News

Wednesday, July 16, 2008

Firefox Metrics for Measuring Security

Security UPDATE
A Penton Media Property
July 16, 2008


If you want to view this on the web go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106186-0-0-0-1-2-207

----------------------------------------
ADVERTISEMENT
Windows IT Pro

Insider Threats - Who Can You Trust?

Although an organization might allow an employee privileged access, why
should it trust that person? Mass media hysterics about external
security threats have caused many of us to temporarily forget the most
important rule-of-thumb about security - 80% of the threat to any
organization comes from inside. Read this paper to identify the key
business processes in your organization that must be secured, and you
will be well equipped to build a solution that can contain an insider
threat.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106187-0-0-0-1-2-207
----------------------------------------

IN FOCUS

--Firefox Metrics for Measuring Security
by Mark Joseph Edwards, News Editor
Over the years we've all seen what appears to be a never-ending stream
of security reports that supposedly make it clear how secure a given
software technology might be. There have been several such reports on
individual products, as well as several comparative reports that pit
products against each other--for example, Internet Explorer (IE) versus
Firefox, or Windows versus one or more Linux-based or BSD-based OSs.

Although those reports are helpful, they always leave room for
interpretation, particularly because they typically rely on a flat
count of known security bugs. Heated debates are often the result, and
in the end some security administrators might misunderstand the overall
implications and relative usefulness of such data. Not only that, but
people who aren't so savvy about security can become misinformed because
they lack the background needed to put a raw bug count in context--which
can lead to ridiculous beliefs such as "OS X is bulletproof, so I don't
need a firewall or antivirus protection."

Mozilla recently announced that it intends to take a different approach
in the future for measuring the security of its own products, including
Firefox. The company said that instead of counting bugs, Mozilla will
track various metrics over time. Hopefully that approach will lead to
much more useful data and better products, which of course would benefit
everyone.

Toward that goal, Mozilla has launched a new project currently called
the Mozilla Security Metrics Project. Now in its initial stages of
development, the project is the offspring of collaboration between
Mozilla security team members and security researcher/analyst Rich
Mogull of Securosis, who formerly worked as a security analyst for
Gartner Group. The stated goals of the project are to "develop a metrics
based model to track the relative security of Firefox, evaluate the
effectiveness of security efforts within the development and testing
process, and measure the window of exposure of Firefox users to security
vulnerabilities."

Taking that a step further, the company also said that a secondary goal
is to "develop an open base model that can be standardized and expanded
upon for other software development efforts to achieve the same goals."
Thinking about those goals, it seems apparent that the primary focus is
to improve the overall software development process, as well as to get
as many users protected as soon as possible when a security
vulnerability becomes known.
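As an added illustration, not part of the newsletter and not Mozilla's model or data, here is how two of the kinds of measure the project describes (the vendor's disclosure-to-fix window, and a user-weighted window of exposure) can be computed over a constructed data set. The product names, vulnerability labels, dates and adoption figures are hypothetical, and the step-function adoption model is an assumption of this example, not anything Mozilla has published:

```python
"""Added example (not Mozilla's model or data): two time-based metrics of the
kind the Mozilla Security Metrics Project says it wants to track, computed over
a constructed data set. Product names, vulnerability labels, dates and
adoption figures below are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class Vuln:
    vuln_id: str                         # hypothetical label, not a CVE
    disclosed: date                      # public disclosure
    fixed: date                          # fixed release shipped
    adoption: List[Tuple[date, float]]   # (date, fraction of users on a fixed build)


def vendor_window_days(v: Vuln) -> int:
    """Disclosure-to-fix window: the part the vendor controls directly."""
    return (v.fixed - v.disclosed).days


def patched_fraction(v: Vuln, day: date) -> float:
    """Adoption is modelled as a step function (an assumption of this example):
    the latest data point on or before `day` applies; before the fix ships
    nobody is patched."""
    frac = 0.0
    for when, value in sorted(v.adoption):
        if when <= day:
            frac = value
    return frac


def user_exposure_days(v: Vuln, horizon: date) -> float:
    """Population-weighted exposure: for every day from disclosure up to (not
    including) `horizon`, add the fraction of users still on a vulnerable
    build. Slow user uptake keeps adding exposure long after the fix ships."""
    total = 0.0
    day = v.disclosed
    while day < horizon:
        total += 1.0 - patched_fraction(v, day)
        day += timedelta(days=1)
    return total


def summarize(vulns: List[Vuln], horizon: date) -> Dict[str, float]:
    """Flat bug count next to the time-based metrics the article contrasts it with."""
    windows = [vendor_window_days(v) for v in vulns]
    return {
        "bug_count": len(vulns),
        "mean_vendor_window_days": sum(windows) / len(windows),
        "max_vendor_window_days": max(windows),
        "user_exposure_days": sum(user_exposure_days(v, horizon) for v in vulns),
    }


HORIZON = date(2008, 7, 1)  # end of the measurement period (constructed)

# Constructed data: both products fixed exactly three public bugs in the period.
PRODUCT_A = [  # fast fixes, fast uptake (e.g. a working auto-updater)
    Vuln("A-1", date(2008, 3, 1), date(2008, 3, 4),
         [(date(2008, 3, 4), 0.5), (date(2008, 3, 8), 0.9), (date(2008, 3, 15), 1.0)]),
    Vuln("A-2", date(2008, 4, 10), date(2008, 4, 12),
         [(date(2008, 4, 12), 0.6), (date(2008, 4, 16), 0.95), (date(2008, 4, 25), 1.0)]),
    Vuln("A-3", date(2008, 5, 20), date(2008, 5, 21),
         [(date(2008, 5, 21), 0.7), (date(2008, 5, 24), 1.0)]),
]
PRODUCT_B = [  # slow fixes, slow uptake (manual updates)
    Vuln("B-1", date(2008, 3, 1), date(2008, 3, 31),
         [(date(2008, 3, 31), 0.2), (date(2008, 4, 30), 0.6), (date(2008, 6, 30), 0.9)]),
    Vuln("B-2", date(2008, 4, 10), date(2008, 4, 20),
         [(date(2008, 4, 20), 0.3), (date(2008, 5, 20), 0.8)]),
    Vuln("B-3", date(2008, 5, 20), date(2008, 5, 22),
         [(date(2008, 5, 22), 0.4), (date(2008, 6, 10), 0.9)]),
]

if __name__ == "__main__":
    for name, vulns in (("Product A", PRODUCT_A), ("Product B", PRODUCT_B)):
        print(name, summarize(vulns, HORIZON))
```

Both products carry the same flat count of three bugs, which is all a bug-count comparison would report. The time-based numbers separate them by roughly a factor of ten, and most of that difference accumulates after the fix shipped, in the uptake phase: that is the part of the exposure window a vendor can only shrink by shipping updates that users actually install, which is why update delivery belongs in the metric alongside patch turnaround.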

As you might expect, the public is invited to participate in helping to
shape guidelines for the project. As it stands now, in its initial
stage, what exists is a spreadsheet document that includes the proposed
metrics to be tracked, information on how to categorize and label those
metrics, and a couple of channels to discuss the proposed metrics as
well as how to proceed with project development.

If you're reading this article, you're obviously interested in security.
If you also use Mozilla software, perhaps you'd like to participate in
and possibly help shape the project. You can do so by reviewing the
information currently available and providing your feedback. To take
part, head over to the Mozilla Security Blog and read the related post
at the URL below. There you'll find links to the existing information,
as well as a contact email address to send comments and suggestions.
You'll also find the usual blog comment form if you want to post your
suggestions openly.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106188-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106189-0-0-0-1-2-207)

----------------------------------------
ADVERTISEMENT
Windows IT Pro

Gain enhanced insight into and control over your IT systems

Microsoft System Center Configuration Manager 2007 shipped recently.
System Center Configuration Manager 2007 is the solution to
comprehensively assess, deploy and update your servers, clients, and
devices - across physical, virtual, distributed and mobile environments.
SP1 & R2 betas are also now available. View this web seminar for the
latest and greatest features and product enhancements in the Systems
Center Configuration Manager SP1 and R2.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106190-0-0-0-1-2-207
----------------------------------------


SECURITY NEWS AND FEATURES

--Countless DNS Servers at Risk
Microsoft recently released a patch to correct security problems in its
DNS server software. But those who use other DNS server software might
still be at risk if they haven't updated their software very recently.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106191-0-0-0-1-2-207

--Cumulative Updates for Microsoft Office on the Agenda
Microsoft said that it's moving away from weekly updates for Office to a
more predictable update schedule where cumulative updates will be issued
every two months.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106192-0-0-0-1-2-207

--ICANN Falls Victim to DNS Redirection Attack
ICANN admitted that it recently fell victim to targeted DNS redirection
attacks. The attackers were then able to send users to their own Web
sites when in reality those users should have landed on ICANN-operated
sites.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106193-0-0-0-1-2-207

--Check Point Update Repairs Countless Broken ZoneAlarm Installations
Microsoft's July batch of security patches wound up breaking the
functionality of the ZoneAlarm firewall. As a result, countless people
found themselves unable to access the Internet.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106194-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106195-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106196-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: User Names and Passwords in Authentication
Forms
by Mark Joseph Edwards
I made an interesting observation today regarding login forms that
accept user names and passwords for authentication--and what I'm seeing
makes no sense. Read the details in this blog article on our Web site.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106197-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106198-0-0-0-1-2-207)

--FAQ: Moving Active Directory's FSMO Roles
by John Savill
Q. How can I use the command line to move the Flexible Single Master
Operations (FSMO) roles in Windows Server 2008?

Find the answer at

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106199-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106200-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions. Email your contributions to r2r@windowsitpro.com
(mailto:r2r@windowsitpro.com). If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


RESOURCES AND EVENTS

Epok Edition for Microsoft SharePoint

SharePoint use continues to expand within organizations driven by
business users, IT staff, and information security officers who are all
looking for better ways to collaborate and control information access
and use. Epok software lets organizations securely extend application
access across organizational boundaries--within and between enterprises.
With the Epok Edition for Microsoft SharePoint, SharePoint
administrators can improve partnering and collaboration effectiveness.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106201-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106202-0-0-0-1-2-207)

The Impact of Messaging and Web Threats

Internal, messaging, and web-based threats are increasing in number and
severity. Read this Osterman Research paper to learn how organizations
must implement a layered defensive strategy to protect against all types
of threats. This white paper covers the risks of malware, as well as the
multiple layers of defense needed to deal with spam, viruses, Trojans,
worms, and other forms of malware.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106203-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106204-0-0-0-1-2-207)

Integrated Virtualization Done Right

Virtualization not only lets you consolidate servers and reduce
operating costs, but also enables more rapid deployment of new
application servers, reduces server-maintenance downtime and driver
dependencies for new hardware, and assists in disaster recovery. This
white paper shows you how to use server virtualization to improve
resource utilization and lower operating costs.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106205-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106206-0-0-0-1-2-207)


FEATURED WHITE PAPER

Creating Flexible BI Solutions Using SQL Server 2005 Analysis Services

SQL Server 2005 delivered major changes, especially to SQL Server's
built-in business intelligence (BI) platform, of which SQL Server
Analysis Services (SSAS) is a prominent part. The enhancements and new
options are compelling reasons for using SSAS. This white paper
describes best practices for developing your SSAS 2005 solutions and for
moving existing SQL Server 2000 Analysis Services solutions to SSAS
2005.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106207-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106208-0-0-0-1-2-207)


ANNOUNCEMENTS

Master SharePoint with 3 eLearning Seminars--hosted by Windows IT Pro

Join MVPs Dan Holme and Michael Noel to learn how to build a better
SharePoint infrastructure and enable powerful collaboration. On October
1, 2008, at 11:00 AM EDT, direct from your computer, these SharePoint
gurus will guide you through three info-packed sessions: 21st Century
File Sharing: Configuring & Managing Document Libraries; Building
Code-Free SharePoint Applications and Business Intelligence Lite; and
Forms-Based Authentication and Extranet Deployment Options for
SharePoint 2007. All for only $99! Seats are limited to allow for lots
of live Q&A at the end. Register today!

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106209-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106210-0-0-0-1-2-207)

Know a Developer?

Pass on the SharePoint Mastery series, built especially for developers,
with speaker and Microsoft MVP Andrew Connell!

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106211-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106212-0-0-0-1-2-207)

Black Hat

Attend Black Hat USA, the world's premier technical event for ICT
security experts, August 2-7 in Las Vegas. Featuring 40 hands-on
training courses and 90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from 50 nations. Visit
product displays by 30 top sponsors in a relaxed setting. A special
Training session called Defend The Flag (DTF) is a unique two-day
hands-on training course designed to take the traditionally dry Windows
security training workshop and make it interactive, personal, and
visceral for each attendee. Students will gain the understanding of
modern exploitation tools and techniques in order to learn how to better
protect their Windows systems.

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106213-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106214-0-0-0-1-2-207)


CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106215-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106216-0-0-0-1-2-207

You are subscribed to this newsletter as boy.blogger@gmail.com

Manage your Security UPDATE subscription at
http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106217-0-0-0-1-2-207.

To unsubscribe:
http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106218-0-0-0-1-2-207&list_id=803&email=boy.blogger@gmail.com&message_id=10781

Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106219-0-0-0-1-2-207

About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://ct.email.windowsitpro.com/rd/cts?d=33-10781-803-202-62923-1106220-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
