Multi-Tasking Security

[herme3]

Are there any dangers to multi-tasking on the same computer? For example, if I was logged into a banking web site, could a malicious web site opened in another browsing window possibly steal any information I'm working with in the other window? I'm using Windows Vista, which is much more resistant to malicious code than Windows XP, but are there still risks if I multi-task?

[Cap'n Refsmmat]

That's a browser problem. The answer should be "no", unless there is a vulnerability in the specific webbrowser you use.

 

I'd worry more about other possible attack vectors.

[herme3]

I use Firefox 2 on Windows XP computers, and Internet Explorer 7 on Windows Vista computers. These seem to be the most secure combinations for blocking sites that try to install trojans, but I really don't know much about preventing information from being stolen between different windows.

 

What other types of attack vectors are you concerned about? I have a hardware firewall built into my router, which should help keep hackers out.

[Cap'n Refsmmat]

When you're browsing the Internet, a hardware firewall will do absolutely nothing to stop attacks in Web pages or programs you download.

 

The key here is the security of your browser and the websites you visit. If someone compromises your bank's website with XSS, they can easily collect your bank number and PIN as you log in, and there's no way you could know besides inspecting the page source code before you log in.

 

There are also things such as DNS poisoning, which could fool computers into believing they're connected to the bank's website when in fact they're not, various browser vulnerabilities that allow attackers to steal stored passwords, man-in-the-middle attacks where someone intercepts your Internet connection and steals data or manipulates the stream, and much, much more.

 

None of the things (besides the browser problem) are problems you can stop with a firewall or software update.

[Dak]

herme, if you go to the firefox homepage and look at the list of updates/security fixes, you should get an idea of what's possible via browser exploits. iirc, i've seen a few security holes patched that could, in theory, be used to spy on other open tabs, so maybe it'd be an idea not to multi-task.

 

capn's right, tho, the risk is minimal. use a non-IE browser and keep it updated, along with your OS, and use stuff like an anti-virus/anti-spyware/firewall etc.

 

btw, possibly the best idea if you don't do online banking that often is to reboot into a live-CD, something like puppy linux or xubuntu whenever you do online banking.

[RyanJ]

From what you've described in your first post I'd have to say the circumstances you described couldn't be exploited. Normally web browsers add a feature called a sand box which checks the permissions of a script before allowing it to execute. This is done through means of content policy checking, in this case nothing should be able to open a new window (unless given permission to do so, say for example the actual site its self opened the window then it would have permission to read some information from its child window). Other than that an externally running script can't read from other windows in normal circumstances.

 

I'm mainly speaking in terms of Firefox here because I am unaware about bow other browsers process security contexts and content policies and so forth.

[Dak]

From what you've described in your first post I'd have to say the circumstances you described couldn't be exploited. Normally web browsers add a feature called a sand box which checks the permissions of a script before allowing it to execute. This is done through means of content policy checking, in this case nothing should be able to open a new window (unless given permission to do so, say for example the actual site its self opened the window then it would have permission to read some information from its child window). Other than that an externally running script can't read from other windows in normal circumstances.

 

yeah, but most security vulnerabilities are when people find abnormal ways to get around such measures.

 

unauthorised access to data open in another tab via cache:

 

http://www.mozilla.org/security/announce/2007/mfsa2007-03.html

 

I believe this one should allow your script to treat all pages as it's childeren?

 

http://www.mozilla.org/security/announce/2007/mfsa2007-21.html

 

reeeeeeeeeally unlikely in my (amature) oppinion, but still a theoryoretically real threat.

[RyanJ]

yeah, but most security vulnerabilities are when people find abnormal ways to get around such measures.

 

unauthorised access to data open in another tab via cache:

 

http://www.mozilla.org/security/announce/2007/mfsa2007-03.html

 

I believe this one should allow your script to treat all pages as it's childeren?

 

http://www.mozilla.org/security/announce/2007/mfsa2007-21.html

 

reeeeeeeeeally unlikely in my (amature) oppinion, but still a theoryoretically real threat.

 

Your right but thankfully most of the holes are patched quickly and are of a low security risk. In normal instances however it isn't possible for a normal window to access another window that it did not open, the same goes for content within frames and so forth.

[Dak]

In normal instances however it isn't possible for a normal window to access another window that it did not open, the same goes for content within frames and so forth.

 

yes, buuuuut, my point is that in computer security "under normal circumstances x isn't possible" isn't very useful as several hacks revolve around exploiting unusual circumstances.

 

iow, "normally x isn't possible" roughly equals "it was designed to try to stop you doing x"... x is still possible, tho, whenever a situation is found that exposes a design flaw.

[RyanJ]

yes, buuuuut, my point is that in computer security "under normal circumstances x isn't possible" isn't very useful as several hacks revolve around exploiting unusual circumstances.

 

iow, "normally x isn't possible" roughly equals "it was designed to try to stop you doing x"... x is still possible, tho, whenever a situation is found that exposes a design flaw.

 

Yes I understand what your saying but based on the context is the question it isn't possible. Even if a script ran that could bypass the content policy checks and suck it still won't work on a bank website because they normally use HTTPS which encrypts the data to stop it being broken into this way.

[Cap'n Refsmmat]

Not if the script can get access to the unencrypted data being displayed in your browser.

 

The other problem is bank websites that only encrypt the login page, and not the rest of the site. And that a lot of people will use their bank website even if the little lock security icon doesn't show up, because the site's actually a phishing website that managed to sneak in.

[RyanJ]

Not if the script can get access to the unencrypted data being displayed in your browser.

 

That depends nearly all browsers today use streamed decoding which used a unique key per window so there would be no way for an external script to access the decrypted stream data. Unfortunately as ou say its only used in some places when it should be used on the whole site. A recent example stating why to always use HTTPS were applicable is http://dmiessler.com/blogarchive/why-you-should-encrypt-all-of-your-google-activities-poc

 

Some people may find that an interesting read.