Interesting quotes from the researchers who demonstrated attack vectors in Google’s Chrome during Black Hat 2011:
“The software security model we’ve been dealing with for decades now has been reframed,” Johansen said. “It’s moved into the cloud and if you’re logged into bank, social network and email accounts, why do I care what’s stored in your hard drive?”
- An important illumination regarding the shifting of the risk landscape: how the user interacts with data and the system has changed, and that change challenges the technology controls currently relied upon to safeguard intellectual property.
- How effective is end-point security (malware / phishing agents, anti-virus) in this new use case?
- What is being deployed and effective – policy, procedure, technology, a hybrid?
“While the Chrome browser has a sandboxing security feature to prevent an attack from accessing critical system processes, Chrome extensions are an exception to the rule. They can communicate among each other, making it fairly easy for an attacker to jump from a flawed extension to steal data from a secure extension.”
- Speaks to the issue of convergence of apps that are emerging on iPhones, Androids, respective tablets, TVs, browsers, operating systems, etc. Similar to the fragmentation attacks of the past, where packets looked innocuous when inspected separately, but once all of them were received they reassembled into something capable of malicious activity.
An interesting extension of the risk here is that the platform and / or devices may be trusted and accepted by enterprises, but it is these Apps / Widgets / Extensions that are creating the security scenarios. This requires a policy and process for understanding the state of these platforms (platforms here including all mobile devices, browsers, and similar App-Loadable environments) beyond the gold configuration build.
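The defensive side of the cross-extension messaging point above, as an added example that is not from the article or the Black Hat talk: a "secure" extension's background script that answers external requests only from an explicitly allowlisted extension id. The chrome.runtime.onMessageExternal listener and sender.id are the real Chrome API shape; the trusted extension id, the stored token and the request format are constructed placeholders.

```javascript
// Added example, not code from the article or the researchers' demo.
// A "secure" extension should not hand data to any extension that can talk
// to it; it should decide based on the sender id Chrome attaches to every
// cross-extension message, never on anything inside the message body.

// Placeholder id of the one extension allowed to query us (constructed).
const TRUSTED_EXTENSION_ID = 'abcdefghijklmnopabcdefghijklmnop';
const ALLOWED_SENDER_IDS = new Set([TRUSTED_EXTENSION_ID]);

// Constructed sample of the data an attacker would want to pivot to.
const secrets = { sessionToken: 'constructed-session-token' };

// Pure decision function so the policy can be tested outside a browser.
function handleExternalMessage(message, sender) {
  // Reject anything without a well-formed, allowlisted sender id.
  if (!sender || typeof sender.id !== 'string' ||
      !ALLOWED_SENDER_IDS.has(sender.id)) {
    return { ok: false, error: 'sender not allowlisted' };
  }
  // Only a narrow, named request is served; everything else is refused.
  if (message && message.type === 'getToken') {
    return { ok: true, token: secrets.sessionToken };
  }
  return { ok: false, error: 'unknown request' };
}

// Inside Chrome, wire the policy to the external-message event. The guard
// keeps this file runnable in Node, where `chrome` is undefined.
// Complementary manifest control (assumption, not shown in the article):
// "externally_connectable": { "ids": [TRUSTED_EXTENSION_ID] } limits which
// extensions may open a channel to this one in the first place.
if (typeof chrome !== 'undefined' && chrome.runtime &&
    chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener(
    (message, sender, sendResponse) => {
      sendResponse(handleExternalMessage(message, sender));
    });
}
```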
Another article on the Google Chrome extension risk described above.