
Security UPDATE--Taking the Initiative on Bug Bounties--July 27, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Protecting Your Company by Managing Your Users' Internet Access


1. In Focus: Taking the Initiative on Bug Bounties

2. Security News and Features

- Recent Security Vulnerabilities

- Zero Day Initiative

- Microsoft to Acquire FrontBridge

- Microsoft Invests in Finjan, Licenses Software Patents

- Microsoft Launches OneCare Beta

3. Security Toolkit

- Security Matters Blog


4. New and Improved

- Add Two-Factor Authentication to IAS


==== Sponsor: St. Bernard Software ====

Protecting Your Company by Managing Your Users' Internet Access

Companies pay plenty of attention to hardening their servers and networks but pay little attention to how uncontrolled Internet access from within an organization can represent a significant legal and security risk. For example, users who browse a malicious Web site can become infected with a Trojan or other malware without their knowledge as a result of vulnerabilities in Internet Explorer. Internet filtering technology is a key player in mitigating these threats. This white paper discusses the various methods available for Internet filtering and how to use them to increase security and decrease legal exposure. Download this free white paper now!


==== 1. In Focus: Taking the Initiative on Bug Bounties ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Two weeks ago, VeriSign announced that it had made a deal to acquire iDEFENSE (see URL below). You probably know that iDEFENSE routinely pays security bug hunters for exclusive access to their discoveries. iDEFENSE then uses such information to work with vendors to create solutions to the problems. The company also uses that information to update the products that it sells to its customers.

This week, TippingPoint, a division of 3Com, announced it too will institute a bug bounty program. The new Zero Day Initiative will pay bug hunters for their discoveries, work with vendors to develop fixes for those problems, share the discoveries with other security vendors, and subsequently release some amount of information about the problems after a vendor has released a solution.

As iDEFENSE has shown, bug bounty programs are a concept that works. The concept does, however, raise a couple of interesting questions. The first is: why don't vendors have their own bounty programs for problems related to their products?

The only entity I know of that pays for security bug reports regarding its products is Mozilla Foundation, which announced its program in August 2004. Dozens of security problems have been corrected as a result, and the foundation has paid thousands of dollars in rewards to the various discoverers. Obviously, the program is working.

Certainly, in some cases, a flaw found in a product can be a detriment, particularly when the discoverer releases vulnerability details before the vendor is notified that the vulnerability exists. However, it seems to me that an in-house bug bounty program is a partial remedy that could encourage discoverers to report a flaw to the company first (or forfeit the bounty) and mitigate at least some unfavorable media attention.

The second question that comes to mind is why do companies such as 3Com and iDEFENSE go it alone in their bug bounty programs? The concept could readily become an industry-wide collaborative effort. Product and service vendors (including those who benefit by operating businesses related to information security) could band together to form a group designed specifically to pay security researchers for their discoveries. A group like that could improve overall security for everyone by stemming the haphazard release of security vulnerability details before people have a chance to protect themselves. A collaborative effort would even help protect people who don't use computers (but whose private information is nevertheless stored on bank, credit card company, and mortgage company computers). Forming such a group seems like a great idea. I can only imagine why the industry hasn't already taken the initiative to do so.


Windows IT Pro Innovators Contest Deadline Extended to September 1

There's still time to submit an entry in the Windows IT Pro Innovators Contest. If you're a Windows IT pro who has used your technical know-how to devise a creative, innovative solution to a business problem, you could qualify to win a Windows IT Pro Innovators Award. Grand Prizes include one conference pass, airfare, and hotel for Exchange and Windows Connections in San Diego in late October 2005, one VIP subscription to Windows IT Pro, and more! Click here to enter:

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Zero Day Initiative

3Com and its TippingPoint division announced Zero Day Initiative (ZDI), a security bug bounty program that will pay researchers for their discoveries.

Microsoft to Acquire FrontBridge

Microsoft announced its intention to acquire privately held email security vendor FrontBridge Technologies. Terms of the acquisition haven't been made public; however, Microsoft stated that as soon as it receives regulatory approval, integration will begin.

Microsoft Invests in Finjan, Licenses Software Patents

Security software and appliance maker Finjan Software announced that Microsoft made an equity investment in the company and negotiated a worldwide license to some of its security software patents.

Microsoft Launches OneCare Beta

Microsoft began sending out beta invites for its upcoming Windows OneCare Live product, an MSN service that will provide Windows XP users with managed antivirus and antispyware software, a two-way firewall, data backup and restore capabilities, and other services.


==== Resources and Events ====

Identify the Key Security Considerations for Wireless Mobility

Wireless and mobile technologies are enabling enterprises to gain competitive advantage through accelerated responsiveness and increased productivity. In this free Web seminar, you'll receive a checklist of risks to factor in when considering your wireless mobility technology evaluations and design. Sign up today and learn all you need to know about firewall security, transmission security, OTA management, management of third-party security applications, and more!

New Cities Added--SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

Are Your High-Availability Requirements Outstripping the Capabilities of Your Backup/Restore Systems?

Choosing an appropriate availability technology means balancing the system cost, the skill set and knowledge level required, the complexity added to your existing environment, and how much availability each technology gives you. In this free Web seminar, you'll learn the factors for each technology and how Ed Heinemann's famous dictum for aircraft design, "simplicate and add lightness," applies to availability design and deployment.

Integrate Your Compliance System With Backup and Recovery

Discover the issues involved with integrating your compliance system with backup and recovery, including backup schedules, pros and cons of outsourcing backup media storage and management, the DR implications of backing up compliance data, the possibility of using alternative backup methods to provide backup and compliance in a single system, and more. You'll learn what to watch out for when combining the two functions and how to assess whether your backup/restore mechanisms are equal to the challenge.

Chapter 8--SQL Server Administration for Oracle DBAs eBook

Databases have assumed a role of primary importance in many businesses. This highly visible role is complete with multiple responsibilities and demands. In Chapter 8 of this free eBook, you'll discover the availability- and scalability-related features of Oracle and Microsoft SQL Server and the requirements and features that can help you increase availability and scalability. Plus--you'll learn three key backup and recovery features related to availability and scalability.

Congratulations to Laura Watts--Winner of an iPod mini--for telling us what she thinks about industry conferences and events. Thank you to everyone who participated.


==== Featured White Paper ====

The Actual Cost to Own and Operate PCs Continues to Rise

In this free white paper, get insights into and solutions for some of the less visible but very real costs of PC and LAN ownership. You'll learn a practical approach to reducing the cost of supporting PCs and customers in a multiplatform environment. Plus--you'll also get a cost-savings model for Help desks that demonstrates the cost savings that can be realized by implementing remote control technology.


==== Hot Release ====

40% of Hacker Traffic is Pre-Attack Recon... Stop Them with ServerMask!

Your IIS Web server is a homing beacon. Answer a simple HTTP request, and you politely announce OS, Web, and app software to the world. Reduce risk and hacks with free ServerMask trials today.


==== 3. Security Toolkit ====

Security Matters Blog: Polly Want a Password Cracker?

by Mark Joseph Edwards,

I couldn't resist the joke, but seriously, check out the LCP password cracker. It's similar to @stake's incredibly popular LC 5 (formerly known as L0phtCrack), with several differences, at least one of which is major: It's free.


by John Savill,

Q: What's Microsoft Baseline Security Analyzer (MBSA) 2.0?

Find the answer at


==== Announcements ====

(from Windows IT Pro and its partners)

Check Out the New Windows IT Security Newsletter!

Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals about building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database (over 1900 security articles)! Order now:

Exclusive Content for VIP Subscribers!

Get inside access to all the content and vast resources of Windows IT Pro, SQL Server Magazine, Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security, with over 26,000 articles at your fingertips. Your VIP subscription also includes a 1-year print subscription to Windows IT Pro and a VIP CD (includes entire article database). Sign up now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Add Two-Factor Authentication to IAS

VASCO Data Security's Digipass Plug-In for Microsoft Internet Authentication Server (IAS) is an add-on that lets IAS customers use two-factor authentication instead of a password for network access. Digipass secrets are stored in Active Directory (AD), and policy-driven administration is via Microsoft Management Console (MMC). In addition, a Web site lets end users perform regular operations themselves. Digipass Plug-In for IAS supports most authentication protocols. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Argent versus MOM 2005

Experts Pick the Best Windows Monitoring Solution


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
