Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com> PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE: Free White Paper: Address the Insider Threat http://list.windowsitpro.com/t?ctl=4C366:57B62BBB09A692791DE937E2FA56D245 Filtering the Spectrum of Internet Threats http://list.windowsitpro.com/t?ctl=4C34E:57B62BBB09A692791DE937E2FA56D245 Automatically fix links when you move files! http://list.windowsitpro.com/t?ctl=4C362:57B62BBB09A692791DE937E2FA56D245 === CONTENTS =================================================== IN FOCUS: A Month of PHP Bugs NEWS AND FEATURES - TJX Data Breach Investigation Reveals More Exposure - Vista Tips for IT Pros - CastleCops Endures DDoS Attack - Recent Security Vulnerabilities GIVE AND TAKE - Security Matters Blog: My Toaster Crashed - FAQ: Recovering Disk Access After Renaming Servers - From the Forum: "Act as part of the operating system" Permission - Share Your Security Tips PRODUCTS - Policy Control Software Adds SNMP Event Monitoring - Wanted: Your Reviews of Products RESOURCES AND EVENTS FEATURED WHITE PAPER ANNOUNCEMENTS === SPONSOR: NetIQ ============================================= Free White Paper: Address the Insider Threat Learn how to develop a comprehensive management system that virtually eliminates the risk of an insider threat. Co-authored by NetIQ and Dr. Eric Cole, this informative white paper identifies the key business processes that must be secured and ready to build a solution to contain the insider threat. http://list.windowsitpro.com/t?ctl=4C366:57B62BBB09A692791DE937E2FA56D245 === IN FOCUS: A Month of PHP Bugs ============= by Mark Joseph Edwards, News Editor, mark at ntsecurity / net You might recall that back in December 2006, Stefan Esser resigned from the PHP Security Response Team in disgust. At the time, Esser said that "any attempt to improve the security of PHP from the inside is futile.... The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin." Suhosin is of course a fantastic patch for the PHP source code that makes it far more secure than it is without the patch. If you haven't read about Suhosin, you can do so at the URL below. http://list.windowsitpro.com/t?ctl=4C355:57B62BBB09A692791DE937E2FA56D245 In response to Esser leaving the PHP Security Response Team, Zeev Suraski wrote that he'd "like to take the opportunity, again, and ask Stefan to come back to [the] security team, and work with the project and not against it. As any project that has hundreds of people contributing to it, you never find yourself in agreement with everyone at any given time. It doesn't mean that those who don't think exactly like you are your 'enemies,' and it certainly doesn't mean you should quit and turn to the 'other side.'" It seems to me that if Suraski is serious about wanting Esser back, then he could have gone without the two less-than-subtle digs at Esser. http://list.windowsitpro.com/t?ctl=4C353:57B62BBB09A692791DE937E2FA56D245 So far, Esser has not returned to the team, and earlier this month, he declared that he's going to launch a "Month of PHP Bugs." He's now decided that March 2007 will be the month to do that. As is the trend, every day for the month of March, Esser will post about at least one bug in PHP. You can read more about it at the URL below. http://list.windowsitpro.com/t?ctl=4C351:57B62BBB09A692791DE937E2FA56D245 PHP is widely used, and many of you undoubtedly have it in use on your systems. You should probably keep an eye on Esser's Web site in March to learn of the newly disclosed PHP bugs so that you can take action to defend your systems. The latest versions of PHP are 5.2.1 and 4.4.5, both released in the second week of February 2007, so be sure you're using the latest version. You should also seriously consider integrating the Suhosin patch as soon as you can--if you can. Unfortunately, no precompiled package of PHP that includes Suhosin seems to be available, so you're on your own and will need to compile the patch yourself. http://list.windowsitpro.com/t?ctl=4C36A:57B62BBB09A692791DE937E2FA56D245 http://list.windowsitpro.com/t?ctl=4C361:57B62BBB09A692791DE937E2FA56D245 === SPONSOR: St. Bernard Software ============================== Filtering the Spectrum of Internet Threats Examine the threats of allowing unwanted or offensive content into your network and learn about the technologies and methodologies to defend against inappropriate content, spyware, IM, and P2P. Download this free white paper now! http://list.windowsitpro.com/t?ctl=4C34E:57B62BBB09A692791DE937E2FA56D245 === SECURITY NEWS AND FEATURES ================================= TJX Data Breach Investigation Reveals More Exposure The TJX Companies reported that its data breach was more severe than it had originally detected. http://list.windowsitpro.com/t?ctl=4C35C:57B62BBB09A692791DE937E2FA56D245 Vista Tips for IT Pros Windows Vista has lots of little changes that will affect IT professionals and administrators. Learn more about them in this article on our Web site. http://list.windowsitpro.com/t?ctl=4C359:57B62BBB09A692791DE937E2FA56D245 CastleCops Endures DDoS Attack CastleCops, an online security community whose charter is to help fight malware and phishing scams, fell under Distributed Denial of Service (DDoS) attacks beginning February 13. http://list.windowsitpro.com/t?ctl=4C35B:57B62BBB09A692791DE937E2FA56D245 Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=4C354:57B62BBB09A692791DE937E2FA56D245 === SPONSOR: Linktek =========================================== Automatically fix links when you move files! Patented LinkFixerPlus is the first application that automatically fixes broken links in Excel, Word, Access, PowerPoint, Acrobat, InDesign, PageMaker, AutoCAD and other files when performing data migrations due to: server consolidations, server name changes, path name changes or folder reorganizations! Detailed broken link reporting too! Download the FREE trial version NOW at http://list.windowsitpro.com/t?ctl=4C362:57B62BBB09A692791DE937E2FA56D245 === GIVE AND TAKE ============================================== SECURITY MATTERS BLOG: My Toaster Crashed by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4C364:57B62BBB09A692791DE937E2FA56D245 Coding errors create security bugs. It's as simple as that. So don't be surprised if someone crashes your toaster someday. Read this blog article to learn just how easily some devices can be crashed. http://list.windowsitpro.com/t?ctl=4C35D:57B62BBB09A692791DE937E2FA56D245 FAQ: Recovering Disk Access After Renaming Servers by John Savill, http://list.windowsitpro.com/t?ctl=4C360:57B62BBB09A692791DE937E2FA56D245 Q: I've renamed servers using a special script but am now having problems accessing disks via the Microsoft Management Console (MMC) Disk Management snap-in. What's the problem? Find the answer at http://list.windowsitpro.com/t?ctl=4C35A:57B62BBB09A692791DE937E2FA56D245 FROM THE FORUM: "Act as part of the operating system" Permission A forum participant has an application that requires the "Act as part of the operating system" right to operate correctly on Windows 2000 systems. However, the same application doesn't require this right on Windows XP systems. He wonders why this is the case and what the implications are of granting an application this right. Join the conversation at the URL below. http://list.windowsitpro.com/t?ctl=4C34D:57B62BBB09A692791DE937E2FA56D245 SHARE YOUR SECURITY TIPS AND GET $100 Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. === PRODUCTS =================================================== by Renee Munshi, products@private Policy Control Software Adds SNMP Event Monitoring Active Reasoning announced the availability of Active Reasoning System 5, which lets businesses embed IT policy controls in business systems and applications to provide real-time change detection and configuration auditing. Active Reasoning automatically maps policy frameworks and controls to the users, applications, systems, network devices, files, and databases that need to be monitored to enforce the policies. New in System 5, SNMP event monitoring lets Active Reasoning collect event and change information from network devices in addition to applications and servers. For more information, go to http://list.windowsitpro.com/t?ctl=4C368:57B62BBB09A692791DE937E2FA56D245 WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to whatshot@private and get a Best Buy gift certificate. === RESOURCES AND EVENTS ======================================= For more security-related resources, visit http://list.windowsitpro.com/t?ctl=4C35F:57B62BBB09A692791DE937E2FA56D245 Do you want to block unwanted or undesirable email? Download this free white paper to learn how to manage the content of messages traveling your network. http://list.windowsitpro.com/t?ctl=4C352:57B62BBB09A692791DE937E2FA56D245 How do you manage security vulnerabilities? If you depend on vulnerability assessments to determine the state of your IT security systems, you can't miss this Web seminar. Special research from Gartner indicates that deeper penetration testing is needed to augment your existing vulnerability management processes. Learn more today! http://list.windowsitpro.com/t?ctl=4C34F:57B62BBB09A692791DE937E2FA56D245 Windows + UNIX/Linux = You Need TechX World! If you work in an environment that includes Windows plus UNIX/Linux, TechX World is the place to go for practical strategies and resources to add to your toolkit. This one-day technical training event will teach you how to make the most of open-source tools on Windows and how to manage and sync multiple directories. Register today! http://list.windowsitpro.com/t?ctl=4C35E:57B62BBB09A692791DE937E2FA56D245 === FEATURED WHITE PAPER ======================================= One common set of controls can help you manage compliance across multiple regulations and standards. Download this free IDC white paper and find out how to map controls to the appropriate regulations, saving time and expense in demonstrating compliance. http://list.windowsitpro.com/t?ctl=4C350:57B62BBB09A692791DE937E2FA56D245 === ANNOUNCEMENTS ============================================== Introducing a Unique Security Resource Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50! http://list.windowsitpro.com/t?ctl=4C356:57B62BBB09A692791DE937E2FA56D245 Grab Your Share of the Spotlight! Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting April nominations now, but only for a limited time! Submit your nomination today: http://list.windowsitpro.com/t?ctl=4C365:57B62BBB09A692791DE937E2FA56D245 ================================================================ Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below). http://list.windowsitpro.com/t?ctl=4C363:57B62BBB09A692791DE937E2FA56D245 http://list.windowsitpro.com/t?ctl=4C369:57B62BBB09A692791DE937E2FA56D245 Subscribe to Security UPDATE at http://list.windowsitpro.com/t?ctl=4C358:57B62BBB09A692791DE937E2FA56D245 Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders. To contact us: About Security UPDATE content -- letters@private About technical questions -- http://list.windowsitpro.com/t?ctl=4C367:57B62BBB09A692791DE937E2FA56D245 About your product news -- products@private About your subscription -- windowsitproupdate@private About sponsoring Security UPDATE -- salesopps@private View the Windows IT Pro privacy policy at http://list.windowsitpro.com/t?ctl=4C357:57B62BBB09A692791DE937E2FA56D245 Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2007, Penton Media, Inc. All rights reserved. __________________________________________ Visit the InfoSec News Security Bookstore! http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Mar 01 2007 - 00:13:01 PST