Wednesday, May 09, 2007

Hacking Contests Serve a Great Purpose

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

CIPA - Keeping Students Safe on the Net

http://list.windowsitpro.com/t?ctl=557EB:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Administering Windows Vista Security

http://list.windowsitpro.com/t?ctl=557D6:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Control Software Use and Reduce Audit Risk

http://list.windowsitpro.com/t?ctl=557D5:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== CONTENTS ===================================================

IN FOCUS: Hacking Contests Serve a Great Purpose

NEWS AND FEATURES
- Month of ActiveX Bugs Bears Dangerous Fruit
- Microsoft Launches Forefront Client Security and System Center
Essentials 2007
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: AACS Uproar
- FAQ: How to Create a Bootable USB Flash Device
- From the Forum: Network Monitoring with EtherApe
- Product Evaluations from the Real World
- Share Your Security Tips

PRODUCTS
- Security-Check Your Email on the Network Edge

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: Cyberoam ==========================================

CIPA - Keeping Students Safe on the Net
Protecting students from the millions of sites that house
pornography, adult chat rooms, violence & hacking can provide not just
a safe surfing atmosphere to minors in schools and libraries, but also
qualify the institutions for federal E-rate funding through CIPA
compliance.

http://list.windowsitpro.com/t?ctl=557EB:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== IN FOCUS: Hacking Contests Serve a Great Purpose =============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You might recall that last month at the CanSecWest security conference,
a challenge was offered for anyone to attempt to break into one of two
Apple MacBook Pro laptop systems running OS X. Whoever was successful
would win the laptop they broke into. As added incentive, TippingPoint
(a division of 3Com) offered a $10,000 cash prize for exclusive rights
to details of any vulnerability used to break into the OS.

Of course someone did find a way to break into one of the two laptops.
Dino Dai Zovi working in tandem with Shane Macaulay exploited a
vulnerability (discovered by Dai Zovi) that exists in the combination
of Apple QuickTime and Java. The exploit gave them the ability to
access a command shell on OS X. As it turns out, the vulnerability also
affects Windows platforms, which makes the vulnerability even more
dangerous because it affects a much wider base of computer users around
the world.

Last week, Gartner spoke out against public vulnerability research in
general as well as hacking contests like the one recently held at
CanSecWest. Writing in a research brief for Gartner, research vice
presidents Rich Mogull and Greg Young stated that, "Public
vulnerability research and 'hacking contests' are risky endeavors, and
can run contrary to responsible disclosure practices, whereby vendors
are given an opportunity to develop patches or remediation before any
public announcements. Vulnerability research is an extremely valuable
endeavor for ensuring more secure IT. However, conducting vulnerability
research in a public venue is risky and could potentially lead to
mishandling or treating too lightly these vulnerabilities--which can
turn a well-intentioned action into a more ambiguous one, or
inadvertently provide assistance to attackers."

http://list.windowsitpro.com/t?ctl=557D7:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Mogull and Young apparently think that no vulnerability should be known
to the public until vendors can first develop a patch. While there is
certainly an advantage to that approach, there truly is little if any
security offered through that sort of obscurity. It's been shown time
and time again that when risks are known to the public, adequate
precautions can be taken either by users or by their solution
providers.

Most striking to me is the fact that Mogull and Young overlook a
glaring problem in picking the CanSecWest contest as the foundation of
their rather weak argument. Dai Zovi didn't know of the vulnerability
in advance of the contest. He was contacted by Macaulay from the
conference and asked if he could find a way into the OS X system so
that they could then split the prize package. Macaulay would get the
laptop, and Dai Zovi would get the money. Only then did Dai Zovi go to
work to try to find a weakness. Dai Zovi later reportedly said that he
was more motivated by the challenge itself than by the $10,000 cash
prize.

Obviously, without the CanSecWest challenge, the QuickTime flaw might
not have come to light until a much later date, and it might have been
because of some sort of malicious code that exploited the vulnerability
and that was unleashed on the unprepared public. We could have all been
completely blindsided, and at great expense. So the way I see it,
thanks are due to CanSecWest, TippingPoint, Dai Zovi, and Macaulay.

The discovery of this particular vulnerability makes it clear that
hacking contests serve a great purpose when they're conducted in a
controlled manner with strict guidelines, such as those spelled out by
the organizers of CanSecWest as well as TippingPoint.

Furthermore, a mere seven days after the QuickTime vulnerability was
discovered, Apple released an update (available at the URL below) that
fixes the problem, which demonstrates how a well-run challenge and a
lot of press coverage get bugs fixed really fast.

http://list.windowsitpro.com/t?ctl=557E2:4160B336D0B60CB1A3CE6C1C3A4C9CBE

===

Calling All Windows IT Pro Innovators!
Have you developed a solution that uses Windows technology to solve
a business problem in an innovative way? Enter your solution in the
2007 Windows IT Pro Innovators Contest! Grand-prize winners will
receive airfare and a conference pass to Windows and Exchange
Connections in Las Vegas, November 5-8, 2007, plus more great prizes
and a feature article about the winning solutions in the November 2007
issue of Windows IT Pro. Contest runs through August 1, 2007.
To enter, click here:
http://list.windowsitpro.com/t?ctl=557E1:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== SPONSOR: Symantec ==========================================

Administering Windows Vista Security
Join Paul Thurrott for a deep dive into administering Windows
Vista's new security features with an emphasis on the new Group Policy
settings that are exposed by this release including USB device blocking
and the new Microsoft Desktop Optimization Pack. Paul will also discuss
compliance features in Windows Vista, and upcoming security innovations
that will be enabled by combining Windows Vista with Windows Server
"Longhorn". On-Demand Web Seminar

http://list.windowsitpro.com/t?ctl=557D6:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== SECURITY NEWS AND FEATURES =================================

Month of ActiveX Bugs Bears Dangerous Fruit
On the heels of the Month of Kernel Bugs, Month of Browser Bugs,
Month of Apple Bugs, and Month of PHP Bugs comes the Month of ActiveX
Bugs (MoAxB). Launched by someone who uses the name "shinnai," the
project has so far revealed at least five serious vulnerabilities that
can allow remote code execution.

http://list.windowsitpro.com/t?ctl=557E6:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Microsoft Launches Forefront Client Security and System Center
Essentials 2007
At a customer meeting attended by more than 1,000 IT professionals
in Los Angeles, Microsoft Senior Vice President Bob Muglia launched two
new products to help secure systems and simplify management tasks.

http://list.windowsitpro.com/t?ctl=557E3:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at

http://list.windowsitpro.com/t?ctl=557DB:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== SPONSOR: Macrovision =======================================

Control Software Use and Reduce Audit Risk
Do you have visibility and control over your software license use?
Most organizations face a number of serious challenges, including
understanding vendor licensing models, cost overruns, missed deadlines,
business opportunities, and lost user productivity. Learn to address
these challenges, and prepare for audits. Register for the free Web
seminar, available now!

http://list.windowsitpro.com/t?ctl=557D5:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: AACS Uproar
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=557EA:4160B336D0B60CB1A3CE6C1C3A4C9CBE

The encryption key initially used for the Advanced Access Content
System (AACS) in HD DVD and Blu-ray discs was cracked, and the key is
widely known at this point. Some people are spreading the key
information in very funny ways.

http://list.windowsitpro.com/t?ctl=557E4:4160B336D0B60CB1A3CE6C1C3A4C9CBE

FAQ: How to Create a Bootable USB Flash Device
by John Savill, http://list.windowsitpro.com/t?ctl=557E8:4160B336D0B60CB1A3CE6C1C3A4C9CBE


Q: How can I create a bootable USB flash device running Windows
Preinstallation Environment (PE) 2.0?

Find the answer at

http://list.windowsitpro.com/t?ctl=557E5:4160B336D0B60CB1A3CE6C1C3A4C9CBE

FROM THE FORUM: Network Monitoring with EtherApe
A forum participant wants to implement a network traffic monitor to
see who's taking up bandwidth. He plans to use EtherApe on a Linux box.
He has a switch capable of port mirroring. The Linux desktop is
connected to one of the ports, and another port is mirroring the Linux
desktop port. Should the desktop have two NICs so that he can log onto
the machine and see what's going on in the network?

http://list.windowsitpro.com/t?ctl=557D4:4160B336D0B60CB1A3CE6C1C3A4C9CBE

PRODUCT EVALUATIONS FROM THE REAL WORLD
Share your product experience with your peers. Have you discovered a
great product that saves you time and money? Do you use something you
wouldn't wish on anyone? Tell the world! If we publish your opinion,
we'll send you a Best Buy gift card! Send information about a product
you use and whether it helps or hinders you to
whatshot@windowsitpro.com.

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

Security-Check Your Email on the Network Edge
Mirapoint introduced RazorGate, an email security appliance that's
designed to reject unwanted messages and enforce centrally managed
email policies without relying on IT resources behind the corporate
firewall. Email addresses and policy service attributes are loaded into
RazorGate's Embedded Policy Engine, so RazorGate can consult its own
directory outside the firewall rather than querying the corporate
directory through holes in the firewall to determine how to handle
messages and to enforce policies. Thus, RazorGate takes load off the
firewall, internal network, and corporate directory. The RazorGate
appliance starts at $5,250. For more information, go to

http://list.windowsitpro.com/t?ctl=557EE:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit

http://list.windowsitpro.com/t?ctl=557E7:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Get Ready for Exchange & Office 2007 Roadshow--free!
The Microsoft-partnered Get Ready for Exchange & Office 2007
Roadshow is coming to Stockholm! Three independent, respected technical
speakers--Jim McBee, Mark Arnold, and Ben Schorr--will deliver tracks
on securing, managing, and deploying Exchange and Office 2007 and using
Exchange Server 2007 capabilities to improve your messaging
environment. Register today for this free day-long event. Your delegate
bag will include Microsoft Exchange Server 2007 and Office 2007 Beta 2
Software Kits.
Venue: Berns Hotel, Stockholm
Date: Monday, 14 May 2007

http://list.windowsitpro.com/t?ctl=557E0:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Can your business's Exchange high-availability standards guarantee that
users can always access email, even during an outage? Maximize your
availability strategy by learning new approaches, such as proper
management practices, how to improve clustering and log replication,
and how to achieve service outage protection.

http://list.windowsitpro.com/t?ctl=557D9:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Join Paul Robichaux as he presents a disaster recovery planning
checklist that you can use to help guide your Exchange 2000/2003/2007
disaster recovery planning. Learn what you should do first, last, and
in between to solidify your Exchange infrastructure and be assured of a
successful disaster recovery operation. Listen to this on-demand Web
seminar at your convenience.

http://list.windowsitpro.com/t?ctl=557D8:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== FEATURED WHITE PAPER =======================================

You can't prevent nature from throwing floods, hurricanes, and
earthquakes at your IT systems. You can't always control what people do
to your systems, either. Download this free eBook and learn to protect
your business from disasters of all kinds.

http://list.windowsitpro.com/t?ctl=557DA:4160B336D0B60CB1A3CE6C1C3A4C9CBE


=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!

http://list.windowsitpro.com/t?ctl=557DD:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Introducing a Unique Exchange and Outlook Resource
Exchange & Outlook Pro VIP is an online information center that
delivers new articles every week on messaging topics such as
administration, migration, security, and performance. Subscribers also
receive tips, cautionary advice, direct access to our editors, and a
host of other benefits! Order now at an exclusive charter rate and save
up to $50!

http://list.windowsitpro.com/t?ctl=557DC:4160B336D0B60CB1A3CE6C1C3A4C9CBE


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://list.windowsitpro.com/t?ctl=557E9:4160B336D0B60CB1A3CE6C1C3A4C9CBE

http://list.windowsitpro.com/t?ctl=557ED:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Subscribe to Security UPDATE at

http://list.windowsitpro.com/t?ctl=557DF:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=4160B336D0B60CB1A3CE6C1C3A4C9CBE

Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=557EC:4160B336D0B60CB1A3CE6C1C3A4C9CBE

About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://list.windowsitpro.com/t?ctl=557DE:4160B336D0B60CB1A3CE6C1C3A4C9CBE

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
