Apparently, that was then. Fyodor, the creator of nmap recently wrote a scathing article about how CNET has now become the very essence of a drive-by download – where you get a little more than you bargained for when you download software from a website. CNET has taken the concept to another level by actually reverse-engineering submitted software and injecting malicious content before presenting them to trusting users.

The article is a serious indictment on CNET for abusing the trust placed on them by millions of users and the software developers who are kind enough to create a program and give it to users for free. By monetizing the hard work of these developers without their knowledge (unless they are willing to pay a “premium fee), it is not far-fetched to accuse CNET of “stealing”. It is just now, after they were outed that there is talk of ” giving the developers a cut” of the money they’ve been raking in from dropping trojans and adware on the computers of millions of unsuspecting users, including kids, for crying out loud.

Why is this a problem? We know that most users click through installation prompts without bothering to read, and this is exactly what CNET was taking advantage of, until they messed with Wireshark and NMap.

The unethical nature of it is that while CNET was raking in millions of dollars, the creators of the software they were reverse-engineering were catching grief for infecting users’ computers with bogus web browser toolbars, home pages and adware that could very well have leaked private information.

As Alan Shimel of networkworld explains it, here’s how these “wrappers” work:
“[W]hen you click to download software from their site (which is software developed by others), they are “wrapping” it in their own installers.  This C/Net installer will either ask you (if they are polite) or in some cases not so obviously install other 3rd party software on your computer.  Things like web toolbars, alternate search engines and other programs that usually pay money for every copy that gets installed.”

Is this practice limited to just CNET? Not by a long shot, but most do it on the website – like when you are presented with the download button for something different than what you originally wanted to download. The argument is always that ” this is to help us pay the bills”. No one is arguing with the need to generate revenue. It is the deceptive way in which that goal is being achieved that is drawing some angst. There is a difference between giving the user an option to install a toolbar and respecting the choice when the user selects “No”, and installing a toolbar, changing the home page and dropping adware on a user’s computer through a deceptive “accept” button.

Then there is the other part of the equation – the enablers of CNET’s unethical behavior. The parties who were encouraging CNET to bundle toolbars, browsers, search engines etc. in the software they were hosting should also be ashamed of their dirty tricks.

It is important to remind users to take the time to read the dialog boxes that pop up when trying to install an application:

• If available, always choose the “Custom” option so you can at least see what other crap is going to be dumped on your computer by the installer. In most cases, you can decline or uncheck the box for items you do not want.
• After the installation, go through the “add/remove” (Windows XP) or “program features” (Windows Vista/7) section in control panel to see if some strange software was installed without your knowledge and promptly remove them.
• Run “msconfig” and look through the “startup” tab to see if some strange application has inserted itself to automatically start with Windows and disable them.

It is only going to get worse, unfortunately.

Some of the names in the list of bogus certificates generated by the attackers include Comodo, Google, Thawte, Microsoft, Mozilla, WindoswUpdate, WordPress’ MI6, the CIA, Facebook and Twitter.

For three whole months ( June to August), the attacker camped out on DigiNotar’s servers and did his/her work and cleaned up.  S/He was even kind enough to leave a message in a script file that was used to generate the rogue certificates.

The question now is, how much trust should we place on these providers of digital certificates? A few months ago (March 2011), a subsidiary of Comodo was hacked apparently by the same person. Here’s why I am concerned, and I’ll quote from page 9 of the report:

• The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.
• The most critical servers contain malicious software that can normally be detected by anti-virus software
• The separation of critical components was not functioning or was not in place
• The CA (Certificate Authority) servers were accessible over the network from the management LAN
• All CA servers were members of the same Windows domain (and they all apparently used the same user/password combination)
• The password was not very strong and could easily be brute-forced
• The software installed on the public web servers was outdated and not patched
• No antivirus protection was present on the investigated servers
• No secure central network logging was in place

The breach has led to the revocation of a lot of digital certificates – over 500 so far and the breach prompted Mozilla to take measures so “that all DigiNotar certificates will be untrusted by Mozilla products,” which includes the Firefox browser. Google’s Chrome browser also placed DigiNotar certificates on a permanent block list.

It is inexplicable that after the attention that the Comodo breach garnered and the recent spate of hacks against RSA, Barracuda, Citigroup and a host of other high profile targets, that the management at DigiNotar did not deem it wise to do due diligence and execute some element of due care.

This is even more depressing because from this F-Secure blog, the company has been hacked before, back in May of 2009.

Look at the bullet points above again and tell me if those are not things that could have been fixed. And beyond that, what role has their auditor play in this mess? It will be ridiculous to assume that they were not paying an external party to audit their environment. Why did an auditing firm not raise a red flag over these lapses? Is this another case of check box auditing that has come to bite DigiNotar in the ass?

The larger concern is how can we continue to trust DigiNotar and other certificate authorities to help ensure that there is no eavesdropping on secure communications between users and the sites they visit? After all, anyone armed with a rogue certificate for a web firm or service can impersonate that organization and get at communications that would otherwise be impossible to read because they are encrypted.

Update:

As Russ Bellew posted, DigiNotar filed for bankruptcy and their fate should be a wake-up call to other Certificate Authorities and indeed all companies with an internet presence. After all, the DigiNotar hacker did say that four other major CA’s were on the chopping block.

A lot of the accolades are warranted, but my focus in this write-up is on the area of user data privacy and how the Chrome browser seems to have built-in tools that are a reg-flag for privacy violations in spite of Google’s Privacy Policy.

Our position is that the Chrome browser is “chatty”,  and acts as a keystroke logger in the area of search. In fact, the folks at Scroogle characterized Google Chrome as a browser that tends to “phone home a lot”.  And here’s why:

• It is common knowledge now that when a user conducts a search using a search engine, Google stores three main types of information in a log file: the user’s IP address (a unique network address given by an Internet service provider), the words the user searched for, and a cookie identifier (unique value given to every Web-browser that visits a web page). See here for more details.

• According to Google, the Omnibox (which combines search with the address bar) is supposed to automatically suggest websites as you type and you “can disable Omnibox suggestions by unchecking the box in the “Privacy” section of Goggle Chrome’s options. As it turns out, you can disable Omnibox suggestions, but the browser conveniently ignores your choice and uses auto-suggest anyway.

• The Chrome browser uses a client_id variable which is unique for every Chrome user, and which can be used to create exact user profiles of a user’s actions while using Google Chrome. According to Google’s Privacy Policy:
  “The client ID is used for the user metrics service. This is an opt-in service that lets users send usage statistics to Google so that we can learn how Google Chrome is being used for the sake of making improvements. It helps us answer questions like, “Are people using the back button?” and “How common is it that people click the back button repeatedly?” Users can always update their preference about sending usage statistics.”

• Apparently, there is no option to prevent Chrome from recording History and downloads, options which  are available in Firefox, Opera and Internet Explorer 9. I found it really annoying that Google deliberately removed the option to disable history, especially since it was tied to the search engine a user may be using at any point.
  For example, here’s how Firefox does it:
  

Auto-complete and “predictive” search may have their uses, but the fact that a user’s keystrokes are sent to a search engine in real-time and are tied to the user’s IP address does not look like protecting privacy. This is doubly worrisome since we learned a long time ago that Google was uploading the history data in Chrome offsite – to its data centers.

• Google Update does more than update your Chrome browser to the latest version. It “periodically sends information to Google about how you obtained the browser, how often you use the Chrome browser, and specifically, “whether you used Google Chrome in the last day, the number of days since the last time you used it, and the total number of days that Google Chrome has been installed”

Here’s how to lock down Google’s Chrome browser:

There are some tools available that you can install to help you remove the client_id that Google tags you with in order to track your usage of the browser. See Unchrome,  Chrome Privacy Protector  and Chrome Privacy Guard. Ultimately, I prefer not having to deal with yet another software for a feature Google should have made available or not included in the first place. So we will fix this at the source.

• First thing is to resolve the privacy issue by making Chrome open up in private browsing or incognito mode permanently. To do this, right-click on a Chrome shortcut, select properties. The “Shortcut” tab will open up. On the “Target” address, add –incognito at the end so it will look like this:
  \google\Chrome\Application\chrome.exe — incognito

To address the history palava, make the relevant files in the default folder read-only. These files are “Archived History”, “History” and “Visited Links” and can be found in the “Users\<profile>\AppData\Local\Google\Chrome\User Data\Default” folder in Windows Vista and 7.  XP users can find the folder here: …\Local Settings\Application Data\Google\Chrome\User Data

1. Create a blank home page by going to options and setting the home page to about:blank
2. Close the Chrome browser and navigate to “Users\<profile>\AppData\Local\Google\Chrome\User Data\Default”. Delete the files called “Archived History”, “History” and “Visited Links”. Do not close the folder.
3. Open Chrome, but do not visit any site. This will allow the browser to recreate the files you just deleted. The big difference now is that those files are empty and you want to keep them that way by doing the next step.
4. Locate the new archived history, history and visited links files and make them read-only by right-clicking, selecting properties and checking the “Read-only” box.
5. Open Chrome and enjoy

The next hurdle is the search engine spying that is built into the Chrome browser. While this knowledge is not new, it is still disturbing that the browser tracks every keystroke you type while using the location bar. A quick check with Wireshark will educate you on this.

The ability of browsers to tie your search to your IP address is troubling. To prevent this, create your own “search engine” by doing this:

• On the “Basics” section of the Options page, select “Manage search engines”.
  In the “Other search engines” section, click on the “Add a new search engine” box and type in a name. Call it anything you want, like “Private”.
  Enter a keyword in the Keyword box and http://%s in the URL box. This prevents Chrome from piping every URL you type in the location bar to a search engine. Unfortunately, this also messes up searching.
  If you must set up a default search engine, I recommend Scroogle at www.scroogle.org and you can use this on the URL box – https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi?Gw=%s

A little paranoid? I don’t think so. It’s all about choices. There are things we must do online and it is inevitable that some of our private information will be exchanged. But users need to know that they have the option of turning something off, if they do not need it. If a “malicious” software installed a keylogger on a user’s computer, we would cry blue murder. How is the keystroke tracking behavior by search engines different?

Next we need to disable the automatic opening of files.

You cannot control the setting to automatically open certain downloaded files in the browser – a practice you should stay away from as much as possible. It is preferable to download and scan before opening a file. Drive-by downloads use this vector to drop stuff on your computer.
The option to manage this feature tends to be grayed-out on first use, unless you allow Chrome to open a file – see the complaints here. Thankfully, exe files are not allowed.

Again, in contrast, here’s how applications are managed in Firefox:

Notice the options to “Always ask”, “Save File” etc.

To fix this annoyance, open a blank tab and type in chrome://plugins/ or about:plugins to pull up the settings for the plug-ins installed with Chrome and turn off what you do not want.

For those not afraid of looking under the hood:
Close Chrome. Browse to: Users\<profile>\AppData\Local\Google\Chrome\User Data\Defaul (Windows Vista/7) or In Linux it is usually $HOME/.config/google-chrome/Default/Preferences.

Open the Preferences file in a text editor. Look for these lines:

“download”: {
“directory_upgrade”: true,
“extensions_to_open”: “flv”,   [ change this to ]    “extensions_to_open”: “”,
“prompt_for_download”: false
}

For those who are interested, here’s a link on customizing chrome.

Final thoughts are that Google’s Chrome browser may be a good fit for many users, but given the subtle and sometimes aggressive data gathering tools built into the browser, there is a lot to be worried about in the area of user data privacy. While data breach and hacking seem to be a daily occurrence these days, it won’t hurt a user to take some precautions in limiting the amount of information unwittingly sent to vendors just because you installed their software on your computer.

Here are some other things you could do:

Set the browser to automatically delete cookies every time you close it.

Whenever possible, use the private browsing feature built into most modern browsers.

Use specific browsers for specific purposes – general browsing, search, online banking etc. and customize each browser accordingly.

You can also get an alternative Chrome-like browser called Iron that is based on the free Source code “Chromium” – without the problems of privacy and security baggage of Google Chrome.

While the media has been abuzz about the exploits of Anonymous and LulzSec, the bigger question we should be asking is, are any of their exploits new or did they just give us a wake up call that there is no security, at least in the way we normally define it. What they have demonstrated is that security is a term we use to make ourselves feel good.

A quick look at their “victims” shows that most of the organizations they targeted have tons of money to throw at security, and some are known vendors of security “solutions”. Whether it is RSA, CitiGroup, Bank of America, the CIA, the U.S. Senate, Fox News, Barracuda, Northrup Gruman, Lockheed Martin, Comodo, Yahoo! and countless others too “insignificant” to get on the front page like Distribute IT, the recent attacks clearly show that any one can be had.

It could have been worse and these attacks could have gone on quietly, as I am sure they have been for quite  a while. I strongly believe that what the LulzSEC and Anonymous groups exposed were events that happened regularly but were covered up by the affected organizations.

The effect of such cover-ups were a false sense of security on the part of the general populace and the tendency by most organizations to believe that just installing a security appliance was enough. It also gave vendors of security products license to continue milking millions of dollars from the government, consumers and businesses until the holes in their products were exposed.

Rather than demonize these groups, organizations and businesses should be thankful that someone has provided a yardstick by which you can hold your security vendors accountable. There is now a talking point of “how can you guarantee that what happened to Citi won’t happen to us and if it happens, can you fix it without billing us additional millions”.

Indeed, as the group wrote:

“Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere.”

Their activities in the past few weeks, if anything has put a little pressure on IT professionals saddled with the task of protecting a network to get off the World of Warcraft and actually do some continuous monitoring and vulnerability scanning; it gives security professionals food for thought when they go on an risk assessment assignment because they will actually be forced to do a thorough assessment instead of check-boxing their way through. CFOs should be thankful because now they have a reason to demand that the money budgeted for security is actually being spent on security and not on some cool gadget that is completely useless in protecting the organization from security breaches.

Finally, while there are ethical gaps in the way these groups did their “ethical hacking”, I hope it gives us reason to think twice before we put confidential information in insecure locations. But from the mostly negative and arguably silly comments you read on websites that report on the activities of these groups, a lot of people still do not seem to get it. There is a lot of focus on the what instead of the why and how. If the systems that were compromised were secure in the first place, could they have gained access? What does a hack teach the organization that was hacked? If these guys could get into our corporate systems and tell us, who else got in and did not tell us?

In today’s business world, where organizations face ever-escalating customer demands and expectations and little room for downtime, logic dictates that businesses today are seriously revamping their business continuity and risk management plans, or developing one if they did not have any.

This is even more pertinent given what we have witnessed in recent months in the areas of data breaches, hack attempts and the underground “war” being waged in cyberspace that has put most of the world’s powerful organizations on the defensive.
Business continuity management is usually regarded as “the capability to assist in preventing, preparing for, responding to, managing and recovering from the impacts of a disruptive event”. (Business Continuity Management, Australian National Audit Office, 2009)

We have always been told that to remain competitive we must build a resilient IT infrastructure, or risk our competition having us for lunch. Apparently, the folks at Distribute IT were not listening.

As few may be aware, Distribute IT, one of Australia’s web hosting providers got hacked on June 14, 2011 and practically went out of business overnight. In what could only be described as weird, absurd or the greatest display of corporate irresponsibility, the company did not have sufficient redundant backups to save its or most of its customers’ data. The company did not take offline backups and was forced to shamefully admit that:

Our Data Recovery teams have been working around the clock in an attempt to recover data from the affected servers shared Servers [sic]. At this time, we regret to inform that the data, sites and emails that were hosted on Drought, Hurricane, Blizzard and Cyclone can be considered by all the experts to be unrecoverable… our greatest fears have been confirmed that not only was the production data erased during the attack, but also key backups, snapshots and other information that would allow us to reconstruct these Servers from the remaining data.

Aptly named servers apparently, because nothing good usually comes out of an encounter with drought, blizzard, hurricane or cyclone unless you heed safety warnings and take appropriate measures! As the company explained to its customers, the hack and its aftermath left them with “…little choice but to assist you in any way possible to transfer your hosting and email needs to other hosting providers.”

Business continuity management is supposed to be an essential part of an organization’s overall approach to effective risk management. It is or was the overall responsibility of DIT’s executive to raise awareness and implement some form of resilience into the infrastructure and sadly, it failed woefully in that regard.

It is amazing that despite what we have experienced this year in terms of hacks, breaches and what not by the likes of Google, RSA, Comodo, Barracuda, and City Group to name a few, Distribute IT did not think it was pertinent to take precautions and bolster the security of its servers. The company has since been acquired by NetRegistry, but questions remain.

Distribute IT was ICANN accredited, but it appears that there is no form of auditing performed by the organization to determine whether registries are doing enough to secure their systems and preserve customer data.

Second, is the check-box “methodologies” of risk management experts creating a false sense of security and the ability to recover in the minds of clients?

How do information security “experts” do a better job of encouraging better risk and security decisions? Or avoid making the assumption that an organization will always recover if its risk controls fail?

Distribute IT is a small business compared to other providers in the industry, but it is not too farfetched to think that we couldn’t see similar sorts of existential threats to larger, IT-dependent businesses that might not be as risk savvy as a financial entity, for example – heck even those are feeling the pain – just ask CitiGroup or Bank of America, or Commerica Bank.

This unfortunate incident is yet another example of what happens when businesses ignore the risks that they shouldn’t. This situation will continue as long as executives think that security is all about installing firewalls and running the latest antivirus software.

As is always the case, it is only after a tragedy happens that people spring to action, despite several warnings that could have prevented the problem in the first place. Of course, there is always the reminder by company executives that they have tape and/or offline backups, but how many have taken the time to do a proper risk assessment?

Are we truly in an era when people can claim that “[t]here is no security, there will be no security. The horse has bolted, and it’s not going to be the infrastructure that’s going to change, it’s going to be us”?

Are these recent spate of breaches and hacks that have been exposed just old occurrences coming to light? US Department of Homeland Security advisor Jeff Moss Tweeted recently, “When I heard RSA had a shiny new half million dollar HSM to store seed files I wondered where had they been stored before”.