6

Another question inspired by a recent discussion in the 'The DMZ' chatroom.

Long story short: IT guys are worried that accountants' workstations may become compromised because accountants watch cat meme websites. Proposed solution: Lock down the devices used by accountants so that they may not watch cat meme websites.

Are cat meme websites inherently dangerous?

I've heard anecdotes about compromised websites of local parishes installing malware on visitors' computers in a drive-by-download fashion. Then is there such a thing as a website that is not inherently dangerous?

I don't really know what accountants need to do their work. But if the development workstation used to author and compile the software then used by accountants is compromised, then the devices used by accountants are compromised as well. And, from my experience, access to the internet is very helpful when making software. Not (only) for two minutes of relief by dropping in on a cat meme website and then immediately going back to work.

Yes - most often I end up on StackExchange or on other 'well known' (and therefore (relatively?) safe?) forums. But not exclusively; sometimes I do end up on a forum I've never seen before. Also, who hasn't ever been redirected to a malicious website from a legitimate (but compromised?) one?

Also, is StackExchange indeed 'safe'? To play devil's advocate: this is a forum for technical people. Statistically speaking, it is more likely that visitors of StackExchange will be able to pull off an XSS attack or something against other visitors of the website than visitors of a cat meme site.

Perhaps this was naivety on my side, but I usually thought that browsing the web is (supposed to be?) a relatively safe thing to do (barring stupidities such as downloading & running cracks). But now I hear that a machine is untrusted solely by virtue of having been used to watch a cat meme?

In that case, is the only solution to lock all machines used for professional purposes so tightly that only a select few websites absolutely necessary to do one's job are accessible? But won't doing so harm employee productivity very badly (as it is sometimes useful to browse the web for a solution to a work-related problem)?

Realistically, how likely are cat meme websites to compromise a machine?

gaazkam
  • 5,657
  • 11
  • 24
  • 38
  • The title and the body of the question don't match. The title asks about _random_ web sites, the body about web sites in the specific interest of the user, i.e. clearly not random. How dangerous these are depends on the kind of web sites - because in some cases being dangerous or having a relaxed attitude regarding protecting the user is part of the business model of these sites. So either this question is too imprecise in what it is asking or is actually asking for a variety of opinions about this (such questions are off-topic). – Steffen Ullrich Sep 30 '21 at 20:12
  • The Aurora exploit used to compromise Google is an excellent example that this is indeed possible when using outdated web browser or when 0 days for such browsers exist. Another common attack vector is that sites include remote libraries that are not under their control, which may be compromised and inject malicious code. – Jeroen Sep 30 '21 at 20:51
  • Also, there is the problem that an accountant might click OK on a dialog they got even if it said "We need to install a virus on your computer so you can view this cat video, click OK to continue", whereas one would hope this would be less likely for the people who visit here. – user10489 Sep 30 '21 at 22:46
  • While zero day issues are still a problem, the problem might not be that they can view cat videos, but that they are allowed to install any random piece of software offered. And some zero days take advantage of this, and find ways to install without them clicking on the dialog box. – user10489 Sep 30 '21 at 22:48
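Jeroen's comment mentions sites that include remote libraries they do not control, which can be altered at the source and inject code into every page that embeds them. The thread does not name the browser-side mitigation for that specific vector, Subresource Integrity (SRI): the page pins the script to a hash, and the browser refuses to run fetched bytes that no longer match. The Python below is an added example, not code from the question or any answer; the library bytes and the CDN URL are constructed, and the checker only models what the browser does with the integrity attribute.

```python
import base64
import hashlib
import hmac

# Constructed sample: the exact bytes of a third-party script a page embeds.
LIBRARY_JS = b"window.catWidget = function () { return 'meow'; };\n"

# The only digest algorithms the SRI specification permits.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value for body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI permits only {SRI_ALGORITHMS}, got {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag that pins the library to the bytes reviewed today.
    crossorigin="anonymous" is required for SRI checks on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_digest(body, algo)}" '
            f'crossorigin="anonymous"></script>')


def integrity_matches(fetched: bytes, integrity: str) -> bool:
    """Model the browser check: hash the bytes actually fetched and compare them
    with the pinned value. On a mismatch the browser does not execute the script."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_digest(fetched, algo), integrity)


if __name__ == "__main__":
    # Hypothetical CDN URL, used only to show the resulting tag.
    tag = script_tag("https://cdn.example/catwidget.js", LIBRARY_JS)
    print(tag)
    pinned = sri_digest(LIBRARY_JS)
    # Constructed case: the file on the CDN changed after the hash was pinned.
    changed = LIBRARY_JS + b"/* bytes changed on the CDN after pinning */\n"
    print("original verifies:", integrity_matches(LIBRARY_JS, pinned))
    print("changed verifies:", integrity_matches(changed, pinned))
```

SRI only helps for resources whose bytes the embedding site has reviewed and does not expect to change silently; a library loaded from a "latest" URL defeats the point, because every upstream update would break the hash, so the pin is paired with a versioned URL.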

4 Answers

1

Then is there such a thing as a website that is not inherently dangerous?

Yes. Intranet sites for organizations, sites without remote scripts or frames, text-only repositories: those are safer than the average random site.

This is a forum for technical people. Statistically speaking it is more likely that visitors of StackExchange will be able to pull off an XSS attack or something against other visitors of the website than visitors of a cat meme site.

I disagree. You are right that more people on StackExchange would be able to pull off an XSS attack, but I believe admins at StackExchange would be much more likely to detect the attack than admins at a meme site. And one attacker is enough to XSS the cat meme users.

Realistically, how likely are cat meme websites to compromise a machine?

and

But now I hear that a machine is untrusted solely by virtue of having been used to watch a cat meme?

There's an attack called Watering Hole:

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected.

Using Watering Hole attack and a Remote Code Execution on a popular browser, an attacker can have a good chance of attacking one of your users if they know which sites they usually access. That would allow the attacker to compromise their computers, and steal credentials, backdoor applications, things like that.

Disallowing access to any site that isn't strictly needed reduces the attack surface by a lot. For example, at a client I work with, I have a locked-down VDI: it's not possible to access any external site, and even DNS resolution for external resources won't work. As it can only access internal resources, any attacker trying to compromise the VDI would need internal access to the servers I access, in which case they would not have to compromise my VDI at all.

ThoriumBR
  • 51,983
  • 13
  • 131
  • 149
  • 1
    "*For example, on a client I work with, I have a VDI locked down, it's not possible to access any external site, and even DNS resolution for external resources won't work.*" - Then is the best practice to offer each employee *two* devices instead of one - one device has access to the internal resources of the company and no access to anything external, and the second device can be used to look something up on StackOverflow if needed and/or to respond to work-related e-mails while having no access to the company's internal resources? – gaazkam Oct 01 '21 at 11:07
  • Copy and paste usually works across devices. – ThoriumBR Oct 01 '21 at 17:29
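ThoriumBR's VDI reaches only internal resources, and the answer's point is that everything not strictly needed is cut off. Before enforcing such an allowlist at the proxy or DNS resolver, a practical step is to replay existing proxy logs against the proposed list and see what each workstation would lose, so that a legitimate need (the payroll portal on a non-standard port, for instance) is caught before the policy breaks someone's work. The Python below is an added example and not code from the answer; the allowlist entries, hostnames and log lines are all constructed, and the log layout (timestamp, workstation, user, method, URL, status) is an assumption rather than any particular proxy's format.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist for one role: the only hosts accounting workstations need.
# An entry is an exact hostname or a "*.suffix" pattern covering all subdomains.
ACCOUNTING_ALLOWLIST = [
    "erp.internal.example",
    "*.internal.example",
    "login.microsoftonline.com",
]

# Constructed proxy log lines: timestamp, workstation, user, method, URL, status.
SAMPLE_PROXY_LOG = """\
2021-10-01T11:07:02Z acct-ws-01 alice GET https://erp.internal.example/ledger 200
2021-10-01T11:07:09Z acct-ws-01 alice GET https://cdn.catmemes.example/widget.js 200
2021-10-01T11:08:30Z acct-ws-02 bob GET https://login.microsoftonline.com/common/oauth2 302
2021-10-01T11:09:01Z acct-ws-02 bob GET http://ads.tracker.example/pixel.gif 200
2021-10-01T11:09:44Z acct-ws-02 bob GET https://payroll.internal.example:8443/run 200
"""


def host_allowed(host: str, allowlist) -> bool:
    """Exact match, or suffix match for '*.suffix' entries. The wildcard never
    matches the bare suffix, so '*.internal.example' does not allow 'internal.example',
    and the suffix must end the name, so 'internal.example.other.test' is refused."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def parse_proxy_line(line: str):
    """Return (workstation, user, host) or None for a line that does not parse."""
    fields = line.split()
    if len(fields) != 6:
        return None
    _, workstation, user, _, url, _ = fields
    host = urlsplit(url).hostname  # strips scheme, port, path and userinfo
    if not host:
        return None
    return workstation, user, host


def audit(log_text: str, allowlist):
    """Evaluate every request against the allowlist without enforcing anything;
    returns (workstation, user, host, 'allow'|'block') per parsed line."""
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        workstation, user, host = parsed
        verdict = "allow" if host_allowed(host, allowlist) else "block"
        decisions.append((workstation, user, host, verdict))
    return decisions


def blocked_hosts_by_workstation(decisions):
    """Group the hosts the policy would cut off, per workstation, so the list
    can be reviewed for legitimate business needs before enforcement."""
    blocked = defaultdict(set)
    for workstation, _, host, verdict in decisions:
        if verdict == "block":
            blocked[workstation].add(host)
    return {ws: sorted(hosts) for ws, hosts in sorted(blocked.items())}


if __name__ == "__main__":
    result = audit(SAMPLE_PROXY_LOG, ACCOUNTING_ALLOWLIST)
    for row in result:
        print(*row)
    print(blocked_hosts_by_workstation(result))
```

The same host-matching rule is what a DNS response policy or proxy allowlist enforces in production; running it in audit mode first turns the "people will find a workaround" objection from Tom's answer into a concrete list of what the policy would block, which can then be argued over host by host.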
1

Perhaps this was naivety on my side, but I usually thought that browsing the web is (supposed to be?) a relatively safe thing to do (barring stupidities such as downloading & running cracks). But now I hear that a machine is untrusted solely by virtue of having been used to watch a cat meme?

"untrusted" is not the same as "compromised".

Cat memes are content potentially served from websites with lax security and little concern for visitors, probably including less reputable ad networks. There have been cases of ad networks serving malware. In other words: the concerns of IT are not entirely baseless. If the threat level to your company or the security requirements for the accountants' data are elevated, this risk, though not especially high, may well exceed the risk appetite of the company.

Of course, I don't assume that anyone in IT has actually quantified the risk and made a rational decision, it's probably more of a gut feeling thing.

In general, the web is not a safe space. It is safe enough for most purposes, in the sense that driving a car is safe enough for millions of people to do it every day - but there are about 1.25 million road deaths a year (globally). So it's not really very safe. The web is very similar. Almost everyone will be OK almost every day. If IT is worried about the "almost" part, then a solution (sandboxed browser? browsing via Citrix? there are plenty of ideas) should be found. Just locking down systems (i.e. taking away stuff) is rarely the solution - people will find a workaround. Give them a solution.

Tom
  • 10,201
  • 19
  • 51
-1

How likely is it to be compromised by browsing a random website? I'd say not very, as there are a lot of good websites, and only a few ones containing malicious code.

Now, not having anything against cat meme websites or accountants in particular, but using both as an example, how likely is it that your accountant would be targeted by a phishing email to visit a constructed cat meme website containing malicious code, and that they'd share it with all their accountant friends? I'd say the chances are high enough to be worried.

The key here is to weigh the risks of your company's money being stolen by hackers who targeted your accountants vs. the convenience of allowing the accountants a pleasant break during their lunch hour.

And banning them from viewing cat videos is not the only way (and probably not even the best way) to mitigate this risk. You can also filter email for phishing, lock down their computer to make it difficult to install malware, only allow approved software to run, keep the web browsers, office software, and operating system patched at the latest release, etc.

However, as the dollar amount goes up and the risk becomes higher, possibly the system should be locked down more. Ultimately, the solution might be to make the computer so unpleasant to use that they only do financial transactions on it and nothing else, and provide a second computer to watch cat videos and read emails.

user10489
  • 1,305
  • 1
  • 3
  • 13
-1

This may be a somewhat controversial take, but I would contend that, generally speaking, the risks of merely visiting a malicious site (whether by browsing random cat sites or clicking a link in an email) tend to be exaggerated by the security community.

The primary danger in visiting a malicious site is that the site will try to trick you into taking some action that exposes you or your organization to attack. This may include tactics like pretending to be a legitimate site and asking for sensitive information (like your password), or instructing you to grant the attacker extensive permissions on your machine by downloading and running a malicious executable.

The ways in which such a site might try to trick you are many and varied, so usually security advice/training from experts tends to focus heavily on stopping you from visiting the malicious site in the first place, rather than going over every possible way it might try to trick you after you visit it. Usually though (with one exception that we'll discuss in a moment), merely visiting a malicious site isn't particularly dangerous in and of itself; it's what you do after that which can cause problems. (Though to be fair, depending on how computer savvy the victim is that may indeed be a significant risk.)

The one exception to this is when there is an unfixed flaw in your browser that allows a malicious website to attack your machine directly. From the average user's perspective these flaws are extremely rare and unlikely to be exploited so long as your browser is kept up to date, and so are not typically worth worrying about unless you are a high-value target like a government official, celebrity, political activist, or someone else who is likely to be individually targeted by a powerful organization. If you do fall into one of those categories, it is likely that more extreme measures may need to be taken to ensure your security; merely avoiding malicious sites is probably insufficient.

Ajedi32
  • 4,695
  • 2
  • 26
  • 61