Security UPDATE--Hacking Contests Serve a Great Purpose--May 9, 2007


CIPA - Keeping Students Safe on the Net

Administering Windows Vista Security

Control of Software Use and Reduce Audit Risk



IN FOCUS: Hacking Contests Serve a Great Purpose


- Month of ActiveX Bugs Bears Dangerous Fruit

- Microsoft Launches Forefront Client Security and System Center Essentials 2007

- Recent Security Vulnerabilities


- Security Matters Blog: AACS Uproar

- FAQ: How to Create a Bootable USB Flash Device

- From the Forum: Network Monitoring with EtherApe

- Product Evaluations from the Real World

- Share Your Security Tips


- Security-Check Your Email on the Network Edge




=== SPONSOR: Cyberoam


CIPA - Keeping Students Safe on the Net

Protecting students from the millions of sites that house pornography, adult chat rooms, violence & hacking can provide not just a safe surfing atmosphere to minors in schools and libraries, but also qualify the institutions for federal E-rate funding through CIPA compliance.

=== IN FOCUS: Hacking Contests Serve a Great Purpose


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You might recall that last month at the CanSecWest security conference, a challenge was offered for anyone to attempt to break into one of two Apple MacBook Pro laptop systems running OS X. Whoever was successful would win the laptop they broke into. As added incentive, TippingPoint (a division of 3Com) offered a $10,000 cash prize for exclusive rights to details of any vulnerability used to break into the OS.

Of course someone did find a way to break into one of the two laptops. Dino Dai Zovi working in tandem with Shane Macaulay exploited a vulnerability (discovered by Dai Zovi) that exists in the combination of Apple QuickTime and Java. The exploit gave them the ability to access a command shell on OS X. As it turns out, the vulnerability also affects Windows platforms, which makes the vulnerability even more dangerous because it affects a much wider base of computer users around the world.

Last week, Gartner spoke out against public vulnerability research in general as well as hacking contests like the one recently held at CanSecWest. Writing in a research brief for Gartner, research vice presidents Rich Mogull and Greg Young stated that, "Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements. Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities--which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."

Mogull and Young apparently think that no vulnerability should be known to the public until vendors can first develop a patch. While there is certainly an advantage to that approach, there truly is little if any security offered through that sort of obscurity. It's been shown time and time again that when risks are known by the public, then adequate precautions can be taken either by users or by their solution providers.

Most striking to me is the fact that Mogull and Young overlook a glaring problem in picking the CanSecWest contest as the foundation of their rather weak argument. Dai Zovi didn't know of the vulnerability in advance of the contest. He was contacted by Macaulay from the conference and asked if he could find a way into the OS X system so that they could then split the prize package. Macaulay would get the laptop, and Dai Zovi would get the money. Only then did Dai Zovi go to work to try and find a weakness. Dai Zovi later reportedly said that he was more motivated by the challenge itself rather than the $10,000 cash prize.

Obviously, without the CanSecWest challenge, the QuickTime flaw might not have come to light until a much later date, and it might have been because of some sort of malicious code that exploited the vulnerability and that was unleashed on the unprepared public. We could have all been completely blindsided, and at great expense. So the way I see it, thanks are due to CanSecWest, TippingPoint, Dai Zovi, and Macaulay.

The discovery of this particular vulnerability makes it clear that hacking contests serve a great purpose when they're conducted in a controlled manner with strict guidelines, such as those spelled out by the organizers of CanSecWest as well as TippingPoint.

Furthermore, a mere seven days after the QuickTime vulnerability was discovered, Apple released an update (available at the URL below) that fixes the problem, which demonstrates how a well-run challenge and a lot of press coverage gets bugs fixed really fast.


Calling All Windows IT Pro Innovators!

Have you developed a solution that uses Windows technology to solve a business problem in an innovative way? Enter your solution in the 2007 Windows IT Pro Innovators Contest! Grand-prize winners will receive airfare and a conference pass to Windows and Exchange Connections in Las Vegas, November 5-8, 2007, plus more great prizes and a feature article about the winning solutions in the November 2007 issue of Windows IT Pro. Contest runs through August 1, 2007. To enter, click here:

=== SPONSOR: Symantec


Administering Windows Vista Security

Join Paul Thurrott for a deep dive into administering Windows Vista's new security features with an emphasis on the new Group Policy settings that are exposed by this release including USB device blocking and the new Microsoft Desktop Optimization Pack. Paul will also discuss compliance features in Windows Vista, and upcoming security innovations that will be enabled by combining Windows Vista with Windows Server "Longhorn". On-Demand Web Seminar



Month of ActiveX Bugs Bears Dangerous Fruit

On the heels of the Month of Kernel Bugs, Month of Browser Bugs, Month of Apple Bugs, and Month of PHP Bugs comes the Month of ActiveX Bugs (MoAxB). Launched by someone who uses the name "shinnai," the project has so far revealed at least five serious vulnerabilities that can allow remote code execution.

Microsoft Launches Forefront Client Security and System Center Essentials 2007

At a customer meeting attended by more than 1,000 IT professionals in Los Angeles, Microsoft Senior Vice President Bob Muglia launched two new products to help secure systems and simplify management tasks.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Macrovision


Control of Software Use and Reduce Audit Risk

Do you have visibility and control over your software license use? Most organizations face a number of serious challenges, including understanding vendor licensing models, cost overruns, missed deadlines, business opportunities, and lost user productivity. Learn to address these challenges, and prepare for audits. Register for the free Web seminar, available now!




by Mark Joseph Edwards,

The encryption key initially used for the Advanced Access Content System (AACS) in HD DVD and Blu-ray disks was cracked, and the key is widely known at this point. Some people are spreading the key information in very funny ways.

FAQ: How to Create a Bootable USB Flash Device

by John Savill,

Q: How can I create a bootable USB flash device running Windows Preinstallation Environment (PE) 2.0?

Find the answer at

FROM THE FORUM: Network Monitoring with EtherApe

A forum participant wants to implement a network traffic monitor to see who's taking up bandwidth. He plans to use EtherApe on a Linux box. He has a switch capable of port mirroring. The Linux desktop is connected to one of the ports, and another port is mirroring the Linux desktop port. Should the desktop have two NICs so that he can log onto the machine and see what's going on in the network?


Share your product experience with your peers. Have you discovered a great product that saves you time and money? Do you use something you wouldn't wish on anyone? Tell the world! If we publish your opinion, we'll send you a Best Buy gift card! Send information about a product you use and whether it helps or hinders you to [email protected]


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Security-Check Your Email on the Network Edge

Mirapoint introduced RazorGate, an email security appliance that's designed to reject unwanted messages and enforce centrally managed email policies without relying on IT resources behind the corporate firewall. Email addresses and policy service attributes are loaded into RazorGate's Embedded Policy Engine, so RazorGate can consult its own directory outside the firewall rather than querying the corporate directory through holes in the firewall to determine how to handle messages and to enforce policies. Thus, RazorGate takes load off the firewall, internal network, and corporate directory. The RazorGate appliance starts at $5,250. For more information, go to



For more security-related resources, visit

Get Ready for Exchange & Office 2007 Roadshow--free!

The Microsoft-partnered Get Ready for Exchange & Office 2007 Roadshow is coming to Stockholm! Three independent, respected technical speakers--Jim McBee, Mark Arnold, and Ben Schorr--will deliver tracks on securing, managing, and deploying Exchange and Office 2007 and using Exchange Server 2007 capabilities to improve your messaging environment. Register today for this free day-long event. Your delegate bag will include Microsoft Exchange Server 2007 and Office 2007 Beta 2 Software Kits.

Venue: Berns Hotel, Stockholm

Date: Monday, 14 May 2007

Can your business's Exchange high-availability standards guarantee that users can always access email, even during an outage? Maximize your availability strategy by learning new approaches, such as proper management practices, how to improve clustering and log replication, and how to achieve service outage protection.

Join Paul Robichaux as he presents a disaster recovery planning checklist that you can use to help guide your Exchange 2000/2003/2007 disaster recovery planning. Learn what you should do first, last, and in between to solidify your Exchange infrastructure and be assured of a successful disaster recovery operation. Listen to this on-demand Web seminar at your convenience.



You can't prevent nature from throwing floods, hurricanes, and earthquakes at your IT systems. You can't always control what people do to your systems, either. Download this free eBook and learn to protect your business from disasters of all kinds.



Introducing a Unique Security Resource

Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!

Introducing a Unique Exchange and Outlook Resource

Exchange & Outlook Pro VIP is an online information center that delivers new articles every week on messaging topics such as administration, migration, security, and performance. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!


Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.