Security Watch

Internet Explorer In the Thick of IT Security

IE 8 has a target on its back this week. Plus: ISACA to audit social media apps; Microsoft Support isn't calling you personally (a free security tip).

It's patch week, but it's also time for Pwn2own. What's the key issue that ties these events together? Internet Explorer.
 
Microsoft had no security updates for its browser in its regular release, nor does it plan an out-of-band fix. But maybe that changes after March 9, when the Pwn2Own contest starts at the CanSecWest conference.
 
IE 8 will likely be in hackers' crosshairs as they try to win prizes for "pwning" it. IE 8 isn't the only target, though, as hackers will also aim at taking down Mac OS, Apple's Safari browser and, increasingly, mobile phone operating systems such as Windows Phone 7, the Blackberry OS, Google's growing Android and the iPhone. With ironic effect, all are also prizes in the competition.
 
Google has issued a sizable bounty of 20 stacks (or $20,000) and Chrome notebooks for any IT miscreant who has the cojones to stand and be identified and is able to crack Google's Chrome OS and browser within 30 minutes using Google source code for the incursion. We'll tell you how it went in the weeks to follow.
 
Auditing Social Media
Social media and auditing seem intuitively to be on the opposite ends of the spectrum for: a) things the average person would like to take part in, and b) things that are cool. But the two converge as ISACA, the wily trade group of IT compliance artists formerly known as the Information Systems Audit and Control Association, has come up with a program to measure system integrity for social media in the enterprise space.
 
The thinking here is that enterprise entities looking to integrate social media into the branding, communication and project management aspects of the business also need to avoid what ISACA believes are the very real risks of "data leakage, malware propagation and privacy infringement."
 
The focus is on creating policies and procedures for social media usage, identifying users and processes, and examining how Web 2.0 technology is linked to the larger processing environment. Additionally, the audit program explores the likelihood of the risks of being spoofed on Facebook or Twitter and getting bitten by malicious code hidden in URL shorteners like TinyURL and BitLY.
 
Microsoft Support Online -- NOT!
As if tech-savvy hackers and complex automated malware aren't enough to plague Windows users, good old bricks and mortar ingenuity still fills a slot on the IT security risk list.
 
According to Internet security shop Trusteer, a Windows system-savvy impostor has been cold-calling Windows users claiming to be with "Microsoft Windows Solutions."
 
Apparently, a tech support person called one of Trusteer's customers offering to fix system glitches on her Windows operating system. He then gained her trust and permission to look at her system from a remote location while they talked on the phone. The tip-off to the scam came when he tried to sell her non-Microsoft software.
 
Here's a very low-tech tip for what seems to be a growing and widespread con: There's no such institution inside Microsoft Corp. known as "Microsoft Windows Solutions." Also note: Most system glitches or security threats in Microsoft products are automated and no one needs to physically call your phone to tell you.
 
Some things are elementary, but with security risks, sometimes that's the point.
 

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
