Know your enemy: the Dancing Pig syndrome
No amount of self-control can stop someone from clicking on links or running attachments when the payoff is the promise of tutu-clad swine parading across the screen!
- Steve Riley, Microsoft
Immutable Laws of Human Nature
• Stupidity
• Selfishness
• Horniness
- Scott Adams, The Dilbert Future
Threat Vectors: Increasing Severity & Ways of Risk
2003: Browser exploits in the wild
2005: Social engineering
2006: Malware; IE 7 & Phishing Protection
2008+: Blended threats, Web 2.0 site exploits
Blended threats shifting from the browser to sites
Impact to data governance & regulations
Rapid pace of threat innovation
Consumer & employee data at risk
Web 2.0 - Challenge or Opportunity?
Efficiency, economics and expectations
Syndicated content and advertising business model enables sites and business
Growth in eCommerce depends on consumer trust
Trust may be undermined by less than transparent collection of data and inadequate protection of privacy
Unknown accountability of 3rd parties
Potential backlash & heightened consumer concerns
Internet Explorer 8: Trustworthy Browsing
Confidently bank, communicate & shop
Extended Validation (EV) SSL Certificates
SmartScreen® Filter – Blocks Phishing & Malware
Domain Highlighting
Enhanced Delete Browsing History
InPrivate™ Browsing & Filtering
Build on a secure foundation
Security Development Lifecycle (SDL)
Protected Mode
ActiveX Controls
DEP - Data Execution Prevention
Revised process architecture
Extends browser protection to the web server
HTTP-only cookies
Group Policies
XDomainRequest - Cross Domain Requests
XDM - Cross Domain Messaging
XSS Filter - Cross Site Scripting
Anti-ClickJacking
Web Server & Applications
Browser Vulnerabilities
Social Engineering & Privacy
Domain Highlighting
More accurately ascertain the domain of the site you are visiting
The domain is shown in black vs. the other characters, which are gray
EV SSL Certificates
“Look for the Green”
Provides consumers added confidence and brands enhanced protection
Implemented by over 10,000 leading commerce, banking and transactional sites
Social Engineering
Emerging threat vector and diversification
Address concerns of users and site owners
SmartScreen® Filter
Integrated phishing & malware download protection
Examines URL string, preempting evolving threats
Blocks 1 million+ weekly attempts to visit phish sites
Significant malware site detection volumes: ~10x the traffic of phishing (IE8 beta users)
Group Policy support – key IT requirement
24 x 7 support processes and feedback mechanisms
IE 8 XSS Filter
Identifies and neuters the attack
Blocks the malicious script from executing
Web Server & Applications
ClickJacking
Entices users to click on content from another domain without the user realizing it
Evolving server exploit, mitigated by the SmartScreen Filter
Impacts all browsers; only IE 8 has integrated protection capabilities
Add an X-FRAME-OPTIONS tag in either the HTTP header or an HTTP-EQUIV meta tag on the page
Deny all, or allow only from same-origin hosts
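As an added illustration (not code from the presentation or from IE8), a small Python model of how a browser honouring X-Frame-Options decides whether a page may be framed, together with a hypothetical WSGI wrapper that emits the header on every response; `transfer_page` and `response_headers` are constructed test fixtures.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """The (scheme, host, port) triple that defines a page's origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def frame_allowed(xfo_value, top_level_url, framed_url):
    """Would a browser honouring X-Frame-Options render framed_url inside a page at
    top_level_url?  xfo_value is the raw header value, None when the header is absent.
    Only the two directives the slide names (DENY, SAMEORIGIN) are modelled."""
    if xfo_value is None:
        return True  # no header at all: any site may frame the page
    directive = xfo_value.strip().upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin(top_level_url) == origin(framed_url)
    # Anything else (e.g. the typo "SAME-ORIGIN") is not a recognised directive;
    # browsers ignore the header, so the page is silently left unprotected.
    return True

class FrameOptionsMiddleware:
    """Hypothetical WSGI wrapper that stamps every response with the header,
    replacing any value the wrapped application set itself."""
    def __init__(self, app, policy="DENY"):
        if policy.upper() not in ("DENY", "SAMEORIGIN"):
            raise ValueError("unsupported X-Frame-Options policy: %r" % policy)
        self.app, self.policy = app, policy.upper()

    def __call__(self, environ, start_response):
        def wrapped(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "x-frame-options"]
            return start_response(status, headers + [("X-Frame-Options", self.policy)], exc_info)
        return self.app(environ, wrapped)

def transfer_page(environ, start_response):
    """Constructed sample application: a transactional page that must never be framed."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>Confirm transfer</body></html>"]

def response_headers(app, path="/"):
    """Drive a WSGI app with a minimal fake GET request and return its response headers."""
    captured = {}
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
             lambda status, headers, exc_info=None: captured.setdefault("h", headers)))
    return dict(captured["h"])
```

RFC 7034, which later standardised the header, specifies only the HTTP response header form and states that the META tag form is not supported, so the header emitted by the wrapper is the one to rely on.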
Some Things that are "Creepy"
Smile to the cameras – you’re on them about 200 times/day
"We're steadily marching to a society where every moment that you leave your home will be monitored and videotaped. And that's creepy.”
– Kevin Keenan, ACLU
Government online records
Mortgage documents, public state records, etc.
– Computerworld, Jan 29
Why are they so Creepy?
Having records online, using surveillance cameras – not necessarily illegal
It’s because “contextual integrity” is violated
Information is transferred in context
A context has a set of norms
When information is transferred from one context to another without notice and consent, contextual integrity is violated.
Security vs. Privacy
Security
Core engineering issues
Protection from harm
Protection from fraud
Privacy
Control over preferences
Control over how information is shared
Phishing?
Web Privacy Issues Today – Some Examples
(Diagram: IE8 user, ISP, website, 3rd parties)
- Privacy on a shared PC
- Anonymization (or, IP obfuscation??)
- Third-party content providers
- ISP monitoring
- Server-side data sharing
IE8 Privacy Goals
Put the user in control of the web browser
Shared PC
Delete Browsing History
InPrivate™ Browsing
On the Web
InPrivate™ Filtering
Build useful, convenient features to make it easy to stay in control
Leap ahead of the competition
InPrivate Filtering
Preserve Favorites data
Delete Browsing History
Preserve data from Favorites sites
Keep the useful stuff, delete the not-so-useful stuff
Convenient
Checkboxes
Delete browsing history on exit
Group policy
InPrivate Browsing
Creates a new browsing window that does not record browsing history
Some things that are turned off
History
Cookies (accepted, but downgraded to session-only)
Suggested Sites
Form data saving
Things that are deleted when you exit
Temporary Internet Files
Compatibility View list
ActiveX Opt-In list
InPrivate Browsing FAQ
Parental Controls
Disables InPrivate Browsing
IT Scenarios
InPrivate Browsing can be disabled via GP
Does not interfere with proxy servers
Proxy servers will record sites browsed
Does not provide anonymization
Add-ons
UI toolbars, BHOs – not loaded by default
APIs are available for ActiveX Controls
Suggested sites feature is turned off
Third Party Content Serving
Over time, users’ history and profiles can unknowingly be aggregated
Any third-party content can be used like a tracking cookie
There is little end-user notification or control today
Syndicated photos, weather, stocks, news articles; local analytics, etc.
Unclear accountability with third party security & privacy policies
(Diagram: the user visits unique sites msn.com, ebay.com, amazon.com, cnn.com, cnet.com, about.com, msnbc.com and nytimes.com; each of them loads content from the same 3rd-party syndicator web server, prosware-sol.com)
Some Analogies
Creepiest: surveillance camera everywhere
Less creepy: surveillance camera in a shopping mall
Facts
Information exchange is good
Both parties get value from behavior data
The online economy is fueled by high-tech advertising
We also believe in Trustworthy Browsing
The user is always in control
InPrivate Filtering
Helps give you control over which 3rd-party content providers have a line of sight into your web browsing
Keeps a table of 3rd-party content and the first-party sites the content was loaded from
Allows you to block content that passes a configurable threshold (10 1st-party sites by default)
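As an added illustration (not code from the presentation or from IE8), a Python model of the table just described: third-party content keyed against the distinct first-party sites it was loaded from, with the default threshold of 10. Reducing a URL to its hostname to identify a "site", and dropping query strings when keying content, are simplifying assumptions; the browsing session in `simulate_session` is constructed from the sites in the slide's diagram.

```python
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_THRESHOLD = 10  # distinct first-party sites; the IE8 default named on the slide

def site_of(url):
    """Reduce a URL to the host that identifies a site (hostname-only simplification)."""
    return (urlsplit(url).hostname or "").lower()

def content_key(url):
    """Identify a content item by scheme, host and path; the query string is dropped so
    per-request cache-busters do not split one tracker across many table entries."""
    p = urlsplit(url)
    return "%s://%s%s" % (p.scheme.lower(), site_of(url), p.path)

class LineOfSightTable:
    """Third-party content -> first-party sites it was loaded from.  Content seen from
    `threshold` or more distinct sites has a line of sight into the user's browsing."""
    def __init__(self, threshold=DEFAULT_THRESHOLD):
        self.threshold = threshold
        self.loaded_from = defaultdict(set)

    def record(self, first_party_url, content_url):
        """Record one sub-resource load; True if the content should now be blocked."""
        first_party = site_of(first_party_url)
        if first_party == site_of(content_url):
            return False  # same-site content is first-party and is never counted
        self.loaded_from[content_key(content_url)].add(first_party)
        return self.should_block(content_url)

    def should_block(self, content_url):
        return len(self.loaded_from.get(content_key(content_url), ())) >= self.threshold

    def blocked_content(self):
        return sorted(k for k, s in self.loaded_from.items() if len(s) >= self.threshold)

def simulate_session(threshold=DEFAULT_THRESHOLD):
    """Constructed session: the syndicator from the slide's diagram is embedded on every
    site the user visits, a weather widget on only two; each site also loads its own script."""
    table = LineOfSightTable(threshold)
    sites = ["msn.com", "ebay.com", "amazon.com", "cnn.com", "cnet.com", "about.com",
             "msnbc.com", "nytimes.com", "example.org", "example.net", "example.com"]
    for n, site in enumerate(sites):
        page = "http://%s/" % site
        table.record(page, "http://prosware-sol.com/syndicate.js?cb=%d" % n)
        if n < 2:
            table.record(page, "http://weather.example/widget.js")
        table.record(page, "http://%s/local-analytics.js" % site)  # first-party, ignored
    return table
```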
InPrivate Filtering FAQ (Short List)
If I have a website, what do I do? Will my website break?
IE8 includes a JavaScript-accessible API (bool InPrivateFilteringEnabled()) that lets website owners detect when InPrivate Filtering is enabled
Not an ad blocker
Some advertisements may be blocked
InPrivate Filtering is a privacy tool
It can only block content that has a “line of sight” into your browsing history
3rdParty.html
Points to the same directory as the third-party object
Up to the content provider to create
What to include*
Who is the third party
Why allowed
Consumer value & purpose
Point to the privacy policy
Data collection and data sharing practices
Contact info
…
Optimize Enterprise DeploymentPreparing for launch
1. Optimize using the IE Desktop Security Guide
2. Turn on SmartScreen Filter by default
3. Disable ability to click through phishing / malware warnings
4. Prevent additions or deletion of sites from Security Zones
5. Do not allow users to change policies from Security Zones
6. Do not allow users the ability to turn off Protected Mode
7. Enable Prevent Ignoring Certificate Errors
8. Test compatibility with intranet and internet sites
9. Consider implementing group policies to disable InPrivate Browsing
For Publishers and Content Providers
Publish “thirdparty.html” page
Test all 3rd-party code for XSS
Add no-frame tag for CSRF-sensitive pages
SiteLock your ActiveX controls
Leverage InPrivate Filtering session status through the window.external DOM object
Implement EV SSL certificates for ecommerce and transaction-related sites
Learn more about compatibility, accelerators and Web Slices
www.microsoft.com/teched
International Content & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources
Tech·Ed Africa 2009 sessions will be made available for download the week after the event from: www.tech-ed.co.za
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.