Take a moment to consider this question: What is the most important piece of software on your computer right now? Maybe you have some expensive industry-specific licensed juggernaut. Maybe you’re a home user who just really likes Solitaire. But I would suggest that the most important program of all may be very good at going unnoticed: your web browser. Whether you use Google Chrome, Mozilla Firefox, Internet Explorer, or something else, for many people the browser has effectively become the operating system. No wonder Google now sells a computer that is effectively nothing but a web browser. It’s amazing how much can be accomplished without ever touching the actual operating system.
The browser is also a security risk, and a commonly overlooked one at that. More than any other common application, web browsers represent the largest attack surface of the common workstation, as nothing else deals with so much content straight from the Internet. It’s no longer enough to simply not download suspicious files, avoid unknown links, and only visit websites you know. Malicious software, including ransomware, can be installed on a computer simply by visiting a site with malicious advertising, a practice known as malvertising. Even well-known and well-regarded sites can serve up malicious advertising, as many ads are served by third-party ad networks with lax vetting and security measures.
Thankfully, there are some measures we can take to put control back into our own hands.
Use a good browser
To start, a defense is only as good as the platform it is built upon. For most users, Google Chrome is the browser of choice. It features built-in PDF reader and Adobe Flash components, and frequent, automated updates – a relief considering the frequency with which flaws are found in both of those applications. It also has integration with Google’s web crawler, which does an impressive job detecting untrustworthy sites and warning the user before they are allowed to visit. Finally, it has integrated sandboxing, keeping running code isolated from other processes. In fact, Chrome can be installed without administrator rights, further restricting the impact that any attacking code could have on the host system. Chrome does have a tendency to use a lot of system resources to maintain these features, however, so it may not be well suited to older hardware.
Mozilla Firefox used to be the information security professional browser of choice, given its adaptability and extensive library of extensions, but it has recently started lagging behind the rest of the pack. In fact, at the recent Pwn2Own hacking contest, Firefox was not an accepted target as it had not had sufficient “serious security improvements in the last year”. Still, it remains a better browser than Internet Explorer, and supports many of the same extensions as Chrome.
With the release of Windows 10, Microsoft has replaced Internet Explorer with Microsoft Edge, a browser built from scratch to leave behind the flaws of the outdated Internet Explorer code. Depending on who is doing the reporting, Edge is either a marked improvement, more of the same, or even worse off than it was before. The final verdict remains to be seen, but Google Chrome is presently the browser to beat.
Install an ad blocker
As mentioned, compromised advertising networks are the primary delivery method for modern malware. Installing an extension that selectively declines to load any portion of a webpage it recognizes as a likely ad combats this risk. It also has additional benefits: ads tend to be rather intrusive and obnoxious, and not loading them can considerably speed up your web browsing experience. In fact, in a comparison of different ad blocking extensions, the homepages of popular sites like CNN and CNET saw their load times cut in half or better.
The best ad blocker available right now is uBlock Origin, available for both Chrome and Firefox. Actually, simply calling it an ad blocker sells it rather short, as it offers many security features outside of simple ad blocking. The creator states that the intended purpose is a robust privacy protection platform, designed to defeat user tracking, malware, and other web concerns. Ultimately, what makes uBlock Origin so effective is the very minimal effort required to install and maintain – the default settings are most likely totally sufficient for most users, while users who want a more customized experience are able to dig under the hood and configure to their hearts’ content. Viable alternatives include AdBlock Plus, but no other offerings come close to the success and ease of use of uBlock Origin.
It is worth mentioning that obviously not everybody thinks that ad blocking is a good idea – namely, organizations that rely on advertising for revenue. There is a large-scale debate in tech about how to handle advertising, considering both the risk and annoyance it forces upon users, as well as how to monetize on the internet. For a more in-depth look at both the technology and the politics behind ad blocking, I highly recommend this TechCrunch article on the topic.
Disable multimedia content
Despite the best efforts of Adobe, Google, and others to keep their multimedia platforms up-to-date, they are fighting a constant battle against flaws of most multimedia formats. By default, browsers will render PDF and Flash content from webpages if they are capable of doing so. Changing the behavior from “run automatically” to “click to run” limits the exposure to potentially harmful code execution, thereby reducing the browser’s attack surface.
In Chrome, the content options can be found under privacy settings – a search in the settings menu should find them quickly. Select the option for “Let me choose when to run plugin content”. This will make the browser show a dark gray box wherever content has been intentionally not displayed. A simple right-click to bring up the run menu should be all it takes to display any content that the user actually desires. Sometimes a website may have a stubborn overlay or similar, in which case the user may click the puzzle piece with a red X in the address bar to select a “run all this time” option. Firefox has a similar setting, asking that each plugin be set by a drop-down menu for default behavior instead.
Enforce secure connections
While most sites are intelligent enough to default to an HTTPS connection when one is available, it is not always a guarantee. The HTTPS Everywhere extension from the Electronic Frontier Foundation attempts to solve this problem by having the browser check for a secure HTTPS connection before falling back to the insecure HTTP standard. While it’s not a perfect solution, it’s a good stop-gap while SSL certificates are becoming easier than ever to configure and install.
If something does compromise the browser, it will likely start behaving in unexpected ways. If something about your browser experience changes, such as a different homepage or all search engine links leading to the same result, then something may have slipped past. The first step to remediation should be to inspect which extensions are currently loaded in the browser. In Chrome, this is available at chrome://extensions. For Firefox, Mozilla has published instructions on how to handle add-ons. Internet Explorer, the most likely to be impacted if it is the primary browser, has similar instructions, but problematic extensions tend to be difficult to clean out manually without performing a complete reset.
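The extension inspection described above can also be done from disk. This is an added example, not part of the original post: it assumes the Chrome profile keeps each installed extension as `Extensions/<id>/<version>/manifest.json`, and it flags extensions that override the homepage or search engine or that request access to every site. The sample extensions, their IDs and names are constructed.

```python
import json
import tempfile
from pathlib import Path

# Manifest keys that let an extension change the homepage, search engine or new tab page.
OVERRIDE_KEYS = ("chrome_settings_overrides", "chrome_url_overrides")
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_dir):
    """Return one finding per installed extension version under extensions_dir."""
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "name": None, "flags": ["unreadable manifest"]})
            continue
        flags = [f"overrides {what}" for key in OVERRIDE_KEYS for what in manifest.get(key, {})]
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        if any(p in BROAD_HOSTS for p in perms if isinstance(p, str)):
            flags.append("can read and change data on all sites")
        findings.append({"id": ext_id, "name": manifest.get("name"), "flags": flags})
    return findings

def build_sample_profile(root):
    """Write two constructed extensions (made-up IDs and names) for the demo."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Constructed Notes", "version": "1.0", "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "name": "Constructed Search Helper", "version": "2.3",
            "permissions": ["tabs", "<all_urls>"],
            "chrome_settings_overrides": {"homepage": "https://search.example/",
                                          "search_provider": {"name": "Example"}}},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_extensions(build_sample_profile(tmp)):
            print(finding["id"], finding["name"], finding["flags"] or "no flags")
```

To audit a real profile, pass the path of its `Extensions` folder to `audit_extensions`. Names that appear as `__MSG_...__` are localisation placeholders resolved from the extension's `_locales` folder.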
Finally, the previously mentioned tactics of inspecting links before following them and carefully vetting all downloaded files are still very valuable practices. After all, these security measures aren’t designed to restrict the ability to use the Internet in a productive, efficient manner, only to reduce the likelihood of compromising code interacting with your computer in the first place. Ultimately, the responsibility for ensuring safety online is up to the user.
Latest posts by Tyler Butler
- Pentesting the Hard Way, Part One: What is a Pentest? - July 12, 2016
- Security for Everybody: Secure Your Browser - June 21, 2016
- Cracking Domain Passwords from NTDS.dit with Metasploit and john - May 3, 2016