Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Free Brief: Personal HP Workstations = Higher ROI?
   http://list.windowsitpro.com/t?ctl=4976E:57B62BBB09A692792718C527C856CB62

Hosted Security: A solution for small and medium-size businesses
   http://list.windowsitpro.com/t?ctl=49759:57B62BBB09A692792718C527C856CB62

Warning. PC encryption protection depends on user compliance--and users make poor security guards!
   http://list.windowsitpro.com/t?ctl=4975B:57B62BBB09A692792718C527C856CB62

=== CONTENTS ===================================================

IN FOCUS: The Problem with Vista Voice Recognition

NEWS AND FEATURES
   - Is HD DVD and Blu-Ray Security Now Moot?
   - Vista DRM Cracked Already?
   - Symantec Expands into Endpoint Management Via Acquisition
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: Logcheck for Linux
   - FAQ: Disable Windows Vista's User Access Control (UAC)
   - From the Forum: Which Firewall Do You Use?
   - Share Your Security Tips
   - Microsoft Learning Paths for Security: Improving the Intelligence of Your Gateway Security

PRODUCTS
   - A Firewall for Your Phone
   - Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: HP ================================================

Free Brief: Personal HP Workstations = Higher ROI?
   Discover why financial services executives get a LOT more out of their IT investments by investing in HP Personal Workstation Technology. Quickly learn how workstations ensure accuracy and security while driving down short and long term operating costs. This quick-read guide is a must read today.
   http://list.windowsitpro.com/t?ctl=4976E:57B62BBB09A692792718C527C856CB62

=== IN FOCUS: The Problem with Vista Voice Recognition =========
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Among Windows Vista's new features is robust voice recognition, which sounds rather innocuous.
But as it turns out, that isn't the case. The voice recognition feature lets you talk to the computer (fortunately, it doesn't talk back!) to issue commands, dictate documents, and so on. Therein resides the first vulnerability discovered since Vista's release to consumers last week.

Vista can act on verbal commands, and it doesn't matter where those commands come from--they can even come from your computer's speakers! In his blog, Sebastian Krahmer wrote: "Yesterday I had the idea to use Vista's speech recognition system for remote exploiting. By embedding commands into a soundfile offered by an evil website or into all these Web 2.0 videos, remote attackers might be able to execute commands on a Vista system while they are spoken upon viewing."
   http://list.windowsitpro.com/t?ctl=4975D:57B62BBB09A692792718C527C856CB62

Shortly after Krahmer echoed his idea onto the Dailydave mailing list (at the URL below) George Ou decided to give it a try. He made an audio file with embedded spoken commands and played the file. His Vista computer acted on the commands. Microsoft subsequently confirmed the vulnerability.
   http://list.windowsitpro.com/t?ctl=4975C:57B62BBB09A692792718C527C856CB62

The vulnerability leaves plenty of room for intruders to go hog-wild creating all sorts of malicious audio-command files. Fortunately, the voice recognition system isn't enabled by default in new Vista installations. Nevertheless, I have to wonder along with Ou why Microsoft didn't integrate a preliminary security system into the voice recognition system. By not requiring some sort of spoken passphrase, the company left a door wide open in Vista.

In Microsoft's Security Response Center blog, Adrian wrote, "It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default."
   http://list.windowsitpro.com/t?ctl=49755:57B62BBB09A692792718C527C856CB62

While that's true, it's still possible to delete files, execute code that doesn't require elevated privileges, and do who knows what other mischief. So, if you must use the voice command system, at least turn off the microphone when you're finished.

Hopefully, Microsoft will release a fix for this problem soon. In the meantime, be careful of running audio files with unknown content and of pranksters who might walk by your desk or call you on VoIP and say things like "shut down."

=== SPONSOR: St. Bernard Software ==============================

Hosted Security: A solution for small and medium-sized businesses
   Is effective security out of reach for your small or medium-sized business? Imagine having a team of IT experts who only focus on security as part of your staff. Download this free must-have white paper today and find out how you can eliminate your company's security risks.
   http://list.windowsitpro.com/t?ctl=49759:57B62BBB09A692792718C527C856CB62

=== SECURITY NEWS AND FEATURES =================================

Is HD DVD and Blu-Ray Security Now Moot?
   Earlier this month, a person using the alias "muslix64" claimed to have circumvented the protection system in High Definition DVD (HD DVD). That system, called Advanced Access Content System (AACS), is designed to prevent duplication and unauthorized playback of AACS-protected disks. Now muslix64 says he's cracked Blu-Ray security, which also uses AACS.
   http://list.windowsitpro.com/t?ctl=49766:57B62BBB09A692792718C527C856CB62

Vista DRM Cracked Already?
   A Romanian-born programmer claims to have developed code that can bypass the Digital Rights Management (DRM) technology in Windows Vista. Writing in his blog, Alex Ionescu said that for over a year, he's been working on a method of getting around Vista's signed driver requirements and that he's recently succeeded.
   http://list.windowsitpro.com/t?ctl=49767:57B62BBB09A692792718C527C856CB62

Symantec Expands into Endpoint Management Via Acquisition
   Symantec intends to bolster its offering of endpoint solutions with the acquisition of Altiris. Altiris provides solutions aimed at mobile devices, laptops, desktops, servers, and storage-related devices. The company's solutions help manage and enforce security policies, protect against threats, and repair and service assets.
   http://list.windowsitpro.com/t?ctl=49765:57B62BBB09A692792718C527C856CB62

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
   http://list.windowsitpro.com/t?ctl=4975E:57B62BBB09A692792718C527C856CB62

=== SPONSOR: Beachhead =========================================

Warning. PC encryption protection depends on user compliance--and users make poor security guards!
   Can you trust users to protect critical PC business data? One in 3 users write down their passwords--leaving data at risk, even with encryption-only protection. True PC data protection requires organizational control of your data. Download this free white paper today to find out how to accomplish your PC data security goals without inhibiting employee productivity.
   http://list.windowsitpro.com/t?ctl=4975B:57B62BBB09A692792718C527C856CB62

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Logcheck for Linux
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4976C:57B62BBB09A692792718C527C856CB62

Managing and reviewing system logs is vital for security. Here's a tool that helps you get that job done on Linux.
   http://list.windowsitpro.com/t?ctl=49763:57B62BBB09A692792718C527C856CB62

FAQ: Disable Windows Vista's User Access Control (UAC)
   by John Savill, http://list.windowsitpro.com/t?ctl=4976A:57B62BBB09A692792718C527C856CB62

Q: How do I disable Windows Vista's User Access Control (UAC)?

Find the answer at
   http://list.windowsitpro.com/t?ctl=49764:57B62BBB09A692792718C527C856CB62

FROM THE FORUM: Which Firewall Do You Use?
   A forum participant is comparing firewalls. He currently uses SmoothWall but wonders if an appliance solution would be better and would like to get some feedback from fellow techies. If he's going to consider another solution, it must interoperate with SmoothWall in order to keep VPNs working between sites. Join the discussion at
   http://list.windowsitpro.com/t?ctl=49756:57B62BBB09A692792718C527C856CB62

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Improving the Intelligence of Your Gateway Security
   This month, we take a dive into the technologies that provide mobile and remote workers with easy and flexible secure access from a broad range of devices and locations including kiosks, PCs, and mobile devices.
   http://list.windowsitpro.com/t?ctl=49768:57B62BBB09A692792718C527C856CB62

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

A Firewall for Your Phone
   F-Secure is demonstrating its recently announced F-Secure Mobile Security for smartphones and mobile multimedia computers at the RSA Conference 2007 this week. F-Secure Mobile Security adds firewall software to F-Secure's previously offered mobile-device antivirus software (F-Secure Mobile Anti-Virus).
   F-Secure Mobile Security is for devices based on S60 3rd Edition and Symbian OS 9, including four Nokia devices: Nokia N71, Nokia E60, Nokia E61, and Nokia E70. For more information, go to
   http://list.windowsitpro.com/t?ctl=49771:57B62BBB09A692792718C527C856CB62

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit
   http://list.windowsitpro.com/t?ctl=49769:57B62BBB09A692792718C527C856CB62

Black Hat DC, February 26-March 1 in Washington, DC, is the DC version of Black Hat, the world's premier technical event for IT security experts. Featuring 10 hands-on training courses and 30 briefings presentations with lots of new content--the best of Black Hat. Network with 300 delegates and see solutions from 10 major sponsors.
   http://list.windowsitpro.com/t?ctl=49772:57B62BBB09A692792718C527C856CB62

How do you manage security vulnerabilities? If you depend on vulnerability assessments to determine the state of your IT security systems, you can't miss this Web seminar. Special research from Gartner indicates that deeper penetration testing is needed to augment your existing vulnerability management processes. Learn more today!
   http://list.windowsitpro.com/t?ctl=49757:57B62BBB09A692792718C527C856CB62

Do you know the clues and secrets to effective disaster recovery? Lucky mates will win a Weekly Prize of a $25 Best Buy Gift Card or a Grand Prize of a $100 Best Buy Gift Card. Find the buried treasure by uncovering the secrets to Web filtering. Complete this quiz correctly and you could be a winner!
   http://list.windowsitpro.com/t?ctl=49762:57B62BBB09A692792718C527C856CB62

Do you want to create a fast, user-friendly, reliable, secure, and scalable backup strategy for your small-to-midsized business?
Download this free white paper today and learn how you can break away from tape and move to disk-based data protection.
   http://list.windowsitpro.com/t?ctl=4975A:57B62BBB09A692792718C527C856CB62

=== FEATURED WHITE PAPER =======================================

Learn the 7 critical email problems to watch for and how to prevent them. Find out how to better manage your email environment, including your disaster recovery, compliance, data storage, security, and wireless devices. Download this free white paper today.
   http://list.windowsitpro.com/t?ctl=49758:57B62BBB09A692792718C527C856CB62

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource
   Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
   http://list.windowsitpro.com/t?ctl=4975F:57B62BBB09A692792718C527C856CB62

Grab Your Share of the Spotlight!
   Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting March nominations now, but only for a limited time! Submit your nomination today:
   http://list.windowsitpro.com/t?ctl=4976D:57B62BBB09A692792718C527C856CB62

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
   http://list.windowsitpro.com/t?ctl=4976B:57B62BBB09A692792718C527C856CB62
   http://list.windowsitpro.com/t?ctl=49770:57B62BBB09A692792718C527C856CB62

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=49761:57B62BBB09A692792718C527C856CB62

Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders.

To contact us:
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=4976F:57B62BBB09A692792718C527C856CB62
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=49760:57B62BBB09A692792718C527C856CB62

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Wed Feb 07 2007 - 22:49:40 PST