1. Create documents online
2. Upload documents from Word
3. Publish to the web
4. Post to your blog
5. Participate in online collaboration with people you specify

Yes, it’s a great product with fantastic potential.  And now that Google has purchased the company, Upstartle, things could get very interesting.  There is just one catch; there are no safeguards to protect the content of documents during editing or viewing.

On February 27, 2006, in the Writely blog, Jen, an employee of Upstartle, responded to a thread in which users questioned why SSL protection was not provided. 

 [QUOTE=Jen]OK, now I have to reply ;-}

We don’t have SSL definitively planned as part of a premium service, although that’s certainly possible. SSL will definitely slow the service down, which is why we would likely not make it the default in the basic service. Yes, I know this response is vague, but it’s only because our plans are not final![/QUOTE]

As I posted to the Writely blog, it’s irresponsible for an organization to provide a tool like this without any apparent regard for safeguarding the activities of its users.  I hope that Google takes a different approach with this innovative and, in my opinion, much needed service.

 Author:  Tom Olzak
 

Listen to our Podcasts –>

Free security training available at http://adventuresinsecurity.com/SCourses

You can either leave a blog comment or sent an email to tom.olzak@erudiosecurity.com.

Thanks for your support.

Podcasts –>

Write Watch- manages the writing of files to local or network drives. Based on custom rules and/or the Threat database files can be blocked from writing and/or alerts can be sent.
Exe Watch- manages executables on the client machine. Based on custom rules and/or the Threat database programs are monitored in real-time and can be blocked from running and/or alerts can be sent.
File Watch- manages the existing files on local or network drives. Based on custom rules and/or the Threat database files can be removed and/or alerts can be sent.

You also have full reporting capabilities. One of the features that impressed me was the ability to make custom signature databases. This allows you to customize rules that warn, alert, block, delete or uninstall almost any file or software on a client machine. This is a really powerful feature.

Case 1:
In a recent post and podcast we discussed a security concern with the new Google desktop. The only real way to mitigate the risk in your organization was to make sure your users had the Enterprise version of Google desktop installed, and not the consumer version. A single installation of the consumer version could compromise an entire security program, not mention lots of regulations. With ETS you could simply right a custom database rule not allowing the consumer version to install, to scan for it and un-install it if found, and to not allow it to execute if somehow it was installed.
Case 2:
We all know users like to keep music on their machines, and sometimes even try and share it on the corporate network. The Threat Shield client can continually scan for mp3 files and remove them automatically, possibly saving your organization from costly litigation and fines.

These are just two examples showing that not only do you get coverage from malicious software but you can also manage your user’s files and any other software that may or may not be malicious. Threat shield also supports the tracking of web surfing usage but tracks only time spent surfing. No details are recorded. This feature seems like an after thought and the only real value would be for cases of documenting misuse.

Conclusion
SurfControl Enterprise Threat Shield is an interesting product. It takes a different approach to malware prevention and in doing so gives some extra capabilities. Being marketed as a spyware prevention tool it more closely resembles an application management product, and in my mind you are getting more than you paid for. That being said there are a few draw backs. The signature only approach has its pro’s and con’s. With out the “intelligence” of heuristics you are relying solely on SurfControl to keep you protected with prompt updates. On the flip side the occurrence of false positives is going to be near zero. While I think this is a great solution it alone can not do it all. It is a stellar start but you’ll need to couple this product with a webfilter and possibly an IDS/IPS to get that restful baby like sleep most managers do with out. If you have the need for such a product and the $15 dollars a seat retail cost, I could easily recommend this product. It performs as advertised and in this reviewers opinion ETS could trim a serious chunk of support resources if deployed and used properly. And no I am not affiliated with SurfControl in any way, I just think this software is really neato.

Author:  Larry Hinz

In this article, I’ll explore how Goodmail’s CertifiedEmail works, what the implementation of this solution means to business, and what users of AOL email services can expect.

How CertifiedEmail Works 

According to Goodmail, “…CertifiedEmail is a comprehensive email certification platform that eliminates the uncertainties associated with email delivery and message safety” (http://www.goodmailsystems.com/certifiedmail/).  In other words, this solution is not designed to reduce the amount of spam received by Internet email users.  Instead, Goodmail claims it will allow the delivery of business mail (which many would call spam) while mitigating the risk of receiving malware or phishing email.

Figure 1, downloaded from the Goodmail web site, steps through the message certification process.

  Figure 1 (click image to enlarge)

Enumerated steps in the image walk through the process Goodmail uses to deliver messages to its ISP Partners (i.e. AOL).  In essence, when the sender (business) wants to send a message to an AOL email subscriber, the Goodmail Imprinter calculates a message hash value.  It also requests a valid token from the Goodmail Generator.  Senders pay for the tokens.  The hash value and the token are attached to the message, which is sent to the receiver (AOL).  The receiver checks the token.  If the token is valid, the message is sent to the recipient’s mailbox.  If not, the message is run through the normal content and volume filters to determine if the message meets spam criteria.  Again, the sender pays for this spam-filter-bypass service. 

Businesses wishing to sign-up as authenticated, reputable senders must apply for and pass an accreditation process.  Prospective accredited senders must possess the following qualifications:

• Have at least one year of verifiable business history
• Have business headquarters in the United States or Canada
• Must Transmit messages from dedicated IP addresses with a six month history of doing so
• Must have a sending history with a complaint rate among the lowest of senders transmitting to Goodmail’s ISP partners
• Must be able to comply with Goodmail’s Acceptable Use and Security Policy
• Must agree to the Token Purchase Agreement

Business Benefit 

So what value can a business realize from accreditation?  According to Goodmail, marketing effectiveness is enhanced due to:

• Assured email delivery – messages no longer pass through a receiver’s spam filters
• Confirmation that a message was delivered
• Invalid addresses identified
• Accurate detailed reports

It’s not clear what affect this pay-as-you-go approach to email marketing will have on small businesses.  Small businesses without the working capital of large companies, with seemingly bottmless buckets of marketing cash, will be at an apparent disadvantage.  In the new model, if you have money your spam is not spam.  But if you can’t afford to pay, you’ll remain a spammer. 

Well, it looks like this is a great idea for big marketing companies.  But what about consumers?  What is the impact on personal mailboxes?

Impact on Consumers 

Spam filters are not just tools to keep out malware.  They also prevent personal mailboxes from filling with marketing and sales literature.  Without spam filtering, the time Internet mail users might spend going through their email looking for meaningful messages would significantly increase.  The following is a list of alleged consumer benefits from using a receiver (ISP Partner) that subscribes to the Goodmail service:

• Consumers will have an improved email experience because they can differentiate CertifiedMail messages from others in the inbox.  OK, the marketing and sales email is filtered and marked.  But it doesn’t show up at all now.
• Ability to easily identify, safely open, and respond to messages with confidence that the sender is legitimate.  I’ll admit, this has some value.  Opening only marketing or sales related messages marked as safe is a start on the road to solving phishing problems. 
• Assurance that important messages they expect to receive will be delivered and not lost to spam filters.  Another good point.  But most email users are capable of checking spam folders for important messages to prevent losing messages due to false positives in the spam filter.  Once a trusted sender is identified, it’s pretty easy to add it to the trusted sender list.

Conclusion

Although there are obvious benefits to consumers, businesses will derive the most benefit from messages circumventing spam filters.  Email service providers like AOL should provide their subscribers with the ability to opt out of CertifiedEmail.  In fact, this should be the default setting for new mailbox configurations.  It hasn’t been that long ago that we began to prevent the large amounts of unwanted marketing information from intruding into our lives.  Let’s not take a step back. 

Author:  Tom Olzak

The Windows OneCare Beta release can be downloaded from here.  But before you jump into the fire, make sure your system is able to run the product.  System requirements include:

• Windows XP, Service Pack 2
• Internet Explorer 6 or above
• No other anti-virus products can be installed

To clarify, Firefox is not supported.  And yes, you’ll have to uninstall Symantec, McAfee, and any other security product currently running on your system.  The developers made an interesting comment about it being an industry best practice to only run one security product at a time on a system.  I’m not sure what industry they were talking about.

OneCare is not designed for the Enterprise.  From its interface to its transparent functionality, it’s designed for consumers who just want to run a secure machine without having to care about how it gets that way.  From my brief look at the product, I’d say Microsoft did a reasonably decent job.

Figure 1 is a screen shot of the OneCare interface.

Figure 1 (Click to Enlarge)

This window presents information about the general health of the system.  And OneCare is definitely busy keeping things safe and optimized by performing the following tasks:

• Continuous virus protection
• Continuous two-way firewall protection
• Automatic PC tune-ups
• disk defragmentation
• file repair
• disk cleanup
• Automatic software updates
• Backup files
• by category
• to external drives, including CD and DVD

In addition to these automated processes, OneCare also provides the following on-demand features:

• Virus scan and cleaning
• Scan for open network ports
• Tune-up scan
• Backup and restore files

Noticeably missing from the list is spyware protection.  Microsoft announced that anti-spyware functionality is coming soon.  Although this release targets consumers, an Enterprise release is expected within the next several months.  The main difference will be the addition of a central management application.

Overall, Onecare has been well received.  But there have been some bumps.

1. It can be difficult to uninstall.  Instructions for uninstalling the Beta product are virtually non-existent.  The most effective way to remove it is via registry hacks.  I know that’s always my first software removal choice.
2. The two-way firewall is designed to allow applications using the Java Virtual Machine total access to the Internet.  Applications with a digital signature have the same privileges.  I guess criminals are too dumb to figure out how to exploit this hole…
3. There have been reports of performance problems, especially after the update to deal with the recent discovery of the WMF vulnerability.

But after all, this is still in Beta.  Most if not all discovered issues should be addressed prior to the final release.

Non-technical consumers will likely embrace this product.  But what about medium to large businesses?  Will the Enterprise solution be deployed widely enough to be successful in that market?  Neil McDonald has doubts. 

In the Gartner Research Article “Microsoft’s Entry will Bring Big Changes to Desktop Security,” McDonald lists the following potential barriers to Enterprise acceptance:

• Microsoft needs to deliver a unique solution rather than taking a “me too” approach to desktop security.
• Microsoft shouldn’t expect to be taken seriously as a security vendor if it only supports Microsoft products.  They should partner with other providers to provide support for non-Microsoft platforms.

In addition to these issues, Microsoft may face the same challenge as McAfee when it attempted marketing a software service solution in 2001.  Enterprise security managers are not typically willing to allow outsiders to manage desktop protection.  This may be especially true in Microsoft’s case.  There’s a chance Microsoft’s intent to charge for protecting Windows will be viewed as an attempt to capitalize on vulnerabilities they introduced in the first place.

However this turns out, Microsoft has started down a path that can only help make the Internet a safer place.  I’m a big advocate of the belief that cleaning up consumer workstations is crucial to protecting the Internet overall.  Let’s hope Microsoft gets this right. 

Author:  Tom Olzak

Sources:

Microsoft’s Entry Will Bring Big Changes to Desktop Security (Gartner G00132868)

Microsoft’s OneCare firewall draws fire

Will Enterprises Care About Windows OneCare?

This chapter describes the Just Enough Security (JES) model.  It’s fundamentally a layered approach to applying security safeguards.

JES_Chapter4_Draft_2006.pdf

Like all forums, the Yahoo Answer service suffers from user ignorance.  Many answers posted are just plain stupid.  Those are pretty obvious.  So they cause no harm.  However, there are answers selected as “best answers” that are wrong.  Of course you can post comments about the wrong answer, but the participants don’t seem to care.  The best answer, even if wrong, continues to rack up votes while the person requesting the information goes merrily on his or her way with an erroneous factoid lodged securely in the brain.

 I decided to pass on this service.  I have many other worthwhile activities to pursue.  Someday, however, I hope to find a forum where knowledge and attention to accuracy actually has some meaning.