Re: Corporate Web based email - threats

[Liran Cohen <theog () tehila gov il>]

It doesnt matter what you use , a simple keylogger or any other spyware for that matter will expose you're data and\or 
identity. now , it depends on the level of security you are interested in , if you require maximum security while 
accessing data remotely , I would recommend Roger's approach , with handing out a device (be it a laptop PDA etc...) to 
the users which are supposed to access the data remotely , use an encryption mechanism and a random identity verifier 
(OTP , PKI etc..) , anything less than that will have to be considered a security compromise.


Cheers
TheOg


Pavel wrote:
> Hi all,
>
> The access to corporate web mail services like OWA, iNotes or VPN SSL stuff is becoming increasingly popular. I saw many posts here about security measures for protecting Web server itself, filtering viruses and encrypting data in transit. However, few people address a problem of temporary content stored on client PCs and stolen session/credentials. Given that companies are looking for more mobility, the typical use of webmail services occurs on public PCs, kiosks and Internet cafés. 
>
> 1. Temporary content. Some Web based email and VPN SSL clients have features to remove temporary files from the client 
> PCs. The tests we performed (iNotes and OWA) show that the cleaning is very poor and a lot files and attachements are 
> still sitting in the IE cache, Temp folder, Acrobat cache, different download managers like Mozilla or Reget/Getrigt 
> etc. The cleaning is ever worse on any PC that have non standard OS (Linux, Mac etc.) and browsers like Firefox, Opera 
> and so on.
>
> 2. Stolen session. Some vendors recommend to use SecurID tokens or stuff like that to prevent stealing users' credentials. 
> However, there is still a lot of possibility to penetrate user sessions starting from stolen session IDs thru a malicious email to 
> different sorts of "parent control" software (keylogger + file/clipboard/web pages sniffer + screenshots every 15 seconds 
> ...). One never khows what is running on that regular public PC.
>
> I would like to hear from you any ideas on how did you mitigate these risks and what was your reasonong to allow/disallow 
> the access to your company's webmail.
>
> Thank you in advance
>
>
> ---------------------------------------------------------------------------
> Computer Forensics Training at the InfoSec Institute. All of our class sizes
> are guaranteed to be 12 students or less to facilitate one-on-one
> interaction with one of our expert instructors. Gain the in-demand skills of
> a certified computer examiner, learn to recover trace data left behind by
> fraud, theft, and cybercrime perpetrators. Discover the source of computer
> crime and abuse so that it never happens again.
>
> http://www.infosecinstitute.com/courses/computer_forensics_training.html
> ----------------------------------------------------------------------------

--
Liran Cohen
Security and communication consultant.
Tehila project
Governement of Israel.
Tel. +972-54-898817
e-mail: theog () tehila gov il








2623361132 1333221532
4222153321