jamie wrote:

The bad:
- no cross frame scripting on local domain
- simple little scripts - like "Click here to make this your homepage" are blocked

jamie wrote:

- WAY TOO MANY - this page is blocked from running because your using - what usually amounts to - a non- MS sanctioned way of doing something ie; css with graphics, .js includes etc

jamie wrote:

- the removal of kiosk mode interfaces
this is my main one. I do alot of these - full screen windows-ish interfaces - but now - they all error, or when they do finally open ( after getting through the Pop up blocker) they add a top toolbar - and usually the status bar - even if it is turned off.

jamie wrote:

This is only a land grab = NO more making full screen interfaces that cover windows ( like you could do since IE4

I cant use mozilla for this very reason - when i need full screen - i DONT WANT A TOOL BAR.)

jamie wrote:

Serive Pack 2 is the worst thing i have ever seen come out of a supposed USER FRIENDLY company. It completely makes it impossible to do what you COULD before.)

jamie wrote:

i hate security excuses for land grab decreaced functionality and freedom

jamie wrote:

all i know - as someone interested in using IE to do stuff - that maybe it wasnt meant to do - but did FLAWLESSLY - well all that was usually interface specific stuff and its mostly been removed.

If there was another browser that offered it - i gotta say for first time in my life - id look at switching

jamie wrote:

* I talked alot with Ben Slivka during the ie3/4 years and chris jones in ie5 years

this stuff was really developer empowering stuff
- but ya i guess "goofs" could use it for bad purposes..

jamie wrote:

Still think there could have been other ways rather than removing developer features

jamie wrote:

and i also do think your top brass wanted this stuff gone - not so much for security - but so that - say Google couldnt make its web site - a full screen interface - covering Win desktop

Manip wrote:

Sounds MORE like poor implementation on the part of the developer to me.

jamie wrote:

[quote user="Shining Arcanine"]

Personally, I don't want developers to be empowered to make it impossible for me to leave their website.

Most people hate it when webpages hijack Internet Explorer, you are the only person that I have ever known that likes it.



>> What if you arnt "highjacking" anything?
What if its clear - you are launching a full screen window. This was a feature that is now gone...correct?

jamie wrote:

..guess youd have to love windows so much - youd want to emulate it - and spend your spare time making interfaces that appear to boot - and "appear" to have a startbar, browser. media player - all in dhtml and html jscript - only to have the functionality REMOVED on you

so ya i agree

sob sob sob

For the last six years the Computer Security Institute (CSI) has performed a survey in cooperation with the Federal Bureau of Investigation's (FBI) Computer Intrusion Squad to help determine the extent of computer crime in the United States. In March 2001, CSI published its “2001 Computer Crime and Security Survey,” which is based on responses from 538 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities. Of those organizations surveyed, 91 percent reported detecting computer security breaches in the last 12 months^[1] and 97 percent of those polled had Web sites. Of those with Web sites, 23 percent reported suffering an attack within the last 12 months and 27 percent did not know if they had experienced an attack. Of those reporting attacks, 21 percent reported two to five incidents and 58 percent reported ten or more.

^[1] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

These statistics may be alarming, but the actual state of computer security may be worse than the statistics suggest. Many organizations are still not equipped to detect security breaches. Only 61 percent (up from 50 percent in 2000) of those polled in the CSI survey reported using intrusion detection. Thus, it is likely the actual number of attacks and losses are greater than those reported. While it appears that organizations are starting to implement more security controls, security incidents and losses continue to grow. This could be due to the fact that the security products are not implemented correctly or that the proper policies and procedures are not built around them. In the 2001 CSI survey Patrice Rapalus, CSI director, provided this insight on why incidents and loss continue to grow:

The survey results over the years offer compelling evidence that neither technology nor policies alone really offer an effective defense for your organization… . Organizations that want to survive need to develop a comprehensive approach to information security embracing both the human and technical dimensions.^[2]

^[2] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute, p. 1.

Organizations were also asked to estimate the financial damages they suffered as a result of the security breaches. Although 64 percent reported financial damages, only 35 percent were able to quantify the losses. Table 1-1 shows the results. Although the $377,828,700 in reported damages seems an enormous number, it is important to note that this reflects the damages suffered by a mere 186 organizations (35 percent of those surveyed). Considering the number of computer-using organizations in the country, the overall cost of computer security breaches must be vastly greater.

Not only is the problem bad, it appears that it is getting worse. In the years 1997–1999, the average damage due to break-ins was $120,240,180. The year 2000 losses were more than double that average. The losses continued to increase in the year 2001, with a more than 42 percent increase over the year 2000 losses despite 87 fewer organizations reporting losses.^[3] Table 1-2 shows the results of the CSI survey over the last five years. Although some of the increased reported damages in the 2001 survey come from improved detection and reporting, a large portion of the increase is due to increased hacker activity.

^[3] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

The reported sources of the attacks were also interesting. External attacks continue to be more common, but the threat from internal sources is still there—49 percent of the respondents reported attacks from internal sources. Internet connections were frequent targets, as stated by 70 percent of the respondents, while 31 percent reported their internal systems were a common point of attack. Keep in mind that many companies more closely monitor Internet-connected systems for abuse and unauthorized activity than internal systems. Even considering this fact, the results support the reality that the threat from both internal and external sources is great. While the reported frequency of internal attacks is lower than that for external ones, internal attackers can often cause more damage due to their proximity to and knowledge of the systems.

Table 1-1. Losses Reported in Dollars by Type (for 2001)

Type	Loss
Unauthorized insider access	$6,064,000
Theft of proprietary information	$151,230,100
Telecom fraud	$9,041,000
Financial fraud	$92,935,500
Viruses	$45,288,150
Laptop theft	$8,849,000
Insider abuse of Internet access	$35,001,650
Denial of service	$4,283,600
Sabotage	$5,183,100
System penetration	$19,066,600
Telecom eavesdropping	$886,000
Active wiretapping	$0
Other	$0
Total	$377,828,700
Source: Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

The CSI survey provides a wealth of information and statistics concerning computer crime and security. We have touched on just a small portion of the results that help illustrate the risks. You can obtain a free copy of the complete CSI survey by visiting www.gocsi.com.

Table 1-2. Total Reported Financial Losses by Year

Year	Respondents (Number Reporting Losses/% of Total Respondents)	Reported Losses
2001	186 respondents/35%	$377,828,700
2000	273 respondents/42%	$265,586,240
1999	161 respondents/31%	$123,779,000
1998	216 respondents/42%	$136,822,000
1997	331 respondents/59%	$100,119,555
Total		$1,004,135,495
Source: Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

CSI is not the only organization whose surveys indicate a growing computer security threat. A global survey released in July 2000 of 4,900 information technology (IT) professionals across 30 nations, conducted by InformationWeek Research and fielded by PricewaterhouseCoopers LLP, predicts U.S. firms will suffer losses of over $266 billion this year from viruses and computer hacking.^[4] The prediction for worldwide losses climbs to $1.6 trillion. The CERT Coordination Center maintains statistics for the number of incidents reported each year (www.cert.org/stats/cert_stats.html). In 2000 there were 21,756 incidents, which is more than double the number of incidents reported in 1999 (9,859 incidents). All these statistics indicate the threat appears to be growing, which calls for a renewed sense of urgency to address the security issues facing every company.

^[4] PRNewswire. 2000. “Study Finds Computer Viruses and Hacking Take $1.6 Trillion Toll on Worldwide Economy.” Wire report, July 7.

The statistics are persuasive, but they are sometimes not enough to make the case for increased computer security. However, the statistics are not the only indication of increased computer crimes. Media outlets have started to take notice of computer crimes and have increased the reporting of system compromises, particularly attacks that involve well-known companies. Some of the attacks involve denial of service, stolen information, or other forms of loss.

In February 2000, many large Internet companies suffered major disruptions in service from distributed denial-of-service (DDoS) attacks. Denial-of-service (DoS) attacks generally involve trying to overwhelm or bring down a target system to make it unavailable for use. (DoS attacks are covered in greater detail in Chapter 21.) Yahoo.com, Amazon.com, ETRADE.com, Buy.com, CNN.com, eBay.com, and others were offline for hours combating the problem. These incidents brought great visibility to cyber crime.

Other well-known attacks also help illustrate the increase in computer crime. In October 2000, news sources reported an attack against Microsoft's internal systems, targeting its source code. In May 1999, the FBI investigated several hacking groups based in the United States. After the FBI seized a suspected teenage hacker's computer, several hacker groups retaliated by defacing government Web sites. At one point, a DoS attack caused the FBI Web site to be taken offline for seven days.^[5] In January 2000, an Internet hacker threatened CD Universe, stating that if the company did not pay a ransom of $100,000 he would publish 300,000 credit card numbers he stole from its Web site. The company refused to pay the ransom and the hacker published over 25,000 credit card numbers. This attack destroyed consumer confidence in CD Universe and added to the mistrust consumers already have in online buying. Between the middle of 1999 and the beginning of 2000, computer viruses such as Melissa, I LOVE YOU, and Explorer.zip devastated corporate networks, forcing companies to shut down for days to combat the viruses. These viruses demonstrated the frailty of present-day virus scanners and how easy it is to get users to execute malicious code. The incidents also illustrated the problems and losses a company can suffer from an attack.

^[5] Mell, Peter, and John Wack. 2000. “Mitigating the Hacker Threat.” Accessed on July 18, 2000, at the National Institute of Standards and Technology Web site, http://csrc.nist.gov/publications/nistbul/itl00-06.txt.

Web-site defacements are one of the most prevalent security incidents. Hundreds of defaced Web sites are posted on hacker sites each month. Attrition.org (www.attrition.org) and 2600 (www.2600.org) are two of many sites that contain defaced Web-site archives. The archives contain a listing of sites that have been defaced and in some instances display a copy of the defaced site. Figure 1-1 shows an example of the listings of defaced Web sites from Attrition.org. Defacements may consist of impolite messages, a hacker's claim to fame, pornographic material, or other embarrassing information. Even in cases where an attack is not destructive, the loss of confidence in the organization's ability to protect sensitive data will drive customers away.

This information should be sufficient to make a strong case for putting information security in the forefront of an organization's IT strategy. Most security professionals are already aware of the risks facing IT managers today. However, there is no way security and system administrators can both satisfy their job requirements and proactively secure their systems without user and management support. A good way to gain support is through effective security awareness training that is both convincing and constant. Users need to be continually reminded of the dangers of lax security and what they can and must do to protect against these problems. Security programs and policies must be designed to be easy to use and follow, and they must be enforceable

Source:

Hack I.T.: Security Through Penetration Testing

T. J. Klevinsky Scott Laliberte Ajay Gupta Publisher: Addison Wesley

First Edition February 01, 2002
ISBN: 0-201-71956-8

vanlandw wrote:

for me the firewall will be the first thing disabled....i play online games and windows firewall always messes up those connections. 

send file on msn messenger - get following:

jamie wrote:

how can you go from being for the USER - into being SECURE without contradicting 20 years of MS stregnth? - allow user to DO WHAT THEY WANT unencumbered

jamie wrote:

That's not really in SP2... but I could see how you could be easily be mistaken by the removal of many user / client side things that were always there before but now have been disallowed.

Lwatson wrote:

So now you are saying that because I chose poorly and did not save my work before I went to bed that the power going off that night would be SP2's fault? The results would be the same, whatever I worked on would be gone. Now I will be the first to agree that windows perpensity to reboot at the drop of a hat is an annoyance that gets tiresome but if you have automatic updates happening then you must understand that the reboot is coming. We are talking about windows here.

Wiseman wrote:

also i hate Trustworthy Computing

Jackco wrote:

Wiseman wrote:also i hate Trustworthy Computing

that why I won't download sp2 because it got NGSBC.