Last year I wrote about our critical state of cyber-security: the barbarians are at the gates, and CISOs must take bold steps forward to adopt new practices to dramatically reduce enterprise insecurity.
Late last month, my colleagues at Bromium Labs and Google announced to the world that YouTube had been compromised and had been serving bank-credential-stealing malware to millions of youtube.com visitors.
Let’s take a quick look at what Google’s Safe Browsing infrastructure said about youtube.com on Mar 25, 2014.
The Google Safe Browsing infrastructure is the same system that Google Chrome uses to help you avoid bad websites when surfing the web. Google is stating here that its own youtube.com had very recently served malware.
This is stunning!
This type of “black mark of disapproval” used to be indicative of a poorly secured website, a site that users should avoid. This was not something you would expect for a very popular website run by an amazing and great company like Google.
How exactly did Google’s YouTube fall to the barbarians?
The details are over here. In short: when you visit a website, your device actually executes computer code authored by the content provider of the website. Furthermore, some of the code on the web page may come from third parties that are different from the main content provider: e.g., from social media sites that provide the various “Like” and “Follow” buttons, or ads from advertisers. The YouTube intruders had managed to bypass Google’s strict security vetting processes and were able to inject their malicious credential-stealing code into ads served by youtube.com.
This method of attack is by no means novel. But the intruder used various steps of subterfuge to stay hidden on YouTube’s infrastructure for weeks, undetected.
What is more shocking is the scale and impact of the attack. YouTube is one of the world’s most popular websites, with hundreds of millions of monthly visitors, both consumers and business users. From a CIO’s or CISO’s perspective, none of the traditional enterprise defenses (firewalls, IPS/IDS, whitelisting or anti-virus) was able to detect the compromise or attribute the attack to YouTube for weeks.
Advanced network security is better than ever before, but we simply don’t consume information by directly tapping into a network. All information is consumed, stored and created at some endpoint. If the endpoint is compromised, your information is at risk and may be stolen. Laptops and mobile devices were particularly vulnerable to compromise via YouTube while the user was surfing the web from home or a coffee shop, and could then easily bring malware back into the enterprise.
Now, the folks at Google are wicked smart, very responsible and extremely responsive: they banned this particular malicious advertiser from YouTube within hours of being alerted by the Bromium folks.
What is still very troubling is to think about the other malicious ads, not yet discovered, that are hiding on reputable sites such as YouTube. And such attacks are clever about getting past advanced network-based defenses: they might wait until you are 30 minutes into viewing a movie before detonating.
Ads are the lifeblood of the Internet economy, and our ad networks might be sick with malware. This is a $100B+ problem.
Back to what to do about it: the CISO and the CIO must invest in new approaches that protect the endpoint directly, without the need to rely on detection algorithms for new malware. One example is Bromium’s micro-virtualization, which uses hardware to protect applications, the operating system and data at runtime, to extract and analyze malware for incident response, and to make endpoints self-remediating.