While reading recent articles on the Sony breaches, I noticed many comments in the forums saying things like, “if you connect to the Internet, you should consider yourself breached.” Although I understand the sentiment, I can’t help but wonder, is it really that bad?
Many moons ago, I rebuilt my Internet connection, firewall, and home network, all at the same time. For the sake of curiosity, I installed IDS software on an old, unpatched PC, and watched as I connected the system, exposed, to the Internet. At the time, I saw the IDS software identify an out-of-order port scan starting within about 15 seconds from the time I connected the computer to the outside world. Within 10 minutes of the completion of the scan, someone started trying remote connections. I was amazed to see how fast the threats appeared.
But, based on the comments about the Sony breach, I wonder if this same thing would happen now? Does a connection to the Internet entail an automatic breach?
As part of a completely informal “Internet Security Threat Evaluation,” I employed an entirely unscientific methodology. I used a reasonably patched XP system called “Grendel,” and put it in an unfiltered DMZ on my Internet router. For antivirus and malware protection I used Norton Antivirus, Avira AntiVir free edition, Malwarebytes and Bitdefender free editions, not all at the same time. I used ZoneAlarm and BlackICE to complement the identification of threats. I also used the ESET Online Scanner to help verify results from a source outside of Grendel.
One by one, I manually scanned Grendel with each of the security products, and then put the system online. I was slightly surprised when, after four hours of exposure, I detected no overt scans or probes of Grendel. After four hours, I took the system offline, and re-ran the manual scans, finding no new threats. I then left Grendel up overnight, and saw the same results. Nothing.
To elevate my exposure, I used Google to launch a series of searches on Lindsay Lohan, Charlie Sheen, the NFL draft, Facebook security, and a watchable version of the movie Sucker Punch, along with several other searches. I then proceeded to browse like a crazy person. I did limited filtering of search results, and pretty much just clicked through on the highest ranked results for each search. All in all, I was a very bad boy. Within about 15 minutes, I got my first hit: Bloodhound.exploit.281, detected and blocked. Then again, two more Bloodhounds in the next 10 minutes. An Explorer pop-up asked me to reset my homepage, and responded with “Are you sure?” when I tried to close it. I accepted the close, and in a few seconds identified a VBS.downloader.trojan. Another 10 minutes gave me my first fake “Virus detection” and I was offered a free online scan, which I accepted. I was immediately rewarded with Antivirus 2011/Windows Security Center. Grendel’s outbound firewall blocked a series of connections to our comrades in domains at .li and .ru. I’ve gone through this before, so it was easier just to restore a backup.
I soon continued my click happy ways. In the next 45 minutes, I captured Bloodhound.PDF and Backdoor.Trojan. I was prompted to run several executables to watch the movie, on which I passed. I was informed that “This website wants to run the following add-on…”, but I passed on that one also. My final hit was Trojan.Gen.2, which came three times over several minutes. My security software also blocked many redirects to sites at .li, .ru, .cz, .nl, one to .ca, and even a couple that showed up as “unassigned.”
If I take out the time spent rebooting and restoring, I spent a total of close to 90 minutes clicking through search results and following whatever links popped up. In that time, I had the following results:
1. Explorer locked up twice (not responding…)
2. Explorer failed to “close” the active window two times
3. 10 exploits attempted
I rescanned Grendel to try to verify that I still had a clean system, then went back online and searched and clicked more carefully. I did the same searches, but checked the results as I clicked. If Symantec said “Site is unsafe” I avoided clicking onward. When I reached a new page, I would carefully check the link before proceeding (hover your mouse over the link and check what the exposed URL at the bottom of the Explorer window says), and found several cases where the link on the screen did not match the actual exposed URL at the bottom of the page. I followed many links, and opened many new pages, though admittedly, I browsed at a slower pace than before. Over the next 45 minutes, I was a “careful user,” and Internet Explorer locked up once, but I saw no overt signs of exploit. My security software reported no identified issues.
So what did I learn? Keep in mind that my approach was completely unscientific, and I definitely browsed like a home user rather than a corporate user. However, I can make the following observations:
1. A few years ago, when I exposed my unprotected system to the Internet, I was scanned within seconds. This time, Grendel was not scanned at all, even though the system sat exposed for some 20 hours. There is, I guess, some small chance that I was scanned and did not see it. But, I think it reasonable to assume that I was not scanned at all. I felt more secure just because my system was not instantly poked, however unreasonable that might be. And the fact that Grendel remained “unpoked” overnight made me feel even better.
2. When I clicked everything in front of me, it was only a matter of minutes before I stumbled across something that was detrimental to the health of my computer security. Several of the attempted downloads included rootkits and other badness, so any one of them could have compromised my security. And, when I was foolish, I clicked across 10 exploits in less than 90 minutes, about one every eight or nine minutes. Granted, there were times where it seemed like I was actually looking for the worst places on the screen where I could find a place to click. In addition, I followed what were really some pretty obviously dangerous links. But, if I can click the link, anyone can, so the testing was not completely bogus.
3. When I browsed like a responsible (paranoid) person, I identified no security issues. Admittedly, I only browsed safely for about 45 minutes, and by then I was bored with it. But, if I had browsed crazily for the same amount of time I would have seen four or five exploit attempts.
4. This test may have been less valid than it could have been since I used no social media in the process. I avoided exposing my Facebook account and any personal information (like online banking). I did “shop” at least enough to start the process, but did not enter any real information, and certainly no valid credit card data. One shopping site I hit offered me a nice convenient http: page into which I could submit my credit card number (no SSL).
So, the truth of the matter is that the Internet is probably somewhere in between. People don’t click through websites like they are having some kind of convulsion, nor do they completely avoid everything that is even slightly suspicious. But, based on my testing, I am reinforcing the following recommendations, however obvious, for “safer” Internet use for both corporate and home users:
1. Keep your system patched to current versions of software. This is especially true for browser plug-ins such as Java and PDF readers, which is where the drive-by attempts above were aimed. I don’t know how many more threats I would have faced if my system was unpatched. Grendel was pretty current and I still saw both Java and PDF attacks.
2. Run anti-virus software that includes malware protection/detection. It was never my intent to actually do formal testing of the actual tools I used, and most of the stuff I used was the free version. With even casual pairing of anti-virus and anti-malware products, I saw similar results with all the security software I used: no software stood out as being significantly better or worse. But, having anti-virus AND anti-malware software consistently produced better results than having only one. I think the proper message is that it is probably more important to use something you are comfortable with than it is to use the “best” thing. Keep it current, let it run in protection mode, and scan systems periodically.
3. Be in control when you browse. Check your sites, and don’t just blindly follow links; that will get you in trouble. Hover over a link and compare the visible text with the URL the browser shows in the status bar, and never enter card details on a page or form that is not served over HTTPS. Use a browsing reputation tool like Symantec’s Safe Web or McAfee’s SiteAdvisor that rates sites as safe or unsafe. They are not replacements for caution, but are another layer of protection.
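Two of the warning signs above, a link whose visible text names one site while its real target is another, and a shopping form that would send a card number over plain http:, can be checked mechanically. The script below is an added example written for this article, not code from the original post; it runs offline in Node on constructed sample data (the hostnames, page URL and field names are made up), and in a browser the same two functions could be fed data pulled from document.querySelectorAll("a") and document.querySelectorAll("form").

```javascript
// Added example (not from the original post): audit a page's links and forms
// for the two warning signs discussed above. All sample input is constructed.

// Naive "site" of a hostname: the last two labels (example.com). Good enough
// to ignore www./cdn. prefixes; a real tool would use the Public Suffix List.
function site(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// If the link's visible text looks like a URL or hostname, return that host,
// otherwise null (text like "click here" cannot be checked this way; only the
// hover check helps there).
function hostInText(text) {
  const m = /^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[\/?#:]|$)/i.exec(text.trim());
  return m ? m[1] : null;
}

// anchors: [{ text, href }]; pageUrl is used to resolve relative hrefs.
// Returns links whose displayed site differs from the site they really go to.
function auditLinks(anchors, pageUrl) {
  const findings = [];
  for (const a of anchors) {
    const shown = hostInText(a.text);
    if (!shown) continue;
    let real;
    try {
      real = new URL(a.href, pageUrl).hostname;
    } catch {
      continue; // unparseable href: nothing to compare
    }
    if (site(shown) !== site(real)) {
      findings.push({ text: a.text, href: a.href, shownSite: site(shown), realSite: site(real) });
    }
  }
  return findings;
}

// Field names that suggest payment-card data (assumed heuristic).
const CARD_FIELD = /card|ccnum|cvv|cvc|expir/i;

// forms: [{ action, fields }] where fields are input names. An empty action
// submits to the page's own URL, exactly as a browser does, so a card form on
// an http: page is flagged even though it names no target.
function auditForms(forms, pageUrl) {
  const findings = [];
  for (const f of forms) {
    const cardFields = f.fields.filter((n) => CARD_FIELD.test(n));
    if (cardFields.length === 0) continue;
    const target = new URL(f.action || "", pageUrl);
    if (target.protocol !== "https:") {
      findings.push({ action: target.href, fields: cardFields });
    }
  }
  return findings;
}

// Constructed sample page (hypothetical hosts, not findings from the post).
const PAGE_URL = "http://shop.example.org/cart";
const SAMPLE_ANCHORS = [
  { text: "http://www.example-bank.com/login", href: "http://example-bank.com.evil.example/login" },
  { text: "https://example.com/movie", href: "https://www.example.com/movie" },
  { text: "Watch the movie now", href: "http://free-movie.example/play.exe" },
  { text: "shop.example.org", href: "/deals" },
];
const SAMPLE_FORMS = [
  { action: "http://shop.example.org/checkout", fields: ["name", "card_number", "cvv"] },
  { action: "https://pay.example.org/checkout", fields: ["cardNumber", "expiry"] },
  { action: "", fields: ["q"] },
  { action: "", fields: ["ccnum", "exp_month"] },
];

console.log(auditLinks(SAMPLE_ANCHORS, PAGE_URL)); // one mismatched link
console.log(auditForms(SAMPLE_FORMS, PAGE_URL));   // two card forms over plain http
```

Only the first anchor is reported: its text claims example-bank.com but the href lands on evil.example. The second and fourth pass because www. and a relative path resolve to the same site, and the third is skipped because "Watch the movie now" is not a URL, which is exactly why the hover check still matters. Both card forms on the http: page are reported, including the one with an empty action.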
In the end, my results suggest that the boogieman is not really out there looking for the common user. You can, however, find him pretty easily if you are foolish.