I have come across a few news stories I wanted to share with you all today, so instead of having multiple posts I thought I would address them all here.
The first news story I nearly didn't read, but I'm glad I did. Moodle is a course management portal used by universities and the like across the world. The story explained how the portal has two vulnerabilities, XSS (Cross Site Scripting, not really a "wow") but also a CSRF (Cross Site Request Forgery). The CSRF really interested me and I now have something to point my colleagues to, who have listened to me talking about this issue for a while now.
I won't explain CSRF here (details can be found here), but the attack itself tricked users into clicking on a link which sent an edit profile request on their behalf. This leads to a compromise of the user's account.
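To make the Moodle case concrete from the defensive side, here is an added example (my own illustration, not Moodle's code or the code from the story) of why the attack works and what stops it. The browser attaches the victim's session cookie to any request a malicious page triggers, so the server cannot tell a forged edit-profile request from a real one by the cookie alone. A synchronizer token that lives in the session and must be echoed back in the form body is not sent automatically cross-site, so a forged request fails the check. The `/edit_profile` path, the `Session`/`Request` classes and the in-memory session store are all constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for a web framework's session and request objects.
@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token, generated with a CSPRNG.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    profile: Dict[str, str] = field(default_factory=dict)

@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]          # sent automatically by the browser
    form: Dict[str, str]             # only present if the page author put it there

SESSIONS: Dict[str, Session] = {}   # session id -> Session (constructed store)

def login(user: str) -> str:
    """Create a session and return the id that would be set as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid

def handle_edit_profile(req: Request) -> Tuple[int, str]:
    """Hypothetical /edit_profile handler with a synchronizer-token check."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    # State changes must not be reachable by a plain link (GET): a link click
    # is exactly how the Moodle victims were tricked.
    if req.method != "POST":
        return 405, "profile edits require POST"
    submitted = req.form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    session.profile["email"] = req.form.get("email", "")
    return 200, "profile updated"

def demo() -> Tuple[int, int, int, Optional[str]]:
    """Three requests against one logged-in session: link click, forged POST,
    legitimate POST. Returns the status codes and the final stored email."""
    sid = login("alice")
    cookies = {"session": sid}
    # 1. Victim clicks an attacker's link: browser issues a GET with the cookie.
    via_link = Request("GET", "/edit_profile", cookies,
                       {"email": "attacker@example.invalid"})
    # 2. Attacker's page auto-submits a POST form; cookie goes along, token does not.
    forged_post = Request("POST", "/edit_profile", cookies,
                          {"email": "attacker@example.invalid"})
    # 3. The site's own form, which embedded the session token in a hidden field.
    legitimate = Request("POST", "/edit_profile", cookies,
                         {"email": "alice@example.org",
                          "csrf_token": SESSIONS[sid].csrf_token})
    results = tuple(handle_edit_profile(r)[0]
                    for r in (via_link, forged_post, legitimate))
    return results[0], results[1], results[2], SESSIONS[sid].profile.get("email")

if __name__ == "__main__":
    print(demo())   # (405, 403, 200, 'alice@example.org')
```

The point to take away is that the cookie is ambient authority the browser hands out to any origin, while the token is only known to pages the site itself rendered. Rejecting state changes on GET closes the "just click this link" path on its own; the token check is what closes the auto-submitted POST form.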
The second story explains how three quarters of UK companies have banned IM within their infrastructure. In the story it states that only 88% of the IT directors surveyed felt IM posed a security risk, oh dear. Personally I would ban public IM (MSN, Yahoo etc.) for all users; in fact I would go one step further and remove web access completely for certain business units. If a business unit has access to sensitive data then, in my opinion, the systems in that business unit should not have web access. The sensitive data could be credit card data, Intellectual Property such as source code, anything sensitive and of high value to the business really.
I'd like to hear the opinions of other people on this.
Just one more to go, a more technical story.
The last one is from SANS ISC; have a read and let me know what you think.
Dave
An idea to help secure U.S. cybersecurity…