
2 Novel Defenses to Hacking of Browsers

Cyber attackers continue to exploit a significant security gap found in a familiar tool used pervasively in all company networks: the common web browser.

Mozilla Firefox, Google Chrome, Microsoft Explorer and Apple Safari all use an architecture that makes it relatively easy for an attacker to embed malicious code on an employee’s computer — and then use that infected machine as a foothold to probe deeper into the breached network.

Here’s the good news: There is a growing cottage industry of security vendors developing sophisticated technology specifically to plug this gaping exposure. Browser security vendors first appeared on the scene about 2010; leading innovators include Invincea, Bromium, Spikes Security and Menlo Security.

ThirdCertainty recently visited with two new entrants, Ntrepid and Authentic8. Here is what each brings to the table:

The morphing of browser usage

Authentic8 recently introduced a service called Silo, which isolates web browser malware code from the targeted computer — and the rest of the company network — by routing all employees’ browsing sessions to dedicated servers.

Authentic8 CEO Scott Petry has a long history helping companies keep intruders out of companies’ networks. Petry founded email-filtering company Postini, which was bought by Google and folded into the search giant in 2007.

Petry, who co-founded Authentic8 with another Postini alum, Ramesh Rajagopal, observes that the arrival of sophisticated browser security tools (like Silo) is a reflection of how web browser usage in corporate settings has morphed over the past couple of decades.

In the 1990s, IT departments “would control how you compute, when you compute and what applications you access,” Petry recalls.

Steadily, the web browser “became such a massive focal point or gravity center for how people consumed different web services,” Petry says. “It became extremely compelling for employees to access the web for personal use and for businesses to start taking advantage of the web as a way to perform business functions.”

Amazon pioneered e-commerce, and Google got businesses and consumers accustomed to quickly searching for, and pinpointing, desired information. All of this leveraged the browser’s capacity to execute code on individual computers in response to users’ clicks.

“As soon as that happened, business data that IT departments used to control in their environment was suddenly scattered across third-party websites that they didn’t control,” Petry says. Then social media, including Facebook and Twitter, appeared, and all bets were off.


Routing malware to silos

The environment “is now a mess,” Petry says. “If you think about how the browser is used, it’s a one-size-fits-all solution. People use the same browser with a tab opened to get to Facebook, a tab opened to get to Dropbox and a tab opened to get to wherever. It’s a mix of personal use and business activity, and it’s no wonder that the browser is such a point of vulnerability.”

Venture capitalists are funding tech entrepreneurs and are coming forward with new systems to lock down browsers — because, going forward, how we have come to use browsers is not likely to change.

“I’m sure at some point we will move away from a monolithic browser,” Petry says. “It might change over time, but people have been predicting the death of email for 10 or 15 years, and it is still the most common form of business communication. So, no, I don’t think the browser is going anywhere any time soon.”

Authentic8’s Silo product isolates all web code in a secure, remote container in the cloud, giving users a benign display of web content. Nothing reaches the user’s device except pixels.

“The attack surface area is now ours, and that’s where we deal with it,” Petry says.

Virtual sessions

Instead of moving browser sessions into isolated servers, Ntrepid addresses the problem by inserting a virtual browser into every employee’s computer.

Any malicious code arriving via a web browsing session is isolated from the hard drive or memory of the targeted computer. The machine, in essence, is inoculated against browser malware and cannot be used by the attacker as a beachhead to go deeper into the company’s network.

Web browsers, by design, execute code over which network administrators have zero control. This code execution enables all of the cool, interactive things we can do on our browsers.

Trouble is, criminal hackers can all too easily slip malware into this mix. Like Authentic8’s isolated servers, Ntrepid’s virtual browsers protect the organization from “all web-based attacks, including web-delivered malware, watering hole attacks, spear phishing, passive information leakage and drive-by downloads,” according to Ntrepid.

Ntrepid’s technology, called Passages, enables employees to “safely browse anywhere,” providing them “the freedom to surf online without the risk of infecting their machines or compromising valuable enterprise data.”

To activate Passages, a user simply clicks on it on the desktop instead of Internet Explorer, Firefox or another conventional browser.


Any malware encountered on a website is “trapped” inside Passages’ virtual machine and can’t infect anything else on a user’s computer, says Lance Cottrell, Ntrepid’s chief scientist. The malware is destroyed when the browser session is over.

While, for the moment, browser security technology is being marketed to small- and medium-sized businesses and large enterprises, Ntrepid and Authentic8 are both developing marketing efforts to serve individual consumers.

“We’re starting off on enterprises — our early adopters — but they are always saying, ‘What about my wife, what about my kids, can I get this at home?’” Cottrell says.

Cognizant of a massive data breach last year at the U.S. Office of Personnel Management — when hackers accessed personal information of more than 21.5 million employees, family members and others — Ntrepid is accelerating its marketing efforts to consumers, Cottrell says.

ThirdCertainty’s Gary Stoller contributed to this report.


Ransomware: Growing Threat for SMBs

Ransomware, a cyber scourge that appears on the verge of intensifying, poses an increasingly dire threat to small- and medium-sized businesses (SMBs) in 2016.

In a ransomware attack, victims are prevented or limited from accessing their systems. Cyber criminals attempt to extort money by first using malware to encrypt the contents of a victim’s computer, then extracting a ransom in exchange for decrypting the data and allowing the victim to regain access.

Until now, most attacks have targeted consumers and, to a lesser extent, businesses working on Windows platforms.

That’s about to change. Security experts caution that small- and medium-sized business owners and users of non-Windows platforms can expect to be increasingly targeted in attacks that seek to extort money from them via sophisticated ransomware tools.


Experts say many of the malicious campaigns will likely be carried out by opportunistic attackers and newbie extorters trying to take advantage of inexpensive do-it-yourself ransomware kits that are beginning to become available in underground markets.

Estimates about the cost to victims from more widely used ransomware tools like CryptoWall and CryptoLocker range from tens to hundreds of millions of dollars.

Now, analysts are concerned that cyber criminals are on the verge of widening the scope of their attacks. Last month, researchers at security vendor Emsisoft analyzed Ransom32, a malware tool many believe is a harbinger of things to come on the ransomware front.

Fewer are immune to attack

Ransom32 is the first ransomware tool written entirely in JavaScript. That makes it easily portable to other platforms like Linux and Mac OS X.

Kowsik Guruswamy, Menlo Security chief technology officer

Kowsik Guruswamy, chief technology officer at Menlo Security, says that, unlike the JavaScript in a browser that is sandboxed to prevent access to the file system and other local resources, Ransom32 also is designed to have unfettered access to the system.

“Ransom32 is one-of-a-kind in that it’s cross-platform, which alone increases the targets for the malware authors,” Guruswamy says. “Since the underlying Chromium interpreter is cross-platform, this allows Ransom32 to target users across all of the (operating systems) and devices in one go. This is the worrisome part.”


Significantly, the authors of the malware appear to have adopted a ransomware-as-a-service model in their distribution approach. Ransom32 is available via a hidden server on Tor to anyone with a bitcoin account.

The malware does not require any specific skills to operate, and it comes with a management interface that the attacker can use to customize ransom messages and specify the ransom amounts. The interface supports a feature that lets the authors of Ransom32 track how much money is being collected via the tool and lets the authors take a 25% cut from the total.

DIY kit for bad guys

Ransom32 is the second publicly disclosed ransomware in recent months that is being distributed as a do-it-yourself kit in the cyber underground. The first was Tox, a malware tool discovered by a researcher at Intel’s McAfee Labs that, like Ransom32, was distributed via Tor to anyone interested in launching a ransomware attack.

“Ransomware as a service is an increasing and worrisome trend,” says Fabian Wosar, a security researcher at Emsisoft. “Fortunately, most schemes are of poor quality, but the people writing these types of frameworks are learning.”

Each time a security vendor finds a weakness in a ransomware tool, the threat actors figure out what mistakes they are making and plug them immediately, Wosar says.

Going forward, expect the emergence of tools like Ransom32 and trends like ransomware-as-a-service to pose a bigger threat for businesses, especially the small and medium ones, which generally don’t have the same resources that large companies have to defend themselves.

Lately, there have been an increasing number of reports about company servers being attacked directly through the Remote Desktop Protocol (RDP) that is used to remotely administer and manage systems.

SMBs have limited defenses

“Most SMBs don’t have the budget to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ outside companies to take care of their IT infrastructure, and these companies often use remote control tools like RDP to administrate the network and server [remotely].”

One result is that a lot of SMBs are exposed to attacks that take advantage of weakly protected remote control interfaces to gain access to internal systems and data. Wosar says that in such situations it is just a matter of time before an attacker stumbles on a critical server and hijacks it for ransom.

Because the attackers typically gain access to the server itself, they also can turn off any security software that might be installed on it, and they become virtually undetectable in the process. All that is left behind is usually a note that informs the admin about the hack, with a means of communication to negotiate the price.

There already has been an increased interest from cyber criminals in specifically targeting companies, largely because of the potentially bigger payouts involved, says Christian Funk, who heads Kaspersky Lab’s global research and analysis team in Germany.

“A business is depending on its digital assets and, therefore, often more willing to pay the ransom,” Funk says. “There have been cases where cyber criminals noticed that a company has been successfully infected and, therefore, the criminals decided to charge up to eight times the original ransom. I suspect such methods, as well as targeted attacks, are likely to increase in future.”

This article was written by Third Certainty’s Jaikumar Vijayan.