10th April 2001

SECURITY ON THE WEB

Brian Grainger


 

As every day goes by we hear more reports of viruses released, attempts to bring down web sites and, more recently, web sites being defaced. As we become more dependent on e-mail and the web, such incidents cause more and more disruption. The ways to avoid these problems become more important and the issue of security becomes much higher profile.

The trouble is that implementing security and maintaining ease of use are usually in direct opposition to each other. This means that security is rarely implemented until you are hit.

When security is implemented it is usually by technical means: password control, public key encryption of e-mail, virus protection software. No attention is paid to the weakest link in the chain: the people who use or administer the systems. Recent examples include the Kournikova virus, which exploited the weakness of the user when opening e-mails.

Well folks, we have a new form of problem where the weakness of people has been exploited.

Do you often download elements from the web and see the Verisign digital certificate which says the element has been verified as created by Microsoft? It asks if you trust Microsoft and, assuming you do, proceeds with the download. I guess most people trust Microsoft to supply software that is free of viruses and has no hidden agenda, so they usually continue the download.

The problem is that recently 2 digital certificates were supplied by someone at Verisign to someone purporting to be a Microsoft employee. Unfortunately they weren't. I guess we have to assume the worst: that these certificates are in the hands of a ne'er-do-well who might well create malicious software with a Microsoft certificate attached.

The offending certificates are dated somewhere between 29 - 30 January and were issued to validate ActiveX controls or Office macros. Microsoft see this problem as so serious that they have issued a patch for all operating systems, even ones they no longer support.

For further details see:
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp


 

 

 

 

