Security UPDATE--A Bug Bounty Program for Microsoft?--January 17, 2007

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Expect the Unexpected: Disaster Recovery for your Windows-based Applications

http://www.windowsitpro.com/go/seminars/neverfail/disasterrecovery/?code=SECTop0117

Protecting Organizations from Spyware: Free Whitepaper

http://www.windowsitpro.com/go/whitepapers/websense/phishing/?code=SECMid0117

Double-Take Software: Upcoming Exchange Webinar!

http://w.on24.com/r.htm?e=34233&s=1&k=7B046884F81BFFA6332E514540A6AC3F&partnerref=winitad

CONTENTS

===========================================

IN FOCUS: A Bug Bounty Program for Microsoft? NEWS AND FEATURES - Man-in-the-Middle Attacks Made Simple - Web Sites Move Toward One-Time PINs - Blocking Web Sites in ISA Server - Recent Security Vulnerabilities GIVE AND TAKE - Security Matters Blog: Securing Windows Vista Services - FAQ: Start a Command Shell with Elevated Permissions - From the Forum: Drive Encryption with Page Files and Temporary Files - Share Your Security Tips - Microsoft Learning Paths for Security: Deploying Microsoft Identity and Access Management Technologies PRODUCTS - Encrypt Backup Data at the Media Server - Wanted: Your Reviews of Products RESOURCES AND EVENTS FEATURED WHITE PAPER ANNOUNCEMENTS === SPONSOR: Neverfail

===============================

Expect the Unexpected: Disaster Recovery for your Windows-based Applications Learn to differentiate between alternative solutions to disaster recovery for your Windows-based applications and to ensure seamless recovery of your key systems--whether a disaster strikes just one server or the whole site. On-Demand Web Seminar http://www.windowsitpro.com/go/seminars/neverfail/disasterrecovery/?code=SECTop0117 === IN FOCUS: A Bug Bounty Program for Microsoft?

====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net iDefense Labs' first quarter 2007 Vulnerability Challenge is targeted at those who can find particular bugs in Windows Vista and Microsoft Internet Explorer (IE) 7.0. The company is offering between $8,000 and $12,000 for a new discovery and between $2,000 and $4,000 for a working exploit of that vulnerability, depending on the quality. According to the Vulnerability Challenge rules (at the URL below), "The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of one of the technologies listed above." Furthermore, "the vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied," and "the vulnerability must not require additional social engineering beyond browsing a malicious site." http://labs.idefense.com/vcp/challenge.php iDefense (a VeriSign company) profits from these challenges by reselling the vulnerability data to its customers and from the publicity the challenges generate. Black hats sell vulnerability information too. You've probably read news stories about people attempting to sell vulnerabilities of the caliber desired by iDefense on various Internet sites. These black hats often claim that they'll sell a working exploit to the highest bidder (they sometimes have a reserve price that they won't go below). One story I read said that a black hat offered to sell an exploit for $50,000. That's a lot of money for working exploit code. People who buy such exploit code undoubtedly expect to profit from it somehow, most likely through some type of theft or fraud. So if sellers of exploit code can get that kind of money, or even half that much, and buyers can make their money back by using the exploit code, then the potential takers of iDefense's challenge will be either white hats or those who don't have a vehicle to sell their vulnerability information. Fortunately, some people will sell their work to iDefense simply because they don't want to see their discoveries used to exploit innocent people, and that's a great motive. But I think we need to keep in mind that many discovers of security vulnerabilities don't care about innocent people--what they care about is personal gain. Seen in that light, iDefense's offer of a maximum of $12,000 seems rather low and might not attract people who discover the most serious vulnerabilities. Other companies offering bug bounties include 3Com (at the first URL below) and Mozilla Foundation (at the second URL below). 3Com's Zero Day Initiative is a points program in which the more bugs you submit, the more points you receive. You trade points for benefits such as cash and travel to security conferences. Mozilla Foundation pays a flat fee of $500 for a bug found in Mozilla software, plus you get a T-shirt. http://www.zerodayinitiative.com http://www.mozilla.org/security/bug-bounty.html All three of these programs have been under way for quite some time now and are successful to some extent or other. The question in my mind is why hasn't Microsoft instituted a similar program? I think it would be a great addition to the company's current efforts at making their products more secure. === SPONSOR: WebSense

================================

Protecting Organizations from Spyware: Free White Paper Combat phishing and pharming with complete protection against complex Internet threats by filtering at multiple points on the gateway, network, and endpoints. http://www.windowsitpro.com/go/whitepapers/websense/phishing/?code=SECMid0117 === SECURITY NEWS AND FEATURES

=======================

Man-in-the-Middle Attacks Made Simple A kit automates the creation of a fraudulent URL, which acts as a man-in-the-middle to gather sensitive private information from unsuspecting users in real time. http://www.windowsitpro.com/Article/ArticleID/94845 Web Sites Move Toward One-Time PINs Think you have too many cards in your purse or pocket? Just wait until you have a dozen or more PIN generators to carry around. http://www.windowsitpro.com/Article/ArticleID/94846 Blocking Web Sites in ISA Server Web blacklisting services maintain lists of Web sites that contain pornography, hate speech, violence, hacking tools, or other prohibited content. You can subscribe to an inexpensive blacklisting service and import its list (typically updated each week) into ISA Server with a script. Jason Fossen walks you through the steps. http://www.windowsitpro.com/Article/ArticleID/94079 Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html === SPONSOR: Double-Take Software

====================

Double-Take Software: Upcoming Exchange Webinar! Join this webinar to learn new ways to maintain Exchange uptime by using continuous data replication and application availability. When recoverability matters, depend on Double-Take Software to protect and recover business critical data and applications. Date: 1/30/07. Time: 11 a.m. EST. http://w.on24.com/r.htm?e=34233&s=1&k=7B046884F81BFFA6332E514540A6AC3F&partnerref=winitad === GIVE AND TAKE

====================================

SECURITY MATTERS BLOG: Securing Windows Vista Services by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters As you might know, services in Vista are better protected than services in previous versions of Windows. But do you know how Microsoft hardens Vista services? http://www.windowsitpro.com/Article/ArticleID/94832 FAQ: Start a Command Shell with Elevated Permissions by John Savill, http://www.windowsitpro.com/windowsnt20002003faq Q: How can I start a command prompt session with Administrative privileges in Windows Vista? Find the answer at http://www.windowsitpro.com/Article/ArticleID/94527 FROM THE FORUM: Drive Encryption A forum participant is testing TrueCrypt drive encryption. He's created an encrypted D drive and set his system page file to reside on the D drive so that it's also encrypted. His temporary directories are also on the D drive. His problem is that at boot time, the screen splits into four squiggly screens, then finally resolves. He said the problem was that the system was unable to create the page file because the D drive is unavailable until you enter the password into TrueCrypt. Does anyone have a solution or a recommendation for other drive encryption software? Join the discussion at http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=83403&enterthread=y SHARE YOUR SECURITY TIPS AND GET $100 Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. MICROSOFT LEARNING PATHS FOR SECURITY: Deploying Microsoft Identity and Access Management Technologies Effective identity and access management is critical to information security and one of the key components of Core Infrastructure Optimization (IO). Use these resources to learn more about the interdependent technologies and processes of deploying identity and access management solutions, including directory services, identity life-cycle management, access management, and more. http://www.microsoft.com/technet/security/learning/identityandaccess.mspx === PRODUCTS

=========================================

by Renee Munshi, [email protected] Encrypt Backup Data at the Media Server Symantec announced the Veritas NetBackup Media Server Encryption Option. NetBackup MSEO encrypts backup data at a central NetBackup media server instead of at the client or on a dedicated encryption appliance. Scheduled to be available this month, MSEO addresses the risk associated with transporting tapes off site. MSEO works with existing NetBackup policies and existing NetBackup clients and can encrypt specific information that client users want to encrypt. MSEO centralizes encryption key management by automatically and centrally tracking which key was used for which tape and can store keys at a disaster recovery site. For more information, go to http://www.symantec.com WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate. === RESOURCES AND EVENTS

=============================

For more security-related resources, visit http://www.windowsitpro.com/go/securityresources You know you need to manage your email data; how do you do it? What steps are you taking? What additional measures should you enact? What shouldn't you do? Get answers to these questions and get control of your vital messaging data. Download the free eBook today! http://www.windowsitpro.com/go/ebooks/ilumin/discovery/?code=0115 Can you really trust users to protect critical business data on their PCs? One in three users write down their passwords, leaving data at risk even with encryption-only protection. True PC data protection requires organizational control of your data. Download this free white paper today to find out how to accomplish your PC data security goals without inhibiting employee productivity. http://www.windowsitpro.com/go/whitepapers/beachhead/encryption/?code=0115 === FEATURED WHITE PAPER

=============================

Ready to get serious about data-driven applications? Learn how to get unparalleled data access and presentation capabilities so that your users can access the critical business information they need. Download this free white paper today to find out more, and get started developing with Microsoft .NET! http://www.sqlmag.com/go/whitepaper/Sybase/datawindow/?code=0117featwp === ANNOUNCEMENTS

====================================

Special Invitation for VIP Access Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now and SAVE $100: https://store.pentontech.com/index.cfm?s=1&promocode=eu276buv Ring in the New Year with Windows IT Pro Don't miss Windows IT Pro in 2007! As a subscriber, you'll get full access to must-have coverage relating to Windows Vista deployment, virtualization, disaster recovery, Active Directory enhancements, the Office 2007 launch, SharePoint fundamentals, and much more. Order now and save 58% off the cover price. https://store.pentontech.com/index.cfm?s=1&promocode=eu2071uw

===========================================================

Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

http://www.windowsitpro.com/windowssecurity

http://www.securityprovip.com

Subscribe to Security UPDATE at

http://www.windowsitpro.com/Email/Index.cfm?action=archive

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.