Security UPDATE--A Bug Bounty Program for Microsoft?--January 17, 2007

iDefense Labs' current Vulnerability Challenge is aimed at finding bugs in Vista and IE 7.0. Microsoft and its customers might benefit from a similar program sponsored by Microsoft itself.

ITPro Today

January 16, 2007


PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Expect the Unexpected: Disaster Recovery for your Windows-based Applications

http://www.windowsitpro.com/go/seminars/neverfail/disasterrecovery/?code=SECTop0117

Protecting Organizations from Spyware: Free Whitepaper

http://www.windowsitpro.com/go/whitepapers/websense/phishing/?code=SECMid0117

Double-Take Software: Upcoming Exchange Webinar!

http://w.on24.com/r.htm?e=34233&s=1&k=7B046884F81BFFA6332E514540A6AC3F&partnerref=winitad

CONTENTS

===========================================

===============================

Expect the Unexpected: Disaster Recovery for your Windows-based Applications

Learn to differentiate between alternative solutions to disaster recovery for your Windows-based applications and to ensure seamless recovery of your key systems--whether a disaster strikes just one server or the whole site. On-Demand Web Seminar

http://www.windowsitpro.com/go/seminars/neverfail/disasterrecovery/?code=SECTop0117

=== IN FOCUS: A Bug Bounty Program for Microsoft?

====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

iDefense Labs' first quarter 2007 Vulnerability Challenge is targeted at those who can find particular bugs in Windows Vista and Microsoft Internet Explorer (IE) 7.0. The company is offering between $8,000 and $12,000 for a new discovery and between $2,000 and $4,000 for a working exploit of that vulnerability, depending on the quality. According to the Vulnerability Challenge rules (at the URL below), "The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of one of the technologies listed above." Furthermore, "the vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied," and "the vulnerability must not require additional social engineering beyond browsing a malicious site."

http://labs.idefense.com/vcp/challenge.php

iDefense (a VeriSign company) profits from these challenges by reselling the vulnerability data to its customers and from the publicity the challenges generate.

Black hats sell vulnerability information too. You've probably read news stories about people attempting to sell vulnerabilities of the caliber desired by iDefense on various Internet sites. These black hats often claim that they'll sell a working exploit to the highest bidder (they sometimes have a reserve price that they won't go below). One story I read said that a black hat offered to sell an exploit for $50,000. That's a lot of money for working exploit code. People who buy such exploit code undoubtedly expect to profit from it somehow, most likely through some type of theft or fraud.

So if sellers of exploit code can get that kind of money, or even half that much, and buyers can make their money back by using the exploit code, then the potential takers of iDefense's challenge will be either white hats or those who don't have a vehicle to sell their vulnerability information.

Fortunately, some people will sell their work to iDefense simply because they don't want to see their discoveries used to exploit innocent people, and that's a great motive. But I think we need to keep in mind that many discoverers of security vulnerabilities don't care about innocent people--what they care about is personal gain. Seen in that light, iDefense's offer of a maximum of $12,000 seems rather low and might not attract people who discover the most serious vulnerabilities.

Other companies offering bug bounties include 3Com (at the first URL below) and Mozilla Foundation (at the second URL below). 3Com's Zero Day Initiative is a points program in which the more bugs you submit, the more points you receive. You trade points for benefits such as cash and travel to security conferences. Mozilla Foundation pays a flat fee of $500 for a bug found in Mozilla software, plus you get a T-shirt.

http://www.zerodayinitiative.com

http://www.mozilla.org/security/bug-bounty.html

All three of these programs have been under way for quite some time now and are successful to some extent or other. The question in my mind is why hasn't Microsoft instituted a similar program? I think it would be a great addition to the company's current efforts at making their products more secure.

=== SPONSOR: WebSense

================================

Protecting Organizations from Spyware: Free White Paper

Combat phishing and pharming with complete protection against complex Internet threats by filtering at multiple points on the gateway, network, and endpoints.

http://www.windowsitpro.com/go/whitepapers/websense/phishing/?code=SECMid0117

=== SECURITY NEWS AND FEATURES

=======================

Man-in-the-Middle Attacks Made Simple

A kit automates the creation of a fraudulent URL, which acts as a man-in-the-middle to gather sensitive private information from unsuspecting users in real time.

http://www.windowsitpro.com/Article/ArticleID/94845

Web Sites Move Toward One-Time PINs

Think you have too many cards in your purse or pocket? Just wait until you have a dozen or more PIN generators to carry around.

http://www.windowsitpro.com/Article/ArticleID/94846

Blocking Web Sites in ISA Server

Web blacklisting services maintain lists of Web sites that contain pornography, hate speech, violence, hacking tools, or other prohibited content. You can subscribe to an inexpensive blacklisting service and import its list (typically updated each week) into ISA Server with a script. Jason Fossen walks you through the steps.

http://www.windowsitpro.com/Article/ArticleID/94079

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: Double-Take Software

====================

Double-Take Software: Upcoming Exchange Webinar!

Join this webinar to learn new ways to maintain Exchange uptime by using continuous data replication and application availability. When recoverability matters, depend on Double-Take Software to protect and recover business critical data and applications. Date: 1/30/07. Time: 11 a.m. EST.

http://w.on24.com/r.htm?e=34233&s=1&k=7B046884F81BFFA6332E514540A6AC3F&partnerref=winitad

=== GIVE AND TAKE

====================================

=========================================

by Renee Munshi, [email protected]

Encrypt Backup Data at the Media Server

Symantec announced the Veritas NetBackup Media Server Encryption Option. NetBackup MSEO encrypts backup data at a central NetBackup media server instead of at the client or on a dedicated encryption appliance. Scheduled to be available this month, MSEO addresses the risk associated with transporting tapes off site. MSEO works with existing NetBackup policies and existing NetBackup clients and can encrypt specific information that client users want to encrypt. MSEO centralizes encryption key management by automatically and centrally tracking which key was used for which tape and can store keys at a disaster recovery site. For more information, go to

http://www.symantec.com

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS

=============================

=============================

Ready to get serious about data-driven applications? Learn how to get unparalleled data access and presentation capabilities so that your users can access the critical business information they need. Download this free white paper today to find out more, and get started developing with Microsoft .NET!

http://www.sqlmag.com/go/whitepaper/Sybase/datawindow/?code=0117featwp

=== ANNOUNCEMENTS

====================================

Special Invitation for VIP Access

Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now and SAVE $100:

https://store.pentontech.com/index.cfm?s=1&promocode=eu276buv

Ring in the New Year with Windows IT Pro

Don't miss Windows IT Pro in 2007! As a subscriber, you'll get full access to must-have coverage relating to Windows Vista deployment, virtualization, disaster recovery, Active Directory enhancements, the Office 2007 launch, SharePoint fundamentals, and much more. Order now and save 58% off the cover price.

https://store.pentontech.com/index.cfm?s=1&promocode=eu2071uw

===========================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

http://www.windowsitpro.com/windowssecurity

http://www.securityprovip.com

Subscribe to Security UPDATE at

http://www.windowsitpro.com/Email/Index.cfm?action=archive

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
