Security Basics mailing list archives

Re: Corporate Web based email - threats


From: "Steve" <securityfocus () delahunty com>
Date: Mon, 27 Sep 2004 17:36:51 -0400

I heard that VMware just came out with a solution for this.
http://www.vmware.com/products/desktop/ace_features.html


----- Original Message ----- 
From: <roger.smith () calyonfinancial com>
To: "Pavel" <hiddenrecipient () email com>
Cc: <security-basics () securityfocus com>
Sent: Monday, September 27, 2004 8:43 AM
Subject: Re: Corporate Web based email - threats






Hi Pavel,

We did a thorough analysis on iNotes and in summary found what you noted.
If you don't control the remote PC then you simply don't have
control....especially spyware, keyloggers, temp files.
We investigated adding SSL VPN (several companies to remain nameless for
legal reasons) that clean the remote PC's leftovers before logoff. Some do
that cleanup very well but they don't help at all for abnormal
disconnects.

You need end to end control - including the human at the remote keyboard
*:)  -  They often leave their PC logged on and unattended while in line at
Starbucks waiting for their Venti Caramel Macchiato!

Our decision - Control the remote PC by issuing it ourselves to the user
configured with all the security standards we employ for road warrior
portables.....including PDAs.
Sorry, folks but we have too much at stake to do anything less.

Just my (depreciated) 2 cents here.



Roger Smith





From: Pavel <hiddenrecipient@email.com>
Sent: 09/23/2004 09:48 AM
To: security-basics () securityfocus com
cc:
Subject: Corporate Web based email - threats












Hi all,

The access to corporate web mail services like OWA, iNotes or VPN SSL stuff
is becoming increasingly popular. I saw many posts here about security
measures for protecting Web server itself, filtering viruses and encrypting
data in transit. However, few people address a problem of temporary content
stored on client PCs and stolen session/credentials. Given that companies
are looking for more mobility, the typical use of webmail services occurs
on public PCs, kiosks and Internet cafés.

1. Temporary content. Some Web based email and VPN SSL clients have
features to remove temporary files from the client PCs. The tests we
performed (iNotes and OWA) show that the cleaning is very poor and a lot
of files and attachments are still sitting in the IE cache, Temp folder,
Acrobat cache, different download managers like Mozilla or ReGet/GetRight
etc. The cleaning is even worse on any PC that has a non-standard OS (Linux,
Mac etc.) and browsers like Firefox, Opera and so on.

2. Stolen session. Some vendors recommend using SecurID tokens or stuff
like that to prevent stealing users' credentials. However, there is still a
lot of possibility to penetrate user sessions starting from stolen session
IDs thru a malicious email to different sorts of "parent control" software
(keylogger + file/clipboard/web pages sniffer + screenshots every 15
seconds ...). One never knows what is running on that regular public PC.

I would like to hear from you any ideas on how you mitigated these risks
and what was your reasoning to allow/disallow the access to your company's
webmail.

Thank you in advance











