Security UPDATE--New Services and Devices Bring New Security Risks--October 3, 2007

IN FOCUS: New Services and Devices Bring New Security Risks

NEWS AND FEATURES

- Danish Company Offers Free Web Application Firewall

- Sun to Synchronize Java Security Updates

- Mobile Device Security: Whose Data Is It, Anyway?

- Recent Security Vulnerabilities

GIVE AND TAKE

- Security Matters Blog: SSHFS Mounts Remote Linux File Systems; Worm Author Gets Job Offers

- FAQ: Use Group Policy to Check for Server Core

- From the Forum: Domain User Application Problems

- Share Your Security Tips

PRODUCTS

- Out-of-Email-Stream Encryption Solution

- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Sophos

Trends in Malware: 2007 Security Threat Report

A sharp rise in web threats is the latest twist in cyber criminals' continually evolving efforts to steal information for financial gain. We review the year so far and predict the threat landscape for the second half of 2007.

http://findtechinfo.com/as/acs?pl=399&ca=748

=== IN FOCUS: New Services and Devices Bring New Security Risks

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The booming dot com era is certainly long gone, but even so, every month, more new Internet services make their debut, and not quite as frequently, new devices and gadgets are brought to market. Inevitably, some of these items will make their way into your network environment, often carrying with them considerable security risks.

A good case in point popped up last week. A relatively new company called Pudding Media announced its new VoIP solution called ThePudding.com. The company intends to employ a lure typical of many new online services. Anyone will be able to use ThePudding.com's VoIP service for free to make calls in North America because the company intends to profit through the insertion of targeted advertising. Sounds reasonable, but there's a new twist.

According to the company's privacy policy (at the URL below), "Our technology detects spoken keywords during a conversation and brings you rich media, news and offers, related to the very topics you talk about during your calls. The conversation keywords are not kept in our system after they are processed, and the conversation can not be reconstructed."

http://thepudding.com/media/app/privacy_notice.html

Therein resides the risk. One of your employees or contractors might decide to use the VoIP service, thinking that by doing so they could save themselves or your business money. If the person discussed sensitive information, it could leak out.

Pudding Media says it won't store keywords, and you might decide to trust the company. But there already are known ways to potentially eavesdrop on VoIP calls. Because this particular VoIP solution will, by design, be able to listen to conversations to discover keywords to use for targeted advertising, it stands to reason that the solution will have such capabilities built right into the VoIP software. And if that's the case, listening in might become even easier for intruders.

Whether to allow the use of ThePudding.com is a decision you need to make before the service explodes into widespread use. You can read numerous stories about the service by checking Yahoo! News at the URL below.

http://news.search.yahoo.com/news/search?p=ThePudding&c=

The overall point I'd like to make here is that if you hadn't learned about the service, you wouldn't even know that such a risk exists. So it's probably a good idea to read lots of news, follow the trends, research the overall computing industry to some extent, weigh the security impact of your findings on your environment, and take appropriate actions sooner rather than later.

To stay up to date on news and trends, you can use some of the more obvious sources, such as major magazines and newspapers and even the news aggregation features of major search engines. However, a few more specialized sites can help you learn about trends faster than weeding through a huge pile of news. Next week, I'll tell you about some of the sites I use to follow trends. So stay tuned.

=== SPONSOR: Websense

How Websense Technology Protects Against Internet-Based Threats

The Internet--with its wealth of information and features that have become integrated into our everyday lives--has become a necessary tool for business and also provides a vast array of options for personal use. However, it does have a dark side. This whitepaper will examine technologies that will help guard against Internet-based threats.

http://www.windowsitpro.com/go/wp/websense/threats/?code=secmid1003

=== SECURITY NEWS AND FEATURES

Danish Company Offers Free Web Application Firewall

Danish security company Armorlogic released a free version of its Profense Web application firewall. Based on OpenBSD, the product runs on your hardware and is a scaled-down version of the company's full-featured firewall.

http://www.windowsitpro.com/Article/ArticleID/97177

Sun to Synchronize Java Security Updates

Sun Microsystems said it will synchronize its security updates across its most widely used Java SE product release families. The company will also begin offering advance notification of security updates.

http://www.windowsitpro.com/Article/ArticleID/97161

Mobile Device Security: Whose Data Is It, Anyway?

Businesses have a duty to protect their corporate information, but employees who provide their own mobile devices don't want the company imposing intrusive policies on their access. The solution requires a tradeoff between convenience and risk.

http://www.windowsitpro.com/Article/ArticleID/97196

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: Macrovision

Gain Control of Software Usage and Reduce Audit Risks

Take the necessary steps for application management, from conversion of legacy applications to MSI to customizing applications to fit corporate standards. Don't overlook an important component of an OS migration--join us for the free on-demand Web seminar.

http://www.windowsitpro.com/go/seminars/macrovision/appmanagement/?partnerref=sechot1003

=== GIVE AND TAKE

SECURITY MATTERS BLOG: SSHFS Mounts Remote Linux File Systems; Worm Author Gets Job Offers

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Learn about a tool that I recently came across, SSHFS, which is based on SSH and which lets you locally mount remote Linux file systems. Also learn about a worm author that got offers for several high paying jobs that he could take after he gets out of prison!

http://www.windowsitpro.com/blog/index.cfm?action=BlogIndex&DepartmentID=949

FAQ: Use Group Policy to Check for Server Core

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How can I check for a Windows Server 2008 Server Core installation as part of a Group Policy application?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/97186

FROM THE FORUM: Domain User Application Problems

A forum participant uses Windows Server 2003 Small Business Server (SBS) with Active Directory (AD) for a network of about 20 users and lots of applications. However, he often finds that users don't have enough rights to run some of the applications. He wonders whether there's an out-of-the-box solution. Join the discussion at

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=87431&enterthread=y

SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS

by Renee Munshi, [email protected]

Out-of-Email-Stream Encryption Solution

Kryptiva announced the availability of Kryptiva's Email Encryption Architecture, which consists of two primary components. The Kryptiva Packaging Plugin integrates into a user's current email application, and the Kryptiva Packaging Server is installed on a local server on the network and integrates with LDAP services. These components pull email messages out of the email traffic stream and package outgoing ones for authentication and encryption, and decrypt incoming ones. Customers must obtain an SSL certificate from a recognized Certificate Authority (CA), but the Email Encryption Architecture itself is free for U.S. and Canadian companies. Add-on services will be available for purchase in 2008. For more information, go to

http://www.kryptiva.com

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS

For more security-related resources, visit

http://www.windowsitpro.com/go/securityresources

If there's a "killer app," it's email. Business communications rely on it, and increasingly, mobile users and clients lower the tolerance for email downtime. View this Web seminar and hear from Paul Robichaux, who will share information to help you meet your enterprise's high-availability needs. Tune in for useful tips and a guide to available disaster recovery planning resources. http://www.windowsitpro.com/go/seminars/xosoft/exchangeHA/?partnerref=100107e&r

Learn how Symantec and IBM deliver a comprehensive archiving solution to capture and store email, files, instant messages, databases, VoIP, and many other document formats while helping to reduce storage costs and simplify management. View this Web seminar to better understand the challenges of your Exchange environment and the Symantec and IBM capabilities that can help you solve them.

http://www.windowsitpro.com/go/whitepapers/symantec/yellowbook?code=100107e&r

To stay competitive these days, IT leaders are required to take a primary role in delivering business value. Gain insight into business intelligence and Microsoft application platform optimization solutions in this full-day business intelligence virtual conference on October 4, 2007.

http://events.unisfair.com/index.jsp?eid=212&seid=28&code=100107e&r

=== FEATURED WHITE PAPER

Is effective security out of reach for your small or midsized business? Imagine having a team of IT experts who focus on security as part of your staff. Learn how a hosted security solution can be an option for small and midsized businesses. Download this white paper today and find out how you can eliminate your company's security risks.

http://www.windowsitpro.com/go/whitepaper/stbernard/hostedsecurity/?code=1001featwp

=== ANNOUNCEMENTS

Got a Tough Exchange or Outlook Question?

Rely on Exchange & Outlook Pro VIP, the new online resource with in-depth articles on administration, migration, security, and performance. Subscribers get direct access to our top-flight editors, so subscribe and receive personalized solutions to your toughest technical questions. It beats a support call to Microsoft!

https://store.pentontech.com/index.cfm?s=1&promocode=eu2376up

Discover the New SQL Server Magazine

Don't miss the relaunched SQL Server Magazine, coming this month! Besides a new look, we have even more coverage of administration and performance, development and Web apps, BI and Reporting Services, and SQL Server fundamentals. Subscribe now and save 58% off the cover price.

https://store.pentontech.com/index.cfm?s=9&promocode=ep2179rL