Educause Security Discussion mailing list archives
Re: "Porn-surfing hits taxpayer IDs"
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 14 Jun 2006 16:09:22 -0400
Jere Retzer wrote:
> From today's Oregonian. Here is another threat/risk to consider. Does anyone know about other incidents of trojans stealing personal data?

Happens all the time. Especially banking data.

> I'm also looking for safeguards to build into web-based applications used to access sensitive data to prevent malware on individual PCs from harvesting the data. Thanks

You can't fix an operator/desktop problem in the web application except superficially. If the operator can access the data, software run by the operator can access the data. If nothing else, by screen scraping.

Run desktops that handle sensitive data using a regular user account. Most of today's malware won't install and if it does, it won't be very well hidden or be able to disable AV and other system processes. For administrative desktops handling sensitive data, difficulties with user initiated software installations, printer installations, and academic freedom should not be an issue. Handle exceptions for poorly behaved applications on a case by case basis.

If policy says the desktops are not to be used for outside web browsing, lock down Internet Explorer security to job related trusted sites so scripting and other avenues of attack aren't available to unauthorized sites.

For critical desktops, blacklisting the bad isn't enough. Particularly when legitimate web sites offer malware because they're hacked or get ad banners from another place that is hacked. An additional risk reduction measure would be to use software restriction policies to allow only a whitelist of applications to run.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security