web security

The browser is an integral element in the corporate Cloud strategy. The broad take-up of web technology with standardized languages and protocols has resulted in the browser taking on the role of a universal client for end-user access to web-based and cloud-based resources. Browsers are free, and everyone knows how to use one. Pretty compelling arguments when budgets are tight!

But is using an industry standard browser really a zero-cost proposition for the enterprise? Let’s take a look at some of the issues.

Consumer-driven technology. The browsers we’re all familiar all obey one fundamental design principal: they must be as easy to use as possible for the greatest number of users. They must not hinder the user’s interaction with the web and the sites they want to visit – no matter what content those sites are hosting. In response to the Web 2.0 drive to increased user interactivity with rich internet applications, the browser transparently downloads and executes “helper” applications (Ajax, Flash, Java, ActiveX for example). In other words, the configuration of the browser is unstable and unmanageable. Is this really what you want from a key element of the corporate information infrastructure, the user interface to business critical applications?

Insecure design. Security professionals are increasingly aware that browsers are inherently insecure. The problems are threefold: (i) the browser, like any complex software environment, will always be exposed to bugs and vulnerabilities; (ii) the browser, connected to the internet, is inherently more exposed to external threats than software operating primarily locally on the machine, with local data; (iii) the browser’s self-modifying architecture (via plugins, for example – see above) multiplies the two preceding security risks.

No protection for confidential data. The end user connecting to enterprise Cloud services from home or from a cybercafé using the locally-installed browser is a threat to the enterprise. Business-critical processes and data may be exposed, via the browser, to a PC over which the enterprise has no control. Even if the user is sufficiently security-aware (and technically competent) to clear the browser cache and history at the end of each session – and how many of your users are? – sensitive data may still be stored locally (Flash cookies, to give just one example, without going into spyware and other threats).

If corporate IT management is to take full control of the cloud computing environment, we need to rethink the client-side connection. A new browser architecture is needed, secure by design, protecting corporate IT resources against web-based threats.

For more about the security issues of the browser and the Cloud, take a look at our White Papers.

Yes, Microsoft publishes yet another security alert for Internet Explorer. It allows an attacher access to any file on the system, and all versions of Internet Explorer are vulnerable — though the default configuration in the most recent versions of Windows (Vista, Server 2008, or 7) will block attempts to exploit the vulnerability. This leaves Windows XP deployments at risk; that’s 66% of the market according to NetMarketshare.

Bernard Ourghanlian, Director of Security at Microsoft France, has an interesting (for us) take on the issue. Interviewed by journalists for French web media Clubic, he says “We would love to put Internet Explorer 6.0 behind us, but we simply can’t. For an enterprise, deploying a new navigator is a huge job. As long as Microsoft offers support for Windows XP (up to 2014), Internet Explorer 6.0 will also be supported.”

Putting to one side (for the moment) the fact that this new vulnerability is one more proof point for the session isolation we’ve developped with Virtual Browser, Ourghanlian’s words highlight a further problem with the management of desktop navigators as part of the enterprise infrastructure: deployment, updates, patching… all these tasks represent significant management and support overheads for the enterprise. The centralized architecture of Virtual Browser makes updates, whether to the browser or its plugins, trivial, and means that every user sees the updated browser, instantly.

There’s nothing new under the sun, they say; they could have been talking about browser security issues. There’s clearly a need for a revolution in the browser architecture — run-time environment, deployment, and support tools. That’s what we’re working on and where we’re going with Virtual Browser.

Details of a new vulnerability in IE6 and IE7 were published on the internet at the beginning of last week, before Microsoft was aware of the problem. Microsoft has issued a security advisory but has yet to announce an update to correct the problem. Like previous vulnerabilities (see here and here), recommended workarounds and protection measures place heavy (unrealistic?) demands on users, and the risks remain high — an attacker can inherit the user’s access rights on the attacked machine. IE6 and IE7 are still the most widely used browsers on enterprise networks.

It’s worth remembering that even the most well-informed users can fall victim to a web-based attack. It happened to well-known security expert Gadri Evron, who unwittingly helped propagate a worm on Facebook. While Facebook reacted quickly to the attack, it’s interesting to note the propagation method was based on clickjacking rather than on XSRF as some early blog posts said.

In Sizing the Cloud; Understanding the Opportunities in Cloud Services (published in March 2009) analysts at Gartner, Inc. predict a global market for enterprise cloud services reaching $150.1 billion in 2013 – more than three times the size of today’s market of $46.4 billion. The cloud-based enterprise will be dependent on the internet to an extent way beyond the situation today, and information systems and applications will be utility services, like water or electricity — a click of the mouse to bring up the CRM software and shut it down, with the user paying for a metered service.

As far as I’m concerned this is a fantastic development which will allow businesses to focus on — well, what they do best, where they can add value. Information resources will be available on demand, like tapwater. Except that a packet of data is not like a drop of water; those data packets may be carrying business-critical data. The internet is a two-sided coin for the enterprise: one the one hand, on-demand access to flexible, massively scalable information resources ranging from basic hardware platforms to individualized services and applications software; on the other hand, the vector for increasingly intense efforts to penetrate enterprise information systems for criminal gain. In other words, the enterprise is in the process of migrating it’s information resources to the most stressful environment you can think of if you’ve ever had to think about information security.

If the Cloud Computing paradigm is to fulfill its promises, we urgently need to find ways of reducing the stress of internet dependency. We need to protect ourselves from the internet that threatens us, to get the full benefits of the internet that will make our business more agile, more responsive, which will allow us to evolve and progress. If we can’t make the internet “stress free” we’ll start seeing the (costly) development of parallel secure networks for enterprise applications.

If the best way to avoid internet attacks is not to connect to the internet, that’s clearly an unrealistic approach today. What we can do, however, is to segment different usages, isolating access to sensitive, business-critical data and applications from the potential threats. While building an entirely new network is probably a stretch too far, a more realistic solution, perfectly feasible today, is to isolate individual web applications by virtualizing access at the source, the browser itself. Enterprise end-users access sensitive business applications and data over the internet using secure tunnels carrying virtualized browser sessions. With the virtual browsers hosted in close proximity to the applications, data need never be exposed on the internet with this architecture. We can’t clean up the internet to make it entirely safe for your business critical data and applications, but by ensuring that critical systems and end-user browser sessions are protected from attack we can bring a “stress-free” internet experience several steps closer for the CIO.

Version 1.1 of the Virtual Browser solution enhances the product with new features facilitating seamless integration with the enterprise infrastructure:

• Strong authentication based on X.509 certificates increases protection for the enterprise and reduces the risk of security being breached by simple password theft from a compromised terminal.
• Role-based administrator access ensure that each admin only has the authority to execute authorised tasks (eg configuration, monitoring, etc).
• An IE6 rendering engine provides support for older web-based applications, incompatible with more recent browsers.
• Virtual Browser client installations are now available for Apple Macintosh OSX and Linux platforms, in addition to the Microsoft Windows client.

Additional minor modifications have been made to improve performance and ease of use, so that Virtual Browser remains the best solution for secure web access in the enterprise.

The summer holiday period offered little rest for the information security specialist, with a series of browser and plugin vulnerabilities coming to light. Mathieu covered them here, here and here.

Then last week news broke that as many as 57,000 websites (a later report increases the estimate to 70,000) are contaminated with a malicious javascript. And we’re not talking about obscure pages on dubious, rarely visited websites in the outer reaches of the internet; a major New York hospital, medical charities, educational institutes, and a legal partnership all figure in the list of infected sites.

Back in the days when the floppy disk (for those who remember them) was the main method by which viruses were transmitted from one PC to the next, it was common for enterprise administrators to remove or disable the drives. Given today’s security risks, questions must be asked about the future of the internet in the enterprise. Should internet access simply be banned for end users? That’s clearly not the way forward. The web is a powerful communications tool, boosting productivity and competitivity. Added to which today’s users are not just internet-aware, they’re practically dependent on the web and will revolt against any restrictions on access.

So how can the enterprise deliver end-user internet access without leaving its own networks and systems susceptible to attack? With Virtual Browser “internet access” no longer means “connected to the internet.” The end-user’s PC doesn’t bounce from website to potentially risky website following the user’s mouse clicks. The user connects to a browser instance running as a virtual machine hosted in the secure environment of the datacenter. It is this hosted browser which connects to the internet. It’s as if, back in the days of the floppy, we could read and write to the disk without inserting into the drive — so that there was no risk of viruses infecting our PC.

A new infected web page is discovered every 4.5 seconds… It’s not me who says this, but leading antivirus vendor Sophos in its annual security report. Every January all the anti-malware vendors publish their statistics, and all agree on one thing: threats are targeting web applications.

You’ll find an interesting discussion of the problem on this blog.

There’s good news, though, as well as bad news. The bad news: with businesses moving more and more of their applications — even the most critical — onto the web, following the Web 2.0 and Cloud Computing trends, the web is going to remain the No. 1 focus for malware developpers for the next few years. The good news: the Virtual Browser solution is more than ever the perfect response, protecting users and the enterprise against web-based attacks. Stress-free internet!

It’s a mistake to think that the core security issues on the internet are purely technical issues. They are not. Security on the Internet is largely a problem of the trust relationships linking several components:

• The trust a user has in the browser and its capacity to deliver reliable information, while protecting the user;
• The trust between a browser and its trusted certificate authority (CA) list ;
• The trust that the entire IT industry has with respect to the various certificate authorities (CA) and their ability to reliably authenticate certificate owners, to verify their information and to technically protect the underlying mechanism.

If only one element of the trust chain is broken, the entire security model is at risk, as this has been demonstrated recently:

• Eddy Nigg, founder of StartCom, has revealed that certstar, a reseller for the Comodo certificate authority was not verifying the provided information before signing SSL certificates (and certstart was using suspicious renewal scams to get more customers). Eddy easily obtained a certificate for the mozilla.com domain with no relationship with that organization. Comodo reacted immediately once the information had been revealed, revoking the certificate and launching an internal investigation into certstar. Mozilla is seeking stronger assurances from Comodo that they are doing their job professionally, and has threatened to remove Comodo from its trusted CA list if this is not the case.
• A group of researchers presented their work on the creation of a rogue CA certificate, recognized as trusted by the various browsers, and which can be used to generate an on-demand certificate for any secure website at the 25th CCC conference (Chaos Communication Congress). The technique exploits known weaknesses in the MD5 algorithm, still used by some authority certifications. Using a cluster of 200 PS3s, they can relatively rapidly generate a CA certificate with the same MD5 hash value as a RapidSSL certificate signed at their request. With this sort of certificate, they are able to impersonate any secure web site to launch man in the middle attacks. Verisign reacted immediately, banning the use of MD5 by its certification authorities to prevent a possible reproduction.

So it’s clearly difficult for users to be sure they can trust a web site even with all the trust indicators given by his browser. An up-to-date browser and checking of every certificate (using OCSP) remains the best way to surf with low risk. And be sure of what you are doing before accepting an untrusted certificate because basic MITM attacks exist in the wild.

November 2008 has seen a slew of vulnerabilities impacting every main browser on the market. Among them, Safari and Firefox are the most impacted:

• Safari 3.2 includes corrections for 11 vulnerabilities which can lead to code execution, denial of service or information disclosure. An anti-phishing filter and support for EV certificates have also been added in response to criticisms from PayPal.
• Firefox 3.0.4 fixes 9 vulnerabilities with 4 rated as critical. Impacts of these vulnerabilities include denial of service, code execution, privilege escalation and information theft. For users of Firefox 2, these fixes are included in the 2.0.0.18 version.

While other browsers were impacted by fewer vulnerablities, updates were issued for:

• Internet Explorer: Microsoft has published a critical security advisory (MS08-069) concerning Microsoft XML Core Services which includes fixes for remote code execution and information disclosure vulnerabilities. This security update also includes protection to forbid access to HttpOnly cookies by XMLHTTPRequest objects, to prevent or mitigate exploitation of an XSS vulnerability.
• Google Chrome has fixed a vulnerability which can be used to send local files to an external server. This fix is currently only available in the developer version.
• Opera release 9.62 fixes a remote code execution vulnerability.

If you feel unsafe using the browser on your computer and want more details on browser virtualization and web session partitioning: www.commonit.com.

I’m not a big fan of analogies. As a marketing guy I admit they are useful to explain some ideas that often, in our technical environment, are hard to understand for those not familiar with IT. But on the other hand, analogies are limited as soon as they over-simplify concepts that also take their strength from technology’s complexity. Whatever, because commonIT is born from an innovation that could interest everybody… I’ll attempt an analogy :

In Lyon, near commonIT’s headquarters, a unique centre named IWAY has been opened. There, you can try Formula 1 driving in a simulator so realistic even professional drivers were amazed. The analogy with commonIT and our product Virtual Browser is interesting. Imagine you drive a Formula 1 car in a simulator so realistic that everything is just like on a real track: you reach the same speed, feel the same sensations, use the same technologies and the same security mechanisms… But if you crash you do not risk anything. Replace the track with Internet, the Formula 1 car with your web browser, the crash with a computer virus and you get the Virtual Browser concept: the certainty that data and applications can’t be compromised even if an attack occurs.

Among the huge number of discussions that led to the founding of commonIT, a key one took place between Daniel and I when monitoring the growth of the Web 2.0 phenomenon that, with its many benefits introduced whole new families of threats. P2P, IM, Social Networking etc. Each service has the same problem: data and users are connected to complex applications that security products are not able to analyze in depth. No security solution is 100% effective. Every vendor will confirm that. And that’s the point. Because of the exponential growth of new Internet services, security products need big investments for incremental results. During this discussion with Daniel, we tried to think differently from the way our industry has traditionally operated: Instead of adding new software (antivirus, antispam, antispyware, antiphishing, antiwhatever, increasing the load on security appliances or users’ devices, impacting performance with less and less effective security functions) we challenged security product architectures themselves. We wondered how it could be possible to create a product that guarantees, in its architecture, 100% security for data and web applications.

Later (and about 10 years after he designed an architecture later baptised UTM – Unified Threat Management by IDC), Daniel invented Virtual Browser, a “secured by design” product. Virtual Browser is a web browser which executes web code on a secured server instead of running it on the laptop/desktop PC, only the image and the sound of the web application reach the user’s device. Thanks to this architecture, even if an attack is not stopped by the high level security system, data, applications and the whole network can’t be compromised.