An update on securing the web browser

When I was at the Citrix Synergy show in Orlando last week, I was interested in tracking down their announcement about their secure web browsing product. I have been interested in secure browsing technology for several years now, mainly because the web browser has been a major infection vector and allows malware to be transported to millions of computers through phishing, man-in-the-middle, SQL injection and countless other attacks. Securing the browsing channel could be a way to stop this madness.

A few years ago, I did a review of several products for Network World, looking at Authentic8 Silo, Spoon’s BrowserStudio, Invincea’s FreeSpace and Spikes AirGap. While the review is outdated, the process that I went through to try to test these products made me realize that securing everyone’s web browsers is a lot harder problem than it first appears.


Typically, these products offer one of two approaches. One is to sandbox, virtualize or otherwise contain the browsing session, using one of several different methods, so that no web page or online content can reach the actual desktop that is being used to surf the Web. A second approach is to replace the usual Internet Explorer, Firefox or Chrome browser software with a specialized browser that is locked down and has limited functionality.

The secure browser might give up surfing speed or fail to render a more complex website properly. And you still have someone’s regular browser sitting on their PC that could cause trouble. Not to mention that some of these early products did a lousy job at protection.

Citrix has had a secure browser service as part of its Cloud offerings for about a year now. It uses a combination of sandboxing and locking down the browser environment in an interesting way.

While the motivation behind its old and new products is similar, the execution is different, as Brett Waldman in their product marketing department explained to me at the show. The older secure browser (shown here) allows you to secure a specific web app. You set up an instance that ties a specific browser version (such as Chrome or Edge) to a specific app (such as Facebook), and you can add a data center that the browser request will originate from. Once this is done, every time you launch that instance, you will bring up an HTML5 copy of a browser and be taken to Facebook’s website under just those circumstances. The actual browsing is happening inside Citrix Cloud, not on your local PC. It is a way to lock things down for a specific app. You can think of it as running a stripped-down version of Receiver just for this one app.

But that isn’t good enough and doesn’t handle a lot of situations. What happens if you want more control over your browsing experience that goes beyond specifying a browser type and originating location? Or if you want to run a machine that isolates the browser from the rest of the applications? Or just want to try out a secure browser without loading a lot of Citrix infrastructure? That is where the app layering technology that Unidesk provides comes in handy, and that was what was announced this week with Secure Browsing Essentials, which will be available on the Azure Marketplace. By having layers, you can select exactly which bits and pieces of the browser you want to enable, so if you don’t want Flash or want to block pop-ups or downloads of executable files, you don’t assemble those pieces of code.

Citrix has other “Essentials” products on the Azure Marketplace, which makes it easy for anyone to get started with this technology. PJ Hough, Citrix SVP of Product, said the new Citrix Secure Browser Essentials will be available before the end of the year, with pricing starting at $180 per year (with a three-year subscription for a minimum of 50 subscribed users). Waldman said that this product “gives us a different route to market and to be able to satisfy these other use cases. Because it is on the Marketplace, it can also be more self-service and reach a different kind of buyer, even within an existing Citrix customer.”

WannaCry ransomware analysis

The WannaCry ransomware worm that plagued many people last week is notable for two reasons: first, it is a worm, meaning it self-propagates. Second, it uses a special exploit that was first developed by the NSA and then stolen by hackers. It first began on Friday and quickly spread to parts of Europe and Asia, eventually infecting more than 200k computers across more than 100 different countries. It moved quickly, and the weekend saw many IT managers busy trying to protect their networks. One researcher called it a “Frankenstein’s monster of vulnerabilities.”

Most of the victims were using outdated Windows versions such as XP. This map shows real-time tracking of the infected systems, where the bulk of infections hit Russian sites, although Telefónica in Spain was also attacked.

The hardest-hit were numerous hospitals and clinics run by the British National Health Service. Apparently, they had an opportunity to update their systems two years ago but didn’t due to budgets. So far, the best analysis is on The Register.  

WannaCry attack summary and timeline

American sites weren’t infected due to an interesting series of events. A young British security researcher who goes by the Twitter handle MalwareTechBlog discovered by accident a kill switch that stopped its operation. His account of that fortunate happenstance can be found here. Basically, by reverse engineering its code, he found that the malware checks for the existence of a specific domain name (which didn’t exist at the time and which he quickly registered). Once that domain had an operating “sinkhole” website, the malware attacks ended, at least until new variations are created without the kill switch or that check for a different site location. Sadly, the researcher was outed by the British tabloids. No good deed goes unpunished.
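The kill-switch check described above also gives defenders a detection signal: a host that looks up the kill-switch domain has almost certainly run the worm, even if the sinkhole kept the payload from firing. The script below, an added example that is not from this post or from MalwareTechBlog’s write-up, scans DNS query logs for such lookups and reports the querying hosts. The domain name is a placeholder standing in for the real one, and the log lines are constructed in a BIND-style query-log format, not captured from any real network.

```python
"""Flag hosts whose DNS queries hit a known malware kill-switch (sinkhole) domain.

Added example: the kill-switch domain is a placeholder, and the log lines are
constructed, BIND-style query-log records rather than real captures.
"""
import re
from collections import defaultdict

# Placeholder for the real kill-switch domain (deliberately not reproduced here).
KILL_SWITCH_DOMAINS = {"killswitch.example.invalid"}

# Constructed query-log lines: timestamp, client address#port, query name, class, type.
SAMPLE_DNS_LOG = """\
15-May-2017 09:12:01.123 client 10.0.5.21#51234: query: www.example.com IN A +
15-May-2017 09:12:04.456 client 10.0.5.42#49822: query: killswitch.example.invalid IN A +
15-May-2017 09:12:05.002 client 10.0.5.42#49823: query: killswitch.example.invalid IN A +
15-May-2017 09:13:17.900 client 10.0.7.9#53311: query: mail.example.com IN MX +
15-May-2017 09:14:00.010 client 10.0.9.77#40001: query: KillSwitch.Example.Invalid. IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict with ts/client/qname/qtype for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the name: DNS is case-insensitive and a trailing dot is the same name.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def find_killswitch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client address that queried a kill-switch domain to the timestamps of its lookups."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] in domains:
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for host, times in find_killswitch_lookups(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(times)} kill-switch lookup(s), first seen {times[0]}")
```

Treat a hit as an isolation-and-patch signal for that host, not as something to block at the resolver: the worm only stands down when the lookup succeeds, so preventing the resolution (or proxying the request away from the sinkhole) removes the one thing that was holding the payload back.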

The story on payouts

One curious story about WannaCry is the small ransom payouts to date. About 100 people have been recorded paying any ransom, according to the three Bitcoin accounts that were used by the criminals. (Yes, Virginia, Bitcoin may be anonymous but you can still track the deposits.) Other Bitcoin addresses could be used, of course, but it is curious that for something so virulent, so little has been paid to date.

Microsoft reaction and mitigation

The malware leverages an exploit that had been previously patched in mid-March by Microsoft and assigned the designation MS17-010. The company took the unusual step of providing patches for all currently supported Windows versions along with Windows XP, Windows 8 and Windows Server 2003.

Microsoft also recommends disabling SMBv1 and firewalling SMB ports 139 and 445 from the outside Internet. If you haven’t been doing these things, you have a lot of other problems besides WannaCry.

Microsoft’s president posted an op/ed blog piece saying “this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. Users are fighting the problems of the present with tools from the past.” Speaking of the past, they didn’t mention how many people are still running ancient versions of Windows such as XP, but Microsoft should at least be commended for having patches for these older systems.

Numerous security vendors have posted updates to their endpoint and network protection tools that will catch WannaCry, or at least the last known variant of it. And that is the issue: the hackers are good at morphing malware into something new that can pass by the defensive blocks. One interesting tool is this Python script that will detect and remove DoublePulsar exploits. That was the original NSA hack that creates a backdoor to your system. In the meantime, as I said last week, hope is not a strategy.

Network World: Linksys Velop boosts home network throughput

I take a look at the Linksys Velop Wi-Fi access points. This is the third in my series of reviews for Network World on smart home devices. If you are going to invest in smart home tech, you want a solidly performing wireless network throughout your house. While I had some minor issues, the Velop delivered solid performance and I recommend its use, particularly if you have existing radio dead spots in your home or have to use multiple networks to cover your entire property. You can read the review here. 

Hope is not a strategy

In my day job as editor of the Inside Security email newsletter, I read a lot of infosec stories from various sources: some technical, some legal, some for beginners. But I was struck by reading this piece in Dark Reading this week by this sense of failing purpose, and how IT is at best at parity with our attackers.

The piece is by a security consultant, Mark Hardy. Entitled, 7 Steps to Fighting Ransomware, it does what it says, providing some practical advice for corporate IT managers on how to prepare for the coming attack. Make no mistake: it is coming. All it takes is one person and one careless click and your network is compromised.

Some of Hardy’s suggestions are pretty predictable: make sure your systems are kept up to date on patches. Segment your network to limit the exposed systems that an attacker can easily access. Back up frequently and move the backups offline for further protection. Yeah, yeah, we’ve heard it before. Some corporations actually do these things too.

But one suggestion stopped me in my tracks: Buy some Bitcoin to prepare in advance, in case you have to fork over the ransom on short notice. That was a chilling point to make because it says no matter how carefully you prepare, there is still the off chance that you may have missed something and will need to pay out the ransom.

This is what I mean when I say we are at parity with the bad guys. We are fighting an asymmetric war against them: they have the ability to penetrate our networks and steal our data with a vast array of tools that are only getting better and more finely crafted. There is malware that can operate in memory and hide by using bits and pieces of software already part of your operating system, which is very difficult to detect. There is malware that changes its attack signature every second. There is malware that uses flaws in the operating system (such as one that was patched this week by Microsoft, ironically in its malware protection engine). And there are malware kits that run completely in the cloud, so all it takes is money and a few commands to launch an attack. So it is inevitable that someday your company will be hit; it is just a matter of when.

Security strategies are forged in the heat of battle, when you realize that no matter how many spare copies or protective procedures you have, something went wrong: your copies are bad, you have mission-critical data lurking on some executive’s laptop that wasn’t part of the backup, or some phisher dangled some bait and succeeded. Game over.

I speak from sad experience. Not over ransomware, but a simple backup error. Many years ago I lost my mailing list server due to a flooded basement. All the content on my server was duplicated elsewhere, offsite, save for one thing: the actual names on my list. A pretty critical piece of information, don’t you think? If that server didn’t come back online (it did), I would be out of business. I didn’t have a spare copy of my list. All it took was a simple command to have that list of names. But somehow I forgot to include that in my workflow. Oops.

Hardy says, “Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you’re vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you’re relying upon to prevent an infection is hope — and hope is not a strategy.”  So stop hoping, and start preparing.

Thoughts on cybersecurity from Krishnan Chellakarai at Gilead Sciences

I spoke to Krishnan Chellakarai about his thoughts. He is currently the Director, IT Security & Privacy at Gilead Sciences and has been a security manager at several biotech firms in the past. One thing he is concerned about is the increasing threats from IoT. He gave me a theoretical example. “What happens if you are reading your emails on your Apple Watch and you click on a phished link? This could lead to a hacker gaining access to credentials and using this information to steal information from your network.” As users bring in more Fitbits and other devices with Internet access to corporations, “every company needs to worry about this threat vector because it is a foot in the door.” This is part of a bigger trend, where “we have less data stored on individual devices, but there is more access” across the corporation. What this means is that there is “less visibility for IT security pros in case of an exploit.”

Certainly, some of the responsibility for keeping a firm’s infrastructure secure has to lie with each individual user. Chellakarai asks if “people ever look at their Gmail last account activity in the right bottom corner?” Or do we ever click on the security link that pops up when you are signed in to your account from multiple places? This is food for thought. “IT managers need to put some common sense controls in place so they can have better network visibility,” he says. Another example: when was the last time anyone checked their printer firmware or other legacy devices to ensure that they have been brought up to their latest versions? “It is time to stop thinking of security after an app is built, and start thinking about security from the beginning, when you are planning your architecture and building your apps.”

Chellakarai says, “One of my first things when I start working for a new company is to do a data analysis and network baseline, so that I can understand what is going on across my infrastructure. It is so critical to do this, and especially when you join a company. I look at policies that aren’t being enforced and other loopholes too. Then I can prioritize and focus on the risks that I find.”

The new hi-tech newsroom

If you haven’t been paying attention, today’s typical home-town newspaper has gone high tech. A few recent articles in the NY Times and elsewhere should make that clear.

For example, how about the tech that Michael Shear uses. He is one of the Times’ White House correspondents. He uses Sling TV so he can watch cable TV news no matter where he is in the world. He uses 2FA for all his accounts and tries mightily to detect phishing campaigns, as much as we all can. His sources “now routinely ask to discuss issues with secure texting apps such as Signal or Confide.” He watches various Twitter feeds, too. “I had to adjust my Do Not Disturb settings on my iPhone so that notifications resume earlier — at 5:30 a.m. now.” He also has his Apple Watch set to alert him every time the President tweets, but thankfully set to silent mode.

But that is just one reporter. How about if you had to support the entire Times newsroom? That is the job for Runa Sandvik, who has the unique title of Director of Information Security for the Newsroom. Her job is a combination of IT support and researcher. She has already created a number of secure tip lines for sources to leak info to the paper. This includes a public-facing Signal and WhatsApp number, as well as a SecureDrop instance. She has set up 2FA on all the paper’s Twitter accounts and routinely gives security lectures to help reporters improve their security hygiene.

These tips are a big deal: the Times gets hundreds of them a day, and in the past they weren’t very secure. A hackathon in Australia last month developed another secure messaging app that could be simply deployed even by smaller papers that don’t have their own Sandvik-in-residence, and posted the code on Github. The effort was part of what is being called “Editor’s Lab” sponsored by Walkleys, a journalist/tech collaboration.

Alecia Swasy did her doctoral research by studying the habits of 50 top reporters at four metro papers for the past couple of years. With all of them, reluctance to use Twitter gave way to acceptance and now expertise. One early advantage was that Twitter can monitor a reporter’s beat 24×7. “Twitter gives print journalists a chance to beat TV news cameras to breaking news,” she posted. It is also the new phone directory for a reporter to track down a source or confirm an identity. “You still need to wear out your shoes and knock on doors,” she posted. Twitter can also expand your readership to a global reach, far beyond your metro circulation boundaries. As an example, an environmental reporter in Tampa had a commanding Twitter presence which landed him a gig on Slate and eventually a book deal. The new rule for reporters is: If you don’t have it on Twitter first, it’s not a scoop.

Finally, there is this news nugget. When someone working at the NY Times (or at least having an IP address in the Times’ network address range) shows up in your web server logs, it could tip off someone that they might be a target of an investigation. This is what happened in a 2015 federal corruption case. Sandvik uses this as an example of why more reporters should be using VPNs and Tor and similar services. The same thing routinely happens at non-governmental organizations that may be targeted by groups that don’t agree with their mission. Some groups are at the receiving end of malware that targets their IP addresses too.

No doubt about it, tech is here to stay. Who knows – it might help the newsrooms become more productive as staff sizes shrink?


White paper: Invisible mobile banking security

As more banking customers make use of mobile devices and apps, the opportunities for fraud increase. Mobile apps are also harder to secure than desktop apps because they are often written without any built-in security measures. Plus, most users are used to just downloading an app from the major app stores without checking to see if they are downloading legitimate versions.

Besides security, mobile apps have a second challenge: to be as usable as possible. Part of the issue is that the usability bar is continuously being raised, as consumers expect more from their banking apps.

In this white paper for VASCO, I show a different path. Mobile banking apps can be successful at satisfying the twin goals of usability and security. Usability doesn’t have to come at the expense of a more secure app, and security doesn’t have to come at the cost of making an app more complex to use. Criminals and other attackers can be neutralized with the right choices that are both usable and secure.

The rise of blockchain-as-a-service

With the announcement last week of the Enterprise Ethereum Alliance, it is timely to look at what is going on with blockchain technologies. The Alliance was formed to try to encourage a hybrid kind of blockchain with both public and private aspects. Its members include both cutting-edge startups along with established computer vendors such as Microsoft and major banks such as ING and Credit Suisse. As mentioned in this post by Tom Ding, a developer at String Labs, the Alliance could bring these disparate organizations together and find best-of-breed blockchain solutions that could benefit a variety of corporate development efforts.

When Bitcoin was invented, it was based on a very public blockchain database, one in which every transaction was open to anyone’s inspection. A public chain also allows anyone to create a new block, as long as they follow the protocol specs. But as blockchains matured, enterprises wanted something a bit more private, to have better control over the transactions for their own purposes and to control who is trusted to make new blocks.

This isn’t a mutually exclusive decision, and what is happening now is that many blockchain solutions use aspects from both public and private perspectives, as you can see from this infographic from Let’s Talk Payments.

You want the benefits of having multiple programmers hammering against an open source code base, with incentives for the blockchain community to improve the code and the overall network effects as more people enter this ecosystem. You also gain efficiencies as the number of developers scales up, and perhaps have future benefits where there is interoperability among the various different blockchain implementations. At least, that is the theory espoused in a recent post on Medium here, where R Tyler Smith writes: “One thing that blockchains do extremely well is allow entities who do not trust one another to collaborate in a meaningful way.”

The Ethereum Alliance is just the latest milepost that blockchains are becoming more potentially useful for enterprise developers. Over the past year, several blockchain-as-a-service (BaaS) offerings have been introduced that make it easy to create your own blockchain with just a few clicks. Back in November 2015, Microsoft and ConsenSys built the first BaaS on top of Azure and now have several blockchain services available there. IBM followed in February 2016 with their own BaaS offering on BlueMix. IBM has a free starter plan that you can experiment with before you start spending serious money on their cloud implementations. Microsoft’s implementation is through its Azure Marketplace. There is no additional charge for blockchain services other than the cloud-based compute, network and storage resources used.

IBM’s BlueMix isn’t the only place the vendor has been active in this area: the company has been instrumental in supporting open source code regarding blockchain with large commitments to the Apache Hyperledger project. Not to be left out of things, the Amazon Web Services marketplace offers two blockchain-related service offerings. Finally, Deloitte has its own BaaS service offering as part of its Toronto-based blockchain consulting practice.

If you want to get started with BaaS, here is just one of numerous training videos that are available on the Microsoft virtual academy that covers the basics. There is also this informative white paper that goes into more details about how to deploy the Microsoft version of BaaS. IBM also has an informative video on some of the security issues you should consider here. (reg. req.)

Security Intelligence blog: Making the Move to an All-HTTPS Network

Many website operators have wrestled with the decision to move all their web infrastructure to support HTTPS protocols. The upside is obvious: better protection and a more secure pathway between browser and server. However, it isn’t all that easy to make the switch. In this piece that I wrote for IBM’s Security Intelligence blog, I bring up the case study of The Guardian’s website and what they did to make the transition. It took them more than a year and a lot of careful planning before they could fully support HTTPS.
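One of the things that makes the switch slow is mixed content: once a page is served over HTTPS, any script, stylesheet, frame, image or form action that still points at a plain http:// URL is blocked or flagged by the browser, so every such reference has to be found and rewritten first. The scanner below is an added example, not code from the Security Intelligence post or from The Guardian’s migration; it walks a page’s HTML and lists the sub-resource references that would become mixed content, and the HTML it runs over is constructed for the example.

```python
"""Find references that would become mixed content when a page moves to HTTPS.

Added example: the HTML below is constructed, and the set of tag/attribute pairs
scanned is a working subset of the places browsers fetch sub-resources from.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value makes the browser fetch or submit to a URL.
# Plain <a href> links are navigation, not sub-resources, so they are not listed.
URL_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}

# Constructed page: a mix of absolute http://, https://, protocol-relative and relative URLs.
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//static.example.com/app.js"></script>
<script src="https://static.example.com/analytics.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.com/hero.jpg" srcset="http://images.example.com/hero-2x.jpg 2x, https://images.example.com/hero-3x.jpg 3x">
<a href="http://www.example.com/about">About</a>
<iframe src="http://ads.example.net/frame"></iframe>
<form action="http://www.example.com/login"><input type="password" name="p"></form>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, raw_url) for every sub-resource that resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is a comma-separated list of "url descriptor" pairs.
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for raw in candidates:
                # Relative and protocol-relative URLs inherit the page's scheme, so resolve
                # against the (future) https:// page URL before deciding.
                absolute = urljoin(self.page_url, raw)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, raw))


def scan_mixed_content(html, page_url):
    """Return the list of (tag, attribute, raw_url) references that would be mixed content."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, attr, url in scan_mixed_content(SAMPLE_HTML, "https://www.example.com/"):
        print(f"<{tag} {attr}> -> {url}")
```

Note that the protocol-relative `//static.example.com/app.js` and the site-relative `/images/logo.png` are not reported: once the page itself is on HTTPS they resolve to https:// automatically, which is why resolving each reference against the future page URL matters before flagging it. The `<a href>` to an http:// page is also left alone, since following a link is navigation rather than a sub-resource load.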