On the occasion of "Safer Internet Day", Google asks you to review your security settings and, as a thank-you, gives away 2 GB of free cloud storage (to be activated on 28 February).
I can only urge everyone to run the check (provided you have a Google account). I really am at the front when it comes to security, and I still found a few orphaned permissions that I was able to remove.
Here's the link to the check: http://goo.gl/ccgyV0
I’m using Firefox Portable almost exclusively nowadays. I’m even using it on my employer’s Citrix Site, running from a shared drive in our department.
This of course makes security an issue – basically anybody with access to my drive (which means a lot of people…) could also run the browser from there, accessing my cookies, stored passwords and other stuff.
Please spare me the talk of how I should never save confidential stuff anywhere, I’m well aware of the trade-off of security vs. convenience here.
Now, what are my options? I have set a master password, but will this prevent somebody from copying files from the directory to his installation? There’s a new set of issues around using portable apps from public drives. This is something that needs more investigation…
To be continued.
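The concern above is that anyone who can read the shared drive can copy the profile files. One defender-side check, as an added example that is not part of the original post: a PowerShell script that lists which broad groups hold read access on the sensitive files of a Firefox Portable profile. The profile path, the file names (those of current Firefox profiles; older ones used signons.txt and key3.db) and the group list are assumptions to adjust for your own environment.

```powershell
# Added example, not from the original post: audit the ACLs on a Firefox Portable
# profile directory on a shared drive and report entries that grant read access to
# broad groups. $ProfileDir is an assumed path; point it at your own profile.
param(
    [string]$ProfileDir = "S:\Tools\FirefoxPortable\Data\profile"
)

# Files holding the state the post worries about (cookies, saved logins, history).
$Sensitive = @('cookies.sqlite', 'logins.json', 'key4.db', 'signons.txt', 'key3.db', 'places.sqlite')

# Identities that effectively mean "everyone who can reach the share" (assumed list).
$BroadGroups = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

Get-ChildItem -Path $ProfileDir -File -ErrorAction Stop |
    Where-Object { $Sensitive -contains $_.Name } |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName
        foreach ($ace in $acl.Access) {
            $who     = $ace.IdentityReference.Value
            # Match "DOMAIN\Group" or bare "Group" against the broad-group list.
            $isBroad = $BroadGroups | Where-Object { $who -like "*$_" }
            $canRead = $ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canRead) {
                [pscustomobject]@{
                    File      = $file.Name
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    } | Format-Table -AutoSize
```

Every row printed is an identity that can copy that file off the share. The usual fix is to break ACL inheritance on the profile folder and grant access to your own account only; a master password protects the stored logins, but not the cookies or history.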
Internet Explorer 7 “mhtml:” Redirection Information Disclosure
Secunia Advisory: SA22477
Release Date: 2006-10-19
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x
This advisory is currently marked as unpatched!
A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an error in the handling of redirections for URLs with the “mhtml:” URI handler. This can be exploited to access documents served from another web site.
(I originally wanted to do a post called “Six degrees of SOA”, linking the security challenges of chains of services across enterprise boundaries to the familiar “six degrees of separation”; how do you create trust in such an environment?)
Craig is thinking along similar lines:
“SAP is not likely to just tell their customers to open their systems up to the public internet like I have done for the demos (shhh don’t tell) but rather that some serious thought will have to go into the topic of security especially data security and introducing that data into a collaborative environment allowing for multiple editors and modifiers of the data that is still control by the overall system to ensure data integrity.”
This is a HUGE issue. As an SAP security consultant I'm dealing with enterprise customers on a day-to-day basis, and their challenges are driven not only by their own concerns, but also by auditors and regulators coming up with things like SOX, data protection acts and countless other regulations. Basically it's about making sure nobody messes with corporate assets (which quite often rightfully belong to shareholders), and being able to prove that the controls they put in place cover the risks adequately.
The big topic is Enterprise Risk Management, and that is already hard to do in today's environments.
Enterprise SOA and Web 2.0 apps open up a whole new can of worms, and I’m not sure enterprises are willing to tackle this right now. This is something Web 2.0 companies need to consider if they’re aiming for the enterprise (which I think they should: there’s a legitimate market which could immensely benefit from that kind of technology). My bet is that the first vendor to actually do that will be miles ahead.
It just won’t stop: PSPUpdates reports that shortly after the universal “Hello World” app there now is a working downgrader for Firmware 2.71.
When will they ever learn? Maybe they should take a lesson from how far people will go: they are even willing to give up functionality in order to gain freedom.
Now this week will be remembered in the IT security history books: first WindowsMedia DRM goes down the drain, now it’s iTunes: The Hymn Project announces a Python based method to strip DRM from Apple’s music files, and a few days later there is a Windows app to do that.
Wouldn’t this be a good time to agree that DRM was a stupid idea from the beginning, and stop screwing paying customers? I mean, we all know people don’t strip DRM from files to spread them on file sharing networks – they’re all on there way before you cracked the DRM. They do it so they can properly use the stuff they own and paid money for.
Why is it so hard to get that? DRM won’t ever stop piracy, nor has it so far. Or can you tell me ONE song that was issued on a DRMed medium and is now NOT available in plain MP3 form? I rest my case.
Engadget reports that there’s an app called FairUse4WM which will basically strip the DRM from any Windows Media DRM 10 or 11 file.
So much for Microsoft’s media platform, iPod killers and other stupid ideas like that. Get a grip – DRM won’t work. Ever.
At least you can finally say the music you downloaded from Napster Plays4Sure ;)
UPDATE 2006-09-07: Bruce Schneier chimes in:
“That was Saturday. Any guess on how long it will take Microsoft to patch Media Player once again? And then how long before the FairUse4WM people update their own software?
Certainly much less time than it will take Microsoft and the recording industry to realize they’re playing a losing game, and that trying to make digital files uncopyable is like trying to make water not wet.”