Strangest and Coolest thing…

My good buddy, Stephen Forte, had a zany and brilliant idea (we are used to both from him, just not at the same time)!


The concept is that about 20 of us that do the book and speaker thing have offered up consulting time to be auctioned off on eBay with all proceeds going to Tsunami Relief.  I loved the idea and hope it works out to be a big success.


Rather than duplicate Stephen’s fine post I will just provide a link.  Help support it if you can or just spread the word.  Good cause!

MSDN Events Winter Schedule

MSDN puts on local events and it is that time again.  I just checked out the registration site and have decided to go to the Bedford, NH event this Thursday.  I have the added advantage that Joe Stagner runs these events in my area, but I know that other sections of the country also have stars like Russ Fustino involved so you should definitely check it out.

Test your Browser, then Secure it

If you use Internet Explorer then you should pay close attention to this…


An exploit for security holes in Internet Explorer (even if you have XP SP2 installed) has been posted by a group called GreyHats.  They are not happy that MS has not fixed the holes since they were made known in October 2004 and figured they can increase the speed of a patch, but in the process I expect they will only succeed in screwing a lot of innocents.


If you run with least privilege then life is much better for you than if you run as an administrator on your web surfing box.  Either way I suggest you visit the test page provided by Secunia and see the likely bad news.


If you are vulnerable, be careful where you go between now and when you install whatever patch comes out.

Google Search as a Virus Vector

It seems to hold true that any tool can have a good and a bad use.  In a recent attack, Google was used as a support mechanism for spreading a virus and defacing web sites.


While there isn’t anyone who can guarantee that a particular package or product won’t be vulnerable, it does pay to ensure that whoever you get your software from has a track record of providing patches quickly when this kind of thing occurs.  If not, then make sure you figure out how you will patch the stuff yourself.

Beta Beware!

A recent article about a security flaw in the new Google Desktop Beta should serve as another reminder that you should never use beta software on production machines.  The rule for me has always gone that if I would be upset by a total rebuild of the box, then only tested and finished software should be installed.  I admit that I love the new stuff myself, but if you dance with the devil don’t be surprised if you get burned.

Member Management Component Prototype available

MS has made available a preview of the Member Management Component that you can use to build into .Net 1.1 sample applications.  It isn’t exactly what will be released with VS.Net 2005, but it gives you something to play with so you can get used to the new model.


Be advised that it doesn’t seem to be licensed for production use.  If that interpretation is correct then it means that this is just something to play with in advance of VS.Net 2005 and can’t be built into any real applications.



Password Ownership

Who owns the passwords that you or your users use to access your network or application?


If you don’t know, then you have a problem.  Your users hopefully memorize their passwords, but therein lies the rub.  If an accountant has gone to the trouble of memorizing a complex password then they are very likely to be tempted to use that password for other systems.  Maybe the corner hardware store’s web site requires registration.  If they use the same username and password that works on your systems and top it off with entering the company email address, then your security now depends on the security of the corner hardware store’s web site (provided it isn’t actually run by a hacker)!


Tell your users in writing that the passwords they use at work are company property and must not be used on any other systems.  Put it in writing like any other company policy and ensure they know that failure to comply is a terminable offense (and mean it).  If you don’t, then forget about security; it won’t help you in the end.

SQL Injection still huge threat!

A recent article about how Petco was not only found to be vulnerable to a SQL Injection attack, but also got fined for the false claims this realization cast on their privacy policy, just goes to show that no matter how much we talk about it, SQL Injection remains a huge risk.


But the stakes have been raised in the last year.  Now messing up your company’s security has legal consequences that start out with fines and can go all the way up to criminal liability and jail time!
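To make the risk above concrete, here is an added example (not code from the original post and not Petco’s code) showing the single mistake that SQL Injection boils down to, a query assembled by string concatenation, next to the parameterized form that fixes it.  It uses Python’s standard sqlite3 module against a constructed in-memory customers table; the table, rows and function names are all assumptions made for the illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a real customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT, password TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            ("alice@example.com", "hunter2", "4242"),
            ("bob@example.com", "correct horse", "1111"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The classic defect: user input is pasted straight into the SQL text,
    so the input can change the shape of the query, not just its value."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the query text is fixed and the value travels separately as a
    bound parameter, so it can only ever be compared against the column."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def main() -> None:
    conn = build_db()
    # A tautology in the input turns the WHERE clause into "always true".
    tautology = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(conn, tautology))
    print("parameterized: ", lookup_parameterized(conn, tautology))
    print("legit lookup:  ", lookup_parameterized(conn, "alice@example.com"))


if __name__ == "__main__":
    main()
```

The vulnerable version hands back every customer record for an input that matches no email address at all, which is exactly the kind of privacy-policy failure the Petco story describes; the parameterized version returns nothing for the same input and still works for a real address.  The same split applies to ADO.NET’s SqlParameter in the .Net 1.1 world this blog usually lives in.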

C Sharp Group of Greater Boston Event

On December 7th the C Sharp Group of Greater Boston will host a potluck dinner with two focused discussion groups at the Waltham, MA Microsoft Office.


Robert Hurlbut will lead the discussion on development strategies during the first hour. This topic includes test driven development, developing as non admin, use of virtual machines, etc. Robert is an excellent speaker and very knowledgeable about this and related topics!


Then during dinner, Nabil Benchkroun will lead a discussion on ASP.NET tips tricks and traps. Nabil is a regular attendee and contributor to our group and has considerable real world experience with ASP.NET.


Both will be more discussions than presentations so bring your questions, or your answers, and share with us all. If you want to eat then please bring as much food as you want to eat yourself, and a food item for each dessert, or else it will be our holiday dessert event. Diversity in food will be considered a plus!


Make sure you get there if you can!

Dell paying attention to Security…

Dell has launched a website designed to help small businesses deal with all the security challenges.  The site seems good, but the performance was so bad at one point that I can’t decide whether that means it is a resounding success or a dismal failure.


It is very much aimed at selling more product.  When you click on the spyware link it doesn’t mention any of the free products that solve the problem, just the ones you can buy from Dell.


The site’s advice is a bit behind the times (it doesn’t mention pass phrases under the password section), but if you just want to point someone to a place where they can self help on security using a name they will likely trust, then this might be a useful link.