Modernizing Authentication — What It Takes to Transform Secure Access
The recent attacks against Google and other companies highlighted "spear phishing" attacks. The term refers to scam e-mail messages designed to trick the recipient into infecting his or her own computer with malicious software (malware).
The end result of the phony yarn, spun in the body of an e-mail message, is that the duped user either visits an infected Web page, opens a maliciously crafted document, or runs a malicious program.
Unlike regular phishing e-mails that are blasted out to millions, spear phishing, as the name implies, is specifically targeted. Anyone that works with secrets that the bad guys want, may be sent an e-mail message targeted specifically at them. The message will appear to come from someone they know and the topic will be something that the sender would normally discuss. Everything about the message is fraudulent, including the From address.
The fraud is successful, in part, because people trust the From address of an e-mail message. No one should; forging the From address is childs play. But, since the From address is correct 99% of the time and many don't know that it is easily forged, this gets the spear phishing message in the door, so to speak.
As I recently wrote, the most important aspect of Defensive Computing is skepticism. Corporate executives may be skeptical when dealing with people, but lack awareness of common online scams.
Just a few days ago, Roger Thompson of AVG described the hacking of the Oklahoma Tax Commission Website. To be infected, the end user simply had to agree to an Adobe license agreement. The agreement looked legit, but it was from bad guys rather than Adobe, and agreeing to it installed malware.
Here I assume we are configuring a computer for someone with access to corporate secrets, someone whose lack of technical know-how makes them an easy target for online scammers. What steps can we take to protect this person from themselves?
Running as a limited (a.k.a. restricted or standard) user is job one. For the sake of backward compatibility Windows users, by default, run as Administrators, which lets them change anything, anytime, anywhere. Despite this default behavior, Microsoft recommends, and all techies agree, that people are safer running as limited users.
Windows Vista and 7 users may feel that UAC protects them, even when logged on as an administrator. It does not.
I've been testing life as a restricted user for a while on both Windows XP and 7. It works better on Windows 7; XP has a number of quirks in the implementation. But regardless of any quirks, this is perhaps the biggest weapon in the Defensive Computing software arsenal. Barring severe bugs in Windows, it should prevent the installation of any software (assuming the bigshot is not given an Administrator password).
If, for whatever reason, running as a limited user is not an option, Windows XP users can still get most of the protection it offers with the free DropMyRights program. This Microsoft program is used to front-end another program and drop its rights. For example, an Administrator class user can click on an icon for the Adobe Reader, which actually runs DropMyRights. It, in turn, runs the Adobe Reader, but only after dropping the rights down to those of a limited user. Thus, if an infected PDF file tries to install software, it fails.
I blogged about DropMyRights extensively in the summer of 2007 (see Every Windows XP user should drop their rights).
Running as a limited user however does not prevent malicious software from running, just from running out of certain folders (and from being permanently installed). More steps are needed.
It took security expert Steve Gibson a while to come around to my Defensive Computing posture, but he finally did.
No more Internet Explorer.
Just say no. Friends don't let friends use Internet Explorer.
In part this is unfair to Microsoft, as IE is not necessarily any buggier than competing browsers. But it is buggy enough, and it has a huge target painted on its back.
Plus, Microsoft makes a bad situation worse by being slow to fix bugs. If for no other reason than this, any other Web browser is safer than IE.
Other browsers are updated with bug fixes when they are needed. IE has to live in a huge bureaucracy that dictates it only gets updated once a month. It makes headlines when IE is patched when needed, as opposed to on schedule. Not good for security.
In addition to the slow IE patching imposed by the once-a-month schedule, Microsoft has a history of just being slow.
For example, the IE bug that was exploited recently to attack Google and others was initially called a zero-day vulnerability; techie terminology for a newly discovered bug. It turns out not have been zero day at all, more like 120 days. Microsoft was alerted to the problem four months before it was exploited on Google.
And, we're still not done with IE issues. Computerworld reports that design flaws in the browser can let it expose the entire C: disk.
There is no such thing as removing Internet Explorer, but we can hide it.
First, lock it down as best as possible. On the Security tab (of Internet Options) set the Internet and Local intranet zones to high security. Turn on protected mode and DEP (note that DEP requires companion support in both the processor and BIOS).
Then get rid of all visible signs of Internet Explorer. Remove it from the desktop, task bar, and the Start button. It's still there, only now the only way to run it is to navigate to
C:Program FilesInternet Exploreriexplore.exe
Firefox and Adobe Reader
In place of Internet Explorer, I suggest Firefox; no news here. But, it does need some work out of the box.
A great security tweak to Firefox is to force the address bar to turn green on all secure HTTPS Web pages. It shouldn't be hard to train anyone that green is safe and anything else is not. This tweak is done by editing a file called userchrome.css. For more see "Make Firefox flag secure web pages as green."
Another possibility is using the portable version of Firefox rather than a normally installed copy. Not only does this allow a limited/restricted/standard user to update the browser with new patches, it also makes the software harder to find by any malware looking to infect it.
Another program that I'd ban from the computer of anyone involved with corporate secrets is Adobe Acrobat Reader.
Like Internet Explorer, the Adobe Reader has a big target painted on it. It has also been rather buggy over the last couple years. At one point, Adobe thought it was a good idea to only issue bug fixes every three months. And the procedure for updating the software is harder than it needs to be.
In addition to the Reader itself, Adobe installs two programs that run every time Windows starts, which is an accident waiting to happen. In fact, simply hovering the mouse over the name of a PDF file causes an Adobe program(AcroRd32Info.exe) to run, no clicking required. This is true even if the Adobe Reader is not the default program for opening PDFs (tested on Windows XP with Adobe Reader 8.2.0).
It's all just too intrusive for my taste.
There are many other PDF readers, any one of which will be a lesser target. I use the one from Foxit Software. It doesn't do everything that Adobe Reader does, but it should be enough for almost everyone.
Other software issues
For years viruses have spread on USB flash drives (a.k.a. pen drive, thumb drive, etc.) and they continue to do so. Windows 7 is more locked down in this respect than XP, but it is not bullet-proof.
The good news is that with a simple update to the registry, you can offer 100% protection from all Autorun/AutoPlay vulnerabilities. (I wrote about this last year: "The best way to disable Autorun for protection from infected USB flash drives.")
While Internet Explorer and Adobe Reader are the most frequently targeted applications, bad guys also exploit other popular software. Thus, the less software installed the better. With this in mind, I would un-install QuickTime, Java, Shockwave, Real Player, and any other popular software that is not absolutely needed.
Flash is a difficult choice. Because it's popular, you can expect bad guys to exploit known vulnerabilities as they are discovered. But, it's also needed frequently. As a compromise, consider the Flashblock Firefox extension.
It works by blocking Flash objects on Web pages and replacing them with placeholders. If a particular Flash object is needed, all you need do is click on it to run it. As I write this, the Flashblock extension has been downloaded nearly 8 million times.
Perhaps the king of popular software is Microsoft Office. Consider replacing it with Open Office, the theory being, again, software that is a lesser target.
Open Office is not as functional as Microsoft Office, but for non-techies, such as corporate bigshots, it should be functional enough.
Did you know that the recent bug in Internet Explorer, the one that was so critical that Microsoft released an immediate fix without waiting for the second Tuesday of the month, also affected Microsoft Office? This didn't get much press. In Microsoft's own words:
We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation. To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office.
Support for ActiveX controls in Office documents is a security accident waiting to happen. I read the instructions for disabling ActiveX controls in Microsoft Office 2003. They were so confusing, I couldn't follow them. The safest thing to do is replace Microsoft Office with competing software.
On the hardware side, I have two suggestions. First, set a password for the hard drive in the computer. This should be a simple thing to do and hard drive passwords are more secure than both BIOS level startup passwords and operating system passwords. For more see, "Hard disk passwords offer great security for free."
The best encryption is, arguably, full disk encryption and if an executive has sensitive files on her computer, this might make sense. But, sensitive files should not be kept on a laptop or desktop computer. They are best stored on an external hard drive, one that can travel with the bigshot to places that a computer can't go.
Two encrypted hard drives, the Lenovo ThinkPad USB Secure Hard Drive and the Aegis Padlock, stand out for not needing any software running on any computer; thus they can work with computers running Windows, OS X, or Linux.
Each has built-in buttons that are used to enter a password. Until a valid password is given, the computer can't see anything on the drive. After the password is validated, the drives work like normal un-encrypted hard drives. The computer is totally unaware of the encryption. For the user, there is no learning curve, just a password.
Another big advantage to an external encrypted hard drive is that it can be easily and quickly locked just by unplugging it from the computer.
Is all this too much trouble? Am I over reacting?
The operation that Google uncovered at the end of 2009 was very sophisticated. The Financial Times just reported that "personal friends of employees at Google, Adobe, and other companies were targeted by hackers."
Friends? The article, by Joseph Menn, says
...the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent."
Michael Horowitz is a regular columnist for eSecurityPlanet.com. Read more of his columns here.