IT Baseline Protection Manual S 5.45 Security of WWW browsers

S 5.45 Security of WWW browsers

Initiation responsibility: IT manager, network planner

Implementation responsibility: Administrator, IT users

When accessing the World Wide Web (WWW) various security problems can arise on the computers at the workstation. This can be due to faulty operation on the part of the user, insufficient browser configuration (i.e. the program being used to access the WWW), or weaknesses in the security of the browser.

Local data can be under threat if, for example, programs are downloaded from the Internet and executed without confirmation on the local computer (e.g. ActiveX programs or Java-applets). Documents or pictures may also contain commands which will automatically be executed when viewed and can thus lead to damage (e.g. macro viruses in Winword or Excel documents). To avoid such problems, the safeguards described in the following should be implemented.

Downloading files and/or programmes

When files and/or programmes are downloaded, a considerable number of security problems can arise, the most well-known amongst these being viruses, macro-viruses and Trojan horses. Users should never rely on the fact that the downloaded files or programmes come from trustworthy sources.

When the browser is configured, it must be ensured that the applications associated with files which may contain macro viruses are not started automatically (see also S 4.44 Checking incoming files for macro viruses).

Every user must be reminded that he himself is responsible for taking the relevant precautions when downloading files. Even if the downloaded data is automatically tested for viruses by a firewall, the responsibility for the cleanliness of the files or programmes still lies with the user. In principle, the internal security regulations of the organisation must naturally be observed during the installation of programs. In particular, only tested and approved programmes may be installed. Before installation, programs should be tested for cleanliness on a stand-alone computer used as a testbed.

In case of doubt contact IT administration.

Plug-ins and additional programs

Not all browsers can process all file formats directly. This generally means that such files cannot be displayed or, in the case of audio and video, cannot be played back. For some file formats, plug-ins or additional programs are therefore needed.

Plug-ins are library files (e.g. DLL files) which are downloaded by installation programs into the plug-in directory and are executed with the invocation of the corresponding file format.

Additional programs, such as viewers, are independent programs which are able to process certain file formats. The invocation of such an additional program is controlled using one of the browser's configuration files, in which the file extension and program are linked.

When adding plug-ins or additional programs to a WWW browser, the same safeguards should be observed as for loading files and/or programmes. No program should be installed which is not absolutely trustworthy.

Of course, plug-ins also take up memory space and increase the time required to start the browser. All plug-ins that are not required should, therefore, be removed, which is not always easy. Many uninstallation routines do not recognise plug-ins and not all browsers offer a list of the plug-ins that are installed. This means that all the files belonging to a plug-in must be deleted manually in the browser's plug-in directory.

Cookies

Information concerning loaded WWW-pages, passwords and user-conduct is stored in so-called cookie files on the user's computer. Next time the respective user pays a visit, WWW providers can offer him special information or make certain services available to him via password. However, WWW providers can also create user profiles with this technique, for example, to address particular target groups with advertisements.

To prevent this, the creation of cookie files should be prevented or, if this is not possible, they should be regularly deleted. Cookies can usually be found in the configuration directory of the WWW browser in files such as cookie.txt or directories such as cookies. For example, this file is called $HOME/.netscape/cookies in Netscape Navigator 2.02 under Unix. Preferably, browsers should be installed with which the storage of cookies can be avoided. If this is not possible, browsers should be installed which at least warn the user before accepting cookies. This option must always be activated. Users can then accept or reject cookies in every situation. If cookies are rejected, some WWW pages can only be displayed partly or not at all, but this happens very rarely. If the warning before the acceptance of cookies is activated, the warning also shows the contents of the cookie, so that it becomes clear which provider collects which information about the user.

To prevent the creation of cookie files, an empty cookie file can be created and write-protected. The extent to which this is effective depends upon the browser version and the operating system installed. In particular, it must be ensured that the browser can neither undo the write-protection nor crash when attempting to write to the file.

Otherwise, it can be helpful to delete the cookies regularly by means of a batch file, which removes the old cookie files, for example, at every system start or every user log-on.

Data collections

Data regarding various users' access to the Internet are collected externally as well as locally. In this context it must also be ensured that only authorised personnel have access to this data. This applies in particular to the files created by the browsers regarding History, Hotlists and cache. Users must be informed where such data is stored on their local computer, and how this data can be deleted.

These files are particularly sensitive on proxy-servers, because on such servers, every external WWW-access attempt by all staff is logged, including the IP number of the client which started access and the requested URL. Therefore, a badly administrated proxy-server can lead to severe violations of data protection regulations.

Most browsers gather a lot of information on users and their utilisation profiles: Firstly, users might not want these details to be disclosed, and secondly, superfluous information of this nature can block the available storage space on the computer. These data include:

Information on news-server visits

Most browsers are able to directly access news servers.

In this process, Netscape notes the sequential numbers of the news items which have been read. This allows the determination of user profiles which also indicate the newsgroups and news items accessed by a user.

Microsoft's Internet Explorer goes a step further and stores the entire contents of all accessed news items.

History database

The history database of the Internet Explorer contains a complete collection of all activities performed with this browser, i.e. details on pictures which have been viewed, addresses, internal confidential documents which have been read, etc.

As a result, the history database quickly takes up a lot of storage space, so that it needs to be cleared on a regular basis. The files in the history database should not simply be deleted; instead, they should be replaced by prepared copies of an empty history database, as certain entries need to be retained.

Information on users

Browsers also store, and sometimes forward, various details concerning users, e.g. real name, e-mail address, organisation. To prevent flooding by e-mail advertisements, it is advisable to use the browser under an alias name.

Information in the cache

Internet Explorer, Netscape and other browsers generate large numbers of files in a cache directory. These files contain the text and pictures from all Web pages visited since the last time the cache was deleted.

The cache is intended to avoid a multiple loading of pages during a single session. However, the Internet Explorer does not independently delete these data, which are of no use in subsequent sessions, so that tens of megabytes of garbage accumulate in caches which are not deleted regularly. These data can also be used to generate user profiles.

For this reason, the cache should be deleted regularly, just like the history folder.
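As an added example (not part of the BSI text), the following POSIX shell script implements the two measures described above for a Netscape-style Unix profile: it replaces the cookie file with an empty, write-protected file and empties the cache directory, then restricts the profile directory to its owner. The profile path defaults to $HOME/.netscape as in the text; the file name cookies, the directory name cache and the PROFILE_DIR variable are assumptions and must be adapted to the browser in use.

```shell
#!/bin/sh
# Added example: browser privacy reset for a Netscape-style Unix profile.
# Assumed layout: $PROFILE_DIR/cookies (cookie file), $PROFILE_DIR/cache (cache dir).

# Replace the cookie file with an empty, write-protected file so the browser
# cannot add cookies (how well this works depends on the browser version).
reset_cookie_file() {
    f="$1"
    # An earlier run may have left the file read-only; make it writable first.
    [ -e "$f" ] && chmod u+w "$f"
    : > "$f"            # create or truncate to an empty file
    chmod 0444 "$f"     # read-only for everyone, including the owner
}

# Delete cached pages and pictures but keep the cache directory itself,
# so the browser does not fail on start-up because the directory is missing.
clear_cache_dir() {
    d="$1"
    [ -d "$d" ] || return 0
    find "$d" -mindepth 1 -delete
}

# Cache, history and hotlists reveal the browsing profile, so only the
# user should be able to read the profile directory.
restrict_profile_perms() {
    chmod 0700 "$1"
}

# Returns 0 if the cookie file exists, is empty and has mode 0444, else 1.
check_cookie_file() {
    f="$1"
    [ -f "$f" ] && [ ! -s "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-r--r--r--" ]
}

# Apply all three measures to one profile directory.
privacy_reset() {
    p="$1"
    reset_cookie_file "$p/cookies"
    clear_cache_dir "$p/cache"
    restrict_profile_perms "$p"
}

# Run on the real profile only when PROFILE_DIR is set, e.g. from a log-on script:
#   PROFILE_DIR="$HOME/.netscape" sh browser-privacy-reset.sh
if [ -n "${PROFILE_DIR:-}" ]; then
    privacy_reset "$PROFILE_DIR"
fi
```

Calling it from the user's log-on script or a system start-up script gives the regular deletion the text recommends; the check_cookie_file function can be used afterwards to confirm that the browser has not undone the write-protection.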

Unfortunately, it is not always easy for users to find out how to empty the cache. In the case of the Internet Explorer under Windows 95 for example, the cache is emptied by selecting the option Empty folder under View/Options/Advanced/Temporary Internet Files/Settings.

WWW sites secured with SSL are used, amongst other things, to transmit sensitive information such as credit card numbers over the Internet in encrypted form. Such pages should, therefore, not be stored in the cache in the first place. In the Internet Explorer, for example, this can be deactivated with "Do not save encrypted pages to disk" under Tools/Internet Options/Advanced/Security.

Access to client hard disk

With some browsers (e.g. Netscape or Microsoft Internet Explorer) WWW servers are given the opportunity to actively access the hard disk of the client (ActiveX, Java).

Rather than being executed on the server, Java and ActiveX programmes are executed on the client side by the browser. However, this transfers the security risk from the server to the client. Therefore, various safeguards have been built into Java and ActiveX to prevent misuse. Many security pitfalls have nevertheless been discovered so far.

Certain security risks exist when using browsers which allow access to the files of the client in connection with ActiveX and Java. Under certain conditions ActiveX allows local resources to be used. Access of this kind is also possible with Java, but only if the user explicitly allows it. The ActiveX security concept is based upon the user having confidence in the content provider and in an authentic third party in the World Wide Web. This confidence is problematic if the web-pages of unknown or new providers are called up.

Due to the existing problems with ActiveX, Java and JavaScript, these should, as a general rule, be deactivated.

If ActiveX, Java and JavaScript absolutely must be used, they should only be allocated to computers separated from other internal computers in such a way that security-relevant data cannot be impaired.

Breaches in the security of WWW browsers

Considerable security breaches have already been found in most browsers. For example in February and March 1997 many weaknesses in the security of different versions of the Microsoft Internet Explorer were discovered.

These mistakes can all be put down to Microsoft attempting to connect the WWW with local Windows components, thereby granting WWW sites as much trust as local data. With the appropriate software it became possible to execute harmful programmes on the local computer of the WWW user simply by calling up inconspicuous WWW sites, without the user realising.

Encryption

Since all data is transmitted across the Internet in plain text, sensitive data should be encrypted before transmission. Where the appropriate mechanisms are already provided in parts of the protocol, it is sensible to use them. For safe transmission of data across the Internet it must be considered whether more recent protocols such as IPv6, S-HTTP or SSL can be used.

More recent browsers support the use of diverse security protocols. At least SSL should be supported.

Using available security functions

In every case, the available security functions of the browser should be used (confirmation before execution of programmes, access to restricted file systems only, no possibility to change local data).

When surfing the Internet, automatic execution of programmes should be prevented (e.g. via the Disable Java option) and only reactivated for trustworthy servers.

News readers and mail clients frequently offer the possibility of reading any type of data in MIME format. Such data can also contain commands which lead to the automatic execution of programmes on the local computer. The corresponding entries should therefore be removed from the configuration files, or confirmation should be required before programmes can be executed.

Gathering information about security breaches

Since new gaps in security are constantly discovered in WWW browsers, information should regularly be gathered regarding these gaps and how to eliminate them. Procuring the most up-to-date version of the product should not be a priority as new programme additions can mean new security problems. By installing patches it is at least ensured that acknowledged security breaches are eliminated.

Regulations

The user is responsible for the majority of the safeguards listed above, since their implementation as, for example the activation of certain options, cannot be consistently checked by administration. Every user should therefore be required, via the appropriate instructions, to observe the listed security guidelines before using Internet services. It is advisable to commit users to compliance with an operating pattern before allowing them to access Internet services. A training course should be held to impart the contents of the Internet security guidelines and the operating pattern to users.

This operating pattern should contain a brief description of the available communication services and a list of all the relevant regulations. Every user should confirm with his signature that he has acknowledged the regulations and will observe them when using communication services.

It should be brought to the attention of every user that the use of Internet services can be expensive. Consequently, it is important that the information gathered in the Internet is made available to other staff so that they do not access the same external Web pages repeatedly. For this purpose, a separate area of the internal network should be set aside where such information can be stored in a structured manner.

Furthermore, users must be aware


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999