Wednesday, July 18, 2007

WabiSabiLabi: A Really Bad Idea?

Security UPDATE--WabiSabiLabi: A Really Bad Idea?--July 18, 2007


PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Keep Unsecured Machines Off Your Network

http://list.windowsitpro.com/t?ctl=5E7E0:4160B336D0B60CB12392409884ED4CF6

Reducing Costs and Risks of Data Protection

http://list.windowsitpro.com/t?ctl=5E7DD:4160B336D0B60CB12392409884ED4CF6

ALERT: "How A Hacker Launches A LDAP Injection Attack!"- White Paper

http://list.windowsitpro.com/t?ctl=5E7E3:4160B336D0B60CB12392409884ED4CF6


=== CONTENTS ===================================================

IN FOCUS: WabiSabiLabi: A Really Bad Idea?

NEWS AND FEATURES
- Survey Says Pay for Certifications Is Dropping, Except in Security
- Google Adds Security to Its Hosted Application Offerings
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Microsoft's Malware Removal Starter Kit
- FAQ: Preparing Exchange Server 2007 For Active Directory
- From the Forum: Problems with Symantec Anti-Virus Corp. 10.2
- Share Your Security Tips
- Microsoft Learning Paths for Security: Managing Network Security
Challenges

PRODUCTS
- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: St. Bernard Software =========================================

Keep Unsecured Machines Off Your Network
IT departments tend to spend a lot of time and energy on creating
and managing firewall rules and router tables, yet overlook a direct
channel between the Internet and computers on the corporate network.
Without any type of filtering solution in place, this connection is
managed purely by the user. Do you trust your users enough to make the
right decisions? Even if you believe that your users are capable of
safely using the Internet, it really only takes one bad apple to ruin
the lot by downloading a virus or viewing highly objectionable content.
Here are five steps to build a world-class web filtering solution --
end-to-end.

http://list.windowsitpro.com/t?ctl=5E7E0:4160B336D0B60CB12392409884ED4CF6

=== IN FOCUS: WabiSabiLabi: A Really Bad Idea? =============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

About a month ago, I wrote about a new twist in the world of
vulnerability research in which Intellectual Weapons announced that
it's offering to work with researchers to develop fixes for security
vulnerabilities and then patent those fixes. The idea is to profit
through the sale of patent rights or infringement case settlements. If
you missed that column you can read it at the URL below:

http://list.windowsitpro.com/t?ctl=5E7E5:4160B336D0B60CB12392409884ED4CF6

By now you probably know that other companies, such as 3Com and
iDefense, also have programs that pay researchers for vulnerability
information. In those two programs, discoverers receive cash for their
hard work, and 3Com and iDefense earn income too by selling the
information to their network of customers in one fashion or another.

This month yet another company, Switzerland-based WabiSabiLabi (at the
URL below), entered the mix by offering an auction platform for
vulnerabilities. Researchers submit their vulnerabilities for sale in
one of four auction formats (traditional, dutch, buy now, and buy
exclusively) and if the vulnerability sells, then the researcher earns
money and WabiSabiLabi earns its cut too.

http://list.windowsitpro.com/t?ctl=5E7F4:4160B336D0B60CB12392409884ED4CF6

Reaction to the auction has been mixed. Some people think it's an
incredibly bad idea because there's no telling who might actually buy a
vulnerability. Although WabiSabiLabi says that it will diligently work
to verify the identity of a buyer, that's no real guarantee because a
real bad guy could easily use a front man to do the buying.

Furthermore, WabiSabiLabi leaves it up to the discoverer to inform any
particular vendor affected by a vulnerability. This too is another
cited bad aspect of the auction site. With this policy, WabiSabiLabi is
basically standing behind "traditional Swiss neutrality", as it openly
states.

So far, WabiSabiLabi has four vulnerabilities posted for sale, one each
for Yahoo! Instant Messenger, SquirrelMail GPG Plugin, Pidgin Instant
Messenger, and the Linux kernel. As was pointed out by Matasano
Security on its company blog, the nature of the GPG problem can be
discovered by anyone well-versed in PHP code analysis. And, someone
already publicly posted an exploit for the Linux kernel problem. So
half of WabiSabiLabi's auction items are already mostly worthless in
terms of cash value. And the Linux kernel exploit clearly points out
that WabiSabiLabi is already having a negative effect on overall system
security around the globe.

According to a statement in a company press release, "[WabiSabiLabi]
decided to set up this portal for selling security research because
although there are many researchers out there who discover
vulnerabilities very few of them are able or willing to report it to
the right people due to the fear of being exploited."


What I don't completely understand is why any company would willingly
pay developers to write code and to put that code through some amount
of quality assurance testing yet be totally unwilling to pay an
outsider who found significant problems with that code -- especially
security problems. A solution to this long-time standoff would be to
form a new group whose member companies would be willing to pay anyone
for vulnerability information as long as acceptable disclosure policies
were maintained by the discoverers -- basically like 3Com and iDefense
are already doing except with widespread vendor participation.

I do support the need for security researchers to be compensated for
their hard work, and it's troubling that many vendors can't bring
themselves to pay independent researchers. Nevertheless I don't see how
WabiSabiLabi is an effective solution. It'll be interesting to watch
over time to see if people continue to neutralize WabiSabiLabi by
revealing the nature of the vulnerabilities that it tries to sell.

=== SPONSOR: Double-Take Software ========================================

Reducing Costs and Risks of Data Protection
Get yourself up-to-speed on the latest data protection strategies
for branch and remote offices including how to protect and recover
customer databases, e-mail servers, and financial information that is
critical to every company's day-to-day operation. Download this free
whitepaper today!

http://list.windowsitpro.com/t?ctl=5E7DD:4160B336D0B60CB12392409884ED4CF6

=== SECURITY NEWS AND FEATURES =================================

Survey Says Pay for Certifications Is Dropping, Except in Security
New survey results show that the premium base pay for those having
various certifications hasn't increased over the past six months,
unless the certification was in the area of security.

http://list.windowsitpro.com/t?ctl=5E7EA:4160B336D0B60CB12392409884ED4CF6

Google Adds Security to Its Hosted Application Offerings
Google took another leap forward, adding security to its hosted
application offerings by entering into a deal to acquire email security
firm Postini.

http://list.windowsitpro.com/t?ctl=5E7EB:4160B336D0B60CB12392409884ED4CF6

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at

http://list.windowsitpro.com/t?ctl=5E7E4:4160B336D0B60CB12392409884ED4CF6


=== SPONSOR: SPI Dynamics ========================================

ALERT: "How A Hacker Launches A LDAP Injection Attack!"- White Paper
It's as simple as placing additional LDAP query commands into a Web
form input box giving hackers complete access to all your backend
systems! Firewalls and IDS will not stop such attacks because LDAP
Injections are seen as valid data. Download this *FREE* white paper
from SPI Dynamics for a complete guide to protection!

http://list.windowsitpro.com/t?ctl=5E7E3:4160B336D0B60CB12392409884ED4CF6

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Microsoft's Malware Removal Starter Kit
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5E7F1:4160B336D0B60CB12392409884ED4CF6
Microsoft published a new toolkit to help small and medium businesses
remove malware from infected systems.

http://list.windowsitpro.com/t?ctl=5E7DF:4160B336D0B60CB12392409884ED4CF6

FAQ: Preparing Exchange Server 2007 For Active Directory
by John Savill, http://list.windowsitpro.com/t?ctl=5E7EF:4160B336D0B60CB12392409884ED4CF6


Q: How do I manually prepare my AD forest and domain for Exchange Server
2007?

Find the answer at
http://list.windowsitpro.com/t?ctl=5E7EC:4160B336D0B60CB12392409884ED4CF6


FROM THE FORUM: Problems with Symantec Anti-Virus Corp. 10.2
(Two messages in this thread)
A forum participant writes that anytime he tries to install anything on
his server, including patches, upgrades, new programs, etc., the
installation process causes the server to hang to the point that it
becomes unresponsive and he then has to reboot the system. If he
disables all of the Symantec services, then installations work fine. He
wants to know whether anyone has ideas about why this happens.

http://list.windowsitpro.com/t?ctl=5E7DB:4160B336D0B60CB12392409884ED4CF6

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Managing Network Security
Challenges

http://list.windowsitpro.com/t?ctl=5E7ED:4160B336D0B60CB12392409884ED4CF6


=== PRODUCTS ===================================================

WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot@windowsitpro.com and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit

http://list.windowsitpro.com/t?ctl=5E7EE:4160B336D0B60CB12392409884ED4CF6

Learn about a disaster-recovery and high-availability solution for
conscientious IT professionals. Find out how WANsync works to protect
data and how it can ensure the integrity of the application as well as
the data. Download your free copy today!

http://list.windowsitpro.com/t?ctl=5E7E2:4160B336D0B60CB12392409884ED4CF6

To achieve the secure mail and messaging infrastructure that's crucial
to today's businesses, every organization needs to plan for three
fundamental mail and message management services from the start. This
eBook introduces those services--security, availability, and control
services--and explains how you can implement them in a Microsoft-
centric email and messaging environment. Download now!

http://list.windowsitpro.com/t?ctl=5E7DE:4160B336D0B60CB12392409884ED4CF6

Learn how high-speed data connectors for the new SQL Server Integration
Services environment make plug-and-play with mainframe, legacy,
Teradata, and other database systems a reality. ETI's new connectors
are cost-effective drop-in solutions that provide best-of-breed
bidirectional data movement. On-demand Web seminar.

http://list.windowsitpro.com/t?ctl=5E7E1:4160B336D0B60CB12392409884ED4CF6

=== FEATURED WHITE PAPER =======================================

When customers depend on your IT services to communicate with you,
purchase your products, or manage orders, what happens when your
applications or Web sites become unavailable? Download this free white
paper and learn how to eliminate application downtime disruptions and
ensure the continuity of your business.

http://list.windowsitpro.com/t?ctl=5E7DC:4160B336D0B60CB12392409884ED4CF6


=== ANNOUNCEMENTS ==============================================

Windows IT Pro: Buy 1, Get 1!
With Windows IT Pro's real-life solutions, news, tips, tricks, AND
access to over 10,000 articles online, subscribing is like hiring your
very own team of Windows consultants. Subscribe now, and get 2 years
for the price of 1!

http://list.windowsitpro.com/t?ctl=5E7E6:4160B336D0B60CB12392409884ED4CF6

Got a Tough Exchange or Outlook Question?
Rely on Exchange & Outlook Pro VIP, the new online resource with
in-depth articles on administration, migration, security, and performance.
Subscribers get direct access to our top-flight editors, so subscribe
and receive personalized solutions to your toughest technical
questions. It beats a support call to Microsoft!

http://list.windowsitpro.com/t?ctl=5E7E7:4160B336D0B60CB12392409884ED4CF6

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://list.windowsitpro.com/t?ctl=5E7F0:4160B336D0B60CB12392409884ED4CF6

http://list.windowsitpro.com/t?ctl=5E7F3:4160B336D0B60CB12392409884ED4CF6

Subscribe to Security UPDATE at

http://list.windowsitpro.com/t?ctl=5E7E9:4160B336D0B60CB12392409884ED4CF6

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=4160B336D0B60CB12392409884ED4CF6

Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=5E7F2:4160B336D0B60CB12392409884ED4CF6

About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://list.windowsitpro.com/t?ctl=5E7E8:4160B336D0B60CB12392409884ED4CF6

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
