Thursday, December 18, 2008

The Promiscuous Browser in a Dangerous World

Microsoft released an urgent patch for a critical Internet Explorer vulnerability yesterday, highlighting the risks our web browsers represent to our online safety. Web browsers in general, and Internet Explorer specifically, are the most promiscuous programs we run on our computers. "Promiscuous" refers to the quantity and diversity of web sites we visit, content we view, programs we download, and sensitive information we exchange when browsing the web. Browser promiscuity also refers to what happens after we type a URL into the address bar. The browser first downloads an HTML page that includes tags and pointers to other content: images, stylesheets, scripts and videos. This content can come from many different web servers operated by many different organizations and can carry harmful data that infect our computers, steal our data or just sit there, undetected, until an online criminal issues remote commands to bring it to life.
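To make the "promiscuity" concrete, here is a small inventory script added for this post (it is not Authentium's code). It walks the tags a browser follows automatically while rendering a page, resolves them against the page URL, and groups the fetched resources by the third-party origin that serves them. The sample page and the `.test` host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs a browser fetches automatically while rendering,
# without any click from the user.
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "embed": "src",
    "object": "data",
    "link": "href",  # stylesheets and icons; other rel types are skipped below
}


class ResourceCollector(HTMLParser):
    """Collects the absolute URL of every sub-resource a page would load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not any(r in rel for r in ("stylesheet", "icon", "shortcut")):
                return
        value = attrs.get(attr_name)
        if value:
            # urljoin resolves relative and scheme-relative references
            self.resources.append(urljoin(self.page_url, value))


def third_party_origins(page_url, html):
    """Return {origin: [urls]} for sub-resources served by a host other than the page's own."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    by_origin = {}
    for url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.hostname == page_host:
            continue
        origin = f"{parts.scheme}://{parts.hostname}"
        by_origin.setdefault(origin, []).append(url)
    return by_origin


# Constructed sample page: one news story pulling in a CDN, an ad network,
# a tracking pixel and a video host (all host names are placeholders).
SAMPLE_PAGE_URL = "http://www.example-news.test/story/1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="http://static.example-cdn.test/news.css">
<script src="http://ads.example-adnet.test/show.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://tracker.example-stats.test/pixel.gif?u=123">
<iframe src="http://video.example-host.test/player?id=42"></iframe>
<embed src="http://ads.example-adnet.test/banner.swf">
<a href="http://partner.example.test/">partner</a>
</body></html>
"""

if __name__ == "__main__":
    for origin, urls in third_party_origins(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"{origin}: {len(urls)} resource(s)")
        for url in urls:
            print("   ", url)
```

Plain links (`<a href>`) are deliberately ignored: they only load when clicked, whereas every resource the script lists is fetched, and its code or plug-in content executed, simply by opening the page. The four origins reported for this one constructed page are the surface a drive-by exploit has to work with.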

Richard Adhikari posted an excellent article on that describes the Internet Explorer patch, why it was necessary and what it means for online safety going forward. The multitude of exploitable features in Internet Explorer makes it an excellent target for online criminals seeking to gain control of our computers and our bank accounts.

Simply put, it is not reasonable to use one browser for everything we do on the Internet. It is important for us to segment our web activities into two basic buckets:

Casual Web Use
Casual use includes reading the news, listening to music, researching recipes, and clicking links to the latest must-see Flash video our friends send us in email.

Sensitive Web Use
Sensitive use includes online banking, shopping, applying for a job, or any other transaction that requires information we would not want everyone to know.

Casual use is where we are most likely to get our computer or browser infected. It's easy to visit hundreds of websites a month, clicking from link to link, moving from reasonably safe websites to a dangerous Internet neighborhood where crimeware infections are likely to occur. Sensitive use is where we are most likely to get our money or identity stolen if we are using an infected computer or browser. Moving from one activity to the other with the same browser is just not smart. I like the excerpt from court-ordered wiretaps of Illinois Gov. Rod R. Blagojevich, quoted here from a Department of Justice press release:

"assume everybody’s listening, the whole world is listening."

That is smart advice for Internet users. If you have casually browsed the web for a few weeks or months on your computer, there is a high likelihood you have been infected through a web browser vulnerability. Infections can include "banker trojans," password- and money-stealing programs that listen in to your online banking sessions. So, when you move from casual use to sensitive use, assume the whole world is listening.

Safe Web Use
A new category of web usage that we are pioneering at Authentium is "Safe Web Use." Safe Web Use means we assume "everybody's listening" and still protect your sensitive online transactions. Our SafeCentral service helps to automatically switch between Casual and Sensitive web use and kicks in extra protection to block crimeware that got past your antivirus software during a casual web browsing session. SafeCentral stops keyloggers, screen-stealers, harmful browser plug-ins and many other crimeware components. We also provide a Secure DNS service that protects against another class of threat: DNS redirection.

So, be sure you get yesterday's Internet Explorer patch. But please understand that yesterday's patch will not protect against tomorrow's exploit. In October Microsoft released an unscheduled, critical update for Windows. Chances are the online criminals are already working on exploits we will only hear about in January or February.

Also be sure to check out SafeCentral and be safe even if everybody's listening.

Tuesday, December 9, 2008

DNS Changer Learns a New Trick

SANS, Symantec, McAfee and others have reported on a new trick that malware is using to redirect unsuspecting users from authentic web destinations--the name we type into the browser address bar or pick from our favorites--to a web server operated by the Bad Guys. These guys can set up web sites that look just like the real Citibank or Wachovia but are designed to steal our user ID and password or transfer money out of our account.

The trickiest part of the new trick is that we can follow all of the best security advice and still be susceptible. If one user on a Wifi network is infected with this new DNS Changer, all users who connect to that network can have their DNS settings changed by the one infected computer. So that guy who is halfway through his latte when you sit down in the coffee shop and open your laptop could be a threat to you, even if you are super careful about the websites you visit and the security software you have installed.

DNS is the Internet-wide system that translates names like "" into the numerical address our computers need to actually connect to MyBank. If the Bad Guys control your DNS, they control where your web browser really goes when you think it is going to PayPal.

Every time we open our laptop and connect to a new network, a router on that network will send down settings that let us connect (and pay!) and get out on the Internet. The new DNS Changer trick is this: a computer infected with this DNS Changer variant will listen for new computers requesting a connection on the same network (the same coffee shop) and try to answer with Bad Guy settings before the "official" router can send them the "official" settings.

As fundamental as DNS is to the operation of the world-wide web, it's amazingly susceptible to compromise. This new DNS Changer behavior capitalizes on the vulnerability of DNS settings and: (1) leaves no traces, (2) doesn't require your computer to be infected with anything that your antivirus software will complain about.
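Because the infected machine leaves nothing on the victim's disk, the place to catch this behaviour is on the wire: the rogue answer is a second DHCP offer for the same request, from a server nobody on the network trusts, handing out resolvers nobody expects. The following detector is an added example for this post, not part of SafeCentral or any Authentium product. It parses raw DHCP datagrams (as a listener or packet capture would deliver them), groups the offers by transaction id, and flags any offer whose server identifier is not on an assumed trusted list or whose DNS option does not match the resolvers the network is supposed to hand out. The three packets it runs over are constructed fixtures, and the trusted-server and expected-DNS lists are assumptions for the example.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of DHCP options
OPT_DNS_SERVERS, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
DHCPOFFER = 2


def sample_offer(xid, yiaddr, server_id, dns_servers):
    """Constructed DHCPOFFER fixture for the example (test data, not captured traffic)."""
    packed = lambda addr: IPv4Address(addr).packed
    # 236-byte BOOTP header: op=BOOTREPLY, htype=Ethernet, hlen=6, then addresses
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, packed(yiaddr), packed(server_id), b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    dns = b"".join(packed(d) for d in dns_servers)
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + packed(server_id)
               + bytes([OPT_DNS_SERVERS, len(dns)]) + dns
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Extract transaction id, message type, server identifier and DNS list from a DHCP datagram."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP datagram")
    xid = struct.unpack("!I", packet[4:8])[0]
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:            # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    dns_raw = options.get(OPT_DNS_SERVERS, b"")
    return {
        "xid": xid,
        "type": options.get(OPT_MESSAGE_TYPE, b"\0")[0],
        "server_id": str(IPv4Address(options[OPT_SERVER_ID])) if OPT_SERVER_ID in options else None,
        "dns": [str(IPv4Address(dns_raw[k:k + 4])) for k in range(0, len(dns_raw) - 3, 4)],
    }


def find_rogue_offers(packets, trusted_servers, expected_dns):
    """Group DHCPOFFERs by transaction and flag the ones a trusted router did not send."""
    offers_by_xid = {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["type"] == DHCPOFFER:
            offers_by_xid.setdefault(msg["xid"], []).append(msg)
    alerts = []
    for xid, offers in offers_by_xid.items():
        for msg in offers:
            reasons = []
            if msg["server_id"] not in trusted_servers:
                reasons.append("server identifier not in trusted list")
            if not set(msg["dns"]) <= set(expected_dns):
                reasons.append("DNS servers differ from the expected resolvers")
            if reasons:
                alerts.append({"xid": xid, "server_id": msg["server_id"], "dns": msg["dns"],
                               "competing_offers": len(offers), "reasons": reasons})
    return alerts


# Assumed network policy for the example: one trusted router that is also the resolver.
TRUSTED_DHCP = {"192.168.1.1"}
EXPECTED_DNS = {"192.168.1.1"}

# Constructed capture: the real router and an infected laptop both answer request
# 0x1234ABCD; a later request 0x00C0FFEE only gets the router's answer.
SAMPLE_PACKETS = [
    sample_offer(0x1234ABCD, "192.168.1.50", "192.168.1.1", ["192.168.1.1"]),
    sample_offer(0x1234ABCD, "192.168.1.50", "192.168.1.37", ["198.51.100.53"]),
    sample_offer(0x00C0FFEE, "192.168.1.51", "192.168.1.1", ["192.168.1.1"]),
]

if __name__ == "__main__":
    for alert in find_rogue_offers(SAMPLE_PACKETS, TRUSTED_DHCP, EXPECTED_DNS):
        print(alert)
```

The check keys on the server identifier and the DNS option rather than on "more than one offer", because networks with two legitimate DHCP servers produce competing offers all the time; the count is reported only as context. On a real network the packet list would come from a sniffer on the DHCP ports, and the trusted list from whoever runs the hotspot.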

Now What?
This is why we invented SafeCentral. SafeCentral includes a unique Secure DNS feature that protects against DNS Changer and other threats. SafeCentral uses its own DNS: Authentium's Secure DNS servers, reached through an encrypted (HTTPS) connection.

So even if we connect to a Wifi hotspot that is hosting an infected computer, we can happily browse the web, bank and shop safely.