Friday, March 14, 2008

Who Do You Trust?

We place a large amount of trust in big organisations when we browse to their sites - banks, insurance companies, telecoms + technology companies, etc. We assume that they're doing the right thing and have appropriate security measures in place to prevent breaches and ensure the integrity of their sites.

Two recent episodes have taken place that highlight the problems are the whitepages.com.au banner ad injection and the Trend Micro site compromise on one of their Japanese sites.

Now both of these exploits highlight that large organisations have SNAFU moments too. Unfortunately given their market position, and in Trend's case their security reputation, we can tend to trust them too much.

My take on both these exploits is to:

  • regularly review dynamic code injection into your sites (e.g. banner ads); get rid of them where possible and try to restrict the type of content generated.
  • perform regular integrity checks on your sites; create MD5 or SHA1 checksums of your site prior to deployment, then check these checksums regularly. Shut down the site if the checksums change.
  • make sure you have malware protection software and it's up to date; nothing new in this one really.
  • investigate browser add-ons to help prevent malware infection; IE7Pro for Internet Explorer is good, as is NoScript for Firefox

Remember, ultimately you are responsible for the health of your systems. If Trend Micro are able to be compromised, so are you. Don't outsource your security responsibilities. Have a healthy sense of paranoia and apply a "secure by default" mindset when setting up your Web sites and also your Web browser.

2 comments:

Deborah said...

Your points about security are well taken. If large companies with fully-staffed IT depts. are unable to stay on top of malware, then how much harder is it for an individual? With the prevalence of browser exploits and other underhanded attacks, taking responsibility for one’s own computer is difficult.

One useful tool in your defensive arsenal is Web of Trust . WOT is an online community for reputation rating that lets Internet users share their knowledge of websites. The ratings are based on standards of trustworthiness, vendor reliability, privacy and child safety.

WOT gets it site reputation data from two sources: ratings from the WOT community and trusted sources such as listings of phishing sites. Reputation data is recalculated every 30 minutes, so it's fresh. Users have reported that the people-driven approach gives more accurate ratings than automated ones, especially reputation ratings regarding "vendor reliability" and "child safety" where human input is crucial.

Maybe in the cases of whitepages and TrendMicro, visitors would have been warned in advance if WOT users had rated the sites dangerous. Once the crisis was over, then the rating could be reversed back to normal.

Deborah, Web of Trust

stryqx said...

Thanks for your thoughts Deborah.

I agree - automated systems can only do so much. A mutual, collective rating system like the one you mention is something that should be considered. I've added this to my review list for an additional layer of defense.