Microsoft warns of seven Windows flaws
VNUNet.com By Robert Jaques Wednesday, July 14, 2004
Microsoft yesterday warned of seven security vulnerabilities,
two of which it rated as 'critical'.
The company has issued updates for all seven flaws. These
include MS04-022, which addresses a vulnerability in Task
Scheduler that could allow code execution.
Microsoft explained that if a user is logged on with
administrative privileges, an attacker who successfully exploited
this vulnerability could take complete control of an affected
system, including installing programs, viewing, changing or
deleting data, or creating new accounts with full privileges. More....
Firms ignore MP3 and memory stick security risk
VNUNet.com By Robert Jaques Wednesday, July 14
UK businesses are leaving themselves open to viruses and loss of corporate data by failing to deal with the security threat from the introduction to their networks of removable media devices such as portable hard drives and MP3 players.
A survey by Reflex Magnetics found that 82 per cent of businesses consider mobile media devices to be a significant security threat, but 60 per cent admitted failing to monitor device usage.
"The research has revealed some worrying attitudes towards corporate security," said Andy Campbell, managing director of Reflex Magnetics, in a statement.
"While businesses recognise a problem exists, they are taking few practical measures to protect themselves from the risks associated with removable media devices."
More....
Survey: Users say remote access security is too weak
By Tim Greene, Network World VPNs Newsletter
Apparently, a significant number of potential VPN users think
the technology isn't secure enough to protect corporate data.
The 240 network managers who participated in an Infonetics
Research study rank security as their top concern, and a third of
them say that security is a barrier to implementing VPNs,
indicating they don't think remote access security is strong
enough.
Interesting, considering that IPSec VPN security supports
Triple-DES and AES - the federal government's favored standards -
and that Secure Sockets Layer encryption is used for virtually all
online transactions.
The study, called "User Plans for VPN products and Services,
North America 2004," also indicates that overall, use of
remote access VPNs and SSL remote access is still growing and that
by 2006, 70% of these users will rely on either one of these
technologies. More....
Best Practices: Securing IM Against Attacks
Free instant messaging services are just one of the many security
holes facing corporate IT
by Mathew Schwartz
In 2001, the CEO of eFront, a Web-site affiliation service, found
that hundreds of his instant messaging (IM) conversations had been
stolen and posted online. The logs included details and sensitive
commentary on business partners—and that was just for starters.
In light of that incident, and similar threats today, many
companies weigh whether IM is a corporate productivity tool or a
security liability. While a range of enterprise tools exist to
encrypt and protect IM communications in transit, many
organizations allow employees to use free IM services, which
introduces security risks, such as the one noted above. To discuss
best practices for securing IM, plus the evolution of IM attacks,
Security Strategies spoke with Eric Chien, the chief researcher
for Symantec Security Response.
How secure is IM use in companies today?
There are a few security concerns with instant messaging that
exist … First and foremost, you can transfer files, just as you
can with e-mail. Already today we have instant messaging worms
that iterate through your instant messaging buddy list … This
affects home users as well.
[Take] all of the free instant messaging clients—AOL, Yahoo,
MSN, ICQ, IRC … None of them by default [has] encryption. This
means people using it for business purposes, inside companies, don’t
realize that when they’re sending a message from their cube to
the one next to them, that [message] goes outside the company, and
then back to the guy sitting in the cube across from them. And
that message goes out in plain text, which means someone could
sniff the text … That’s a big concern, because … all that
data can be sniffed and stolen by potentially malicious users.
Four Steps to a Secure Budget
A seasoned security manager offers hard-nosed advice on how to
get critical IT security projects funded.
Security Manager's Journal by Roger Foix
JULY 12 (COMPUTERWORLD) - After working as an in-house
security manager in the financial services industry for many
years, I recently moved to consulting work. This will give me the
opportunity to work in a variety of industries (my current
contract is with a company in the health care industry) and
projects.

I've spent the past few days thinking about the many
issues I face, trying to decide which one to discuss in this, my
first column. In the end, it was an easy decision: extortion. I'm
not talking about preventing employees or outsiders from stealing
funds. I'm referring to my ability to "extort"
appropriate funding from management. There are less-cynical ways
of looking at the budgeting process, but my experiences over the
past few years at different companies have made getting blood out
of a stone look simple in comparison.

Many security managers labor
under the misapprehension that the budget process consists of
working out how much you need, spending a few weeks coaxing your
figures into the bizarre formats that the finance group requires,
then defending your important projects in meetings. But my
successful budgets have been the result of a different process -
one in which I laid the groundwork well ahead of time. Here are
four steps I follow to obtain funding from that parsimonious
corporate bean counter.
The IT Agenda: Battling Targeted Trojan Spoofing Terror
While e-mail and antispam vendors try to fix SMTP, we
must take action ourselves. Here's what you can do.
By Jonathan Feldman
You know how annoying SMTP address spoofing is, but did you
know it can be deadly? It's not the spoofing by itself that's
dangerous. It's the lethal combination of spoofing and Internet
Explorer bugs. Phishing--the scam that imitates e-mail from
legitimate organizations to fool users into revealing personal
financial information--has already done significant damage. Now
Trojan-bearing spam is beginning to take its toll, as we saw with
the recent Osama Trojan (see "Osama: Slammer or Spammer?").
And though antispam devices are a great deterrent, it's only a
matter of time until Trojan spoofing targeted to your users
becomes just as serious a threat to your network.
How do I know? I performed a proof-of-concept test on some spam-protected
targets to see how easily I could invade them by sending malicious
HTML, and it worked well, even at reasonably security-paranoid
corporate networks, like a Manhattan-based international law firm
and a Georgia bank. Here's my five-step process (for technical
details and the script, see feldman.org/smtp):
1. Procure targeted e-mail addresses by the type of
"negative acknowledgement" spammers use. Once you know
the names of VIPs, send probe messages to all permutations of
those names (jfeldman, feldmanj, jonathan.feldman and so on)
until you no longer get a bounce message; no bounce means it's a
valid address.
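The bounce probing in step 1 leaves a footprint on the defender's side: one external sender address producing a burst of non-delivery bounces to recipients whose local-parts are all variants of the same surname, usually followed by a single successful delivery to the real mailbox. The following script is an added example for this column, not the author's script from feldman.org and not part of the original article; it assumes a constructed, simplified mail-gateway log format (`from=<...> to=<...> status=...`) rather than any particular MTA's real format, and the log lines, sender and recipient names are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed, simplified gateway format
# (not a real MTA format, not from the article). One sender probes four
# spellings of one name; three bounce and one is delivered.
LOG_LINES = """
2004-07-14T09:01:02 from=<probe@example-sender.test> to=<jfeldman@corp.example> status=bounced
2004-07-14T09:01:03 from=<probe@example-sender.test> to=<feldmanj@corp.example> status=bounced
2004-07-14T09:01:04 from=<probe@example-sender.test> to=<jonathan.feldman@corp.example> status=delivered
2004-07-14T09:01:05 from=<probe@example-sender.test> to=<feldman.jonathan@corp.example> status=bounced
2004-07-14T09:02:10 from=<newsletter@vendor.test> to=<alice@corp.example> status=delivered
2004-07-14T09:03:11 from=<typo@partner.test> to=<bob.smth@corp.example> status=bounced
"""

LINE_RE = re.compile(r"from=<([^>]+)> to=<([^>]+)> status=(\w+)")


def parse(log_text):
    """Return (sender, recipient, status) triples, lower-cased, for each parsable line."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.search(line)
        if m:
            sender, rcpt, status = m.groups()
            events.append((sender.lower(), rcpt.lower(), status.lower()))
    return events


def letters_only(local_part):
    """Strip dots, digits and separators so 'feldman.jonathan' and 'feldmanj' compare on letters."""
    return re.sub(r"[^a-z]", "", local_part)


def shared_substring(parts, min_len=5):
    """Longest substring common to every string in parts; '' if none of at least min_len chars.

    Permutations of one name (jfeldman, feldmanj, feldmanjonathan) share the surname,
    while unrelated addresses that merely bounced share nothing this long.
    """
    parts = sorted(set(parts), key=len)
    if len(parts) < 2:
        return ""
    base = parts[0]
    for length in range(len(base), min_len - 1, -1):
        for start in range(0, len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in p for p in parts[1:]):
                return cand
    return ""


def find_probe_runs(events, min_bounces=3):
    """Flag senders whose bounced recipients look like spellings of one person's name.

    For each flagged sender, also report which delivered recipients in the same run
    contain the shared name token: that is the address the probing most likely confirmed.
    """
    by_sender = defaultdict(lambda: {"bounced": [], "delivered": []})
    for sender, rcpt, status in events:
        local = rcpt.split("@", 1)[0]
        bucket = "bounced" if status == "bounced" else "delivered"
        by_sender[sender][bucket].append(local)

    findings = []
    for sender, buckets in by_sender.items():
        bounced = {letters_only(p) for p in buckets["bounced"]}
        if len(bounced) < min_bounces:
            continue
        token = shared_substring(bounced)
        if not token:
            continue
        likely_valid = [p for p in buckets["delivered"] if token in letters_only(p)]
        findings.append({
            "sender": sender,
            "bounced": len(bounced),
            "name": token,
            "likely_valid": likely_valid,
        })
    return findings


if __name__ == "__main__":
    for finding in find_probe_runs(parse(LOG_LINES)):
        print("possible address probing from %(sender)s: %(bounced)d bounced variants of "
              "'%(name)s', delivered to %(likely_valid)s" % finding)
```

On the constructed lines the script reports one sender, `probe@example-sender.test`, with three bounced variants of `feldman` and one delivered recipient, `jonathan.feldman`. A gateway that recognises this pattern can rate-limit bounces to that sender or, better, stop generating bounces for unknown recipients at all (reject at SMTP time instead of accepting and bouncing), which removes the signal the probe relies on.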
Vulnerabilities