2 Novel Defenses to Hacking of Browsers

Cyber attackers continue to exploit a significant security gap found in a familiar tool used pervasively in all company networks: the common web browser.

Mozilla Firefox, Google Chrome, Microsoft Explorer and Apple Safari all use an architecture that makes it relatively easy for an attacker to embed malicious code on an employee’s computer — and then use that infected machine as a foothold to probe deeper into the breached network.

Here’s the good news: There is a growing cottage industry of security vendors developing sophisticated technology specifically to plug this gaping exposure. Browser security vendors first appeared on the scene about 2010; leading innovators include Invincea, Bromium, Spikes Security and Menlo Security.

ThirdCertainty recently visited with two new entrants, Ntrepid and Authentic8. Here is what each brings to the table:

The morphing of browser usage

Authentic8 recently introduced a service called Silo, which isolates web browser malware code from the targeted computer — and the rest of the company network — by routing all employees’ browsing sessions to dedicated servers.

Authentic8 CEO Scott Petry has a long history of helping companies keep intruders out of their networks. Petry founded email-filtering company Postini, which was bought by Google and folded into the search giant in 2007.

Petry, who co-founded Authentic8 with another Postini alum, Ramesh Rajagopal, observes that the arrival of sophisticated browser security tools (like Silo) is a reflection of how web browser usage in corporate settings has morphed over the past couple of decades.

In the 1990s, IT departments “would control how you compute, when you compute and what applications you access,” Petry recalls.

Steadily, the web browser “became such a massive focal point or gravity center for how people consumed different web services,” Petry says. “It became extremely compelling for employees to access the web for personal use and for businesses to start taking advantage of the web as a way to perform business functions.”

Amazon pioneered e-commerce, and Google got businesses and consumers accustomed to quickly searching for, and pinpointing, desired information. All of this leveraged the browser’s capacity to execute code on individual computers in response to users’ clicks.

“As soon as that happened, business data that IT departments used to control in their environment was suddenly scattered across third-party websites that they didn’t control,” Petry says. Then social media, including Facebook and Twitter, appeared, and all bets were off.

Routing malware to silos

The environment “is now a mess,” Petry says. “If you think about how the browser is used, it’s a one-size-fits-all solution. People use the same browser with a tab opened to get to Facebook, a tab opened to get to Dropbox and a tab opened to get to wherever. It’s a mix of personal use and business activity, and it’s no wonder that the browser is such a point of vulnerability.”

Venture capitalists are funding tech entrepreneurs and are coming forward with new systems to lock down browsers — because, going forward, how we have come to use browsers is not likely to change.

“I’m sure at some point we will move away from a monolithic browser,” Petry says. “It might change over time, but people have been predicting the death of email for 10 or 15 years, and it is still the most common form of business communication. So, no, I don’t think the browser is going anywhere any time soon.”

Authentic8’s Silo product isolates all web code in a secure, remote container in the cloud, giving users a benign display of web content. Nothing reaches the user’s device except pixels.

“The attack surface area is now ours, and that’s where we deal with it,” Petry says.

Virtual sessions

Instead of moving browser sessions into isolated servers, Ntrepid addresses the problem by inserting a virtual browser into every employee’s computer.

Any malicious code arriving via a web browsing session is isolated from the hard drive or memory of the targeted computer. The machine, in essence, is inoculated against browser malware and cannot be used by the attacker as a beachhead to go deeper into the company’s network.

Web browsers, by design, execute code over which network administrators have zero control. This code execution enables all of the cool, interactive things we can do on our browsers.

Trouble is, criminal hackers can all too easily slip malware into this mix. Like Authentic8’s isolated servers, Ntrepid’s virtual browsers protect the organization from “all web-based attacks, including web-delivered malware, watering hole attacks, spear phishing, passive information leakage and drive-by downloads,” according to Ntrepid.

Ntrepid’s technology, called Passages, enables employees to “safely browse anywhere,” providing them “the freedom to surf online without the risk of infecting their machines or compromising valuable enterprise data.”

To activate Passages, a user simply clicks on it on the desktop instead of Internet Explorer, Firefox or another conventional browser.

Any malware encountered on a website is “trapped” inside Passages’ virtual machine and can’t infect anything else on a user’s computer, says Lance Cottrell, Ntrepid’s chief scientist. The malware is destroyed when the browser session is over.

While, for the moment, browser security technology is being marketed to small- and medium-sized businesses and large enterprises, Ntrepid and Authentic8 are both developing marketing efforts to serve individual consumers.

“We’re starting off on enterprises — our early adopters — but they are always saying, ‘What about my wife, what about my kids, can I get this at home?’” Cottrell says.

Cognizant of a massive data breach last year at the U.S. Office of Personnel Management — when hackers accessed personal information of more than 21.5 million employees, family members and others — Ntrepid is accelerating its marketing efforts to consumers, Cottrell says.

ThirdCertainty’s Gary Stoller contributed to this report.

How to Keep Malware in Check

Firewalls are superb at deflecting obvious network attacks. And intrusion detection systems continue to make remarkable advances. So why are network breaches continuing at an unprecedented scale?

One reason is the bad guys are adept at leveraging a work tool we all use intensively every day: the Web browser. Microsoft Explorer, Mozilla Firefox, Google Chrome and Apple Safari by design execute myriad tiny programs over which network administrators have zero control. Most of this code execution occurs with no action required by the user. That’s what makes browsers so nifty.

A blessing and a curse

But that architecture is also what makes browsers a godsend for intruders. All a criminal hacker has to do is slip malicious code into the mix of legit browser executable code. And, as bad guys are fully aware, there are endless ways to do that.

The result: The majority of malware seeping into company networks today arrives via infectious code lurking on legit, high-traffic websites. The hackers’ game often boils down to luring victims to click to an infected site, or simply just waiting to see who shows up and gets infected.

So if browsers represent a wide open sieve to company networks, could inoculating browsers be something of a security silver bullet? A cadre of security start-ups laser-focused on boosting browser security is testing that notion. The trick, of course, is to do it without undermining usability.

Branden Spikes, Spikes Security founder and CEO

ThirdCertainty recently sat down with one of these security innovators, Branden Spikes, to discuss the progress and promise of improving Web browser security. Spikes left his job as CIO of SpaceX, where he was responsible for securing the browsers of company owner Elon Musk’s team of rocket scientists, to launch an eponymous start-up, Spikes Security. (Answers edited for clarity and length.)

3C: The idea of making Web browsing more secure certainly isn’t new.

Spikes: Let me break it down by drawing a line between detection and isolation. Browser security has been attempted with detection for many, many years, and it’s proven to not work. McAfee, Symantec, Sophos, Kaspersky and all the anti-virus applications that might run on your computer became Web-aware a while back. They all try to use detection mechanisms to prevent you from going to bad places on the Web.

Then you have detection that takes place at secure Web gateways. Websense, Ironport (now part of Cisco), Blue Coat, Zscaler and numerous Web proxies out there have security features based on the concept of preventing you from going to places that look malicious or that are known to be bad. Well, hackers have figured out how to evade detection, so that battle has been lost.

3C: Okay, so you and other start-ups are waging the browser battle on a different front?

Spikes: When you realize that detection doesn’t work, now you have to isolate. You have to say, “You know, I don’t trust browsers anymore. Therefore, I’m not going to let my stuff interact with the Web directly.” In the past five years, newer products have started to offer browser isolation technology. We’ve taken a very no-compromise approach to isolation technology.

3C: So instead of detecting and blocking you’re isolating, and sort of cleansing, browser interactions?

Spikes: Yes, and much like with detection technology, isolation can exist in either the endpoint or on the network. Some examples of endpoint isolation might be Invincea or Bromium, where you’ve got your sandboxes that do isolation on the endpoint. I applaud all the efforts out there. It spreads the whole gamut from minimal amount of isolation to sandbox technologies built into browsers. There’s quite a bit of investment going into this.

3C: Your approach is to intercept browser activity before it can execute on the worker’s computer.

Spikes: If you come at the problem from the assumption that all Web browsers are fundamentally malware, you can understand our technology. We essentially take the malware off the endpoint entirely, and we isolate the execution of Web pages on a purpose-built appliance. What goes to the end user is a very benign stream of images and sound. There’s really no way for malware to get across that channel.

3C: If browser security gets much better, at least in the workplace, how much will that help?

Spikes: If we successfully solve the browser malware problem, we could, I think, allow for more strategically important things to occur in cybersecurity. We could watch the other entry points that are less obvious. This sort of rampant problem with the browser may have taken some very important attention away from other entry points into the network: physical entry points, social engineering and some of the more dynamic and challenging types of attacks.