Saturday, November 24, 2012

"I don't need car insurance since I only drive to places familiar to me"

It has been a while since I have made a post but in the past month I've had the same conversation with two different people where the underlying logic was akin to the title of this post:

I don't need car insurance since I only drive to places familiar to me

Both are people who actively use technology, and one happens to manage a fleet of server systems. What was the topic? Desktop security while browsing, i.e. avoiding malware. I was encouraging a certain approach to browsing which I have already talked about on this blog. I've heard many arguments on this front, and they are usually just masks for hope as a strategy (and hope is not a strategy). They feel comfortably ensconced in "I only use browser 'X' for my finances" or "I only visit trusted sites." Unfortunately such thinking is akin to the statement above about car insurance. Here's why:

http://arstechnica.com/security/2012/11/new-linux-rootkit-exploits-web-servers-to-attack-visitors/

The case in that article is classic pharming. Unlike phishing, where you spray malware randomly at users by various means, often email, and hope someone falls for it, in pharming you poison the well, as it were, and have a greater chance of something sticking, simply because the malware is being served up by a legitimate web site and the content is actively being processed by a web browser.

In the case of phishing, multiple approaches have been found in the wild. Some come in the form of spam, but various email providers have gotten very good at filtering such emails, and as the Internet user base has gotten increasingly tech savvy, the efficacy of this approach diminishes. There are also web sites disguised as legitimate sites trying to trick users into divulging their username and password. With all of these, the chances of deceiving someone are much smaller than in a situation where every single web page served up by a legitimate web site has malware embedded in it, hoping to leverage exploits in unpatched software on the desktops of unsuspecting users, up to and including their favorite web browser. That is pharming.

The example that Ars Technica has brought to light is not new. Ad networks that serve up ads for popular web sites have in the past been compromised and found to be serving up malicious content:

https://threatpost.com/en_us/blogs/major-ad-networks-found-serving-malicious-ads-121210

Then there are cases of more directed attacks where a legitimate site is breached on account of having users with a given demographic profile, in this case, money to pilfer:

http://securityledger.com/web-attacks-target-foreign-exchange-payment-processing-sites/

http://arstechnica.com/security/2012/12/sophisticated-botnet-steals-more-than-47m-by-infecting-pcs-and-phones/

So, it does not matter if you are only visiting the Wall Street Journal or the New York Times or whatever web site strikes your fancy -- if your computer is fetching content on the web, you are at risk. Quite simply, most web pages are an aggregation of content from many, many sources. There is simply no way any individual can police how diligent all these content providers are with respect to their computer security maintenance and security policies.
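To make the aggregation point concrete, here is an added example (not part of the original post) that parses a page and lists every distinct origin contributing scripts, frames, images or stylesheets, i.e. every party whose security upkeep the visitor has no say in. The sample page, its URL and all hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that pull in content from another server. Scripts, frames and
# plugins are active: if any of those hosts is compromised, attacker-controlled
# code runs in the visitor's browser on an otherwise "trusted" page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
OTHER = {("img", "src"), ("link", "href")}


class OriginCollector(HTMLParser):
    """Record the origin (scheme://host) of every external resource on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.other = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for elem, attr in ACTIVE | OTHER:
            if tag == elem and attrs.get(attr):
                # Resolve relative and protocol-relative URLs against the page URL.
                parts = urlsplit(urljoin(self.page_url, attrs[attr]))
                bucket = self.active if (elem, attr) in ACTIVE else self.other
                bucket.add(f"{parts.scheme}://{parts.netloc}")


def third_party_origins(page_url, html):
    """Return (active, other) sorted lists of origins that are not the page's own."""
    own = "{0.scheme}://{0.netloc}".format(urlsplit(page_url))
    collector = OriginCollector(page_url)
    collector.feed(html)
    return sorted(collector.active - {own}), sorted(collector.other - {own})


# Constructed sample: a news story that embeds a CDN, an ad network, a social
# widget and an analytics script (all hostnames are made up for illustration).
PAGE_URL = "https://www.example-news.test/story"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example-news.test/app.js"></script>
<script src="//ads.example-adnet.test/serve.js"></script>
</head><body>
<img src="https://img.example-news.test/logo.png">
<iframe src="https://widgets.example-social.test/like"></iframe>
<script src="https://analytics.example-metrics.test/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    active, other = third_party_origins(PAGE_URL, SAMPLE_PAGE)
    print(f"{len(active)} third-party origins can run code on {PAGE_URL}:")
    for origin in active:
        print("  active:", origin)
    for origin in other:
        print("  other: ", origin)
```

Run against a real page's HTML the same function shows how many organisations, besides the one whose name is in the address bar, are really serving you content.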

These are the two tools I encourage everyone to install:

http://mastercobbler.blogspot.com/2010/09/microsofts-enhanced-mitigation.html

http://mastercobbler.blogspot.com/2010/06/microsoft-security-essentials.html

This all underscores why the logic of "I only visit sites I trust" does not work and why I liken it to "I don't need car insurance since I only drive to places familiar to me."

Realize that the only computer system that is 100% secure is one that does not exist. So it is all about mitigating the chances of you becoming a victim. Ignorance is bliss until reality comes calling.