Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Corporate Web based email - threats

from [Pavel] Network Security [Permanent Link]
Subject: Corporate Web based email - threats
Date: 23 Sep 2004 14:48:37 -0000 


Hi all,

The access to corporate web mail services like OWA, iNotes or VPN SSL stuff is 
becoming increasingly popular. I saw many posts here about security measures 
for protecting Web server itself, filtering viruses and encrypting data in 
transit. However, few people address a problem of temporary content stored on 
client PCs and stolen session/credentials. Given that companies are looking for 
more mobility, the typical use of webmail services occurs on public PCs, kiosks 
and Internet cafés. 

1. Temporary content. Some Web based email and VPN SSL clients have features to 
remove temporary files from the client PCs. The tests we performed (iNotes and 
OWA) show that the cleaning is very poor and a lot files and attachements are 
still sitting in the IE cache, Temp folder, Acrobat cache, different download 
managers like Mozilla or Reget/Getrigt etc. The cleaning is ever worse on any 
PC that have non standard OS (Linux, Mac etc.) and browsers like Firefox, Opera 
and so on.

2. Stolen session. Some vendors recommend to use SecurID tokens or stuff like 
that to prevent stealing users' credentials. However, there is still a lot of 
possibility to penetrate user sessions starting from stolen session IDs thru a 
malicious email to different sorts of "parent control" software (keylogger + 
file/clipboard/web pages sniffer + screenshots every 15 seconds ...). One never 
khows what is running on that regular public PC.

I would like to hear from you any ideas on how did you mitigate these risks and 
what was your reasonong to allow/disallow the access to your company's webmail.

Thank you in advance


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: learning ethical hacking, Chris Griffin
Next by Date:  nc help needed., Vijay Kumar
Previous by Thread:  New Whitepaper - "The Phishing Guide", WebAppSecurity [Technicalinfo.net]
Next by Thread:  Re: Corporate Web based email - threats, roger . smith
Indexes:  [Date] [Thread] [Top] [All Lists]