Protecting Internet-facing Systems

7 Apr 2021

Every organization that operates online has Internet-facing systems: the services it must deliver to customers, clients or guests. Those services are non-negotiable; they have to stay up and stay reachable.

Security-minded organizations apply better practices, such as diligently keeping all services patched, and put protection services in front of them: Web Application Firewalls (WAF), frontend proxies that detect and block known attacks, and perhaps anti-DDoS services from the likes of Akamai and Cloudflare. Organizations that follow these practices are generally protected from known threats of the past, and only from those: a WAF or proxy blocks what it has a signature for, and a patch closes a hole that someone has already found. We liken it to driving forward while looking in the rearview mirror.

#secalert

CNAME checking

8 Mar 2021

Trackers are now using DNS CNAME records to hide behind their customers' own domains, an escalation in the war against anti-tracking tools. CNAME cloaking isn't new to those of us in the industry; what's new is how widely it is being adopted. Thanks to Steve Gibson for helping raise awareness in Security Now Episode #808.

Trackers are all about wide distribution of their software, so they make it easy to copy and paste their JavaScript snippet into a website. In the past this approach was invisible to the end user and required no extra work from webmasters or app authors: the snippet simply ran in the user's browser or app and, besides talking to the intended service, reached out to the tracker's own domain as well. It added no load to the main website, and the webmaster got tracking data through a third party. That tracker domain is exactly what anti-tracking blocklists key on, which is why trackers now ask the site to create a subdomain of its own domain (say, metrics.shop.example) whose CNAME points at the tracker: the snippet, its requests and its cookies then all look first-party, and a domain-based blocklist never matches.
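The check the title promises, as an added example and not code from this post: follow each hostname's CNAME chain and flag the ones that leave the site's own registrable domain. The CNAME answers, the site name shop.example, the hostnames and the tracker blocklist below are all constructed; in practice the table would be filled from a resolver (dnspython, or dig +short CNAME), and the registrable-domain logic would consult the Public Suffix List rather than the two-label approximation used here.

```python
# Added example: detect CNAME-cloaked third parties among a site's hostnames.

# Constructed CNAME answers standing in for live DNS (every name is made up).
CNAME_TABLE = {
    "metrics.shop.example": "shop-example.tracker-cdn.net.",
    "shop-example.tracker-cdn.net": "edge.trackerco.com.",
    "assets.shop.example": "d111.cdn-provider.example.",
    "static.shop.example": "cdn.shop.example.",
    "loop-a.shop.example": "loop-b.shop.example.",
    "loop-b.shop.example": "loop-a.shop.example.",
}

# Constructed blocklist of known tracker domains (assumption: you import a real one).
KNOWN_TRACKER_DOMAINS = {"trackerco.com"}


def normalize(name):
    """Lower-case and drop the trailing dot that DNS answers carry."""
    return name.rstrip(".").lower()


def resolve_chain(host, table=CNAME_TABLE, max_hops=10):
    """Follow CNAMEs from host to the canonical name; refuse loops and
    runaway chains instead of spinning forever."""
    chain = [normalize(host)]
    while chain[-1] in table:
        nxt = normalize(table[chain[-1]])
        if nxt in chain or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long starting at {host}")
        chain.append(nxt)
    return chain


def registrable_domain(host):
    """Naive 'last two labels' approximation. Real code must use the
    Public Suffix List, otherwise foo.co.uk and bar.co.uk look related."""
    return ".".join(normalize(host).split(".")[-2:])


def classify_host(host, site_domain, table=CNAME_TABLE,
                  trackers=KNOWN_TRACKER_DOMAINS):
    """Decide whether a hostname embedded on site_domain is really first-party,
    plain third-party (e.g. a CDN, worth a manual look), or a known tracker
    cloaked behind a CNAME."""
    chain = resolve_chain(host, table)
    target_domain = registrable_domain(chain[-1])
    if target_domain in trackers:
        verdict = "cloaked-tracker"
    elif target_domain != registrable_domain(site_domain):
        verdict = "third-party"
    else:
        verdict = "first-party"
    return {"host": normalize(host), "chain": chain, "verdict": verdict}


def audit(site_domain, hosts, **kw):
    """Classify every host a page references; a CNAME loop is reported, not fatal."""
    report = []
    for h in hosts:
        try:
            report.append(classify_host(h, site_domain, **kw))
        except ValueError as err:
            report.append({"host": normalize(h), "chain": [], "verdict": f"error: {err}"})
    return report


if __name__ == "__main__":
    hosts = ["metrics.shop.example", "assets.shop.example",
             "static.shop.example", "loop-a.shop.example"]
    for row in audit("shop.example", hosts):
        print(f"{row['host']:24} {row['verdict']:16} {' -> '.join(row['chain'])}")
```

A host that resolves to its own domain is first-party even if the chain is several hops long; a host that ends outside it but is not on the blocklist still deserves a look, since the blocklist only knows the trackers that have already been caught.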

#secalert

Port 3389 Exploit: Prevent another WannaCry

16 May 2019

On Patch Tuesday (14 May 2019) Microsoft released a fix for a pre-authentication, wormable vulnerability in Remote Desktop Services (CVE-2019-0708), including updates for out-of-support versions of Windows, and outlined the details here:

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

The most immediate steps your organization should pursue are the following:

  1. Block inbound TCP port 3389 at the perimeter so RDP is not reachable from the public Internet; it is only a matter of days, or perhaps hours, before the patch is reverse-engineered into a wormable exploit. Moving RDP to a different port is not a substitute, since Internet-wide scanners find it anyway. To test whether you are publicly visible, use grc.com/shieldsup, which shows not just RDP but any other ports you may be exposing to the public Internet.
  2. Turn off Remote Desktop everywhere it isn't absolutely needed. If you're part of a corporate network, your IT administrators can do this with a Group Policy; otherwise, disable Remote Desktop on each Windows computer individually.
  3. Update Windows immediately using Windows Update. Out-of-support versions such as Windows XP and Windows Server 2003 will not receive the fix through Windows Update; download it from the links in the Microsoft post above.
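The exposure check behind step 1, as an added example and not code from the Microsoft post: a small scanner, run from a host outside your own perimeter against the public addresses you own, that reports whether TCP/3389 completes a handshake. The target addresses in the block are constructed (TEST-NET-3, never routable); the three-way state classification is the usual one, with anything that times out or is unreachable reported as filtered.

```python
# Added example: find hosts that still answer RDP on the public side.
import socket
from concurrent.futures import ThreadPoolExecutor

RDP_PORT = 3389


def tcp_port_state(host, port, timeout=2.0):
    """'open' if a TCP handshake completes, 'closed' if the host sends RST,
    'filtered' if nothing answers (firewall drop) or the address is unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # timeout, no route, or a sandbox refusing network access
        return "filtered"


def scan_for_rdp(hosts, port=RDP_PORT, timeout=2.0, workers=32):
    """Probe each host once, in parallel; returns {host: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda h: tcp_port_state(h, port, timeout), hosts))
    return dict(zip(hosts, states))


def exposed_hosts(results):
    """Hosts where the handshake completed: these need the patch today and
    the port closed at the perimeter."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed target list (TEST-NET-3); replace with your own public addresses.
    targets = ["203.0.113.10", "203.0.113.11"]
    results = scan_for_rdp(targets)
    for host, state in results.items():
        print(f"{host:16} 3389/tcp {state}")
    print("exposed:", exposed_hosts(results) or "none")
```

Only scan address space you are responsible for, and treat a filtered result as "not proven closed": a perimeter that drops packets from one vantage point may still allow a partner network or a VPN range through.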

Note that even with egress control and a strict perimeter firewall, an attack of this kind, once a working exploit exists, needs only one foothold inside the network: a laptop carried in from outside, a phished workstation, or a single forgotten exposed host. From there it spreads host to host over port 3389 without ever crossing the gateway firewall, so take all of the above precautions regardless of how strong your perimeter is.

#secalert

Benefits of URL PING tracking

11 Apr 2019

URL ping is the HTML5 ping attribute on a link: whenever the link is clicked, the browser sends a request to each URL listed in the attribute, separately from the navigation itself, reporting the click (the destination, and in some cases the originating page) to those servers. In Security Now Episode #709, Steve Gibson explains in detail (as he always does so masterfully) how this HTML5 standard has gained velocity in browsers, to the point that in Chrome you can no longer even opt out, with other browsers likely to follow.

This invasion of individual privacy is definitely a problem we want to let our users mitigate.
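One place to mitigate it is before the HTML reaches the browser, for instance in a filtering proxy or a page post-processor: the following is an added example, not code from this post, that re-emits a document with the ping attribute removed from links and image-map areas while leaving everything else as written. The sample page fragment and the tracker host tracker.example in it are constructed.

```python
# Added example: strip the ping attribute from <a> and <area> elements.
from html import escape
from html.parser import HTMLParser

PING_BEARING_TAGS = {"a", "area"}   # the elements the HTML spec gives a ping attribute


class PingStripper(HTMLParser):
    """Re-emits the document it is fed, minus ping attributes on <a>/<area>.
    Text, comments, entities and every other attribute pass through unchanged."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. as written
        self.out = []
        self.stripped = []        # (tag, ping value) pairs removed, for logging

    def _tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:          # names arrive lower-cased from the parser
            if tag in PING_BEARING_TAGS and name == "ping":
                self.stripped.append((tag, value))
                continue
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):      self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs):   self._tag(tag, attrs, True)
    def handle_endtag(self, tag):               self.out.append(f"</{tag}>")
    def handle_data(self, data):                self.out.append(data)
    def handle_entityref(self, name):           self.out.append(f"&{name};")
    def handle_charref(self, name):             self.out.append(f"&#{name};")
    def handle_comment(self, data):             self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl):                self.out.append(f"<!{decl}>")
    def handle_pi(self, data):                  self.out.append(f"<?{data}>")


def strip_ping(html):
    """Return (rewritten_html, list_of_removed_ping_values)."""
    parser = PingStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), [value for _, value in parser.stripped]


if __name__ == "__main__":
    # Constructed page fragment; the tracker host is made up.
    sample = ('<p>See <a href="/offer" ping="https://tracker.example/hit?id=42">'
              'this offer</a> &amp; <a href="/about">about us</a>.</p>')
    cleaned, removed = strip_ping(sample)
    print(cleaned)
    print("removed ping targets:", removed)
```

The rewriter normalizes attribute quoting (single-quoted values come out double-quoted, entities inside values are re-escaped), which is harmless to the page but worth knowing if you diff input against output. It does nothing about links that a script adds after load; that case needs the same rule applied in the browser, for example by an extension.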

#tracking