Security UPDATE--Social Engineering: Another Focus Area for 2006--January 4, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

St. Bernard Software



1. In Focus: Social Engineering: Another Focus Area for 2006

2. Security News and Features

- Recent Security Vulnerabilities

- Windows Graphics Rendering Vulnerability Leaves Countless Computers Unprotected

- Microsoft Hones Internet Explorer 7.0 Security

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- Encrypt Your Wireless Communications for Free


==== Sponsor: St. Bernard Software ====

Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter

Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now!


==== 1. In Focus: Social Engineering: Another Focus Area for 2006 ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Do you know people who simply must have the latest and greatest software, even if that means running beta code? The number of people who fit that description is probably staggering. There's nothing wrong with wanting to run better or newer software, but people who let an emotional urge overpower their common sense and caution are open to social engineering exploits. Enter one "MSN Messenger 8.0 Beta."

Last week, a Trojan horse program that purported to be a copy of a leaked MSN Messenger beta began to spread. The "leaked beta" supposedly boasts many new features, all of which are designed to entice people into downloading it. But no such beta exists. People who downloaded and installed the file infected their systems with a Trojan horse, which then sent IM messages to other MSN Messenger users trying to coax them into installing the program. The Trojan horse program includes proxy and remote command shell capabilities, can perform Denial of Service (DoS) attacks, connects the system to a botnet, and more. In short, it's a disaster on any computer.

Another security problem also became known last week. A severe vulnerability that can be used to execute arbitrary code on an affected system was discovered in the Windows Graphics Rendering Engine. You can read more about that problem in the news story "Windows Graphics Rendering Vulnerability Leaves Countless Computers Unprotected."

Exploits are of course circulating on the Internet, and no patch is available. Many of these try to coax users into visiting malicious Web sites, which can infect their systems even if they don't download any files. Other exploits might arrive via email, IM clients, or other inroads. A number of exploits related to this and other vulnerabilities rely on social engineering--which is a nice way of saying that they rely on the ignorance of computer users.

Last week, I wrote about three areas (least-privileged user accounts, rootkits, and backups) that will most likely be major focus areas for security administrators in 2006. If I had to pick an additional item to add to that list, I'd say computer user education. Security tools are getting better with each passing month, but these tools will never replace the need for user education (which hopefully promotes common sense and caution). User education might minimize the need for some security tools. But more frequently, user education could help you shift the focus of your security work from reactive mode to proactive mode. If computer users become savvy enough to sense when they're being baited, they won't fall victim to attacks as often. As a result, your security-related work could become less hectic.

In 2006, consider investing in end user security education, particularly in regard to increasing users' awareness of predatory mindsets. If you can make that one of your priorities, you'll likely see returns sooner rather than later.


==== Sponsor: BindView ====

As a result of growing credit card identity theft, the PCI Data Security Standard was developed and is rapidly becoming a requirement for all organizations to protect the privacy of cardholders and their confidential information. In this free white paper you'll get the tips you need to prepare and comply with PCI-Data Security standards, including defining the 12 major requirements, how those requirements affect IT and more!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Windows Graphics Rendering Vulnerability Leaves Countless Computers Unprotected

Exploits are spreading rapidly that take advantage of a vulnerability in Microsoft's Graphics Rendering Engine. Microsoft released an advisory, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution," which explains the problem in some detail and offers simple workarounds that can protect systems until a patch is available.

Microsoft Hones Internet Explorer 7.0 Security

Microsoft engineers detailed changes to Microsoft Internet Explorer (IE) 7.0's security model, which will include new security zone settings not found in IE 6.0. The new version will also include several changes to the way international domain names are processed and other security enhancements.


==== Resources and Events ====

SQL Server 2005: Up & Running Roadshows Coming to Europe!

SQL Server experts will present real-world information about administration, development, and business intelligence to help you put SQL Server 2005 into practice and learn how to use its new capabilities. Includes one-year PASS membership and subscription to SQL Server Magazine. Register now for London and Stockholm, Sweden:

Black Hat Federal Briefings and Trainings

January 23-26, 2006, Sheraton Crystal City, Washington, DC. This new show--with 4 Briefings tracks and 11 Training classes--focuses on the problems and issues that governments face in protecting their infrastructure. Content will be oriented toward attack and defense, from rootkit detection to IDS evasion. Stellar speakers include Michael Lynn, Simson Garfinkel, Halvar Flake, and Dan Kaminsky.

Visit for complete updates.

Enabling Secure Collaboration in the Workplace

Join Microsoft and Sybari experts and learn how to help foster collaboration among employees and partners while reducing security risks and enforcing corporate compliance policies.

WEB SEMINAR: Validate your disaster recovery data and learn if your backup and restore data is worth staking your career on.

EBOOK: Learn all you need to know about today's most popular security protocols for secure Web-based communications.


==== Featured White Paper ====

WHITE PAPER: Optimize your existing Windows Server infrastructure with the addition of server and storage consolidation software and techniques.


==== Hot Spot ====

Secure Your Online Data Transfer with SSL

Increase your customers' confidence and your business by securely collecting sensitive information online. In this free white paper you'll learn about the various applications of SSL certificates and their appropriate deployment, along with details of how to test SSL on your web server.


==== 3. Security Toolkit ====

Security Matters Blog: Turn Your Wireless Router into an IDS

by Mark Joseph Edwards,

If you have a spare Linksys WRT54G or WRT54GS wireless router lying around (or can buy a new one), why not turn it into a Snort-based intrusion detection device? You can do so relatively easily if you have some amount of Linux knowledge.

FAQ by John Savill,

Q: How do I install new Windows Server 2003 R2 features?

Find the answer at

Security Forum Featured Thread: Personal Firewall for Windows Server 2003

A forum participant has a Sygate firewall that has been compromised a few times in the course of a week by Denial of Service (DoS) attacks or other nontraceable means. He wants to replace it with a similar product that runs under Windows Server 2003 and is looking for product suggestions. Join the conversation at


==== Announcements ====

(from Windows IT Pro and its partners)

Get Full Online Access to Windows IT Pro

Order a Monthly Online Pass now and get INSTANT access to all articles, tools, and helpful resources published on, including exclusive Web content. You'll have 24/7 access to the Windows IT Pro article database (includes more than 9000 articles) and get the latest digital issue of Windows IT Pro delivered to your inbox. Order now for just $5.95 per month:

Celebrate the New Year with Windows IT Pro Magazine

You won't want to miss any of Windows IT Pro's upcoming 2006 issues! Subscribe now and discover the best ways to plan for Longhorn, the need-to-knows of VBScript, ways to make sense of SQL Server 2005, the 10 Security Tools You Can't Live Without, Vista launch essentials, and much more. You'll save $40 off the full cover price and gain exclusive access to the entire Windows IT Pro online article database FREE. Subscribe today:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Encrypt Your Wireless Communications for Free

iOpus Software has released iOpus Private Internet Gateway (iPIG), which uses 256-bit Advanced Encryption Standard (AES) technology to protect email and IM messages; Web, Voice over IP (VoIP), and FTP traffic; and other inbound and outbound communications you receive and send over Wi-Fi or wired networks. iPIG runs under Windows 2000/XP/2003 and is available without charge. You can also set up your own iPIG VPN server for up to five users without charge. The iPIG Server PRO Edition, which allows an unlimited number of users, is available for $99.95. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
