Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

VeriSign's Extended Validation SSL Certificates
http://list.windowsitpro.com/t?ctl=573F3:57B62BBB09A69279661DBC84E7D40DD5

Identity-based Security with UTM
http://list.windowsitpro.com/t?ctl=573FD:57B62BBB09A69279661DBC84E7D40DD5

Your First Look at FAN Technology
http://list.windowsitpro.com/t?ctl=573EC:57B62BBB09A69279661DBC84E7D40DD5

=== CONTENTS ===================================================

IN FOCUS: BITS Gives Bad Guys an Inroad

NEWS AND FEATURES
- Microsoft Redesigns Security Bulletins and Advanced Notifications
- Verizon Expands Security Offerings Via CyberTrust Acquisition
- Enterprise Wireless Routers Buyers Guide
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Time to Upgrade Samba and PHP
- FAQ: Check a Folder for a File Type
- From the Forum: Network Access for Services
- Product Evaluations from the Real World
- Share Your Security Tips

PRODUCTS
- Finding Malicious Content in Email Message Bodies

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: VeriSign ==========================================

VeriSign's Extended Validation SSL Certificates

Increase customer confidence at transaction time with the latest breakthrough in online security - Extended Validation (EV) SSL Certificates from VeriSign. Extended Validation triggers the address bar to turn green when a visitor is using Microsoft Internet Explorer 7 and viewing a site with EV SSL Certificates. This green bar lets customers know that the site they are on is highly authenticated and secure. In a recent VeriSign study, 77% of the respondents indicated that they would be hesitant about shopping at, would check into problems with, or would abandon a site that once showed EV and no longer did.
Learn more about Extended Validation by reading the technical white paper: Maximizing Site Visitor Trust Using Extended Validation SSL.
http://list.windowsitpro.com/t?ctl=573F3:57B62BBB09A69279661DBC84E7D40DD5

=== IN FOCUS: BITS Gives Bad Guys an Inroad =============

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Malware developers have been using Microsoft's Background Intelligent Transfer Service (BITS) to download software to Windows systems for quite some time. Using BITS is logical because it's designed to download files and is a standard part of all supported Windows OSs. BITS takes advantage of unused bandwidth to help optimize network usage, which makes its activity less noticeable to a user.

One problem in defending against this misuse is that BITS is used by Windows Update, Microsoft Systems Management Server (SMS), Microsoft Messenger, and other tools, so it's typically trusted by firewalls to move traffic in and out of the network. Another problem in preventing malware developers from using BITS is that when a malicious application downloads files with it, the traffic is seen as coming from BITS and not the application itself.

Firewall leak testers have long known about the potential danger of BITS and have openly discussed the matter for over a year. At least one program, bits_tester.exe (at the first URL below), is available that works with Microsoft's bitsadmin.exe tool (in the Windows XP SP2 Support Tools at the second URL below) to demonstrate how BITS can easily download files from Web servers.
http://list.windowsitpro.com/t?ctl=573FA:57B62BBB09A69279661DBC84E7D40DD5
http://list.windowsitpro.com/t?ctl=573E4:57B62BBB09A69279661DBC84E7D40DD5

According to Guillaume Kaddouch of the Firewall Leak Tester Web site, the only way to currently control BITS activity is to limit the ability of svchost.exe (on XP and later Windows versions) or services.exe (on Windows 2000) to communicate over the network.
So for example, if you want to better guarantee that BITS will be used only for file transfers on your network or between your network and Microsoft's software update sites, then you need to implement a deny-all policy for svchost.exe or services.exe and make specific exceptions for hosts that you want to receive content from through BITS. Keep in mind that because Microsoft also makes a BITS API available for developers to use, you might need to make exceptions for other legitimate desktop applications that use BITS to download their updates or other content.

The danger of malware misusing BITS isn't limited to software downloads. BITS can also become a significant source of information leakage because it can upload files too, although doing so requires that BITS upload to a Microsoft IIS server with BITS extensions installed. Here again, a deny-all policy can help.

Elia Florio brought the BITS problem to light again this month in a post on the Symantec Security Response blog (at the URL below) in which Florio suggested that Microsoft could improve the security of BITS. "It's not easy to check what BITS should download and not download," he wrote. "Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or ... BITS should be restricted to only [download content from] trusted URLs."
http://list.windowsitpro.com/t?ctl=573E5:57B62BBB09A69279661DBC84E7D40DD5

Microsoft hasn't said much about the issue of BITS being misused or whether the company intends to add any layers of security for it. While we're all waiting to find out, you do need to protect your systems in case your other security solutions fail to detect malware that might misuse BITS.

I did a bit of checking to put together a list of URLs for sites that BITS might use to download files and updates from Microsoft. The list below is probably not complete, but you can use it to start building firewall rules.
Keep in mind that you might need to add the usual HTTP or HTTPS prefix to the server addresses below, depending on your firewall rule requirements. I've noted the two addresses that require HTTPS access; the others require regular HTTP access.

windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.windowsupdate.microsoft.com (HTTPS required)
*.windowsupdate.com
update.microsoft.com
*.update.microsoft.com
*.update.microsoft.com (HTTPS required)
download.windowsupdate.com
*.download.windowsupdate.com
download.microsoft.com
wustat.windows.com
ntservicepack.microsoft.com

If your rule mechanism allows for it, you could simplify the matter by allowing BITS to access *.windowsupdate.com, *.microsoft.com, and *.windows.com over both HTTP and HTTPS.

=== SPONSOR: Cyberoam ==========================================

Identity-based Security with UTM

Identity-based UTM is a third generation security solution, offering the complete set of security features over a single platform. Its user identity-based security offers protection against blended threats that target the individual user as well as insider threats.
http://list.windowsitpro.com/t?ctl=573FD:57B62BBB09A69279661DBC84E7D40DD5

=== SECURITY NEWS AND FEATURES =================================

Microsoft Redesigns Security Bulletins and Advanced Notifications

Advanced notifications will provide more information, and security bulletins will have decision-making information at the top.
http://list.windowsitpro.com/t?ctl=573F4:57B62BBB09A69279661DBC84E7D40DD5

Verizon Expands Security Offerings Via CyberTrust Acquisition

Verizon Business announced that it will acquire CyberTrust, a privately held security services provider. Terms of the deal were not disclosed, however the two companies expect the transaction to be completed sometime in the next 60 to 90 days.
http://list.windowsitpro.com/t?ctl=573F5:57B62BBB09A69279661DBC84E7D40DD5

Enterprise Wireless Routers

Selecting the hardware and configuration for your company's wireless network is a complicated and daunting task. The most important criteria for purchasing an enterprise wireless router are network standards and speed, security, and dependability. Learn more in our Buyer's Guide.
http://list.windowsitpro.com/t?ctl=573F6:57B62BBB09A69279661DBC84E7D40DD5

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=573EE:57B62BBB09A69279661DBC84E7D40DD5

=== SPONSOR: Brocade ===========================================

Your First Look at FAN Technology

Gain control over the growing amount of file data in your enterprise. Learn how File Area Networks (FANs) can help you centralize file consolidation, migration, replication, and failover. Download this eBook and start streamlining your file management projects today!
http://list.windowsitpro.com/t?ctl=573EC:57B62BBB09A69279661DBC84E7D40DD5

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Time to Upgrade Samba and PHP
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=573FC:57B62BBB09A69279661DBC84E7D40DD5

If you're using Samba for Linux and Windows interoperability or PHP to drive applications on your Web servers or desktops, you should upgrade those tools soon. The new releases of both Samba and PHP contain fixes for several security problems and new features. Learn more at
http://list.windowsitpro.com/t?ctl=573EB:57B62BBB09A69279661DBC84E7D40DD5

FAQ: Check a Folder for a File Type
by John Savill, http://list.windowsitpro.com/t?ctl=573F9:57B62BBB09A69279661DBC84E7D40DD5

Q: How can I quickly check whether a folder contains a certain type of file?
Find the answer at
http://list.windowsitpro.com/t?ctl=573F7:57B62BBB09A69279661DBC84E7D40DD5

FROM THE FORUM: Network Access for Services

A forum participant has a server that runs a particular service. Because the service has a GUI, the participant wonders if he needs to grant that service the right to interact with the desktop. The service also needs network access, but the participant is having trouble granting that access. He gets an "access denied" error when the service attempts network access. Join the discussion at
http://list.windowsitpro.com/t?ctl=573E6:57B62BBB09A69279661DBC84E7D40DD5

PRODUCT EVALUATIONS FROM THE REAL WORLD

Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to whatshot@private

SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================

by Renee Munshi, products@private

Finding Malicious Content in Email Message Bodies

Avinti announced iSolation Server 4.0 with Blended Threat Protection, which blocks attacks that use active content and URLs embedded in email messages. Avinti has extended its behavior observation technology so that in addition to looking at attachments for viruses, iSolation Server can search the body of a message for active content such as malicious Java, JavaScript, or ActiveX code and URLs that link the user to Web sites that download malware in the background. Administrators can choose to block the malicious content or issue a warning.
iSolation Server 4.0 with Blended Threat Protection will be available in June. For more information, visit
http://list.windowsitpro.com/t?ctl=57401:57B62BBB09A69279661DBC84E7D40DD5

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=573F8:57B62BBB09A69279661DBC84E7D40DD5

Protect your users and your network from email-borne threats. This free eBook gives you the knowledge required to understand the real threat that email-borne attacks pose and how to address those attacks in a way that reduces risk while ensuring users aren't impacted.
http://list.windowsitpro.com/t?ctl=573ED:57B62BBB09A69279661DBC84E7D40DD5

Do you want to create a fast, user-friendly, reliable, secure, and scalable backup strategy for your small-to-midsized business? Download this free white paper today and learn how you can break away from tape and move to disk-based data protection.
http://list.windowsitpro.com/t?ctl=573EA:57B62BBB09A69279661DBC84E7D40DD5

Did you know that 75% of corporate intellectual property resides in email? The challenges facing this vital business application range from spam to the costly impact of downtime and the need for effective, centralized email storage systems. Join us for a free on-demand Web seminar and learn the key features of a holistic approach to managing email security, availability, and control.
http://list.windowsitpro.com/t?ctl=573E9:57B62BBB09A69279661DBC84E7D40DD5

Discover the New Releases with Microsoft and Industry Experts at IT Pro Connections--Amsterdam

IT Pro Connections offers the deepest and most relevant education for Microsoft IT professionals, especially in this time of important new products and technologies. Now is the time for you to quickly come up to speed. Get prepared for the newest technologies and products through the real-world experience of our expert presenters. "Insider" details help you make sense of new technologies, apply them to your environment, and master them faster and more effectively. Immerse yourself in the latest Microsoft technologies: Windows PowerShell, Exchange Server 2007, Windows Vista, Windows Server "Longhorn," Sharepoint Server and Communications Server, System Center Family (Operations Manager and Configuration Manager), Windows XP, Forefront, and more--with experts from Microsoft and world-renowned subject matter experts!

19-20 June 2007
Post-Conference Workshops 21 June 2007
Amsterdam, The Netherlands
Amsterdam RAI
http://list.windowsitpro.com/t?ctl=573E7:57B62BBB09A69279661DBC84E7D40DD5
http://list.windowsitpro.com/t?ctl=573FF:57B62BBB09A69279661DBC84E7D40DD5

=== FEATURED WHITE PAPER =======================================

You have heard that Windows Vista is the most secure platform that Microsoft has ever produced, but when considering migration, security is of the utmost importance. Download this free white paper now and find out the implications of migrating to Vista in terms of messaging and Web security. Plus, you'll get a summary of the key issues you need to consider.
http://list.windowsitpro.com/t?ctl=573E8:57B62BBB09A69279661DBC84E7D40DD5

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource

Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=573F0:57B62BBB09A69279661DBC84E7D40DD5

Introducing a Unique Exchange and Outlook Resource

Exchange & Outlook Pro VIP is an online information center that delivers new articles every week on messaging topics such as administration, migration, security, and performance.
Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=573EF:57B62BBB09A69279661DBC84E7D40DD5

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=573FB:57B62BBB09A69279661DBC84E7D40DD5
http://list.windowsitpro.com/t?ctl=57400:57B62BBB09A69279661DBC84E7D40DD5

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=573F2:57B62BBB09A69279661DBC84E7D40DD5

Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=573FE:57B62BBB09A69279661DBC84E7D40DD5
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=573F1:57B62BBB09A69279661DBC84E7D40DD5

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

_____________________________________________________

Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today.
http://www.blackhat.com
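
The deny-all policy with specific exceptions described in the In Focus column, as an added Python example that is not part of the original newsletter: it turns the column's host list into rules and checks URLs requested by the BITS host process against them. The log line format, the default-port restriction, and all function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

HTTP, BOTH = {"http"}, {"http", "https"}
# Transcribed from the column's list; only the two entries it marks
# "HTTPS required" accept https, everything else is plain http.
ALLOWLIST = [
    ("windowsupdate.microsoft.com", HTTP),
    ("*.windowsupdate.microsoft.com", BOTH),
    ("*.windowsupdate.com", HTTP),
    ("update.microsoft.com", HTTP),
    ("*.update.microsoft.com", BOTH),
    ("download.windowsupdate.com", HTTP),
    ("*.download.windowsupdate.com", HTTP),
    ("download.microsoft.com", HTTP),
    ("wustat.windows.com", HTTP),
    ("ntservicepack.microsoft.com", HTTP),
]
DEFAULT_PORT = {"http": 80, "https": 443}

def host_matches(host, pattern):
    """Match whole DNS labels: "*.a.com" is neither "a.com" nor "xa.com"."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) >= len(pattern)
    return host == pattern

def bits_url_allowed(url, rules=ALLOWLIST):
    """Deny by default; allow only a listed host on a listed scheme."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed host or out-of-range port
        return False
    scheme, host = parts.scheme, (parts.hostname or "").rstrip(".")
    if port not in (None, DEFAULT_PORT.get(scheme)):
        return False  # assumption: default ports only
    return any(scheme in schemes and host_matches(host, pat)
               for pat, schemes in rules)

# Constructed sample in an assumed "<time> <process> <url>" format, as a
# host firewall or proxy log might record BITS traffic.
SAMPLE_LOG = """\
10:00:01 svchost.exe http://download.windowsupdate.com/msdownload/a.cab
10:00:07 svchost.exe https://www.update.microsoft.com/v6/check
10:02:13 svchost.exe http://updates.example.net/data.bin
10:02:40 svchost.exe http://evilwindowsupdate.com/a.cab
10:03:02 svchost.exe http://download.microsoft.com.example.net/x.exe
10:03:30 svchost.exe https://download.microsoft.com/x.exe
"""

def flag_unlisted(log_text, process="svchost.exe"):
    """Return URLs requested by the BITS host process that the rules deny."""
    rows = (line.split(None, 2) for line in log_text.splitlines())
    return [r[2] for r in rows if len(r) == 3
            and r[1].lower() == process and not bits_url_allowed(r[2])]
```

Matching on the parsed hostname and on label boundaries is what keeps look-alike names and hosts that merely contain an allowed name out of the exception list; a rule engine that does plain substring or suffix matching would admit both.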
This archive was generated by hypermail 2.1.3 : Wed May 23 2007 - 23:18:38 PDT