[ISN] Security UPDATE -- So You Found a Security Problem, Now What? -- June 29, 2005
isn at c4i.org
Thu Jun 30 03:47:51 EDT 2005
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
Free download: Speed up your systems with Diskeeper
Symantec Storage and Systems Management Solutions
1. In Focus: So You Found a Security Problem, Now What?
2. Security News and Features
- Recent Security Vulnerabilities
- No More Antigen for Unix and Linux
- Firewall Appliances, Part 1
- Importing Security Settings into a GPO
3. Security Toolkit
- Security Matters Blog
- Security Forum Featured Thread
4. New and Improved
- SOHO Broadband Security Appliance
==== Sponsor: Executive Software ====
Free download: Speed up your systems with Diskeeper
Keeping systems up and available to the users is vital! Slow, crash-
prone systems have a devastating effect on productivity and security.
Disk fragmentation is a major cause of crashes and slowdowns -- but who
has the time to defragment every system, every day? The solution:
Diskeeper, the Number One Automatic Defragmenter. Automatic
defragmentation boosts performance and reliability and decreases Help
Desk traffic. Click the link to get FREE fully-functional Diskeeper
trialware. You'll discover why Diskeeper is the Number One Automatic
Defragmenter with over 17 million sold.
==== 1. In Focus: So You Found a Security Problem, Now What? ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Lots of people find security problems with hardware and software
products, network services, Web sites, and more. Some find problems
through day-to-day computer use; others search for security problems
purposely either as a hobby or as part of their job.
When you find a security problem, what do you do? The obvious answer is
to contact the company that produced the product. However, alerting a
company to your discovery of a problem in one of its products can be a
challenge. Lots of companies simply don't prepare for reports of
problems in their products and services. Their employees don't know
what to do when people try to report problems. Nor do their Web sites
or product documentation provide any information about who to contact
for security matters.
Like many of you, I subscribe to a lot of security mailing lists. I
can't even begin to remember the number of times I've read a message to
one of those lists from someone asking how to contact a given company.
The messages typically say something like, "I found a security problem
in Product XYZ. I tried to contact the company via email and received
no response. Does anybody have security contact info for the company?"
A good case in point happened last week. Someone found a problem in a
widely used product and tried to contact the company via email and by
phone. The person couldn't make it past the receptionist and so
couldn't offer the information about the security problem to anybody in
a position to do something about it. The person posted a description of
the experience to a popular security mailing list, and now the company
has to endure the embarrassment that comes along with public knowledge
of its shortcomings--and the company's customers are more exposed to
someone exploiting the publicized vulnerability. Had the company
trained the receptionist to handle calls regarding security matters,
the incident probably wouldn't have happened. As it turns out, the
company in question read the message on the popular mailing list and
quickly contacted the researcher. The company also quickly established
a "security@" mailbox to which future reports can be sent.
Of course, in other cases, it turns out that the person who posted the
vulnerability details didn't try very hard to contact the vendor. I'll
sidestep the endless debate about whether vulnerability information
should be publicly posted and say that these situations point out that
every company that provides products and services should have
information listed in plain sight in the product documentation and on
the company Web site that shows who to contact about security matters.
Even if a company's Web site serves only as an advertising vehicle and
not as an ecommerce site, the company should include such contact
Likewise, when you're shopping for products, you should check whether a
vendor lists security contact information. After all, you want the most
secure products you can get, right? If a company doesn't provide a
highly visible contact for security problems, the company is making it
more difficult than necessary for people to report security problems
directly to the company. And as I pointed out earlier, such difficulty
can lead to vulnerabilities being publicly disclosed.
The trend seems to be to establish a "security@" or possibly a
"secure@" email address that people can use to report potential
security problems. Vendors should consider establishing such an
address, if they haven't already.
==== Sponsor: Symantec ====
Symantec Storage and Systems Management Solutions
Symantec invites you to view a series of on-demand webcasts
featuring Gartner Analysts to learn how Symantec's LiveState solutions
can help ensure that your client devices are secure, available, and
compliant with corporate standards -- from acquisition to disposal.
Webcasts focus on Client Management Issues, Effective Patch Management,
Protecting the Integrity and Availability of your Company's
Information, and Discovery of IT Assets. Learn how to stay competitive
in a world where change is inevitable. Find more information and
register now at
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
No More Antigen for Unix and Linux
Microsoft completed its acquisition of Sybari and said it will
discontinue new sales of Sybari Antigen for Unix and Linux. No surprise
there. The company will continue sales of Antigen for other products.
Firewall Appliances, Part 1
When it comes to network security, the firewall is your primary line
of defense. Firewalls have undergone a major transition in the past few
years. In this two-part series, Thomas W. Shinder looks at popular
firewall appliances and makes recommendations based on the size of your
organization, the level of security you require, and the cost of the
Importing Security Settings into a GPO
Unfortunately, you can't export a GPO's security settings. Moving
settings from one GPO to another requires a fairly simple workaround.
Randy Franklin Smith explains how to do it by using the Secedit
==== Resources and Events ====
The Essential Guide to Exchange Preventative Maintenance
Database health is the weakest link in most Microsoft Exchange
Server environments. Download this Essential Guide now and find out how
the ideal solution is an automated, end-to-end maintenance and
management tool that provides a centralized view of the entire managed
infrastructure. Get your free copy now!
Show Us How You've Used Windows Technology in Innovative Ways
If you've used Windows technology in creative ways to devise
specific, beneficial solutions to problems your business has faced, we
want you! Now's your chance to get the recognition you deserve. Enter
the 2005 Windows IT Pro Innovators Contest now! You could win a
complimentary conference pass to Exchange and Windows Connections in
San Diego in late October 2005.
Simplify, Automate and Reduce the Cost of Demonstrating Regulatory
The need to comply with regulations has increased as legislation
such as Sarbanes-Oxley, HIPAA, GLBA, and Basel II take effect. The
growth of these mandates has caused an increase in manually intensive,
compliance-related tasks that reduce IT efficiency. In this free Web
seminar, learn how you can simplify, automate, and reduce the cost of
achieving IT security and regulatory compliance. Register now!
Back By Popular Demand--SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Attend and receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine. Register now!
It Just Got Easier to Network With Your IT Peers!
Windows IT Pro forums are easier to use, searchable, and complete
with RSS feeds so that you'll always receive the latest discussion
topics instantly! Check out the new and improved Windows IT Pro forums
Congratulations to the 4th Annual Best of TechEd 2005 Awards winners!
Windows IT Pro and SQL Server Magazine presented awards to Windows
and SQL technology vendors in 12 categories and one overall winner at
the Best of TechEd Awards in Orlando. The field included more than 260
entries and products were evaluated based on their strategic importance
in the market, competitive advantage, and value to the customer. Click
here to learn all of the Best of TechEd 2005 winners.
==== Featured White Paper ====
Instant Recovery and Data Protection for SQL Servers
Depending on your environment, Microsoft SQL Server may be your most
critical application. In this free white paper, learn the data
protection strategies you need to really protect your database, compare
the costs, evaluate alternatives, and more!
==== Hot Release ====
FREE Download -- The Next Generation of End-point Security is Available
NEW NetOp Desktop Firewall's fast 100% driver-centric design offers
a tiny footprint that protects machines from all types of malware even
before Windows loads and without slowing them down. NetOp provides
process & application control, real-time centralized management,
automatic network detection & profiles and more. Try it FREE.
==== 3. Security Toolkit ====
Security Matters Blog: Firefox 1.0.5 Just Around the Corner
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=D586:4FB69
Waiting for Firefox 1.0.5? You can get it now or later. The "nightly
builds" of the new version are available, although the version is still
in testing. If you're adventurous, download a copy now. If you like to
play it safe, then you better wait for the official release, which
undoubtedly is just around the corner.
by John Savill, http://list.windowsitpro.com/t?ctl=D584:4FB69
Q: How can I control which authentication methods my Active Directory
(AD) domain supports?
Find the answer at
Security Forum Featured Thread: Removing Access
I just took a position as CIO. The previous CIO moved to another
area of the business and no longer needs all the access she once gave
herself. Can anyone recommend tools to scan the network drives to find
where her account is assigned? We have Windows 2000 Active Directory
Join the discussion at
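One way to answer the question above with a script rather than a product, as an added example that is not from the thread or any of its respondents: walk one or more share roots, read each folder's ACL, and report every entry assigned to the account under review, marking whether the entry is explicit or merely inherited. It uses modern PowerShell, which was not available on the Windows 2000 domain the poster describes; the domain name, account name, and share paths are assumptions for illustration, and access granted through group membership will not appear here (check that separately).

```powershell
# Added example: find where one account is named directly in NTFS ACLs.
# Assumptions (labelled): domain CONTOSO, account CONTOSO\former.cio, and
# share roots that exist and are readable by the caller. None of these
# values come from the forum thread.
param(
    [string]$Account = 'CONTOSO\former.cio',                              # assumed
    [string[]]$Roots = @('\\fileserver\data', '\\fileserver\finance')    # assumed
)

$hits = foreach ($root in $Roots) {
    # Folder-level entries are where grants are normally made; add -File to the
    # Get-ChildItem call if file-level entries also need to be reviewed.
    $items = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            # Folders the caller cannot read are reported, not silently skipped,
            # because an unreadable folder may be exactly where a stray grant lives.
            Write-Warning "Cannot read ACL on $($item.FullName): $_"
            continue
        }

        # Ownership is effective access too (the owner can always rewrite the ACL).
        if ($acl.Owner -ieq $Account) {
            [pscustomobject]@{
                Path      = $item.FullName
                Rights    = 'Owner'
                Type      = 'Owner'
                Inherited = $false
            }
        }

        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ieq $Account) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Explicit (non-inherited) entries are the ones somebody deliberately granted and
# the ones to remove; inherited rows only show where each grant flows.
$hits | Sort-Object Inherited, Path | Format-Table -AutoSize
$hits | Where-Object { -not $_.Inherited } |
    Export-Csv -NoTypeInformation -Path .\explicit-grants.csv
```

Run it from an account that can read ACLs on all the shares (an administrator, or a member of a backup operators group), and review the CSV of explicit grants before changing anything. Because the script matches the account name exactly, it will not show rights the former CIO holds through groups she added herself to; list her group memberships in Active Directory Users and Computers (or with Get-ADPrincipalGroupMembership where the AD module is available) and review those groups as well.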
==== Announcements ====
(from Windows IT Pro and its partners)
Why Do You Need the Windows IT Pro Master CD?
There are three good reasons to order our latest Windows IT Pro
Master CD. One, because it's a lightning-fast, portable tool that lets
you search for solutions by topic, author, or issue. Two, because it
includes our Top 100 Windows IT Pro Tips. Three, because you'll also
receive exclusive, subscriber-only access to our entire online article
database. Click here to discover even more reasons:
Monthly Online Pass = Quick Security Answers!
Sign up today for your Monthly Online Pass and get 24/7 access to
the entire online Windows IT Security article database, including
exclusive subscriber-only content. That's a database of over 1900
Security articles to help you get all the answers you need, when you
need them. Sign up now for just $14.95 per month:
==== 4. New and Improved ====
by Dustin Ewing, products at windowsitpro.com
SOHO Broadband Security Appliance
Electronics Lifestyle Integration (ELI) announced the availability
of its fully managed Eli broadband security appliance for home, small
office/home office (SOHO), and remote-office Internet users. Eli
combines a firewall, antispam and antivirus capability, a DSL modem, a
cable router, VPN support, and a Web interface. Eli is designed to
deliver the kind of managed security previously available to large
enterprises at an affordable price for the SOHO consumer. Pricing is
$199.99 per device, and managed service starts at $9.99 per month. For
more information, go to
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Sponsored Links ====
Eleven things you must know about quick AD recovery!
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=D588:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.