Month: January 2005

SiteDigger 2.0, delivered on Monday, looks for information about a Web site’s security by sending specific queries to Google’s Web database. Known as Google hacking, such searches can turn up easily exploitable flaws and sensitive information, including credit card numbers and user account information. The free service should help Webmasters stay informed about what information is out there regarding their sites, said Chris Prosise, vice-president of worldwide professional services for security technology company McAfee.

“We built this tool really as an awareness tool,” Prosise said, adding that SiteDigger highlights problems that Webmasters might otherwise not know about. “As a victim, you would never really know that someone was using this information.”

SiteDigger does not discern whether the person using it is an authorised administrator of the site or a potential attacker looking for weaknesses.

Prosise agreed that this means the tool could be used against a site, but pointed out that Google requires that any user of an automated service sign up with its Web services development programme.

Recently, the Santy worm used Google queries to find potentially vulnerable computers, which the program would then try to infect with its code.

Several other tools have been created by other research groups to comb for flaws using Google’s database.

Google could not immediately be reached for comment on SiteDigger.

Johnny Long, a senior engineer at Computer Sciences Corp. and author of the book Google Hacking for Penetration Testers, said such tools are necessary for Web administrators to keep their sites safe. “There is no way for a security team to stay on top of Google without automation,” he said. “They can’t spend all the time trolling through Google.” Long maintains a site of more than 800 signatures of common security problems that can be searched for with Google.

SiteDigger and other tools use the signatures to query the search engine for the problems. While stressing that SiteDigger benefits Web sites with knowledgeable security personnel — usually the larger sites — Long acknowledged that smaller, less security-conscious sites would likely be at a disadvantage against potential attackers. Such sites typically aren’t aware of the threats posed by Google hacking. “The little guys are going to lose whenever a new tool comes out,” he said. “The smaller site you are, the more you have to worry about.”

http://news.zdnet.co.uk/communications/networks/0,39020345,39183591,00.htm

Microsoft is on target to release a public beta of antispyware software by Jan. 16, one month after the company acquired the software by purchasing Giant Company Software Inc., a company spokeswoman said.

Simultaneously, Microsoft is delaying elements of Exchange Edge Services, a package of e-mail security technologies, until the next major release of Exchange Server, according to a statement sent to reporters in December.

Microsoft plans to release a free evaluation version of Giant AntiSpyware software within a month of its Dec. 16 purchase of Giant, but a spokeswoman declined to comment on an exact release date, or the functionality that will be in the release program. Microsoft would not comment on information published on Microsoft enthusiast Web site Neowin.net that a beta version of the software, code named “Atlanta,” has already been distributed to internal testers. Neowin.net also posted screenshots supposedly taken from a product called “Microsoft AntiSpyware.”

Microsoft commonly tests products internally first, a process it calls “dogfooding,” but the company spokesman would not say whether the AntiSpyware software had been distributed to employees.

At the time of the Giant purchase, Microsoft said that the beta would run on Windows 2000, Windows XP and Windows Server 2003 systems and that it would use that public beta release to collect and evaluate customer feedback on the product, and make decisions about how it wants to distribute the AntiSpyware product in the future.

The future is more cloudy for Exchange Edge Services, an add-on for Exchange Server announced by Chairman and Chief Software Architect Bill Gates in February 2004 at the RSA Security (Profile, Products, Articles) Conference in San Francisco.

The company last month axed Edge Services, saying it will not be released this year as an addition to Exchange, but will instead be rolled into the next version of the Exchange Server product.

With many customers still in the process of upgrading their Exchange e-mail servers to Exchange Server 2003, released in 2003, the change in timing for Edge Services will have little impact on customers, according to Microsoft. “The new (Exchange) road map means there will be no major upgrades for customers who bought upgrade rights on Exchange in late 2001 and early 2002,” Rob Helm, director of research at Directions on Microsoft Inc., wrote in a research note.

Microsoft plans to release some elements of Edge Services with Exchange Server 2003 Service Pack 2, due in the second half of 2005. However, it needs more time to build a product that meets customer requests for broader capabilities such as support for messaging policies to help meet regulatory compliance requirements, the company said.

http://www.infoworld.com/article/05/01/05/HNmicrosoftrushesantispyware_1.html