Wednesday, January 24, 2007

Email security issue

In Security Now episode 61, Leo and Steve talked about some of the security and privacy issues with ISPs. The concern is that our ISP may be able to track and monitor what we do on the web IF we don't secure our communication channel, for example with SSL or a VPN.
One interesting topic that got my attention is sending secure email. You may not know that even if you encrypt your email through SSL when you send it, your data is still not secure, because SSL encrypts the data at the start point and decrypts it at the end point. Your message is therefore decrypted at your ISP, and your ISP then forwards your DECRYPTED message to the destination. Notice that the link between your ISP and the destination is NOT encrypted, so your data is at risk of being exposed.
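One way to see which hops of a delivered message were encrypted is to read its Received headers, where each server records the protocol it accepted the message with (keywords such as ESMTPS or ESMTPSA mean TLS was used on that hop). The Python below is an added example, not part of the original post; the host names and the sample message are constructed.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop used TLS (IANA mail "WITH protocol types")
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: laptop -> ISP over TLS, ISP -> destination in the clear
SAMPLE = """\
Received: from mx.dest.example (mx.dest.example [203.0.113.9])
\tby store.dest.example with LMTP id 3; Wed, 24 Jan 2007 10:00:03 +0000
Received: from smtp.isp.example (smtp.isp.example [198.51.100.7])
\tby mx.dest.example with ESMTP id 2; Wed, 24 Jan 2007 10:00:02 +0000
Received: from laptop.home.example (unknown [192.0.2.10])
\t(using TLSv1 with cipher AES256-SHA (256/256 bits))
\tby smtp.isp.example with ESMTPSA id 1; Wed, 24 Jan 2007 10:00:01 +0000
From: alice@home.example
To: bob@dest.example
Subject: constructed sample

hello
"""

def strip_comments(text):
    """Remove (possibly nested) parenthesised comments, innermost first."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def hop_report(raw_message):
    """Return hops in travel order with the protocol each server recorded."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    for value in reversed(received):  # headers are prepended, newest first
        text = strip_comments(" ".join(value.split()))  # unfold, drop comments
        sender = re.search(r"^from\s+(\S+)", text, re.I)
        server = re.search(r"\bby\s+(\S+)", text, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text, re.I)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({"from": sender.group(1) if sender else "?",
                     "by": server.group(1) if server else "?",
                     "with": name, "tls": name in TLS_PROTOCOLS})
    return hops

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        state = "TLS" if hop["tls"] else "no TLS recorded"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["with"]} ({state})')
```

Each Received line is written by a server in the path and earlier ones can be forged, so only the lines added by servers you trust are reliable evidence.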

Saturday, January 20, 2007

Browser Security

First post of 2007: some thoughts about browser security.

Ever since Microsoft developed the so-called ActiveX (a DLL program, originating from OLAP), which enabled executable code to run on the client machine, the security issues related to IE have increased aggressively.

Unlike traditional scripting languages such as VBScript and JavaScript, which run within a sandbox environment (executable code is restricted to the interpreter, like the JVM), ActiveX code can run freely on the client machine. This means ActiveX opens a big door for attackers to take control of the user's computer. Although many modern technologies, such as Macromedia Flash, make use of ActiveX to bring cool effects, the downside of ActiveX is incredible overhead. I surely believe people know of the spyware called Gator. Thanks to ActiveX.

The traditional internet concept was only to deliver static TEXTUAL pages to the client; nowadays, however, servers even deliver executable code to the client. Man~~~ that is too dangerous... because there is a lot of malicious code out there on the web. If I were you, I would shield myself by setting my browser security as high as possible to avoid possible attacks.

The browser is like a pioneer: it takes you to any place on the web every day. Imagine that you are exploring a new territory where you have never been before ("Good luck!! Hold your breath~~"). Would you be scared of being attacked by wild animals? The same concept applies to today's World Wide Web. Therefore, better shield yourself while browsing the web.

A little tip from Steve Gibson, a highly intelligent security guy, teaches you how to shield yourself in IE. In IE, there is something called the zone level setting in the preferences. You can set that level to the highest level; once you do that, you disable all executable scripting from running on your computer. Then there is a thing called the "Trusted zone", where you can specify which sites you trust and allow to run executable scripts.