Re: Corporate Web based email - threats

From: Steve (securityfocus_at_delahunty.com)
Date: 09/27/04

    To: "Pavel" <hiddenrecipient@email.com>, <roger.smith@calyonfinancial.com>
    Date: Mon, 27 Sep 2004 17:36:51 -0400
    
    

    I heard that VMware just came out with a solution for this.
    http://www.vmware.com/products/desktop/ace_features.html

    ----- Original Message -----
    From: <roger.smith@calyonfinancial.com>
    To: "Pavel" <hiddenrecipient@email.com>
    Cc: <security-basics@securityfocus.com>
    Sent: Monday, September 27, 2004 8:43 AM
    Subject: Re: Corporate Web based email - threats

    Hi Pavel,

    We did a thorough analysis on iNotes and in summary found what you noted.
    If you don't control the remote PC then you simply don't have
    control... especially spyware, keyloggers, temp files.
    We investigated adding SSL VPN (several companies to remain nameless for
    legal reasons) that clean the remote PC's leftovers before logoff. Some do
    that cleanup very well but they don't help at all for abnormal
    disconnects.

    You need end to end control - including the human at the remote keyboard
    *:) - They often leave their PC logged on and unattended while in line at
    Starbucks waiting for their Venti Caramel Macchiato!

    Our decision - Control the remote PC by issuing it ourselves to the user
    configured with all the security standards we employ for road warrior
    portables... including PDAs.
    Sorry, folks but we have too much at stake to do anything less.

    Just my (depreciated) 2 cents here.

    Roger Smith

    Pavel <hiddenrecipient@email.com>
    09/23/2004 09:48 AM
    To: security-basics@securityfocus.com
    cc:
    Subject: Corporate Web based email - threats

    Hi all,

    Access to corporate web mail services like OWA, iNotes or VPN SSL stuff
    is becoming increasingly popular. I saw many posts here about security
    measures for protecting the Web server itself, filtering viruses and
    encrypting data in transit. However, few people address the problem of
    temporary content stored on client PCs and stolen sessions/credentials.
    Given that companies are looking for more mobility, the typical use of
    webmail services occurs on public PCs, kiosks and Internet cafés.

    1. Temporary content. Some Web based email and VPN SSL clients have
    features to remove temporary files from the client PCs. The tests we
    performed (iNotes and OWA) show that the cleaning is very poor and a lot
    of files and attachments are still sitting in the IE cache, Temp folder,
    Acrobat cache, different download managers like Mozilla or Reget/GetRight
    etc. The cleaning is even worse on any PC that has a non-standard OS (Linux,
    Mac etc.) and browsers like Firefox, Opera and so on.

    2. Stolen session. Some vendors recommend using SecurID tokens or stuff
    like that to prevent stealing users' credentials. However, there is still a
    lot of possibility to penetrate user sessions starting from stolen session
    IDs through a malicious email to different sorts of "parent control" software
    (keylogger + file/clipboard/web pages sniffer + screenshots every 15
    seconds ...). One never knows what is running on that regular public PC.

    I would like to hear from you any ideas on how you mitigated these risks
    and what your reasoning was to allow/disallow access to your company's
    webmail.

    Thank you in advance
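
An added example, not part of the original thread: one way to run the kind of test described in point 1, snapshotting candidate directories before a webmail session and again after the client's cleanup, then listing what was left behind. The directory and file names in `demo()` are constructed stand-ins; on a real test machine you would pass the actual browser cache and temp paths.

```python
import hashlib
import os
import tempfile

def snapshot(roots):
    """Map every readable file under the given roots to (size, SHA-256 digest)."""
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # locked or vanished file: skip it, keep auditing
                state[path] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def leftovers(before, after):
    """Paths that are new or changed since `before` and still present in `after`."""
    return sorted(p for p, meta in after.items() if before.get(p) != meta)

def demo():
    """Constructed run: a fake session writes two files, a fake cleanup removes one."""
    with tempfile.TemporaryDirectory() as base:
        cache = os.path.join(base, "browser_cache")  # stand-in for the browser cache
        temp = os.path.join(base, "temp")            # stand-in for the Temp folder
        os.makedirs(cache)
        os.makedirs(temp)
        before = snapshot([cache, temp])

        # "Session": a cached mail page plus an attachment copy dropped by a viewer.
        page = os.path.join(cache, "inbox.htm")
        attachment = os.path.join(temp, "report.pdf")
        for path, body in ((page, b"<html>mail</html>"), (attachment, b"%PDF-sample")):
            with open(path, "wb") as fh:
                fh.write(body)

        # "Cleanup": the client clears its own cache entry but misses the temp copy.
        os.remove(page)

        after = snapshot([cache, temp])
        return [os.path.relpath(p, base) for p in leftovers(before, after)]

if __name__ == "__main__":
    for path in demo():
        print("left behind:", path)
```

Taking the second snapshot after an abrupt browser kill instead of a clean logoff covers the abnormal-disconnect case raised in the reply.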
