Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>
PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
Expect the Unexpected: Disaster Recovery for your Windows-based
Applications
http://list.windowsitpro.com/t?ctl=46B61:7EB890
Protecting Organizations from Spyware: Free Whitepaper
http://list.windowsitpro.com/t?ctl=46B62:7EB890
Double-Take Software: Upcoming Exchange Webinar!
http://list.windowsitpro.com/t?ctl=46B60:7EB890
=== CONTENTS ===================================================
IN FOCUS: A Bug Bounty Program for Microsoft?
NEWS AND FEATURES
- Man-in-the-Middle Attacks Made Simple
- Web Sites Move Toward One-Time PINs
- Blocking Web Sites in ISA Server
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: Securing Windows Vista Services
- FAQ: Start a Command Shell with Elevated Permissions
- From the Forum: Drive Encryption with Page Files and Temporary
Files
- Share Your Security Tips
- Microsoft Learning Paths for Security: Deploying Microsoft
Identity and Access Management Technologies
PRODUCTS
- Encrypt Backup Data at the Media Server
- Wanted: Your Reviews of Products
RESOURCES AND EVENTS
FEATURED WHITE PAPER
ANNOUNCEMENTS
=== SPONSOR: Neverfail =========================================
Expect the Unexpected: Disaster Recovery for your Windows-based
Applications
Learn to differentiate between alternative solutions to disaster
recovery for your Windows-based applications and to ensure seamless
recovery of your key systems--whether a disaster strikes just one
server or the whole site. On-Demand Web Seminar
http://list.windowsitpro.com/t?ctl=46B61:7EB890
=== IN FOCUS: A Bug Bounty Program for Microsoft? ==============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
iDefense Labs' first quarter 2007 Vulnerability Challenge is targeted
at those who can find particular bugs in Windows Vista and Microsoft
Internet Explorer (IE) 7.0. The company is offering between $8,000 and
$12,000 for a new discovery and between $2,000 and $4,000 for a working
exploit of that vulnerability, depending on the quality.
According to the Vulnerability Challenge rules (at the URL below), "The
vulnerability must be remotely exploitable and must allow arbitrary
code execution in a default installation of one of the technologies
listed above." Furthermore, "the vulnerability must exist in the latest
version of the affected technology with all available patches/upgrades
applied," and "the vulnerability must not require additional social
engineering beyond browsing a malicious site."
http://list.windowsitpro.com/t?ctl=46B76:7EB890
iDefense (a VeriSign company) profits from these challenges by
reselling the vulnerability data to its customers and from the
publicity the challenges generate.
Black hats sell vulnerability information too. You've probably read
news stories about people attempting to sell vulnerabilities of the
caliber desired by iDefense on various Internet sites. These black hats
often claim that they'll sell a working exploit to the highest bidder
(they sometimes have a reserve price that they won't go below). One
story I read said that a black hat offered to sell an exploit for
$50,000. That's a lot of money for working exploit code.
People who buy such exploit code undoubtedly expect to profit from it
somehow, most likely through some type of theft or fraud. So if sellers
of exploit code can get that kind of money, or even half that much, and
buyers can make their money back by using the exploit code, then the
potential takers of iDefense's challenge will be either white hats or
those who don't have a vehicle to sell their vulnerability information.
Fortunately, some people will sell their work to iDefense simply
because they don't want to see their discoveries used to exploit
innocent people, and that's a great motive. But I think we need to keep
in mind that many discovers of security vulnerabilities don't care
about innocent people--what they care about is personal gain. Seen in
that light, iDefense's offer of a maximum of $12,000 seems rather low
and might not attract people who discover the most serious
vulnerabilities.
Other companies offering bug bounties include 3Com (at the first URL
below) and Mozilla Foundation (at the second URL below). 3Com's Zero
Day Initiative is a points program in which the more bugs you submit,
the more points you receive. You trade points for benefits such as cash
and travel to security conferences. Mozilla Foundation pays a flat fee
of $500 for a bug found in Mozilla software, plus you get a T-shirt.
http://list.windowsitpro.com/t?ctl=46B78:7EB890
http://list.windowsitpro.com/t?ctl=46B73:7EB890
All three of these programs have been under way for quite some time now
and are successful to some extent or other. The question in my mind is
why hasn't Microsoft instituted a similar program? I think it would be
a great addition to the company's current efforts at making their
products more secure.
=== SPONSOR: WebSense ==========================================
Protecting Organizations from Spyware: Free White Paper
Combat phishing and pharming with complete protection against
complex Internet threats by filtering at multiple points on the
gateway, network, and endpoints.
http://list.windowsitpro.com/t?ctl=46B62:7EB890
=== SECURITY NEWS AND FEATURES =================================
Man-in-the-Middle Attacks Made Simple
A kit automates the creation of a fraudulent URL, which acts as a
man-in-the-middle to gather sensitive private information from
unsuspecting users in real time.
http://list.windowsitpro.com/t?ctl=46B6D:7EB890
Web Sites Move Toward One-Time PINs
Think you have too many cards in your purse or pocket? Just wait
until you have a dozen or more PIN generators to carry around.
http://list.windowsitpro.com/t?ctl=46B6C:7EB890
Blocking Web Sites in ISA Server
Web blacklisting services maintain lists of Web sites that contain
pornography, hate speech, violence, hacking tools, or other prohibited
content. You can subscribe to an inexpensive blacklisting service and
import its list (typically updated each week) into ISA Server with a
script. Jason Fossen walks you through the steps.
http://list.windowsitpro.com/t?ctl=46B6E:7EB890
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=46B66:7EB890
=== SPONSOR: Double-Take Software ==============================
Double-Take Software: Upcoming Exchange Webinar!
Join this webinar to learn new ways to maintain Exchange uptime by
using continuous data replication and application availability. When
recoverability matters, depend on Double-Take Software to protect and
recover business critical data and applications. Date: 1/30/07. Time:
11 a.m. EST.
http://list.windowsitpro.com/t?ctl=46B60:7EB890
=== GIVE AND TAKE ==============================================
SECURITY MATTERS BLOG: Securing Windows Vista Services
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=46B75:7EB890
As you might know, services in Vista are better protected than services
in previous versions of Windows. But do you know how Microsoft hardens
Vista services?
http://list.windowsitpro.com/t?ctl=46B70:7EB890
FAQ: Start a Command Shell with Elevated Permissions
by John Savill, http://list.windowsitpro.com/t?ctl=46B72:7EB890
Q: How can I start a command prompt session with Administrative
privileges in Windows Vista?
Find the answer at
http://list.windowsitpro.com/t?ctl=46B6F:7EB890
FROM THE FORUM: Drive Encryption
A forum participant is testing TrueCrypt drive encryption. He's
created an encrypted D drive and set his system page file to reside on
the D drive so that it's also encrypted. His temporary directories are
also on the D drive. His problem is that at boot time, the screen
splits into four squiggly screens, then finally resolves. He said the
problem was that the system was unable to create the page file because
the D drive is unavailable until you enter the password into TrueCrypt.
Does anyone have a solution or a recommendation for other drive
encryption software? Join the discussion at
http://list.windowsitpro.com/t?ctl=46B5F:7EB890
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@private If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.
MICROSOFT LEARNING PATHS FOR SECURITY: Deploying Microsoft Identity and
Access Management Technologies
Effective identity and access management is critical to information
security and one of the key components of Core Infrastructure
Optimization (IO). Use these resources to learn more about the
interdependent technologies and processes of deploying identity and
access management solutions, including directory services, identity
life-cycle management, access management, and more.
http://list.windowsitpro.com/t?ctl=46B64:7EB890
=== PRODUCTS ===================================================
by Renee Munshi, products@private
Encrypt Backup Data at the Media Server
Symantec announced the Veritas NetBackup Media Server Encryption
Option. NetBackup MSEO encrypts backup data at a central NetBackup
media server instead of at the client or on a dedicated encryption
appliance. Scheduled to be available this month, MSEO addresses the
risk associated with transporting tapes off site. MSEO works with
existing NetBackup policies and existing NetBackup clients and can
encrypt specific information that client users want to encrypt. MSEO
centralizes encryption key management by automatically and centrally
tracking which key was used for which tape and can store keys at a
disaster recovery site. For more information, go to
http://list.windowsitpro.com/t?ctl=46B7A:7EB890
WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot@private and get a Best Buy gift certificate.
=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=46B71:7EB890
You know you need to manage your email data; how do you do it? What
steps are you taking? What additional measures should you enact? What
shouldn't you do? Get answers to these questions and get control of
your vital messaging data. Download the free eBook today!
http://list.windowsitpro.com/t?ctl=46B67:7EB890
Can you really trust users to protect critical business data on their
PCs? One in three users write down their passwords, leaving data at
risk even with encryption-only protection. True PC data protection
requires organizational control of your data. Download this free white
paper today to find out how to accomplish your PC data security goals
without inhibiting employee productivity.
http://list.windowsitpro.com/t?ctl=46B63:7EB890
=== FEATURED WHITE PAPER =======================================
Ready to get serious about data-driven applications? Learn how to get
unparalleled data access and presentation capabilities so that your
users can access the critical business information they need. Download
this free white paper today to find out more, and get started
developing with Microsoft .NET!
http://list.windowsitpro.com/t?ctl=46B65:7EB890
=== ANNOUNCEMENTS ==============================================
Special Invitation for VIP Access
Become a VIP subscriber and get continuous, inside access to ALL the
content published in Windows IT Pro, SQL Server Magazine, Exchange &
Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now
and SAVE $100:
http://list.windowsitpro.com/t?ctl=46B69:7EB890
Ring in the New Year with Windows IT Pro
Don't miss Windows IT Pro in 2007! As a subscriber, you'll get full
access to must-have coverage relating to Windows Vista deployment,
virtualization, disaster recovery, Active Directory enhancements, the
Office 2007 launch, SharePoint fundamentals, and much more. Order now
and save 58% off the cover price.
http://list.windowsitpro.com/t?ctl=46B68:7EB890
================================================================
Security UDPATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://list.windowsitpro.com/t?ctl=46B74:7EB890
http://list.windowsitpro.com/t?ctl=46B79:7EB890
Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=46B6B:7EB890
Be sure to add Security_UPDATE@private
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=46B77:7EB890
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private
View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=46B6A:7EB890
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.
_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Jan 17 2007 - 22:14:17 PST