Security watchers have reacted positively to recently announced improvements to Microsoft’s Edge browser, which had earned an unenviable reputation for easy pwnage. Redmond is reducing its exposure to malicious exploits by improving Edge’s sandboxing technology, and has extended two existing mitigations, ACG (Arbitrary Code Guard) and CIG (Code Integrity Guard), to make remote code execution harder. ACG1 stops a process from allocating new executable memory or modifying existing executable pages, and CIG2 allows only properly signed images to be loaded, so an attacker who gains control of the browser’s content process cannot simply write shellcode into memory and run it, nor pull in an unsigned DLL. Because Edge omits Internet Explorer’s ActiveX and Browser Helper Object technologies, it is able to run entirely inside app container sandboxes at all times.
The improved defences are designed to better guard against so-called drive-by download attacks, where merely visiting a malicious page triggers an exploit. The security revamp focuses on reducing the browser’s attack surface: Microsoft’s app containers have been redesigned to reduce the amount of code running inside the sandbox, and developers have added less privileged, custom-crafted app containers so that a compromised content process has fewer capabilities to abuse.
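To make concrete what ACG takes away from an attacker, the following is an added example, not code from Microsoft or from Edge: a minimal JIT that writes a stub into a writable page, flips the page to executable and calls it, with a hypothetical `ArbitraryCodeGuard` class standing in for the mitigation policy. The machine-code stubs for x86-64 and AArch64 are constructed here, the policy class is a simulation of the rule ACG enforces (no request that makes memory executable is granted) rather than the Windows implementation, and the `mprotect` call is reached through `ctypes` on a POSIX system.

```python
"""Tiny JIT with a simulated Arbitrary Code Guard policy in front of it."""
import ctypes
import mmap
import platform

# Constructed machine code for a function that returns 42, per architecture.
_STUBS = {
    "x86_64": b"\xb8\x2a\x00\x00\x00\xc3",             # mov eax, 42 ; ret
    "AMD64": b"\xb8\x2a\x00\x00\x00\xc3",
    "aarch64": b"\x40\x05\x80\x52\xc0\x03\x5f\xd6",   # movz w0, #42 ; ret
    "arm64": b"\x40\x05\x80\x52\xc0\x03\x5f\xd6",
}

PROT_RW = mmap.PROT_READ | mmap.PROT_WRITE
PROT_RX = mmap.PROT_READ | mmap.PROT_EXEC

# mprotect is reached through libc; the page's protection change is the
# operation the policy below is meant to refuse.
_libc = ctypes.CDLL(None, use_errno=True)
_libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
_libc.mprotect.restype = ctypes.c_int


class ArbitraryCodeGuard:
    """Hypothetical stand-in for the mitigation (not Windows' implementation):
    with the policy on, every request to make memory executable, whether a
    new mapping or a protection change, is refused, so no code can be
    generated at run time."""

    def __init__(self, enabled):
        self.enabled = enabled

    def request(self, prot):
        if self.enabled and prot & mmap.PROT_EXEC:
            raise PermissionError("ACG: executable memory request refused")
        return prot


def jit_return_42(guard):
    """Write the stub into a fresh RW page, flip the page to RX, call it."""
    code = _STUBS[platform.machine()]
    size = mmap.PAGESIZE
    page = mmap.mmap(-1, size, flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                     prot=guard.request(PROT_RW))
    page.write(code)
    addr = ctypes.addressof(ctypes.c_char.from_buffer(page))
    # The W^X transition: exactly the step ACG forbids.
    if _libc.mprotect(addr, size, guard.request(PROT_RX)) != 0:
        raise OSError(ctypes.get_errno(), "mprotect failed")
    fn = ctypes.CFUNCTYPE(ctypes.c_int)(addr)
    return fn()


def acg_blocks_jit():
    """True if the guard stops the JIT before any generated code runs."""
    try:
        jit_return_42(ArbitraryCodeGuard(enabled=True))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("ACG off:", jit_return_42(ArbitraryCodeGuard(enabled=False)))  # 42
    print("ACG on blocks JIT:", acg_blocks_jit())  # True
```

With the policy off the stub runs and returns 42; with it on, the attempt to make the page executable is refused before any attacker-supplied bytes can execute. That is the property the footnote describes: a browser JIT has to be redesigned around this constraint (Edge moves code generation out of the content process), and an exploit that lands in the content process loses the easy path of writing shellcode and jumping to it.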
“We will continue to invest in both RCE and sandbox mitigations for Microsoft Edge,” said senior program manager Crispin Cowan. “These exploit mitigations combined with the strengthened sandboxing should make Microsoft Edge significantly more work for attackers to exploit, and thus discourage attackers from trying in the first place.”
[Figure: Microsoft Edge app container model. Source: Microsoft]
The changes are welcome not least because Microsoft Edge was the most-hacked browser at the recent Pwn2Own event. Its weaknesses are not confined to the contest: Google Project Zero has uncovered a number of security flaws in previous iterations of the browser, most recently an unpatched Microsoft Edge and IE vulnerability (CVE-2017-0037) last month.
Despite its previously lacklustre reputation, experts are by no means down on Microsoft’s browser technology, and several are positive about Microsoft’s security roadmap. Marco Cova, senior security researcher at malware detection firm Lastline, commented: “Microsoft is definitely on the right track here. Reducing the privileged operations available to untrusted code and containing it in sandboxes so that exploits are harder to pull off successfully are the two best ways we know to build secure systems.
“It sounds like a great engineering feat on their part. Of course, the devil is in the details of how they actually implemented these mechanisms, and I’m sure quite a few people will be testing them extensively in the near future.”
Security consultant Kevin Beaumont is also upbeat about Edge. “Microsoft Edge is actually a great browser for corp use and some of the upcoming security features are killer,” he said in a Twitter update.
1 ACG is meant to ensure code cannot be dynamically generated or modified.
2 CIG is designed so that only properly signed images can load.
German Government Commissioner for Information Technology Klaus Vitt | German Federal Ministry of the Interior
Klaus Vitt discusses his role protecting Germany from cyber attacks.
3/20/17, 7:54 PM CET
Updated 3/20/17, 8:10 PM CET
BERLIN: Meet the man in charge of protecting Europe’s largest country against the ever-changing threat of hacking: the German government’s IT commissioner, Klaus Vitt. During an interview with POLITICO at the German Interior Ministry, Vitt described the country’s current cyber threat level as increasingly critical, announced plans to cooperate with private companies and explained why his analysts believe most professional hacking attacks on Germany come from Russia or China.
In September, Germany elects a new parliament. Could the vote be manipulated by cyber attacks?
We have analyzed all processes during election day. Wherever we found weak spots, we have introduced measures and taken precautions. In Germany, there are no electronic voting machines or automation.
The vote, therefore, is not that big of a target. However, there is never 100 percent security.
You’re talking about potential attacks on the IT network on election night. Another issue is cyber attacks that could happen in the run-up to the election. People are concerned that stolen material from hacks could be used to compromise candidates. Do they have a reason to be afraid?
The danger is real. This is why our Federal Office for Information Security (BSI) advises parliamentarians and their groups in the parliament on how to protect themselves. It starts with using virus protection software on your private computer but certainly doesn’t end there.
Have cyber attacks increased during the last couple of years?
Yes, the threat situation is becoming increasingly critical. We still observe many security breaches in software and hardware, as analyzed in the BSI’s annual report on the state of IT security. This in itself is critical. At the same time, however, our society, economy and state are increasingly becoming more digitalized, which also makes them more vulnerable. On top of that, attackers are becoming more professional, and they are using more intelligent malware.
In 2015, a broad-scale cyber attack on the Bundestag, the lower house of the German parliament, made headlines. What consequences did the government draw from the incident?
The Bundestag is in charge of its own IT security. However, there have been numerous consultations on how the parliament should make its network more secure, and the government took part in them. These recommendations were put into action very consistently. The network and its security components were completely rebuilt from scratch.
Could foreign intelligence services be involved in attacks like the one in 2015?
We are dealing with very professional attackers; that’s why only in rare cases can you identify them indisputably. We analyze serious attacks very thoroughly to find out from where they originate. In order to do that, we take patterns from comparable attacks in the past as a reference. Based on such analogies, one can say with a certain probability where those attacks originate from, and those analogies suggest that a majority of attacks comes from Russia or China, at least geographically.
How can Germany protect itself?
Attackers want to produce the largest effect possible. That’s why they target their attacks primarily against critical infrastructure.
With Germany’s IT security law introduced in 2015, we have created legislation that focuses on such infrastructures. On the one hand, it introduces minimum standards for IT security: how operators need to protect themselves against cyber attacks. There are regular checks to make sure they still follow those standards. On the other hand, they are obliged to inform authorities about any critical IT security incidents. If operators are affected, they need to alert the BSI about it, which in turn can analyze it, assess the threat and inform other operators as fast as possible so that they can protect themselves in time. I would like to apply a similar model to other companies which are not operating critical infrastructure and to the public administration.
In November 2016, Germany introduced a cyber security strategy: a plan for the country on how to protect itself and how to best react to cyber attacks. What about attacks that have already happened and data that may have been taken?
A cyber attack can have different goals. One aim can be to extract information. If you have no possibility to prevent this, you need to cut off access to the internet. This was one of the measures taken during the cyber attack on the Bundestag. From this moment on, no more information can be extracted. However, in the aftermath, it’s difficult to detect what malware could possibly have had access to and which data has been extracted.
What measures are you taking?
To guarantee an appropriate IT security level, we will consolidate the data centers and the networks of the national government and its institutions. Today, we have around 1,000 rooms with servers: large ones, medium-sized ones, small ones. We will centralize them at three or four highly protected locations. The same thing will be done with the networks. This is how we will protect the administration with a high standard of IT security.
Another measure is expanding our Cyber Defense Center, opened in 2011. The goal is to always have a clear description of what’s happening in cyber space. To do that, we will analyze and assess cyber incidents, with all national security agencies exchanging technical information about the incidents with each other. Needless to say, cyber space is not limited to just Germany. And there’s another plan we are pursuing: In Germany, we have large international companies with their own cyber security units, who observe cyber attacks, similarly to what our Cyber Defense Center does.
Four DAX companies have joined forces in the so-called German Cybersecurity Organization (DCSO) cooperation. Our idea is to work with them through exchanging technical information. However, we need a contractual basis for that. This is about highly sensitive data.
When in 2015 a Bundestag subcommittee met to discuss the hacking attack, a BSI official told the MPs that only around 15 employees inside his office had the expertise to analyze and deal with such an attack. This doesn’t sound like a lot of people?
The BSI is only one unit in our Cyber Defense Center. We have more experts in the Federal Criminal Police, in the Armed Forces, and in both our domestic and the foreign intelligence agencies.
Talking about personnel: Part of the cyber security strategy is hiring more cyber security experts. How easy or difficult is it to find candidates with the necessary expertise?
There is a great demand for IT security experts. The BSI has hired several people recently. It wasn’t easy to fill those positions; placing an ad in some newspaper wouldn’t be enough.
All those positions could be filled; in the meantime, however, we have new open positions.
How attractive a job is, however, is not only defined by its salary but also by how exciting or dynamic its environment is and by its compatibility with having a family.
The interview has been edited and condensed for clarity.
Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent CERT advisory have warned. The issue lies with HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is hiding inside encrypted traffic. However, to inspect that traffic they must break the encryption that SSL, and more recently TLS, provides by inserting themselves as a man-in-the-middle, and the way many of them rebuild the connection on the far side leaves it weaker than the one the browser would have made on its own.
In the paper (PDF), titled The Security Impact of HTTPS Interception, the researchers tested a range of the most common TLS interception middleboxes and client-side interception software and found that the vast majority of them introduced security vulnerabilities.
“While for some older clients, proxies increased connection security, these improvements were modest compared to the vulnerabilities introduced: 97 per cent of Firefox, 32 per cent of e-commerce, and 54 per cent of Cloudflare connections that were intercepted became less secure,” it warns, adding: “A large number of these severely broken connections were due to network-based middleboxes rather than client-side security software: 62 per cent of middlebox connections were less secure and an astounding 58 per cent had severe vulnerabilities enabling later interception.”
Of the 12 middleboxes the researchers tested, ranging from Check Point to Juniper to Sophos, just one achieved an “A” grade. Five were given “F” fail grades, meaning that they “introduce severe vulnerabilities”, and the remaining six got “C” grades. In other words, if you have a middlebox on your network and it’s not the Blue Coat ProxySG 6642, look up its grade and decide whether that is acceptable before you trust it with your traffic. Likewise, of the 20 client-side pieces of software from 12 companies, just two received an “A” grade: Avast’s AV 11 for Windows (not Mac), and Bullguard’s Internet Security 16. Ten of the 20 received “F” grades; the remaining eight, “C” grades.
How does it happen?
TLS, and SSL before it, encrypt traffic between a client and a server and authenticate the server through a chain of digital certificates: a trusted third party, the certificate authority, signs the server’s certificate, and the client checks that the chain leads to a root it trusts, that the certificate is still valid, and that its name matches the host the client asked for. To intercept such a connection without constant browser warnings, an inspection product installs its own root certificate in the client’s trust store and mints a certificate for every site the client visits. Browsers and other applications then validate the proxy’s certificate instead of the real server’s, which introduces two problems: first, the client can no longer see or verify the web server’s actual certificate; and second, more importantly, the connection the inspection product makes onward to the web server is invisible to the user.
In other words, the user can only be sure that the connection to the interception product is legitimate, and has no idea whether the rest of the path to the web server across the internet is secure or has been compromised. And, it turns out, many middleboxes and interception software suites do a poor job of that upstream leg themselves. Many do not properly verify the server’s certificate chain before re-encrypting and forwarding client data, so anyone sitting between the proxy and the server can present any certificate at all. Others verify but do a poor job of forwarding certificate-chain errors: they hand the client a freshly minted, apparently valid certificate even when the real server’s chain was expired, self-signed or issued for the wrong name, keeping users in the dark about a possible attack.
In other words: the effort to check that encrypted traffic is safe undermines the very security it is supposed to protect. Think of it as someone leaving your front door wide open while they check that the key fits. What’s the solution? According to CERT, head to badssl.com, which serves deliberately broken certificates, and check whether your inspection product rejects them as a browser would. And of course, read the paper and make sure you’re not running any of the products it flags as security fails on your network.
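The badssl.com check CERT recommends, and the upstream-verification failure described two paragraphs up, can be exercised from a machine behind the middlebox with the following added example. It is not code from the paper, from CERT or from badssl.com: it runs a fully verifying TLS handshake (trusted root, validity period, hostname) against the public badssl.com hosts listed in `PROBES`, which are assumed to still serve the broken certificates their names describe, and reports any broken chain that nevertheless handshakes cleanly, which means something in the path re-signed it without verifying upstream. The `verdict` and `assess` helpers are pure so the classification can be checked offline.

```python
"""Probe, from behind an HTTPS-inspecting middlebox, whether it re-signs
certificate chains that a browser would have rejected."""
import socket
import ssl

# Public badssl.com test hosts and whether a correctly validating client
# should be able to complete a TLS handshake with each (assumed current).
PROBES = {
    "badssl.com": True,                  # control: valid chain, valid name
    "expired.badssl.com": False,         # leaf certificate has expired
    "wrong.host.badssl.com": False,      # name does not match the certificate
    "self-signed.badssl.com": False,     # no chain to any trusted root
    "untrusted-root.badssl.com": False,  # chains to an unknown root
}


def probe(host, port=443, timeout=5.0):
    """Return (handshake_ok, issuer_org) for one host using full verification:
    CERT_REQUIRED against the system trust store plus hostname checking."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # getpeercert() returns the leaf we were shown; behind an
                # interceptor that is the proxy's minted certificate, so the
                # issuer names the inspection CA rather than a public CA.
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, issuer.get("organizationName", "?")
    except ssl.SSLError:  # covers SSLCertVerificationError
        return False, None


def verdict(expect_ok, observed_ok):
    """Classify a single probe result."""
    if expect_ok:
        return "ok" if observed_ok else "control failed: no path or broken trust store"
    if observed_ok:
        return "FAIL: broken chain accepted (re-signed without upstream verification)"
    return "ok: rejected as expected"


def assess(observed):
    """observed: {host: handshake_ok}. Returns (per-host verdicts, overall pass)."""
    verdicts = {h: verdict(PROBES[h], observed[h]) for h in PROBES if h in observed}
    passed = all(v == "ok" or v.startswith("ok:") for v in verdicts.values())
    return verdicts, passed


if __name__ == "__main__":
    results = {}
    for host in PROBES:
        ok, issuer = probe(host)
        results[host] = ok
        print(f"{host:28} handshake={'ok' if ok else 'rejected':9} issuer={issuer}")
    verdicts, passed = assess(results)
    for host, text in verdicts.items():
        print(f"{host:28} {text}")
    print("PASS" if passed else "FAIL")
```

Read the issuer column on the control line first: if badssl.com’s certificate appears to be issued by your organisation’s inspection CA rather than a public CA, the traffic is being intercepted, and the remaining lines tell you whether the interceptor is doing the upstream verification it now owes you. A broken host that handshakes cleanly is the failure mode the paper grades as severe; a control that fails means the probe itself could not get out or the client’s trust store is wrong, and says nothing about the middlebox.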