PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
CIPA - Keeping Students Safe on the Net
Administering Windows Vista Security
Control of Software Use and Reduce Audit Risk
IN FOCUS: Hacking Contests Serve a Great Purpose
NEWS AND FEATURES
- Month of ActiveX Bugs Bears Dangerous Fruit
- Microsoft Launches Forefront Client Security and System Center Essentials 2007
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: AACS Uproar
- FAQ: How to Create a Bootable USB Flash Device
- From the Forum: Network Monitoring with EtherApe
- Product Evaluations from the Real World
- Share Your Security Tips
- Security-Check Your Email on the Network Edge
RESOURCES AND EVENTS
FEATURED WHITE PAPER
=== SPONSOR: Cyberoam
CIPA - Keeping Students Safe on the Net
Protecting students from the millions of sites that house pornography, adult chat rooms, violence & hacking can provide not just a safe surfing atmosphere to minors in schools and libraries, but also qualify the institutions for federal E-rate funding through CIPA compliance.
=== IN FOCUS: Hacking Contests Serve a Great Purpose
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
You might recall that last month at the CanSecWest security conference, a challenge was offered for anyone to attempt to break into one of two Apple MacBook Pro laptop systems running OS X. Whoever was successful would win the laptop they broke into. As added incentive, TippingPoint (a division of 3Com) offered a $10,000 cash prize for exclusive rights to details of any vulnerability used to break into the OS.
Of course someone did find a way to break into one of the two laptops. Dino Dai Zovi working in tandem with Shane Macaulay exploited a vulnerability (discovered by Dai Zovi) that exists in the combination of Apple QuickTime and Java. The exploit gave them the ability to access a command shell on OS X. As it turns out, the vulnerability also affects Windows platforms, which makes the vulnerability even more dangerous because it affects a much wider base of computer users around the world.
Last week, Gartner spoke out against public vulnerability research in general as well as hacking contests like the one recently held at CanSecWest. Writing in a research brief for Gartner, research vice presidents Rich Mogull and Greg Young stated that, "Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements. Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities--which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."
Mogull and Young apparently think that no vulnerability should be known to the public until vendors can first develop a patch. While there is certainly an advantage to that approach, there truly is little if any security offered through that sort of obscurity. It's been shown time and time again that when risks are known by the public, then adequate precautions can be taken either by users or by their solution providers.
Most striking to me is the fact that Mogull and Young overlook a glaring problem in picking the CanSecWest contest as the foundation of their rather weak argument. Dai Zovi didn't know of the vulnerability in advance of the contest. He was contacted by Macaulay from the conference and asked if he could find a way into the OS X system so that they could then split the prize package. Macaulay would get the laptop, and Dai Zovi would get the money. Only then did Dai Zovi go to work to try and find a weakness. Dai Zovi later reportedly said that he was more motivated by the challenge itself rather than the $10,000 cash prize.
Obviously, without the CanSecWest challenge, the QuickTime flaw might not have come to light until a much later date, and it might have been because of some sort of malicious code that exploited the vulnerability and that was unleashed on the unprepared public. We could have all been completely blindsided, and at great expense. So the way I see it, thanks are due to CanSecWest, TippingPoint, Dai Zovi, and Macaulay.
The discovery of this particular vulnerability makes it clear that hacking contests serve a great purpose when they're conducted in a controlled manner with strict guidelines, such as those spelled out by the organizers of CanSecWest as well as TippingPoint.
Furthermore, a mere seven days after the QuickTime vulnerability was discovered, Apple released an update (available at the URL below) that fixes the problem, which demonstrates how a well-run challenge and a lot of press coverage gets bugs fixed really fast.
Calling All Windows IT Pro Innovators!
Have you developed a solution that uses Windows technology to solve a business problem in an innovative way? Enter your solution in the 2007 Windows IT Pro Innovators Contest! Grand-prize winners will receive airfare and a conference pass to Windows and Exchange Connections in Las Vegas, November 5-8, 2007, plus more great prizes and a feature article about the winning solutions in the November 2007 issue of Windows IT Pro. Contest runs through August 1, 2007. To enter, click here:
=== SPONSOR: Symantec
Administering Windows Vista Security
Join Paul Thurrott for a deep dive into administering Windows Vista's new security features with an emphasis on the new Group Policy settings that are exposed by this release including USB device blocking and the new Microsoft Desktop Optimization Pack. Paul will also discuss compliance features in Windows Vista, and upcoming security innovations that will be enabled by combining Windows Vista with Windows Server "Longhorn". On-Demand Web Seminar
=== SECURITY NEWS AND FEATURES
Month of ActiveX Bugs Bears Dangerous Fruit
On the heels of the Month of Kernel Bugs, Month of Browser Bugs, Month of Apple Bugs, and Month of PHP Bugs comes the Month of ActiveX Bugs (MoAxB). Launched by someone who uses the name "shinnai," the project has so far revealed at least five serious vulnerabilities that can allow remote code execution.
Microsoft Launches Forefront Client Security and System Center Essentials 2007
At a customer meeting attended by more than 1,000 IT professionals in Los Angeles, Microsoft Senior Vice President Bob Muglia launched two new products to help secure systems and simplify management tasks.
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
=== SPONSOR: Macrovision
Control of Software Use and Reduce Audit Risk
Do you have visibility and control over your software license use? Most organizations face a number of serious challenges, including understanding vendor licensing models, cost overruns, missed deadlines, business opportunities, and lost user productivity. Learn to address these challenges, and prepare for audits. Register for the free Web seminar, available now!
=== GIVE AND TAKE
SECURITY MATTERS BLOG: AACS Uproar
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters
The encryption key initially used for the Advanced Access Content System (AACS) in HD DVD and Blu-ray disks was cracked, and the key is widely known at this point. Some people are spreading the key information in very funny ways.
FAQ: How to Create a Bootable USB Flash Device
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq
Q: How can I create a bootable USB flash device running Windows Preinstallation Environment (PE) 2.0?
Find the answer at
FROM THE FORUM: Network Monitoring with EtherApe
A forum participant wants to implement a network traffic monitor to see who's taking up bandwidth. He plans to use EtherApe on a Linux box. He has a switch capable of port mirroring. The Linux desktop is connected to one of the ports, and another port is mirroring the Linux desktop port. Should the desktop have two NICs so that he can log onto the machine and see what's going on in the network?
PRODUCT EVALUATIONS FROM THE REAL WORLD
Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to firstname.lastname@example.org.
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to email@example.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
by Renee Munshi, firstname.lastname@example.org
Security-Check Your Email on the Network Edge
Mirapoint introduced RazorGate, an email security appliance that's designed to reject unwanted messages and enforce centrally managed email policies without relying on IT resources behind the corporate firewall. Email addresses and policy service attributes are loaded into RazorGate's Embedded Policy Engine, so RazorGate can consult its own directory outside the firewall rather than querying the corporate directory through holes in the firewall to determine how to handle messages and to enforce policies. Thus, RazorGate takes load off the firewall, internal network, and corporate directory. The RazorGate appliance starts at $5,250. For more information, go to
=== RESOURCES AND EVENTS
For more security-related resources, visit
Get Ready for Exchange & Office 2007 Roadshow--free!
The Microsoft-partnered Get Ready for Exchange & Office 2007 Roadshow is coming to Stockholm! Three independent, respected technical speakers--Jim McBee, Mark Arnold, and Ben Schorr--will deliver tracks on securing, managing, and deploying Exchange and Office 2007 and using Exchange Server 2007 capabilities to improve your messaging environment. Register today for this free day-long event. Your delegate bag will include Microsoft Exchange Server 2007 and Office 2007 Beta 2 Software Kits.
Venue: Berns Hotel, Stockholm
Date: Monday, 14 May 2007
Can your business's Exchange high-availability standards guarantee that users can always access email, even during an outage? Maximize your availability strategy by learning new approaches, such as proper management practices, how to improve clustering and log replication, and how to achieve service outage protection.
Join Paul Robichaux as he presents a disaster recovery planning checklist that you can use to help guide your Exchange 2000/2003/2007 disaster recovery planning. Learn what you should do first, last, and in between to solidify your Exchange infrastructure and be assured of a successful disaster recovery operation. Listen to this on-demand Web seminar at your convenience.
=== FEATURED WHITE PAPER
You can't prevent nature from throwing floods, hurricanes, and earthquakes at your IT systems. You can't always control what people do to your systems, either. Download this free eBook and learn to protect your business from disasters of all kinds.
Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
Introducing a Unique Exchange and Outlook Resource
Exchange & Outlook Pro VIP is an online information center that delivers new articles every week on messaging topics such as administration, migration, security, and performance. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
Subscribe to Security UPDATE at
Unsubscribe by clicking
Be sure to add Security_UPDATE@list.windowsitpro.com to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- email@example.com
About technical questions -- http://www.windowsitpro.com/forums
About your product news -- firstname.lastname@example.org
About your subscription -- email@example.com
About sponsoring Security UPDATE -- firstname.lastname@example.org
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.