[ISN] New Services and Devices Bring New Security Risks

From: InfoSec News (alerts@private)
Date: Wed Oct 03 2007 - 23:06:13 PDT

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


=== CONTENTS ===================================================

IN FOCUS: New Services and Devices Bring New Security Risks

   - Danish Company Offers Free Web Application Firewall
   - Sun to Synchronize Java Security Updates
   - Mobile Device Security: Whose Data Is It, Anyway?
   - Recent Security Vulnerabilities

   - Security Matters Blog: SSHFS Mounts Remote Linux File Systems; 
Worm Author Gets Job Offers
   - FAQ: Use Group Policy to Check for Server Core 
   - From the Forum: Domain User Application Problems
   - Share Your Security Tips

   - Out-of-Email-Stream Encryption Solution
   - Wanted: Your Reviews of Products 




=== SPONSOR: Sophos ============================================

Trends in Malware: 2007 Security Threat Report
   A sharp rise in web threats is the latest twist in cyber criminals' 
continually evolving efforts to steal information for financial gain. 
We review the year so far and predict the threat landscape for the 
second half of 2007.

=== IN FOCUS: New Services and Devices Bring New Security Risks 
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The booming dot com era is certainly long gone, but even so, every 
month, more new Internet services make their debut, and not quite as 
frequently, new devices and gadgets are brought to market. Inevitably, 
some of these items will make their way into your network environment, 
often carrying with them considerable security risks. 

A good case in point popped up last week. A relatively new company 
called Pudding Media announced its new VoIP solution called 
ThePudding.com. The company intends to employ a lure typical of many 
new online services. Anyone will be able to use ThePudding.com's VoIP 
service for free to make calls in North America because the company 
intends to profit through the insertion of targeted advertising. Sounds 
reasonable, but there's a new twist. 

According to the company's privacy policy (at the URL below), "Our 
technology detects spoken keywords during a conversation and brings you 
rich media, news and offers, related to the very topics you talk about 
during your calls. The conversation keywords are not kept in our system 
after they are processed, and the conversation can not be 

Therein resides the risk. One of your employees or contractors might 
decide to use the VoIP service, thinking that by doing so they could 
save themselves or your business money. If the person discussed 
sensitive information, it could leak out. 

Pudding Media says it won't store keywords, and you might decide to 
trust the company. But there already are known ways to potentially 
eavesdrop on VoIP calls. Because this particular VoIP solution will, by 
design, be able to listen to conversations to discover keywords to use 
for targeted advertising, it stands to reason that the solution will 
have such capabilities built right into the VoIP software. And if 
that's the case, listening in might become even easier for intruders. 

Whether to allow the use of ThePudding.com is a decision you need to 
make before the service explodes into widespread use. You can read 
numerous stories about the service by checking Yahoo! News at the URL 

The overall point I'd like to make here is that if you hadn't learned 
about the service, you wouldn't even know that such a risk exists. So 
it's probably a good idea to read lots of news, follow the trends, 
research the overall computing industry to some extent, weigh the 
security impact of your findings on your environment, and take 
appropriate actions sooner rather than later. 

To stay up to date on news and trends, you can use some of the more 
obvious sources, such as major magazines and newspapers and even the 
news aggregation features of major search engines. However, a few more 
specialized sites can help you learn about trends faster than weeding 
through a huge pile of news. Next week, I'll tell you about some of the 
sites I use to follow trends. So stay tuned. 

=== SPONSOR: Websense ==========================================

How Websense Technology Protects Against Internet-Based Threats
   The Internet--with its wealth of information and features that have 
become integrated into our everyday lives--has become a necessary tool 
for business and also provides a vast array of options for personal 
use. However, it does have a dark side. This whitepaper will examine 
technologies that will help guard against Internet-based threats.

=== SECURITY NEWS AND FEATURES =================================

Danish Company Offers Free Web Application Firewall
   Danish security company Armorlogic released a free version of its 
Profense Web application firewall. Based on OpenBSD, the product runs 
on your hardware and is a scaled-down version of the company's full-
featured firewall.

Sun to Synchronize Java Security Updates
   Sun Microsystems said it will synchronize its security updates 
across its most widely used Java SE product release families. The 
company will also begin offering advance notification of security 

Mobile Device Security: Whose Data Is It, Anyway?
   Businesses have a duty to protect their corporate information, but 
employees who provide their own mobile devices don't want the company 
imposing intrusive policies on their access. The solution requires a 
tradeoff between convenience and risk.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Macrovision =======================================

Gain Control of Software Usage and Reduce Audit Risks
  Take the necessary steps for application management, from conversion 
of legacy applications to MSI to customizing applications to fit 
corporate standards. Don't overlook an important component of an OS 
migration--join us for the free on-demand Web seminar. 

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: SSHFS Mounts Remote Linux File Systems; Worm 
Author Gets Job Offers
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=6897B:57B62BBB09A69279522C6B62EFCB2AF0
   Learn about a tool that I recently came across, SSHFS, which is 
based on SSH and which lets you locally mount remote Linux file 
systems. Also learn about a worm author who got offers for several 
high-paying jobs that he could take after he gets out of prison!

FAQ: Use Group Policy to Check for Server Core 
   by John Savill, http://list.windowsitpro.com/t?ctl=68978:57B62BBB09A69279522C6B62EFCB2AF0 

Q: How can I check for a Windows Server 2008 Server Core installation 
as part of a Group Policy application?

Find the answer at

FROM THE FORUM: Domain User Application Problems
   A forum participant uses Windows Server 2003 Small Business Server 
(SBS) with Active Directory (AD) for a network of about 20 users and 
lots of applications. However, he often finds that users don't have 
enough rights to run some of the applications. He wonders whether 
there's an out-of-the-box solution. Join the discussion at 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Out-of-Email-Stream Encryption Solution
   Kryptiva announced the availability of Kryptiva's Email Encryption 
Architecture, which consists of two primary components. The Kryptiva 
Packaging Plugin integrates into a user's current email application, 
and the Kryptiva Packaging Server is installed on a local server on the 
network and integrates with LDAP services. These components pull email 
messages out of the email traffic stream and package outgoing ones for 
authentication and encryption, and decrypt incoming ones. Customers 
must obtain an SSL certificate from a recognized Certificate Authority 
(CA), but the Email Encryption Architecture itself is free for U.S. and 
Canadian companies. Add-on services will be available for purchase in 
2008. For more information, go to 

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

If there's a "killer app," it's email. Business communications rely on 
it, and increasingly, mobile users and clients lower the tolerance for 
email downtime. View this Web seminar and hear from Paul Robichaux, who 
will share information to help you meet your enterprise's high-
availability needs. Tune in for useful tips and a guide to available 
disaster recovery planning resources.  

Learn how Symantec and IBM deliver a comprehensive archiving solution 
to capture and store email, files, instant messages, databases, VoIP, 
and many other document formats while helping to reduce storage costs 
and simplify management. View this Web seminar to better understand the 
challenges of your Exchange environment and the Symantec and IBM 
capabilities that can help you solve them.  

To stay competitive these days, IT leaders are required to take a 
primary role in delivering business value. Gain insight into business 
intelligence and Microsoft application platform optimization solutions 
in this full-day business intelligence virtual conference on October 4, 

=== FEATURED WHITE PAPER =======================================

Is effective security out of reach for your small or midsized business? 
Imagine having a team of IT experts who focus on security as part of 
your staff. Learn how a hosted security solution can be an option for 
small and midsized businesses. Download this white paper today and find 
out how you can eliminate your company's security risks. 

=== ANNOUNCEMENTS ==============================================

Got a Tough Exchange or Outlook Question? 
   Rely on Exchange & Outlook Pro VIP, the new online resource with in-
depth articles on administration, migration, security, and performance. 
Subscribers get direct access to our top-flight editors, so subscribe 
and receive personalized solutions to your toughest technical 
questions. It beats a support call to Microsoft!   

Discover the New SQL Server Magazine 
   Don't miss the relaunched SQL Server Magazine, coming this month! 
Besides a new look, we have even more coverage of administration and 
performance, development and Web apps, BI and Reporting Services, and 
SQL Server fundamentals. Subscribe now and save 58% off the cover 


Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=6897C:57B62BBB09A69279522C6B62EFCB2AF0
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com

This archive was generated by hypermail 2.1.3 : Wed Oct 03 2007 - 23:33:19 PDT