Posted by David Lyle on February 2, 2010
If you didn’t heed years of advice to upgrade your browser and you’re still using Internet Explorer version 6 (or less), the train is pulling out of the station!
Last month there was a big ruckus (see my posts too) about the Aurora attack exploiting IE6. For years now, IE6 has been a thorn in the side of web developers, who have constantly had to add special code to handle the outdated browser.
Now another nail in the coffin: Google is killing support for IE6 in their applications.
As of March 1, Google will be killing support for IE6 in their web applications, and begin phasing out support for IE6 throughout Google. This is awesome news!
It will also save companies a lot of money, since they will no longer have to pay developers to spend extra time ensuring “compatibility” with the antiquated browsers.
Now if we could get Macs and their odd font sizing to match everyone else we’d be set O:)
Designers and Developers will be able to focus more on SEO, and marketing. Because that’s where it counts.
-David Lyle

Posted by David Lyle on January 22, 2010
Today (1/21/2010) Microsoft issued an emergency patch for IE – that should plug the hole used in the Aurora attack. It should roll out to pretty much everyone within 24 hours.
If you’re running automatic update, you should be patched – but here’s the skinny: Microsoft Security Bulletin MS10-002-Critical
At this point, the real-world attacks have only occurred under IE 6, but the flaw exists in all unpatched versions of Internet Explorer. Please see my previous entry: The Aurora attack – can you be safe from cyberattack in your business for more information.
Additionally, we’re seeing continued traffic from China that is spam-bot and probing attacks against civilian businesses. These attacks are mostly aimed at web sites currently. Blocking code seems to be holding at this point; I will soon post an article on how to do that.
As usual, keep up the basics. In a future article I will go over some thoughts about where to focus next.
-David Lyle
Thunderpaw

Posted by David Lyle on January 18, 2010
The latest news items revolve around the quite large alleged attacks on Google (and other companies) from China. McAfee on Operation Aurora
“Microsoft Internet Explorer that was used as an entry point for “Operation Aurora” to exploit Google and at least 30 other companies.” – McAfee.
Microsoft posted this security advisory:
Microsoft Security Advisory (979352) – Vulnerability in Internet Explorer Could Allow Remote Code Execution
However, this is simply a continuation of larger issues.
When investigating cyberattacks against businesses, we see an awful lot of sloppy security. Of course, not where most people expect it. Most everyone runs virus protection (sometimes 3 or 4 – I guess just to slow down their computers) and firewalls (again sometimes 3 or 4! A corporate firewall, then Windows Firewall, then McAfee or Norton as well!). Perhaps it’s fear of the unknown, perhaps it’s the old “more is better” concept. Try removing all those extra anti-virus and firewall apps, use one and make sure it’s working properly.
However, the real threats are not so much from random attacks. Real threats generally come from inside somewhere. Either an unhappy employee, or simple social engineering. I suspect both are at play in the Google attack. The weakest link in your corporate computer security often sits at one of your corporate computers drinking coffee.
Security always goes back to basics. Additionally, there is no security which is 100%. None. Well, ok there is one way – disconnect your computer from the ‘net and turn it off. That should protect you pretty well.
If, however, you feel the need to remain connected, then continue with the basics. Don’t panic over the little stuff. Here are some basic common sense security tips (which are amazingly not so common sense!)
- Change passwords regularly and use strong passwords.
- Change all important system passwords when employees leave.
- Backup backup backup. Store backups in multiple locations. Offsite if possible.
- If it’s important to your business, TREAT it as important!
- Let your IT people upgrade Internet Explorer (or switch to an alternative browser). If you’re still using IE6 for business then you don’t care about your business.
- Hire professional IT people, and trust them.
- Let your IT professionals know of “odd” behavior. Sometimes it points to security issues that need to be addressed.
Finally, do your best, and understand that there are people, companies, and countries which do nothing but try to hack. Many are after information, so think seriously what you store and how. Ponder how you’ll feel if you find out Google lost vital information about your company.
