[ISN] Security UPDATE -- So You Found a Security Problem, Now What? -- June 29, 2005

InfoSec News isn at c4i.org
Thu Jun 30 03:47:51 EDT 2005


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Free download: Speed up your systems with Diskeeper 

Symantec Storage and Systems Management Solutions


1. In Focus: So You Found a Security Problem, Now What?

2. Security News and Features
   - Recent Security Vulnerabilities
   - No More Antigen for Unix and Linux 
   - Firewall Appliances, Part 1
   - Importing Security Settings into a GPO

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - SOHO Broadband Security Appliance


==== Sponsor: Executive Software ====

Free download: Speed up your systems with Diskeeper 
   Keeping systems up and available to the users is vital! Slow, crash-
prone systems have a devastating effect on productivity and security. 
Disk fragmentation is a major cause of crashes and slowdowns -- but who 
has the time to defragment every system, every day? The solution: 
Diskeeper, the Number One Automatic Defragmenter. Automatic 
defragmentation boosts performance and reliability and decreases Help 
Desk traffic. Click the link to get FREE fully-functional Diskeeper 
trialware. You'll discover why Diskeeper is the Number One Automatic 
Defragmenter with over 17 million sold. 


==== 1. In Focus: So You Found a Security Problem, Now What? ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Lots of people find security problems with hardware and software 
products, network services, Web sites, and more. Some find problems 
through day-to-day computer use; others search for security problems 
purposely either as a hobby or as part of their job. 

When you find a security problem, what do you do? The obvious answer is 
to contact the company that produced the product. However, alerting a 
company to your discovery of a problem in one of its products can be a 
challenge. Lots of companies simply don't prepare for reports of 
problems in their products and services. Their employees don't know 
what to do when people try to report problems. Nor do their Web sites 
or product documentation provide any information about who to contact 
for security matters. 

Like many of you, I subscribe to a lot of security mailing lists. I 
can't even begin to remember the number of times I've read a message to 
one of those lists from someone asking how to contact a given company. 
The messages typically say something like, "I found a security problem 
in Product XYZ. I tried to contact the company via email and received 
no response. Does anybody have security contact info for the company?" 

A good case in point happened last week. Someone found a problem in a 
widely used product and tried to contact the company via email and by 
phone. The person couldn't make it past the receptionist and so 
couldn't offer the information about the security problem to anybody in 
a position to do something about it. The person posted a description of 
the experience to a popular security mailing list, and now the company 
has to endure the embarrassment that comes along with public knowledge 
of its shortcomings--and the company's customers are more exposed to 
someone exploiting the publicized vulnerability. Had the company 
trained the receptionist to handle calls regarding security matters, 
the incident probably wouldn't have happened. As it turns out, the 
company in question read the message on the popular mailing list and 
quickly contacted the researcher. The company also quickly established 
a "security@" mailbox to which future reports can be sent.

Of course, in other cases, it turns out that the person who posted the 
vulnerability details didn't try very hard to contact the vendor. I'll 
sidestep the endless debate about whether vulnerability information 
should be publicly posted and say that these situations point out that 
every company that provides products and services should have 
information listed in plain sight in the product documentation and on 
the company Web site that shows who to contact about security matters. 
Even if a company's Web site serves only as an advertising vehicle and 
not as an ecommerce site, the company should include such contact 

Likewise, when you're shopping for products, you should check whether a 
vendor lists security contact information. After all, you want the most 
secure products you can get, right? If a company doesn't provide a 
highly visible contact for security problems, the company is making it 
more difficult than necessary for people to report security problems 
directly to the company. And as I pointed out earlier, such difficulty 
can lead to vulnerabilities being publicly disclosed. 

The trend seems to be to establish a "security@" or possibly a 
"secure@" email address that people can use to report potential 
security problems. Vendors should consider establishing such an 
address, if they haven't already. 


==== Sponsor: Symantec ====

Symantec Storage and Systems Management Solutions
   Symantec invites you to view a series of on-demand webcasts 
featuring Gartner Analysts to learn how Symantec's LiveState solutions 
can help ensure that your client devices are secure, available, and 
compliant with corporate standards -- from acquisition to disposal. 
Webcasts focus on Client Management Issues, Effective Patch Management, 
Protecting the Integrity and Availability of your Company's 
Information, and Discovery of IT Assets. Learn how to stay competitive 
in a world where change is inevitable. Find more information and 
register now at


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

No More Antigen for Unix and Linux
   Microsoft completed its acquisition of Sybari and said it will 
discontinue new sales of Sybari Antigen for Unix and Linux. No surprise 
there. The company will continue sales of Antigen for other products. 

Firewall Appliances, Part 1
   When it comes to network security, the firewall is your primary line 
of defense. Firewalls have undergone a major transition in the past few 
years. In this two-part series, Thomas W. Shinder looks at popular 
firewall appliances and makes recommendations based on the size of your 
organization, the level of security you require, and the cost of the 

Importing Security Settings into a GPO
   Unfortunately, you can't export a GPO's security settings. Moving 
settings from one GPO to another requires a fairly simple workaround. 
Randy Franklin Smith explains how to do it by using the Secedit 


==== Resources and Events ====

The Essential Guide to Exchange Preventative Maintenance
   Database health is the weakest link in most Microsoft Exchange 
Server environments. Download this Essential Guide now and find out how 
the ideal solution is an automated, end-to-end maintenance and 
management tool that provides a centralized view of the entire managed 
infrastructure. Get your free copy now!

Show Us How You've Used Windows Technology in Innovative Ways
   If you've used Windows technology in creative ways to devise 
specific, beneficial solutions to problems your business has faced, we 
want you! Now's your chance to get the recognition you deserve. Enter 
the 2005 Windows IT Pro Innovators Contest now! You could win a 
complimentary conference pass to Exchange and Windows Connections in 
San Diego in late October 2005.

Simplify, Automate and Reduce the Cost of Demonstrating Regulatory 
   The need to comply with regulations has increased as legislation 
such as Sarbanes-Oxley, HIPAA, GLBA, and Basel II take effect. The 
growth of these mandates has caused an increase in manually intensive, 
compliance-related tasks that reduce IT efficiency. In this free Web 
seminar, learn how you can simplify, automate, and reduce the cost of 
achieving IT security and regulatory compliance. Register now!

Back By Popular Demand--SQL Server 2005 Roadshow in a City Near You
   Get the facts about migrating to SQL Server 2005. SQL Server experts 
will present real-world information about administration, development, 
and business intelligence to help you implement a best-practices 
migration to SQL Server 2005 and improve your database computing 
environment. Attend and receive a 1-year membership to PASS and 1-year 
subscription to SQL Server Magazine. Register now!

It Just Got Easier to Network With Your IT Peers!
   Windows IT Pro forums are easier to use, searchable, and complete 
with RSS feeds so that you'll always receive the latest discussion 
topics instantly! Check out the new and improved Windows IT Pro forums 

Congratulations to the 4th Annual Best of TechEd 2005 Awards winners!
   Windows IT Pro and SQL Server Magazine presented awards to Windows 
and SQL technology vendors in 12 categories and one overall winner at 
the Best of TechEd Awards in Orlando. The field included more than 260 
entries and products were evaluated based on their strategic importance 
in the market, competitive advantage, and value to the customer. Click 
here to learn all of the Best of TechEd 2005 winners.


==== Featured White Paper ====

Instant Recovery and Data Protection for SQL Servers
   Depending on your environment, Microsoft SQL Server may be your most 
critical application. In this free white paper, learn the data 
protection strategies you need to really protect your database, compare 
the costs, evaluate alternatives, and more!


==== Hot Release ====

FREE Download -- The Next Generation of End-point Security is Available 
   NEW NetOp Desktop Firewall's fast 100% driver-centric design offers 
a tiny footprint that protects machines from all types of malware even 
before Windows loads and without slowing them down. NetOp provides 
process & application control, real-time centralized management, 
automatic network detection & profiles and more. Try it FREE.


==== 3. Security Toolkit ==== 

Security Matters Blog: Firefox 1.0.5 Just Around the Corner
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=D586:4FB69

Waiting for Firefox 1.0.5? You can get it now or later. The "nightly 
builds" of the new version are available, although the version is still 
in testing. If you're adventurous, download a copy now. If you like to 
play it safe, then you better wait for the official release, which 
undoubtedly is just around the corner. 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=D584:4FB69 

Q: How can I control which authentication methods my Active Directory 
(AD) domain supports? 

Find the answer at

Security Forum Featured Thread: Removing Access
   I just took a position as CIO. The previous CIO moved to another 
area of the business and no longer needs all the access she once gave 
herself. Can anyone recommend tools to scan the network drives to find 
where her account is assigned? We have Windows 2000 Active Directory 
   Join the discussion at 
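An added example, not from the forum thread or the newsletter: a PowerShell script that walks a set of UNC share roots and reports every ACE (and any folder ownership) that names a given account, so leftover access can be reviewed and removed at its source. The account name, share roots and report path are assumed placeholders.

```powershell
# Added example (not from the thread): find every folder ACE or ownership held by one account.
# Assumptions: the account still exists (so ACEs resolve to DOMAIN\name rather than a bare SID),
# and the caller has read access to the ACLs of the share roots being scanned.
param(
    [Parameter(Mandatory)] [string]   $Account,            # placeholder, e.g. 'CORP\former.cio'
    [Parameter(Mandatory)] [string[]] $Roots,              # placeholder, e.g. '\\fileserver\finance'
    [string] $Report = ".\ace-report.csv"
)

$hits = foreach ($root in $Roots) {
    # Folders only: file ACEs are almost always inherited from the folders found here.
    Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            try { $acl = Get-Acl -Path $path -ErrorAction Stop } catch { return }  # skip unreadable ACLs

            foreach ($ace in $acl.Access) {
                if ($ace.IdentityReference.Value -ieq $Account) {
                    [pscustomobject]@{
                        Path        = $path
                        Rights      = $ace.FileSystemRights
                        Type        = $ace.AccessControlType   # Allow or Deny
                        Inherited   = $ace.IsInherited         # explicit (False) entries are the ones to remove
                        Propagation = $ace.InheritanceFlags
                    }
                }
            }

            # Ownership is separate from the ACL: an owner can re-grant access after ACEs are removed.
            if ($acl.Owner -ieq $Account) {
                [pscustomobject]@{ Path = $path; Rights = 'OWNER'; Type = 'Owner'; Inherited = $false; Propagation = 'None' }
            }
        }
}

$hits | Export-Csv -Path $Report -NoTypeInformation
"$($hits.Count) entries for $Account written to $Report"
```

Review the rows with Inherited = False first; removing those explicit entries (and reassigning ownership) clears the inherited ones beneath them.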


==== Announcements ====
   (from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?
   There are three good reasons to order our latest Windows IT Pro 
Master CD. One, because it's a lightning-fast, portable tool that lets 
you search for solutions by topic, author, or issue. Two, because it 
includes our Top 100 Windows IT Pro Tips. Three, because you'll also 
receive exclusive, subscriber-only access to our entire online article 
database. Click here to discover even more reasons:

Monthly Online Pass = Quick Security Answers!
   Sign up today for your Monthly Online Pass and get 24/7 access to 
the entire online Windows IT Security article database, including 
exclusive subscriber-only content. That's a database of over 1900 
Security articles to help you get all the answers you need, when you 
need them. Sign up now for just $14.95 per month:


==== 4. New and Improved ====
   by Dustin Ewing, products at windowsitpro.com

SOHO Broadband Security Appliance
   Electronics Lifestyle Integration (ELI) announced the availability 
of its fully managed Eli broadband security appliance for home, small 
office/home office (SOHO), and remote-office Internet users. Eli 
combines a firewall, antispam and antivirus capability, a DSL modem, a 
cable router, VPN support, and a Web interface. Eli is designed to 
deliver the kind of managed security previously available to large 
enterprises at an affordable price for the SOHO consumer. Pricing is 
$199.99 per device, and managed service starts at $9.99 per month. For 
more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Quest Software
   Eleven things you must know about quick AD recovery!


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=D588:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
