
Wednesday, May 14, 2008

New URI Scheme on the Horizon?

Security UPDATE
A Penton Media Property
May 14, 2008


If you want to view this on the web go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748626-0-0-0-1-2-207

----------------------------------------
ADVERTISEMENT
iPrism Web Filter by St. Bernard

Win a 50" Plasma TV, Just for Viewing a Product Demo

When it comes to managing your Internet access, don't break your budget
and tie up your resources with a complex software solution like
Websense. Get the iPrism Web Filter! Our powerful h-Series appliances
offer a model to fit any requirement and performance that leaves
Barracuda in the dust. And solutions like 8e6 require extra hardware.
Need more convincing? iPrism got the highest rating from SC magazine, 5
stars, and our renewal rates are over 95% -- no one can match that. See
a demo, get a free T-shirt and maybe win a 50" plasma TV. How cool is
that?

http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748627-0-0-0-1-2-207
----------------------------------------

IN FOCUS

--New URI Scheme on the Horizon?
by Mark Joseph Edwards, News Editor
Browsers are rapidly becoming the tool of choice for all sorts of
desktop activity. And "Web 2.0" technology is making browsers even more
important than they already are. As you know, browsers typically rely on
Uniform Resource Identifiers (URIs) to locate various types of
resources. The part of a URI before the first colon is called the
scheme. The most commonly used schemes are http and https, which locate
content accessed via the Hypertext Transfer Protocol (HTTP), over TLS in
the case of https.

At this time there are over 50 schemes (see the URL below for details)
that a given browser might know how to handle. In addition to http and
https, some of the more popular schemes also include ftp, file, mailto,
and news. Then there are several other schemes that you've probably seen
in use at some point or other, including javascript, ldap, nntp, and
chrome (the latter is common for Mozilla-based browsers).
esw.w3.org/topic/UriSchemes (http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748628-0-0-0-1-2-207)
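To make the scheme concept concrete for the link-handling code a Web application writes, here is an added example in JavaScript; it is not code from the newsletter or from the W3C draft it discusses. It extracts the scheme roughly the way a browser's URL parser does, stripping leading and trailing control characters and spaces and removing embedded tabs and newlines so that a link such as "  JaVaScRiPt<tab>:..." is not misjudged, and then checks the result against an allowlist. The allowlist is the security-relevant choice: a denylist of known-dangerous schemes (javascript, file, chrome) would silently admit any scheme added to browsers later, including a new one such as the mountpoint scheme discussed below, while an allowlist rejects it until someone deliberately decides otherwise. The ALLOWED_SCHEMES set and the sample links are constructed for this example.

```javascript
// Added example: scheme extraction and allowlisting for untrusted links.
// Not code from the newsletter or from the W3C File I/O draft.

// Browsers (per the WHATWG URL parser) strip leading/trailing C0 controls
// and spaces and drop ASCII tab/newline anywhere before parsing, so
// "  JaVaScRiPt\t:alert(1)" is still a javascript: URL. Mirror that here
// so the check sees the same scheme the browser will act on.
function extractScheme(input) {
  const s = String(input)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
  const m = /^([A-Za-z][A-Za-z0-9+\-.]*):/.exec(s);
  // null means a relative reference: it inherits the page's own scheme.
  return m ? m[1].toLowerCase() : null;
}

// Assumed policy for this example: only these schemes may appear in
// user-supplied links. Anything not listed (javascript, file, chrome,
// a future mountpoint scheme, ...) is rejected without a code change.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

function isAllowedLink(href) {
  const scheme = extractScheme(href);
  if (scheme === null) return true; // relative URL: same scheme as the page
  return ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample links, as they might arrive from user input.
const SAMPLE_LINKS = [
  "https://example.com/report",
  "/docs/report.txt",
  "  JaVaScRiPt\t:alert(1)",
  "\u0001file:///etc/passwd",
  "mountpoint://documents/report.txt",
];

// Returns one row per link: the scheme the browser would see and the verdict.
function classifyLinks(links) {
  return links.map((href) => ({
    href,
    scheme: extractScheme(href),
    allowed: isAllowedLink(href),
  }));
}

console.table(classifyLinks(SAMPLE_LINKS));
```

Of the five constructed links only the https link and the relative path pass; the obfuscated javascript: link, the file: link with a leading control byte, and the mountpoint: link are all rejected, the last one without anyone having had to hear of the scheme first.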

Recently Opera Software submitted a draft proposal to the World Wide Web
Consortium (W3C) that may or may not become accepted as an official W3C
Web API working group draft. The proposal calls for the creation of a
new Web application programming interface (API) in Web browsers, called
File I/O, which in turn will use a new URI scheme called mountpoint. The
purpose of the API is to create an abstract method for Web applications
to interact with a computer's local file system in a sandbox
environment. The API would be compatible with various file systems
without the need for any knowledge of which file system type is actually
in use (e.g., FAT, FAT32, NTFS, EXT3, ReiserFS).

As it stands now (and this could change, assuming the draft is accepted
by W3C), the API would let a Web application and its user browse,
create, read, write, copy, and move directories and files. The API would
allow the creation of mount points and those mount points could be made
persistent across restarts of an application.

Based on what I've read in the draft, there would be some amount of
protection in place to prevent possible mischief. For example, the API
would need to ensure that a user actually took physical action via the
keyboard or mouse before allowing various types of file I/O activity to
take place. That level of protection would help defend against automated
file access, typically perpetrated via URLs, scripting, and other
technologies. While there is no detail about how the API's sandbox would
be maintained and controlled, we can assume that considerable efforts
will be made to ensure overall system security.

But, we've seen sandbox-related file access problems in the past in
various browsers. Since people have discovered ways to escape sandbox
environments we've had to endure all sorts of related exploits. That's
exactly why I bring this API draft to your attention.

If the draft is accepted and development begins on a formal
specification, then without a doubt we'll see this new URI scheme and
its underlying functionality rolled out into popular browsers. And thus,
we'll also see the URI scheme become commonplace in Web 2.0
applications. And you know what that means: We'll inevitably see bad
guys find chinks in the API's armor, which nearly always leads to
malicious exploits.

So, if and when the API goes into formal development you'll have a whole
new level of security concerns to add to your heap, and while that heap
is probably big enough already we'll all still have to address these new
concerns in one way or another.

If you're interested in reading about the proposed File I/O API you can
do so at the first URL below. And while you're there, have a look at
some of the other proposals at the second URL below, especially the
FileUpload, Clipboard Operations, and Network Communications API
proposals--each of which poses other potential browser-related security
considerations.

dev.w3.org/2006/webapi/fileio/fileIO.htm
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748629-0-0-0-1-2-207)

dev.w3.org/2006/webapi/ (http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748630-0-0-0-1-2-207)

----------------------------------------
ADVERTISEMENT
BeyondTrust

Problems removing Admin Rights? Best practices

Removing Admin Rights and applying the principle of least privilege will
decrease security breaches by malware and malicious users, and reduce IT
costs. However certain users require elevated rights in order to run
required applications, ActiveX controls and more.

Read this white paper to discover best practices for removing admin
rights.

http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748631-0-0-0-1-2-207
----------------------------------------


SECURITY NEWS AND FEATURES

--Finjan Discovers 1.4GB of Stolen Data
Finjan uncovered a server that contained private information stolen from
thousands of individuals. The data included banking information, medical
records, billing information, private correspondence, login details, and
more.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748632-0-0-0-1-2-207

--McAfee Launches Web App Scanning Service
McAfee announced its new Secure for Web Sites service, which helps site
operators keep their sites secure, adhere to PCI standards, and stay
abreast of the latest vulnerabilities.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748633-0-0-0-1-2-207

--Srizbi Botnet Is Tops in Spam Delivery
Security solution provider Marshal said that the Srizbi bot now sends
more spam per day than all other botnets combined.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748634-0-0-0-1-2-207

--McAfee Detects Massive Fake MP3 Attack
Researchers at McAfee Avert Labs have discovered a new Trojan downloader
attack that masquerades as legitimate media files. Over 360,000
computers have already become infected.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748635-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

windowsitpro.com/departments/departmentid/752/752.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748636-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: OSSEC 1.5 Now Available
by Mark Joseph Edwards
OSSEC 1.5, a popular open-source host-based intrusion detection system
(HIDS), is now available. The new version adds support for Check Point
SmartDefense and Shorewall logs, as well as Postfix and Asterisk logs,
among several other new features. Learn more in this blog entry.

windowsitpro.com/article/articleid/99088/ossec-15-now-available.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748637-0-0-0-1-2-207)

--FAQ: OWA and Concurrent Logons
by John Savill
Q. Does logging on to Outlook Web Access (OWA) or remote procedure call
(RPC) over HTTP Secure (HTTPS) count as a concurrent logon?

Find the answer at

windowsitpro.com/article/articleid/99028
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748638-0-0-0-1-2-207)

--Vote in the 2008 Windows IT Pro Community Choice Awards!
Final voting for the Windows IT Pro Community Choice Awards is now open!
Voting in this awards program is open to all Windows IT Pro Web site
visitors, but vendors whose products are nominated are prohibited from
voting. Enter the voting tool at:

www.surveymonkey.com/s.aspx?sm=_2fz97tv4rU5iY2IsYDbyCRg_3d_3d
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748639-0-0-0-1-2-207)

Voting closes May 23 at 11:45 p.m. Mountain Time.

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in
Security Pro VIP's Reader to Reader column. Email your contributions to
r2r@securityprovip.com (mailto:r2r@securityprovip.com). If we print your
submission, you'll get $100. We edit submissions for style, grammar, and
length.


PRODUCTS

--Vault-like Protection for BlackBerry Data
by Lavon Peters, Security Editor
A new add-on for BlackBerry and similar devices, called JumpVault,
creates electronic vaults to safeguard vital information in case devices
are lost or stolen. According to Steve White, QuickVault co-founder,
"JumpVault actually transforms an ordinary USB flash or mobile device
such as a BlackBerry into a secure virtual container." Documents such as
contracts, proposals, and business plans can now be protected on users'
mobile storage devices. JumpVault operates on Windows (including Vista),
as well as on Mac OSs. For more information, visit QuickVault at
www.jumpvault.com (http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748640-0-0-0-1-2-207).


RESOURCES AND EVENTS

Virtualization Newsletter

From the data center to the desktop, virtualization has a far-reaching
impact on the IT industry. Delivered directly to your inbox twice a
month, Virtualization UPDATE gives you the information you need to stay
ahead in this rapidly growing segment of the IT marketplace. Sign up
today!

www.windowsitpro.com/email (http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748641-0-0-0-1-2-207)

Fundamentals eBook--9 Chapters Introducing You to the IT Benefits of Fax
Servers

Fax servers are rarely at the top of an IT professional's list of cool
technologies. But faxing is something that customers are comfortable
with, even if they aren't particularly computer literate. From IT's
perspective, implementing a fax server solution benefits both the users
and those who support them and the business process.

windowsitpro.com/eBooks/index.cfm?fuseaction=ebook&ebid=5a34b838-4394-4966-a989-0d1373be7911&code=050708er
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748642-0-0-0-1-2-207)

KVM Over IP for the Distributed IT Environment

With many organizations' network infrastructure spread across corporate
campuses, among cities, and around the globe, there is a critical market
need for a next-generation keyboard/video/mouse (KVM) over IP solution
that is specifically designed to meet the needs of distributed
environments. Read this white paper, and you'll learn that the
distribution of interconnected resources requires a secure IP-based KVM
management strategy that guarantees simple, non-invasive, flexible,
fault-tolerant, scalable, and cost-effective access from anywhere, at
any time.

windowsitpro.com/whitepapers/Index.cfm?fuseaction=ShowWP&wpid=eafd9199-49c7-4f1b-8da4-9781b87da076&code=050708er
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748643-0-0-0-1-2-207)


FEATURED WHITE PAPER

Protect Your Data with System Center Data Protection Manager 2007

Explore this demo to learn about Microsoft System Center Data Protection
Manager 2007's continuous data protection for Windows application and
file servers, rapid and reliable data recovery, and advanced technology
for enterprises of all sizes. Download this resource and learn how you
can reduce costs and improve the agility of your business.

windowsitpro.com/Whitepapers/Index.cfm?fuseaction=ShowWP&WPID=6f528cbd-967c-45ff-93d3-5293b4c7fb83&code=050708er
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748644-0-0-0-1-2-207)


ANNOUNCEMENTS

Windows IT Pro Master CD: Take the Experts with You!

Find the solutions you need within the thousands of searchable articles,
helpful bonus content, and loads of expert advice on the Windows IT Pro
Master CD. A Master CD subscription buys you portable access to the
entire Windows IT Pro article database plus exclusive access to all the
new articles we publish only on WindowsITPro.com every day. It's like
having a team of consultants in your pocket! Get real-world solutions
fast--order the Windows IT Pro Master CD today.

store.pentontech.com/index.cfm?s=1&promocode=EU2284WC&
(http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748645-0-0-0-1-2-207)

CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748646-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748647-0-0-0-1-2-207


Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748650-0-0-0-1-2-207

About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://ct.email.windowsitpro.com/rd/cts?d=33-7606-803-202-62923-748651-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
