CyberSecurity Institute

Security News Curated from across the world

Month: November 2003

Future virus fighting

Posted on November 26, 2003 / December 30, 2021 by admini

In general, an unknown writer identifies a vulnerability in a common system, writes software to exploit it and releases it to his chums and the antivirus companies, sometimes into the wild. The virus is analysed, a unique pattern within it is identified and the antivirus companies release the update to their customers.

One approach to counter that is heuristic analysis, where software examines email attachments and incoming files and attempts to work out what they actually do. A more advanced form of heuristic scanning involves running the code, either in emulation or a virtual machine, and watching for dangerous activity.

Yet another approach is to monitor not the suspect code, but the entry points to the operating system: as software runs, the antivirus program constantly checks for dangerous activity.

One of the latest demonstrations comes from Washington University, where John Lockwood and his students have developed a device called the Field Programmable Port Extender (FPX) that can scan incoming bitstreams at up to 2.4 gigabits per second. The hardware builds incoming packets into a message, analyses the protocol headers and compares the contents of the message against a database of known signatures — all things that are normally done in software.

More info: http://insight.zdnet.co.uk/0,39020415,39118047,00.htm


Microsoft To Test Providing Security Updates On CD

Posted on November 26, 2003 / December 30, 2021 by admini

Microsoft is considering a release of security updates on CD for users of its older operating systems who lack broadband connections to the Internet, according to an e-mail sent to prospective beta testers on Tuesday. The e-mail invites beta testers who are using Windows 98, Windows 98 Second Edition, and…


Senate OKs Anti-Spam Bill

Posted on November 26, 2003 / December 30, 2021 by admini

The bill, which would override all existing state anti-spam laws, puts numerous restrictions on the marketing e-mail messages companies can send to users, levies fines and jail terms for offenders, and instructs the Federal Trade Commission to report to Congress on a plan to create a ‘do-not-spam’ list, similar to the one recently put into place by the FTC, which prevents telemarketers from calling consumers who have added their names and phone numbers to the list.

Criminal charges are also part and parcel of the CAN SPAM Act, with penalties ranging up to five years in prison for such practices as hacking into another person’s computer with the intent of sending spam from the hijacked machine, falsifying header information in bulk junk mail, and registering five or more e-mail accounts using false information then using those ill-gotten accounts to blow spam onto the Internet.

More info: http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=DZDJ4BPE4AWPCQSNDBCSKHY?articleId=16400839


For security ask yourself…what would Microsoft do?

Posted on November 26, 2003 / December 30, 2021 by admini

The paper, simply titled “Security at Microsoft,” details the methods and technologies that the company’s Operations and Technology Group (OTG) uses to secure the company’s global corporate network of more than 300,000 computers and 4,200 servers.

In the paper, Microsoft describes its risk management strategy, which involves classifying different computing resources according to their “value class” — from servers hosting the Windows source code down to test servers.

Microsoft also provides guidance on how its security group assesses the potential risks and threats to those assets and creates policies to secure the assets that are appropriate, given the value of the data they contain.

To protect corporate assets from threats introduced by remote workers, Microsoft said it has invested heavily in smart card technology, deploying more than 65,000 smart cards to remote workers that enable them to log on to the corporate network using two-factor authentication.

The company is also candid in admitting to past security failures, acknowledging that the company has been attacked in the past and that “there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class,” such as source code or human resources data, according to the document.

Microsoft centrally monitors the patch level of machines on its network using its own Systems Management Server 2003 product, enforces the application of security patches “without end-user intervention” and prohibits users from disabling security patch management features without “an approved exemption,” according to the document.

In addition to publishing the white paper, Microsoft has started broadcasting monthly webcasts featuring senior security executives, who articulate the company’s message on securing its products and answer questions from IT professionals about where to find software patches and technical information, Nash said in an interview on Monday.

The company has also launched a new security portal called the “IT Pro Security Zone” that brings together information on security best practices and provides access to Microsoft MVPs (Most Valuable Professionals), experts on the company’s technology who are active participants in technology news groups and online discussions.

After reading the white paper, Russ Cooper, surgeon general of TruSecure and moderator of the NTBugtraq security discussion list, said that it probably had more public relations than technical value, especially with a reading audience made up of administrators at companies with constrained budgets.

More info: http://www.infoworld.com/article/03/11/21/HNmssecurity_1.html


Microsoft to launch SUS 2.0 beta in January

Posted on November 26, 2003 / December 30, 2021 by admini

The first major improvement is the ability to go beyond the operating system and patch Windows’ application content. This will be done through a feature called Microsoft Update, as opposed to Windows Update, which Microsoft cannot use for this purpose because of the software maker’s antitrust settlement with the federal government.

As Microsoft said earlier this year, the company is boiling down the number of installers it currently uses — from four to two.

Microsoft Installer for Windows (MSI 3.0) is currently in beta and will be released at the same time as SUS 2.0.

In SUS 2.0, administrators can choose the language and content they want, whereas today, anything connected to a SUS Server gets patched. This is one of the main differentiators between the patch manager and SMS, which just began shipping in its latest version earlier this month. “Reducing the size of the package is huge,” said Roger Wilding, a senior technical engineer at CNF, a Palo Alto, Calif.-based transportation and shipping company.

Questions continue to arise about the level of integration SUS will have with SMS 2003. Today, SMS 2.0 and SUS 1.0 are built on completely different architectures, but Microsoft plans to build SMS on top of SUS so there is a common architecture and experience.

More info: http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci938503,00.html


Nachi worm infected Diebold ATMs

Posted on November 26, 2003 / December 30, 2021 by admini

The machines were in an advanced line of Diebold ATMs built atop Windows XP Embedded, which, like most versions of Windows, was vulnerable to the RPC DCOM security bug exploited by Nachi, and its more famous forebear, Blaster.

At both affected institutions the ATMs began aggressively scanning for other vulnerable machines, generating anomalous waves of network traffic that tripped the banks’ intrusion detection systems, resulting in the infected machines being automatically cut off, Diebold executives said.

Though ATMs typically sit on private networks or VPNs, the most serious worms in the last year have demonstrated that supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.

January’s Slammer worm indirectly shut down some 13,000 Bank of America ATMs by infecting database servers on the same network and spewing so much traffic that the cash machines couldn’t process customer transactions.

More info: http://www.securityfocus.com/news/7517
