IT Security in the wake of recent Google attack
Absolutely fascinating reading on the state of IT security and corporate espionage.
At this point, [the hackers] move laterally through the network, compromising systems as they go and using other exploits to attack additional vulnerabilities. The systems being compromised are Windows systems.
Stolen e-mail messages and documents are collected and stored on a staging server inside the company’s network before being encrypted with custom algorithms and compressed into an .rar file. The files are then siphoned out in small random bursts generally via normal protocols with spoofed headers to disguise the activity. In the case of the Google hack, the attackers used an SSL port but a custom protocol.
From: Report Details Hacks Targeting Google, Others | Wired.com.
I’m guessing sales of stateful packet-inspecting firewalls will increase this year! It’s sad reading about exploits caused by organisations not following common sense security best practices.
In a funny way these compromises actually validate Google's security approach. For example, they are:
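An added example (not from this post or the Wired article) of the protocol check an inspecting firewall or IDS can apply to the "SSL port but a custom protocol" case quoted above: confirm that the first client bytes on port 443 actually parse as a TLS ClientHello. The function names, addresses and sample flows are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 22          # TLS record content type: handshake
CLIENT_HELLO = 1            # handshake message type: ClientHello
MAX_RECORD_LEN = 2 ** 14    # plaintext record size limit in the TLS RFCs


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client bytes parse as a TLS handshake record
    carrying a ClientHello. Structure only; content is not inspected.
    Legacy SSLv2-format hellos are deliberately treated as non-TLS."""
    if len(payload) < 9:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    if not 4 <= rec_len <= MAX_RECORD_LEN:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # Smallest ClientHello body: version(2) + random(32) + session id len(1)
    # + cipher suites len(2) + one suite(2) + compression(2) = 41 bytes.
    return hs_type == CLIENT_HELLO and hs_len >= 41


def flag_flows(flows):
    """flows: iterable of (src, dst, dst_port, first_client_payload).
    Returns (src, dst) for port-443 flows whose first payload is not TLS."""
    return [(src, dst) for src, dst, port, payload in flows
            if port == 443 and not looks_like_tls_client_hello(payload)]


def sample_client_hello() -> bytes:
    """Constructed minimal ClientHello used as the known-good sample."""
    body = (b"\x03\x01" + bytes(32) + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x00\x2f"                 # one cipher suite
            + b"\x01\x00")                        # null compression only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(hs)) + hs


# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, sample_client_hello()),
    ("10.0.0.9", "198.51.100.7", 443, b"\x17\x2a\x00\x10" + bytes(16)),
    ("10.0.0.9", "198.51.100.7", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print(flag_flows(SAMPLE_FLOWS))
```

This checks protocol conformance on the port only; it says nothing about what is carried inside a session that does complete a valid TLS handshake.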
- Openly encouraging people to move to more up to date browsers
- Making their own open source browser (Chrome) which focuses on security, thus publicly demonstrating how to solve the very problems being exploited.
- Making web based applications which they can manage and apply security best practices to, thus partially outsourcing the challenges of maintaining secure applications for businesses (I really like their new browser based PDF viewer).
I’m guessing they are cracking down on internal IE usage right now. If I were maintaining an IT department I think I’d configure the proxies and firewalls to forward all outbound traffic from old browsers to a page outlining internal browser policy and offering download links for new ones (after having provided and promoted official alternatives and provided workarounds for web developers).
Anyone know of a good neutral third-party website you can point people to to learn about browsers?