Firm Foundation Technology, LLC's Small Business Update for Tuesday July 6th, 2004
==========================
Internet Explorer - Security like a Sieve

It has not been a good week for Internet Explorer. It has not been a good week for users of Internet Explorer. Despite Microsoft's "Trustworthy Computing" security initiative, Internet Explorer seems to be as secure as an unlocked car with the keys in the ignition.

On Friday Microsoft made available a download for Windows 2000 and later versions that disabled a portion of the ActiveX component of Windows. ActiveX is a software service used by web pages to provide multimedia enhancements. A very common example would be web pages that have Macromedia Shockwave or Macromedia Flash-enabled components. The security problem is that ActiveX is also often used to download software like Macromedia Flash Player so that the fancy pages work on your computer's web browser.

Last week a hacker broke into several web servers and installed a routine that would (using ActiveX) download a program to the computers of several websites' visitors. This downloaded program was designed to capture user names and passwords when a user went to various online banking sites. The sneaky thing was that a flaw in ActiveX allowed the password-capturing program to be installed on a computer without the user's knowledge or consent.

What has angered many computer security experts is that this flaw in ActiveX has been known for over 9 months and has been implicated in several other security issues as well. The "fix" made available on Friday disables some ActiveX functionality, but does not attempt to fix the flaw. The final fix is still forthcoming.

But who knows what problems that "fix" will bring, since the programmers for Internet Explorer have also recently reintroduced a really bad security bug from 6 years ago. The reintroduced flaw makes it possible to change the contents of one browser window by clicking a specially-crafted link in an entirely different window. This flaw could be exploited by a "bad guy" replacing, say, your credit card company page with a convincing fake and asking you to enter your account number, etc.

-- The Small Business Impact --

As usual, download all critical patches from Microsoft's Windows Update site. PLEASE MAKE SURE you get the one with the ID number KB870669. And don't forget to do this on ALL Windows 2000 and later systems. As of right now there is no patch for Windows 98 or Windows ME.

You should also update your anti-virus signatures on ALL Windows systems immediately if you do not have them on daily automatic updates, since most vendors can now intercept the password-capturing program.

I have added a new news feed that links to Microsoft's recent security bulletins on my virus alert web page: http://www.firmfoundationtechnology.com/resources/valert.html

==========================
E-Mail and the Law - Still in Flux

A federal appeals court in Boston handed down a decision last week that federal wiretap laws do not apply to e-mails that are stored (even for a millisecond) on corporate servers or the servers of an Internet Service Provider (ISP). Instead, they are covered by the slightly less stringent protections of the Stored Communications Act of 1986, designed to cover “delivered but unopened” e-mails. “Delivered but unopened” e-mails are accessible in civil suits, while wiretapped data never is. Hold this thought for a moment.

Back in February, a federal appeals court in San Francisco ruled that e-mails stored on an ISP's server are still "stored communications," even if they've been read by the recipient. Prior to this case “opened” e-mails were accessible by a simple subpoena, a document which does not always require a judge’s consent.

At present, the aforementioned rulings only apply to the geographic areas covered by their respective Circuit Courts, but they create precedents that other courts may decide to adopt, in which case the effects could soon be nationwide.

The potential combined effect of these two rulings appears to be that any email that is stored for any length of time, whether “in transit,” “opened” or “unopened,” may become accessible in a civil suit (for example, a shareholder’s suit), but with the protection of judicial oversight.

-- The Small Business Impact --

I'm not a lawyer, so my interpretation is open to error. You should contact your lawyer and review your email retention policies in light of these rulings. At the same time, you may want to consider contacting your Internet Service Provider to request a copy of their email and/or file retention policies.

--------------------------
See you next week
========================

To subscribe to the mailing list, simply send a message with the word 'subscribe' in the Subject: field to FFT-SmallBusinessUpdate-request@firmfoundationtechnology.com

To unsubscribe from the mailing list, simply send a message with the word 'unsubscribe' in the Subject: field to FFT-SmallBusinessUpdate-request@firmfoundationtechnology.com
This page was last updated on July 13, 2004. All pages contained on this site are copyright 2002-2006 by Firm Foundation Technology, LLC.

Firm Foundation Technology, LLC ~ P.O. Box 1007 ~ California, MD 20619 ~ 301-481-5133 ~ www.firmfoundationtechnology.com