Security in layers
This blog post was going to be a continuation of my last post, “Does Your Domain Have Bad Neighbors?”, but instead I would like to take a few minutes to cover something else that people have been asking me about recently. Oftentimes I get questions along the lines of “What are some things I can do to help protect myself even more from security threats?”
Security should be thought of in terms of layers. The more layers you add, the more you isolate yourself and mitigate potential attack vectors. With the recent uptick in malware using different means of delivery, including malvertising (malicious advertising), drive-by downloads, and the use of TOR, it might be overwhelming to think of ways to protect yourself. There are a few small, simple tricks that I feel can help you focus your efforts where they are most effective:
As you may have heard, the use of advertisements as a means of delivering malware has been increasing rapidly. The methods have changed slightly, however; while it is still highly recommended to avoid clicking on random links, especially from unknown email senders, users can now be infected even without clicking recklessly.
Malvertising works by running malicious code when the advertisement loads in your browser, gathering all of the information it can and sending it back to a Command and Control server, where any number of exploit kits can be used to compromise the client machine. Ad-Block does exactly what its name implies: it blocks the ads shown to visitors of web sites. While the vast majority of ads are safe, it’s that small percentage that causes the most headaches for users and System Administrators alike. OpenDNS took the stance of removing ads from its site back in June, which you can read more about here.
How does No-Script help? Some compromised web pages will attempt to deliver what is known as a ‘drive-by download’, which looks for possible vulnerabilities in a client’s machine, sends that information back to a server, and downloads the exploit kit, much in the same way that malvertising works, minus the ads.
At first you might feel that your Internet experience is not the same, especially with so many sites that use scripting to enhance the user experience. No-Script offers you the option to allow sites you wholly trust to run scripts without having to allow them every time. Globally allowing all scripts is highly discouraged.
TOR is used by many people all over the world to add anonymity to their web browsing. This is especially helpful in places where the Internet is heavily censored, under regimes that might be monitoring dissidents trying to get the word out about repressive actions taking place, and for others who just want to keep their surfing habits private. Recently, however, certain variants of malware have started using TOR as a means of calling out to their Command and Control servers to download more badness (read: CryptoWall 2.0). It does not seem far-fetched to think that other malware families might soon follow suit.

Sometimes I come across rumors that TOR (The Onion Router) cannot be blocked. To a small extent, this is true. To a larger extent, it is not. Below are two simple curl commands you can use to download the IPs used by TOR. These IPs are updated daily, so setting up a cron job to download the lists is pretty easy. After downloading, the IPs are written to two CSV files, one for all the IPs and the other for the exit nodes. These lists can then be added to your firewall rules. I would like to point out that this is by no means a cure-all for blocking TOR-based sites, but it does reduce the means of connection by dropping attempts either coming into or going out of the client system.
curl http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv > Tor_ip_list_EXIT.csv
curl http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv > Tor_ip_list_ALL.csv
Running these commands creates the two files Tor_ip_list_EXIT.csv and Tor_ip_list_ALL.csv.
Essentially, what you are doing at this point is cutting off the call-out from a machine to the first entry point in the TOR relay circuits, preventing connections from being established. I should mention that while this will block malicious connections that use the TOR network, it will also cut off any legitimate web site that might be hosted on the same IP that is not a hidden service AND will prevent you from using TOR altogether.
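To turn one of the downloaded lists into firewall rules safely, it is worth validating every line before it reaches the firewall, so that a header row, a malformed entry or a mangled download does not end up as a rule. The script below is an added example, not code from the original post or from the torstatus site; it assumes the CSV carries one IPv4 address per line, possibly with a header, and uses a constructed sample in place of Tor_ip_list_EXIT.csv.

```shell
#!/bin/sh
# Added example (not from the original post). Converts a Tor IP list into
# iptables DROP rules after validating each line. The CSV layout assumed here
# (one IPv4 address per line, optional header) is an ASSUMPTION about the
# real Tor_ip_list_*.csv files.

# Constructed sample standing in for Tor_ip_list_EXIT.csv: a header, valid
# addresses, a duplicate, and the kind of junk a bad download could contain.
SAMPLE_CSV='ExitAddress
198.51.100.7
203.0.113.42
198.51.100.7
not-an-ip
300.1.1.1
<html>oops</html>'

# Print only well-formed, unique IPv4 addresses read from stdin.
# Each dotted field must be numeric and no larger than 255.
valid_ips() {
    awk -F. '$0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i + 0 > 255) ok = 0
        if (ok && !seen[$0]++) print $0
    }'
}

# Emit one DROP rule per direction for every valid address on stdin.
# Rules are printed rather than applied so they can be reviewed first.
tor_rules() {
    valid_ips | while read -r ip; do
        echo "iptables -A OUTPUT -d $ip -j DROP"
        echo "iptables -A INPUT  -s $ip -j DROP"
    done
}

# Number of rules the sample list produces (used by the test).
sample_rule_count() {
    printf '%s\n' "$SAMPLE_CSV" | tor_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CSV" | tor_rules
```

In a cron job you would feed the real file (for example `tor_rules < Tor_ip_list_EXIT.csv`) and review or load the printed rules; for lists of thousands of addresses an ipset is a more efficient target than one rule per IP.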
Hopefully you find these three small, yet significant, steps helpful in mitigating risk during your Internet experience.