Google to Microsoft: “Don’t let the door hit ya,…!”

Posted by William McBorrough | Browsers, Systems | Tuesday 1 June 2010 1:13 pm

Talk about throwing out the baby with the bath water. The Financial Times reported on Monday that Google has begun telling new employees that they are no longer able to request Windows PCs, giving them the choice of Mac or Linux systems. Google has long offered its employees their choice of work operating system but will no longer do so. According to a Google employee, any exceptions will require CIO approval. [I find that assertion questionable though.]

Google is apparently making this decision in response to the attacks late last year in China. The attackers used vulnerabilities in Microsoft’s Internet Explorer 6 to go after Google’s intellectual property, believed to be source code. One could argue that if they had updated their browsers, the attackers would have had to find other vectors for attack.

Could this be a strategic move by Google to prove that an Enterprise can survive WITHOUT Microsoft? With Google’s Chrome OS on the horizon, this may just be the warm-up act.

Source: http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html

Does the musical browser approach work?

Posted by William McBorrough | Applications, Browsers | Monday 22 March 2010 2:42 pm

Germany’s official cyber-security response team is advising surfers not to use Firefox pending the release of a patch to defend against a critical unpatched vulnerability. This is the second time in two months that Germany has taken such a step. Earlier in January, the German government issued a similar warning to IE users. I did a post about it titled Germany warn users against Internet Explorer.

The zero-day vulnerability in the latest full version 3.6 of Firefox was discovered by security researcher Evgeny Legerov last month. Legerov controversially offered to sell exploit code he developed. Mozilla acknowledged the security vulnerability on Thursday and promised that the next version, 3.6.2, due at the end of the month, would plug the hole.

I have to applaud the German government for taking such a proactive approach to the online security of its citizens. I have to wonder what would be the response to such an approach by the US government here. As to the advice given, I’m of two minds really. Whereas home users are at liberty to switch browsers as often as their underpants, corporate users may not have that luxury. Wholesale software migrations in a corporate setting are no small undertaking. If they were, I doubt Google would have gotten hacked for using IE6.

Vulnerabilities in all browsers are discovered over time. Corporate users, does the musical browser approach really work even if it were possible? I think not. My advice: Test and Upgrade as soon as is feasible.

Upgrade your Safari browser now!

Posted by William McBorrough | Applications, Browsers | Wednesday 17 March 2010 6:49 pm

The newly released Safari 4.0.5 reportedly fixes a number of security issues on the Windows and Mac OSX platform versions of its browser, and includes remediations for a total of 16 security vulnerabilities.

Some of these vulnerabilities allow your system to be compromised simply by browsing a page with an infected image file, so upgrade without delay.

According to Brian Cluley of Sophos, “It doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website”

Don't ignore this warning!

Posted by William McBorrough | Browsers | Wednesday 6 January 2010 10:05 pm

Following up on yesterday’s post, the advice was to ascertain the legitimacy of the web site by verifying the digital certificate. So what is a web site really? It’s just files located on a server somewhere. As you “browse the web”, your browser connects to the web server where those files are stored, downloads and displays them to you. The digital certificate resides on the web server and is transferred to your browser when you connect to a web site using https. The certificate contains two important items: the identification information of the web server and the encryption key that allows your browser to create an encrypted tunnel to the web server. The encrypted tunnel protects your web traffic from attackers.

So https indicates that your communications with the web site are encrypted. Clicking on the golden lock displays the digital certificate and identity information. But what if your browser decides it doesn’t like the certificate? Well, it warns you. Ever seen these before:

[Image: Firefox Certificate Error]

If you have spent any amount of time on the web, you will have eventually come across these warnings. What do you generally do? Flee for your life? Read the details? Continue on to the web site anyway? Well, don’t just ignore this warning! There are multiple reasons why your browser might balk at proceeding to the requested web site.

Certificates are generally issued by companies like Verisign and Thawte after the entity requesting the certificate has verified its identity. The certificates are digitally connected to a root certificate located at the issuer. Browsers are pre-configured with a number of the more popular root certificates. That is why, when you access your online bank account, your browser automatically recognizes the certificate and allows you to proceed without issue. The certificates are valid for a specified period of time and require renewal. If the certificate has expired, your browser will detect it and you will see the warning displayed above. If your browser does not recognize the source of the certificate (i.e., no connection to a known root certificate), you will see the error message as well. This is the case when web site owners decide not to purchase a certificate issued by one of the aforementioned third parties and instead create their own certificate, which still provides the same functions: it claims an identity and enables encryption.

This last point is key. Anyone can create a certificate. I can create a certificate in seconds claiming my laptop to be https://www.your-online-bank.com. Tools that enable a man-in-the-middle attack mentioned in yesterday’s post automatically do this. Now, as your browser will recognize the lack of digital connection between my fake web site certificate and the real root certificate, it will warn you with one of the errors displayed above. Beware that you don’t make it a habit of clicking to continue without giving it a second thought.
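
The checks described above, as an added example that is not part of the original post: a simplified model of how a browser decides whether to warn, showing why an expired, self-made, or forged-issuer certificate is rejected. It assumes dictionary "certificates" and toy textbook RSA as a stand-in for real X.509 signatures; `Example Root CA`, the keys, and the function names are hypothetical and constructed for illustration.

```python
import hashlib
from datetime import datetime

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Toy textbook-RSA key from two primes (illustration only, not secure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(cert, n):
    """Hash the signed fields of a certificate to an integer below n."""
    tbs = "|".join([cert["subject"], cert["issuer"], cert["not_after"], str(cert["pub_n"])])
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(subject, subject_key, issuer, signing_key, not_after):
    """Build a certificate for `subject`, signed with `signing_key`."""
    cert = {"subject": subject, "issuer": issuer, "not_after": not_after, "pub_n": subject_key["n"]}
    cert["sig"] = pow(digest(cert, signing_key["n"]), signing_key["d"], signing_key["n"])
    return cert

def check(cert, trusted_roots, now):
    """Return 'ok' or the reason a browser would show a warning."""
    if now > datetime.fromisoformat(cert["not_after"]):
        return "expired"
    root_n = trusted_roots.get(cert["issuer"])
    if root_n is None:
        return "unknown issuer"      # no link to a pre-configured root
    if pow(cert["sig"], E, root_n) != digest(cert, root_n):
        return "bad signature"       # the issuer name can be copied, its signature cannot
    return "ok"

# Constructed sample data: hypothetical CA, site and attacker keys.
HOST = "www.your-online-bank.com"
ROOT = make_key(2**127 - 1, 2**89 - 1)
BANK = make_key(2**107 - 1, 2**61 - 1)
ROGUE = make_key(2**61 - 1, 2**31 - 1)
TRUSTED = {"Example Root CA": ROOT["n"]}   # the browser's built-in root list

def demo():
    certs = {
        "genuine": issue(HOST, BANK, "Example Root CA", ROOT, "2011-01-01"),
        "expired": issue(HOST, BANK, "Example Root CA", ROOT, "2009-12-31"),
        "self-signed": issue(HOST, ROGUE, HOST, ROGUE, "2011-01-01"),
        "forged issuer": issue(HOST, ROGUE, "Example Root CA", ROGUE, "2011-01-01"),
    }
    return {name: check(c, TRUSTED, datetime(2010, 1, 6)) for name, c in certs.items()}

if __name__ == "__main__":
    print(demo())
```

Real browsers verify full X.509 chains with full-size keys and also confirm that the name in the certificate matches the site being visited; this model keeps only the expiry and chain-of-trust checks the post describes.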
