Educause Security Discussion mailing list archives
Re: IT-ISAC Information Bulletin re MS04-004
From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Tue, 3 Feb 2004 09:32:39 -0700
I have a sinking feeling that I'm being baited <grin> Oh, well - here it goes...

> http(s)://username:password@server/resource.ext

I suggest that use of the above syntax is a poor computing practice - it is unsafe. I suggest the above syntax is a violation of the Confidentiality portion of the Confidentiality, Integrity, Availability (CIA) security triad - the cornerstones of Information Security.

Bookmarks are stored in clear text on the user's hard drive and can be read using any one of hundreds of techniques - including the Windows "type" command, Notepad or the web browser itself. Links created on a web page using the above syntax can be discovered by moving the mouse over the link or viewing the source code of the downloaded web page.

I've seen untrained Web Masters create such links on their web pages, I've seen users email their bookmarks and I've seen users create unprotected file shares to their hard drive. These can all be Confidentiality violations depending on the content and value of the asset.

Security involves striking a balance between ease of use and protecting the assets. Too often users and Management focus only on the ease of use at the total expense of the security of their assets. Ease of use is important but, simply because something is easy to do does not mean that it is the right thing to be doing!

In my opinion, Microsoft removing this feature is the responsible thing for them to do.

--
Clyde Hoadley, CISSP
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
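A small defender-side check in the spirit of the post above, added here as an example and not part of the original message or the list archive: it scans text such as an exported bookmark file or saved page source for URLs that carry userinfo in the `user:password@host` form, reports them, and rewrites them with the credentials stripped so the file can be kept or shared without the secret. The sample input is constructed for this example; the host names, user names and passwords in it are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the kind of content the post describes: exported
# bookmark entries and page HTML containing credential-bearing URLs.
# Hosts, users and passwords here are invented for the example.
SAMPLE_TEXT = """\
<DT><A HREF="http://alice:s3cret@intranet.example/reports/q4.xls">Q4 report</A>
<a href="https://intranet.example/public/index.html">Public page</a>
<a href="https://svc_user:Passw0rd@files.example/share/doc.pdf">Shared doc</a>
ftp://bob@ftp.example/pub/
"""

# Rough URL matcher: stop at whitespace, quotes and angle brackets so a URL
# inside an HTML attribute does not swallow the closing quote.
URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s"\'<>]+')


def find_credential_urls(text):
    """Return (url, username, has_password) for every URL carrying userinfo.

    urlsplit() exposes the userinfo part as .username / .password, so we do
    not have to hand-parse the '@' ourselves (and do not misfire on an '@'
    that sits in the path or query).
    """
    hits = []
    for m in URL_RE.finditer(text):
        parts = urlsplit(m.group(0))
        if parts.username is not None:
            hits.append((m.group(0), parts.username, parts.password is not None))
    return hits


def redact_credentials(text):
    """Rewrite every userinfo-bearing URL so the credentials are dropped.

    The host:port part is taken verbatim from the netloc after the last '@'
    so bracketed IPv6 literals and explicit ports survive untouched.
    """
    def _strip(m):
        url = m.group(0)
        parts = urlsplit(url)
        if parts.username is None:
            return url
        hostport = parts.netloc.rsplit("@", 1)[1]
        rest = parts.path
        if parts.query:
            rest += "?" + parts.query
        if parts.fragment:
            rest += "#" + parts.fragment
        return f"{parts.scheme}://{hostport}{rest}"
    return URL_RE.sub(_strip, text)


if __name__ == "__main__":
    for url, user, has_pw in find_credential_urls(SAMPLE_TEXT):
        kind = "username+password" if has_pw else "username only"
        print(f"{kind}: {url}")
    print("--- redacted ---")
    print(redact_credentials(SAMPLE_TEXT))
```

Run over a real bookmark export or a site's HTML tree, `find_credential_urls` gives the list of links to fix and `redact_credentials` produces a copy that is safe to keep in clear text; the credentials themselves then belong in the browser's or OS's protected credential store rather than in the URL.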
Current thread:
- IT-ISAC Information Bulletin re MS04-004 REN-ISAC (Feb 02)
- <Possible follow-ups>
- Re: IT-ISAC Information Bulletin re MS04-004 Ariel Silverstone (Feb 03)
- Re: IT-ISAC Information Bulletin re MS04-004 REN-ISAC (Feb 03)
- Re: IT-ISAC Information Bulletin re MS04-004 Clyde Hoadley (Feb 03)
- Re: IT-ISAC Information Bulletin re MS04-004 Gary Flynn (Feb 03)