Into the Breach – Audio Series – Chapter 3 (Breaking the Security Diet)
Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. Click this link to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 3)
Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this “fad diet” approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.
Go deeper Into the Breach with Michael Santarcangelo in October with EMC
In October, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:
- Reveal the ideas and concepts that may have been pared from the chapter you just listened to
- Expand upon or update the elements in the chapter you just listened to
- Answer questions in a candid and direct style – focused on delivering insights that lead to results
Go to www.configuresoft.com/securitycatalyst today to register, listen to the earlier recorded sessions, and get a reminder to join the September session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV (working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)
Do you know why virtual teams fail? Take 5 minutes to help some grad students understand
One of the areas I have been interested in is how teams can effectively work in a virtual environment – and in a way that protects information. I like to work virtually, and it’s the only way I can effectively support the growing team of professionals behind the security catalyst (we have nearly 10 people now).
I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams. They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert. I agreed.
Part of their approach is to conduct a brief six-question survey (this literally takes 5 minutes): http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d
By participating, you’ll be helping some grad students – and we’ll all get the results with a podcast! We only need 100 people to help – please take a few minutes and share your experiences.
Since I’m conducting the interview of their expert, if you have comments, questions or suggestions, please send them to me before Thursday at securitycatalyst@gmail.com.
Here is some additional background.
The school: Johns Hopkins University Carey Business School
• A business school situated within one of the greatest research universities in the world.
• Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice.
The class: Building Teams and Developing Teamwork
This course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high performance teams. They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams. Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success.
The project: Bring new knowledge to the field of work team behavior
A group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming. This group elected to research the world of virtual teaming and found that, while there is a great body of literature on what makes virtual teams successful, little has been written about what causes them to fail or at least be sub-optimized. This brief, six-question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gathered by conducting a series of structured interviews with subject matter experts to examine “virtual team killers.” The final product of this research will be a podcast sharing the research findings and further exploring the topic.
Please take a few minutes and share your experiences and insights: http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d
TSC Insight: Do Email Disclaimers Matter?
By Michael Santarcangelo with Patrick G. Romero
If you’re like me, you routinely ignore the email disclaimers that many messages seem to have attached to them these days. For the most part, disclaimers are added by the company, automatically and out of the hands of the users. Some users include their own, some serious and some meant to be funny. I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question: do email disclaimers matter?
During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient). In this case, it wasn’t really a big deal, but then he asked me if he needed to start using an email disclaimer.
It’s been a while since someone asked me if they needed a disclaimer, and my instinct was that it simply wasn’t necessary. Rather than give him a wrong answer, I promised that I’d look into it. With the help of Patrick Romero, this is what we found:
Some Background on Disclaimers
Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability. However, the most common type of disclaimer is the one that claims to guarantee the privacy and confidentiality of documents. They usually look something like this:
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message.
So now that we have examined the basis for email disclaimers, let’s dig deeper and explore if they provide any value or serve any purpose.
Can e-mail disclaimers guarantee the privacy and confidentiality of documents?
Generally speaking, e-mail disclaimers are not legally enforceable.
The misconception that they are stems from a lack of knowledge about the law surrounding the interception of electronic communication. The relevant statute that supports this belief is the Electronic Communications Privacy Act of 1986 (ECPA), which includes language that criminalizes the interception of electronic communications. However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” A narrow reading of the statute suggests that only information that has been acquired illegally can be found to have been intercepted.
One of the many courts that have defined “intercept” this way is the 8th Circuit. The Court held that electronic communications that have reached their destination are ineligible for interception and, therefore, are outside the protections of the ECPA. As a result, unless an e-mail has been intercepted in transit, the ECPA will not provide legal authority for individuals seeking to prevent disclosure of a misdirected e-mail.
If you are concerned about the privacy and confidentiality of your email, we offer three basic considerations:
1. Use encryption
2. Use the “envelope within an envelope” approach
3. Write carefully, review and think before pressing send
1. Can encryption provide privacy and confidentiality for email?
I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption.
I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications. In general usage, the message is encrypted (and signed in most current applications) before being sent. In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details).
Encryption solutions are available for commercial and personal use. If you’re looking at this for corporate use – please start with your requirements and then select your solution.
2. It’s all about positioning
If you’re convinced that you need to continue to use a disclaimer, then you might consider where you place it. Arguments have been posed that by placing the disclaimer at the bottom of the e-mail, the user is undermining the enforceability of the disclaimer.
Think about it – how can you comply with a disclaimer after having read the content of the e-mail? As a result, there are some who advocate (albeit annoying for those who rely on email) that the disclaimer appear at the top of the e-mail. This option is known as the “envelope within an envelope” approach. The confidential information is sent as an attachment and the text of the e-mail only contains the actual language of the disclaimer.
While this does not guarantee that the recipient will not open the attachment, it could provide some greater standing in litigation if disclosure does occur. Such evidence would be relevant in proving that the sender took reasonable measures to ensure the confidentiality of documents.
3. Stop. Think before you press send.
One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do).
Every organization should put in place a company policy with regards to sending confidential information through e-mail. This could range from a “no forwarding” policy to restrictions on what information can and cannot be sent. Clear guidelines within an organization can provide directions for individuals to understand the proper use of e-mail and decrease disclosure of sensitive information.
In the end, some do, some don’t, and you get to choose
Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers. With the prevalence of internet use, it is understandable that individuals would attempt to ensure some level of privacy when sending e-mails. Unfortunately, the law today does not provide protection for the misuse of confidential information sent over the internet regardless of a written disclaimer. Companies and individuals need to determine, on their own, the risk of disclosure and how to best protect their privacy.