CSCD 303 Essential Computer Security Spring 2013
Lecture 16: Internet Security
Always Wear Protection
Reading: See links in Notes
Overview
• Browser Protection
– Bad-site identification: phishing and malware sites
– Built-in protection
• Browser Add-ons
• Third-Party Programs
• Virtual Environment
On-Line Phishing Resources
• The Anti-Phishing Working Group (APWG)
– An industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing
http://www.antiphishing.org
– An updated chart of examples of phishing attacks submitted to antiphishing.org is available here
http://www.antiphishing.org/phishing_archive.htm
• Phishing Game to Test Your IQ: Anti-Phishing Phil
http://cups.cs.cmu.edu/antiphishing_phil/
On-Line Phishing Resources
• Other anti-phishing sites
– PhishTank – Database of reported phishing sites
http://www.phishtank.com/
Browser Protection Against Phishing and Other Malware
Safety Features in Browsers
• Internet Explorer 8 and up, Firefox 3 and up, Google Chrome 4 and up, Apple's Safari 4, and Opera 10
– All include features that block sites known to host malware and malicious downloads
IE8 and Up: SmartScreen
• SmartScreen technology in Internet Explorer 8 blocks known-malicious downloads as well as bad URLs
• How are they doing this? SmartScreen Filter
– Checks websites against a dynamically updated list of reported phishing and malware sites
– Checks software downloads against a dynamically updated list of reported malicious software sites
– Helps prevent you from visiting phishing websites and other websites that contain malware
IE 8 and Up: SmartScreen
• With SmartScreen Filter, if you attempt to visit a website that has been reported, a full-page warning appears and advises you not to continue to the unsafe website
http://www.microsoft.com/security/filters/smartscreen.aspx
http://windows.microsoft.com/en-us/internet-explorer/use-smartscreen-filter#ie=ie-10
IE 8 and Beyond
• Other new security features in IE 8
– Defences against clickjacking (the X-Frame-Options response header, which a site must send to opt in) and automatic blocking of reflected cross-site scripting attacks
– Automatic crash recovery, and highlighting of the actual domain name in the address bar
– Look more closely at XSS attack blocking ...
IE 8
• The XSS Filter, a feature new to Internet Explorer 8, detects script (JScript) in URL and HTTP POST requests
– If script is detected, the XSS Filter searches for evidence of reflection
• Reflection: the script from the request would come back in the server's response if the attacking request were submitted unchanged
– If reflection is detected, the XSS Filter neuters the reflected script in the response so that it cannot be executed
IE 8
• The page is modified and the XSS attack is blocked
• Users are NOT presented with a question about what they would like to do in this case (a question most users would be unable to answer)
• Internet Explorer simply blocks the malicious script from executing
http://msdn.microsoft.com/en-us/library/dd565647%28VS.85%29.aspx
IE 8 Demo Site shows how this works
http://www.ie8demos.com/tryit/
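To make the "detect, then check for reflection, then neuter" sequence concrete, here is an added example written for these notes (it is not Microsoft's XSS Filter code; the patterns and the '#' insertion are illustrative stand-ins for IE's much larger heuristics). It takes the request URL and form body, finds values that look like script, keeps only those the response echoes verbatim, and breaks just those fragments. The URLs and pages are constructed; it runs offline under Node.js.

```javascript
// Added example: a toy reflection-based XSS filter in the spirit of IE8's
// XSS Filter. Not IE code; the patterns and the '#' neutering are illustrative.
const SCRIPT_PATTERNS = [
  /<\/?script\b/i,                 // <script ...> or </script>
  /\bjavascript:/i,                // javascript: URLs
  /<\/?(iframe|object|embed)\b/i,  // plugin / frame injection
  /[\s"']on[a-z]+\s*=/i,           // inline event handlers: " onerror="
];

// Collect candidate values from the request: query string plus a form body
// (application/x-www-form-urlencoded), the two places IE8 inspected.
function requestValues(url, body = '') {
  const vals = [...new URL(url).searchParams.values()];
  if (body) vals.push(...new URLSearchParams(body).values());
  return vals;
}

// Step 1: does the (decoded) value look like script?
function looksLikeScript(value) {
  return SCRIPT_PATTERNS.some(p => p.test(value));
}

// Step 2: reflection test. A script-looking request value must appear
// verbatim in the response; if the server did not echo it, there is nothing
// to block, which is what keeps false positives down.
function findReflections(url, body, responseHtml) {
  return requestValues(url, body).filter(
    v => looksLikeScript(v) && responseHtml.includes(v));
}

// Step 3: neuter a reflected fragment by breaking the tag / attribute so the
// HTML parser no longer sees script; the rest of the page is untouched.
function neuterFragment(fragment) {
  return fragment
    .replace(/<(\/?)(script|iframe|object|embed)\b/gi, '<$1#$2')
    .replace(/javascript:/gi, 'javascr#ipt:')
    .replace(/([\s"'])on([a-z]+)(\s*=)/gi, '$1on#$2$3');
}

// Filter entry point: returns whether anything was blocked and the page to
// render. As in IE8, the decision is silent; the user is not asked.
function xssFilter(url, body, responseHtml) {
  const reflections = findReflections(url, body, responseHtml);
  let html = responseHtml;
  for (const r of reflections) html = html.split(r).join(neuterFragment(r));
  return { blocked: reflections.length > 0, html };
}

// Constructed demo input (not from a real site).
const attackUrl = 'http://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
const echoedPage = '<p>Results for <script>alert(1)</script></p>';
```

Two caveats a practitioner should keep in mind. IE8 applied this only to cross-site navigations, and because the filter rewrites the response based on attacker-controlled input, researchers later showed the rewriting itself could be abused to disable a site's own scripts; that is why the `X-XSS-Protection: 1; mode=block` header (stop rendering instead of neutering) and `X-XSS-Protection: 0` (opt out) exist. Pattern lists like the one above also produce false positives on benign values that happen to contain "on...=", so real filters are far more selective than this sketch.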
Safari and Opera
• Apple's Safari browser added phishing and malware blocking in version 3.2, released in late 2008
http://www.apple.com/safari/features.html#security
• Opera's Fraud Protection predates the phishing and malware filters in IE and Firefox and is enhanced in the latest version, Opera 10
• Fraud and Malware Protection warns you about suspicious webpages by checking the page you request against a database of known "phishing" and "malware" websites
http://www.opera.com/security/
Private Browsing
• IE 8 also lets you control the information about your browsing habits that is shared with Web tracking services (InPrivate Filtering), alongside its InPrivate Browsing mode
• Firefox also has a private browsing feature
– Tools > Start Private Browsing, or
– You can set Firefox to always start in private-browsing mode: click Tools > Options > Privacy and check "Automatically start Firefox in a private browsing session"
• Firefox will then not save any data about which sites and pages you have visited
• You can open an incognito window in Google Chrome
• Opera as of 10.6 also has this private capability
Overview of all these browsers below
http://browsers.about.com/od/faq/tp/Private-Browsing.htm
Private Browsing
• Does private browsing keep you anonymous on the Internet?
– NO!! Private browsing only prevents history, cookies and cache from being recorded on your computer. It does not make you anonymous on the Internet: the sites you visit, your ISP and your network administrator still see your IP address and your requests
Browser Anti-phishing Features
• Firefox's built-in anti-phishing tool
– Claims to update its bad-site database 48 times a day, according to Mozilla's Firefox security page
• Firefox uses Google's Safe Browsing service to automatically block sites that are known to host malware
• We can check out how they do this ...
http://code.google.com/apis/safebrowsing/
firefox3_privacy_faq.html
Chrome and Firefox Safe Browsing
• If you use the Chrome browser and you have safe browsing mode enabled
– Google Chrome contacts servers at Google approximately every half hour to download updated lists of suspected phishing and malware websites
– The lists are stored on your PC !!!! (they hold truncated hashes of URL patterns, not the URLs themselves)
– When you surf, each site you browse is checked against these black lists locally
– This is designed for performance
– If the requested site is in a black list, a warning message appears stating that the requested site is a suspected phishing or malicious site, and the user can choose to go back to safety
Chrome and Firefox Safe Browsing
• See any problems with this?
– Raises questions about privacy
– Bloggers have noticed that every few hours, when an update of the black lists is pushed out, two parameters are sent to Google's servers: "machineid" and "userid"
– These are computed from machine/user information
– They are sent along with other browser information to ask Google whether an update should be downloaded
– That information could be used for tracking. Google states it will not use any of the personal information being collected!
IE 7 and IE 8
• When you visit a Web site, IE7 first checks a local 'safe list'
– If the URL is there, or it appears in the local cache, things go no further
• If the Phishing Filter is enabled, IE transmits details of the URL being visited to Microsoft for checking
– From that time on, IE7 maintains, for a period of time, a dynamic cache of sites that have already been checked by the Phishing Filter
• In IE 8 the filter is called SmartScreen
Google Chrome Sandbox
• The sandbox leverages OS-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential
• The sandbox architecture is dependent on the operating system
http://www.chromium.org/developers/design-documents/sandbox
Google Chrome Sandbox
• Chrome Sandbox on Windows
• The sandbox uses the security features of Windows extensively ... it does not reinvent any security model
• All processes have an access token
• An access token is like an ID card: it contains information about the owner of the process, the list of groups that it belongs to, and a list of privileges
• Each process has its own token, and the system uses it to deny or grant access to resources
Google Chrome Sandbox
Furthermore ...
• Before launching the renderer process, Chrome modifies its token to remove all privileges and disable all groups
• It then converts the token to a restricted token
• A restricted token is like a normal token, but access checks are performed twice: once against the token's normal groups and once against its restricting list, and both must succeed
• Google Chrome sets the restricting list of groups to contain only one item, the NULL user
• Since this user is never given permissions to any objects, all access checks performed with the access token of the renderer process fail, making this process useless to an attacker (what it can still reach is the browser process over IPC, which is why that interface is the next target of anyone who compromises a renderer)
Google Chrome and HTML5
http://blog.chromium.org/2010/05/security-in-depth-html5s-sandbox.html
• Chrome is the first browser to include support for a new HTML5 feature that lets web developers reduce the privileges of parts of their web pages by including a "sandbox" attribute on iframes:
<iframe sandbox src="http://attacker.com/untrusted.html"></iframe>
• When displaying untrusted.html in a sandboxed iframe, the browser renders untrusted.html with reduced privileges (e.g., disabling JavaScript, forms and popups, and placing it in a unique origin so it cannot read the embedding page's cookies or DOM); individual privileges can be handed back with tokens such as sandbox="allow-scripts". This is similar in spirit to how Google Chrome sandboxes its rendering engine
However, the Google Chrome Sandbox Was Easily Defeated at Pwn2Own 2012
"We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year," said VUPEN's Chaouki Bekrar
During the hack, Bekrar created a web page booby-trapped with his exploit
Once the target machine visited the page, the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox
"There was no user interaction, no extra clicks. Visit site, popped box."
VUPEN will sell the rights to one of the zero-day vulnerabilities, but the company says it won't give up the sandbox escape. "We are keeping that private, keeping it for our customers."
http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588
Change Browser Environment
• Sandboxie runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer
– Like a lightweight virtual machine, although it is not one: it intercepts the program's file and registry writes and redirects them into a sandbox folder that can be emptied afterwards
• For Windows 32-bit OS up through Windows 7
http://www.sandboxie.com/
Other Browser Add-on Programs
• Netcraft toolbar
– Add-in to IE and Firefox on Windows, Linux and Mac
– Uses community identification of bad sites to block access to phishing sites
http://toolbar.netcraft.com/
– Rated at about 75% for finding phishing sites
http://www.securiteam.com/securityreviews/6H00W00HFK.html
Other Browser Add-ons
• NoScript
http://noscript.net/
– The NoScript Firefox extension provides extra protection for Firefox, Flock, SeaMonkey and other Mozilla-based browsers
• This free, open-source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice
– NoScript's whitelist-based, pre-emptive script blocking prevents exploitation of security vulnerabilities, including ones not yet patched, because untrusted sites never get to run script or plugin content at all
Spyware Prevention
• Spyware
– Don't allow it to get on your computer in the first place
– Much like other anti-malware programs, spyware prevention programs are necessary
– Anti-spyware programs are specialised for spyware
Spyware Solution
• Spybot - Search & Destroy
– Excellent utility
– Works like a virus checker
– Searches your computer for known spyware and hijackers and removes them from your system
– Scans the registry, files, cookies, and other storage places against a large database of known offenders
• http://www.safer-networking.org/index.php?page=spybotsd
Adware Solution
• Ad-Aware
– Another excellent piece of software for removal of spyware and hijackers
– Same features as Spybot; it was one of the first programs created for removal of these types of programs, and it is recommended to use this software as well as Spybot
http://www.lavasoftusa.com/support/download/
Prevent Getting Infected
• Browser Protectors (Windows)
• SpywareBlaster from Javacool Software allows you to protect your browser from the risk of future infection by immunizing your system
• The program contains a huge list of known malicious cookies, ActiveX controls, and web sites, which it enters into your registry and browser settings (for ActiveX controls it sets the "kill bit" so Internet Explorer refuses to load them; web sites go into the Restricted Sites zone)
• You then cannot run these controls in the future, download programs from certain sites, or accept cookies from known ad servers without notification
http://www.bleepingcomputer.com/tutorials/tutorial49.html
Change Browser Environment
• Download the free VMware Player
http://www.vmware.com/products/player
– Creates a virtual environment
– Download a free file, the Browser Appliance
– Runs a version of Ubuntu Linux running Firefox
– Why do this?
• You isolate any Internet dangers that could infect your computer: everything stays inside the virtual machine's own disk and memory, and you can revert to a clean snapshot after a risky session
• No spyware, no malware on your real system (as long as you do not copy files out of the VM)
BLADE Tool
• Researchers from Georgia Tech and SRI International will soon release a free tool that has proven 100% effective in stopping covert binary drive-by malware attacks
• They tested the software, BLADE ("Block All Drive-by download Exploits"), against real-world malicious URLs and zero-day drive-by exploits
• BLADE can provide cross-browser protection against many real threats
– The software is like a security weapon to immunize vulnerable Windows hosts against sneaky drive-by malware downloads
http://www.blade-defender.org/eval-lab/
BLADE Tool
• In nearly 19,000 trials, BLADE prevented all drive-by downloads, including those using zero-day exploits, from installing malware
• It had zero false positives and zero false negatives in those trials
Blade Internals
• How does it work?
• BLADE is a kernel-based monitor designed to block any malware that is delivered through a browser
– The tool is based on a simple principle
– All browser downloads fall into two categories
– Supported files: files that make up Web pages, for instance HTML and images
– Unsupported files: EXE, ZIP and so forth
– Typically, browsers fetch supported files silently, and they are supposed to alert the user if an unsupported file type is being downloaded
– Nefarious Web sites subvert the unsupported-file notification function ...
Blade Internals
• What BLADE does is introduce capabilities at the operating-system level that prevent execution of all downloaded unsupported content that the user has not directly consented to through user-to-browser interaction
• Drawbacks?
Blade Internals
• Drawbacks?
– It could interfere with legitimate downloads of unsupported files
• Programs updating themselves or patching themselves for security reasons
– The tool also focuses only on downloads that are written to a hard disk
– Some malware is never written to disk and lives only in memory
– Those programs would be able to evade BLADE
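The supported/unsupported split and the consent rule from the Blade Internals slides above can be written down as a small policy, and doing so exposes the detail that makes it work. The following example is added for these notes (it is not BLADE's code, which is a Windows kernel component; this is a user-space sketch of the same decision). The twist it adds: a drive-by site can label an executable as text/html, so the gate classifies by the leading bytes as well as the declared Content-Type, and it trusts only a consent record created by the browser's own dialog, never anything the page says. The samples are constructed; it runs offline under Node.js.

```javascript
// Added example: a BLADE-style download gate, written for illustration (not
// BLADE's code). It classifies what the browser received and lets
// "unsupported" content run only when a user-to-browser consent event is on
// record for that specific download.
const SUPPORTED_TYPES = new Set([
  'text/html', 'text/css', 'text/javascript', 'application/javascript',
  'image/png', 'image/jpeg', 'image/gif', 'application/json',
]);

// Magic-number sniffing: a drive-by can lie in Content-Type, so classify by
// the bytes too. MZ = Windows PE executable, PK = ZIP/JAR/OOXML container.
function sniff(bytes) {
  if (bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a) return 'application/x-msdownload';
  if (bytes.length >= 2 && bytes[0] === 0x50 && bytes[1] === 0x4b) return 'application/zip';
  return null;
}

// Supported = silently renderable page content. Anything else, by declared
// type OR by sniffed bytes, is "unsupported" and needs consent.
function classify(download) {
  const sniffed = sniff(download.bytes);
  if (sniffed) return { kind: 'unsupported', type: sniffed, reason: 'magic' };
  if (SUPPORTED_TYPES.has(download.contentType)) {
    return { kind: 'supported', type: download.contentType, reason: 'content-type' };
  }
  return { kind: 'unsupported', type: download.contentType, reason: 'content-type' };
}

// Consent ledger: the UI layer records a user click on a save/run dialog for
// a specific download id. The gate trusts only this ledger, never the page.
class ConsentLedger {
  constructor() { this.consented = new Set(); }
  record(downloadId) { this.consented.add(downloadId); }
  has(downloadId) { return this.consented.has(downloadId); }
}

// The decision a kernel monitor would enforce: supported content passes;
// unsupported content is executable only with recorded consent, otherwise it
// is quarantined (kept on disk, never runnable).
function gate(download, ledger) {
  const c = classify(download);
  if (c.kind === 'supported') return { action: 'allow', ...c };
  if (ledger.has(download.id)) return { action: 'allow', ...c };
  return { action: 'quarantine', ...c };
}

// Constructed samples (not captured traffic): a normal page, a PE binary
// mislabelled as HTML by a drive-by site, and an honestly labelled installer.
const samples = {
  page: { id: 1, contentType: 'text/html', bytes: Buffer.from('<html>') },
  driveBy: { id: 2, contentType: 'text/html', bytes: Buffer.from('MZ\x90\x00') },
  installer: { id: 3, contentType: 'application/x-msdownload', bytes: Buffer.from('MZ\x90\x00') },
};
```

Note that the gate shares BLADE's blind spot from the drawbacks slide: it only ever sees content that was written out as a download, so an exploit that runs its payload straight from the browser's memory never reaches it.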
Commercial Security Products
ZoneAlarm Extreme Security 2010
• For Web browsing, ZoneAlarm Extreme Security 2010 provides multiple layers of download protection
• User-downloaded files are first subject to traditional signature scanning
• If nothing is found, an additional layer of protection is available which sequesters the download in a virtual sandbox until the user releases it
• Properly used, this additional layer of protection can protect against both hostile drive-by downloads and malware downloads that occur as a result of a lapse in judgement (perhaps as the result of a social engineering scam)
http://www.zonealarm.com/security/en-us/zonealarm-extreme-security-hde.htm
Avira Antivirus Premium
• Avira AntiVirus Premium not only combats viruses, worms, Trojans, rootkits, phishing, adware and spyware, but also protects you while surfing, thanks to the Web Guard, Anti-Drive-by and Mail Guard
– AntiRootkit: against hidden rootkit threats
– AntiDrive-by: prevents downloading viruses when surfing
– MailGuard: enhanced email protection
– WebGuard: protection against malicious websites
– RescueSystem: create a bootable rescue CD
http://www.avira.com/en/for-home
Summary
• Browsers
– Chrome seems to be going in the right direction
• "Building security in": sandbox, HTML5 features, support for black-listed sites
• Add-ons
– Do work. Can be annoying. But the alerts do help
– However, not all users are savvy enough to install them and use them
• Virtual Environment
– Known to work. Must use it when browsing
– Might be intimidating to novice users
References
Phishing Web Sites
http://www.antiphishing.org
http://www.spamfo.co.uk
http://www.millersmiles.co.uk
http://www.tecf.org
http://www.antifraudalliance.com
http://www.phishreport.net
End
Keep working on projects
There is a lab this week !!!