[ISN] A Bug Bounty Program for Microsoft?

From: InfoSec News (alerts@private)
Date: Wed Jan 17 2007 - 22:06:15 PST

Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


Expect the Unexpected: Disaster Recovery for your Windows-based 

Protecting Organizations from Spyware: Free Whitepaper

Double-Take Software: Upcoming Exchange Webinar!

=== CONTENTS ===================================================

IN FOCUS: A Bug Bounty Program for Microsoft?

   - Man-in-the-Middle Attacks Made Simple
   - Web Sites Move Toward One-Time PINs
   - Blocking Web Sites in ISA Server
   - Recent Security Vulnerabilities

   - Security Matters Blog: Securing Windows Vista Services  
   - FAQ: Start a Command Shell with Elevated Permissions
   - From the Forum: Drive Encryption with Page Files and Temporary 
   - Share Your Security Tips
   - Microsoft Learning Paths for Security: Deploying Microsoft 
     Identity and Access Management Technologies

   - Encrypt Backup Data at the Media Server
   - Wanted: Your Reviews of Products 




=== SPONSOR: Neverfail =========================================

Expect the Unexpected: Disaster Recovery for your Windows-based 
   Learn to differentiate between alternative solutions to disaster 
recovery for your Windows-based applications and to ensure seamless 
recovery of your key systems--whether a disaster strikes just one 
server or the whole site. On-Demand Web Seminar

=== IN FOCUS: A Bug Bounty Program for Microsoft? ==============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

iDefense Labs' first quarter 2007 Vulnerability Challenge is targeted 
at those who can find particular bugs in Windows Vista and Microsoft 
Internet Explorer (IE) 7.0. The company is offering between $8,000 and 
$12,000 for a new discovery and between $2,000 and $4,000 for a working 
exploit of that vulnerability, depending on the quality.

According to the Vulnerability Challenge rules (at the URL below), "The 
vulnerability must be remotely exploitable and must allow arbitrary 
code execution in a default installation of one of the technologies 
listed above." Furthermore, "the vulnerability must exist in the latest 
version of the affected technology with all available patches/upgrades 
applied," and "the vulnerability must not require additional social 
engineering beyond browsing a malicious site."

iDefense (a VeriSign company) profits from these challenges by 
reselling the vulnerability data to its customers and from the 
publicity the challenges generate. 

Black hats sell vulnerability information too. You've probably read 
news stories about people attempting to sell vulnerabilities of the 
caliber desired by iDefense on various Internet sites. These black hats 
often claim that they'll sell a working exploit to the highest bidder 
(they sometimes have a reserve price that they won't go below). One 
story I read said that a black hat offered to sell an exploit for 
$50,000. That's a lot of money for working exploit code. 

People who buy such exploit code undoubtedly expect to profit from it 
somehow, most likely through some type of theft or fraud. So if sellers 
of exploit code can get that kind of money, or even half that much, and 
buyers can make their money back by using the exploit code, then the 
potential takers of iDefense's challenge will be either white hats or 
those who don't have a vehicle to sell their vulnerability information. 

Fortunately, some people will sell their work to iDefense simply 
because they don't want to see their discoveries used to exploit 
innocent people, and that's a great motive. But I think we need to keep 
in mind that many discovers of security vulnerabilities don't care 
about innocent people--what they care about is personal gain. Seen in 
that light, iDefense's offer of a maximum of $12,000 seems rather low 
and might not attract people who discover the most serious 

Other companies offering bug bounties include 3Com (at the first URL 
below) and Mozilla Foundation (at the second URL below). 3Com's Zero 
Day Initiative is a points program in which the more bugs you submit, 
the more points you receive. You trade points for benefits such as cash 
and travel to security conferences. Mozilla Foundation pays a flat fee 
of $500 for a bug found in Mozilla software, plus you get a T-shirt. 

All three of these programs have been under way for quite some time now 
and are successful to some extent or other. The question in my mind is 
why hasn't Microsoft instituted a similar program? I think it would be 
a great addition to the company's current efforts at making their 
products more secure.

=== SPONSOR: WebSense ==========================================

Protecting Organizations from Spyware: Free White Paper
   Combat phishing and pharming with complete protection against 
complex Internet threats by filtering at multiple points on the 
gateway, network, and endpoints.

=== SECURITY NEWS AND FEATURES =================================

Man-in-the-Middle Attacks Made Simple
   A kit automates the creation of a fraudulent URL, which acts as a 
man-in-the-middle to gather sensitive private information from 
unsuspecting users in real time.

Web Sites Move Toward One-Time PINs 
  Think you have too many cards in your purse or pocket? Just wait 
until you have a dozen or more PIN generators to carry around.

Blocking Web Sites in ISA Server
   Web blacklisting services maintain lists of Web sites that contain 
pornography, hate speech, violence, hacking tools, or other prohibited 
content. You can subscribe to an inexpensive blacklisting service and 
import its list (typically updated each week) into ISA Server with a 
script. Jason Fossen walks you through the steps.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Double-Take Software ==============================

Double-Take Software: Upcoming Exchange Webinar!
   Join this webinar to learn new ways to maintain Exchange uptime by 
using continuous data replication and application availability. When 
recoverability matters, depend on Double-Take Software to protect and 
recover business critical data and applications. Date: 1/30/07. Time: 
11 a.m. EST.

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Securing Windows Vista Services   
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=46B75:7EB890

As you might know, services in Vista are better protected than services 
in previous versions of Windows. But do you know how Microsoft hardens 
Vista services?

FAQ: Start a Command Shell with Elevated Permissions
   by John Savill, http://list.windowsitpro.com/t?ctl=46B72:7EB890 

Q: How can I start a command prompt session with Administrative 
privileges in Windows Vista? 

Find the answer at

FROM THE FORUM: Drive Encryption
   A forum participant is testing TrueCrypt drive encryption. He's 
created an encrypted D drive and set his system page file to reside on 
the D drive so that it's also encrypted. His temporary directories are 
also on the D drive. His problem is that at boot time, the screen 
splits into four squiggly screens, then finally resolves. He said the 
problem was that the system was unable to create the page file because 
the D drive is unavailable until you enter the password into TrueCrypt. 
Does anyone have a solution or a recommendation for other drive 
encryption software? Join the discussion at

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Deploying Microsoft Identity and 
Access Management Technologies
   Effective identity and access management is critical to information 
security and one of the key components of Core Infrastructure 
Optimization (IO). Use these resources to learn more about the 
interdependent technologies and processes of deploying identity and 
access management solutions, including directory services, identity 
life-cycle management, access management, and more.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Encrypt Backup Data at the Media Server
   Symantec announced the Veritas NetBackup Media Server Encryption 
Option. NetBackup MSEO encrypts backup data at a central NetBackup 
media server instead of at the client or on a dedicated encryption 
appliance. Scheduled to be available this month, MSEO addresses the 
risk associated with transporting tapes off site. MSEO works with 
existing NetBackup policies and existing NetBackup clients and can 
encrypt specific information that client users want to encrypt. MSEO 
centralizes encryption key management by automatically and centrally 
tracking which key was used for which tape and can store keys at a 
disaster recovery site. For more information, go to

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

You know you need to manage your email data; how do you do it? What 
steps are you taking? What additional measures should you enact? What 
shouldn't you do? Get answers to these questions and get control of 
your vital messaging data. Download the free eBook today! 

Can you really trust users to protect critical business data on their 
PCs? One in three users write down their passwords, leaving data at 
risk even with encryption-only protection. True PC data protection 
requires organizational control of your data. Download this free white 
paper today to find out how to accomplish your PC data security goals 
without inhibiting employee productivity. 

=== FEATURED WHITE PAPER =======================================

Ready to get serious about data-driven applications? Learn how to get 
unparalleled data access and presentation capabilities so that your 
users can access the critical business information they need. Download 
this free white paper today to find out more, and get started 
developing with Microsoft .NET! 

=== ANNOUNCEMENTS ==============================================

Special Invitation for VIP Access 
   Become a VIP subscriber and get continuous, inside access to ALL the 
content published in Windows IT Pro, SQL Server Magazine, Exchange & 
Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now 
and SAVE $100:  

Ring in the New Year with Windows IT Pro 
   Don't miss Windows IT Pro in 2007! As a subscriber, you'll get full 
access to must-have coverage relating to Windows Vista deployment, 
virtualization, disaster recovery, Active Directory enhancements, the 
Office 2007 launch, SharePoint fundamentals, and much more. Order now 
and save 58% off the cover price.  


Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=46B77:7EB890
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Wed Jan 17 2007 - 22:14:17 PST