Preemptive analysis, consulting, and planning

The most often-used malware, spyware, and adware—are you aware?

Posted July 17, 2018 by Marc Abel

Choice of software for browsing the Internet is paltry; none of today's four principal vendors has business interests that align with browser users. Although the security ramifications are entrenched and precarious, help is not on the way. This table shows who has final say over the best-maintained platforms:

Browser primary funding sources

Browser             Primary funder   Note
Firefox             Google           via Mozilla Foundation
Internet Explorer   Microsoft        for legacy systems
Opera               China            previously Google
Safari              Apple            Apple hardware only

Businesses that either use non-Apple computers or can't run software written under Chinese authority select either Google or Microsoft. There are no other sponsors.

Some may ask the basis for my treatment of the Mozilla Foundation. After all, Firefox is the only open-source browser on the list. I use Firefox every day, but I strongly devalue Mozilla as an independent entity on the basis of hundreds of millions of dollars from its dominant commercial sponsor, and the anti-user design features wrapped into the browser itself.

Firefox has a dizzying infestation of "dial home" features, or spyware characteristics, that purport to be for your own good, are enabled by default, have scrawny or no end user documentation, and have no single facility to disable them. Firefox also adopted a highly unpopular specification called Encrypted Media Extensions, or EME, in "a difficult and uncomfortable step" under financial pressure from YouTube's parent company, Google.

My classification of all six browsers under the term malware places me in a distinct minority. Yet NIST publishes data to support this position. Consider this table, which I tabulated from the National Vulnerability Database as of July 17, 2018:

NVD vulnerabilities by browser

Browser             1999-2018   Half 2018
Internet Explorer   1235        12

NIST's search engine doesn't offer the capability to tabulate by vulnerable products. If you'd like to cross-check these figures, I'll send you my code if you ask.

The counts in this table reflect the number of vulnerabilities in the NIST database for all time, and for January through June 2018, tabulated by browser. That is more than 5,000 vulnerabilities for just six browsers, and in 2018 a new vulnerability published every day and a half. I took care not to double-count: a vulnerability that affects more than one flavor (mobile vs. desktop) or version of a given browser is counted one time only. I also do not count instances where the browser is mentioned but is not itself vulnerable.
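As an added illustration (not the author's code, which he offers on request), here is one way to reproduce such a tabulation from an NVD JSON 1.0 data feed while honoring the two counting rules above: one count per CVE per browser regardless of how many versions or flavors are listed, and no count where the browser appears only as a non-vulnerable platform. The CPE vendor:product names and the sample feed entries are my assumptions and constructed data, not values from the page.

```python
"""Tabulate distinct CVEs per browser from an NVD JSON 1.0 data feed, using
the article's rules: one count per CVE per browser however many versions or
flavors are listed, and only where the browser itself is flagged vulnerable."""
from collections import defaultdict

# Assumed CPE vendor:product names for the six browsers; ESR folds into Firefox.
BROWSER_CPE = {
    "microsoft:internet_explorer": "Internet Explorer", "microsoft:edge": "Edge",
    "google:chrome": "Chrome", "mozilla:firefox": "Firefox", "apple:safari": "Safari",
    "mozilla:firefox_esr": "Firefox", "opera:opera_browser": "Opera",
}

def vulnerable_browsers(nodes):
    """Walk configuration nodes recursively, yielding the browser name for each
    cpe_match flagged vulnerable; non-vulnerable matches (e.g. a platform) are skipped."""
    for node in nodes:
        for match in node.get("cpe_match", []):
            if not match.get("vulnerable"):
                continue
            fields = match["cpe23Uri"].split(":")  # cpe:2.3:part:vendor:product:...
            key = ":".join(fields[3:5])
            if key in BROWSER_CPE:
                yield BROWSER_CPE[key]
        yield from vulnerable_browsers(node.get("children", []))

def tabulate(feed, period=None):
    """Return {browser: distinct CVE count}; period=(year, half) keeps only CVEs
    published January-June (half 1) or July-December (half 2) of that year."""
    seen = defaultdict(set)
    for item in feed["CVE_Items"]:
        year, month = int(item["publishedDate"][:4]), int(item["publishedDate"][5:7])
        if period and (year, 1 if month <= 6 else 2) != period:
            continue
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        for browser in vulnerable_browsers(item.get("configurations", {}).get("nodes", [])):
            seen[browser].add(cve_id)  # a set, so many versions still count once
    return {b: len(ids) for b, ids in sorted(seen.items())}

def _cpe(tail):  # pad 'vendor:product:version[:...]' to a 13-field CPE 2.3 URI
    parts = ["cpe", "2.3", "a"] + tail.split(":")
    return ":".join(parts + ["*"] * (13 - len(parts)))

def _or(*tails, vulnerable=True):
    return {"operator": "OR", "cpe_match": [
        {"vulnerable": vulnerable, "cpe23Uri": _cpe(t)} for t in tails]}

def _item(cve_id, published, nodes):
    return {"cve": {"CVE_data_meta": {"ID": cve_id}}, "publishedDate": published,
            "configurations": {"nodes": nodes}}

SAMPLE_FEED = {"CVE_Items": [  # constructed feed; CVE IDs are placeholders, not NVD data
    # IE 9, 10 and 11 all listed: counts once for Internet Explorer.
    _item("CVE-2018-SAMPLE1", "2018-03-14T17:29Z", [_or("microsoft:internet_explorer:9",
        "microsoft:internet_explorer:10", "microsoft:internet_explorer:11")]),
    # Release, ESR and Android flavors: counts once for Firefox.
    _item("CVE-2018-SAMPLE2", "2018-05-02T20:29Z", [_or("mozilla:firefox:60.0",
        "mozilla:firefox_esr:52.8", "mozilla:firefox:60.0:*:*:*:*:android")]),
    # A vulnerable add-on hosted by Firefox; Firefox itself is flagged not vulnerable.
    _item("CVE-2018-SAMPLE3", "2018-02-10T15:29Z", [{"operator": "AND", "children": [
        _or("example_vendor:example_addon:1.0"),
        _or("mozilla:firefox:58.0", vulnerable=False)]}]),
    # Published in 2016, so it appears only in the all-time count.
    _item("CVE-2016-SAMPLE4", "2016-08-09T18:59Z", [_or("microsoft:internet_explorer:11")]),
]}
```

Running tabulate on a real feed (the yearly nvdcve-1.0-YYYY.json files) gives the all-time column; passing period=(2018, 1) gives the half-year column.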

In case you're a little new to security, a vulnerability is not an incident of somebody getting hacked. A browser vulnerability is a problem that has been replicated to millions, sometimes hundreds of millions of users. So read this table's numbers like you would a financial report for a big company: you have to add a lot of zeros to understand their impact.

As the figures given indicate, there are grave deficiencies with all six browsers, but the data should be treated only qualitatively. Some browsers predate the database, others appeared only recently, some aren't used heavily in the United States, and the source code is accessible in varying degrees. I would discourage "X is safer than Y" generalizations, even for the browser that is having a quiet year.

These metrics indicate an entrenched pattern of indifference and neglect that has existed for the lifetime of all of these browsers and continues to this date. Only Opera appears to have settled down numerically, but its 2016 purchase by China-headquartered investors raises other trust concerns. For five of the six browsers, inaccessibility of the source code for audit also concerns me.

The combined age of these six products from first public release to July 17, 2018 is 32,627 days, or a little over 89 years. Development costs are not reported but are in the billions USD. From the standpoint of stability and security, there is little to show for the millennia of human talent put in. In the meantime US businesses are in harm's way.

It's not hard to write a practical and secure hypertext retrieval system, but that isn't happening with the World Wide Web. The engine driving all these security failures is the commercial interest of the browser writers. The typical user only wants to go online, and if she can do this simple thing, she has no reason to upgrade browsers. There are two commercially effective countermeasures against user complacency. One is to guarantee an unending stream of serious vulnerabilities to compel "upgrades." The other is to ensure that the W3C specifications for how the Web runs continually become obsolete.

The business needs of typical browser users do not warrant the complexity of the offerings. The source code for Firefox 61.0.1 contains 244,207 files. A product with that many lines would be quite large and had better be very capable, but these are files. Inside these files are 2,593,611 lines of C, C++, Rust, and JavaScript. The other browsers are of comparable size and complexity, but have not released their complete source code for us to measure.

Unfortunately, the Web has reached a "singularity" where so many websites expect so many features to be available in visitors' browsers that people are no longer able to "surf" without using a browser with all of these unnecessary capabilities. A large fraction of websites refuse to send pages at all if the demands they impose on visitors are not met. This singularity probably arrived by 2000 and presents a significant barrier for producing better browsers, with the consolidation shown in these tables as one consequence. Internet Explorer is on Microsoft's chopping block, and Firefox has become so large and expensive to maintain that its existence or extinction might already be at Google's will.

Another security issue with at least Firefox and possibly all of these browsers is that they run separately provided code that is not written or maintained by the browser authors. Firefox depends on (that is, uses code from) about two dozen other programs that are written and controlled by other sources. The type and extent of this control varies from source to source, meaning that in addition to Mozilla and Google, many other groups around the world can change how Firefox behaves the next time someone runs an "automatic update." That next "update" can include a catastrophic bug or a sophisticated attack. This kind of security failure has happened before and is not unique to web browsers.

There are many approaches to making web browsing safer, and I am not neutral as to which I think are suitable and which aren't. For a good example of what I wouldn't do, look at the U.S. Department of Defense, which places too much emphasis on commercial off-the-shelf components. That is to say, they use the same damn browsers you and I do, and build a big wall around their systems so that "bad people can't get inside." In essence, the admirals and generals have simply mimicked the fences and guards around U.S. military installations. But in reality, they have walled our sergeants and petty officers in a beautiful garden with most of the world's knowledge assets on the wrong side of that wall.

For what the U.S. military spends on their firewall and the lost productivity of our armed services personnel, they could write ten browsers that have adequate security, safeguards, and reliability. But the talent to accomplish such a project on time and on budget might not be easy to find in the United States. Many of today's leading software geniuses come from our allies: consider for instance Bellard, de Raadt, van Rossum, Tanenbaum, Torvalds. Some personnel security clearance gymnastics could be necessary, or the initiative could choke like so many others in the hands of the usual contractors.

The presence of Internet browsers exposes business users to such levels of unwarranted risk that it's reasonable to classify the actual browsers as malware, adware, and spyware, even though the offending software will remain in use for the foreseeable future. Most companies are unable at this time to conduct business without using Edge, Firefox, Chrome, IE, Safari, and/or Opera. What can be done is to relocate web browsing to systems that do not have access to sensitive or important assets. In essence, web browsing activity needs to be carefully segregated or "firewalled" from everything else.

Your business, and every business with any kind of Web interaction, faces a critical choice. You can accept the existing risk that your web browser will participate in causing grave harm. Depending on what your business does, large amounts of money can be stolen, manufacturing plants destroyed, trade secrets leaked to foreign competitors, or lives lost. Or you can change the way you store, access, and use your browser so its flimsiness won't become the first domino in your firm's devastation. In the next post, I offer suggestions about countermeasures for businesses against web browser vulnerabilities.

How to browse the Web safely in 2018

Posted July 19, 2018 by Marc Abel

Note: This article is not about the privacy of how you use the World Wide Web or how advertisers track you. It's about your own computer's security.

After 35 years of offering high-performing solutions to complex problems for very competitive prices, I find this article difficult to write. What I do still energizes me, but we have come to an apocalypse together. Intel has broken our entire universe, and help is not coming. I can help you find shelter for your information, but we cannot build it a safe home for a few years at least.

As I mentioned, today's major browsers are Chrome, Edge, Firefox, Internet Explorer, Opera, and Safari. Their most basic use is to retrieve information from the Internet, more specifically the World Wide Web, and display it for you. There are more advanced uses in the form of Web applications your business might use—collaboration, professional and social networking, etc.—but we needn't consider these. For security purposes, the browsers are inadequate for even the most basic chores.

Fortunately, there is a fallback.

Our fallback is the security capability of the hardware your web browser runs on. The Intel-led family of computers you're familiar with dates to the 1970s. In 1982, Intel introduced the world's first microprocessor to offer a built-in "protected mode" where you can run a computer program without the program being able to take control of the machine. In protected mode, the machine controls the software rather than the software controlling the machine. If a problem comes up such as a software bug or computer virus, the machine will win and your data will be safe. That microprocessor was the 80286, a 16-bit device that for Intel marketing reasons was severely undervalued and had far too short a life.

The desktop machines we run today are essentially souped-up versions of the "286" and still support its original 16-bit instructions, with waves of extensions added. But protected mode on the 80286 turned out to be buggy. It was broken 35 years ago, and it's still broken today: only the cracks are in different places. The fallback we all relied on has fallen itself, and the malware that our hardware was supposed to prevent controls our hardware instead.

The solution is that all your computers are going to the landfill. They can't go for at least a few years, because nothing better exists to replace them with. There are some computers with potentially better security in some ways, but they are not fast enough to browse contemporary websites. Ironically this lack of speed is a major reason they are more secure, but this article isn't a good place to elaborate.

You'll naturally think about buying older equipment that doesn't have all these new security problems. Sometimes this is a good approach, but 2018's headline hardware vulnerabilities like Spectre and Meltdown were anticipated no later than 1995 and 2002 respectively. It turns out that replacing your equipment even with 20-year-old machines doesn't get you to safety, and beyond that vintage nothing is going to run fast enough for today's Internet sites.

Even had the Intel microarchitecture and its competitors been secure, we had already lost the hardware security battle anyhow, because the memory in your computer is vulnerable in its own right. This is because the RAM in your computer is cheap "dynamic RAM" that only needs one transistor to store a bit of information. The problem is that this RAM starts to forget what it's been told in less than one second, and this tendency to be forgetful can be exploited to introduce false stories. There is expensive "static RAM" that uses about six times as many transistors, but market interest has been so small that they don't even make static memory modules big enough to replace your ordinary memory.

Fortunately, there is still another fallback.

Our previous fallback was to stand and fight using the hardware security architecture that has matured over 35 years. But every last weapon is broken. All we can do now is run away with our data.

What we need to do with our web browsing is understand that the computers we use with browser software are fully exposed and cannot be sheltered adequately. To protect our sensitive information, we have to remove it from these systems entirely. Not to another login, not to an encrypted folder, not to a Linux chroot, not to a BSD jail, not to a Windows runas, not to a virtual machine, but totally gone. And then wipe the disk.

In principle every user needs at least two machines. One is for browsing the World Wide Web, and the other is for everything else, including email. For your business two machines might not be enough separation, but I want to introduce this concept gently. I use nine machines at Wakefield Cybersecurity, and I'm its only employee.

The principle of isolating web browsing on separate hardware is straightforward, but implementation probably won't be. For one thing, you are most secure not with a separate machine for your browser, but a separate machine for every website you browse. That's because websites have extremely different security models and wildly fluctuating levels of safety. A news website's purpose is to cram as many advertisements as they can on your screen, and they don't care very much if some of the advertisements happen to contain malware, as long as the ads themselves are paid for. You can't visit these sites, even the Russian ones that pretend to share your political leanings, from the same computer you use to transfer money. You're begging for trouble.

In a lot of cases there is no practical means to segregate every site you browse from every other site. Your best approach is to cluster your tasks according to how good the security is. Read all your news on one computer. Do online research for product development in your industry on another. Handle your money on yet another.

Large financial accounts require separate computers: one computer per set of login credentials, no exceptions. If you have $35 million at Wells Fargo and $180 million at Fidelity, don't use remotely similar passwords, don't use idiot authenticators like your mother's maiden name, and don't use the same computer. Even if you're the CFO. I paid $40 for the last computer I bought. It was almost ten years old at that time; the newer models are no more secure anyway. Get another cubicle if you don't have room for another computer. You'll need other safeguards like multi-factor authentication—no, not using your cell phone—no, not using your email account—no, not logging in through Facebook—but that's a discussion for another time.

Not every website your employees desire needs to be accessible from their work-issued computers. If people tell you they need weather forecasts, set up a display with the forecast and radar. Wikipedia is a special situation: if your company uses Wikipedia regularly, make your own copy of all of Wikipedia and serve it from your own infrastructure. That offers you not only extra isolation but valuable privacy in the research that you do. For Wikipedia there are no license fees for either the data or the hosting software, but consider making a donation that your budget can readily afford.

Some businesses are lenient in terms of what employees might do online during work hours. If that's working at your business, don't try to "fix" it for the sake of security. You need the goodwill and comfort of everyone who works for you, and if their job involves a lot of time waiting, let them have their Facebook access if they're mature about it. But not on company equipment. Instead, provide wireless connectivity to an entirely separate Internet service, and let your team bring their personal gadgets to work and connect with them. Don't allow company data on employee-owned machinery; if someone shows you a great tool, buy her a company one.

Most operations should not get too worried that employees will misuse their personal connection privilege to steal proprietary information. If this is a threat vector, the threat is from unfaithful personnel, not the gadgets you see brought in and out. You can have a no-gadget policy, but nothing short of cavity searches will keep contraband devices outside of your offices. You would also have to pilfer all of your staff's U.S. mail and packages, and unroll all the tissue when you restock the restrooms. The best preventive measures for betrayal are not technological, but they are within the scope of Wakefield's services.

Computers that browse the World Wide Web are prone to infestation from time to time. As a consequence, you need to regularly erase these machines, re-install everything, and restore any configuration you need to pick up where work was left off. Don't wait until you think the machine has been compromised. At my office I have this sterilization down to 132 seconds, so the disruption is tolerable and fresh starts are just another phase of survival. Confer with an expert about this process so you understand its quirks and limitations.

Once you have decided what computers will be used for which browsing purposes, you should implement controls that discourage people from using the wrong systems for the wrong things. One way to approach this is using packet filters and domain resolver customization. If you have an IT department of any size, ask if your company uses an in-house DNS service or another supplier such as your ISP or Google. You gain a lot of control, confidentiality, and auditability if you do this in-house, without laying an onerous task on your IT staff.

Many browsers were designed at a time when extensibility was in vogue. For you, these browser plug-ins, add-ons, and extensions are a liability unless your security audit team has checked every line of their source code. I'll confess that I use Adblock Plus, but there is a tradeoff. I also use NoScript, but today's websites are so script-centered that most users will have trouble using it effectively. NoScript also has side effects that few would anticipate, such as disabling custom fonts even though fonts are not scripts. In addition to being highly customizable, Adblock Plus and NoScript are both open-source products that you can in theory audit and modify.

Although browser additions like the above give the appearance of drop-in protection by filtering out bad content, the system this protection runs on is tainted by the browser's presence. Today's best antivirus packages are only about 80% effective, meaning that every fifth strain of mischief can paralyze whatever protections you've installed on the computers you browse from. If you're big enough to have the IT resources, you should put the filtering function on its own separate hardware that does not do any web browsing of its own. In addition to being more secure, it will run much faster, not slow down the machines your employees use, be centrally administered, and scale effortlessly to as many employees as you need to protect. Balancing these many benefits are added system complexity and certain security implications such as switching from end-to-end to hop-to-hop connection security. Your team can support you in the decisions you'll need to make.

The matters we've considered for your Internet browsing are, at best, a good place to begin. If you do nothing else, get your business information completely off anything you run Chrome, Edge, Firefox, Internet Explorer, Opera, or Safari on. When you're ready to go further, your security partners such as Wakefield Cybersecurity are here to help.

Ever think about JavaScript?

Posted July 12, 2018 by Marc Abel

JavaScript is not evil, but it has been a security nightmare. In the first half of 2018 alone, NIST's National Vulnerability Database cites JavaScript in 230 new vulnerabilities. Many websites can get by just fine without JavaScript if they put their mind to it, while still providing as much capability and richness as their visitors need and expect.

Although it would be a simple matter to write "innocuous" JavaScript for the Wakefield Cybersecurity website, use of client-side scripting can impose on your organization auditing burdens and uncertainty about the future. We elect to avoid all client scripting on this site, thereby providing you an example you can point to in conversations with your other vendors.

Wakefield Cybersecurity LLC
Wake secure℠