[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Hacking Contests Serve a Great Purpose

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


CIPA - Keeping Students Safe on the Net

Administering Windows Vista Security

Control of Software Use and Reduce Audit Risk

=== CONTENTS ===================================================

IN FOCUS: Hacking Contests Serve a Great Purpose

   - Month of ActiveX Bugs Bears Dangerous Fruit
   - Microsoft Launches Forefront Client Security and System Center 
Essentials 2007
   - Recent Security Vulnerabilities

   - Security Matters Blog: AACS Uproar
   - FAQ: How to Create a Bootable USB Flash Device
   - From the Forum: Network Monitoring with EtherApe
   - Product Evaluations from the Real World
   - Share Your Security Tips

   - Security-Check Your Email on the Network Edge




=== SPONSOR: Cyberoam ==========================================

CIPA - Keeping Students Safe on the Net
   Protecting students from the millions of sites that house 
pornography, adult chat rooms, violence & hacking can provide not just 
a safe surfing atmosphere to minors in schools and libraries, but also 
qualify the institutions for federal E-rate funding through CIPA 

=== IN FOCUS: Hacking Contests Serve a Great Purpose =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You might recall that last month at the CanSecWest security conference, 
a challenge was offered for anyone to attempt to break into one of two 
Apple MacBook Pro laptop systems running OS X. Whoever was successful 
would win the laptop they broke into. As added incentive, TippingPoint 
(a division of 3Com) offered a $10,000 cash prize for exclusive rights 
to details of any vulnerability used to break into the OS.

Of course someone did find a way to break into one of the two laptops. 
Dino Dai Zovi working in tandem with Shane Macaulay exploited a 
vulnerability (discovered by Dai Zovi) that exists in the combination 
of Apple QuickTime and Java. The exploit gave them the ability to 
access a command shell on OS X. As it turns out, the vulnerability also 
affects Windows platforms, which makes the vulnerability even more 
dangerous because it affects a much wider base of computer users around 
the world.

Last week, Gartner spoke out against public vulnerability research in 
general as well as hacking contests like the one recently held at 
CanSecWest. Writing in a research brief for Gartner, research vice 
presidents Rich Mogull and Greg Young stated that, "Public 
vulnerability research and 'hacking contests' are risky endeavors, and 
can run contrary to responsible disclosure practices, whereby vendors 
are given an opportunity to develop patches or remediation before any 
public announcements. Vulnerability research is an extremely valuable 
endeavor for ensuring more secure IT. However, conducting vulnerability 
research in a public venue is risky and could potentially lead to 
mishandling or treating too lightly these vulnerabilities--which can 
turn a well-intentioned action into a more ambiguous one, or 
inadvertently provide assistance to attackers."

Mogull and Young apparently think that no vulnerability should be known 
to the public until vendors can first develop a patch. While there is 
certainly an advantage to that approach, there truly is little if any 
security offered through that sort of obscurity. It's been shown time 
and time again that when risks are known by the public, then adequate 
precautions can be taken either by users or by their solution 

Most striking to me is the fact that Mogull and Young overlook a 
glaring problem in picking the CanSecWest contest as the foundation of 
their rather weak argument. Dai Zovi didn't know of the vulnerability 
in advance of the contest. He was contacted by Macaulay from the 
conference and asked if he could find a way into the OS X system so 
that they could then split the prize package. Macaulay would get the 
laptop, and Dai Zovi would get the money. Only then did Dai Zovi go to 
work to try and find a weakness. Dai Zovi later reportedly said that he 
was more motivated by the challenge itself rather than the $10,000 cash 

Obviously, without the CanSecWest challenge, the QuickTime flaw might 
not have come to light until a much later date, and it might have been 
because of some sort of malicious code that exploited the vulnerability 
and that was unleashed on the unprepared public. We could have all been 
completely blindsided, and at great expense. So the way I see it, 
thanks are due to CanSecWest, TippingPoint, Dai Zovi, and Macaulay. 

The discovery of this particular vulnerability makes it clear that 
hacking contests serve a great purpose when they're conducted in a 
controlled manner with strict guidelines, such as those spelled out by 
the organizers of CanSecWest as well as TippingPoint. 

Furthermore, a mere seven days after the QuickTime vulnerability was 
discovered, Apple released an update (available at the URL below) that 
fixes the problem, which demonstrates how a well-run challenge and a 
lot of press coverage gets bugs fixed really fast. 


Calling All Windows IT Pro Innovators!
   Have you developed a solution that uses Windows technology to solve 
a business problem in an innovative way? Enter your solution in the 
2007 Windows IT Pro Innovators Contest! Grand-prize winners will 
receive airfare and a conference pass to Windows and Exchange 
Connections in Las Vegas, November 5-8, 2007, plus more great prizes 
and a feature article about the winning solutions in the November 2007 
issue of Windows IT Pro. Contest runs through August 1, 2007.
   To enter, click here:

=== SPONSOR: Symantec ==========================================

Administering Windows Vista Security
   Join Paul Thurrott for a deep dive into administering Windows 
Vista's new security features with an emphasis on the new Group Policy 
settings that are exposed by this release including USB device blocking 
and the new Microsoft Desktop Optimization Pack. Paul will also discuss 
compliance features in Windows Vista, and upcoming security innovations 
that will be enabled by combining Windows Vista with Windows Server 
"Longhorn". On-Demand Web Seminar

=== SECURITY NEWS AND FEATURES =================================

Month of ActiveX Bugs Bears Dangerous Fruit
   On the heels of the Month of Kernel Bugs, Month of Browser Bugs, 
Month of Apple Bugs, and Month of PHP Bugs comes the Month of ActiveX 
Bugs (MoAxB). Launched by someone who uses the name "shinnai," the 
project has so far revealed at least five serious vulnerabilities that 
can allow remote code execution. 

Microsoft Launches Forefront Client Security and System Center 
Essentials 2007
   At a customer meeting attended by more than 1,000 IT professionals 
in Los Angeles, Microsoft Senior Vice President Bob Muglia launched two 
new products to help secure systems and simplify management tasks.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Macrovision =======================================

Control of Software Use and Reduce Audit Risk
   Do you have visibility and control over your software license use? 
Most organizations face a number of serious challenges, including 
understanding vendor licensing models, cost overruns, missed deadlines, 
business opportunities, and lost user productivity. Learn to address 
these challenges, and prepare for audits. Register for the free Web 
seminar, available now!

=== GIVE AND TAKE ==============================================

   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=558AB:57B62BBB09A69279A638DD2CD6295BF1

The encryption key initially used for the Advanced Access Content 
System (AACS) in HD DVD and Blu-ray disks was cracked, and the key is 
widely known at this point. Some people are spreading the key 
information in very funny ways.

FAQ: How to Create a Bootable USB Flash Device
   by John Savill, http://list.windowsitpro.com/t?ctl=558A9:57B62BBB09A69279A638DD2CD6295BF1 

Q: How can I create a bootable USB flash device running Windows 
Preinstallation Environment (PE) 2.0?

Find the answer at

FROM THE FORUM: Network Monitoring with EtherApe
   A forum participant wants to implement a network traffic monitor to 
see who's taking up bandwidth. He plans to use EtherApe on a Linux box. 
He has a switch capable of port mirroring. The Linux desktop is 
connected to one of the ports, and another port is mirroring the Linux 
desktop port. Should the desktop have two NICs so that he can log onto 
the machine and see what's going on in the network? 

   Share your product experience with your peers. Have you discovered a 
great product that saves you time and money? Do you use something you 
wouldn't wish on anyone? Tell the world! If we publish your opinion, 
we'll send you a Best Buy gift card! Send information about a product 
you use and whether it helps or hinders you to 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@xxxxxxxxxxxxxxxxxxx If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@xxxxxxxxxxxxxxxx

Security-Check Your Email on the Network Edge
   Mirapoint introduced RazorGate, an email security appliance that's 
designed to reject unwanted messages and enforce centrally managed 
email policies without relying on IT resources behind the corporate 
firewall. Email addresses and policy service attributes are loaded into 
RazorGate's Embedded Policy Engine, so RazorGate can consult its own 
directory outside the firewall rather than querying the corporate 
directory through holes in the firewall to determine how to handle 
messages and to enforce policies. Thus, RazorGate takes load off the 
firewall, internal network, and corporate directory. The RazorGate 
appliance starts at $5,250. For more information, go to

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Get Ready for Exchange & Office 2007 Roadshow--free! 
   The Microsoft-partnered Get Ready for Exchange & Office 2007 
Roadshow is coming to Stockholm! Three independent, respected technical 
speakers--Jim McBee, Mark Arnold, and Ben Schorr--will deliver tracks 
on securing, managing, and deploying Exchange and Office 2007 and using 
Exchange Server 2007 capabilities to improve your messaging 
environment. Register today for this free day-long event. Your delegate 
bag will include Microsoft Exchange Server 2007 and Office 2007 Beta 2 
Software Kits. 
   Venue: Berns Hotel, Stockholm 
   Date: Monday, 14 May 2007 

Can your business's Exchange high-availability standards guarantee that 
users can always access email, even during an outage? Maximize your 
availability strategy by learning new approaches, such as proper 
management practices, how to improve clustering and log replication, 
and how to achieve service outage protection.   

Join Paul Robichaux as he presents a disaster recovery planning 
checklist that you can use to help guide your Exchange 2000/2003/2007 
disaster recovery planning. Learn what you should do first, last, and 
in between to solidify your Exchange infrastructure and be assured of a 
successful disaster recovery operation. Listen to this on-demand Web 
seminar at your convenience. 

=== FEATURED WHITE PAPER =======================================

You can't prevent nature from throwing floods, hurricanes, and 
earthquakes at your IT systems. You can't always control what people do 
to your systems, either. Download this free eBook and learn to protect 
your business from disasters of all kinds. 

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Introducing a Unique Exchange and Outlook Resource 
   Exchange & Outlook Pro VIP is an online information center that 
delivers new articles every week on messaging topics such as 
administration, migration, security, and performance. Subscribers also 
receive tips, cautionary advice, direct access to our editors, and a 
host of other benefits! Order now at an exclusive charter rate and save 
up to $50! 


Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@xxxxxxxxxxxxxxxxxxxxx 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@xxxxxxxxxxxxxxxx
   About technical questions -- http://list.windowsitpro.com/t?ctl=558AD:57B62BBB09A69279A638DD2CD6295BF1
   About your product news -- products@xxxxxxxxxxxxxxxx
   About your subscription -- windowsitproupdate@xxxxxxxxxxxxxxxx
   About sponsoring Security UPDATE -- salesopps@xxxxxxxxxxxxxxxx

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com