Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

ALERT: "How a Hacker Launches a SQL Injection Attack!" White Paper
http://list.windowsitpro.com/t?ctl=5A013:57B62BBB09A6927949837399EDFFF4AC

CIPA--Keeping Students Safe on the Net
http://list.windowsitpro.com/t?ctl=5A022:57B62BBB09A6927949837399EDFFF4AC

Managing Risk Through Security
http://list.windowsitpro.com/t?ctl=5A00C:57B62BBB09A6927949837399EDFFF4AC

=== CONTENTS ===================================================

IN FOCUS: Security Fixes to Be Patented

NEWS AND FEATURES
- Solution to IIS Security Bug Is to Upgrade?
- Google's Data Mining Reveals Web Server Security Trends
- Watchfire to Become Part of IBM
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: It All Started 30 Years Ago; Microsoft Releases 6 Security Bulletins for June
- FAQ: Vista's Symbolic Link Capabilities
- From the Forum: How to Block an IP Address in Windows 2003
- Share Your Security Tips

PRODUCTS
- Wireless Intrusion Prevention in Service Form
- Product Evaluations from the Real World

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: SPI Dynamics ======================================

ALERT: "How a Hacker Launches a SQL Injection Attack!" White Paper
It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://list.windowsitpro.com/t?ctl=5A013:57B62BBB09A6927949837399EDFFF4AC

=== IN FOCUS: Security Fixes to Be Patented ====================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Finding security vulnerabilities can sometimes be a tough, thankless job.
But that might be about to change when people start patenting security fixes.

Researchers spend untold amounts of time finding vulnerabilities, and in the somewhat distant past, there was no reward for that effort other than a possible public acknowledgment from the vendor whose product contained the vulnerability and the satisfaction of knowing that yet another security hole was closed, which benefits everyone who uses the product.

Then came companies such as 3Com and iDefense, which began paying for vulnerability information. Discoverers receive cash for their hard work, and 3Com and iDefense earn income too by selling the information to their network of customers in one fashion or another.

Now, yet another dimension is about to be added to the mix. In the latest evolution of vulnerability discovery, a company called Intellectual Weapons is offering to work with researchers to develop fixes for security vulnerabilities and then patent those fixes. Intellectual Weapons would then be in a position to license or sell the patent to vendors that need it. Of course, marketing a patent also requires aggressive enforcement of the patent, and the company says it does expect "major battles," which might occur when someone else discovers the same vulnerability or when a vendor designs around the intellectual property in the patent. The company says that it would give the discoverer 50 percent of any income generated by the patent.

So how much does Intellectual Weapons intend to charge a vendor for some form of rights to the patents it obtains? According to a published FAQ, "The vendor [will be] asked to pay something close to the true value of the vulnerability, i.e. the cost to them if it goes unchecked." Exactly how that cost will be measured remains to be seen.

In developing this concept into a business, Intellectual Weapons obviously saw gigantic dollar signs.
The company cites numerous instances in which small companies have gained millions of dollars through patent infringement litigation. For example, according to Intellectual Weapons, Eolas won $520 million and Stac Electronics won $120 million from Microsoft.

Clearly, there is big money to be made through patenting inventions, and I suspect that money is Intellectual Weapons' primary motive. I think the company name speaks pretty loudly. I also think that what the company is doing might change the patent process to some extent, if only to set some significant legal precedents over time. Furthermore, it could instigate other companies who routinely provide temporary third-party fixes to patent their methodology too, or even cause such companies to stop providing such fixes. Overall, something about this entire idea bothers me.

To read more about Intellectual Weapons' proposed plan of operation visit the URL below.
http://list.windowsitpro.com/t?ctl=5A024:57B62BBB09A6927949837399EDFFF4AC

What's your opinion on this plan? Post your comments with this article at
http://list.windowsitpro.com/t?ctl=5A01A:57B62BBB09A6927949837399EDFFF4AC

Or post your thoughts on the Security Forum at
http://list.windowsitpro.com/t?ctl=5A012:57B62BBB09A6927949837399EDFFF4AC

=== SPONSOR: Cyberoam ==========================================

CIPA--Keeping Students Safe on the Net
Protecting students from the millions of sites that house pornography, adult chat rooms, violence & hacking can provide not just a safe surfing atmosphere to minors in schools and libraries, but also qualify the institutions for federal E-rate funding through CIPA compliance.
http://list.windowsitpro.com/t?ctl=5A022:57B62BBB09A6927949837399EDFFF4AC

=== SECURITY NEWS AND FEATURES =================================

Solution to IIS Security Bug Is to Upgrade?
An authentication bug in Microsoft IIS 5.x surfaced last December, and recently Microsoft said that the fix is to upgrade to IIS 6.0.
http://list.windowsitpro.com/t?ctl=5A019:57B62BBB09A6927949837399EDFFF4AC

Google's Data Mining Reveals Web Server Security Trends
Google recently launched its Online Security Blog, in which new information reveals which server platforms host the most malware, including drive-by downloads.
http://list.windowsitpro.com/t?ctl=5A01D:57B62BBB09A6927949837399EDFFF4AC

Watchfire to Become Part of IBM
IBM announced its intention to acquire privately held security and compliance testing company Watchfire.
http://list.windowsitpro.com/t?ctl=5A01B:57B62BBB09A6927949837399EDFFF4AC

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=5A014:57B62BBB09A6927949837399EDFFF4AC

=== SPONSOR: Neverfail =========================================

Managing Risk Through Security
Every business faces risk. Have you properly assessed your company's risk and put a focus on business continuity? Attend this free Web seminar and learn how you can ensure seamless recovery of your key systems and keep your users continuously connected. On-demand Web seminar.
http://list.windowsitpro.com/t?ctl=5A00C:57B62BBB09A6927949837399EDFFF4AC

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: It All Started 30 Years Ago; Microsoft Releases 6 Security Bulletins for June
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5A021:57B62BBB09A6927949837399EDFFF4AC

Who would have guessed that events in the summer of 1977 would lead us to where we are today?
For some interesting history and nostalgia about Apple plus information about Microsoft's latest security bulletin release, go to
http://list.windowsitpro.com/t?ctl=5A010:57B62BBB09A6927949837399EDFFF4AC

FAQ: Vista's Symbolic Link Capabilities
by John Savill, http://list.windowsitpro.com/t?ctl=5A01F:57B62BBB09A6927949837399EDFFF4AC

Q: How do I create symbolic links in Windows Vista?

Find the answer at
http://list.windowsitpro.com/t?ctl=5A01C:57B62BBB09A6927949837399EDFFF4AC

FROM THE FORUM: How to Block an IP Address in Windows 2003
A forum participant has a VoIP switch hosted in the US. An intruder repeatedly tried to access all his SIP accounts one by one, so he changed the passwords to keep the intruder out, but the intruder kept coming back. The intruder's IP address was known, so the forum participant blocked it in Microsoft IIS. He wants to know how he can block the IP address in Windows Server 2003 to help prevent other possible types of access by the intruder. Join the discussion at
http://list.windowsitpro.com/t?ctl=5A00B:57B62BBB09A6927949837399EDFFF4AC

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
by Renee Munshi, products@private

Wireless Intrusion Prevention in Service Form
VeriSign and AirMagnet launched VeriSign Wireless Intrusion Prevention Service (IPS), which uses AirMagnet's Enterprise solution to shield corporate wireless networks from theft and other security threats. By combining AirMagnet technology with VeriSign Teraguard, companies can integrate IPS for both wireless and wired networks. VeriSign designs and deploys the wireless IPS devices and then monitors them 24x7.
VeriSign Wireless IPS is a new offering in VeriSign's Managed Security Services portfolio. For more information, go to
http://list.windowsitpro.com/t?ctl=5A00A:57B62BBB09A6927949837399EDFFF4AC

PRODUCT EVALUATIONS FROM THE REAL WORLD
Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to whatshot@private

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=5A01E:57B62BBB09A6927949837399EDFFF4AC

Join Paul Robichaux as he presents a checklist you can use to help guide your Exchange 2000/2003/2007 disaster recovery planning. Learn what you should do first, last, and in between to solidify your Exchange infrastructure and be assured of a successful disaster recovery operation. On-demand Web seminar
http://list.windowsitpro.com/t?ctl=5A00E:57B62BBB09A6927949837399EDFFF4AC

IT Pro Connections in Amsterdam, 19-20 June 2007, offers the deepest, most relevant education for Microsoft IT professionals. The real-world experience of expert presenters will help you prepare for the newest technologies and products. Insider details help you make sense of new technologies, learn how to apply them to your environment, and master them quickly and effectively. Immerse yourself in PowerShell, Exchange Server 2007, Vista, Windows Server 2008, SharePoint Server, Live Communications Server, the System Center family, XP, Forefront, and more, with experts from Microsoft and world-renowned subject matter experts! Post-conference workshops 21 June 2007.
http://list.windowsitpro.com/t?ctl=5A025:57B62BBB09A6927949837399EDFFF4AC

Learn how to achieve ROI with your log management system in a matter of months without costly or complex investments.
This Web seminar explains how to ensure that your organization gets the most out of its log management investment, the key requirements and architectural differences you need to consider, and the caveats and risks to watch for when you spec out your requirements and design.
http://list.windowsitpro.com/t?ctl=5A00D:57B62BBB09A6927949837399EDFFF4AC

Disaster recovery isn't just theory for most businesses--it's a harsh business reality. Improve your own disaster recovery efforts today and learn from real-life disaster survivors. Make sure that your plan is ready before a disaster strikes--download this free white paper today!
http://list.windowsitpro.com/t?ctl=5A011:57B62BBB09A6927949837399EDFFF4AC

=== FEATURED WHITE PAPER =======================================

This paper begins with a brief review of the difference between high availability and disaster recovery, then describes the related features of Exchange 2007 with an eye toward how they map to specific types of failures and outages. Finally, it examines a solution that delivers additional value beyond what Microsoft offers in Exchange 2007.
http://list.windowsitpro.com/t?ctl=5A00F:57B62BBB09A6927949837399EDFFF4AC

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Exchange and Outlook Resource
Exchange & Outlook Pro VIP is an online information center that delivers new articles every week on messaging topics such as administration, migration, security, and performance. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=5A016:57B62BBB09A6927949837399EDFFF4AC

Special Invitation for VIP Access
Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP.
Subscribe now!:
http://list.windowsitpro.com/t?ctl=5A015:57B62BBB09A6927949837399EDFFF4AC

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=5A020:57B62BBB09A6927949837399EDFFF4AC
http://list.windowsitpro.com/t?ctl=5A026:57B62BBB09A6927949837399EDFFF4AC

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=5A018:57B62BBB09A6927949837399EDFFF4AC

Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=5A023:57B62BBB09A6927949837399EDFFF4AC
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=5A017:57B62BBB09A6927949837399EDFFF4AC

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today.
http://www.blackhat.com
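Editor's note on the FROM THE FORUM item above (blocking an intruder's IP address on Windows Server 2003): a block configured in IIS covers only HTTP, so an intruder guessing SIP account passwords is still reaching the host. What Windows Server 2003 offers out of the box for a host-wide block, below any individual service, is a static IPsec policy with a "block" filter action, managed with netsh ipsec. The script below is an added example written for this note; it is not the forum's answer and not text from Microsoft. The address 203.0.113.5 is a placeholder from the TEST-NET-3 documentation range, and the policy, filter list and action names are arbitrary choices.

```batch
@echo off
rem Added example (editor's note, not the forum's answer): drop all IP traffic
rem from one source address on Windows Server 2003 with a static IPsec policy.
rem Run from a command prompt as a local administrator.
rem 203.0.113.5 is a placeholder; substitute the intruder's real address.
setlocal
set BADIP=203.0.113.5

rem 1. Filter list: traffic from BADIP to this host ("Me"), any protocol.
rem    mirrored=yes (the default) also matches the reverse direction, so
rem    nothing from this host reaches BADIP either.
netsh ipsec static add filterlist name=BlockList description="Hosts blocked after SIP password guessing"
netsh ipsec static add filter filterlist=BlockList srcaddr=%BADIP% srcmask=255.255.255.255 dstaddr=Me protocol=ANY mirrored=yes description="Drop %BADIP%"

rem 2. Filter action: block outright instead of negotiating IPsec with the peer.
netsh ipsec static add filteraction name=DropAction action=block

rem 3. Policy and rule tying the list to the action. Create it unassigned,
rem    then assign it; only one IPsec policy is assigned on a computer at a time.
netsh ipsec static add policy name=BlockBadHosts description="Host-level IP blocks" assign=no
netsh ipsec static add rule name=DropBadHosts policy=BlockBadHosts filterlist=BlockList filteraction=DropAction
netsh ipsec static set policy name=BlockBadHosts assign=y

rem 4. Verify what is now being enforced.
netsh ipsec static show policy name=BlockBadHosts level=verbose
endlocal
```

To block further addresses, repeat the "add filter" line for each one; the assigned rule picks them up. Before assigning, check that no IPsec policy is already arriving from domain Group Policy (netsh ipsec static show gpoassignedpolicy), because a domain-assigned policy overrides the local one. To lift the block, set the policy to assign=n or delete the filter. Two caveats a practitioner would want: an IPsec filter keyed on a source address does nothing once the intruder moves to another address, so the password change the forum participant already made (and, on the SIP switch, account lockout or rate limiting) remains the real control; and a policy that matches your own management address will lock you out just as effectively, so build the filter list from the intruder's address only and test from a second host.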
This archive was generated by hypermail 2.1.3 : Wed Jun 13 2007 - 22:18:24 PDT