Thursday, April 18, 2013

Blurring the line between login credentials

Yesterday’s XKCD comic got me thinking about something. The point of the comic is that we jealously guard the admin account on computers, with the mindset that if the admin account is protected, we are doing a good job at security.

As Google, Yahoo, Facebook, and others begin “federating” their login services (i.e. I can log into unrelated third party sites using my Facebook or Google credentials), the line between various service providers has first blurred, and now vanished altogether. It used to be that if my Facebook account were compromised, the only thing at risk was, well, my Facebook identity. But with “Facebook Connect,” now if my Facebook password is stolen, an attacker could conceivably have access to my accounts with CBS, Disney/ABC, Hulu, Twitter, Vimeo, WordPress, and more (assuming I use those services).


Similarly, if I choose to stay logged into sites I am not actively using (most non-banking sites have an option to “keep me logged in” or “remember me”) and my browser session is hijacked, an attacker could have access to my sessions on every web site I am logged into. Depending on the details, they might be able to read my email, steal my money, and impersonate me to my friends, as the comic suggests.

A colleague and fellow security thinker blogged that the focus on malware, Trojans, viruses, patches, and the like is misdirected because if all the important things someone does are in a browser then why would an attacker ever care about leaving it? By and large software patching, firewalls and antivirus software reduces the threat of malicious code gaining control of my computer as a whole, but are less effective at preventing “badness” from happening within one browser window.



I challenge two assumptions implied in that statement though.

1) If I do ALL my browsing from the same isolated browsing environment / VM / whatnot, then that is quite true – the attacker interested in the things I hold of value has no need to escape my browser. They have all they want at their fingertips. But that's not what I or many other professionals recommend - we say to isolate your SENSITIVE browsing from other browsing. Put banking in one VM or computer, completely separate from anything else. Perhaps put email in a second, dedicated VM. There is still a lot of personal data overlap, but separating levels of sensitivity at least puts boundaries on the damage an attacker can do.


2) There are different classes of attacker. The common miscreant is interested in and profits from "ALL YOUR SENSITIVE INFORMATION;" this person has little reason to escape a browser environment since all he wants is right there. But a different class of attacker has completely different goals. The person using personal credentials as a stepping stone into a corporate environment, from whence to attack business value, still wants to escape that sandbox. For instance, the Aurora event of a couple years ago: the attackers started with Gmail, but used information they gleaned there to pivot into high-tech corporations and go after high-value assets that could not be accessed solely from a browser. From a business perspective we have interest in the first class, but are much more concerned with the second class.


What does it mean?


As an Internet user, a few basic steps go a long way. Install the latest software patches to fix known bugs used by cybercrooks. Use a web filter or alternate DNS to reduce the risk of accidentally stumbling across known bad sites. Run antivirus software (and keep it updated with the latest malware signatures). Don’t use the same password on every site. And separate sensitive browsing from non-sensitive browsing to limit the scope of damage should one browsing session be compromised.


From a security professional perspective, we need to be aware of where our most critical data and services are, and protect them where they reside. The growth of cloud computing makes this a daunting task – David Smith, CEO of HBMG spoke to an Austin-area ISSA group today and said 60% of Internet traffic now is device-to-device traffic, with nary a human between (think DVRs, home security systems, automated HVAC, your electric meter, many newer cars, even the things your smartphone does in the background without your intervention). There is no human user to authenticate, yet there is still data that may need to be protected. The key is for us to understand that data exists; understand WHERE that data is produced, stored, and used; and then put in controls appropriate to the importance of that data.