Seguridad Corporativa con Internet Explorer 8 - Alejandro Ponicke (aponicke@microsoft.com), Juan Ladetto ([email protected])

Upload: microsoft-argentina-y-uruguay-official-space. Posted on 02-Dec-2014.


2. Agenda
Evolution of Internet Explorer. History.
The browser as the entry point for the threats swarming on the Internet; responsible browsing.
Cross-site scripting (XSS exploits), ClickJacking and SmartScreen filtering.
The best help from the least expected place: the power of Group Policies controlling IE.
Deployment optimization. Recommendations.
Extensibility: use case IE for Kids.
Introduction to IEAK. Uses.
3. Evolution of Internet Explorer
Internet Explorer 1 - 15 August 1995
Part of Microsoft Plus! (Internet Jumpstart Kit in Plus!). Internet Explorer 1.5 ships a few months later and supports table rendering.
Internet Explorer 2 - 22 November 1995
Now supports SSL, cookies, VRML, newsgroups.
Internet Explorer 3 - 13 August 1996
Starts to become popular; the first browser to support CSS; Java and ActiveX controls are added; ships with other add-ons: Mail and News, NetMeeting and Address Book. (The Internet and browsers start to become a target for hackers.)
Internet Explorer 4 - 17 September 1997
Adapts to the OS and now, with Windows Desktop Update, turns the Windows desktop into Active Desktop. Now supports Group Policy; Internet Mail is now Outlook Express, and it now also ships with MS Chat.
4. Evolution of Internet Explorer
Internet Explorer 5 - 18 March 1999
Included in Windows 98 SE; now supports bidirectional text, XML, XSL, ruby characters, MHTML and, best of all, AJAX is born (XMLHttpRequest). Last version for Mac and Unix.
IE 5.5 adds 128-bit SSL, printing improvements, standards-compliant HTML and CSS.
5. Question
When was Internet Explorer 6 released?
6. Evolution of Internet Explorer
Internet Explorer 6 - 27 August 2001
Improvements in DHTML, inline frames, partial support for CSS 1, DOM 1 and SMIL 2.0, IEAK (can now be customized).
Support for this version ends in 2010.
Internet Explorer 7 - 18 October 2006
Improvements in web standards, tabbed browsing, search, anti-phishing filter and many more.
Internet Explorer 8 - 19 March 2009
Security, ease of access, standards, RSS, CSS and AJAX are the priority. Rendering engines (IE7).
Internet Explorer 9 - ???
7. IE8 Architecture
8. Evolution & Change
Web 2.0 - significant benefits & challenges
Blended threats shifting from the browser
Decreasing consumer trust and confidence
Data Governance & Regulations
Privacy & User Preferences
Rapid pace of threat innovation
Organized Crime On The Rise
[Chart on slide: attacker profiles by motivation and skill. Motivations: Corp Data & National Interest, Personal Gain, Personal Fame, Curiosity. Actors: Spy, Thief / Organized International Crime, Vandal, Script-Kiddy. Skill levels: Amateur, Expert, Specialist.]
9. Security by the Numbers
Perception vs. reality
10. Top Concerns
Top User Concerns
Protection from intrusions
Protection from harm
Control on data / privacy
Business Concerns
Data governance / corporate IP
Business Interruption / productivity
Impact to brand on consumer confidence
11. Internet Explorer 8 Trustworthy Browsing
Browser Vulnerabilities: Build on a secure foundation
Security Development Lifecycle (SDL)
Protected Mode
ActiveX Controls
DEP - Data Execution Prevention
Web Server & Applications: Extends browser protection to the web server
HttpOnly cookies
Group Policies
XDomainRequest - Cross Domain Requests
XDM - Cross Domain Messaging
XSS Filter - Cross Site Scripting
ClickJacking Defense
Social Engineering & Privacy: Confidently bank, communicate & shop
Extended Validation (EV) SSL Certificates
SmartScreen Filter Blocks Phishing & Malware
Domain Highlighting
Enhanced Delete Browsing History
InPrivate Browsing & Blocking
(Features are tagged IE 7 or IE 8 on the slide.)
12. Browser Vulnerabilities
13. Browser Vulnerabilities
ActiveX Hardening & Enhancements
Can it be used? - Opt in: Is the control permitted to run in the browser without a prompt? (IE7)
Exploit Controls - ActiveX Killbits: Has the control been flagged as unsafe? (IE5)
Where? - Per site: Is the control permitted to run on this site? (IE8)
14. Browser Vulnerabilities
ActiveX Hardening & Enhancements
Who? - Per User: Doesn't require elevating admin privileges
Doesn't require users to have admin privileges to install
Can be disabled through Group Policy
15. Web Server & Applications
16. Web Server & Applications
Secure data exchange: Cross Domain Communication
Same-Origin Policy
Permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions but prevents access to most methods and properties across pages on different sites.
Workarounds can be dangerous & costly
17. Web Server & Applications
Secure data exchange: Investments in securing Web 2.0
Cross Domain Request (XDomainRequest)
Enables web developers to more securely communicate between domains
Provides a mechanism to establish trust between domains through an explicit acknowledgement of sharing cross domain, and both parties know which sites are sharing information
Proposed to W3C for standardization
Cross Document Messaging (XDM)
Enables two domains to establish a trust relationship to exchange object messages
Provides a web developer a more secure mechanism to build cross domain communication
Part of the HTML5 specification
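As an added example (not code from the deck or from Microsoft), the trust relationship XDM relies on in practice: the receiving page checks the origin of every message against an allow-list, and the sender names an explicit target origin instead of the wildcard. The origins, payloads and event objects are constructed so it runs outside a browser.

```javascript
// Receiving side of a Cross Document Messaging (postMessage) exchange.
// Only origins on this list may drive the page; constructed sample value.
const TRUSTED_ORIGINS = new Set(["https://www.woodgrovebank.co.uk"]);

// Validate a message as a window "message" handler would see it.
// Returns the parsed payload, or null when the message must be ignored.
function acceptMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null; // unknown sender
  if (typeof event.data !== "string") return null;     // protocol expects JSON text
  let payload;
  try {
    payload = JSON.parse(event.data);                  // data is untrusted input
  } catch (_) {
    return null;
  }
  if (payload === null || typeof payload !== "object") return null;
  if (typeof payload.type !== "string") return null;
  return payload;
}

// Sending side: the arguments for targetWindow.postMessage(message, targetOrigin).
// An explicit https origin makes the browser drop the message if the target
// frame has since navigated to another site; the wildcard "*" is rejected here.
function buildOutgoing(payload, targetOrigin) {
  if (!/^https:\/\/[^\/\s]+$/.test(targetOrigin)) {
    throw new Error("targetOrigin must be an explicit https origin, got " + targetOrigin);
  }
  return [JSON.stringify(payload), targetOrigin];
}

// Constructed sample events: one from the trusted bank origin, one from an
// unrelated third-party origin that sends the same-shaped data.
const FROM_BANK = {
  origin: "https://www.woodgrovebank.co.uk",
  data: '{"type":"balance","value":42}',
};
const FROM_THIRD_PARTY = {
  origin: "https://third-party.example",
  data: '{"type":"balance","value":0}',
};
```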
18. Web Server & Applications
XSS Exploits
The new buffer overflow: steal cookies & history
Log keystrokes
Deface sites
Steal credentials
Port-scan the Intranet
Abuse browser/AX vulnerabilities
Evade phishing filters
Circumvent HTTPS
XSS Filter neuters the attack
Blocks the malicious script from executing
19. XSS Demo
demo
Web Server & Applications
20. Web Server & Applications
Behind The Scenes
Malicious URL in email contains encoded string: http://www.woodgrovebank.co.uk/woodgrovebank.asp?SID=%22%3E%3C%73%63%72...
Vulnerable application adds tag to page:
Generated Signature:

Neutered Script:

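As an added example (not from the deck), the server-side view of the defect above and its fix: the page is assumed here to echo the SID parameter into an HTML attribute without encoding, so the decoded prefix of the deck's sample URL (a closing quote and angle bracket followed by the start of a tag) breaks out of the attribute and opens a new element; attribute-context encoding keeps it inert. The URL is the deck's own truncated sample; the tag and helper names are mine.

```javascript
// The deck's sample URL, truncated as on the slide.
const SAMPLE_URL =
  "http://www.woodgrovebank.co.uk/woodgrovebank.asp?SID=%22%3E%3C%73%63%72";

// Read the SID parameter the way the server page would see it (URL-decoded).
function extractSid(url) {
  return new URL(url).searchParams.get("SID");
}

// Vulnerable behaviour, kept only to show the defect: raw concatenation
// of untrusted input into an attribute value.
function renderVulnerable(sid) {
  return '<input type="hidden" name="SID" value="' + sid + '">';
}

// Encode for an HTML attribute value: every character that could end the
// value, start a tag or start an entity becomes a character reference.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened behaviour: same markup, encoded value.
function renderHardened(sid) {
  return '<input type="hidden" name="SID" value="' + encodeAttr(sid) + '">';
}

// Check used on both variants: how many tags did the markup end up with?
// More than one means the input escaped the attribute and opened a tag.
function tagCount(html) {
  return (html.match(/</g) || []).length;
}
```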
21. Web Server & Applications
ClickJacking
Type of Cross Site Request Forgery
Entices users to click on content from another domain without the user realizing it.
Evolving server exploit
Impacts all browsers, only IE 8 has integrated protection capabilities
Add an X-FRAME-OPTIONS header to the HTTP response.
DENY all framing, or allow framing only from same-origin hosts (SAMEORIGIN)
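As an added example (not from the deck), the two X-FRAME-OPTIONS policies named above: the header a server would send, and the framing decision a browser that honours the header makes from it. Origins are constructed sample values, and failing closed on an unrecognised value is a choice made in this example.

```javascript
// Server side: build the anti-ClickJacking response header. DENY refuses
// all framing; SAMEORIGIN allows frames only when the top-level page
// shares the framed response's origin.
function frameOptionsHeader(policy) {
  if (policy !== "DENY" && policy !== "SAMEORIGIN") {
    throw new Error("unsupported X-Frame-Options policy: " + policy);
  }
  return { "X-Frame-Options": policy };
}

// HTTP header names are case-insensitive; look one up accordingly.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === want);
  return key === undefined ? "" : String(headers[key]);
}

// Browser side: may a response carrying these headers be rendered inside a
// frame whose top-level document has topLevelOrigin? responseOrigin is the
// origin the framed response came from. Returns the decision and a reason.
function frameDecision(headers, topLevelOrigin, responseOrigin) {
  const policy = getHeader(headers, "X-Frame-Options").trim().toUpperCase();
  if (policy === "") {
    return { render: true, reason: "no X-Frame-Options header" }; // legacy default
  }
  if (policy === "DENY") {
    return { render: false, reason: "DENY" };
  }
  if (policy === "SAMEORIGIN") {
    const same = topLevelOrigin === responseOrigin;
    return { render: same, reason: same ? "SAMEORIGIN matched" : "SAMEORIGIN mismatch" };
  }
  // Unknown value: this example fails closed rather than guessing.
  return { render: false, reason: "unrecognised policy " + policy };
}

// Constructed scenario: the bank's page framed by an unrelated site.
const BANK = "https://www.woodgrovebank.co.uk";
const OTHER_SITE = "https://third-party.example";
```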
22. Web Server & Applications
ClickJacking
23. Social Engineering & Privacy
24. Social Engineering & Privacy
25. Social Engineering & Privacy
Perhaps a more effective warning?
26. Social Engineering & Privacy
EV SSL Certificates: Look for the Green
Provides consumers added user confidence and brands enhanced protection
Implemented by over 10,000 leading commerce, banking and transactional sites
27. Social Engineering & Privacy
Domain Highlighting
Helps users more accurately ascertain the domain of the site they are visiting
The domain is black, vs. other characters which are gray
28. Social Engineering & Privacy
SmartScreen Filter: offering dynamic protection from
Phishing
Malware
29. SmartScreen Demo: Phishing & Malware
demo
Social Engineering & Privacy
30. User Choice & Control
Social Engineering & Privacy
Delete Browsing History
InPrivate Browsing
InPrivate Filtering
31. Social Engineering & Privacy
Delete Browsing History
New option to Delete Browsing History while retaining favorites
32. Social Engineering & Privacy
Third Party Content Serving
Over time, users' history and profiles can unknowingly be aggregated
Any third-party content can be used like a tracking cookie
There is little end-user notification or control today
Syndicated photos, weather, stocks, news articles; local analytics, etc.
Unclear accountability with third party security & privacy policies
[Diagram on slide: a user visits unique sites (Tailspintoys.com, Woodgrovebank.com, Farbrikan.com, Southridge1-1.com, Litware-bulk.com, adventureworks.com, Northwintd.com, Contoso.com, Prosware-sol.com); each site's web server includes content from the same 3rd party syndicator.]
33. InPrivate Demo
demo
Social Engineering & Privacy
34. Centralized Administration Using Group Policies
35. 36. 37. Deploying IE8
Microsoft Systems Management Software.
38. Group Policy.
39. Windows Update.
40. Windows System Update Services.
41. Network shared folder.