Security UPDATE--Another Perspective on OS Haste--July 26, 2006

IN FOCUS: Another Perspective on OS Haste

NEWS AND FEATURES

- Microsoft Gains Winternals Expertise

- Skype Protocol Cracked?

- Zero-Day PowerPoint Exploit on the Loose

- Authentication Options

- Recent Security Vulnerabilities

GIVE AND TAKE

- Security Matters Blog: Who Is Connected to Your Systems?

- FAQ: Security Assessment

- From the Forum: Network Drive Folders

- Calling All Windows It Pro Innovators

- Take the Windows IT Pro Salary Survey

- Share Your Security Tips

PRODUCTS

- More Security Events Managed Faster

- Tell Us About a Hot Product

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Surf Control

Achieve compliance in today's complex regulatory environment, while managing threats to the inward- and outward-bound communications vital to your business. Adopt a best-practices approach, such as the one outlined in the international information security standard ISO/IEC 17799:2005. Download the whitepaper today to secure the confidentiality, availability and integrity of your corporate information!

http://www.windowsitpro.com/go/whitepapers/surfcontrol/securitystandard/?code=SECTop0726

=== IN FOCUS: Another Perspective on OS Haste

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about Microsoft CEO Steve Ballmer's comment, "Rest assured we will never have a gap between Windows releases as long as the one between XP and Windows Vista." My perspective was that longer release cycles often help with the security aspects of OS development, primarily because they provide more time to work on features and functions.

I received a response from a reader who has a different perspective on release cycles. The reader wrote that we might "be better off from a security \[point of view\] shipping \[OS releases\] more rapidly." The reader argues that "threats evolve quickly, and so must our responses. \[Not to imply\] that it is OK to turn out bad quality, but quick \[OS upgrade turnaround times\] give \[developers\] more flexibility to respond to changing conditions. \[On the other hand,\] it's hard to \[create\] really innovative stuff in short stages, so there also need to be some long cycles to accommodate \[the truly creative aspects of OS evolution\]."

He continues, "Here's another wrinkle to consider: If you go a long time between releases, upgrading becomes harder, and the \[end users\] stay on the old version longer. \[It seemed like\] it was going to take forever for people to migrate \[away from Windows NT 4.0.\] A lot of \[the migration delay was\] because it was a fairly long haul between NT 4.0 and Win2K, and there were a lot of changes \[including\] a whole new \[user interface\], a whole new administration model, etc. \[Because of such dramatic differences, end users kept using\] the old \[OS\] longer, which isn't good for security. \[So it appears that\] if we want to optimize for security, we need to shorten the upgrade cycle, not lengthen it."

The reader also offered some observations about Microsoft Office: First, Microsoft did a good job of upgrading the Office suite, including auditing the code to find faults that could have led to security problems. Because of the security focus placed on the Office suite, there weren't many vulnerabilities for roughly two years. However, the reader pointed out that a few significant changes took place in the security community in the meantime: "The attackers have a business model--vulns do sell for about $25K--and they're using some reasonably sophisticated fuzzers." (Fuzzers inject all sorts of data into applications to look for weaknesses).

The reader's opinion is that effectively all the work Microsoft did on Office bought the company about two years of time. But, because of unforeseen developments in the realms of intrusion, Microsoft could have actually used three years of time without vulnerabilities because that's how long it's taking to ready the next release of Office. Therefore, "if the release cycle of Office were shorter, they'd be in a better defensive position, but then again, \[Microsoft\] can't \[develop the really creative stuff, as seen in the new version of Office\] on a short cycle."

So there you have it: A very different perspective from the one I presented last week. My thanks to the reader (who wished to remain unnamed) for providing an argument that makes a lot of sense.

=== SPONSOR: SPI Dynamics

ALERT: "How A Hacker Launches A LDAP Injection Attack!" White Paper

It's as simple as placing additional LDAP query commands into a Web form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because LDAP Injections are seen as valid data. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/LD.asp?Campaign_ID=70160000000CYh4

=== SECURITY NEWS AND FEATURES

Microsoft Gains Winternals Expertise

Microsoft announced last week that it had acquired privately held Winternals Software, which is widely known for its commercial and freeware Windows tools.

http://www.windowsitpro.com/Article/ArticleID/92766

Skype Protocol Cracked?

The hugely popular VoIP software Skype uses a proprietary protocol. But now a Chinese company has reportedly reverse-engineered the Skype protocol and plans to release compatible software in the near future.

http://www.windowsitpro.com/Article/ArticleID/92709

Zero-Day PowerPoint Exploit on the Loose

A new flaw has been discovered in Microsoft PowerPoint that could allow intruders to execute remote code if a user opens an affected PowerPoint file. An exploit is circulating that includes a Trojan horse that opens a backdoor into the system. Microsoft is aware of the problem, but no patch is available at this time.

http://www.windowsitpro.com/Article/ArticleID/92721

Authentication Options

What can a security administrator do to avoid the risks associated with passwords? A bewildering array of alternatives to the use of usernames and passwords exists. Three of the most popular alternatives are smart cards, tokens, and biometric readers. John Howie discusses the pros and cons of each solution and the scenarios in which they work best.

http://www.windowsitpro.com/Article/ArticleID/50550

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: CrossTec

Are you spending too much time monitoring security logs?

Activeworx collects event logs from all your security devices and vendors to provide a single Dashboard view along with correlated alerts; hundreds of compliance reports; and deep forensics tools. Easy to install and use. Free White Paper or Try Activeworx yourself - 30 minute Install & Free Tech Support.

http://www.crossteccorp.com/TryASC/?utm_source=WinITPro&utm_medium=newsletter&utm_campaign=asc072606

=== GIVE AND TAKE

SECURITY MATTERS BLOG: Who Is Connected to Your Systems?

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

WhoIsConnected is a nifty tool that lets you see what connections are open on your systems. The tool goes beyond the functionality found in Microsoft's staple Netstat command-line tool.

http://www.windowsitpro.com/Article/ArticleID/92722

FAQ: Security Assessment

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How can I perform a high-level security assessment of my company's computing environment?

Find the answer at http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/92696/92696.html

FROM THE FORUM: Network Drive Folders

A forum participant would like to hear the pros and cons of putting passwords on individual files that are shared among users in multiple locations around the country.

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=48424&enterthread=y

CALLING ALL WINDOWS IT PRO INNOVATORS

Have you developed a solution that uses Windows technology to solve a business problem in an innovative way? Enter your solution in the 2006 Windows IT Pro Innovators Contest! Grand-prize winners will receive airfare and a conference pass to Windows and Exchange Connections in Las Vegas, November 6-9, 2006, plus more great prizes and a feature article about the winning solutions in the November 2006 issue of Windows IT Pro. Contest runs through August 1, 2006.

To enter, go to http://www.windowsitpro.com/AWARDS/innovators_2006.cfm

TAKE THE WINDOWS IT PRO SALARY SURVEY

We need your help! Windows IT Pro is launching its third Windows IT Pro Industry Salary Survey, and we want to find out all about you and what makes you a satisfied IT pro. When you complete the survey (about 10 minutes of your time), you'll be entered in a drawing for one of five $100 American Express gift certificates. Look for the survey results--and how you stack up against your peers--in our December issue. To take the survey, go to

https://websurveyor.net/wsb.dll/12237/WITPSalarySurvey06.htm

SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS

by Renee Munshi, [email protected]

More Security Events Managed Faster

eIQnetworks announced the general availability of Enterprise Security Analyzer (ESA) 2.5. eIQ says the performance of this latest version of its event management application has improved 100 percent: ESA 2.5 can process 15,000 events per second on one server and tens of thousands of events per second across multiple servers. ESA 2.5 also adds Oracle and Microsoft SQL Server event management, support for Payment Card Industry (PCI) guidelines, and compliance modules for major federal and industry mandates including Sarbanes Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), and the Health Information Portability and Accountability Act (HIPAA). The entry price of $7995 includes licensing for five devices and five hosts. For more information, go to

http://www.eiqnetworks.com

Tell Us About a Hot Product and Get a Best Buy Gift Card!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to [email protected].

=== RESOURCES AND EVENTS

Learn to easily configure and deploy desktop spyware protection throughout your organization by using policy-based deployment, AD support, an Admin Console for easy centralized management, and one of the most robust spyware threat databases in the industry. View the demo today!

http://www.windowsitpro.com/go/download/sunbelt/counterspydemo/?code=0726emailannc

Is your continuity solution letting you down? If you're not getting 100% coverage against lost or missing messages, even for short, unplanned outages, you might be jeopardizing your messaging system integrity and your company productivity. Learn how to manage disruptions to your messaging environment without breaking the bank in the process. Live Event: Tuesday, August 3

http://www.windowsitpro.com/go/seminars/messageone/neverlose/?partnerref=0726emailannc

Gain control of your messaging data with step-by-step instructions for complying with the law and ensuring your systems are working properly, and ultimately make your job easier. Download the latest eBook chapter today: Hardware and Software Implementation

http://www.windowsitpro.com/toolkits/ilumin/index.cfm?code=0726emailannc

Take the necessary steps for managing application migration to a new OS, from converting legacy applications to MSI to customizing applications to fit corporate standards. Don't overlook an important component of an OS migration--join us for this free Web seminar, now available on demand.

http://www.windowsitpro.com/go/seminars/macrovision/appmanagement/?partnerref=0726emailannc

Gear up for TechX World Roadshow

Hear first-hand from today's leading interoperability experts, vendors, and peers at this exclusive one-day event. You'll learn about OS interoperability management, directory migration, data interoperability, and much more. This event provides in-depth information on how Windows and other systems cooperate with each other.

http://www.techxworld.com/registration/?code=0726emailannc

=== FEATURED WHITE PAPER

On average, enterprises spend $10 million anually on IT compliance. How much is your company spending? Learn to streamline and automate the compliance life cycle and reduce your costs today!

http://www.windowsitpro.com/go/whitepapers/scalable/compliance?code=0726featwp

=== ANNOUNCEMENTS

Invitation for VIP Access

Become a VIP subscriber and get continuous, inside access to ALL content published in Windows IT Pro, SQL Server Magazine, and the Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CDs that include the entire article database and are delivered twice per year. Order now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2767uv

Save $40 off Windows IT Pro Magazine

Subscribe to Windows IT Pro magazine today and SAVE up to $40! Along with your 12 issues, you'll also get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2068uw