Thursday, June 12, 2008

no such thing as trusted sites anymore

darn, rich mogull beat me to the publish button - that will teach me to put work and home repair first... i think i'm going to post what i had anyways, though, because mine isn't exactly the same and frankly when it comes to principles that i anticipate needing to hammer home repeatedly it's nice when i have them all in one place... also, actual incidents like yahoo mail serving malware and not cleaning up promptly sort of drive this point home better than xss vulnerabilities found on security vendors' sites; i'm a security blogger and even i rarely visit security vendor sites so i don't imagine the average person does much either - yahoo mail, on the other hand, gets LOTS of traffic from average folks... so here's what i had in my draft folder with the addition of some links i was waiting to find time to look up...

once upon a time there used to be this piece of advice about online security that said don't go to dodgy sites and you should be just fine... the principle behind it is that you won't get compromised by malicious web content if you only ever run trustworthy web content, and if you only ever go to trustworthy sites then trustworthy web content should be all your browser is exposed to...

internet explorer's security zone model has this very principle in mind, some sites are trustworthy and some aren't and those that aren't don't get to take advantage of as much rich web-based functionality as those that are...

even the mighty noscript firefox plugin depends on this basic premise to protect those firefox users who use noscript (in fact, adding a site to noscript's whitelist is in many ways the same as adding a site to ie's trusted sites zone - only easier, more convenient, and more intuitive)...

the principle makes sense and the advice (even in absence of the technologies that try to make it automatic) has been one of the more successful bits of security know-how at gaining widespread adoption... unfortunately the principle is falling apart because malicious web content is increasingly finding its way onto what would otherwise be considered trustworthy sites... dancho danchev often informs his readers of instances of web sites being directly compromised to serve malware, and sandi hardmeier regularly informs her readers of instances of sites serving malware indirectly by virtue of malvertizements (malicious advertisements) infiltrating the 3rd party ad networks the site owners use...

when (as this zdnet article suggests) such compromises are up 400% over last year, and when affected sites include such well known internet properties as yahoo mail, cnn (among others), or the superbowl then it begs the question "is there any such thing as trusted sites anymore?" and the answer i think has to be either "no" or "not for much longer"...

now, of course the efficacy of tools like noscript isn't quite as affected as a basic careful internet user would be since the tools can look at where the content is coming from rather than just what the current site is, but it really makes you wonder about those oh-so-clever users who go around not using any anti-malware software and thinking they're fine because they don't go to dodgy sites...
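the difference between trusting the current site and trusting where each script comes from, as an added example (not part of the original post, and a simplified model rather than noscript's or ie's actual logic). the hostnames, the page markup and the function names are all constructed for illustration:

```javascript
// Constructed sample: a "trusted" webmail page that also pulls a script
// from a third-party ad network. Hostnames use reserved example domains.
const PAGE_URL = "https://mail.example.com/inbox";
const PAGE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//ads.adnetwork.test/serve.js?slot=1"></script>
<script>renderInbox();</script>`;

// Hosts the user has chosen to trust (assumed allowlist).
const ALLOWLIST = new Set(["mail.example.com", "cdn.example.com"]);

// List the host each <script> would execute from. Inline scripts have no
// src, so they are attributed to the page itself. The regex is enough for
// this constructed markup; it is not a general HTML parser.
function scriptSources(html, pageUrl) {
  const out = [];
  const tag = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const url = src ? new URL(src[1], pageUrl) : new URL(pageUrl);
    out.push({ host: url.hostname, inline: !src });
  }
  return out;
}

// "Trusted site" model: one decision for the page covers every script on it.
function siteBasedDecision(html, pageUrl, allow) {
  const pageTrusted = allow.has(new URL(pageUrl).hostname);
  return scriptSources(html, pageUrl).map(s => ({ ...s, run: pageTrusted }));
}

// Per-source model: each script is judged by the host it is loaded from.
function sourceBasedDecision(html, pageUrl, allow) {
  return scriptSources(html, pageUrl).map(s => ({ ...s, run: allow.has(s.host) }));
}

const blockedHosts = decisions => decisions.filter(d => !d.run).map(d => d.host);

console.log("site-based blocks:  ", blockedHosts(siteBasedDecision(PAGE_HTML, PAGE_URL, ALLOWLIST)));
console.log("source-based blocks:", blockedHosts(sourceBasedDecision(PAGE_HTML, PAGE_URL, ALLOWLIST)));
```

the per-source check stops the ad network script, but the inline script and `/static/app.js` still run because they come from the allowlisted host, which is the case where the trusted site itself has been directly compromised.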

prudence alone isn't really enough anymore, you need good tools to help control what web content is allowed to run (i.e. some kind of whitelist like noscript), in what environment it runs (i.e. some kind of web sandbox whether it's multiple browsers/browser profiles, or sandboxing software like sandboxie, or even a full virtual machine like vmware), and to detect when something slips through the cracks (i.e. a scanner, preferably one that implements an lsp) to help prevent it from stealing data you enter and/or using your browsing session as a staging point for an attack on other things on your network (like your router) or the internet at large...
