Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>
PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
Free Brief: Personal HP Workstations = Higher ROI?
http://list.windowsitpro.com/t?ctl=4976E:57B62BBB09A692792718C527C856CB62
Hosted Security: A solution for small and medium-size businesses
http://list.windowsitpro.com/t?ctl=49759:57B62BBB09A692792718C527C856CB62
Warning. PC encryption protection depends on user compliance--and
users make poor security guards!
http://list.windowsitpro.com/t?ctl=4975B:57B62BBB09A692792718C527C856CB62
=== CONTENTS ===================================================
IN FOCUS: The Problem with Vista Voice Recognition
NEWS AND FEATURES
- Is HD DVD and Blu-Ray Security Now Moot?
- Vista DRM Cracked Already?
- Symantec Expands into Endpoint Management Via Acquisition
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: Logcheck for Linux
- FAQ: Disable Windows Vista's User Access Control (UAC)
- From the Forum: Which Firewall Do You Use?
- Share Your Security Tips
- Microsoft Learning Paths for Security: Improving the Intelligence
of Your Gateway Security
PRODUCTS
- A Firewall for Your Phone
- Wanted: Your Reviews of Products
RESOURCES AND EVENTS
FEATURED WHITE PAPER
ANNOUNCEMENTS
=== SPONSOR: HP ================================================
Free Brief: Personal HP Workstations = Higher ROI?
Discover why financial services executives get a LOT more out of
their IT investments by investing in HP Personal Workstation
Technology. Quickly learn how workstations ensure accuracy and security
while driving down short and long term operating costs. This quick-
read guide is a must read today.
http://list.windowsitpro.com/t?ctl=4976E:57B62BBB09A692792718C527C856CB62
=== IN FOCUS: The Problem with Vista Voice Recognition =========
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Among Windows Vista's new features is robust voice recognition, which
sounds rather innocuous. But as it turns out, that isn't the case.
The voice recognition feature lets you talk to the computer
(fortunately, it doesn't talk back!) to issue commands, dictate
documents, and so on. Therein resides the first vulnerability
discovered since Vista's release to consumers last week. Vista can act
on verbal commands, and it doesn't matter where those commands come
from--they can even come from your computer's speakers!
In his blog, Sebastian Krahmer wrote: "Yesterday I had the idea to use
Vista's speech recognition system for remote exploiting. By embedding
commands into a soundfile offered by an evil website or into all these
Web 2.0 videos, remote attackers might be able to execute commands on a
Vista system while they are spoken upon viewing."
http://list.windowsitpro.com/t?ctl=4975D:57B62BBB09A692792718C527C856CB62
Shortly after Krahmer echoed his idea onto the Dailydave mailing list
(at the URL below) George Ou decided to give it a try. He made an audio
file with embedded spoken commands and played the file. His Vista
computer acted on the commands. Microsoft subsequently confirmed the
vulnerability.
http://list.windowsitpro.com/t?ctl=4975C:57B62BBB09A692792718C527C856CB62
The vulnerability leaves plenty of room for intruders to go hog-wild
creating all sorts of malicious audio-command files. Fortunately, the
voice recognition system isn't enabled by default in new Vista
installations. Nevertheless, I have to wonder along with Ou why
Microsoft didn't integrate a preliminary security system into the voice
recognition system. By not requiring some sort of spoken passphrase,
the company left a door wide open in Vista.
In Microsoft's Security Response Center blog, Adrian wrote, "It is not
possible through the use of voice commands to get the system to perform
privileged functions such as creating a user without being prompted by
UAC for Administrator credentials. The UAC prompt cannot be manipulated
by voice commands by default."
http://list.windowsitpro.com/t?ctl=49755:57B62BBB09A692792718C527C856CB62
While that's true, it's still possible to delete files, execute code
that doesn't require elevated privileges, and do who knows what other
mischief. So, if you must use the voice command system, at least turn
off the microphone when you're finished. Hopefully, Microsoft will
release a fix for this problem soon. In the meantime, be careful of
running audio files with unknown content and of pranksters who might
walk by your desk or call you on VoIP and say things like "shut down."
=== SPONSOR: St. Bernard Software ==============================
Hosted Security: A solution for small and medium-sized businesses
Is effective security out of reach for your small or medium-sized
business? Imagine having a team of IT experts who only focus on
security as part of your staff. Download this free must-have white
paper today and find out how you can eliminate your company's security
risks.
http://list.windowsitpro.com/t?ctl=49759:57B62BBB09A692792718C527C856CB62
=== SECURITY NEWS AND FEATURES =================================
Is HD DVD and Blu-Ray Security Now Moot?
Earlier this month, a person using the alias "muslix64" claimed to
have circumvented the protection system in High Definition DVD (HD
DVD). That system, called Advanced Access Content System (AACS), is
designed to prevent duplication and unauthorized playback of AACS-
protected disks. Now muslix64 says he's cracked Blu-Ray security, which
also uses AACS.
http://list.windowsitpro.com/t?ctl=49766:57B62BBB09A692792718C527C856CB62
Vista DRM Cracked Already?
A Romanian-born programmer claims to have developed code that can
bypass the Digital Rights Management (DRM) technology in Windows Vista.
Writing in his blog, Alex Ionescu said that for over a year, he's been
working on a method of getting around Vista's signed driver
requirements and that he's recently succeeded.
http://list.windowsitpro.com/t?ctl=49767:57B62BBB09A692792718C527C856CB62
Symantec Expands into Endpoint Management Via Acquisition
Symantec intends to bolster its offering of endpoint solutions with
the acquisition of Altiris. Altiris provides solutions aimed at mobile
devices, laptops, desktops, servers, and storage-related devices. The
company's solutions help manage and enforce security policies, protect
against threats, and repair and service assets.
http://list.windowsitpro.com/t?ctl=49765:57B62BBB09A692792718C527C856CB62
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=4975E:57B62BBB09A692792718C527C856CB62
=== SPONSOR: Beachhead =========================================
Warning. PC encryption protection depends on user compliance--and users
make poor security guards!
Can you trust users to protect critical PC business data? One in 3
users write down their passwords--leaving data at risk, even with
encryption-only protection. True PC data protection requires
organizational control of your data. Download this free white paper
today to find out how to accomplish your PC data security goals without
inhibiting employee productivity.
http://list.windowsitpro.com/t?ctl=4975B:57B62BBB09A692792718C527C856CB62
=== GIVE AND TAKE ==============================================
SECURITY MATTERS BLOG: Logcheck for Linux
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4976C:57B62BBB09A692792718C527C856CB62
Managing and reviewing system logs is vital for security. Here's a tool
that helps you get that job done on Linux.
http://list.windowsitpro.com/t?ctl=49763:57B62BBB09A692792718C527C856CB62
FAQ: Disable Windows Vista's User Access Control (UAC)
by John Savill, http://list.windowsitpro.com/t?ctl=4976A:57B62BBB09A692792718C527C856CB62
Q: How do I disable Windows Vista's User Access Control (UAC)?
Find the answer at
http://list.windowsitpro.com/t?ctl=49764:57B62BBB09A692792718C527C856CB62
FROM THE FORUM: Which Firewall Do You Use?
A forum participant is comparing firewalls. He currently uses
SmoothWall but wonders if an appliance solution would be better and
would like to get some feedback from fellow techies. If he's going to
consider another solution, it must interoperate with SmoothWall in
order to keep VPNs working between sites. Join the discussion at
http://list.windowsitpro.com/t?ctl=49756:57B62BBB09A692792718C527C856CB62
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@private If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.
MICROSOFT LEARNING PATHS FOR SECURITY: Improving the Intelligence of
Your Gateway Security
This month, we take a dive into the technologies that provide mobile
and remote workers with easy and flexible secure access from a broad
range of devices and locations including kiosks, PCs, and mobile
devices.
http://list.windowsitpro.com/t?ctl=49768:57B62BBB09A692792718C527C856CB62
=== PRODUCTS ===================================================
by Renee Munshi, products@private
A Firewall for Your Phone
F-Secure is demonstrating its recently announced F-Secure Mobile
Security for smartphones and mobile multimedia computers at the RSA
Conference 2007 this week. F-Secure Mobile Security adds firewall
software to F-Secure's previously offered mobile-device antivirus
software (F-Secure Mobile Anti-Virus). F-Secure Mobile Security is for
devices based on S60 3rd Edition and Symbian OS 9, including four Nokia
devices: Nokia N71, Nokia E60, Nokia E61, and Nokia E70. For more
information, go to
http://list.windowsitpro.com/t?ctl=49771:57B62BBB09A692792718C527C856CB62
WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot@private and get a Best Buy gift certificate.
=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=49769:57B62BBB09A692792718C527C856CB62
Black Hat DC, February 26-March 1 in Washington, DC, is the DC version
of Black Hat, the world's premier technical event for IT security
experts. Featuring 10 hands-on training courses and 30 briefings
presentations with lots of new content--the best of Black Hat. Network
with 300 delegates and see solutions from 10 major sponsors.
http://list.windowsitpro.com/t?ctl=49772:57B62BBB09A692792718C527C856CB62
How do you manage security vulnerabilities? If you depend on
vulnerability assessments to determine the state of your IT security
systems, you can't miss this Web seminar. Special research from Gartner
indicates that deeper penetration testing is needed to augment your
existing vulnerability management processes. Learn more today!
http://list.windowsitpro.com/t?ctl=49757:57B62BBB09A692792718C527C856CB62
Do you know the clues and secrets to effective disaster recovery? Lucky
mates will win a Weekly Prize of a $25 Best Buy Gift Card or a Grand
Prize of a $100 Best Buy Gift Card. Find the buried treasure by
uncovering the secrets to Web filtering. Complete this quiz correctly
and you could be a winner!
http://list.windowsitpro.com/t?ctl=49762:57B62BBB09A692792718C527C856CB62
Do you want to create a fast, user-friendly, reliable, secure, and
scalable backup strategy for your small-to-midsized business? Download
this free white paper today and learn how you can break away from tape
and move to disk-based data protection.
http://list.windowsitpro.com/t?ctl=4975A:57B62BBB09A692792718C527C856CB62
=== FEATURED WHITE PAPER =======================================
Learn the 7 critical email problems to watch for and how to prevent
them. Find out how to better manage your email environment, including
your disaster recovery, compliance, data storage, security, and
wireless devices. Download this free white paper today.
http://list.windowsitpro.com/t?ctl=49758:57B62BBB09A692792718C527C856CB62
=== ANNOUNCEMENTS ==============================================
Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=4975F:57B62BBB09A692792718C527C856CB62
Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is
your chance to get the recognition you deserve! Winners will receive
over $600 in IT resources and be featured in Windows IT Pro. It's easy
to enter--we're accepting March nominations now, but only for a limited
time! Submit your nomination today:
http://list.windowsitpro.com/t?ctl=4976D:57B62BBB09A692792718C527C856CB62
================================================================
Security UDPATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://list.windowsitpro.com/t?ctl=4976B:57B62BBB09A692792718C527C856CB62
http://list.windowsitpro.com/t?ctl=49770:57B62BBB09A692792718C527C856CB62
Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=49761:57B62BBB09A692792718C527C856CB62
Be sure to add Security_UPDATE@private
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=4976F:57B62BBB09A692792718C527C856CB62
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private
View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=49760:57B62BBB09A692792718C527C856CB62
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.
______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Wed Feb 07 2007 - 22:49:40 PST