WebApp Sec mailing list archives

Re: Securing OWA on public computers.


From: "Alexander" <agtads () hotmail com>
Date: Sun, 10 Nov 2002 09:04:45 -0600


I had thought that the context of the group would preclude understanding my message
as a lamer question about "Where is the "Clean the cache" button located?".
The question was really about securing a corporate OWA deployment from the
point of view of a security consultant.
I'm looking to mitigate the risks associated with standard (not hostile) public
computers and the normal users using them, users who never clean the cache themselves
after use.
Sure, a keylogger, forensic drive recovery etc. will obtain data, but this is
beyond my risk range.
I know it's easy to say "Don't use it", but reality is different.

Back to the problem. While connecting through HTTPS, most browsers don't
cache HTML, but do cache attachments when they are opened.
The solutions I see so far are:
1. Block attachments in OWA access (almost business-prohibitive)
2. Convert the attachment to HTML on the server. In that case the risk of attachment
disclosure will be downgraded to message text disclosure.
While it's possible for me to code this (for the major types of attachment), I'd
like to know if any existing package provides this functionality.
3. Client-side scripting to force, on attachment click, a download of the file to disk
a: only, and opening the file from there.
The drawbacks are obvious, and it is not clear how to code this, at least for IE and
Netscape.
4. Some way to call into the object model to clean the cache on exit - I do have
hope that users will close open windows :)
5. Legal disclaimers to transfer risk.

Any better ideas?

Regards

----- Original Message -----
From: "3APA3A" <3APA3A () SECURITY NNOV RU>
To: "Alex T." <agtads () hotmail com>
Sent: Sunday, November 10, 2002 7:46 AM
Subject: Re: Securing OWA on public computers.


Dear Alex T.,

Try not to open the attachment in Internet Explorer, because in this case the
attachment is saved in the cache. Instead, save the attachment to a secured
location and open it from that location.

--Thursday, November 7, 2002, 11:09:11 PM, you wrote to bugtraq () securityfocus com:

AT> I've noticed that when accessing Outlook Web Access (through https) and
AT> opening a Word attachment, the attachment remains in the cache.
AT> The cache is still here even after closing the browser.
AT> When accessing confidential documents from public computers this presents
AT> a security risk.
AT> Any way to prevent this caching?

AT> Thanks

AT> A.Tarasul





--
~/ZARAZA
We will always be glad to listen to your chirping (Twain)
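
An added example, not part of the original thread or of OWA: a small audit of the headers a webmail server sends with an attachment, checking for the standard HTTP `Cache-Control: no-store` directive and for a `Content-Disposition: attachment` disposition, which asks the browser to offer a save dialog instead of opening the file inline (a server-side counterpart to option 3 in the message above). The function names and the sample responses are constructed for illustration; how a particular browser treats these headers when it hands a file to a helper application is an assumption to verify per browser.

```python
"""Audit attachment response headers for cache exposure (added example)."""


def parse_cache_control(value):
    """Return the set of lowercase directive names in a Cache-Control value."""
    directives = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            directives.add(name)
    return directives


def audit_attachment_response(headers):
    """Return a list of findings for one attachment response.

    `headers` is a list of (name, value) pairs so repeated headers survive.
    """
    cache_control = set()
    disposition = ""
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "cache-control":
            cache_control |= parse_cache_control(value)
        elif lname == "content-disposition":
            disposition = value.strip().lower()

    findings = []
    if "no-store" not in cache_control:
        findings.append("no-store missing: browser may keep a copy on disk")
    if "public" in cache_control:
        findings.append("public present: shared caches may store the file")
    # The disposition type is the token before the first ';'.
    if disposition.split(";", 1)[0].strip() != "attachment":
        findings.append("not sent as attachment: browser may open it inline")
    return findings


# Constructed sample responses (not captured from a real OWA server).
SAMPLES = {
    "weak": [("Content-Type", "application/msword"),
             ("Cache-Control", "private, max-age=3600")],
    "hardened": [("Content-Type", "application/msword"),
                 ("Cache-Control", "no-cache"),
                 ("cache-control", "No-Store"),
                 ("Content-Disposition", 'attachment; filename="report.doc"')],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_attachment_response(hdrs) or "ok")
```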


