Content Filters Should Be Used for Security

By PatB
Contributing Writer, [GAS]

Most workplaces use a proxy server or a content filter between the end user and the Internet. Such filters usually enforce a company’s web surfing policies by blocking access to pornography, social networking sites, day-trading sites, online dating, etc. As a grown adult, I don’t much care for web filtering products that block content based on objectionable material. I don’t need a net nanny.

Not that I want to surf porn or anything, but as a security analyst I find that such filters sometimes make my job difficult when handling an incident or investigating a policy violation. For instance, how do I know something objectionable was downloaded if I can’t see it myself? Or how do I know malware was blocked if I can’t watch the attack work in a lab environment?

But there are definite advantages to blocking content, especially if you know which URLs are malicious. SANS reports today on a massive web defacement that exploited weaknesses in SQL to inject malicious JavaScript into over 40,000 websites across dozens of domains. The JavaScript silently downloads password stealers and other trojans. This particular mass defacement is targeting gamers and the passwords to their online accounts. The next such defacement will likely install botnet software. But if you know the malicious strings in the content, you can employ a content filter to block those pages.

According to SANS, the mass defacement injects a string that calls the following URL: yl18.net/0.js. If you have a content filter, it would be prudent to block that string, and in fact, it wouldn’t hurt to block all calls to “0.js”. Experience has proven that malware hosted at a single site has a very short shelf life; the exploits will likely cease to work within 24 hours. But the script kiddies will strike again from a different server somewhere else, and will likely recycle the same scripts, changing only the domain name. Blocking calls to this script could stop some of those recycled exploits.
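The two rules suggested above (block the exact yl18.net/0.js URL, and more broadly block any request for a script named 0.js) can be checked against proxy logs before they go into a production filter. The following is an added example, not code from the original post or from any filtering product: it defines both rules, runs them over a few constructed proxy log lines in a simplified squid-style format (timestamp, client IP, method, URL, status), and reports which requests each rule would have blocked. The log lines, IPs and the example.com/example.org hosts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: timestamp, client IP, method, URL, HTTP status.
# The fourth line is a legitimate-looking CDN script that happens to be called 0.js,
# so the reader can see the false-positive cost of the broad "block all 0.js" rule.
SAMPLE_LOG = """\
1234567890.001 10.0.0.5 GET http://www.example.com/index.html 200
1234567890.102 10.0.0.5 GET http://yl18.net/0.js 200
1234567890.203 10.0.0.7 GET http://cdn.example.org/static/0.js 200
1234567890.304 10.0.0.7 GET http://cdn.example.org/static/jquery.js 200
1234567890.405 10.0.0.9 GET http://YL18.NET/0.JS?x=1 200
"""

# Rule 1: the exact host/path pair named in the SANS report (lowercase for comparison).
BLOCKED_URLS = {("yl18.net", "/0.js")}
# Rule 2: the broader rule from the post, block any script with this file name
# regardless of the host it is served from.
BLOCKED_BASENAMES = {"0.js"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def classify_url(url):
    """Return (blocked, reason) for one requested URL.

    Host matching is case-insensitive (DNS names are), and the path is lowercased
    too so trivial case variations do not slip past the blocklist; the query
    string is ignored because urlparse separates it from the path.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()      # hostname strips port and lowercases
    path = (parts.path or "/").lower()
    if (host, path) in BLOCKED_URLS:
        return True, "exact match: " + host + path
    basename = path.rsplit("/", 1)[-1]
    if basename in BLOCKED_BASENAMES:
        return True, "script name match: " + basename
    return False, ""


def scan_log(text):
    """Run the blocklist over proxy log text; return (client, url, reason) per hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or blank lines rather than failing the scan
        blocked, reason = classify_url(m["url"])
        if blocked:
            hits.append((m["client"], m["url"], reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{reason}]")
```

Running the scan shows the trade-off the post hints at: the exact rule catches only the yl18.net requests (including the upper-cased variant), while the file-name rule also catches the cdn.example.org request, which is what "block all calls to 0.js" costs in false positives. Reviewing hits from the broad rule against recent logs before enabling it tells you whether that cost is acceptable on your network.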

And if you can’t block malicious content? Well, patch everything, cross your fingers, and surf carefully.