"Away from rogue internet users."
In a seriously repressed society, one that uses Netsweeper as per the article's early references, one person's "rogue internet user" is another person's "freedom fighter".
Netsweeper's internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. There are no known fixes right now. For those unfamiliar, Netsweeper makes software that monitors and blocks connections to undesirable websites and servers. It's aimed at …
No multi-factor authentication? Pretty standard these days, and if your system does not support these kinds of authentication you need to ask yourself how secure it is.
Normally I would add the beer icon and make a quip. However it's about 07:30 and I refuse to let the lockdown turn me into a booze hound.
A miscreant can just ask the server to run whatever arbitrary Python code they like.
There's not even an upper limit on size or time, as the Python can download something more evil from the Internet and run that in the security context of the execution engine.
Hopefully that's not root, but if it's got write access to the configuration files for the appliance, then it can happily redirect every single request to $evil_site and force-feed computer nasties to an entire country.
So that's nice.
It's eval() all over again.
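The "eval() all over again" pattern the post above describes, as an added example that is not from the article or from Netsweeper's code: a hypothetical filter whose policy rules arrive as text and are handed to eval(), beside a version that parses the rule and interprets only an allow-list of syntax. The rule language, the request context, the 256-character limit and the payload are all constructed for the illustration.

```python
import ast
import operator

# Added illustration of the eval() anti-pattern. Hypothetical code, not
# Netsweeper's: imagine a filter whose policy rules are small expressions
# such as "port == 443 and host in blocked" submitted through an admin
# interface (or by whoever else has reached that interface).

MAX_RULE_LEN = 256  # assumption: a sane upper bound, which the post notes is missing

_ALLOWED_CMP = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}


def evaluate_rule_unsafe(rule, ctx):
    """The anti-pattern: the submitted string is executed as Python, so a
    rule such as "__import__('os').system(...)" runs with the engine's rights."""
    return eval(rule, {}, dict(ctx))


def evaluate_rule_safe(rule, ctx):
    """Parse the rule to an AST and interpret only an allow-list of nodes:
    names that exist in ctx, constants, comparisons, and/or/not.
    Calls, attribute access, subscripts and anything else are rejected."""
    if len(rule) > MAX_RULE_LEN:
        raise ValueError("rule too long")
    tree = ast.parse(rule, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in ctx:
                raise ValueError(f"unknown variable {node.id!r}")
            return ctx[node.id]
        if isinstance(node, ast.BoolOp):
            values = [ev(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        if isinstance(node, ast.Compare):
            left = ev(node.left)
            for op, right_node in zip(node.ops, node.comparators):
                fn = _ALLOWED_CMP.get(type(op))
                if fn is None:
                    raise ValueError(f"disallowed operator {type(op).__name__}")
                right = ev(right_node)
                if not fn(left, right):
                    return False
                left = right
            return True
        raise ValueError(f"disallowed syntax {type(node).__name__}")

    return bool(ev(tree))


def safe_result(rule, ctx):
    """Convenience wrapper: ('ok', value) or ('rejected', reason)."""
    try:
        return ("ok", evaluate_rule_safe(rule, ctx))
    except (ValueError, SyntaxError) as exc:
        return ("rejected", str(exc))


# Constructed inputs for the demo.
REQUEST = {"port": 443, "host": "bad.example", "blocked": {"bad.example"}}
LEGIT_RULE = "port == 443 and host in blocked"
# Constructed payload: harmless, but it proves the os module is reachable.
PAYLOAD = "__import__('os').getcwd() is not None"

if __name__ == "__main__":
    print("unsafe, legit rule:", evaluate_rule_unsafe(LEGIT_RULE, REQUEST))
    print("unsafe, payload   :", evaluate_rule_unsafe(PAYLOAD, REQUEST))
    print("safe,   legit rule:", safe_result(LEGIT_RULE, REQUEST))
    print("safe,   payload   :", safe_result(PAYLOAD, REQUEST))
```

The safe evaluator never hands the string to the interpreter; it walks the syntax tree and refuses any node type it was not written to handle, so a Call or Attribute node (the building blocks of the usual sandbox escapes) is rejected before anything is executed. The length cap is the cheap answer to the "no upper limit on size" complaint; it does nothing for a server that still runs eval().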
First you audit the software before implementing it: not only what resources it requires but also how it 'does' security. So in terms of authentication ... network-layer authentication coupled with MFA seems to be the way to go. Of course, if your MFA is compromised then you're on a hiding to nowhere.
Is it acceptable for staff to surf stuff at work that other staff or the media would find not suitable for doing at work?
If it's not acceptable you will need some kind of filter. Every company I have worked at (either government or Fortune 500 equivalents) has had filtering, which I've sometimes managed. We all accept some level of email filtering as normal; in the UK the government has mandated ISPs block access to certain sites like The Pirate Bay etc., so not a great deal of difference. OK, the UK isn't blocking the same extensive list as other nations, but blocking exists, just not to sites that most people go to.
Yep. Here, our web filtering list is relatively short. Basically covering things like porn, stopping people downloading illegal things over our network (no, you are NOT using our fiber line to download music/movies & viruses from dodgy sites...) and preventing people from downloading programs since they shouldn't be doing so unless they are IT, in which case they'll have an override password for the filter.
If these sites weren't blocked then we'd have to simply dismiss staff for gross negligence if they were caught doing any of the things above. And that'd require us to keep a Stasi level of intrusiveness into what our staff actually do on the internet.
Here our filter is fairly liberal, but it does block xkcd, which is annoying.
I'm not in charge of what it blocks, or, more to the point, how it is deployed.
I'm a dev now, not an IT admin, with normal user rights.
So you know what I do if I want to see xkcd or other "entertainment" sites?
I turn it off.
Yep, you heard: they don't channel all the traffic through the filter at the firewall or whatever; they rely on every workstation having certain boxes ticked in the internet settings.
So I just untick.
Granted, it's got harder since they policied out access to that menu ... I have to use a .reg file now.
>Yep. Here, our web filtering list is relatively short.
It works well until you explore a little.
A client had barred "gambling sites"; it worked well until they decided to bid for funding from the National Lottery.
On investigation, yes the filter did block the big name sites, but none of the smaller sites - neither did it have an exclusion list. Not naming names but the web filter was from a popular business provider (£) of web filtering services.
> Is it acceptable for staff to surf stuff at work that other staff or the media would find not suitable for doing at work?
> If it's not acceptable you will need some kind of filter.
No.
If it's not acceptable, you need a policy which says what is (and is not) acceptable. People caught violating the policy will be subject to company disciplinary process, just like any other breach of company policy.
You cannot make a filter which can tell the difference between YouTube videos for work research and YouTube videos for wasting time.
Yeah, but a filter is a one-off cost and then you can forget about it. Or maybe a less-than-the-cost-of-a-wage monthly sub, and you don't have the hassle of some meatbag being in charge of checking the logs and stuff. Then the liability is on the filter provider while the C-suite can all have plausible deniability if the shit hits the fan.
[RedactedCo] uses it for two things: security (drive-by malware and phishing mostly, but overall security) and 'productivity enhancement' (i.e., keeping people from looking at social media sites (aka Facebook, Instagram, Snapchat), pulling down content of no business value (i.e. porn, torrents, pirated software, etc.) or other things that the business deems necessary).
Obvious bias: I'm the owner of [RedactedCo]'s content security applications, which is ironic because I despise censorship in all its forms; I can see why the business needs an internet filter, though.
FTFY: Security vulnerability in a web tool written in any scripting language; must be a day ending with "y".
Seriously... clueless developers abound and it's staggering the awful quality of code that gets vomited out, often using "modern", "progressive" and other bullshit excuses as to why errors don't need to be handled, to excuse the barely mappable mesh of external dependencies pulled in at uncontrolled times, and why making a complicated mess is somehow a good idea.
As for repeating the same mistakes that have had solutions and well established best practices for well over 30 years? Never trust user input and only construct queries using proper parameters.
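The "only construct queries using proper parameters" point from the post above, as an added example that is neither the article's nor Netsweeper's code. It uses a hypothetical block-list table (the article only says the flaw lets an attacker tamper with lists of blocked websites; this schema, the hosts and the payload are all constructed here) to show why a string-built DELETE lets one submitted value wipe the whole list, while the parameterised form treats the same value as data.

```python
import sqlite3

# Added illustration of "never trust user input; use proper parameters".
# Hypothetical block-list table and values, not Netsweeper's schema or code.

CONSTRUCTED_BLOCKLIST = ["bad.example", "malware.test"]


def make_db():
    """In-memory SQLite database seeded with the constructed block list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blocklist (host TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO blocklist (host) VALUES (?)",
                     [(h,) for h in CONSTRUCTED_BLOCKLIST])
    conn.commit()
    return conn


def blocked_hosts(conn):
    """Sorted list of every host currently on the block list."""
    return sorted(row[0] for row in conn.execute("SELECT host FROM blocklist"))


def unblock_host_unsafe(conn, host):
    """String-built SQL: the submitted value becomes part of the statement text."""
    conn.execute(f"DELETE FROM blocklist WHERE host = '{host}'")
    conn.commit()


def unblock_host_safe(conn, host):
    """Parameterised SQL: the driver passes host as data, never as syntax."""
    conn.execute("DELETE FROM blocklist WHERE host = ?", (host,))
    conn.commit()


def is_blocked(conn, host):
    """Parameterised lookup used by the filtering path."""
    row = conn.execute("SELECT 1 FROM blocklist WHERE host = ?", (host,)).fetchone()
    return row is not None


# Constructed payload: inside the string-built statement it closes the quote
# and makes the WHERE clause true for every row, so the unsafe version
# empties the whole list instead of removing one host.
PAYLOAD = "nothing.example' OR '1'='1"


def demo_unsafe():
    conn = make_db()
    unblock_host_unsafe(conn, PAYLOAD)
    return blocked_hosts(conn)


def demo_safe():
    conn = make_db()
    unblock_host_safe(conn, PAYLOAD)      # matches no row: no such literal host
    unblock_host_safe(conn, "bad.example")  # removes exactly the intended host
    return blocked_hosts(conn)


if __name__ == "__main__":
    print("after unsafe unblock with payload:", demo_unsafe())
    print("after safe unblock with payload, then a real host:", demo_safe())
```

The difference is not escaping quotes better; it is that with a placeholder the database never parses the submitted value as SQL at all, which is the thirty-year-old best practice the post refers to.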
The issue is that vendors don't really do much in the way of securing code or coding securely. Is it the fault of the devs? Perhaps, but certainly the vendor should be ensuring devs get the correct guidance. On the flip side are customers who will take any s/w willy-nilly with no concept of acceptance testing, and indeed the security posture of the software is absolutely part of that acceptance.