Client-side Security

I was planning to start this topic for some time now and here I am making the first steps towards explaining what client-side security is and why it is important. I suspect that there will be a follow up post in the near future. There is definitely a lot of ground work that needs to be laid out for this topic.

"So, what is client-side security?" Well, it is related to JavaScript and Browser security, which is a hot topic today, but in general, simply put, client-side security is all about the security of the client. I hope that wasn't a surprise for you. As I said many times throughout other publications at GNUCITIZEN, the client and the server are in very delicate situation. Here is a quote from a previous GNUCITIZEN article about The Next Super Worm.

Clients and servers are in symbiosis. The security of the server depends on the security of the client and vice versa

The role of the client can be taken by anything. A client is your browser but also your machine as part of a Windows domain. A client is also your Skype and your Wifi card that is associated with an access point. Every piece of software often is a client. Please do not assume that clients and servers are only terms used to describe the state between machines in a network. The role of the client is taken by the thing that sits on one of the sides of the communication spectrum. We define clients and servers based on the way we look at them. Very often servers are clients too as we established that earlier in this post.

The reason why client-side security is interesting today is because it is often ignored by security professionals and in general companies that pay these security professionals to test for vulnerabilities. Here is a typical example; When we need to perform a wifi test, very often we look at things such as available networks, encryption on these networks, network segmentation between them and also signal range. These points definitely cover many things about the security aspects of a wifi network but for sure this is not all. What is left are things such as rouge access points, preferred network list probes and ad-hoc networks. These characteristics of the premises that is tested could be provided as part of the report but very often no solution is specified simply because it is harder to control hundreds of machines compared to controlling only a few.

This is exactly what client-side security problems are. Here is an example how the preferred network list probe requests available exclusively in Windows are a problem for your organization. So let's say that you are supporting encryption (WPA) with 802.1x authentication. It sounds great and moderately secure. However, if any of the clients of that network has other networks in their preferred network list that are not encrypted, attackers can setup a rouge access point, pretending to be one of them, and wait for that client to associate. Once the connection is established and the DHCP server transmits the client IP down the line, the attacker has a network access to that machine. From that point on the attacker will attack this client, which is not as well secured as your corporate infrastructure, and plant a program that will allow the attacker to sneak into your protected WPA enabled network. That of course can be accomplished in many different ways one of which is to wait for a software update from one of the many installed software components like Skype, Firefox and Google Desktop, and replace that update with your own. In an environment where the attacker controls the network, that can be accomplished quite easily.

The reason why I use Wifi problems here in order to describe client-side security is because I want to escape from the Web2.0 cliché for a moment. Similar attacks can be applied to many other things. Just because you have a firewall and well configured intrusion detection system, it does not mean that you are secure. It means that attackers cannot attack your network directly and this is it. However, as we saw earlier in this post, there are many, many other ways a similar goal can be accomplished.

It is said that the security of a system is as strong as its weakest link. The users, the client, these are the weakest links of any system. They are the low-hanging fruit and aldo the targets attackers will go after. Not your network! Their security problems are defined by the term client-side security because often they are seen as clients.