Computer Security: drive-bye
Like a lion waiting to ambush gazelles at a waterhole, malware can catch you by surprise.
As some of you might have noticed, the Computer Security Team had to block the news site “20min.ch” a while ago, as it was found to be distributing malware. This block comes after similar incidents at other Swiss organizations. Our blocking is protective in order to safeguard your computers, laptops, tablets and smartphones.
Unfortunately, this is not the first time we have seen these so-called drive-by/waterhole attacks: once you have visited an affected website, embedded third-party malicious code is downloaded to your computer and subsequently infects it (if running Windows or Android as well as, less likely, Mac operating systems). Hence the name “drive-by”. As “20min.ch” is a very frequented website among CERN staff members and users, it makes it a perfect source for attacks against CERN (or other Geneva-based organisations): instead of attacking those organisations directly, which might be difficult as they are likely to be security aware, why not first target an external site with a lower security level, but with high visibility? Like a lion waiting to ambush gazelles at a waterhole, hence the name “waterhole attack”. In the past, other prominent websites in the Geneva area were also susceptible to such attacks. “20min.ch” has already shown up on our radar a few times in the past.
Protection is difficult as the hosted malware is usually based on “zero-day” exploits, i.e. malware that is exploiting vulnerabilities not publicly known at that moment. We usually recommend having your system completely up-to-date – using Windows Update, Mac Update, Yum auto-update, or any other permanent update mechanism for your preferred operating system and applications. We also recommend running an antivirus solution: check here for CERN’s free offerings. However, these won’t help with fighting zero-day exploits, as neither the patching nor the antivirus software could know about them. Still, don’t be negligent. If you want to be careful, browse the web from a Linux PC (like LXPLUS) as they are currently less susceptible to that kind of attack. Or just refrain from visiting this type of website. Remember? When in doubt about the link/URL you are about to open: “Stop, think, don’t click!”
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.
by Stefan Lueders, Computer Security Team