Davin Fligel, Security Analyst: Lighting Down the Line
January 2010 by Davin Fligel, Security Analyst
Nobody wants to be an innocent bystander; we avoid high risk areas where problems are likely to break out. The risk averse amongst us avoids areas that pose even a modicum of risk. You are unlikely to find me trawling a battle ground even for the most precious of loot. So it was with horror that I learnt as a teenager that lightning could come down a telephone line and kill you. More precisely kill me!
I could become an innocent bystander in my own home. I was not safe inside all that brick and mortar. The first thing that came to mind was: “What are the chances of that?” closely follow by, “I live in a lightning prone area” and “I need the phone to communicate.” This was the choice of communication methods before the ubiquitous mobile phone and the pervasive Internet. So I ran to my mother and demanded that we get lightning surge protectors as fast as humanly possible. How could I survive without a telephone, I was a teenager.
On the Internet computers are to homes as browsers are to telephones. To be able to communicate between houses you need to use your browser. Some would say the Internet is somewhat “lightning prone.” You browse around as normal until unsuspectingly hitting an intentionally malicious or even legitimate site that had been compromised and your computer is compromised. How does not using the internet for security reasons sound you? Could you do it or would you sprint out and get the first “surge protector” you could find?
“But I have a firewall” cries the recently recruited member to the latest fashionable botnet. Unless your firewall can stop you connecting outbound to a compromised site then it is useless against this threat. Last I checked I was not blocking my browser from connecting to the Internet. That would defeat the purpose.
“But I only visit safe sites” cries the latest attack vector into a corporate network after being compromised by the penetration testing team. Man in the middle attacks from fake or compromised wireless access points or internet cafes, even man in the middle attacks on the LAN if the opportunity arises. No WiFi? I think not, Sir!
“But I have antivirus” cries the IT Manager as he explains to the CIO how he just lost a stack of confidential records. Kernel rootkit injection and core library replacement through an un-patched vulnerability had left him open long enough to get the data and leave without writing the files that AV definitions would easily identify.
The truth of the matter is browser security is the new file and network security. Even legitimate web sites fall prey to zero day vulnerabilities, cross site scripting and SQL injection attacks. If not the sites themselves, then the advertising engines posting advertisements for their parent sites. This is assuming you are surfing from a safe network let alone the added risks of unprotect wireless networks and the hacker friendly man in the middle opportunities they present.
This is lightning down the wire all over again, only on a grander scale with exponentially more lightning.
The moral of this story is simple to elucidate but difficult to implement: Make yourself a smaller target, install your lightning protectors, patch your browsers and if you cannot patch them use ones that are not vulnerable, use Intrusion Prevention Systems (IPS), Host Intrusion Prevention Systems (HIPS), Layer-7 aware Web Application Firewalls (WAFs), use a secure VPN from public WiFi hotspots, block unnecessary outbound communications, or at a minimum monitor them.
Surf safe, don’t browse without protection.