
Security UPDATE--Meeting of the Browser Developers' Minds--November 30, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Provide Secure Remote Access

Ensure Data Protection and High Availability for Microsoft Exchange


1. In Focus: Meeting of the Browser Developers' Minds

2. Security News and Features

- Recent Security Vulnerabilities

- Qualys Launches On-Demand SANS Top 20 Scanning Service

- Secure Your Wireless Network

- Use Guest Accounts to Fight Malware

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- Quickly View Windows Permissions


==== Sponsor: Panda Software ====

Provide Secure Remote Access

It may be tempting to deploy a WiFi wireless access point or offer PDAs or laptops to your roaming employees so they can work from virtually anywhere. In this free white paper you'll get the important security implications you should consider before you do so.


==== 1. In Focus: Meeting of the Browser Developers' Minds

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Can you imagine trying to use a computer these days without a Web browser? It would be almost impossible, except in limited-use environments. After all, countless applications rely on Web access of some sort or other and countless more will do so in the future.

Heavy reliance on Web browsers and Web servers makes the technologies a common target for potential intruders of all sorts, as evidenced by the influx of new attacks that appear each week. Security improvements for Web technologies are a constant goal for developers, and finally, Web browser makers are cooperating with each other--at least to some extent.

Two weeks ago, several Web browser developers gathered in Canada to discuss possible joint efforts to improve browser security. The meeting was hosted by George Staikos, a core developer of the K Desktop Environment (KDE), a popular desktop environment for Linux and other UNIX-like systems that includes the Konqueror Web browser. (The KDE Web site is at the URL below.) Attendees included Carsten Fischer and Yngve Nysaeter Pettersen from Opera Software, Frank Hecker from the Mozilla Foundation, and Rob Franco and Kelvin Yiu from Microsoft. Apparently, other developers were invited but were unable to attend. According to Staikos, "The aim was to come up with future plans to combat the security risks posed by phishing, aging encryption ciphers and inconsistent SSL Certificate practices."

The first item agreed upon by those in attendance was to phase out weak encryption. SSL 2.0 has already been removed from the KDE source code tree, and in Microsoft Internet Explorer (IE) 7.0 it will be disabled by default; Opera, Mozilla, and other vendors will undoubtedly follow. SSL 2.0 deserves to go: its handshake isn't integrity-protected, so an attacker in the path can strip the strong cipher suites from a client's offer and force the weakest one both sides support, which is why turning the protocol off (on servers as well as in browsers) is safer than hoping it negotiates a strong cipher. Likewise, weaker ciphers, such as the 40-bit export-grade ciphers and 56-bit single DES, will be retired in favor of stronger encryption, and efforts will be made to push Certificate Authorities (CAs) to issue stronger certificates that use 2048-bit (or stronger) keys.
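As an added example (not code from the newsletter, KDE, Opera, Mozilla, or Microsoft), the following Python shows what that policy looks like at a server's front door: it constructs an SSL 2.0 CLIENT-HELLO and a TLS 1.0 ClientHello from sample bytes, tells the two apart by their record headers, lists the ciphers each offers, and applies an assumed rule that refuses SSL 2.0 outright and never selects a cipher with fewer than 128 key bits. The wire formats and cipher code points are those of the SSL 2.0 and TLS 1.0 specifications; the cipher tables, the 128-bit threshold and the sample hellos are this example's own assumptions.

```python
"""Added example: an assumed server-side policy that refuses SSL 2.0 and
never negotiates a 40- or 56-bit cipher. Builds sample ClientHellos from
constructed bytes, so it runs offline."""
import struct

# SSL 2.0 CIPHER-KIND codes (three bytes each) with effective key size in bits.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": ("SSL_CK_RC4_128_WITH_MD5", 128),
    b"\x02\x00\x80": ("SSL_CK_RC4_128_EXPORT40_WITH_MD5", 40),
    b"\x03\x00\x80": ("SSL_CK_RC2_128_CBC_WITH_MD5", 128),
    b"\x04\x00\x80": ("SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", 40),
    b"\x05\x00\x80": ("SSL_CK_IDEA_128_CBC_WITH_MD5", 128),
    b"\x06\x00\x40": ("SSL_CK_DES_64_CBC_WITH_MD5", 56),
    b"\x07\x00\xc0": ("SSL_CK_DES_192_EDE3_CBC_WITH_MD5", 168),
}

# A handful of TLS 1.0 cipher suite code points (RFC 2246) with key sizes.
TLS_CIPHER_SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", 128),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}

MIN_KEY_BITS = 128  # assumed policy threshold: 40- and 56-bit ciphers are retired


def build_ssl2_client_hello(cipher_kinds, challenge=b"\x11" * 16):
    """SSL 2.0 CLIENT-HELLO behind the two-byte 'short' record header."""
    specs = b"".join(cipher_kinds)
    body = (b"\x01" + b"\x00\x02"        # MSG-CLIENT-HELLO, CLIENT-VERSION 0.2
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)         # cipher specs, no session ID, challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_client_hello(suites, version=b"\x03\x01", random=b"\x22" * 32):
    """TLS 1.0 ClientHello inside a Handshake record, no extensions."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (version + random + b"\x00"   # client_version, random, empty session ID
            + struct.pack(">H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack(">H", len(handshake)) + handshake


def classify_client_hello(data):
    """Return (protocol, offered); offered is a list of (name, key_bits),
    with key_bits None for codes missing from the tables above."""
    if len(data) >= 9 and data[0] & 0x80 and data[2] == 0x01:
        # High bit set on byte 0 means an SSL 2.0 short header: 15-bit length.
        rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + rec_len]
        if len(body) < 9:
            raise ValueError("truncated SSL 2.0 CLIENT-HELLO")
        spec_len, sid_len, chal_len = struct.unpack(">HHH", body[3:9])
        if spec_len % 3 or len(body) != 9 + spec_len + sid_len + chal_len:
            raise ValueError("malformed SSL 2.0 CLIENT-HELLO")
        specs = body[9:9 + spec_len]
        offered = [SSL2_CIPHER_KINDS.get(specs[i:i + 3], ("0x" + specs[i:i + 3].hex(), None))
                   for i in range(0, spec_len, 3)]
        return "SSLv2", offered
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01:
        # TLS record of type handshake (0x16) carrying a ClientHello (0x01).
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4:
            raise ValueError("truncated TLS handshake record")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        if len(body) < 35:
            raise ValueError("truncated TLS ClientHello")
        pos = 35 + body[34]              # skip client_version, random, session_id
        if len(body) < pos + 2:
            raise ValueError("truncated TLS ClientHello")
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
        suites = body[pos + 2:pos + 2 + cs_len]
        if cs_len % 2 or len(suites) != cs_len:
            raise ValueError("malformed cipher_suites vector")
        offered = [TLS_CIPHER_SUITES.get(struct.unpack(">H", suites[i:i + 2])[0],
                                         ("0x" + suites[i:i + 2].hex(), None))
                   for i in range(0, cs_len, 2)]
        return "TLS", offered
    raise ValueError("not a recognised ClientHello")


def weak_ciphers(offered):
    """Offered cipher names whose key size is known and below the policy."""
    return [name for name, bits in offered if bits is not None and bits < MIN_KEY_BITS]


def select_cipher(data):
    """Drop SSL 2.0 entirely; otherwise pick the client's first acceptable
    suite, or None (handshake failure) if it offered nothing acceptable."""
    protocol, offered = classify_client_hello(data)
    if protocol == "SSLv2":
        return None
    for name, bits in offered:
        if bits is not None and bits >= MIN_KEY_BITS:
            return name
    return None


if __name__ == "__main__":
    print(select_cipher(build_ssl2_client_hello([b"\x01\x00\x80"])))        # None: SSL 2.0 refused
    print(select_cipher(build_tls_client_hello([0x0003, 0x0009, 0x002F])))  # AES-128 chosen
```

Run it and the SSL 2.0 hello is refused even though it offers 128-bit RC4, while the TLS hello settles on AES-128 despite the client listing export RC4 and single DES first. Unknown cipher codes are reported by their hex value and never selected, so a new suite has to be added to the table before the policy will accept it. A real server does this through its TLS library's configuration rather than by hand, but the same two questions apply: does the listener still answer SSL 2.0 hellos, and can any 40- or 56-bit suite still be negotiated?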

Speaking of CAs, a major focus of the meeting was certificate extensions. The meeting attendees would like to see CAs implement extensions to X.509 certificates that would indicate when a certificate owner has undergone some sort of extra verification process (i.e., a process beyond what's required to obtain a regular certificate). Browser software could make users aware of that stronger verification through visual indicators, such as color and text.

For example, Rob Franco writes in an IEBlog posting about the meeting that in IE 7.0, the address bar will be color-coded depending on the site visited. A red background will indicate sites that are known to participate in phishing. Yellow will represent sites suspected but not confirmed of participating in phishing. White will indicate sites that use a typical SSL certificate; green is "for sites that meet future guidelines for better identity validation. Along with the green fill, our current design for the address bar includes the name of the business alternating with the name of the third party Certification Authority who identified the business. We think this alternating presentation of business name with Certification Authority name is the right balance of user notification and simplicity."

From all reports, there was a lot of discussion at the meeting and the sense that everyone agreed on several ideas. For more details about what was discussed and what might result from the meeting, read the articles written by those who attended. You can read Staikos's comments at the first URL below, the Opera developers' comments at the second URL, the Mozilla participant's comments at the third URL, and the IE 7 developers' comments at the fourth URL.


==== Sponsor: NSI ====

Ensure Data Protection and High Availability for Microsoft Exchange

Having a mission-critical, data protection solution that is cost-effective, hardware independent and scalable is something every IT manager should consider. In this free white paper get all you need to know about ensuring data protection and high availability for Exchange. This is one paper you can't afford to miss!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Qualys Launches On-Demand SANS Top 20 Scanning Service

The SANS Institute recently released the 2005 SANS Top 20 Most Critical Internet Vulnerabilities report. Now Qualys, provider of vulnerability-management and policy-compliance solutions, has released a free online scanning service that helps you determine whether your Internet-facing systems are vulnerable to any of the issues in the SANS report.

Secure Your Wireless Network

Along with the benefits of wireless networks comes a need to keep them secure. Owners of unsecured networks risk lost bandwidth on their Internet connection, virus and worm infection, and potentially even criminal or civil liability if their unsecured wireless networks are used to launch attacks against others. John Howie offers advice on how to secure your wireless networks in this article on our Web site.

Use Guest Accounts to Fight Malware

Security administrators face a dilemma: they need to limit the use of administrator privileges while still giving users enough permissions to perform their routine tasks. One solution that accommodates both needs is to let users run most applications as administrators but to run the applications most exposed to malware attack under the low-privilege Guest account, so that a compromise of one of those programs is confined to what Guest can reach. Mark Burnett looks at when you might want to use a Guest account and how to set one up.


==== Resources and Events ====

Get the facts about deploying SQL Server(TM) 2005!

SQL Server experts will present real-world information about administration, development, and business intelligence to help you put SQL Server 2005 into practice and how to use its new capabilities to improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now at:

Are You Really Prepared for Disaster Recovery?

Join industry guru Liam Colvin in this free Web seminar and get the tips you need to validate your disaster recovery data. You'll learn if your backup and restore data is worth staking your career on, what type of geo-clustering is right for you, which response to use in crisis situations, and more!

Upgrade to Analysis Services 2005

Get the tips and tricks you'll need to upgrade to Analysis Services 2005, including possible upgrade and migration scenarios, pre-planning steps, running the new Analysis Services migration wizard, and more. Plus discover what steps need to be completed after the migration process is complete and explore some of the new features of Analysis Services 2005.

Plan and Implement Highly Available Exchange Systems

Learn about the concepts behind high availability Exchange server planning. Plus, discover how to properly assess the business drivers that affect how you craft your Service Level Agreements. You'll get the tips you need to understand the various options available to you for planning and implementing highly available Exchange systems including: Fault Tolerant design, clustering and what uptime really means! Register today at:

Scripting and code don't have to be boring.

Subscribe today to Scripting Central and get a down-and-dirty technical, yet lighthearted look at scripts. You'll also get tools for and tips on how to write scripts for a variety of Windows applications, like Exchange and SQL Server. Sign up today!

Win a $100 American Express Gift Certificate

What companies are the leaders in offering email security products and services? And what features must such products have before you'll even consider purchasing them? We invite you to take 3 minutes and tell us your opinion about the email security products and services you currently use--or wish you could use. Take the email security products psSurvey today at:


==== Featured White Paper ====

Integrating Fax Servers in MFP Environments

Did you know that wasteful processes can drive the cost of document management and output to as high as 10-15% of your company's annual revenues? Download this free white paper today and find out how you can use fax solutions to achieve cost control, security and compliance, increased workflow and more.


==== Hot Release ====

Demo: Make Securing Your Desktops & Servers Easy

Simplify managing & securing your desktops and servers with KBOX. HW & SW inventory and distribution, patch management, configuration management, security vulnerability assessment, policy enforcement and automatic remediation--it's all in the KBOX. Fix your weakest link with an affordable, elegant, all-inclusive appliance. View Flash Demo.


==== 3. Security Toolkit ====

Security Matters Blog: Can't Get LC5? Try LCP Instead

by Mark Joseph Edwards,

If you're outside the United States and Canada, you can no longer buy a copy of the popular LC5, the most recent version of the L0phtCrack password-cracking tool. However, there are alternatives, as you'll discover if you read this blog entry on our Web site.


by John Savill,

Q: What's a rootkit, and how can I check for rootkits installed on my machine?

Find the answer at

Security Forum Featured Thread

A forum participant wants to know if there's a tool that can help him determine which users logged on to which computers at a given time. For example, he wants to know which users logged on to any of 15 computers between 1:00 P.M. and 2:00 P.M. Join the discussion at
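One way to answer that question from the data the machines already record, as an added example that is not from the forum thread: on Windows 2000/XP/2003 each successful logon writes event 528 (or 540 for a network logon) to that machine's own Security log, provided logon auditing is enabled, so the rows have to be collected from all 15 computers and then filtered by time. The Python below does the filtering over a constructed sample in an assumed CSV layout (computer, time, event ID, user, logon type); a real export from Event Viewer or a collection tool needs its columns mapped to those names.

```python
"""Added example (not from the forum thread): which users logged on to which
machines in a time window, from Security log rows collected off each machine."""
import csv
import io
from datetime import datetime

# Windows 2000/XP/2003 Security log: 528 = successful logon, 540 = successful
# network logon, 538 = logoff.  Logon type 2 = interactive (at the console).
LOGON_EVENTS = {528, 540}

# Constructed sample rows in an assumed CSV layout, one event per line.
SAMPLE_EXPORT = """computer,time,event_id,user,logon_type
WS01,2005-11-30 12:55:10,528,CORP\\alice,2
WS01,2005-11-30 13:05:42,528,CORP\\bob,2
WS02,2005-11-30 13:12:03,540,CORP\\alice,3
WS03,2005-11-30 13:40:00,538,CORP\\carol,2
WS03,2005-11-30 13:41:15,528,CORP\\carol,2
WS04,2005-11-30 14:00:00,528,CORP\\dave,2
"""


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def logons_between(export_text, start, end, logon_types=None):
    """Map computer -> sorted users with a logon event in [start, end).

    start and end are "YYYY-MM-DD HH:MM:SS" strings; logon_types, if given,
    restricts the match (for example {2} for console logons only)."""
    lo, hi = _parse(start), _parse(end)
    found = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if int(row["event_id"]) not in LOGON_EVENTS:
            continue  # logoffs, failures and everything else are ignored
        if logon_types and int(row["logon_type"]) not in logon_types:
            continue
        if lo <= _parse(row["time"]) < hi:
            found.setdefault(row["computer"], set()).add(row["user"])
    return {c: sorted(u) for c, u in sorted(found.items())}


if __name__ == "__main__":
    hour = logons_between(SAMPLE_EXPORT, "2005-11-30 13:00:00", "2005-11-30 14:00:00")
    for computer, users in hour.items():
        print(computer, ", ".join(users))
```

The window is half-open, so a logon stamped exactly 2:00 P.M. belongs to the next hour, and the 538 logoff for carol is ignored so only her actual logon counts. Restricting to logon type 2 separates people sitting at the console from network connections (file shares, remote administration) that also produce 540 events.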


==== Announcements ====

(from Windows IT Pro and its partners)

Want to Become a VIP Subscriber?

Become a VIP subscriber and get continuous, inside access to ALL of the online resources published in Windows IT Pro magazine, SQL Server Magazine, Exchange and Outlook Administrator newsletter, Windows Scripting Solutions newsletter, and Windows IT Security newsletter--that's over 26,000 articles at your fingertips. You will also get a valuable one-year print subscription to Windows IT Pro and two VIP CDs (includes the entire article database on CD, delivered twice per year). Don't miss out ... sign up now:

Holiday Special--Save up to $40 off Windows IT Pro

You won't want to miss any of Windows IT Pro's upcoming winter issues! Subscribe now and discover the best ways to plan for Longhorn, the need-to-knows of VBScript, ways to make sense of SQL Server 2005, the 10 Security Tools You Can't Live Without, Vista launch essentials, and much more. You'll also gain exclusive access to the entire Windows IT Pro online article database FREE, and save up to $40 off the full cover price. Click here:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Quickly View Windows Permissions

Pervedia has released Permission Analyzer 1.2.8, which lets you quickly view your Windows system access permissions. You can run scans manually or schedule them, and you can check permissions by user or user group. You can look for all permissions or selected permissions, such as list, read, execute, modify, write, or full. The program also has a report that shows which applications are running on which workstations, by workstation or by application. Permission Analyzer costs $99 and requires a server running Windows 2003/XP/2000, clients running Windows 2003/XP/2000/Me/98, and an Internet connection. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
