Schneier on Security
A blog covering security and security technology.
May 10, 2013
The Onion on Browser Security
At Chase Bank, we recognize the value of online banking -- it’s quick, convenient, and available any time you need it. Unfortunately, though, the threats posed by malware and identity theft are very real and all too common nowadays. That’s why, when you’re finished with your online banking session, we recommend three simple steps to protect your personal information: log out of your account, close your web browser, and then charter a seafaring vessel to take you 30 miles out into the open ocean and throw your computer overboard.
And while we're talking about the Onion, they were recently hacked by Syria (either the government or someone on their side). They responded in their own way.
EDITED TO ADD (5/11): How The Onion got hacked.
Posted on May 10, 2013 at 1:49 PM
I do online banking with Chase, and every time I log out and see the suggestion to close my browser, I think "And lose all these open tabs? Screw you!"
I have a different browser running in a virtual machine that is just used for online financial stuff - banking, brokerage - NOTHING else. The hostOS is not connected to the internet.
None of these OSes run MS-Windows.
Check out TinyCore just for this purpose.
@JohnP Wait, how does the guest connect to the internet if your host isn't connected?
@Sean: if you use Firefox, you could get the "Close and Forget" add-on which nukes the cookies for the current site as it closes the tab.
I don't go as far as JohnP, but I always use a different browser for secure transactions than I use for everyday browsing.
This method allows me to have a stripped down browser (no add-ons, plug-ins, extensions, unless explicitly needed for a financial site).
My favorite part of the Onion hack is this:
At this point the editorial staff began publishing articles inspired by the attack. The second article, Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels, angered the attacker who then began posting editorial emails on their Twitter account.
So the attackers were baited into revealing their remaining access to The Onion computers, and the IT staff then locked them out completely. They were sort of 'reverse-phished', by accident, by the normal operations of a humor magazine.
I've come up with a good idea to explain the current monitoring of computer users and their information. What they are doing is, in effect, coming up with something that closely resembles Kennedy assassination theories. Before the fact.
We do know one thing about the method. It creates thousands of theories and endless enjoyment. The fact that all but one are correct keeps the folks at the FBI, Homeland Security, and endless other groups of individuals entertained on a never ending quest for the correct answer. It certainly helps the unemployment numbers.
"I don't go as far as JohnP, but I always use a different browser for secure transactions than I use for everyday browsing."
Actually, I think you go much farther than JohnP. Like Mike pointed out, his host isn't even connected to the Internet. He must cut and paste his online banking activity from the VM to his postal mail box.
The laugh is that anybody believes that the Syrian Electronic Army actually exists or can be blamed for this. It sounds like yet more anti-Assad propaganda. I mean, couldn't it be pro-Al Qaida American hackers?
@ Nick P,
Like Mike pointed out, his host isn't even connected to the Internet
You are repeating the mistake Mike made.
JohnP said his "hostOS is not connected to the Internet" not that the "host" (or the hardware for that matter).
Part of the problem is that the word "host" has many meanings, and depending on your viewpoint you may be thinking of something different from the person talking...
The first problem is that the use of "host" is manifold. If you are talking about VM systems, the HostOS is the one closest to the metal of the system. This usage of "host" is fully independent of the meaning of "host" when talking specifically about networking, where unfortunately host has different meanings to different people depending on whose training course they took.
At one time a system with multiple network cards was a multi-host system so also was a system with one network card that responded to more than one unique IP address (but did not respond to all IP addresses in the network range). That is the "host" was the IP address and the network stack behind it not the network hardware or main system hardware or for that matter the OS software.
I could give the history of how the use of the term "Host" with respect to networking went wrong, but to be quick it was Microsoft's Certification System documentation where the rot was first clearly seen by the masses.
It is possible to set up a HostOS to use local networking only and not to route, or to address/use a gateway that does not route but just drops packets (like using a modern firewall the other way around). Such tricks were used to set up "Bastion Hosts" to make DMZs etc. in the early days before the term firewall got mutated to its current 'network appliance' meaning.
Now I don't know what HostOS JohnP is using or what the VM client OS is, but it is possible with some VM systems to have the VM ClientOS use the network with its own IP address and a different gateway to the HostOS, and implement what is required for "full networking".
Further there is the issue of which OS actually has control of the network device, the VM HostOS could just pass control through to the VM ClientOS.
So yes, it's possible to do what JohnP has said, depending on what meaning you ascribe to "Host". And I've mentioned similar in the past when talking about the next step back from using a CD-only system, using thin clients and/or VM systems.
I guess if people want to know more about JohnP's setup they will have to ask him.
Alternatively, go have a dig into the likes of the HoneyNet project's docs on how to set up VM systems to do slightly unusual things.
I'm not sure I entirely agree with the Onion advice.
If you look at many charts you will find that 30 miles off shore is not always sufficient to give a depth of water such that a diver or ROV cannot recover it.
Thus, as NickP, myself and others have discussed in the past, you need to insert first the "thermite solution" then the "boiling conc. nitric solution" prior to ditching the waste overboard. Oh, and the "Ball Mill solution" for that little extra security would not go amiss.
But importantly, make sure you have filled in the correct EPA and Customs paperwork, as those bureaucratic types can make your life a real pain.
Oh, and always remember the correct gloves, glasses and other safety clothing, otherwise H&S droids will ruin your day (better still, if you see one on deck without full abandonment kit on, it could be a good day for an impromptu Man Over Board drill ;-)
... angered the attacker who then began posting editorial emails on their Twitter account...
Possibly the only option left to them, as it appears the US Treasury now owns all Syria domains that the attacker might otherwise have used.
@JohnP and @Clive
How would you suggest configuring a VM for banking, in English please?
The network setup I have is a little advanced and took more trial and error to get than I'd like to admit. The hostOS is on a different subnet than the clientOSes.
A pretty good virtual machine solution for banking is to:
* do not use the hostOS on the internet; this is extremely critical. If the hostOS is corrupted in any way, we have lost this war.
* get an ISO Linux - something like TinyCore; any OS that supports booting a LiveCD can work.
* set up a VM that doesn't have a HDD, just a CDROM connected to the TinyCore.iso file.
The VM hypervisor used doesn't really matter too much for this setup, but if you are doing desktop-on-desktop virtualization, then VirtualBox OSE is probably the best choice, IMHO. KVM and Xen and LXC and even VMware Player can work.
Thanks @JohnP. I think I've got it. A little over my head, but I understand the concept.
@ Clive re my previous comment
Well, my bad. I guess the joke's on me then. Haha.
@ Arch Newbie
"How would you suggest configuring a VM for banking, in English please?"
The setup JohnP did right after your comment would work. So would a basic Ubuntu or Windows browser VM. The idea is that any infection doesn't touch the host. Also, advanced virtualization schemes allow snapshots where you set the virtual machine up to usable state, snapshot its condition and "revert to snapshot" in event of a problem. Presto chango, you have a clean machine.
Of course, you must remember that these don't stop attacks within the browser itself. That's become more popular over the years. A common solution there is Firefox w/ NoScript. Here are links for you.
Brian Krebs on Live CD Banking
Nice list of addons and recommendations here
In truth, running an obscure OS (eg Linux) with security-enhanced Firefox protects your system way more than virtualization b/c it addresses more threats.
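As an added example (not JohnP's, Nick P's or the blog's own code), here are the VirtualBox CLI commands behind JohnP's three steps (host stays off the internet, LiveCD ISO, no hard disk) plus the snapshot/revert step Nick P describes for a persistent-disk VM. It assumes VirtualBox 6.x VBoxManage syntax, a placeholder ISO path, and NAT networking as a simpler stand-in for JohnP's separate-subnet setup.

```shell
#!/bin/sh
# Added example: build a disk-less "banking" VM that boots only from a LiveCD ISO.
# Assumptions: VirtualBox 6.x VBoxManage flags, placeholder ISO path, NAT networking.
set -e

VM_NAME="${VM_NAME:-banking-livecd}"
ISO_PATH="${ISO_PATH:-/path/to/TinyCore-current.iso}"   # placeholder, set to your ISO

# Emit (rather than run) the build commands so they can be reviewed on a machine
# without VirtualBox; "apply" executes them. No --hd* medium is ever attached,
# so the guest has nowhere to persist an infection; clipboard and drag-and-drop
# are disabled so the browser VM cannot leak into or out of the host session.
build_vm_commands() {
    cat <<EOF
VBoxManage createvm --name "$VM_NAME" --ostype Linux26_64 --register
VBoxManage modifyvm "$VM_NAME" --memory 1024 --vram 32 --boot1 dvd --boot2 none --boot3 none --boot4 none
VBoxManage modifyvm "$VM_NAME" --nic1 nat
VBoxManage modifyvm "$VM_NAME" --clipboard disabled --draganddrop disabled
VBoxManage storagectl "$VM_NAME" --name IDE --add ide
VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 --type dvddrive --medium "$ISO_PATH"
EOF
}

# For the Ubuntu/Windows-with-disk variant: take a known-good snapshot once the
# browser is configured, and revert to it whenever something looks wrong.
snapshot_commands() {
    echo "VBoxManage snapshot \"$VM_NAME\" take clean-baseline"
}
revert_commands() {
    cat <<EOF
VBoxManage controlvm "$VM_NAME" poweroff || true
VBoxManage snapshot "$VM_NAME" restore clean-baseline
EOF
}

# Execute emitted command lines one at a time.
run_commands() { while IFS= read -r line; do eval "$line"; done; }

case "${1:-show}" in
    apply)    build_vm_commands | run_commands ;;
    snapshot) snapshot_commands | run_commands ;;
    revert)   revert_commands | run_commands ;;
    show)     build_vm_commands; snapshot_commands; revert_commands ;;
esac
```

Run with no argument to review the commands, `apply` to create the VM, then `VBoxManage startvm "$VM_NAME"` to boot it.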
"I'm not sure I entirely agree with the Onion advice."
"If you look at many charts you will find that 30 miles off shore is not always sufficient to give a depth of water so that of a diver or ROV cannot recover it."
The Onion's advice doesn't end with sinking the computer. Read the whole article.
@Clive Robinson - remember to ensure that the nitric acid isn't Chinese and the ball mill isn't made by Huawei, otherwise it may have super-secret-data-spying technology
I did read the article, but the thing with the clams is an obvious flaw in their system, especially with the sunken ship making the disposal site easy to find ;-)
Anyway, I was mainly joking about officious bureaucrats (well, maybe not the H&S ones, as they seriously ruin your day ;-)
A true story about H&S gone mad...
As many of this blog's readers know, war zones are not exactly healthy places to be, as often there can be low-flying FMJ lead poisoning buzzing around, which kind of shows up the ridiculousness of the "management speak" parrot phrase of 'taking one for the team'.
Well, at a forward observation point a two-story hardened structure had been made as a lean-to against an existing compound wall, the main components being stout timber and lots and lots of sand bags. This OP had come under mortar and heavy machine gun attack on a number of occasions and survived.
Well, apparently the "Modern" army feels the need to turn certain "junior officer" types into H&S droids and send them off into the field...
One warm afternoon a couple of snipers were holed up in the OP doing what they do best, being invisible and watching carefully to see what the enemy is doing, when they are surprised to hear a strange movement at the entrance to the OP, which is basically a four foot high hole in the triple-sand-bag-thick wall with very stout timber supporting the bags over it.
Being somewhat wary, one of the snipers slips down and looks to see what is causing the noise. He is somewhat surprised to see a junior officer in freshly cleaned and ironed working dress standing there with a clipboard and tape, measuring the hole. On being asked WTF he's doing, the junior officer indicates he is the new H&S person and that the "height of the door way was too low"... Well, the sniper said a few things to the junior officer H&S Muppet that caused the Muppet to lodge a formal complaint with the Officer Commanding... The OC was less than impressed and said so in terms that were overheard by others... Suffice it to say the Muppet was not seen again and the OP lean-to carried on its faithful service unchanged.
@Arch Newbie, Nick P.
I can recommend TAILS as the privacy/security enhanced Linux Guest OS to be used in the VM setup.
Or Cisco routers. :P
Tails is developed by anonymous individuals, like TrueCrypt. Tails is open source but how many people are auditing every version? The binaries as new versions release? The majority aren't compiling the distro themselves, they're using what's given to them, binaries prepared by the anonymous Tails developers.
If you use Tails, run rkhunter on it and note the warnings of dozens of hidden files and strange NFS warnings/references within.
Off topic, but I had an extremely worrying incident last night. I was browsing a web site on an Android phone with Firefox and without any prompting Firefox downloaded an APK and immediately launched the APK installer to install it. It was some app which claimed to be a screensaver but given it wanted SMS permissions one can assume it was more interested in calling premium rate numbers.
Bugs the hell out of me that Firefox would think this behaviour is remotely acceptable.
The thing that doesn't make sense to me is WHY would hackers target the Onion? It isn't as if they could publish stories with the Onion's venerable name attached. Why didn't they hack the Enquirer while they were at it?
I did like the Onion's response to the hacking however.
The thing that doesn't make sense to me is WHY would hackers target the Onion? It isn't as if they could publish stories with the Onion's venerable name.
Well, how about the fact that it's a very popular site which is trusted by many people, thus the hackers could put browser exploits up on the site and get them onto rather more machines more quickly than they would through an ordinary phishing, drive-by or watering hole attack.
After all, unlike the Washington Post or New York Times, The Onion, like any good satirical commentator, is a must-read for Government types and Politicos ;-)
The best online banking tool is to not keep your money in a bank. It's a tool made by Cyprus Solutions. Check it out.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.