Enabling a safer internet: The positive approach to
web security
a safer internet: the positive approach to web security
One newly infected webpage is discovered every 4.5 seconds.
Web-based malware: the new weapon
With one new web page infected every 4.5 seconds,1 the web is now the number one vector of attack for cybercriminals. Taking advantage of web infrastructure vulnerabilities, particularly the ever-increasing
capability for user-submitted content, hackers are able to covertly inject malicious code into
more and more legitimate sites. This web-based malware is then able to exploit social engineering
tactics or browser vulnerabilities to infect visitors, the intention being to surreptitiously steal
confidential information directly, install further malicious code or, worse, silently recruit the host
system into a botnet – a network of hijacked computers for distributing further malware,
spyware, or spam.
Thousands of systems are infected in this way every day and the activity is particularly lucrative
for the criminals – a single compromised computer can give access to thousands of confidential
records. This significant security risk can be extremely costly to businesses, with some
estimates for a data breach estimated at millions, and even billions, of dollars.
In addition to significant security and financialrisks, organizations are having to deal with the legal implications of security breaches. Organizations can be legally liable if their computers are used to view pornography or hate material or to incite illegal behavior. There are also ramifications if users violate third-party licenses through illegal MP3, film and software downloads.
At the same time uncontrolled web browsing can have serious productivity implications with unauthorized surfing potentially causing network slowdown, staff inefficiency and further security (and legal) risk if sensitive company or personal data is posted online.
Exploiting legitimate, trusted brands
Hackers don’t tend to discriminate between websites. Large, more established brands with high traffic volumes are very attractive to cybercriminals but smaller organizations are equally likely to fall victim. The only criterion is
that the website has vulnerabilities that the hacker can exploit. The techniques used continue to evolve rapidly and this paper now looks at what the hackers are up to today.
Enabling safer surfing: The positive approach to
web security
Enabling a safer internet: the positive approach to web security
Infecting trusted sites with SQL injection attacks
One of the main threats comes from SQL injection attacks. Such attacks exploit security vulnerabilities
and insert malicious code (in this case script tags) into the database running a site. When user input,
for instance via a web form, is not correctly filtered or checked, the code peppers the database with
malicious instructions.
Websites that have been attacked in this way include:
BusinessWeek magazine – one of the 1000 busiest websites – which attempted to download malware from a Russian-based server.
An area of the Adobe website designed to offer support to video bloggers, which tried to
download spyware.
Sony’s US PlayStation website, putting visitors at risk from a scareware attack.
Recovery from a SQL injection attack can be difficult, and there are numerous cases of website
owners cleaning up their database only to be hit again a few hours later.
New gateways for cybercrime
The new freedoms opened up by the web, blurring the lines between work and social interaction and
offering easy ways to share information, have opened up new loopholes for cybercriminals to
exploit.
Social networking sites
A favorite target for today’s hackers are social networking websites. People who have learned to
be suspicious of email links are on the whole less savvy about links posted on Facebook and the
like. Hackers have found value in compromising Facebook accounts, stealing usernames and
passwords, and then using the profiles as a launching pad for mass-distributing malware
attacks and spam.
In August 2008, Facebook admitted that up to 1800 users had had their profiles defaced by an attack that secretly installed a Trojan while displaying an animated graphic of a court jester blowing a raspberry.7
One particularly active threat is Koobface, a family of worms, and its rapid evolution demonstrates
the wide range of social networks that are vulnerable. Initially targeting Facebook and MySpace, Koobface now targets a more diverse set of social networks, including MySpace, Bebo, hi5, GeoCities, Friendster and Tagged.
The malware works by directing your “friends” on your social networking site to click on a link to another site
purporting to contain a video clip. If they are tricked into downloading an executable to watch the video at the third-party website, a message is displayed: “Error installing Codec. Please Contact Support”. The malware then accesses Facebook/MySpace/etc to spread itself further.
The websites to which victims are directed use a script to check which of these social networking
sites has sent them there. The aim is to serve up malware specifically tailored to the networks of which you’re known to be a member (though in fact to date these links all result in the same executable).
Blogs, micro-blogs and hackers
Hackers are also targeting other social media such as blogs. In much the same way that they set up malicious pages on fake websites and then use social engineering techniques to lure visitors to them, they are using free blogging services to infected blogs. Unsuspecting victims then receive emails with links to the blog, from which
malicious software is downloaded.
A Sophos white paper Enabling a safer internet: the positive approach to web security
At the same time, vulnerabilities in common legitimate blogging platforms – just like any other platform – can be, and are, exploited by criminals.
Of note is the micro-blogging site, Twitter, which has begun to be targeted. In January 2009, Twitter’s internal systems were hacked and the accounts of Britney Spears, Fox News and Barack Obama, among others, were broken into.11 Two months later hundreds of Twitter users were hit when messages were sent from compromised
accounts trying to drive traffic to a pornographic website.
The spread of the phishing net
Phishing attacks – whereby unsuspecting users are directed to to a bogus login page which requests
their username and password – continue to be a significant threat.
A common misconception is that phishing is just a banking problem. It remains, of course, a banking
problem but it is now also a problem for social networking sites, such as MySpace, Facebook, Bebo and a wide range of other networks and
enterprises.
A handful of examples from February and March 2009 alone demonstrate the scale of the problem.
Google A phishing campaign spread via the Google Talk chat system.13
iStockphoto a phishing attack was perpetrated across iStockphoto’s online forums and via the
site’s mail system.14
Gaming community The Valve Steam network was targeted by a phish offering add-ons for the
new zombie shooter Left 4 Dead.15
Paypal An unusual type of phishing attack spammed out malware within a RAR attachment.16
HMRC The passing of the deadline for
submitting tax returns to HM Revenue & Customs in the UK prompted a phish.17
The risks posed by anonymizing proxies
Many organizations have responded to the growing web threat by using URL filtering to curtail
internet browsing. This has motivated many users to respond by using anonymizing proxies which disguise the true nature of a website in order to trick an organization’s web filter into allowing access.
Anonymizing proxies are big business in the underground economy, driven by advertising revenues and subscription fees. Hundreds of new anonymizing proxies are created daily and distributed via blogs, forums, and dedicated
websites. There is also a growing number of unknown private anonymizing proxies setup and maintained by individuals or small groups for their own use. This makes it extremely easy for users to access any site they want through an anonymizing proxy, but a difficult, tedious, and time-consumingtask for administrators to track and block them.
Anonymizing proxies hold significant risks for organizations:
Security: If users are browsing via anonymizing proxies, then in addition to bypassing URL filtering, they might also be circumnavigating content scanning at the perimeter, which dramatically increases the chance of infection.
There are even anonymizing proxies that are themselves, either accidentally or deliberately,
infected with malware.
Anonymizing proxies bypass URL filtering and create enormous security vulnerabilities.
a safer internet: the positive approach to web security
Liability: Unrestricted access to inappropriate
material or illegal downloads could have
serious legal ramifications for an organization,
as could the sharing of confidential information
over the internet.
Productivity: The ability for users to bypass
their organization’s web filter means they
could spend all day on, for example, social
networking sites rather than working, and
consume valuable network bandwidth.
The three pillars of modern web protection
Internet access creates a dilemma for network administrators – on the one hand, the risks presented by allowing unfettered access to the web are enormous, yet the internet is undeniably becoming a mission-critical business tool. Social networking sites, blogs, forums and media portals have all become important instruments for employee recruitment, viral marketing, public relations, customer interaction, and research – they cannot be blocked without seriously impacting business productivity and effectiveness.
A new approach to web security and control is required that fully supports the needs of business,
equipping users with the tools they need to be more effective while eliminating the associated risks of potential infection from trusted legitimate sites. In addition to good preventive practices, such as rigorous patching and educating users about the risks of browsing, it is vital that organizations implement a comprehensive web
security solution, comprising three key pillars of protection:
Reputation-based filtering
Real-time predictive malware filtering
Content-based filtering.
Reputation-based filtering
Reputation-based filters are the first critical component in the fight against web-based threats.
They prevent access to a catalog of sites that are known to have hosted malware or other
unwanted content, by filtering URLs based on their reputation as “good” or “bad”, and are
an established and proven tool for successfully protecting against already known and located
web-based threats. As well as providing this basic form of preventive protection, they help optimize
network performance and staff productivity by blocking access to illegal, inappropriate or nonbusiness-
critical web content.
Although traditional URL filters often connect to vast, regularly updated databases of sites known to host malware or suspicious content, they have several significant shortcomings. In particular, they offer no protection against malware hosted on legitimate, previously safe, sites that have become hijacked. Neither do they protect against malware
on newly created websites. Cybercriminals are well aware of, and readily exploit, the fact that traffic from these sites is not blocked and that malware, whether new or old, will be allowed into an organization.
Another significant shortcoming of traditional URL filters is that they often lack an effective solution
to deal with the enormous issue of anonymizing proxies. To prevent users from bypassing filtering
controls, the following two components are critical in forming a defense against anonymizing proxy use:
A reputation-based service that actively seeks out new anonymizing proxies as they are
published and updates the filtering database at frequent, regular intervals
A real-time proxy detection engine that automatically inspects traffic for signs that it’s being routed through a proxy, effectively closing the door on private proxies or other proxies not identified through the reputation service.
A Sophos white paper Enabling a safer internet: the positive approach to web security
Real-time predictive malware filtering
Real-time predictive malware filtering goes a long way to closing the gap left by reputationbased filters. All web traffic passes through a scanner designed to identify both known and newly emerging zero-day malware. The malware
engine is optimized for low-latency scanning and whenever a user accesses a website, irrespective
of its reputation or category, the traffic is scanned using a combination of signatures and behaviorbased
technologies.
It is worth noting that this type of real-time scanning has a further advantage over traditional URL filters, in that the filtering is, almost by definition, bi directional – both the user request to, and information returning from, the web server are scanned. In addition to detecting known malware as it moves across legitimate sites, this
bi-directional filtering can also provide protection against new threats regardless of where they are
hosted.
The use of real-time predictive threat filtering remains uncommon amongst many of the leading web filtering security solutions in the market today. Many security vendors are currently relying on signatures alone. Others who are fairly recent entrants to the market claim comprehensive solutions but lack the evidence to prove they are
delivering fully proactive protection.
Content-based filtering
Content-based filtering analyzes all web traffic on the network to determine the true filetype of content coming back from a website and can allow or disallow this traffic, based on corporate policy.
Key questions to ask a prospective vendor
Does the URL database used for your reputation-based filtering have global
coverage?
How frequently is your product updated to cover new threats?
How many new threat-hosting sites are identified daily?
Do you scan all incoming traffic for malware in real-time?
Do you use your own technology for malware scanning or rely on third-parties?
Is your malware scanning engine signature-based or does it use behavioral analysis?
Is there an additional cost for real-time malware filtering?
Is there a performance impact for real-time malware filtering?
How many anonymizing proxies do you catalog daily?
Does your solution identify anonymizing proxy use in real time?
Do you analyze the true content of files, or rely on the extension or the MIME-type?
r/>
Do you scan HTTPS-encrypted traffic?
Can you demonstrate real research expertise in web threats?
Do you have independent statistics of your proactive web threat detection rates?
Can I see a demo of the admin console to see how easy it is to use?
Are there on-board monitors to track software, hardware and traffic health?
How are issues reported to the administrator? Via email? Via phone call?
Do you provide real-time uptime monitoring to assure the system is available 24/7?
Conclusion
Every minute of every day, cybercriminals are looking to exploit web traffic for commercial
gain, and since web browsing is integral to most businesses’ day-to-day activities, the web gateway
must be equipped with a security solution that enables business and users to be productive while
providing the security essential to ensure a risk-free experience.
Organizations looking to protect against the growing threat of web-based malware need a
solution that above all demonstrates its security attributes and combines powerful site and content
controls with low-impact, effective administration.
At the same time end-user expectations and requirements for speed, efficiency, and open access to the tools and sites they need must be met. Solutions which fail to meet these demands for security, control, performance, and accessibility will ultimately fail the organization.
Content filters scan the actual content of a file, rather than simply looking at the file extension or
the MIME-type reported by the web server, and so can identify and block files that are masquerading
as innocent/allowed filetypes but really contain unauthorized content. A file might, for example,
have a .TXT extension but in fact be an executable file.
By enabling enforcement of only business type content, this pillar of protection enables organizations to create policies around a variety of content types that can be used to send malware, thereby reducing the risks of infection.
For example Windows executables or screensavers might be disallowed. Content-based filtering also improves
bandwidth optimization by blocking large or resource-hungry content, such as streaming video.
User education as a tool for defense
Many businesses have successfully educated users about how to spot email-borne threats, and while
the fight against web-based threats relies much more heavily on sophisticated technology, users can and should be engaged in the fight.
Many firms already have procedures in place that define which websites are considered appropriate, but few have updated these to include guidance on how to avoid infection whilst surfing the net.
A good policy will dictate that:
Employees must never open spam emails
Employees must never click on links included in emails sent from unknown senders
IT must ensure that the organization’s web browsers are patched at all time
Employees should minimize their non work-related browsing for both security and productivity reasons.