[ISN] Security UPDATE -- Reading EULAs Can Help Prevent Spyware Infiltration -- September 28, 2005

InfoSec News isn at c4i.org
Thu Sep 29 00:27:16 EDT 2005


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Symantec LiveState Patch Manager

Filtering the Spectrum of Internet Threats: Defending Against 
Inappropriate Content, Spyware, IM, and P2P at the Perimeter 


1. In Focus: Reading EULAs Can Help Prevent Spyware Infiltration

2. Security News and Features
   - Recent Security Vulnerabilities
   - Microsoft Boosts Its Ability to Provide End-to-End PKI Solutions
   - New Microsoft Tool Locks Down Shared XP Systems

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Control Endpoint Media Devices


==== Sponsor: Symantec ====

Symantec LiveState Patch Manager
   Symantec LiveState Patch Manager allows you to reliably protect your 
infrastructure from vulnerabilities. Its intuitive interface allows 
organizations to scan, identify and install missing patches on hundreds 
of clients and servers in minutes. Flexible grouping capabilities allow 
the targeting of patches to specific groups of users. Provides detailed 
patch status reports. Persistent delivery assures patches are 
successfully delivered and applied, helping ensure clients are secure 
and protected. LiveState Patch Manager is a member of a family of 
modular solutions that work on their own--with tools you may already 
have--and can be assembled into a broader suite if desired, leveraging 
a common look-and-feel, management database and agent deployment 
infrastructure. To learn more, visit us at:


==== 1. In Focus: Reading EULAs Can Help Prevent Spyware Infiltration
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Does anybody (except lawyers) really like reading End User License 
Agreements (EULAs)? For that matter, does anybody like reading privacy 
statements? I doubt it. But it's something we all should do because if 
we don't, we can eventually wind up with all kinds of spyware on our 
networks that could lead to serious problems. 

For example, you might download a slick-looking desktop tool, click to 
accept the EULA without reading it, then later find out that the tool 
has been recording all your Web and email activity and sending that 
information to someone's data collection center. In another scenario, 
you might install the latest IM and chat tool. If you don't read the 
privacy policy, you might not know that the company providing the tool 
reserves the right to track who you contact, how often you transfer 
data, and more. 

That's just the tip of the iceberg. In fact, poorly written EULAs and 
privacy statements, along with people's unwillingness to read them 
carefully, have spawned an entire multimillion- (if not billion-) 
dollar industry that now focuses exclusively on the elimination of 

When surfing the Web last week, I came across an interesting story at 
Techdirt that points out just how lackadaisical people can be when it 
comes to reading EULAs. Techdirt pointed out an experiment conducted by 
PC Pitstop (at the URL below). The company embedded in one of its EULAs 
an offer of $1000 to the first person who simply asked for it! More 
than 3000 people downloaded the software before somebody actually asked 
for the check! 

A few weeks ago, I learned about a new tool, EULAlyzer from Javacool 
Software (at the URL below), which as the name implies is designed to 
help you analyze EULAs to look for areas that might need extra 
attention. It works by scanning for keywords. It then links to areas 
that contain those keywords so that you can review those spots. I 
tested EULAlyzer on a EULA and found that it did point me to some key 
phrases that I needed to read more closely, but it certainly didn't 
eliminate the need for me to read the entire EULA carefully. 

Last week, I learned about another tool, currently called Project Truth 
Serum (read about it at the first URL below), that will help analyze 
EULAs. That tool is being developed by Facetime Communications (at the 
second URL below) and is currently in closed beta testing, so I didn't 
have a chance to try it. But based on the sample output, which you can 
view at the third URL below, the tool provides similar functionality to 

I don't see any reason why EULA analyzers couldn't be made to analyze 
privacy statements. But when I tried EULAlyzer on a tool's privacy 
statement, it didn't flag anything as suspect, even though the 
statement did indicate that my use of the tool would be tracked. But 
maybe at some point, Javacool and/or Facetime will upgrade their 
analyzers to also work on privacy statements. 

At any rate, both of these tools are essentially designed to help guard 
against spyware. Although they're useful to some extent, they certainly 
aren't replacements for careful reading, nor are they designed to offer 
you legal advice. They are simply helper applications that might 
prevent you from overlooking something in a given EULA. If you're 
interested in this sort of helper application, try EULAlyzer and keep 
an eye out for Facetime's eventual product release. 
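The keyword-scanning approach the column describes, as an added illustration that is not EULAlyzer's or Facetime's code; the keyword lists and the sample EULA are constructed here, and the unflagged sentences show why such a scan points you to spots to read but does not replace reading the whole agreement:

```python
import re

# Constructed keyword lists grouped by the kind of clause a reader would want
# to look at; EULAlyzer's real keyword list is not on the page, so these are
# illustrative only.
KEYWORDS = {
    "data collection": ["collect", "record", "monitor", "track"],
    "third parties": ["third party", "third-party", "affiliate", "partner"],
    "advertising": ["advertis", "promotion", "marketing"],
    "bundled software": ["additional software", "bundled", "may install"],
}

# Constructed sample EULA, not the text of any real product's agreement.
SAMPLE_EULA = (
    "By installing this Software you agree to these terms. "
    "The Software may collect information about the web sites you visit "
    "and transmit it to our servers. We may share this information with "
    "third-party advertising partners. The Software may install additional "
    "software from our partners without further notice. "
    "Usage statistics are reported to us periodically. "
    "You may uninstall the Software at any time."
)

def split_sentences(text):
    """Split on sentence-ending punctuation; good enough for license prose."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def analyze_eula(text, keywords=KEYWORDS):
    """Return the sentences that contain any keyword, with the matched
    categories, so a reader can jump to the spots that need close reading."""
    findings = []
    for number, sentence in enumerate(split_sentences(text), start=1):
        lowered = sentence.lower()
        categories = sorted(
            category for category, words in keywords.items()
            if any(word in lowered for word in words)
        )
        if categories:
            findings.append({"sentence": number, "categories": categories, "text": sentence})
    return findings

def unflagged_sentences(text, keywords=KEYWORDS):
    """Sentences no keyword touched: the part a keyword scanner cannot help
    with, which is why the scan does not replace reading the whole EULA."""
    flagged = {f["sentence"] for f in analyze_eula(text, keywords)}
    return [s for n, s in enumerate(split_sentences(text), start=1) if n not in flagged]

if __name__ == "__main__":
    for finding in analyze_eula(SAMPLE_EULA):
        print(f"[{finding['sentence']}] {', '.join(finding['categories'])}: {finding['text']}")
    print("Not flagged:", unflagged_sentences(SAMPLE_EULA))
```

Note that the sentence about usage statistics being reported is never flagged, which mirrors the column's experience with a privacy statement that disclosed tracking without tripping the analyzer.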


==== Sponsor: St. Bernard Software ====

Filtering the Spectrum of Internet Threats: Defending Against 
Inappropriate Content, Spyware, IM, and P2P at the Perimeter 
   Because of the proliferation of Web-based threats, you can no longer 
rely on basic firewalls as your sole network protection. Attackers 
continue to evolve clever methods for reaching victims, such as sending 
crafty Web links through Instant Messaging (IM) clients or email, or by 
simply linking to other Web sites that your employees might surf. This 
free white paper examines the threats of allowing unwanted or offensive 
content into your network and describes the technologies and 
methodologies to combat these types of threats. Get your free copy now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Microsoft Boosts Its Ability to Provide End-to-End PKI Solutions
   Microsoft announced that it has acquired privately held Alacris, 
maker of identity and access-management solutions. The acquisition puts 
Microsoft in a better position to offer end-to-end solutions and to 
take the solutions beyond the enterprise environment and out to 

New Microsoft Tool Locks Down Shared XP Systems
   Microsoft released a new toolkit that helps you lock down shared 
Windows XP systems. The new Shared Computer Toolkit for Windows XP 
includes three parts: a disk protection tool, a user restrictions tool, 
and an accessibility tool.


==== Resources and Events ====

Exploit the Opportunities of a Wireless Fleet
   With the endless array of mobile and wireless devices and 
applications, it's hard to decide what you can do with the devices 
beyond providing mobile email access. It's even tougher to know how to 
keep it all secure. Join industry guru Randy Franklin Smith in this 
free Web seminar and discover what you can do to leverage your mobile 
and wireless infrastructure, how to pick devices that are right for 
you, and more!

Get Ready for the SQL Server 2005 Roadshow in Europe
   Back By Popular Demand--Get the facts about migrating to SQL Server 
2005! SQL Server experts will present real-world information about 
administration, development, and business intelligence to help you 
implement a best-practices migration to SQL Server 2005 and improve 
your database-computing environment. Receive a one-year membership to 
PASS and a one-year subscription to SQL Server Magazine. Register now.

Are You Walking the Tightrope Between Recovery and Continuity?
   There's a big difference between the ability to quickly recover lost 
or damaged data and the ability to keep your messaging operations 
running normally before, during, and after an outage. In this free Web 
seminar, you'll learn what the technical differences are between 
recovery and continuity, when each is important, and what you can do to 
make sure that you're hitting the right balance between them.

Streamline Desktop Deployments--Free Web Seminar and White Paper!
   Managing desktop software configurations doesn't have to be a manual 
process, resulting in unplanned costs, deployment delays, and client 
confusion. In this on-demand Web seminar, find out how to manage the 
software package preparation process and increase your desktop 
reliability, user satisfaction, and IT cost effectiveness. Plus--
register today and receive a free industry white paper on standardizing 
the software packaging process.

Deploy VoIP and FoIP Technologies
   Voice over IP (VoIP) is the future of telecommunications and many 
companies are already enjoying the benefits of transporting voice over 
IP networks to significantly reduce telephone and facsimile costs. Join 
industry expert David Chernicoff for this free Web seminar to learn the 
ins and outs of boardless fax in IP environments, tips for rolling out 
fax, integrating fax with telephony technologies, and more!


==== Featured White Paper ====

Supercharging SMS for Effective Asset Management
   Cost control and license compliance have risen to the top of the IT 
asset and desktop management agenda. Learn to map Microsoft's SMS to 
specific business objectives and examine the pitfalls of relying solely 
on SMS to achieve business IT asset management objectives. Download 
this free white paper now and find out how you can leverage technology 
to bridge the gap between technical professionals and your CFO.


==== 3. Security Toolkit ==== 

Security Matters Blog: Are Most Desktop Firewalls too Complicated? 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=14B62:4FB69

An interesting assertion is that Windows Firewall is enough for most 
people because they aren't capable of making informed decisions about 
whether to allow certain outbound network traffic. If that's true, is 
it just that such people need a more intuitive interface and possibly a 
little education? Read the rest of this blog entry for more about this 
subject and post your comments to share your opinion with other 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=14B60:4FB69 

Q: How do I log on to Windows Vista using a domain account?  

Find the answer at

Security Forum Featured Thread: Problem with Windows Update 
   A forum participant writes that when he tries to access Windows 
Update he receives the message "The website has encountered a problem 
and cannot display the page you are trying to view." This occurs just 
after the site informs him that it's checking for the latest updates. 
He said this happens only on one server and wonders if anyone knows 
what the problem might be. Join the discussion at


==== Announcements ====
   (from Windows IT Pro and its partners)

Stay Up-to-Date with the Windows IT Security Newsletter
   Every issue of Windows IT Security features related product coverage 
of the best security tools available and expert advice on the best way 
to implement security. Our expanded content includes even more 
fundamentals on building and maintaining a secure enterprise. In 
addition, paid subscribers get access to our entire online security 
article database (more than 1900 articles)! Subscribe today:

VIP Monthly Online Pass = Quick Security Answers!
   Sign up today for your VIP Monthly Online Pass and get 24/7 access 
to the entire Windows IT Security online article database, including 
exclusive subscriber-only content. That's a database of more than 1900 
security articles to help you get all the answers you need, when you 
need them. Sign up now:


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Control Endpoint Media Devices
   Ecora Software announced the latest version of its endpoint security 
solution, Ecora DeviceLock. DeviceLock provides centralized management 
and access control for USB and FireWire ports, Wi-Fi and Bluetooth 
adapters, CD-ROM/DVD and floppy drives, and other removable media 
devices according to user, schedule, and/or specific device. DeviceLock 
now lets you define a discrete list of administrator accounts so that 
users with local administrator privileges can't disable or remove 
DeviceLock services from computers. The product's USB whitelist can now 
limit access to devices whose serial numbers are on the list. And 
DeviceLock can now display custom messages when an access attempt is 
denied. DeviceLock pricing starts at $35 per endpoint. For more 
information, visit

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Argent Versus MOM 2005
   Download Argent Versus Microsoft Operations Manager 2005

Is Your Office Truly Fax Integrated?
   Download this free whitepaper from Faxback and find out!

Admins rush to install BLOG servers
   How to run your own blog server. Free 5 user license.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=14B64:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
