CSCD 303 Essential Computer Security Spring 2013


Page 1: CSCD 303 Essential Computer Security Spring 2013

CSCD 303 Essential Computer Security Spring 2013

Lecture 16: Internet Security

Always Wear Protection
Reading: See links in Notes

Page 2: CSCD 303 Essential Computer Security Spring 2013

Overview

• Browser Protection
  – Bad-site identification
    • Phishing and Malware Sites
  – Built-in Protection
    • Browser Add-ons
    • Third Party Programs
    • Virtual Environment

Page 3: CSCD 303 Essential Computer Security Spring 2013

On-Line Phishing Resources

• The Anti-Phishing Working Group (APWG)
  – An industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing
    http://www.antiphishing.org
  – An updated chart of examples of phishing attacks submitted to antiphishing.org is available here:
    http://www.antiphishing.org/phishing_archive.htm
• Phishing Game to Test Your IQ: Anti-Phishing Phil
  http://cups.cs.cmu.edu/antiphishing_phil/

Page 4: CSCD 303 Essential Computer Security Spring 2013

On-Line Phishing Resources

• Other anti-phishing sites
  – PhishTank: database of sites
    http://www.phishtank.com/

Page 5: CSCD 303 Essential Computer Security Spring 2013

Browser Protection Against Phishing and Other Malware

Page 6: CSCD 303 Essential Computer Security Spring 2013

Safety Features in Browsers

• Internet Explorer 8 and up,
• Firefox 3 and up,
• Google Chrome 4 and up,
• Apple's Safari 4, and Opera 10
  – Include features that block sites known to host malware and malicious downloads

Page 7: CSCD 303 Essential Computer Security Spring 2013

IE8 and Up: SmartScreen

• SmartScreen technology in Internet Explorer 8 blocks known-malicious downloads as well as bad URLs
• How are they doing this? SmartScreen Filter
  – Checks websites against a dynamically updated list of reported phishing and malware sites
  – Checks software downloads against a dynamically updated list of reported malicious software sites
  – Helps prevent you from visiting phishing websites and other websites that contain malware

Page 8: CSCD 303 Essential Computer Security Spring 2013

IE 8 and Up: SmartScreen

• With SmartScreen Filter, when you attempt to visit a website that has been reported, the screen below appears and advises you not to continue to the unsafe website
  http://www.microsoft.com/security/filters/smartscreen.aspx
  http://windows.microsoft.com/en-us/internet-explorer/use-smartscreen-filter#ie=ie-10

Page 9: CSCD 303 Essential Computer Security Spring 2013

IE 8 and Beyond

• Other new security features in IE 8
  – Include automatic blocking of click-jacking and cross-site scripting attacks,
  – Automatic crash recovery, and highlighting of the actual domain name in the address bar
  – Look more closely at XSS attack blocking ...

Page 10: CSCD 303 Essential Computer Security Spring 2013

IE 8

• XSS Filter, a feature new to Internet Explorer 8, detects JScript in URL and HTTP POST requests
  – If JScript is detected, XSS Filter searches for evidence of reflection
    • Reflection: information that would be returned to the attacking Web site if the attacking request were submitted unchanged
  – If reflection is detected, XSS Filter sanitizes the original request so that the additional JScript cannot be executed

Page 11: CSCD 303 Essential Computer Security Spring 2013

IE 8

• The page is modified and the XSS attack is blocked
• Users are NOT presented with a question about what they would like to do in this case (a question most users would be unable to answer)
• Internet Explorer simply blocks the malicious script from executing
  http://msdn.microsoft.com/en-s/library/dd565647%28VS.85%29.aspx
• The IE 8 Demo Site shows how this works: http://www.ie8demos.com/tryit/
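As an added illustration (not Microsoft's code), the following Python model walks through the three steps on the two slides above: spot a script-like request parameter, test whether the server reflects it unchanged, and neuter the reflected copy in the page instead of asking the user. The `echo_search` and `escaped_search` servers and the `search.example` URL are constructed for the example.

```python
import re
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Added example: a simplified model of IE8's reflection check, not Microsoft's
# code. Step 1 looks for script-like request values, step 2 tests whether the
# server echoes them back unchanged, step 3 neuters the reflected copy.

SCRIPT_PATTERNS = [
    re.compile(r"<script", re.I),
    re.compile(r"javascript:", re.I),
    re.compile(r"\bon[a-z]+=", re.I),      # onload=, onerror=, ...
]

def script_like(value: str) -> bool:
    """Step 1: does a request parameter contain script injection markup?"""
    return any(p.search(value) for p in SCRIPT_PATTERNS)

def neuter(text: str) -> str:
    # Overwrite one character inside each token so it no longer parses as
    # script ("<script" -> "<s#cript"); no question is put to the user
    for p in SCRIPT_PATTERNS:
        text = p.sub(lambda m: m.group(0)[:2] + "#" + m.group(0)[2:], text)
    return text

def xss_filter(url: str, fetch):
    """Fetch `url` and return (page, blocked).

    fetch(url) stands in for the network request and returns the HTML body.
    A parameter is 'reflected' when it appears in the response verbatim.
    """
    page = fetch(url)
    blocked = False
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if script_like(value) and value in page:        # step 2: reflection
            page = page.replace(value, neuter(value))   # step 3: sanitize
            blocked = True
    return page, blocked

# Two constructed servers: one echoes ?q= unescaped, one HTML-escapes it.
def echo_search(url: str) -> str:
    q = dict(parse_qsl(urlsplit(url).query)).get("q", "")
    return f"<h1>Results for {q}</h1>"

def escaped_search(url: str) -> str:
    q = dict(parse_qsl(urlsplit(url).query)).get("q", "")
    return f"<h1>Results for {escape(q)}</h1>"

if __name__ == "__main__":
    evil = "http://search.example/?q=<script>steal()</script>"
    print(xss_filter(evil, echo_search))     # blocked: page now holds <s#cript>
    print(xss_filter(evil, escaped_search))  # not blocked: nothing was reflected
```

The escaped server shows why the filter keys on reflection rather than on the request alone: the same suspicious parameter is harmless when the page encodes it.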

Page 12: CSCD 303 Essential Computer Security Spring 2013

Safari and Opera

• Apple's Safari browser added phishing and malware blocking in version 3.2, released in late 2008
  http://www.apple.com/safari/features.html#security
• Opera's Fraud Protection predates the phishing and malware filters in IE and Firefox and is enhanced in the latest version, 10
• Fraud and Malware Protection warns you about suspicious webpages by checking the page you request against a database of known "phishing" and "malware" websites
  http://www.opera.com/security/

Page 13: CSCD 303 Essential Computer Security Spring 2013

Private Browsing

• IE 8 also lets you control what information about your browsing habits is shared with Web tracking services
• Firefox also has a private browsing feature
  – Tools > Start Private Browsing, or simply
  – You can set Firefox to start in private-browsing mode by clicking Tools > Options > Privacy
  – Check "Automatically start Firefox in a private browsing session"
    • Firefox will then not save any data about which sites and pages you have visited
• You can open an incognito window in Google Chrome
• Opera as of 10.6 does have this private capability

Overview of all these browsers: http://browsers.about.com/od/faq/tp/Private-Browsing.htm

Page 14: CSCD 303 Essential Computer Security Spring 2013

Private Browsing

• Does Private Browsing keep you anonymous on the Internet?
  – NO!! Private Browsing prevents information from being recorded on your computer. It does not make you anonymous on the Internet.

Page 15: CSCD 303 Essential Computer Security Spring 2013

Browser Anti-phishing Features

• Firefox's built-in anti-phishing tool
  – Claims to update its bad-site database 48 times a day, according to Mozilla's Firefox security page
• Firefox uses Google's Safe Browsing service to automatically block sites that are known to host malware
• We can check out how they do this ...
  http://code.google.com/apis/safebrowsing/firefox3_privacy_faq.html

Page 16: CSCD 303 Essential Computer Security Spring 2013

Chrome and Firefox Safe Browsing

• If you use the Chrome browser and you have safe browsing mode enabled
  – Google Chrome contacts servers at Google approximately every half hour to download updated lists of suspected phishing and malware websites
  – The lists are stored on your PC !!!!
  – When you surf, each site you browse is checked against these black lists locally
  – This is designed to offer performance
  – If the requested site is in the black list, a warning message will appear stating that the requested site is a suspected phishing site or malicious site, and the user can choose to go back to safety
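An added example, not Google's or Mozilla's code, of the local check described above: the list kept on the PC holds short hash prefixes of host-suffix/path-prefix expressions, modelled on the Safe Browsing design, and a page is looked up without sending the visited URL anywhere. The two blocklist entries and all hostnames are constructed for the example.

```python
import hashlib
from typing import Optional, Set
from urllib.parse import urlsplit

# Added example, not Google's or Mozilla's code: a local lookup modelled on the
# Safe Browsing design. The list on disk holds 4-byte SHA-256 prefixes of URL
# expressions, so a lookup never sends the visited URL anywhere.
PREFIX_LEN = 4

def hash_prefix(expression: str) -> bytes:
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_LEN]

def url_expressions(url: str) -> Set[str]:
    """Host-suffix / path-prefix combinations looked up for one URL, so that an
    entry such as 'bad.example/' covers every page under that host."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # the exact host plus up to four suffixes (a.b.c.d -> b.c.d, c.d)
    hosts = {host} | {".".join(labels[-k:]) for k in range(2, min(5, len(labels)) + 1)}
    path = parts.path or "/"
    paths = [path] + ([path + "?" + parts.query] if parts.query else [])
    segs = path.rstrip("/").split("/")                # "/a/b/c" -> ["", "a", "b", "c"]
    paths += ["/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    return {h + p for h in hosts for p in paths}

# Constructed local blocklist: prefixes of two sample bad entries.
LOCAL_LIST = {hash_prefix("phish.example.org/login/"), hash_prefix("badhost.example/")}

def local_check(url: str) -> Optional[str]:
    """Return the matching expression on a hit, or None.

    A miss needs no network traffic. On a hit a real client sends only the
    prefix to the server to obtain the full hash before showing the warning."""
    for expr in sorted(url_expressions(url)):
        if hash_prefix(expr) in LOCAL_LIST:
            return expr
    return None

if __name__ == "__main__":
    for u in ("http://phish.example.org/login/index.html?u=1",
              "https://www.badhost.example/x/y", "http://www.example.org/"):
        hit = local_check(u)
        print(u, "->", f"WARNING: suspected phishing/malware site ({hit})" if hit else "ok")
```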

Page 17: CSCD 303 Essential Computer Security Spring 2013

Chrome and Firefox Safe Browsing

• See any problems with this?
  – Raises questions about privacy
  – Bloggers have noticed ... every few hours, when an update of the black lists is pushed out
  – Two parameters are being sent to Google servers: "machineid" and "userid"
  – Computed information based on machine/user information
  – This information is sent along with other browser information to ask Google whether an update should be downloaded
  – The information can be used for tracking. Google states it will not use any of the personal information being collected!

Page 18: CSCD 303 Essential Computer Security Spring 2013

IE 7

Page 19: CSCD 303 Essential Computer Security Spring 2013

IE 7 and IE 8

• When you visit a Web site, IE7 first checks a local 'safe list'
  – If the URL is there, or it appears in the local cache, things will go no further
• If the Phishing Filter is enabled, IE transmits details of the URL being visited for checking
  – From that time on, IE7 will maintain a dynamic cache of sites that have already been checked by the Phishing Filter for a period of time
• In IE 8 this is called SmartScreen

Page 20: CSCD 303 Essential Computer Security Spring 2013

Google Chrome Sandbox

• The sandbox leverages OS-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential
• The sandbox architecture is dependent on the operating system
  http://www.chromium.org/developers/design-documents/sandbox

Page 21: CSCD 303 Essential Computer Security Spring 2013

Google Chrome Sandbox

• Chrome Sandbox
  – The sandbox uses the security features of Windows extensively ... it does not reinvent any security model
  – All processes have an access token
  – An access token is like an ID card: it contains information about the owner of the process, the list of groups that it belongs to and a list of privileges
  – Each process has its own token, and the system uses it to deny or grant access to resources

Page 22: CSCD 303 Essential Computer Security Spring 2013

Google Chrome Sandbox

Furthermore ...
• Before launching the renderer process, we modify its token to remove all privileges and disable all groups
• We then convert the token to a restricted token
• A restricted token is like a normal token, but access checks are performed twice
• Google Chrome sets the secondary list of groups to contain only one item, the NULL user
• Since this user is never given permissions to any objects, all access checks performed with the access token of the renderer process fail, making this process useless to an attacker
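An added model (not Chromium's code) of the double access check on a restricted token described on the two slides above: `access_check` evaluates the ACL once against the token's user and groups and, for a restricted token, a second time against the restricting SID list, so the renderer token, restricted to the NULL SID, fails even on objects its own user is granted. The user SID and both ACLs are constructed; only the BUILTIN\Users SID is a real well-known value.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Added model, not Chromium's code: the Windows access check with a restricted
# token. Rights are bit flags; an ACL is a list of (allow, sid, rights) entries.
READ, WRITE = 1, 2
NULL_SID = "S-1-0-0"        # the NULL user: never granted access to anything

@dataclass
class Token:
    user: str
    groups: Set[str]                               # enabled group SIDs
    privileges: Set[str]
    restricting_sids: Optional[Set[str]] = None    # None = normal token

def evaluate(acl, sids, requested) -> bool:
    granted = 0
    for allow, sid, rights in acl:
        if sid not in sids or not (rights & requested):
            continue
        if not allow:
            return False            # a matching deny entry wins immediately
        granted |= rights
    return granted & requested == requested

def access_check(token: Token, acl, requested) -> bool:
    # Pass 1: the token's user and its enabled groups
    if not evaluate(acl, {token.user} | token.groups, requested):
        return False
    # Pass 2 (restricted tokens only): the restricting SIDs must be granted
    # the same access; both passes have to succeed
    if token.restricting_sids is not None:
        return evaluate(acl, token.restricting_sids, requested)
    return True

def make_renderer_token(parent: Token) -> Token:
    """Drop every privilege, disable all groups (simplified: Windows keeps them
    as deny-only), and restrict the token to the NULL SID alone."""
    return Token(parent.user, set(), set(), restricting_sids={NULL_SID})

# Constructed objects: a document readable by BUILTIN\Users (S-1-5-32-545 is the
# real well-known SID) and the user's own profile; S-1-5-21-1000 is a stand-in.
USER_SID = "S-1-5-21-1000"
ACL_DOCUMENT = [(True, "S-1-5-32-545", READ | WRITE)]
ACL_PROFILE = [(True, USER_SID, READ | WRITE)]

if __name__ == "__main__":
    browser = Token(USER_SID, {"S-1-5-32-545"}, {"SeChangeNotifyPrivilege"})
    renderer = make_renderer_token(browser)
    print(access_check(browser, ACL_DOCUMENT, READ))    # True
    print(access_check(renderer, ACL_DOCUMENT, READ))   # False: groups disabled
    print(access_check(renderer, ACL_PROFILE, READ))    # False: NULL SID pass fails
```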

Page 23: CSCD 303 Essential Computer Security Spring 2013

Google Chrome and HTML5
http://blog.chromium.org/2010/05/security-in-depth-html5s-sandbox.html

• Chrome is the first browser to include support for a new HTML5 feature that lets web developers reduce the privileges of parts of their web pages by including a "sandbox" attribute in iframes:

<iframe sandbox src="http://attacker.com/untrusted.html"></iframe>

When displaying untrusted.html in a sandboxed iframe, the browser renders untrusted.html with reduced privileges (e.g., disabling JavaScript and popups), similar in spirit to how Google Chrome sandboxes its rendering engine

Page 24: CSCD 303 Essential Computer Security Spring 2013

However, Google Chrome Sandbox Easily Defeated in Pwn2Own

"We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year," he said.

During the hack, Bekrar created a web page booby-trapped with his exploit. Once the target machine visited the page, the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox.

"There was no user interaction, no extra clicks. Visit site, popped box."

VUPEN will sell rights to one of the zero-day vulnerabilities but the company says it won't give up the sandbox escape. "We are keeping that private, keeping it for our customers."

http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588

Page 25: CSCD 303 Essential Computer Security Spring 2013

Change Browser Environment

• Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer
  – Like a virtual machine
• For Windows 32-bit OS up through Windows 7
  http://www.sandboxie.com/

Page 26: CSCD 303 Essential Computer Security Spring 2013

Other Browser Add-on Programs

• Netcraft toolbar
  – Add-in to IE and Firefox on Windows, Linux, Mac
  – Uses community identification of bad sites to block access to phishing sites
    http://toolbar.netcraft.com/
  – Rated at about 75% for finding phishing sites
    http://www.securiteam.com/securityreviews/6H00W00HFK.html

Page 27: CSCD 303 Essential Computer Security Spring 2013

Other Browser Add-ons

• NoScript
  http://noscript.net/
  – The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other Mozilla-based browsers
  – Free, open-source add-on that allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice
  – NoScript's unique whitelist-based, pre-emptive script blocking approach prevents exploitation of security vulnerabilities

Page 28: CSCD 303 Essential Computer Security Spring 2013

Spyware Prevention

• Spyware
  – Don't allow it to get on your computer in the first place
  – Much like other anti-malware programs, spyware prevention programs are necessary
  – Anti-spyware programs are specific to spyware

Page 29: CSCD 303 Essential Computer Security Spring 2013

Spyware Solution

• Spybot - Search and Destroy
  – Excellent utility
  – Like a virus checker
  – Searches your computer for known spyware and hijackers and removes them from your system
  – Scans registry, files, cookies, and other storage places against a large database of known offenders
• http://www.safer-networking.org/index.php?page=spybotsd

Page 30: CSCD 303 Essential Computer Security Spring 2013

Adware Solution

• Ad-Aware
  – Another excellent piece of software for removal of spyware and hijackers
  – Same features as Spybot; it was one of the first programs created for removal of these types of programs, and it is recommended to use this software as well as Spybot
  http://www.lavasoftusa.com/support/download/

Page 31: CSCD 303 Essential Computer Security Spring 2013

Prevent Getting Infected

• Browser Protectors for Windows
• SpywareBlaster from Javacool Software allows you to protect your browser from the risk of future infection by immunizing your system
• The program contains a huge list of known malicious cookies, ActiveX controls, and web sites, which it enters into your registry and browser settings
• You then cannot run these programs in the future, download programs from certain sites, or accept cookies from known ad servers without notification
  http://www.bleepingcomputer.com/tutorials/tutorial49.html

Page 32: CSCD 303 Essential Computer Security Spring 2013

Change Browser Environment

• Download the free VMware Player
  http://www.vmware.com/products/player
  – Creates a virtual environment
  – Download a free file, the Browser Appliance
  – Runs a version of Ubuntu Linux running Firefox
  – Why do this?
    • You isolate any Internet dangers that could infect your computer: all is contained within the memory of VMware Player
    • No spyware, no malware

Page 33: CSCD 303 Essential Computer Security Spring 2013

BLADE Tool

• Researchers from Georgia Tech and SRI International will soon release a free tool that has proven 100% effective in stopping covert binary drive-by malware attacks
• Tested the software, BLADE ("Block All Drive-by Download Exploits"), against real-world malicious URLs and zero-day drive-by exploits
• BLADE can provide cross-browser protection against many real threats
  – The software is like a security weapon to immunize vulnerable Windows hosts from sneaky drive-by malware downloads
  http://www.blade-defender.org/eval-lab/

Page 34: CSCD 303 Essential Computer Security Spring 2013

BLADE Tool

• In nearly 19,000 trials, BLADE prevented all drive-by downloads and all zero-day exploit malware from installing
• It had zero false positives and zero false negatives

Page 35: CSCD 303 Essential Computer Security Spring 2013

Blade Internals

• How does it work?
• BLADE is a kernel-based monitor designed to block any malware that an attacker attempts to deliver through a browser
  – The tool is based on a simple principle
  – All browser downloads fall into two categories:
    – Supported files (files that make up Web pages, for instance HTML, images) and
    – Unsupported files (EXE, ZIP and so forth)
  – Typically, browsers fetch supported files silently, and they're supposed to alert the user if an unsupported file type is being downloaded
  – Nefarious Web sites subvert the unsupported-file notification function ...

Page 36: CSCD 303 Essential Computer Security Spring 2013

Blade Internals

• What BLADE does is introduce capabilities at the operating system level that prevent execution of all downloaded unsupported content that has not been directly consented to by user-to-browser interaction
• Drawbacks?

Page 37: CSCD 303 Essential Computer Security Spring 2013

Blade Internals

Drawbacks?
  – It could interfere with legitimate downloads of unsupported files
    • Programs updating themselves or patching themselves for security reasons
  – The tool also focuses on downloads that are written to a hard disk
  – Some malware is never written to disk and lives only in memory
  – Those programs would be able to evade BLADE
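An added example, not the BLADE tool's code, of the consent rule from the three Blade Internals slides applied to a constructed event log: supported file types pass, an unsupported type passes only when a user consent event for that file name precedes the disk write within an assumed 60-second window, and everything else is quarantined so it cannot execute. The log format, the file names and the window are assumptions; a payload that never touches disk produces no WRITE event at all, which is the evasion the drawbacks slide describes.

```python
import re
from datetime import datetime, timedelta

# Added example, not BLADE's code: the consent rule from the slides, applied
# to a constructed event log. A payload that stays in memory never produces a
# WRITE event, so this rule (like BLADE) does not see it.

SUPPORTED = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif"}  # page parts
CONSENT_WINDOW = timedelta(seconds=60)   # assumed validity of a user's "Save" click

# Constructed events (Windows paths): CONSENT = the user accepted a download
# dialog for a file name; WRITE = the browser wrote a file to disk.
LOG = """\
2013-04-10T10:00:01 WRITE path=C:\\Users\\bob\\Temp\\index.html
2013-04-10T10:00:02 WRITE path=C:\\Users\\bob\\Temp\\logo.png
2013-04-10T10:00:05 WRITE path=C:\\Users\\bob\\Downloads\\update.exe
2013-04-10T10:01:00 CONSENT file=report.zip
2013-04-10T10:01:03 WRITE path=C:\\Users\\bob\\Downloads\\report.zip
2013-04-10T10:05:00 WRITE path=C:\\Users\\bob\\Downloads\\report.zip
"""
LINE = re.compile(r"^(\S+) (WRITE|CONSENT) (?:path|file)=(.+)$")

def file_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def extension(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""

def blade_verdicts(log: str):
    """[(file name, verdict)] per WRITE: 'allow' for supported content or a
    consented download, otherwise 'quarantine' (the file may not execute)."""
    consents = {}        # file name -> time of the most recent consent click
    verdicts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, kind, value = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if kind == "CONSENT":
            consents[value] = ts
            continue
        name = file_name(value)
        if extension(name) in SUPPORTED:
            verdicts.append((name, "allow"))        # fetched silently, by design
        elif name in consents and ts - consents[name] <= CONSENT_WINDOW:
            verdicts.append((name, "allow"))        # the user asked for this file
        else:
            # drive-by, stale consent, or a self-updater (the false-positive case)
            verdicts.append((name, "quarantine"))
    return verdicts

if __name__ == "__main__":
    for name, verdict in blade_verdicts(LOG):
        print(f"{name:12} {verdict}")
```

The `update.exe` line is deliberately ambiguous: the rule cannot tell a drive-by from a program patching itself, which is exactly the interference the drawbacks slide lists.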

Page 38: CSCD 303 Essential Computer Security Spring 2013

Commercial Security Products

Page 39: CSCD 303 Essential Computer Security Spring 2013

ZoneAlarm Extreme Security 2010

For Web browsing, ZoneAlarm Extreme Security 2010 provides multiple layers of download protection
• User-downloaded files are first subject to traditional signature scanning
• If nothing is found, an additional layer of protection is available which sequesters the download in a virtual sandbox until the user releases it
• Properly used, this additional layer of protection can protect against both hostile drive-by downloads and malware downloads that occur as a result of a lapse in judgement (perhaps as the result of a social engineering scam)
  http://www.zonealarm.com/security/en-us/zonealarm-extreme-security-hde.htm

Page 40: CSCD 303 Essential Computer Security Spring 2013

Avira Antivirus Premium

• Avira AntiVirus Premium not only combats viruses, worms, Trojans, rootkits, phishing, adware and spyware, but also protects you while surfing, thanks to the Web Guard, Anti Drive-by and Mail Guard
  – AntiRootkit: against hidden rootkit threats
  – AntiDrive-by: prevents downloading viruses when surfing
  – MailGuard: enhanced email protection
  – WebGuard: protection against malicious websites
  – RescueSystem: create a bootable rescue CD
  http://www.avira.com/en/for-home

Page 41: CSCD 303 Essential Computer Security Spring 2013

Summary

• Browsers
  – Chrome seems to be going in the right direction
    • "Building security in": sandbox, HTML5 features, support for black-listed sites
• Add-ons
  – Do work. Can be annoying. But, alerts do help
  – However, not all users are savvy enough to install them and use them
• Virtual Environment
  – Known to work. Must use it when browsing
  – Might be intimidating to novice users

Page 42: CSCD 303 Essential Computer Security Spring 2013

References

Phishing Web Sites
http://www.antiphishing.org
http://www.spamfo.co.uk
http://www.millersmiles.co.uk
http://www.tecf.org
http://www.antifraudalliance.com
http://www.phishreport.net

Page 43: CSCD 303 Essential Computer Security Spring 2013

End

Keep working on projects
There is a lab this week !!!