<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/kaleb-knobel/rss" /><link>https://www.ivanti.com/blog/authors/kaleb-knobel</link><item><guid isPermaLink="false">935656ca-ef6d-494f-ae47-0c1e93cf4118</guid><link>https://www.ivanti.com/blog/keeping-browser-safe</link><atom:author><atom:name>Kaleb Knobel</atom:name><atom:uri>https://www.ivanti.com/blog/authors/kaleb-knobel</atom:uri></atom:author><category>Security</category><title>Keeping Your Browser Safe is a Hard Day’s Night</title><description>&lt;p&gt;We all love making our internet experience a little less out-of-the-box and a little bit more ours. Extensions and add-ons are the most common way of doing this. From ad blockers and password managers to daily jokes, including those from our favorite TV shows (such as the hilarious &lt;em&gt;The Good Place&lt;/em&gt;), we like our computers and browsers to fit our specific wants.&lt;/p&gt;

&lt;p&gt;But there’s a dark underbelly to this customization. Not all extensions and add-ons are safe.&lt;/p&gt;

&lt;h3&gt;Browser Hijackers&lt;/h3&gt;

&lt;p&gt;Browser hijackers have been around for a while. Remember those horrible search toolbars that felt impossible to remove? Over time, browser hijackers are becoming more sophisticated and also more popular. They:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Are easy to mask as legitimate services&lt;/li&gt;
	&lt;li&gt;Don’t require a dedicated download such as an .exe or .dll&lt;/li&gt;
	&lt;li&gt;Are easy to install without admin rights on the device&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Browser hijackers can do several different things. They can modify your homepage, add other extensions without your knowledge, and change your search engine. They are also employed to install adware, malware, spyware, viruses, and keyloggers.&lt;/p&gt;

&lt;p&gt;This may not seem like a big deal. Who cares if you’re using Joojle instead of Google? You’re getting search results, right?&lt;/p&gt;

&lt;p&gt;What you may not realize is that ads are being served, slowing down your internet browsing. Bad guys are using your machine with thousands of others to help them mine bitcoin, eating up your CPU and slowing down your PC. Even that may not seem like too big a deal—until you go to Weelsfargo instead of Wellsfargo and now the bad guys have your login and money, while you’re left looking at an empty account and trying to get it all back.&lt;/p&gt;

&lt;p&gt;A major part of the problem is that the extension and add-on stores aren’t always able to keep their stores clean and hijacker-free. Even as stores shut down some of these malicious extensions, they don’t always remove them from the store. More often than not, the links become non-searchable and are hidden. What’s more, the stores don’t remove them from machines that have the malicious extension installed.&lt;/p&gt;

&lt;h3&gt;Help! (I Need Somebody)&lt;/h3&gt;

&lt;p&gt;So, as users, what can we do? For starters, use common sense before installing any extensions. Some of the most common hijackers are related to Flash and ad blocking. Flash is built into Chrome (at least for a few more months) and doesn’t need an add-on. Flash can also be downloaded from Adobe and installed on the system if you must have it. For ad blocking, go with well-known brands. Don’t always trust install count or reviews, as bots can be purchased to increase install count, ratings, and reviews.&lt;/p&gt;

&lt;p&gt;If you’re a Chrome user, &lt;a href="https://crxcavator.io/" target="_blank" rel="noopener"&gt;CRXcavator.io&lt;/a&gt;*&amp;nbsp;offers a great service! You can search by the extension name or ID and see its risk rating. It looks at things like permissions being granted, if there’s a content security policy, third-party vulnerabilities, and other things to determine how risky the extension is. At the end of the day, if in doubt, don’t use it or install it.&lt;/p&gt;

&lt;p&gt;If you’re an IT admin, what can you do? There are a few different things. For example, Mozilla and Google have created templates to be used in your GPOs that can whitelist, blacklist, or prevent extensions entirely for you. A bonus to using GPO templates is that they remove any blacklisted extensions as well as preventing them from being reinstalled. Ivanti also offers &lt;a href="https://www.ivanti.com/ivanti-neurons" target="_blank"&gt;Ivanti Cloud&lt;/a&gt; whose real-time engine can help you discover what extensions are installed in your environment.&lt;/p&gt;

&lt;h3&gt;The Long and Winding Road (to Being Safe on the Internet)&lt;/h3&gt;

&lt;p&gt;Like most other things in life, common sense goes a long way:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Make sure you have an antivirus installed and that it’s up to date and running.&lt;/li&gt;
	&lt;li&gt;Think twice before installing something. Do you really need to have Flash installed? Really?&lt;/li&gt;
	&lt;li&gt;The old adage of “If it’s too good to be true, it probably is” applies to the internet. Installing an extension won’t win you an iPhone. Installing an extension won’t get you the premium version of Spotify for free. Installing an extension won’t magically get you YouTube Red for free, either.&lt;/li&gt;
	&lt;li&gt;Keep your browser up to date. Browsers are getting better at sandboxing their processes.&lt;/li&gt;
	&lt;li&gt;Keep your OS up to date.&lt;/li&gt;
	&lt;li&gt;If you get prompted to install something, go to the vendor’s website and get it from them. Don’t trust a pop-up.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;&lt;span&gt;*No affiliation with Ivanti. Just one awesome company giving kudos to another awesome company.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;</description><pubDate>Thu, 17 Oct 2019 19:07:43 Z</pubDate></item><item><guid isPermaLink="false">6b0c59c3-db93-496a-8544-7bc1bd1cafb3</guid><link>https://www.ivanti.com/blog/facebook-single-sign-on-equals-internet-headache</link><atom:author><atom:name>Kaleb Knobel</atom:name><atom:uri>https://www.ivanti.com/blog/authors/kaleb-knobel</atom:uri></atom:author><category>Security</category><title>Facebook Single Sign-On Equals Internet Headache</title><description>&lt;p&gt;Reports came out recently that, once again, Facebook has been breached. Hackers were able to take over the accounts of at least 50 million users. As this &lt;a href="https://www.wired.com/story/facebook-hack-single-sign-on-data-exposed/?CNDID=19960054&amp;amp;mbid=nl_100218_daily_list1_p4" target="_blank" rel="noopener"&gt;Wired article&lt;/a&gt; points out, it wasn’t passwords that were hacked, but access tokens.&lt;/p&gt;

&lt;p&gt;One thing that the Wired article details, and which is summed up in this post, is the issue of using Facebook as a Single Sign-On (SSO) solution.&lt;/p&gt;

&lt;p&gt;Many websites allow individuals to use Facebook to log into a site’s services. Most of those sites don’t force the user to enter their password again to confirm their identity. The thing is, all of those websites that don’t require the password a second time are also affected by this Facebook breach. Many of those sites contain sensitive personal information, including credit card information, birthdays, and other vital data that heighten the risk of your identity being stolen.&lt;/p&gt;

&lt;h2&gt;Finding Relief&lt;/h2&gt;

&lt;p&gt;There are several specific things you can do to help mitigate this headache: 1) using a strong SSO solution; 2) changing passwords; and 3) keeping things up to date.&lt;/p&gt;

&lt;h2&gt;SSO Solutions&lt;/h2&gt;

&lt;p&gt;Remember, if you’re not paying a company for their product, &lt;em&gt;you&lt;/em&gt; are the product. Enterprises like Facebook and Google thrive on the use of the information you provide them. Using your accounts with them as a single sign-on vehicle allows them to build a stronger internet profile about you.&lt;/p&gt;

&lt;p&gt;A better approach is using a solid SSO solution. For example, at Ivanti we use &lt;a href="https://www.okta.com/?utm_campaign=search%3Egoogle%3Eamer%3Eus%3Eao%3Eit%3Ebranded_okta%3Eexact&amp;amp;utm_medium=cpc&amp;amp;utm_source=google&amp;amp;utm_term=okta&amp;amp;utm_page=%7burl%7d&amp;amp;gclid=Cj0KCQjw0dHdBRDEARIsAHjZYYChls3oYxJX1x0Mh-TLnJb7yrD-AbYfOtE4Z7WQ_HfScT-Z3bq4cRIaAiLpEALw_wcB" target="_blank" rel="noopener"&gt;Okta&lt;/a&gt; for our SSO. Advantages of Okta include Active Directory integration, which allows password policies such as complexity, reuse, and how long until they change to sync to Okta, and multi-factor authentication. Separating websites from Facebook’s SSO will also help. Doing so safeguards your other accounts if Facebook gets compromised again.&lt;/p&gt;

&lt;h2&gt;Changing Passwords&lt;/h2&gt;

&lt;p&gt;Changing passwords after a breach like the one at Facebook is always good hygiene. Even if this breach didn’t concern passwords specifically, you never know whether or not a service you use has been compromised by the bad guys. &lt;a href="https://www.ivanti.com/products/user-workspace-manager" target="_blank"&gt;Ivanti Password Director&lt;/a&gt; helps simplify password resets for your users with self-service capability.&lt;/p&gt;

&lt;h2&gt;Keeping Things Up to Date&lt;/h2&gt;

&lt;p&gt;The Wired article mentions that the iOS Facebook app had some vulnerabilities in allowing cookies to be hijacked. The Facebook app has been patched, but users may not have downloaded it yet. &lt;a href="https://www.ivanti.com/products/patch-for-endpoint-manager" target="_blank"&gt;Ivanti Endpoint Manager&lt;/a&gt; allows your IT team to keep iOS, Android, Windows, and Mac devices up to date.&lt;/p&gt;

&lt;p&gt;To sum it all up, using a company as your SSO that specializes in using your data can be a bad idea as evidenced by the recent Facebook breach. If you’re going to use an SSO, make sure it’s one that exists for that very purpose. Check out our Password Director tool so your users can reset their passwords easily and as needed. Last but not least, keep your systems and applications up to date with Ivanti Endpoint Manager. You’ll make it more difficult for the bad guys to gain a foothold.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Kaleb Knobel is a Security Engineer at Ivanti and has also worked as a Technical Support Specialist for the State of Utah and a Service Assurance Technician for Integra Telecom. He is working towards a bachelor’s degree in Computer and Information Systems Security/Information from Western Governors University.&lt;/em&gt;&lt;/p&gt;


</description><pubDate>Mon, 15 Oct 2018 22:41:55 Z</pubDate></item><item><guid isPermaLink="false">a4981249-9597-45ba-ae54-ee0a5992717c</guid><link>https://www.ivanti.com/blog/to-encrypt-or-not-to-encrypt-that-is-the-question</link><atom:author><atom:name>Kaleb Knobel</atom:name><atom:uri>https://www.ivanti.com/blog/authors/kaleb-knobel</atom:uri></atom:author><category>Security</category><title>To Encrypt or Not to Encrypt, that Is the Question</title><description>&lt;p&gt;Encrypting has been a problem faced by every IT team. It’s been around so long even Shakespeare wrote about it! From dealing with the complaints from Sales that you slowed down their demo boxes, to having to enter the Recovery Key for George for the umpteenth time, we all ask ourselves if encrypting our machines is worth it.&lt;/p&gt;

&lt;p&gt;With the recent article from &lt;a href="https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data/" target="_blank" rel="noopener"&gt;TechCrunch&lt;/a&gt; titled “Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data,” we may be asking ourselves again, is it really worth it?&lt;/p&gt;

&lt;p&gt;The answer to this is still a loud, resounding YES! Last December, &lt;em&gt;Forbes&lt;/em&gt; published &lt;a href="https://www.forbes.com/sites/steveolenski/2017/12/08/is-the-data-on-your-business-digital-devices-safe/#7a4c16554c6a" target="_blank" rel="noopener"&gt;an article&lt;/a&gt; containing research from Kensington with some shocking statistics:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;On average, a laptop is stolen every 53 seconds.&lt;/li&gt;
	&lt;li&gt;On average, over 70 million smartphones are lost each year.&lt;/li&gt;
	&lt;li&gt;Forty-one percent of data breach events from 2005 to 2015 were caused by lost or stolen laptops, tablets, and smartphones.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Now is the winter of our discontent.&lt;/h2&gt;

&lt;p&gt;With the published article, your users may start to ask why we’re pushing encryption on them when it can be bypassed so easily. The situation isn’t as bad as the article makes it sound.&lt;/p&gt;

&lt;p&gt;As mentioned in the article, the bypass only applies to certain devices, and for those affected devices there are ways to configure your disk encryption to mitigate the risk. This, like many security issues, is first and foremost an Asset Management problem—understanding what you have and if it’s at risk.&lt;/p&gt;

&lt;p&gt;Next, you need to understand how these devices are configured.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Encryption of tablets and smartphones is still safe.&lt;/li&gt;
	&lt;li&gt;Enabling the wipe after 10 wrong PIN attempts can help if your device falls into the wrong hands.&lt;/li&gt;
	&lt;li&gt;Apple devices with a T2 chip aren’t affected by this vulnerability.&lt;/li&gt;
	&lt;li&gt;Using a firmware PIN for both BitLocker and FileVault can help mitigate the risk.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once you understand your assets, including whether disk encryption is enabled and whether the firmware PIN is enabled, you next want to identify devices at risk. For example, if there’s a laptop that’s owned by a user who has access to more sensitive data, you may want to ensure that user is employing the firmware PIN and also prioritize that user for an upgrade if the vulnerability can be eliminated altogether.&lt;/p&gt;

&lt;h2&gt;Such as we are made of, such we be.&lt;/h2&gt;

&lt;p&gt;At Ivanti, we use our &lt;a href="https://www.ivanti.com/products/endpoint-manager" target="_blank"&gt;Unified Endpoint Manager&lt;/a&gt; solution to manage recovery keys for both Windows and Mac to help those forgetful users. For devices not compatible with BitLocker and FileVault, WinMagic, an Ivanti ONE partner, offers a solution. We are also using the Ivanti &lt;a href="https://www.ivanti.com/products/it-asset-management" target="_blank"&gt;Asset Manager&lt;/a&gt; solution to identify older devices (especially those used by the key players in your organization) and prioritize them for a hardware refresh.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Kaleb Knobel is a Security Engineer at Ivanti and has also worked as a Technical Support Specialist for the State of Utah and a Service Assurance Technician for Integra Telecom. He is working towards a bachelor’s degree in Computer and Information Systems Security/Information from Western Governors University.&lt;/em&gt;&lt;/p&gt;

</description><pubDate>Wed, 10 Oct 2018 23:01:05 Z</pubDate></item></channel></rss>