Security UPDATE--Black Hat Briefly--August 16, 2006

IN FOCUS: Black Hat Briefly

NEWS AND FEATURES

- Windows Server Service Still Vulnerable to DoS Attacks

- Cult of the Dead Cow Puts Malware Samples Online

- Name That Computer!

- Recent Security Vulnerabilities

GIVE AND TAKE

- Security Matters Blog: Shine Some Light on Potential UAC Problems

- FAQ: Process Explorer

- Share Your Security Tips

PRODUCTS

- Antispyware on the Go

- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: St. Bernard Software

Choose Your Savings on Web Filtering

iPrism, the IDC-ranked #1 Web filtering appliance has an offer that's too good to pass up. Purchase a 3-year subscription to the most accurate database in the industry and get your iPrism appliance at no charge. Or, purchase an iPrism and a 3-year subscription and get an extra year free. Only iPrism gives you two ways to save big. This is a limited time offer so get a Quick Quote now!

http://www.stbernard.com/forms/quickquote/quote_ip_q306choice.asp?oc=510

=== IN FOCUS: Black Hat Briefly

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The Black Hat USA 2006 conference ended August 3. Several presentations at the show made some big waves. This week, I'll briefly summarize some of the more notable happenings in relation to Microsoft.

You might have read any of the dozens of news stories about the Wi-Fi driver problems. David Maynor and Johnny Cache (a pseudonym used by John Ellch) demonstrated that they could hijack an Apple MacBook system even when it wasn't connected to a wireless Access Point (AP). Some of the stories implied that the flaw was within Mac OS X. But as Maynor pointed out in his presentation, "Don't think however that just because we're attacking an Apple that the flaw is in an Apple. We're actually using a third-party wireless card." Maynor and Ellch also discovered flaws in third-party Wi-Fi drivers for Windows platforms. So the problems aren't with any particular OS but instead reside firmly with third-party driver developers whose code contains significant flaws.

Maynor and Ellch played a recording of their presentation at the conference instead of doing it live because they didn't want to risk having someone intercept Wi-Fi packets at the conference to discern the exact nature of their attack while various vendors are working on solutions for their problematic drivers. If you want to see Maynor and Ellch's presentation, you can watch it at YouTube:

http://youtube.com/watch?v=H2oxrqs9T2s

Another interesting presentation was given by Dan Kaminsky, who demonstrated a method of probing TCP/IP networks to determine whether a given Internet backbone provider is manipulating traffic based on its type or origin. Backbone providers have made noise recently about wanting to charge content providers, such as those who provide large amounts of audio and video, more money to carry high-bandwidth traffic. Kaminsky's tool would help reveal which backbone providers are already practicing traffic shaping. He plans to release the tool as part of his Paketto Keiretsu toolkit, which he intends to update in the next half year. You can learn more about Paketto Keiretsu at his Web site.

http://www.doxpara.com/read.php/code/paketto.html

Joanna Rutkowska made some waves too when she demonstrated how to load unsigned code into Windows Vista. Her attack requires that the code run under an account with administrative privileges, and Vista's new User Account Control (UAC) feature will help defend against such attacks, provided users don't make mistakes answering a plethora of prompts. Also, Microsoft has reportedly fixed Rutkowska's path of attack in later builds of Vista. I'm not sure whether she'll post her presentation online, but you can monitor her Web site if you're interested:

http://invisiblethings.org

Microsoft was out in force at Black Hat watching presentations and giving eight presentations that touched on various aspects of Vista security and Microsoft's changing security landscape. During his presentation, John Lambert, security group manager in Microsoft's Security Engineering and Communications Group, said the company is putting Vista through the biggest penetration testing process in history.

I remember years ago when people (myself included) cried out for Microsoft to hire hackers instead of opposing them when they discovered and released vulnerability reports. Well, now Microsoft has reportedly hired numerous companies and many well-known hackers to help with various aspects of security, including penetration testing--and I must say, it's about time!

=== SPONSOR: 8e6 Technologies

Protect Your Network - Threats Brought in By Remote Laptops

Learn how employee laptops indiscriminately harm company networks, despite standard security gear, and gain valuable information on how to protect your company against these threats - without throwing out the laptops. Get the FREE white paper from 8e6 Technologies. Qualify Now!

http://findtechinfo.com/penton/nl/110

=== SECURITY NEWS AND FEATURES

Windows Server Service Still Vulnerable to DoS Attacks

Microsoft released a dozen security updates this month (which incidentally fix nearly two dozen flaws), but the updates don't include a fix for a known Denial of Service (DoS) attack that could cause an affected system to crash.

http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/93119/WindowsSecurity_93119.html

Cult of the Dead Cow Puts Malware Samples Online

Offensive Computing, an offshoot of Cult of the Dead Cow (cDc), which labels itself a "technology activist group," offers a new malware library on its Web site.

http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/93103/WindowsSecurity_93103.html

Name That Computer!

Jeff Fellinge looks at how naming conventions and IP standards can help you quickly identify systems, then compares the approaches that two everyday Windows tools take to resolve IP addresses to names.

http://www.windowsitpro.com/Article/ArticleID/49793

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: Shavlik

Patch and Spyware Management: An Integrated Approach to Network Security

Manage threats and vulnerabilities from adware and spyware in one console as a comprehensive approach to maximizing network security.

http://www.windowsitpro.com/go/whitepapers/shavlik/adwareconsole/?code=SECHot08

=== GIVE AND TAKE

SECURITY MATTERS BLOG: Shine Some Light on Potential UAC Problems

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Windows Vista introduces User Account Control (UAC), which might cause problems for some applications that aren't designed to run under the least-privileged user account (LUA) approach. Aaron Margosis released a tool, LUA Buglight, that might help you discover the source of such problems.

http://www.windowsitpro.com/Article/ArticleID/93102/93102.html

FAQ: Process Explorer

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: What is the Process Explorer utility?

Find the answer at

http://www.windowsitpro.com/windowsnt20002003faq/Article/ArticleID/92973/windowsnt20002003faq_92973.html

SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS

by Renee Munshi, [email protected]

Antispyware on the Go

ParetoLogic announces the immediate availability of XOFTspy Portable, which consists of the antispyware program XoftSpySE running on a U3 smart USB flash drive. XOFTspy Portable is licensed for use on multiple computers and is designed to protect roaming users on whatever PC they might use. In addition to cleaning the computers a user plugs it into, the product protects the data and applications stored on the device itself. XOFTspy Portable costs $14.95, and more information is available at

http://www.paretologic.com/products/xoftspypa/index.aspx

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS

Is your continuity solution letting you down? If you're not getting 100% coverage against lost or missing messages, even for short, unplanned outages, you might be jeopardizing your messaging system's integrity and your company's productivity. Learn how to manage disruptions to your messaging environment without breaking the bank in the process. View the on-demand Web seminar today!

http://www.windowsitpro.com/go/seminars/messageone/neverlose/?partnerref=0816emailannc

Use policy-based deployment to easily configure and deploy throughout your organization desktop spyware protection that provides AD support, an easy Admin Console for centralized management, and one of the most robust spyware threat databases in the industry. View the demo today!

http://www.windowsitpro.com/go/download/sunbelt/counterspydemo/?code=0816emailannc

Incorporate Virtual Machines into Your Disaster Recovery Plan

Join us for this free Web seminar to learn how incorporating VMs into your disaster recovery plan can reduce your TCO by 50% or more, reduce hardware cost, and simplify management. Attend the live Web seminar and get your questions answered by industry leaders from VMware and CA XOsoft. Live Event: Tuesday, September 19.

http://www.windowsitpro.com/go/seminars/xosoft/virtualmachines/?partnerref=0816emailannc

Any unscheduled downtime--especially of your Exchange systems--can quickly affect your company's bottom line. Learn the essential skills to reduce downtime to minutes instead of hours.

http://www.windowsitpro.com/go/essential/lucid8/exchange/?code=0816emailannc

Are you ready for the next spyware attack? Make sure--learn from industry expert Mark Joseph Edwards. Protect against emerging spyware threats, including rootkits, keyloggers, and distribution methods. View the on-demand Web seminar today!

http://www.windowsitpro.com/go/seminars/webroot/spyware/?partnerref=0816emailannc

=== FEATURED WHITE PAPER

Are you vulnerable when your users access the Internet outside the corporate network? Track and monitor remote access easily and unobtrusively to make sure that your intellectual assets are secure. Download the free whitepaper and find out more today!

http://www.windowsitpro.com/go/whitepapers/surfcontrol/remoteaccess/?code=0816emailannc

=== ANNOUNCEMENTS

Save $40 off Windows IT Pro Magazine

Subscribe to Windows IT Pro magazine today and SAVE up to $40! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2068uw

Invitation for VIP Access

For only $29.95 per month, you'll get instant VIP online access to ALL articles published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. Sign up now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2768um