Wednesday, August 13, 2008

EFF Steps Up to Advise Security Researchers

Security UPDATE
A Penton Media Property
August 13, 2008


If you want to view this on the web go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263216-0-0-0-1-2-207


IN FOCUS

--EFF Steps Up to Advise Security Researchers
by Mark Joseph Edwards, News Editor
This year's Black Hat USA conference is over and as usual the show
received mixed reviews from attendees. Windows IT Pro magazine's Tony
Howlett weighs in with his opinion (see the URL below). Among other
anecdotes, Howlett thinks that the conference might be growing too big.
I had similar thoughts: This year there were somewhere around 90
speakers--that's a lot of presentations. But Black Hat USA 2008 pales in
comparison to DEFCON 16, which has roughly twice as many speakers! The
issue comes down to quality of the content juxtaposed against what you
personally want to learn at either conference.

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263218-0-0-0-1-2-207

Which brings us to the speakers and their presentations. As you know, in
the past some presenters have found themselves in very hot water over
legal threats due to the content of their presentations. IOActive
suffered that experience last year over RFID technology (see the first
URL below), as did Mike Lynn in 2005 over vulnerabilities in Cisco
router hardware (see the second URL below). At least one presenter,
Halvar Flake, was barred from entering the United States to deliver his
presentation at last year's conference, on what appears to have been a
"technicality" (see the third URL below).

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263219-0-0-0-1-2-207
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263220-0-0-0-1-2-207
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263221-0-0-0-1-2-207

Indirectly related, but interesting nevertheless, is that according to
the Washington Post and News.com, this year Charles Edge decided to
discuss a serious vulnerability in Apple's FileVault technology, but he
withdrew the presentation on his own. As it turns out Apple is one of
his biggest customers and he's under a non-disclosure agreement. Apple
itself also withdrew from the conference, having been previously slated
to hold a discussion panel regarding the company's security practices.
According to Computerworld, Apple's marketing department didn't approve
of such public discourse.

This year, Electronic Frontier Foundation (EFF) stepped more directly
into the legal implications of security research and disclosure by
setting up a booth at Black Hat USA. EFF established what it calls the
Coders' Rights Project, and according to the foundation the purpose of
EFF's presence at Black Hat is to "provide legal information on reverse
engineering, vulnerability reporting, and copyright law, as well as
patent, trade secret, and free speech issues."

EFF thinks that legal threats put a damper on vital research and better
security. The foundation's press release quotes EFF Board Member Edward
W. Felten, a security researcher and Princeton University professor who
challenged provisions of the DMCA with EFF in 2001: "Those of us doing
research on computer security and privacy need to be able to discuss and
publish our work without fear of legal threats," Felten said. "The
Coders' Rights Project will give critical legal help to programmers and
developers who do the hard work in keeping technology robust and users
safe."

I think any security administrator can see that without reasonable
disclosure we'd all have systems and networks chock full of holes and
none of us would be aware of the risks to any considerable extent unless
we each did our own research. Not many people have the time or ability
to do that kind of hard work. After years of observation I'm still at a
partial loss as to why some vendors still cannot see how such research
is incredibly beneficial to both them and their customers.

EFF's Coders' Rights Project site (at the URL below) has some good
information for anyone interested in being able to reverse engineer
products. The site also has good information for those of you who might
find yourselves in a position of wanting to report a vulnerability that
you discovered--without reverse engineering. Have a look at the content
and read it over carefully before you decide to spontaneously post a
message to the world that says "I discovered a security hole and here's
demonstration code to prove it." My point is that there's often a very
fine line to walk, and some companies are more than willing to pounce on
you with their multi-million dollar legal strength.

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263222-0-0-0-1-2-207



SECURITY NEWS AND FEATURES

--MySpace, Facebook, and Twitter Users Targeted for Malware
Over the past week new forms of malware have been discovered at three
social networking sites. Some of the malware is cross-infecting users of
other social networking sites.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263224-0-0-0-1-2-207

--DOJ Announces Fraudster Smackdown
The Department of Justice (DOJ) recently indicted 11 people on numerous
charges for their roles in stealing over 40 million credit and debit
card numbers from major retailers, including Barnes & Noble, OfficeMax,
Sports Authority, TJX, and other companies.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263225-0-0-0-1-2-207

--Tumbleweed to Merge With Axway
Security solution provider Tumbleweed now has shareholder approval to
merge with Axway, maker of collaborative business solutions.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263226-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263227-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263228-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: Three Reporters Tossed Out of Black Hat
by Mark Joseph Edwards
Three reporters from Global Security Mag thought it'd be funny to sniff
the network traffic of other reporters at the Black Hat conference. The
stunt backfired on the trio, who got booted out.

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263229-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263230-0-0-0-1-2-207)

--FAQ: Audit Recent Logons
by John Savill
Q. How can I create a list of the most-recent computer logons?

Find the answer at

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263231-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263232-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions.
Email your contributions to r2r@windowsitpro.com
(mailto:r2r@windowsitpro.com). If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


RESOURCES AND EVENTS

Implementing VoIP for Your Enterprise

VoIP can make your business more efficient, so you can't afford to
ignore it. A number of technologies simplify VoIP implementation, and
application capabilities in a unified communications solution can make
having VoIP a technological competitive advantage. View this web seminar
to learn how to implement VoIP technologies and leverage them in your
Windows Server environment.

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263233-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263234-0-0-0-1-2-207)

Doing it Right! Deploying the Perfect SharePoint Farm

If you're like most IT shops, you've either implemented or are
considering SharePoint. How do you deploy the optimal solution with
limited time and expense? This fall, Windows IT Pro and Office &
SharePoint Pro.com present the event series Deploying SharePoint.
Industry experts will share best practices regarding infrastructure,
design, forms configurations, and redundancy. Register early to save
$100! Early-bird pricing applies through August 29.

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263235-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263236-0-0-0-1-2-207)

WinConnections Conference Fall 2008

Don't miss the premier event for Microsoft IT professionals in Las
Vegas, November 10-13. Register and book your room by August 25 and
receive a FREE room night (based on a three-night minimum stay).

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263237-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263238-0-0-0-1-2-207)


FEATURED WHITE PAPER

PCI Compliance Made Simple

Is your organization still struggling with PCI compliance? If you
process credit cards, you face tremendous pressure to comply with PCI
DSS standards. Not only must you embrace new policies and implement
changes to network configurations, you must also ensure that the
technology is in place to protect card-holder data. What if you could
achieve compliance through an automated, on-demand platform? Read this
white paper to learn how!

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263239-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263240-0-0-0-1-2-207)


ANNOUNCEMENTS

Master SharePoint with 3 eLearning Seminars--hosted by Windows IT Pro

Join MVPs Dan Holme and Michael Noel to learn how to build a better
SharePoint infrastructure and enable powerful collaboration. On October
1, 2008, at 11:00 AM EDT, direct from your computer, these SharePoint
gurus will guide you through three info-packed sessions: 21st Century
File Sharing: Configuring & Managing Document Libraries; Building
Code-Free SharePoint Applications and Business Intelligence Lite; and
Forms-Based Authentication and Extranet Deployment Options for
SharePoint 2007. All for only $99! Seats are limited to allow for lots
of live Q&A at the end. Register today!

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263241-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263242-0-0-0-1-2-207)

Know a Developer?

Pass on the SharePoint Mastery series, built especially for developers,
with speaker and Microsoft MVP Andrew Connell!

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263243-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263244-0-0-0-1-2-207)

Access All Our Security Resources!

With the online VIP Monthly Pass, you can have all the security
solutions in Windows IT Pro and SQL Server Magazine right at your
fingertips, PLUS VIP-only content on hot topics such as Vista,
SharePoint, and more. You'll also receive a full digital copy of the
latest issue of Windows IT Pro!

http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263245-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263246-0-0-0-1-2-207)


CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263247-0-0-0-1-2-207
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263248-0-0-0-1-2-207

Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263251-0-0-0-1-2-207
About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at
http://ct.email.windowsitpro.com/rd/cts?d=33-12181-803-202-62923-1263252-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.