7 Common Targets of Stealth Threats
There's the danger you know, and then there's the danger you don't know.
Most of us are rightfully wary of downloading and running programs that have no pedigree, or of performing day-to-day operations as an administrative user. But with each passing year, new security threats march in to eclipse the old -- many of them not getting their share of attention until it's too late.
Threats go unappreciated for various reasons. Some seem too obscure or unlikely to be valid until they actually materialize in the wild (such as the .PDF exploits I document later on). Others are overshadowed by more widely publicized problems (e.g., the way Firefox's issues take a backseat to Internet Explorer's).
Here I'll be giving a tour of a number of lesser-advertised security issues that can bite you when you least expect it, and offering some advice on how to defend yourself. (Also, test your knowledge with our Cybersecurity Quiz and learn more at "10 Quick Fixes for the Worst Security Nightmares.")
Apart from Microsoft, Adobe may well be the one software maker whose programs run on every Windows-based PC out there. Nearly everyone has Flash, Acrobat Reader and/or Shockwave -- and they are used by malware as delivery mechanisms. (Of course, Adobe's applications run on other operating systems as well, but it's the Windows PCs that are being targeted.) The danger comes when you use outdated versions of those programs, or current versions with unpatched bugs that are exploited as security holes.
One common manifestation -- one I've been hit with personally a few times now -- comes when the user visits a Web site with a Flash-powered banner ad. No clicking required: as soon as the ad comes up, it delivers its payload. Sometimes it also comes in the form of one of Adobe's other products -- for example, an infected .PDF document, which opens spontaneously upon visiting an ad. (I've been hit with this one many times, too.)
Keep Adobe products updated and don't run your system as Administrator or root if you can possibly help it -- that gives malware possible access to your system settings. (Not running as an admin for day-to-day work in Windows is good advice anyway, and could easily be appended to any of the other threats listed in this article.)
Adobe does have an auto-updater for its products, but its behavior is weirdly spotty; it tends to only report updates for whatever product is currently active. If you run the updater within Acrobat, for instance, you aren't informed about updates to other Adobe products, so a certain amount of manual research is needed to make sure Flash, for instance, is current.
Another possible safety measure: Disable thumbnail previews for Acrobat documents. The thumbnail previews in Explorer generated by Acrobat were part of how one proof-of-concept exploit worked, so turning off that functionality or upgrading to a version known to be safe removes another potential source of attacks.
I would like to say that moderating one's browsing habits or visiting only "known good" sites (via mechanisms like Web of Trust) is a good idea, but I'm not sure anymore. The syndication systems that serve up these types of infected ads now run on all sorts of sites. I've been hit with drive-by malware from sites that I visit regularly and which have good ratings from site-review services, so it's no longer a question of simply keeping away from the Web's poorly-lit side streets.
Some people take additional steps, such as blocking ads entirely by running a plugin like Adblock Plus, or selectively disabling scripting for sites they're dubious about by using the NoScript plugin.
Firefox add-ons are a potential security hazard -- not as bad as IE ActiveX plug-ins, but still a potential threat. Many Web-based attacks that target Firefox don't aim for the program executable itself. Rather, they seek to undermine add-ons -- files which may not be binaries and so may not be assumed to be at risk -- and the support structure for the program.
Most of the danger comes from add-ons that pretend to be legitimate. For example, one add-on pretended to be the Adobe Flash Player, insisted on "updating" itself and dropped malware into the system.
One would think that antivirus programs would be a good first line of defense, but they have a spotty record of detecting things like this. For instance, the overlay.xul attack described above was still being ignored by many prominent antivirus engines (Symantec, Panda, Kaspersky, Trend Micro) even after a month of being in the wild. The SANS researchers who examined this threat ran it through an online virus-scanning service and were dismayed at how few applications flagged it as malicious.
One possible workaround is to use a non-installed version of Firefox such as Mozilla Firefox Portable Edition, which can run in any directory or even from a removable drive. If the program becomes infected, it can be kept segregated from the rest of your applications, and is easier to clean up and reset without damaging your user data. (Another possible workaround is to use a different browser entirely, but that might be more effort than it's worth.)
Many people switch to the Macintosh out of a sense that the Mac's a safer platform. By and large, it is, but threats do exist in the wild, whether piggybacked on pirated software or as the result of vulnerabilities in the platform itself. Most dangerous of all, though, is a false sense of security: users can be duped no matter what they're running.
Mac security-product creators Intego released a report(PDF) in 2009 that examined Mac malware and kernel vulnerabilities. There's not a lot of Mac malware in the wild -- Intego found most of it in pirated copies of commercial applications (iWork '09, Adobe Photoshop) available on peer-to-peer file-sharing networks.
The kernel issues are also worth noting (the report notes that one was discovered in April 2009), but more worrisome are vulnerabilities in Safari. The browser has been shown time and again to be a weak link in OS X's security chain. Debates rage on about whether Macs are attacked less because of their minority share or because they are less vulnerable, but that doesn't make any attack on the platform less troublesome.
Most important of all, though, is the user at the keyboard. Mac users are no less vulnerable to social engineering -- and no less apt to download pirated software that turns out to be loaded with Trojans -- than those using other platforms.
A false sense of security is a bad habit to cultivate, especially if Mac adoption continues to climb. What's crucial is that users not assume that simply changing platforms is by itself a defense mechanism. It can stave off some obvious problems, but it won't eliminate all of them for all time.
To that end, Mac users need to keep apps updated (not too hard by itself), but also stay conscious of their security as a platform-neutral issue. Rip-off artists are loyal to no OS, and a bug in Safari can be just as problematic as a bug in IE. (The same goes for Linux as well: A scam run past someone using Firefox in Ubuntu is still a scam by any other name.)
Users should also stay informed about threats in the wild that might not seem like any of their concern at first. Malware is not just becoming more aggressive, it's jumping platforms and diversifying across them, targeting the user rather than the platform. Consider the Firefox XUL hijack described earlier: that was an attack that could be staged on multiple editions of Firefox, since the files attacked were not platform-specific.
And Mac users should avoid pirated software, for security (as well as ethical) reasons. The threat from such things may be marginal now, but that doesn't mean it'll always be that way.
(For some additional tips, you might want to check out this article: 15 easy fixes for Mac security risks.)
We sometimes forget that there are Apple products on the Windows PC -- and those need to be regarded with the same sort of scrutiny as any other application. A big part of the concern is, again, ubiquity: Many PCs have QuickTime or iTunes installed, and most of us don't think of those things as potential security holes. However, various exploits have been documented in both the Mac and PC versions of QuickTime.
Two examples: In 2007, a nasty buffer overflow exploit affected just about every extant version of QuickTime in both Windows and Mac machines. And another bug was found in 2008 with similar properties. (Want more examples? Search US-CERT using the keyword "QuickTime" to see many more such exploits.)
Apple does have an automatic updater for its software in Windows, so PC users should keep QuickTime updated. Also, keep the number of file types associated with QuickTime itself to a minimum -- most people just use it to play QuickTime files and nothing else anyway, so this helps limit the available attack surface.
URL-shortening services like bit.ly or is.gd have become all the rage with the rise of Twitter and Facebook. They're also a great way to slip someone a digital Mickey Finn: What better way to hide an attack than to not even let people know the actual URL they're clicking on?
URL shorteners generally perform no safety checking on the links they process. Also, shortened URLs tend to be passed around from user to user without much thought for whether or not they've been sanitized. Consequently, someone can pass you a direct link to malware or to an infected site, and folks with a blind click-first reflex may end up taken somewhere they don't want to go.
LongURL is a site that lets you paste in a short URL and expand it to see if you're dealing with something malicious. If copy-and-paste is too much hassle, they also provide an add-on version of the service for Firefox, which shows you the long version of the URL when you hover over a shortened link. LongURL also offers a set of APIs that can be integrated with things like jQuery, so people who integrate link-shortening tools into their own sites or programs can make use of such tools, too.
In addition, many Twitter clients -- such as TweetDeck and Mixero, to name two -- have a preview function that shows the long form of a shortened URL so that you can see what you're about to click on.
DNS servers translate raw Internet addresses (such as 126.96.36.199) into human-friendly domain names (www.myfunsite.com). With a little work, the information provided by some DNS servers can be hijacked or misdirected -- "poisoned" -- allowing an attacker to send someone to any Web site they choose.
The most common DNS poisoning attacks exploit flaws in DNS server software to allow fake name-resolution data to be sent to clients. One of the worst examples of DNS poisoning surfaced in 2008, when computer researcher Dan Kaminsky demonstrated how domains could be redirected with the then-current version of BIND, the software that most servers use to perform DNS resolution. The end result: You can hijack an entire domain -- including its subdomains, its mail servers (MX entries), its SPF records and everything else that can be stuffed into its DNS resources.
In this case, prevention is mostly up to the people running domain name services. Admins should update to the most recent version of BIND, which is much more skeptical about the data it receives and performs more thorough cross-checking to prevent poisoning.
If you have doubts about the validity of your DNS hosting, you can test it through the DNSStuff.com toolset. Its DNSreport Demo (free for regular users; the full non-demo version is for-pay) lets you check the results of DNS resolution for common domain names from your servers. If you suspect your DNS servers are dodgy or compromised, you can always use a different one by editing your TCP/IP settings or by setting your in-house router (if you use one) to resolve to another server. The Google Public DNS service might come in handy here, since Google claims its DNS is less vulnerable to poisoning.
In-House Router Attacks
Attacks on home networking hardware have been rare, but are garnering more attention. Back in 2006, a couple of Indiana University researchers talked about how home routers could be attacked and used to steal personal information. Since then, the attack they described has shown up in the wild.
A simple attack might consist of nothing more than changing the DNS server used by the router -- which in itself can be used to leverage a whole slew of other attacks. A more complex attack could involve modifying the programming in the router to forward encrypted traffic, log passwords or make changes to the machines attached to the router by exploiting known security issues there.
Home routers are designed to be plugged in and used with minimal interaction. That makes any bugs in their design less obvious to casual users -- and all the more enticing to crackers, who pound on such devices constantly to find ways in.
The most malicious home router attacks require some degree of user participation to be pulled off -- for example, the British Telecom Home Hub exploit. Here, a piece of home-router hardware provided by BT was shown to have enough weaknesses that an attacker could do everything from remotely control the router to steal wireless encryption keys.
The word "participation" in this context simply means all a user has to do is be tricked into clicking on the wrong link. Other attacks may be much simpler -- e.g., guessing the router's password or forcing a denial-of-service attack that knocks the user offline.
Other network devices can also be vulnerable. Joshua Wright, senior security analyst with InGuardians, recently wrote about the Verizon MiFi, a battery-powered 802.11b/g access point that lets you share an EV-DO connection across Wi-Fi-enabled devices. He was able to crack the device's security with the same gamut of tools used for conventional Wi-Fi cracking, provided the device's default password hadn't been changed. (Another reason to do exactly that.)
When you set up a new router, do four things:
1. Reset it to its factory state, even if you think it's fresh out of the box.
2. Update it with the latest firmware available for the device.
3. Reset the default password (and use a secure password that doesn't just consist of a single word that can be found in the dictionary or easily guessed).
4. Turn off all features that allow the device to be administered from anything other than another device plugged directly into the router.
The above advice goes double if you pick up a used router from someone else -- those should be flushed and reconfigured from scratch. Also, any wireless router that doesn't support WPA or WPA2 should be taken out of service if at all possible, or used for wired connections only. WEP passwords can be cracked in minutes; full tutorials for how to do this are readily available. WPA should also be toughened by setting the key interval to a relatively short period of time (20 minutes or less).
Finally, bear in mind that your router's firmware should be checked for updates the same as any other piece of software. And because this typically isn't something that can be automated, end users have to make the time to do it themselves. It's a good idea to set a reminder in your calendar to check for updates every three or four months.
In the end, computer security is an arms race. No matter what operating system, browser, or applications you run, you're always going to find some new danger nipping at your heels. The best weapon in such an arms race is a little knowledge, which can go a long way.
Serdar Yegulalp has been writing about computers and information technology for over 15 years for a variety of publications, including InformationWeek and Windows Magazine.