Security Basics mailing list archives
Re: Corporate Web based email - threats
From: "Steve" <securityfocus () delahunty com>
Date: Mon, 27 Sep 2004 17:36:51 -0400
I heard that VMware just came out with a solution for this.
http://www.vmware.com/products/desktop/ace_features.html

----- Original Message -----
From: <roger.smith () calyonfinancial com>
To: "Pavel" <hiddenrecipient () email com>
Cc: <security-basics () securityfocus com>
Sent: Monday, September 27, 2004 8:43 AM
Subject: Re: Corporate Web based email - threats

Hi Pavel,

We did a thorough analysis on iNotes and in summary found what you noted. If you don't control the remote PC then you simply don't have control....especially spyware, keyloggers, temp files.

We investigated adding SSL VPN (several companies to remain nameless for legal reasons) that clean the remote PC's leftovers before logoff. Some do that cleanup very well but they don't help at all for abnormal disconnects.

You need end to end control - including the human at the remote keyboard *:) - They often leave their PC logged on and unattended while in line at Starbucks waiting for their Venti Caramel Macchiato!

Our decision - Control the remote PC by issuing it ourselves to the user, configured with all the security standards we employ for road warrior portables.....including PDAs. Sorry, folks but we have too much at stake to do anything less.

Just my (depreciated) 2 cents here.

Roger Smith

From: Pavel <hiddenrecipient@ email.com>
To: security-basics () securityfocus com
Date: 09/23/2004 09:48 AM
cc:
Subject: Corporate Web based email - threats

Hi all,

The access to corporate web mail services like OWA, iNotes or VPN SSL stuff is becoming increasingly popular. I saw many posts here about security measures for protecting Web server itself, filtering viruses and encrypting data in transit. However, few people address a problem of temporary content stored on client PCs and stolen session/credentials. Given that companies are looking for more mobility, the typical use of webmail services occurs on public PCs, kiosks and Internet cafés.

1. Temporary content.
Some Web based email and VPN SSL clients have features to remove temporary files from the client PCs. The tests we performed (iNotes and OWA) show that the cleaning is very poor and a lot of files and attachments are still sitting in the IE cache, Temp folder, Acrobat cache, different download managers like Mozilla or Reget/GetRight etc. The cleaning is even worse on any PC that has a non-standard OS (Linux, Mac etc.) and browsers like Firefox, Opera and so on.

2. Stolen session.
Some vendors recommend to use SecurID tokens or stuff like that to prevent stealing users' credentials. However, there is still a lot of possibility to penetrate user sessions starting from stolen session IDs thru a malicious email to different sorts of "parent control" software (keylogger + file/clipboard/web pages sniffer + screenshots every 15 seconds ...). One never knows what is running on that regular public PC.

I would like to hear from you any ideas on how you mitigated these risks and what your reasoning was to allow/disallow the access to your company's webmail.

Thank you in advance
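The kind of cleanup test described in the thread can be repeated on a lab client by snapshotting the cache and temp directories before a webmail session and again after logoff, then listing what the cleanup left behind. The following is an added example, not part of the original messages; the function names, directory names and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(roots):
    """Map every readable file under the given roots to (size, sha256)."""
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                try:
                    data = path.read_bytes()
                except OSError:
                    continue  # locked or vanished file: skip it
                state[str(path)] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def residue(before, after):
    """Files created or modified between two snapshots: what cleanup missed."""
    return sorted(p for p, meta in after.items() if before.get(p) != meta)

def demo():
    # Constructed stand-in for a client profile; on a real test machine the
    # roots would be the browser cache and the user's Temp folder.
    with tempfile.TemporaryDirectory() as profile:
        cache = Path(profile, "browser_cache")
        temp = Path(profile, "Temp")
        cache.mkdir()
        temp.mkdir()
        (cache / "logo.gif").write_bytes(b"GIF89a")  # present before the session
        before = snapshot([cache, temp])

        # Simulated session: an attachment is opened and a mail page is cached.
        (temp / "report.pdf").write_bytes(b"%PDF-1.4 constructed attachment")
        (cache / "inbox.htm").write_text("<html>constructed mail view</html>")

        # Simulated logoff cleanup that empties only the browser cache.
        (cache / "inbox.htm").unlink()

        after = snapshot([cache, temp])
        return [os.path.relpath(p, profile) for p in residue(before, after)]

if __name__ == "__main__":
    print(demo())
```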
Current thread:
- Corporate Web based email - threats Pavel (Sep 24)
- Re: Corporate Web based email - threats roger . smith (Sep 27)
- Re: Corporate Web based email - threats Steve (Sep 29)
- Re: Corporate Web based email - threats roger . smith (Sep 27)