Niche Konsult Limited's Newsletter December 2007 Edition

This email message is being sent to all individuals who have expressed interest in Niche Konsult or Niche Konsult partner products and solutions in accordance with Niche Konsult’s privacy policy. You may opt out of future mails by sending a mail to newsletter@nichekonsult.com with “Unsubscribe” in the Subject line.

Feature Story: SANS Top 20 2007 Annual Update

This may be stale news: the 2007 update was published in November 2007, but its relevance earned it the feature slot.

Some seven years ago, the SANS Institute and the FBI's National Infrastructure Protection Center (NIPC) started a joint project: documenting the ten most critical threats to IT security. That project later grew into the SANS Top 20, a list of the twenty most critical vulnerability categories.

The SANS Top 20 is a living document. It is not a dry list: each entry carries actionable guidance so administrators can take steps to remedy the vulnerabilities. It is also a consensus document. (Regrettably, to the best of our knowledge, Nigerians have yet to begin contributing to it.) To contribute, send your suggestions to top20@sans.org.

Three points are worth noting: the dominance of web application insecurity (more than half of the listed vulnerability categories); the rise of client-side vulnerabilities and the enterprise exposure that comes with everyday browser usage; and, on the other side of the ledger, the decline in operating system vulnerabilities.

The SANS Top 20 is broken into the following parts:

  • Client-side Vulnerabilities (web browsers, office software, email clients, media players)
  • Server-side Vulnerabilities (web applications, Windows services, Unix and Mac OS services, backup software, antivirus software, management servers and databases)
  • Security Policy and Personnel (excessive user rights and unauthorized devices, phishing and spear phishing, unencrypted laptops and removable media)
  • Application Abuse (instant messaging and peer-to-peer programs)
  • Network Devices (VoIP servers and phones)
  • Zero-day attacks

According to the press release for the SANS Top 20 2007, attackers are now zeroing in on users who are easily misled, which implies that organizations need to invest far more in user education and in the security of their custom-built applications.

For More Information

PRESS RELEASE/EXECUTIVE SUMMARY:

SANS TOP 20 2007 Media Speak

SANS TOP 20:

http://www.sans.org/top20/

Disclosure: Niche Konsult resells software solutions and provides value added services that can be used to resolve vulnerabilities raised in the SANS Top 20. These include the following:

Client-side Vulnerabilities:

GFI LANguard Network Security Scanner / GFI LANguard VulnerabilityManager for client-side vulnerability scanning

GFI LANguard Network Security Scanner / GFI LANguard PatchManager for patch management

Server-side Vulnerabilities:

Acunetix Web Vulnerability Scanner to scan web applications (whether hosted on IIS or Apache) and, through them, the databases behind them, for vulnerabilities such as SQL injection

GFI LANguard Network Security Scanner / GFI LANguard VulnerabilityManager for vulnerability scanning of Windows services, Mac OS services and Linux services, as well as of backup software, antivirus software, management servers and databases

Security Policy and Personnel:

GFI EndPointSecurity to exercise control over the use of unauthorized devices,

GFI MailEssentials to combat phishing and spear phishing,

Pointsec Protector to encrypt laptops and removable media

GFI LANguard Network Security Scanner to scan for unauthorized wireless access points/USB devices

BROWSER SECURITY: New Section

Starting with this December 2007 edition, a new section will be devoted to issues of web browser security.

BROWSER SECURITY: Internet Explorer Download Zones Mix-up leads to cross-site scripting

Yair Amit of Watchfire recently discovered that Internet Explorer could, under certain conditions, be turned against a large number of web applications. The flaw results in XSS holes in websites that allow users to download user-controlled HTML files (for example, webmail and forum services). Operators who serve user-supplied HTML as downloads precisely so that it does not render in their own origin should read the details.

For More Information:

For more details, you are welcome to read the blog post at:

http://blog.watchfire.com/wfblog/2007/12/internet-explor.html

BROWSER SECURITY: Netscape Navigator: End-of-LifeCycle Warning

AOL's official support for all Netscape client products ends on February 1st, 2008. An unsupported browser receives no further security fixes, so Niche Konsult recommends that administrators add Netscape Navigator to the list of applications banned on the corporate network, and to the list of items checked for during vulnerability scanning. Niche Konsult expects malware purveyors to begin crafting payloads aimed at users who keep running Netscape Navigator.

For More Information:

http://browser.netscape.com/

http://en.wikipedia.org/?search=Netscape%20Navigator

http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers/

Disclosure: Niche Konsult resells GFI LANguard Network Security Scanner, which can be used to scan for banned applications installed on the corporate network; GFI WebMonitor for ISA Server, which provides real-time HTTP/FTP monitoring, anti-virus scanning and access control; and WebMarshal from Marshal.

BROWSER SECURITY: How Safe are Websites Labeled Hacker Safe?

Geeks.com, a website displaying the HackerSafe certificate, was hacked. In the circumstances, it is important to take note of what the HackerSafe certificate stands for and what it does not: a passing external vulnerability scan is not a guarantee that a site is secure. Additionally, IT administrators need to find a way to bring this information to the attention of end-users.

http://www.informationweek.com/news/showArticle.jhtml?articleID=205900444&pgno=1&queryText

HACKERSAFE - WHAT IT IS/NOT

http://www.hackersafe.jp/product/pdf/ScanAlert_Technology_WhatIsHackerSafe.pdf

WHID 2008-01: INFORMATION LEAKAGE IN A SITE THAT HAS HACKER SAFE CERTIFICATE

( http://www.webappsec.org/projects/whid/byid_id_2008-01.shtml)

BROWSER SECURITY: February 12, 2008: Microsoft Internet Explorer 7 Force-Install on Corporate Networks

Since October 2007, Microsoft has no longer required Windows Genuine Advantage validation of the underlying operating system before Internet Explorer 7 is installed on end-user PCs. Now Microsoft intends to drive adoption of its latest browser by distributing Internet Explorer 7 through WSUS. From February 12, 2008, IE7 is offered in the Update Rollups classification; WSUS servers that auto-approve that classification will push it to their clients, so administrators who are not ready for IE7 should review their approval rules (see the Knowledge Base article below).

For More Information:

http://support.microsoft.com/kb/946202 

http://blogs.zdnet.com/microsoft/?p=1114 

Disclosure: Niche Konsult resells GFI LANguard Network Security Scanner and GFI LANguard PatchManager which can be used to deploy applications across the enterprise. For a comparison of GFI LANguard Network Security Scanner and competitive patch management/software deployment tools, please send an email to idara@nichekonsult.com and we will be glad to provide you the details.

DATABASE SECURITY: First Mass SQL Injection Worm of 2008

Automated SQL injection attacks against web applications backed by Microsoft SQL Server and Sybase databases have recently been spotted.

For More Information:

http://www.computerworld.com.au/index.php/id;683627551 

http://www.acunetix.com/websitesecurity/sql-injection2.htm 

Disclosure: Niche Konsult resells Acunetix Web Vulnerability Scanner.

Acunetix Web Vulnerability Scanner offers:

  • An automatic JavaScript analyzer allowing for security testing of Ajax and Web 2.0 applications
  • The industry's most sophisticated SQL injection and cross-site scripting testing
  • A visual macro recorder that makes testing web forms and password-protected areas easy
  • Extensive reporting facilities, including Visa PCI compliance reports
  • A multi-threaded, lightning-fast scanner that crawls hundreds of thousands of pages with ease
  • An intelligent crawler that detects the web server type and application language
  • Crawling and analysis of websites including Flash content, SOAP and AJAX
  • A free version, available at www.acunetix.com

DATABASE SECURITY: Swingbench - Load Generator and Benchmark tool for Oracle

Swingbench is a free load generator (and benchmark tool) designed to stress test an Oracle database (9i, 10g or 11g). It consists of a load generator, a coordinator and a cluster overview. The software generates a load and charts transactions and response times.

Whilst it is primarily used to demonstrate Real Application Clusters, it can also be used to demonstrate functionality such as online table rebuilds, standby databases, and online backup and recovery. The code that ships with Swingbench includes two benchmarks, OrderEntry and CallingCircle. OrderEntry is based on the "oe" schema that ships with Oracle9i/Oracle10g, modified so that Spatial, Intermedia and the other Oracle9i sample schemas do not need to be installed. It can be run continuously (that is, until you run out of space). It introduces heavy contention on a small number of tables and is designed to stress interconnects and memory. It is installed using the "oewizard" located in the bin directory.

CallingCircle simulates the SQL generated by an online telco application. It requires data files to be generated and copied from the database server to the load generator before each run, and typically needs between 1 and 8 GB of disk space. Both benchmarks are heavily CPU intensive; experience has shown that you need at least one load-generator processor for every two database-server processors. CallingCircle is designed to stress CPU and memory without the need for a powerful I/O subsystem. It is installed using the "ccwizard" located in the bin directory.

The entire framework is developed in Java and as a result can be run on wide variety of platforms. It also provides a simple API to allow developers to build their own benchmarks.

Try SwingBench by visiting http://www.dominicgiles.com/swingbench.html

For More Information:

http://www.dominicgiles.com/swingbenchfaq.html 

DATABASE SECURITY: Microsoft SQL Server 2008 Set for Release between April and June 2008

The global launch of Microsoft SQL Server 2008 is set for the second quarter of 2008 (April to June). Why not grab a copy of the Community Technology Preview (CTP) today?

Security-relevant new features in SQL Server 2008 include Transparent Data Encryption (encryption of entire databases, data files and log files without changes to the applications using them), Extensible Key Management (so that encryption keys can be held in third-party key stores and hardware security modules rather than inside the database), auditing that records reads as well as modifications of data, and improved database mirroring, amongst others.

For More Information:

http://www.microsoft.com/sql/2008/default.mspx 

http://www.microsoft.com/sql/2008/learning/webcasts.mspx 

http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=1626&SiteID=1

http://www.microsoft.com/sql/techinfo/whitepapers/sql2008Overview.mspx

DATABASE SECURITY: 70,000 Web Pages Hacked By Database Attack

Website owners need to pay attention to database security as well: it has been reported that over 70,000 web pages were compromised through a single database attack.

For More Information:

http://www.webhostingfinds.com/blog/post/154 

http://news.yahoo.com/s/cmp/20080109/tc_cmp/205600653 

DATABASE SECURITY: Free SQL Injection cheat sheets for Oracle, MS-SQL, etc

So just what is SQL injection, and how does it come about? We found a few resources we feel are worth sharing.

For More Information:

http://www.ferrah.mavituna.com/makale/oracle-sql-injection-cheatsheet/ 

http://www.ferrah.mavituna.com/makale/sql-injection-cheatsheet/ 

http://www.pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/ 

DATABASE SECURITY: Free, cross-platform database security assessment toolkit

Scuba by Imperva is a free, lightweight Java utility that scans Oracle, DB2, MS-SQL, and Sybase databases for known vulnerabilities and configuration flaws. Based on its data security assessment results, Scuba creates clear, informative reports with detailed test descriptions. Summary reports, available in Java and HTML format, illustrate overall risk levels. With Scuba by Imperva, you are quickly on your way to meeting industry-leading best practices for database configuration and management.

Scuba by Imperva Benefits include:

 • Detect vulnerabilities before malicious users do. Databases are easy targets for attacks and internal abuse. Uncover your security risk level and remediate open vulnerabilities.

• Bolster security for business and regulatory requirements. Many compliance laws mandate that organizations protect sensitive data, test systems and processes, and ensure effective internal controls. Scuba by Imperva helps organizations meet these requirements.

• Assess your database infrastructure in minutes. Scuba by Imperva scans your database for vulnerabilities and generates HTML or Java assessment reports on demand in record time.

• Unbeatably low price - free.

Scuba by Imperva is available free of charge

Scuba by Imperva Database Supports:

• Oracle*

• IBM DB2*

• Microsoft SQL Server*

• Sybase*

• All database operating systems are supported.

Scuba by Imperva Client Requirements

• Windows 98/NT/2000/XP

• Sun Java JRE 1.5+

For More Information:

 http://www.imperva.com/products/scuba.html/

 http://www.imperva.com/lg/lgw.asp?pid=213 

EMAIL SECURITY: University of Liverpool now uses GFI MailSecurity

 Email is the University of Liverpool’s primary mode of communication and the computer network – hosting 34,000 mailboxes – delivers over 8 million email messages each month to over 50,000 different locations – or 400,000 email messages a day at peak times. This high dependency on email means that providing protection against viruses, malware and other malicious attacks is a critical function. To address this issue the University sought an anti-virus product that offered optimum protection at server level and ensured that each email was clean of malicious content before it reached each one of the University’s 34,000 mailboxes.

Apart from buying a solution that offered multiple anti-virus engines (the story continues in the full case study linked below)

For More Information:

EXECUTIVE SUMMARY

http://www.gfi.com/news/en/liverpoolcs.htm

FULL CASE STUDY

 http://www.gfi.com/documents/cs/liverpooluni.htm 

Disclosure: Niche Konsult resells GFI MailSecurity.

ENTERPRISE SECURITY: Log collection and Analysis infrastructure: Part 2

TYPES OF EVENT LOGS

Windows Event Logs

According to Microsoft Knowledge Base article 308427, an event is any significant occurrence in the system or in a program that requires users to be notified or that results in an entry being added to a log.

On a Windows XP computer there are three main logs: the Application log, which contains events written by applications (including Windows components that run as applications); the Security log, which contains the audit records written by the Local Security Authority Subsystem Service (LSASS), such as logon attempts and object access; and the System log, which contains events logged by Windows XP system components such as drivers and services. Note that the Security log only records what the local or domain audit policy tells it to: on a stand-alone Windows XP machine auditing is off by default, so an empty Security log is a configuration problem, not a clean bill of health.

On a Windows Server computer, additional logs include the Directory Service log, written by Active Directory; the File Replication Service log, written by the Windows File Replication Service; and the DNS Server log, written by the Windows DNS Server service.

Windows Vista adds two new logs, Setup and Forwarded Events, the latter holding events collected from other computers through event subscriptions. (The Windows event log was in fact overhauled in Vista, with an XML-based event format and the new Applications and Services Logs tree, but that is a matter for another day.)

W3C Logs

W3C logs are the text-based flat files that web servers use to record requests; each line describes one server transaction. Two formats are in common use:

• the Common Log Format

• the W3C Extended Log File Format

The Common Log Format (originally the NCSA format) came first, and to this day it is the default for a number of popular web servers, including Apache. Its downside is that the set of fields per transaction is fixed and omits several useful ones: referrer, user agent, time taken, host name and cookie data. (Apache's "combined" format adds referrer and user agent.) The W3C Extended Log File Format was designed to overcome this: it is a customizable ASCII format whose fields are chosen by the administrator and declared in a #Fields directive at the top of the file, so a parser must read the directives rather than assume a column order. It is the default log format of Microsoft Internet Information Server (IIS). Two points matter for security monitoring: IIS writes these logs with UTC timestamps by default, so they must be aligned with other sources before correlation, and the cs-uri-query field is where most injection attempts show up, so it should be logged rather than omitted.
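A parser that honours the #Fields directive, followed by a first-pass detection over the parsed entries, written in Python. This is an added example for this newsletter, not code from Microsoft, GFI or any other vendor; the IIS-style log lines it reads are constructed for the illustration, and the injection patterns are a starting point rather than a complete rule set.

```python
"""Parse W3C Extended Log File Format (the IIS default) and flag suspicious requests.

Added example for this newsletter; not vendor code. The sample log lines are
constructed, and the detection patterns are an illustrative starting point.
"""
import re
from urllib.parse import unquote_plus

# Constructed IIS-style W3C Extended log. The field order is declared by the
# #Fields directive, which is why a parser must read the directives rather than
# assume fixed columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-01-14 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2008-01-14 09:00:01 10.0.0.5 GET /products.asp id=17 200 Mozilla/4.0+(compatible;+MSIE+7.0)
2008-01-14 09:00:02 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+7.0)
2008-01-14 09:00:07 192.0.2.44 GET /products.asp id=17;DECLARE+@S+VARCHAR(4000);EXEC(@S) 200 Mozilla/4.0
2008-01-14 09:00:09 192.0.2.44 GET /products.asp id=17'+OR+1=1-- 500 Mozilla/4.0
2008-01-14 09:00:15 10.0.0.9 GET /default.asp - 404 Mozilla/5.0
"""

# Markers of automated SQL injection against SQL Server (string-encoded batches
# run through DECLARE/EXEC/CAST) plus classic tautologies and UNION probes.
SQLI_PATTERNS = [
    re.compile(r"\bdeclare\s+@\w+", re.I),
    re.compile(r"\bexec\s*\(", re.I),
    re.compile(r"\bcast\s*\(", re.I),
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
]


def parse_w3c_extended(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive.

    A '-' in any column means the field was empty for that request; it is
    returned as None so callers do not mistake it for a literal dash.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date) carry no entries
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def suspicious_requests(text):
    """Return (client, path, query, status, reasons) for entries that match an
    injection marker in the query string or that failed with a 5xx status."""
    flagged = []
    for entry in parse_w3c_extended(text):
        # IIS logs the query string URL-encoded, with spaces as '+'
        query = unquote_plus(entry.get("cs-uri-query") or "")
        reasons = [p.pattern for p in SQLI_PATTERNS if p.search(query)]
        status = int(entry["sc-status"])
        if 500 <= status < 600:
            reasons.append("5xx")
        if reasons:
            flagged.append((entry["c-ip"], entry["cs-uri-stem"], query, status, reasons))
    return flagged


if __name__ == "__main__":
    for row in suspicious_requests(SAMPLE_LOG):
        print(row)
```

Decoding the query string before matching matters: the DECLARE/EXEC batch in the third sample line arrives with its spaces encoded as '+', and a pattern applied to the raw column would miss it.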

Syslogs

Syslog is the de facto standard for message logging in IP networks, documented as the BSD syslog protocol in RFC 3164. It is most commonly used by computer systems running UNIX and Linux, and by network devices and appliances such as Cisco routers and the Cisco PIX firewall. Applications do not write syslog events to disk themselves: whenever an event is generated, the originating system sends a short text message (a syslog message) to a dedicated collector commonly known as a syslog server, which saves it to a log file. Each message carries a priority value that encodes a facility (which subsystem generated it) and a severity (from emergency down to debug), followed by a timestamp, the sender's host name and the message text. Syslog messages are normally sent in clear text over UDP port 514 with no authentication, so in transit they can be read, silently lost or spoofed; a TCP transport wrapped in SSL/TLS can be used to add encryption and reliability, and the collector should accept messages only from the network segments it expects to hear from.

Syslog is typically used for computer system management and security auditing. While it has a number of shortcomings (no delivery guarantee over UDP, no sender authentication, and message formats that vary by vendor), its big plus is that it is supported by a wide variety of devices and receivers. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository, with the syslog server acting as the log aggregator.
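What a syslog server actually has to do with each message, as an added Python example for this newsletter rather than code from any vendor or project: decode the priority into facility and severity, split out the header, and apply a few triage rules. The sample messages are constructed to resemble a Linux host's sshd and sudo output and Cisco PIX connection and ACL-deny messages; the vendor-format assumptions (the PIX message numbers, the sshd wording) are noted in the comments.

```python
"""Decode BSD syslog (RFC 3164) messages and triage them by facility and severity.

Added example for this newsletter, not code from any vendor or project. The
sample messages below are constructed to resemble what a Linux host and a
Cisco PIX firewall would send to a syslog server.
"""
import re

# Facility and severity tables from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

# Constructed sample traffic (192.0.2.0/24 is a documentation address range).
SAMPLE_MESSAGES = [
    "<38>Jan 14 09:01:55 web01 sshd[2113]: Failed password for root from 192.0.2.44 port 51123 ssh2",
    "<38>Jan 14 09:01:58 web01 sshd[2113]: Failed password for root from 192.0.2.44 port 51124 ssh2",
    "<86>Jan 14 09:02:03 web01 sudo:   dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/bin/bash",
    "<166>Jan 14 09:02:11 pix-fw %PIX-6-302013: Built outbound TCP connection 4471 for outside:192.0.2.44/80",
    "<164>Jan 14 09:02:12 pix-fw %PIX-4-106023: Deny tcp src outside:192.0.2.44/3391 dst inside:10.0.0.5/1433 by access-group acl_out",
    "Jan 14 09:02:20 web01 kernel: eth0: link up",  # no PRI at all, as some senders do
]


def parse_syslog(line):
    """Return the decoded parts of one message; raise ValueError if it cannot be parsed.

    RFC 3164 tells a receiver to treat a message with no valid PRI as
    user.notice (<13>), so that case is normalised rather than dropped.
    """
    if not line.startswith("<"):
        line = "<13>" + line
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unparseable syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg").strip(),
    }


# OpenSSH's wording for a rejected password (assumed stable for this example).
FAILED_LOGIN_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")
# PIX message 106023 is an ACL deny; the fields after "Deny" are protocol, src, dst.
PIX_DENY_RE = re.compile(r"Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<port>\d+)")


def triage(lines):
    """Summarise failed logins per source, denied connections to TCP/1433, and
    every event of warning severity or worse."""
    failed_logins = {}
    denied_sql = []
    warning_or_worse = []
    for line in lines:
        ev = parse_syslog(line)
        if ev["facility"] in ("auth", "authpriv"):
            m = FAILED_LOGIN_RE.search(ev["msg"])
            if m:
                failed_logins[m.group("ip")] = failed_logins.get(m.group("ip"), 0) + 1
        if ev["tag"].endswith("-106023"):
            m = PIX_DENY_RE.search(ev["msg"])
            if m and m.group("port") == "1433":  # Microsoft SQL Server's default port
                denied_sql.append((m.group("src"), m.group("dst")))
        # Lower index in SEVERITIES means more severe.
        if SEVERITIES.index(ev["severity"]) <= SEVERITIES.index("warning"):
            warning_or_worse.append(ev)
    return {"failed_logins": failed_logins, "denied_sql": denied_sql,
            "warning_or_worse": warning_or_worse}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGES).items():
        print(key, value)
```

The last sample line illustrates the caveat in the text: senders are not obliged to behave, so a collector has to cope with messages that lack a priority rather than discard them, and the same source address (192.0.2.44 here) may only become interesting once the sshd failures and the firewall deny are seen side by side in the central repository.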

The above list is not comprehensive, yet it treats the most common logs an administrator needs to interact with. In the next edition, we will look at event log monitoring tools.

For More Information:

http://technet2.microsoft.com/windowsserver/en/library/ff00cacf-3a04-49eb-8676-c5eb9262a9291033.mspx?mfr=true

http://www.microsoft.com/technet/technetmag/issues/2006/11/EventManagement/default.aspx

http://www.computerperformance.co.uk/vista/vista_event_viewer.htm#New_Event_Logs_in_Vista

http://www.lockergnome.com/it/2005/02/09/windows-server-2003-event-viewer/

http://kbase.gfi.com/showarticle.asp?id=KBID002767

http://kbase.gfi.com/showarticle.asp?id=KBID002769 

http://www.w3.org/TR/WD-logfile.html 

Disclosure: Niche Konsult resells the following event log monitoring solutions - GFI EventsManager and Netikus EventSentry.

ENTERPRISE SECURITY: Who Polices the police?

Microsoft's sixth immutable law of security reads: A computer is only as secure as the administrator is trustworthy.

Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that he have control over the computer. This puts the administrator in a position of unequalled power. An untrustworthy administrator can negate every other security measure you've taken. He can change the permissions on the computer, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.

When hiring a system administrator, recognize the position of trust that administrators occupy, and only hire people who warrant that trust. Call his references, and ask them about his previous work record, especially with regard to any security incidents at previous employers. If appropriate for your organization, you may also consider taking a step that banks and other security-conscious companies do, and require that your administrators pass a complete background check at hiring time, and at periodic intervals afterward. Whatever criteria you select, apply them across the board. Don't give anyone administrative privileges on your network unless they've been vetted – and this includes temporary employees and contractors, too.

Next, take steps to help keep honest people honest. Use sign-in/sign-out sheets to track who's been in the server room. (You do have a server room with a locked door, right? If not, re-read Law #3). Implement a "two person" rule when installing or upgrading software. Diversify management tasks as much as possible, as a way of minimizing how much power any one administrator has. Also, don't use the Administrator account—instead, give each administrator a separate account with administrative privileges, so you can tell who's doing what. Finally, consider taking steps to make it more difficult for a rogue administrator to cover his tracks. For instance, store audit data on write-only media, or house System A's audit data on System B, and make sure that the two systems have different administrators. The more accountable your administrators are, the less likely you are to have problems.

Source: Microsoft’s 10 Immutable Laws of Security

For More Information

YUNG-HSUN LIN OF MEDCO HEALTH SOLUTIONS: FAILED LOGIC BOMB

http://www.newark.fbi.gov/dojpressrel/2007/nko91907.htm

ROGER DURONIO OF UBS PAINEWEBBER: SUCCESSFUL LOGIC BOMB

http://www.usdoj.gov/criminal/cybercrime/duronioIndict.htm

JUSTIN A. PERRAS

http://www.usdoj.gov/criminal/cybercrime/perrasSent.htm 

http://www.sans.edu/resources/securitylab/log_bmb_trp_door.php 

MICROSOFT'S 10 IMMUTABLE LAWS OF SECURITY

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

http://www.scmagazineus.com/Former-New-Jersey-systems-administrator-gets-30-months-in-prison-for-logic-bomb/article/100582/

ENTERPRISE SECURITY: Network printers - An emerging attack vector

According to Aaron Weaver: "Many network printers listen on port 9100 for a print job (RAW Printing or Direct IP printing). You can telnet directly to the printer port and enter text. Once you disconnect from the printer it will print out the text that you send it. Network printers also accept PostScript, and Printer Control Language. The security around this is usually minimal - connect to the port, send the print job, disconnect and the printer prints the page. Within the last year there have been new discoveries on attacking the Intranet from the Internet. This involves setting an image tag or script tag to an internally addressable IP address and then the browser will request the "image" resource. Several attacks can be accomplished; port scanning, fingerprinting devices, and changing internal router settings."

For More Information

AARON WEAVER IN FULL

http://aaron.weaver2.googlepages.com/CrossSitePrinting.pdf

PRESS MENTIONS

http://infotech.indiatimes.com/Beware_your_printer_can_be_hijacked/articleshow/2692428.cms 

http://www.heise-security.co.uk/news/101646 

GENERAL SECURITY: Internet Access From Cybercafe Or Hotel Computers – How Safe?

Spyware is software (or, in the case of hardware keyloggers, a physical device) that captures usernames, passwords and other keystrokes, and that is used to steal money and identities. Usually invisible to the untutored eye, it may unobtrusively record every keystroke and email the capture on a set schedule, or post it to a website under its creator's control. On the reality of the spyware threat, the news items in the For More Information section are quite instructive. Niche Konsult recommends avoiding internet cafés and airport, library and public-kiosk internet facilities like the plague when handling information you would rather not share.

For More Information

http://www.hotel-online.com/News/PR208_1st/Jan08_BizCenters.html

http://www.sans.edu/resources/securitylab/superclick_privacy.php

http://www.k-state.edu/infotech/news/tuesday/ 

http://michaelcoates.wordpress.com 

http://lawfuel.com/show-release.asp?ID=16492

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx#E2C

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx#ESB

GENERAL SECURITY: Master Boot Records: A Re-emerging attack vector

A new rootkit that targets Windows (both Windows XP and Windows Vista) and hides in the Master Boot Record (MBR) was reported during December; Symantec calls it Trojan.Mebroot. Because MBR code runs before the operating system loads, the rootkit can hook the boot process and hide from tools that only inspect the running system. It builds on two published proofs-of-concept: eEye's BootRoot (Black Hat USA 2005) and Kumar's Vbootkit (Black Hat Europe 2007). GMER's MBR tool (linked below) can dump the MBR so that it can be compared with a known-good copy.

For More Information:

http://en.wikipedia.org/wiki/Rootkit

 http://en.wikipedia.org/wiki/Master_boot_record 

http://www.blackhat.com/presentations/bh-usa-05/bh-US-05-soeder.pdf 

http://www.blackhat.com/presentations/bh-europe-07/kumar/presentation/bh-eu-07-kumar-april.pdf 

http://www2.gmer.net/mbr/ 

www.zdnetasia.com/news/security/0,39044215,62036414,00.htm

http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html

GENERAL SECURITY: Targeted Attacks - A must-read Presentation by Maarten Van Horenbeeck of the ISC

Niche Konsult encourages all IT administrators to forward a copy of the presentation by Maarten Van Horenbeeck of the SANS Internet Storm Center (ISC) to their management. It is one of the best treatments of targeted attacks to be found on the internet.

For More Information:

 http://isc.sans.org/diary.html?storyid=3835 

GENERAL SECURITY: HP Software Update tool

The HP Software Update tool, which comes pre-installed on new HP laptops, has been found to contain flaws in its ActiveX control that can be exploited by an attacker; three such vulnerabilities were disclosed during 2007. The flaws are serious enough that an attacker who lures a user to a malicious web page can delete arbitrary files and so render the laptop unbootable. HP has supplied a patch.

For More Information:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9054038

http://www.eweek.com/article2/0,1895,2237376,00.asp

http://seclists.org/bugtraq/2007/Dec/0273.html 

http://www.securityfocus.com/archive/1/485325 

GOVERNMENT SECURITY: A must-read for Cyber Security practitioners

This report, which runs to over a hundred and twenty pages, should be required reading for those in charge of cybersecurity in Nigeria, as well as for those aspiring to gain some understanding of the inner workings of cybersecurity in governance.

For More Information:

http://www.demos.co.uk/publications/nationalsecurityforthetwentyfirstcentury/

http://www.businessweek.com/technology/special_reports/2007121/techhomelan.htm

INSTANT MESSAGING SECURITY: Ooops! No News!!

OFFICE SECURITY: Office 2003 update locks out older file formats

Microsoft once again drew complaints from a number of its customers when an Office 2003 update blocked users from opening files in several older, pre-Office 2003 file formats.

For More Information:

http://www.informationweek.com/news/showArticle.jhtml?articleID=205207131

http://www.itnews.com.au/News/NewsStory.aspx?story=67522

PORTABLE DEVICE SECURITY: Portable Electronic devices: Balancing convenience & Security

Given the number of news articles on breaches involving information leakage through the mismanagement of portable storage devices, as well as the prevalence of these devices on the market, Niche Konsult intends to produce a podcast highlighting the dangers corporations face from the uncontrolled use of portable devices. A copy will be posted to the web in three days' time, on January 24, 2008, and will feature prominently on our home page, http://www.nichekonsult.com. We trust our readers will find it relevant.

Disclosure: Niche Konsult resells GFI EndPointSecurity and PointSec Protector which can be used to control the use of portable storage devices in the enterprise.

PORTABLE DEVICE SECURITY: Sensitive NHS Patient Data Lost to portable storage devices

Once again, a British agency is in the news for information leakage due to the mismanagement of portable storage devices. This could happen to anyone and to any organization. If your organization does not have policies for managing these kinds of devices, it is high time someone began the process.

For More Information:

http://www.manchestereveningnews.co.uk/news/s/1031694_personal_info_lost_in_oldham

Disclosure: Niche Konsult resells GFI EndPointSecurity and PointSec Protector which can be used to control the use of portable storage devices in the enterprise.

WEB APPLICATION SECURITY: Section Re-Name

From the December 2007 edition henceforth, the Web Security Section of the newsletter will be named Web Application Security.

WEB APPLICATION SECURITY: Another Free Macworld Platinum Pass

Kurt Grutzmacher (grutz@jingojango.net) has, for the second time in two years, discovered that one did not have to pay a dime to attend Macworld. By the way, a Platinum Pass costs $1,895.00.

Last year Kurt disclosed a method of obtaining a free Platinum Pass, made contact with the web application developer, and the problem was resolved. This year Kurt found that a free Platinum Pass could once again be obtained. The question is how?

 FOR MORE INFORMATION:

 http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html

WEB APPLICATION SECURITY: Flash Files, Cross Site Scripting & Web Application Vulnerabilities

According to Rich Cannings, critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe Dreamweaver, Adobe Acrobat Connect (formerly Macromedia Breeze), InfoSoft FusionCharts and TechSmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to cross-site scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.

Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.

FOR MORE INFORMATION:

 http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw

WEB APPLICATION SECURITY: OWASP Asia Pacific & Australia 2008 Application Security Conference

Join us at the 8th Application Security Conference for OWASP at the Gold Coast Convention Centre in Queensland Australia.

The Conference offers a three day program including an initial day of Application Security Awareness Training, and then two days of technical and business presentations.

The Conference includes a number of leading industry experts in the application security field, including Mark Curphey (of Microsoft Europe, who started OWASP), as well as published author Brian Chess and local speakers including Jean Marie Abighanem, Matthew Hackling, Darren Skidmore and Paul Theriault, and many more.

Presentations include a diverse offering of Application Security Topics from both a technical and business nature and include topics such as

- Secure Development Lifecycles

- Enterprise Testing Projects & Considerations

- Understanding Attack Vectors such as XSS, CSRF etc.

- Security in a Web 2.0 World

- Static Analysis and Dynamic Analysis

- PCI Security Standards for Application Security

- Hacking Techniques for the Web and Google

- Web Services and XML Security

- Flash based Malware Detection & Analysis

- Legal Risk & Compliance Issues with Application Security

Registrations are now open and can be completed online through the OWASP web site. http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference

Early Bird registration is available until 25th January 2008 and saves $50 off your registration costs.

Standard Conference Registration is $475.00 USD (OWASP Members $425.00 USD). The Conference Training Day is provided at $650.00 USD.

The Conference fees include access to the presentations as well as day meals, and a Gala Dinner for the Conference Attendees. Be sure to register today to secure a place at the Leading Asia Pacific & Australia Application Security Conference. http://www.owasp.org

WINDOWS SECURITY: Is your operating system running in Secure Mode?

If your PC is not fully patched, running antivirus software, a firewall and antispyware software, then most probably it isn’t.

If such a PC is a personal one, then how about trying Secunia PSI? Secunia PSI is a free solution from Secunia that allows private users to map, patch, and secure the software installed on their computers. As of January 2008, the Secunia PSI has been installed on more than 215,000 computers and monitors more than 17.6 million applications, categorised as either Insecure, End-of-Life, or Patched. The first version of the Secunia PSI was released in July 2007; it is currently at version 0.9.0.0 (Release Candidate 1).

For More Information:

Personal PCs   https://psi.secunia.com/

Corporate/Enterprise networks: GFI LANguard Network Security Scanner

WINDOWS SECURITY: Microsoft Vista Service Pack 1 Near-Final “Release Candidate” Now Available

Microsoft has incorporated bug fixes, performance improvements, capability improvements as well as a few new features into Windows Vista Service Pack 1.

For More Information:

http://blogs.zdnet.com/microsoft/?p=1106

WIRELESS SECURITY: Which way to go? Open wireless or Secure wireless?

Those of us with modern laptops are often notified of the existence of open or secure wireless networks within reach of our machines. There is a raging controversy over whether it is wrong or right to run an open or a secure wireless network. The arguments on both sides make for interesting reading.

For More Information:

PRO OPEN WIRELESS:

http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110

www.boingboing.net/2008/01/10/why-its-goog-to-leav.html

www.tertdirt.com/articles/20080110/100007.shtml

http://blogs.computerworld.com/open_wireless_oh_my

CONS OPEN WIRELESS:

http://www.wifinetnews.com/archives/008126.html

www.dslreports.com/shownews/Bruce_Schneier-Wants_You_To_Steal_his_Wifi_90869

THE CONTROVERSY RAGES ON

http://www.hardware.slashdot.org/article.pl?sid=08/01/10/1449228

http://www.schneier.com/blog/archives/2008/01/my_open_wireless.html#comments

OTHER NEWS: New! BlackBerry Professional Software Exclusively for Small and Medium Business!

In the September 2007 edition of the Niche Konsult newsletter, we spoke of BlackBerry’s three flavours, BlackBerry Enterprise Server (BES), BlackBerry Web Client (BWC) and BlackBerry Internet Server (BIS).

Now, that is stale news. Things have changed! Mike Lazaridis, President and Co-CEO of Research In Motion, recently announced the release of BlackBerry Professional Software.

BlackBerry Professional Software is targeted at smaller companies with a maximum of 30 users running Novell GroupWise, Microsoft Exchange Server or IBM Lotus Domino. It is a lot cheaper than its enterprise cousins and easier to install, yet has practically the same feature set.

With BlackBerry Professional Software, small and medium size businesses can stay connected on the go with mobile access to business data, wireless email and virtual real-time communications.

For More Information:

http://www.blackberry.com/select/professional/express.shtml?CPID=NLC-27  

OTHER NEWS: rIP - New Reverse IP Tool!

According to disfigure: “There is a new reverse IP tool located at http://crushmachine.com. The application takes a hostname or IP address as input and tries to return all the hosts running on that IP. See the FAQ at http://crushmachine.com/about.php.”

OTHER NEWS: Windows XP: Going! Going!! Going!!! Gone? Should It or Shouldn’t It?

Microsoft intends to retire Windows XP on June 30, 2008. However, not everyone is happy with that decision. As a matter of fact, Infoworld has even launched a website aimed at saving Windows XP from certain extinction. Those in favour of the continued existence of Windows XP are enjoined to sign a petition to that effect.

For More Information:

NEWS RELEASE:

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/01/14/02FE-save-xp-drive_1.html

PETITION WEBSITE:

www.SaveXP.com

OTHER NEWS: Divulging Encryption Keys, Law and Technology – The Delicate Balance

Section 24(2)(f) and Section 25(a) and (b) of the proposed Computer Security and Critical Information Infrastructure Protection Bill of 2005 read: An authorized officer of any law enforcement agency, upon reasonable suspicion that an offence has been committed or about to be committed by any person or body corporate, shall have the power to require any person in possession of encrypted data to provide access to any information necessary to decrypt such data; for the purposes of investigation and prosecution under the Act. Any person who willfully obstructs any law enforcement agency in the exercise of any power under this Act, or fails to comply with any lawful enquiry or requests made by any authorized officer of any law enforcement agency in accordance with the provisions of this Act commits an offence and shall be liable on conviction to a fine of not less than N500,000.00 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

In the light of the above, there is a legal case in America that cyber law practitioners and IT administrators in Nigeria should be closely watching. In that case, the Magistrate Judge held that forcing a suspect to enter a password into his computer would contravene the Fifth Amendment, amounting to self-incrimination. The suspect in the instant case had encrypted his laptop, and law enforcement is having a hard time getting access to the child porn believed to be housed therein.

The American government is obviously dissatisfied with the ruling and has appealed. Observers note that the case turns on which of two arguments is superior: is a password part of an individual's mind (to which the state has no right), or is it equivalent to the key to a safe (in which case the law has numerous precedents where these have been ordered to be handed over)?

Matters Arising? Is it proper for a suspect to testify against himself in Nigeria? How would a case with similar facts be decided in Nigeria? The answers to these questions will be treated in the next edition.

For More Information:

http://www.news.com/8301-13578-3-9834495-38.html?tag=nefd.blgs

http://yro.slashdot.org/article.pl?sid=07/12/15/1459243

volokh.com/posts/1197670606.shtml

http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663_pf.html

http://www.heise-security.co.uk/news/101935

OTHER NEWS: Avast! Antivirus Family welcomes three new members

Avast Software is proud to announce the general availability of three new products: avast! Mac Edition, avast! Windows Home Server Edition, and avast! Professional Family pack.

TIPS AND TRICKS: How to wipe personal data from cellphones and PCs

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9053959

TIPS AND TRICKS: Test drive Windows Server 2008, Visual Studio 2008 and SQL Server 2008

http://www.microsoft.com/heroeshappenhere/testdrive/windows-server-2008/default.mspx

TIPS AND TRICKS: Get Ready for Microsoft SQL Server 2008 Now

http://www.microsoft.com/sql/2008/default.mspx

TIPS AND TRICKS: Windows XP Short-cuts

Desk.cpl – Display properties

Ncpa.cpl – Network Connections folder

Powercfg.cpl – Power option properties

Sysdm.cpl – System properties dialog box

cmd.exe – Command Prompt

Perfmon.msc – Performance Monitor

Compmgmt.msc – Computer Management Console

hcp://system/netdiag/dglogs.htm – Network Diagnostics

hcp://system/sysinfolaunch.htm – Advanced System Diagnostics

Note: Next edition will cover Windows Vista Shortcuts

Wanted: Resellers

Niche Konsult is desirous of establishing resellers throughout Nigeria. If you would like to work with us, please drop us a line telling us you are the one we have been looking for.

OFFERS/PROMOTIONS: 20% off all Kaspersky Antivirus orders

Niche Konsult can provide 20% off all orders for any antivirus product from the Kaspersky stable, provided that such orders are received on or before close of work on January 31, 2008.

OFFERS/PROMOTIONS: GFI Promotion Extended to January 31, 2008

Fantastic reductions from GFI till December 31, 2007 on GFI FAXmaker, GFI MailEssentials, GFI MailSecurity, and the GFI MailEssentials/GFI MailSecurity bundle.

GFI FAXmaker 15% off – http://www.gfi.com/offers/q4offer.htm#fax

GFI MailEssentials 25% off – http://www.gfi.com/offers/q4offer.htm#me

GFI MailSecurity 50% off – http://www.gfi.com/offers/q4offer.htm#msec

GFI MailEssentials/GFI MailSecurity bundle 25% off – http://www.gfi.com/offers/q4offer.htm#suite

OFFERS/PROMOTIONS: Microsoft Branch Office Infrastructure Solution Enterprise Promotion Ends January 31, 2008

Products Included

Windows Server 2003 R2 Standard Edition,

Microsoft Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition,

Microsoft System Center Operations Manager 2007 Enterprise Edition,

Microsoft Systems Management Server (SMS) 2003 R2, and

Microsoft Virtual Server 2005

Microsoft Volume Licensing Programs and License Agreement Types

This promotion is available for the following Volume Licensing programs and license agreement types:

Open License: Corporate, Academic, and Government

Open Value: Corporate and Government

Select License: Corporate, Academic, and Government

Enterprise Agreement: Corporate and Government

Software Maintenance Options

Microsoft Software Assurance for Volume Licensing provides customers upgrades, new versions of software, and technical support. Software Assurance benefits vary with each Volume Licensing program. In addition, server licenses come with benefits that are different from those for desktop licenses.

Customer Eligibility Requirements

None

Discount

About 50% off the estimated retail price (prices may vary) of ISA Server 2006 Enterprise Edition licenses, 30% off the estimated retail price (prices may vary) of System Center Operations Manager 2007 Enterprise Edition server operations management licenses (OMLs), and 30% off the estimated retail price (prices may vary) of SMS 2003 R2 server configuration management licenses (CMLs) when acquiring the following packaged set:

10 licenses or licenses and Software Assurance for Windows Server 2003 R2 Standard Edition

10 licenses or licenses and Software Assurance for ISA Server 2006 Enterprise Edition

10 server OMLs or server OMLs and Software Assurance for System Center Operations Manager 2007 Enterprise Edition

10 server CMLs or server CMLs and Software Assurance for SMS 2003 R2

10 licenses or licenses and Software Assurance for Virtual Server 2005

OFFERS/PROMOTIONS: Microsoft Forefront Security for Exchange Server Promotion Ends January 31, 2008

Products Included:

Microsoft Forefront Security for Exchange Server

Microsoft Volume Licensing Programs and License Agreement Types:

This promotion is available for the following Volume Licensing programs and license agreement types:

Open Value: Corporate and Government

Select License: Corporate, Academic, and Government

Services Provider License Agreement (SPLA): Corporate and Academic

Software Maintenance Options

N/A

Customer Eligibility Requirements

Customers who are renewing an existing or signing a new Volume Licensing program agreement.

Discount

About 30% off the list price of per-user and per-device monthly subscriptions for Forefront Security for Exchange Server (prices may vary).

For more information, call 234 805 547 7646 or email: idara@nichekonsult.com

About Niche Konsult

Niche Konsult is an information technology security firm with expertise in content, messaging, network and web application security.

Niche Konsult provides software and solutions that help individuals, small and medium size businesses, large companies and governments optimize and secure their information technology infrastructure. For more information, please visit http://www.nichekonsult.com.

Having trouble viewing this Niche Konsult Newsletter? Visit http://www.nichekonsult.com/Newsletters/01_17_08.aspx  or copy it into your browser. If you no longer wish to receive these emails simply click on the following link: Remove Me.

To view previous editions, please visit http://www.nichekonsult.com/Newsletters/Newsletter.aspx

You're receiving this message because you've either subscribed to receive timely security news and product/company updates from Niche Konsult or have indicated interest in Niche Konsult partner solutions in the past.

Contributions

Have you got something to say? If yes, please feel free to submit your contributions to us.

Newsletter Reminder

We hope that you have found this issue to be informative and useful. Subscription is entirely free (although 'opt-in' only). Please feel free to pass this copy on to your friends and colleagues. If your friends or colleagues wish to receive the newsletter directly, they should simply send an email to: newsletter@nichekonsult.com with a title of 'Subscribe'.

Niche Konsult

43 Cotonou Crescent

Wuse Zone 6

Abuja

Tel: 234 805 547 7646, 234 9 5240555

© 2008 Niche Konsult. All rights reserved worldwide. Reproduction in whole or in part of any text, photograph or illustration without permission of the publisher is prohibited.

Contact Niche Konsult


PANDA SECURITY HEALTH-CHECK

PANDA SECURITY One step ahead. 23% of PCs with updated antivirus are infected ...is yours? Find out now for free!
