Educause Security Discussion mailing list archives

Re: "Porn-surfing hits taxpayer IDs"


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 14 Jun 2006 16:09:22 -0400

Jere Retzer wrote:

> From today's Oregonian. Here is another threat/risk to consider. Does anyone know about other incidents of trojans
> stealing personal data?

Happens all the time. Especially banking data.

> I'm also looking for safeguards to build into web-based applications
> used to access sensitive data to prevent malware on individual PCs from
> harvesting the data. Thanks

You can't fix an operator/desktop problem in the web
application except superficially. If the operator can
access the data, software run by the operator can
access the data. If nothing else, by screen scraping.

Run desktops that handle sensitive data using a regular
user account. Most of today's malware won't install
and if it does, it won't be very well hidden or be
able to disable AV and other system processes.

For administrative desktops handling sensitive data,
difficulties with user-initiated software installations,
printer installations, and academic freedom should not
be an issue. Handle exceptions for poorly behaved
applications on a case-by-case basis.

If policy says the desktops are not to be used for
outside web browsing, lock down Internet Explorer
security to job related trusted sites so scripting
and other avenues of attack aren't available to
unauthorized sites. For critical desktops, blacklisting
the bad isn't enough. Particularly when legitimate web
sites offer malware because they're hacked or get ad
banners from another place that is hacked.

An additional risk reduction measure would be to use
software restriction policies to allow only a whitelist
of applications to run.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
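The three desktop controls recommended in the reply above (regular user account, Internet zone scripting locked down, software restriction policy whitelist) can be audited from the desktop itself. The script below is an added example, not code from the post or from JMU; it assumes a Windows desktop with PowerShell and reads the standard registry locations for Software Restriction Policies and Internet Explorer zone settings.

```powershell
# Added example (not from the original post): report which of the three
# controls are missing on this desktop. Run as the interactive user whose
# desktop is being checked.

function Test-RunningAsAdmin {
    # True when the current token holds the Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SrpDefaultLevel {
    # Software Restriction Policies default rule:
    #   0 = Disallowed (only whitelisted paths/hashes run), 0x20000 = Basic User,
    #   0x40000 = Unrestricted. $null means no SRP policy is defined.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $v = Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return $v.DefaultLevel
}

function Get-InternetZoneActiveScripting {
    # Zone 3 = Internet; URL action 1400 = Active scripting:
    #   0 = Enable, 1 = Prompt, 3 = Disable. $null means the default (Enable).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $v = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return $v.'1400'
}

$findings = @()

if (Test-RunningAsAdmin) {
    $findings += 'Running with administrative rights; use a regular user account for this desktop.'
}

$srp = Get-SrpDefaultLevel
if ($srp -ne 0) {
    $findings += "SRP DefaultLevel is '$srp'; expected 0 (Disallowed) with a whitelist of allowed applications."
}

$scripting = Get-InternetZoneActiveScripting
if ($scripting -ne 3) {
    $findings += "Internet zone Active Scripting is '$scripting'; expected 3 (Disabled) so only Trusted Sites can script."
}

if ($findings.Count -eq 0) { 'All three controls are in place.' } else { $findings }
```

Machine-level Group Policy can override the per-user zone value read here (the same layout under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings), so on a domain-managed desktop compare against the effective policy as well.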
