Trojan uses malicious JavaScript to redirect users. In this case, users find themselves at websites that pretend to scan for viruses then download fake anti-virus code, no matter where the user clicks on the displayed window. But how do legitimate websites get infected with JS.Redirector in the first place? One reportedly common vector: SQL injection.

No. 1: First place goes to the now infamous Trojan downloader Exploit.JS.Gumblar. According to Cisco, Gumblar represented 5 percent of all Web malware in 2Q10, down from 11 percent in 1Q10. Gumblar is a downloader that drops an encrypted file onto the victim’s system. Gumblar runs that executable without user consent, injecting JavaScript into HTML pages to be returned by a Web server or displayed by a user’s Web browser. The injected JavaScript usually contains an obfuscated exploit; early scripts downloaded more malware from – thus giving this Trojan its name.

Cisco’s 2Q10 list was generated by IronPort, which uses Sophos, Webroot and McAfee malware detection engines. Other vendors use different naming conventions and publish slightly different lists that represent other monitored data sources.

The purpose of such lists is therefore not to tell you which malware to scan for. That job falls to continuously updated anti-malware defenses, installed on desktops, servers and gateways. Instead, use this list and others like it to identify and proactively fight trends that are likely to persist or grow and target your Web servers and users
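
A Web content scanner of the kind mentioned under No. 9 can begin with a check as small as the following added example, which is not from the article or from any vendor's tooling. Host names, thresholds and the sample page are constructed, and a static scan like this will not see iframes that a script such as JS.Redirector writes into the page at run time:

```javascript
// Added example, not from the article: flag <iframe> tags that are sized or
// styled to be invisible. Hosts and the sample page are constructed.

// Parse name="value" pairs out of one tag's source text.
function parseAttributes(tagSource) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagSource)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// Return the reasons a frame would not be visible to a visitor.
function hiddenReasons(attrs) {
  const reasons = [];
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  if (w <= 1 || h <= 1) reasons.push('tiny-dimensions');
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  if (/display:none|visibility:hidden/.test(style)) reasons.push('hidden-style');
  if (/(?:left|top):-\d{3,}/.test(style)) reasons.push('off-screen');
  return reasons;
}

// True when src resolves to a different host than the page itself.
function isExternal(src, pageHost) {
  try {
    return new URL(src, 'https://' + pageHost + '/').host !== pageHost;
  } catch (e) {
    return true; // unparseable src: treat as suspicious
  }
}

// Scan page source and report every iframe that is hidden from view.
// Limitation: a ">" inside a quoted attribute value ends the tag early.
function scanForHiddenIframes(html, pageHost) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length === 0) continue;
    const src = attrs.src || '';
    findings.push({ src, reasons, external: isExternal(src, pageHost) });
  }
  return findings;
}

// Constructed sample page: one ordinary embed and three hidden frames.
const SAMPLE_HTML = `
<h1>Store</h1>
<iframe src="https://video.example.net/embed/42" width="560" height="315"></iframe>
<iframe src="http://cdn-stats.example.org/in.php" width="0" height="0" frameborder="0"></iframe>
<IFRAME SRC='//tracker.example.org/x' STYLE="visibility: hidden; position:absolute; left:-9999px"></IFRAME>
<iframe src="/upload-target.html" style="display:none" name="upload"></iframe>
`;

function demo() {
  return scanForHiddenIframes(SAMPLE_HTML, 'shop.example.com');
}
```

Hidden frames that load from the page's own host, like the last one in the sample, are usually legitimate plumbing; the hidden frames pointing at another host are the ones to review first.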
