Security UPDATE--Security Researchers: Readers Respond--January 12, 2005


This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Debunking the Top 5 Myths of Outsourcing Email Security

Exchange & Outlook Administrator


1. In Focus: Security Researchers: Readers Respond

2. Security News and Features

- Recent Security Vulnerabilities

- Microsoft WINS and SQL Server Targeted

- SQL Injection Attacks by Example

- Shavlik Enters Anti-Spyware Market

3. Security Matters Blog

- Liquid Wi-Fi Containment

- The Lunacy of Some Junk Mail

4. Instant Poll

5. Security Toolkit


- Security Forum Featured Thread

6. New and Improved

- Survey Wireless Activity


==== Sponsor: Postini ====

Debunking the Top 5 Myths of Outsourcing Email Security

As spam and email-borne viruses continue to threaten the productivity and stability of email systems, enterprises are evaluating various anti-spam email security solutions including buying software or appliances for deployment in-house, or outsourcing email security to a managed service. In this free White paper, you'll find out the five most common myths surrounding the concept of outsourcing email security. Plus, you'll gain an understanding of the benefits gained from using a managed service for email security including improved protection against new email threats and attacks, lower infrastructure costs, less administrative burden, and reduced risk and complexity. Get this white paper now!


==== 1. In Focus: Security Researchers: Readers Respond ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote that I think some security researchers release too much information too soon, which invariably leads to exploits being unleashed on the unsuspecting masses. I also wrote that some so-called "researchers" make little if any effort to inform vendors of their discoveries but claim that they've tried and failed to find vendor contact information. This week, I'd like to share some of the responses we've received.

One reader wrote, "It seems to me that working on your own time and budget and publishing an exploit to the public is already more than enough of a contribution to the [number one] software seller in the world. Mark suggests that researchers should invest even more of their own time to do what the [business] itself should be doing - fixing the security problems of their own products. After all, as he states, the places where these researchers publish are well known. So it eludes me why he isn't lamenting about the lack of vision, investment and commitment to security by the [business] itself."

I should point out that last week I didn't mention anything that pertains to what vendors do. Nor did I suggest that researchers invest more of their time. It's possible that this particular reader doesn't comprehend how much time it takes to develop a patch and test it carefully before making it available to the public.

The reader further said, "Maybe the corporate leaders could learn something about the drive to excellence from Donald E. Knuth and, as he did, [write] $1 checks for errata submissions [and offer $500] for a proven vulnerability [...] if the price tag seems high - it's not. It's a [pittance] against typical [research hours] spent and even less if compared to potential damages and loss [incurred] by [a vendor's] customers."

One thing to keep in mind is that researchers looking for vulnerabilities do so by their own choice. If a vendor isn't compensating them for their work, they don't have to hunt for vulnerabilities in that vendor's products. That logic seems simple enough to me.

Another reader wrote, "[...] you are assuming [that certain researchers] are assuming [two things]: One, as a systems administrator I am too incompetent to do my job. It's true most administrators may not get around to patching their systems for some time, but those are business decisions made because something else has been deemed more important at the time. [...] you also assume that the exploit would not have been found by someone with malicious intent and exploited anyway. Certainly if you or I can go through line after line of code, then so can the malcontents. At least with some warning of what to look out for / what application / what port / what whatever, I stand a better chance of being able to defend against any attack."

I want to assure you that I don't think that systems administrators are incompetent, and I do realize that patching is a unique process for each business. I think many, if not most, of you would agree with the reader's second point--that malicious coders might find vulnerabilities if researchers don't. I also think you'd agree that there is a tremendous difference between telling the world what to look out for and giving the world working proof-of-concept code before a patch is available and before people have a reasonable amount of time to install that patch.

Another reader wrote, "Our beloved 'last chance effort' has become an advertising domain for companies who say they are in the 'security' business. It seems to me that the [security mailing lists] are being well abused and end users, companies, and vendors are paying the price. I no longer support the full-disclosure lists (and have voiced my opinion to the CISSP forum) because of the complete lack of regard of safety and proper ways to deal with vulnerabilities by some 'researchers'."

That is precisely the problem I see: lack of regard of safety and improper handling of vulnerabilities. If they really wanted to, some of the so-called researchers could make a more diligent effort to contact vendors, allow ample time for vendors to produce patches, and allow the public ample time to become aware of those patches and install them--before publishing proof-of-concept code. They could also keep in mind that not everybody has the desire or time to think about, and monitor, computer security issues all day, every single day. Greater consideration for others might be in order.

We're conducting a new poll that asks, "Do you think security researchers should allow more time before releasing proof-of-concept code?" Visit the Security Hot Topic Web page and let us know your opinion.

Until next time, have a great week!


==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Microsoft WINS and SQL Server Targeted

The Internet Storm Center (ISC) reports that attempts to penetrate systems through WINS and SQL Server have been detected. Read this article to learn how to ensure that your systems aren't vulnerable.

SQL Injection Attacks by Example

If you use SQL Server as a back end for your applications, have you protected against injection attacks? Such attacks inject attacker-supplied text into SQL statements, which might lead to the inadvertent exposure of sensitive information or, in the worst case, to a total system and/or network compromise. Steve Friedl recently released a white paper, "SQL Injection Attacks by Example," which discusses the steps he took during a recent security audit to penetrate a customer's system.

Shavlik Enters Anti-Spyware Market

Shavlik, known for its popular security solutions, says that spyware blocking should be handled by systems administrators, not end users. The company said that it will enter the enterprise antispyware market with the release of an upcoming product, NetChk Spyware.


==== Announcements ====

(from Windows IT Pro and its partners)

InfoSec World 2005, April 4-6, 2005, Orlando, FL

InfoSec World 2005 is where connections are made. Expand your knowledge with the hottest topics and get real-world strategies and tested techniques for meeting your toughest information security challenges. With a full spectrum of events, InfoSec World offers an array of stimulating programs, presentations, activities, networking opportunities and more!

Try a Sample Issue of Windows Scripting Solutions

Windows Scripting Solutions is the monthly newsletter that shows you how to automate time-consuming, administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Plus, get online access to our popular "Shell Scripting 101" series--click here!

Discover All You Need to Know About 64-bit Computing in the Enterprise

In this free on-demand Web seminar, you'll learn the most important factors and best uses of 64-bit technology. Join industry expert Mike Otey as he compares 32-bit and 64-bit technology and reveals the best platform for high performance. You'll also learn how to successfully migrate and manage the two. Register now!

New Web Seminar! Meeting the Risks of Instant Messaging Head On

In this free seminar, we'll expose you to the wide variety of risks associated with IM-like malware and the disclosure of confidential information, and explain how these risks can be mitigated. You'll learn which risks can be addressed without special IM security solutions and which can't. And you'll receive a list of top requirements to consider when evaluating an IM security solution. Register now!


==== 3. Security Matters Blog ====

by Mark Joseph Edwards,

Check out these recent entries in the Security Matters blog:

Liquid Wi-Fi Containment

Looking for a way to contain your Wi-Fi signals and block unwanted outside signals? An extra coat of paint might be your answer.

The Lunacy of Some Junk Mail

Why would a company harvest my email address and spam me in order to ask me to pay them $36 per year to remove my name from spam lists?

==== 4. Instant Poll ====

Results of Previous Poll:

Do you think Microsoft should improve its security alerting process?

The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 73 votes:

82% - Yes, it should send alerts about all security updates

18% - No, the process works fine for me the way it is

New Instant Poll:

Do you think security researchers should allow more time before releasing proof-of-concept code?

- Yes, they should wait until well after a patch is released

- They should not release such code at all

- No

Go to the Security Hot Topic and submit your vote for

==== 5. Security Toolkit ====

FAQ: What's the Portqry tool?

by John Savill,

Find the answer at

Security Forum Featured Thread: Fending Off DDoS Attacks

A forum participant has questions regarding the Wired Equivalent Privacy (WEP) standard and Wireless Transport Layer Security (WTLS). He wonders if the two can be used together, whether WEP is configured on both the wireless NIC and the wireless Access Point (AP), and where to configure WTLS. Join the discussion at:


==== Events Central ====

(A complete Web and live events directory brought to you by Windows IT Pro at )

Sensible Best Practices for Exchange Availability Web Seminar--January 27

If you're discouraged about not having piles of money for improving the availability of your Exchange server, join Exchange MVP Paul Robichaux for this free Web seminar and learn how to maximize your existing configuration. Survive unexpected outages, plan for the unplannable, and evaluate what your real business requirements are without great expense. Register now!


==== 6. New and Improved ====

by Renee Munshi, [email protected]

Survey Wireless Activity

AirMagnet announced the latest version of AirMagnet Surveyor, which expands the features of the wireless LAN (WLAN) site survey tool and customizes the tool to meet the needs of two distinct user groups. Surveyor 2.0 Standard Edition is for network managers who set up their own wireless LANs and routinely perform their own site surveys. Surveyor 2.0 PRO adds reporting of in-depth survey data for site surveyors and consultants who install and deploy WLANs as their core business. AirMagnet Surveyor products perform active surveys, associating with specific Access Points (APs) or Service Set Identifiers (SSIDs) to gather actual end user performance information and multifloor site surveys. AirMagnet Surveyor 2.0 is priced at $1995 for the Standard Edition and $3195 for the PRO edition. Current customers can upgrade for free. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
