Sunday, October 7, 2007

Hackers at Microsoft?! Now, wait a minute ...

Their existence is inarguable; it's the title that's weirding some folks out
For the record, there are hackers at Microsoft. Just don't call them hackers.

In August, a blogger using the handle "Techjunkie" started a Microsoft Developer Network blog called Hackers @ Microsoft that, he claimed, would introduce the world to some of the ethical "white hat" hackers working there.

White-hat hackers are security professionals who use many of the same techniques as the bad guys, but who learn how to break into systems for research purposes only. "The focus of this blog is likely to be a little different from most other blogs you'll see on," Techjunkie wrote.

Then he went silent for a month and a half.

Late Thursday, however, Techjunkie resurfaced, saying that he was dropping the Hackers @ Microsoft name. "There were some concerns raised that the average blog reading audience may not be able to discern the difference, and we may inadvertently associate Microsoft with the negative connotations of the word 'hacker' that is out there," he wrote.

Techjunkie didn't say whether the decision to drop the name came from Microsoft Corp.'s marketing department, but if it did, he's found a way to get even. "To alleviate that concern, I've changed the name of the blog to '%41%43%45%20%54%65%61%6d'," he wrote.

"%41%43%45%20%54%65%61%6d" may not be as memorable as Hackers @ Microsoft, but it does mean something. It is code for "ACE Team," a reference to Microsoft's Application Consulting & Engineering Team, which does performance, security and privacy development work at Microsoft. They have a blog too.

Microsoft's PR agency said Friday that Techjunkie is, in fact, Ahmad Mahdi, a manager with the ACE Team. The %41%43%45%20%54%65%61%6d name was chosen to "better reflect the intent of the blog, its posts and content, as well as the work conducted by security researchers at Microsoft," a spokeswoman said via email.

Microsoft has talked frequently about its growing use of ethical hackers to test its products for bugs. The software vendor even invites them onsite twice a year for its Blue Hat security conference.

Techjunkie followed up his Thursday evening post explaining the name change with a generic blog item on the need for security processes when developing software.

The debate over the term "hacker" is long running and bitter. Originally used to denote someone creative who enjoyed building new things with computers, the term has also come to mean computer attacker in popular culture, much to the dismay of the white hats.

One security professional who also maintains a hacking blog said he understood why Microsoft may have wanted to drop the name. "Unfortunately, I think there's a bit of a stigma associated with the word hacker," said Robert Hansen, CEO of security consultancy SecTheory LLC and also the man behind the Web site.

Though Hansen considers himself a hacker, he says that he sometimes downplays this fact in business situations. "There are definitely times at which I use the persona more than I use the SecTheory persona," he said. "Some people aren't comfortable with the concept."

(According to ComputerWorld)

Microsoft offers IE7 to all, pirates included

Browser download in XP no longer requires a WGA check
Users running pirated or counterfeit copies of Windows XP or Windows Server 2003 can now download Internet Explorer 7, Microsoft announced yesterday.

From the moment it released IE7 almost a year ago, Microsoft has restricted the browser to users who can prove they own a legitimate copy of the operating system. Before Microsoft allows the browser to download, it runs the user's PC through a Windows Genuine Advantage (WGA) validation test, a prime part of XP's antipiracy software.

When it instituted the requirement in 2006, Microsoft said access to IE7 was one of the rewards for being legal. It changed its mind yesterday, saying the move is in users' best interest.

"Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we're updating the IE7 installation experience to make it available as broadly as possible to all Windows users," said Steve Reynolds, an IE program manager in a posting to a Microsoft company blog. "With today's 'Installation and Availability Update,' Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users."

Microsoft has consistently touted IE7 as a more secure browser, and post-launch patch counts back that up. In the past 11 months, IE6 for Windows XP SP2 has been patched for 22 vulnerabilities, 20 of them rated critical. IE7 for XP SP2, however, has been patched only 13 times; 10 of those fixes were ranked critical. In fact, when Microsoft announced that IE7 would not be offered to users running illegal copies of XP, some analysts questioned the company's commitment to security.

This is the first time that Microsoft has removed a WGA check for a major product. Among those that still require validation are Windows Defender, the company's antispyware software, and Windows Media Player 11.

Several people who left comments on Reynolds' post wondered if there's more to the decision than meets the eye. "I am guessing that this is in reaction to Firefox's growing market share," said someone identified as Dileepa. "I am not surprised at this at all."

Mozilla Corp.'s Firefox has gained some ground on Internet Explorer since IE7's launch. According to Net Applications, a Web metrics company, Firefox's share is up by about two percentage points since October 2006, while IE's total -- IE6 and IE7 combined -- slipped by more than three points.

IE7's uptake was dramatic late last year, when it went from about a 3% share in October to 18% in December, but growth has slowed. Since April, for instance, it has increased its share by four percentage points, almost all of it at the expense of the older IE6.

The IE7 update also sports a few tweaks: The menu bar is now visible by default, for example, and a new administration kit that includes a revamped MSI installer is available to smooth corporate deployment.

Users can download IE7 from Microsoft's site immediately or wait for it to appear in Windows Update as a high-priority item. It will take several months for Windows Update to roll out IE7 to all XP customers, and anyone dissatisfied with the new browser can downgrade to IE6 by using the Add/Remove Programs control panel applet.

A blocking tool kit is still available for companies and organizations that don't use Windows Server Update Services and want to permanently prevent IE7 from automatically installing on PCs equipped with IE6.


Friday, October 5, 2007

UC Berkeley offers free course lectures on YouTube

The University of California at Berkeley took a dive into the Web 2.0 world with Wednesday's launch of a program that offers entire course lectures and special events on YouTube to all Internet users without charge.

Users can view more than 300 hours of videotaped courses on topics that include bioengineering, peace and conflict studies, and physics, the university said. Moving forward, Berkeley said that it will constantly expand its catalogue of YouTube videos.

"UC Berkeley on YouTube will provide a public window into university life - academics, events and athletics - which will build on our rich tradition of open educational content for the larger community," said Christina Maslach, UC Berkeley's vice provost for undergraduate education, in a statement.

Berkeley said that it is the first university to offer lectures on the YouTube site. However, it noted that it has used open-source video since 2001, when the campus's Educational Technology Services division launched, a local site that now provides course and event content via podcasts and streaming video.

The university noted that the number of courses available by podcast has increased from 15 to 86 since that program was launched in April 2006.

Dan Herman, an analyst at research firm New Paradigm, blogged that while the university's YouTube project and previous podcasting efforts don't "allow for the engagement that makes academia what it is, it's a heck of an improvement over readings lists, course notes and audio recordings."

In addition, Herman noted that such programs could help improve access to post-secondary education in developing countries where budgets are focused on primary education.


Sun patches critical Java bugs

Sun Microsystems Inc. patched 11 vulnerabilities in the Windows, Linux and Solaris versions of its Java Runtime Environment and Java Web Start yesterday, including several rated critical by outside researchers.

The fixes to Java Runtime Environment (JRE) 1.3.1, 1.4.2, 5.0 and 6.0 plug holes that attackers could use to bypass security restrictions, manipulate data, disclose sensitive information or compromise an unpatched machine. Among the JRE bugs, Sun said in several security advisories, are two that allow attack code from malicious sites to make network connections on machines other than the victimized computer. One possible result, according to a paper by several Stanford University researchers that was cited by Sun: circumvented firewalls.

Other vulnerabilities in JRE and Java Web Start, a framework that lets Java-based applications launch directly from a browser, could be used by attackers to read local files, overwrite local files and hide Java-generated warnings.

Although Sun does not assign threat scores or label its advisories with terms such as "critical" or "low," Danish bug tracking vendor Secunia collectively tagged the five advisories and their 11 patches as "highly critical," its second-highest ranking.

Some of the vulnerabilities are limited to specific JRE versions, but pulling action items from the advisories is difficult since Sun does not use an easy-to-understand grid, as Microsoft does, to indicate affected software. Neither JRE nor Web Start includes an automatic update mechanism; users must manually download and apply the updated versions Sun has posted on its Web site.

Mention of Mac OS X was, as usual, absent in the security advisories. Sun does not post updated editions of JRE and other Java components for the Mac operating system. Instead, Apple Inc.'s implementation of Java requires that the company provide Java fixes as part of its own security updates. That's been a sticking point with some Mac users, who have expressed concern that Apple has not updated its Java code since February.


Wednesday, October 3, 2007

Web 2.0, social networking can endanger corporate security

With the Web becoming central to the way companies do business, cybercriminals are taking increasing advantage of Web 2.0 and social networking sites to launch attacks, according to IDC analyst Christian Christiansen.

The Web isn't the benign resource for information that people once saw it as, said Christiansen, who spoke today at Kaspersky Lab Inc.'s Surviving CyberCrime conference in Waltham, Mass. "One of the things that's happened that's disconcerting -- and it's been growing over the last 10 years -- is the blending of people's private lives with their corporate lives," he said.

Employees' personal lives -- their online shopping habits and interactions with friends and families -- get intermingled with the interactions they have at work with customers, fellow employees, partners and suppliers, he said. "So that creates a perforated perimeter where there isn't a hard, fast separation between the corporate world and the personal world," he said.

The problem is that employees don't always follow their companies' security policies -- probably because they don't know what those policies are, just as they don't know what their companies' acceptable use policies are. The result: employees don't know what's allowed and what they're barred from doing. Sometimes, Christiansen said, the very people who set up the corporate policies don't even follow them.

Problems also occur when an IT department no longer controls the products being connected to the corporate network. That list could include everything from smart phones to new and untested laptop and desktop computers to various application environments, he said.

"We're seeing the realization that the internal security problem is growing -- the threats are coming from inside the network," he said.

The latest threats to network security now are coming from collaboration and Web 2.0 environments -- where employees casually click on links that could lead them to malware. And they're coming from the wide variety of devices that may be accessing private as well as corporate networks, he said.

"We're seeing a change in the threat environment," he said. "Instead of the threats -- the malicious code -- being distributed as e-mail attachments, we're seeing more and more that they're being embedded in Web 2.0 links," he said. "In the past, what you saw was an immediate effect. Now we're seeing much greater levels of subterfuge and much more sophisticated attacks."

To better avoid potential problems, IT departments need to control user behavior, the types of devices being used to access information, the applications being used and content contributions.

"Risk reduction requires policy managements and layered protection -- at the gateway to the Internet as well as at the endpoint [desktops, laptops and servers]," he said. "You need a whole series of checks and balances."

(Computer World)

Microsoft launches enterprise 'get legal' program

Microsoft Corp. amped up its antipiracy campaign today, adding a program that targets large customers that need to "get legal" after being fingered for using counterfeit or illegally-applied volume licenses.

The program, dubbed Get Genuine Windows Agreement (GGWA), plugs a hole in the company's antipiracy efforts, said Cori Hartje, the director of Microsoft's 18-month-old initiative to identify phony copies of Windows or instances of unlicensed use of the software.

"This fills in the entire picture," said Hartje. "Consumers who had been identified as running a counterfeit [version of] Windows could simply push a button and have the purchase made right then. But we didn't have a good way to programmatically address the same for larger-scale customers, particularly through the [reseller] channel."

GGWA uses Microsoft's standard volume licensing -- and therefore is designed for organizations that generally acquire the company's software through that venue -- to sell full licenses of Windows XP Professional. Most customers looking to get legal using GGWA would go through their existing channel reseller, Hartje said.

"We also wanted something like this as a turnkey for the channel," she said. "This way, resellers will be able to offer [their customers] Microsoft financing, for example, as well as other services, such as Software Assurance."

Hartje said she expects that most organizations using GGWA would do so not because they find counterfeit copies of Windows on OEM-sourced PCs, but because they have "mislicensed" systems. "After an internal review, a company may find it has, for example, 2,000 machines that it got 'naked.' And they need a way to address that."

In "mislicensing," Hartje explained, a customer misunderstands the licensing rules. They think they can purchase "naked" computers -- PCs sans operating system -- and then apply their volume licensing agreements to load Windows. "The regular volume licensing agreements like the Select Agreement or Enterprise Agreement have upgrades available for purchase, so there must be an eligible licensed copy of the Windows software already on the machine to be able to use the upgrade available in those programs."

Other companies might find they're running a large number of illegal machines if they misuse a volume licensing key or let it leak. When it identifies a leaked key, Microsoft invalidates it; subsequent activations of Windows (or, in Vista and the upcoming Windows Server 2008, the regular checks of Windows legitimacy) would then finger those PCs as noncompliant.

"We needed to have options for our business customers so that it was easy to get full Windows licenses, to help customers who found themselves in an unlicensed situation," said Hartje.

GGWA is in addition to the still-available Get Genuine Kit (GGK) packages, which contain one or 10 XP Pro licenses, but it comes with several new provisions that strip away the anonymity of GGK. According to information posted on Microsoft's site, GGWA requires customers to sign a legalization agreement and make a commitment to legalize all out-of-compliance PCs. The legalization agreement also contains what Microsoft describes as an "audit clause." Microsoft officials were not able to immediately confirm this, but the clause would presumably be similar to the one in an Open Value volume licensing agreement. Open Value's audit clause lets Microsoft request an internal audit of all Microsoft software used in an organization.

"Enterprises who want anonymity can still purchase the Get Genuine Kit," said Hartje, "though that's cumbersome in large volume, with the packs showing up on the loading dock and having to be opened."

The new program offers Windows XP Professional licenses rather than Vista licenses, she added, because XP Professional is what's in widespread use. "XP is where we have the gap. It has a large installed base, and that's where [companies] are discovering [noncompliant] PCs."

In other words, stocking GGWA with Windows XP is not an admission that Vista isn't selling well to corporate customers. "Most people are now buying new PCs that come with Vista," she said. "And so they don't need to get another license."

(Computer World)

Could Adobe be vulnerable to an AIR attack?

Adobe Systems Inc.'s moves to support rich Internet applications are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.

"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group Inc. in Port Washington, N.Y.

For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.

And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta Adobe Integrated Runtime (AIR) software.

The AIR framework enables Web applications built with HTML or Asynchronous JavaScript and XML (AJAX) to run offline. The problem, though, is that doing so exposes users of AIR-based applications to many of the same security issues that other users face, if not more of them, according to Ron Schmelzer, an analyst at ZapThink LLC in Waltham, Mass.

"The current generation of spyware, virus and malware [detection] products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."

John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.


Thursday, September 27, 2007

Video security networks: IT's newest frontier

You may think you have security locked up. But unless you've brought video surveillance and building access control networks under the IT umbrella, you've still got some work to do.

"People still think of physical and information security as two separate entities. But to completely manage risk and identity you have to bring all the pieces of security together. It doesn't matter if you're talking people, products, data or data systems -- they're all assets that have to be protected," says Marene Allison, vice president of global security at Medco Health Solutions Inc. in Franklin Lakes, N.J.

Allison signed on at Medco three years ago to create a converged security application for the Fortune 50 pharmacy benefit company. With HIPAA, Sarbanes-Oxley, the Payment Card Industry Act and other mandates to comply with, she says the walls between physical and information security have come tumbling down and IT executives now are responsible for all aspects of data security. "Physical security is just one more peel of the onion skin that has to be dealt with, like firewalls and intrusion detection," she says.

In addition, she says video surveillance networks and access control are becoming more advanced and can ride on the IP network.

Moving video surveillance and access control, such as closed circuit television (CCTV) and building entry card readers, onto IT platforms leads to reduced costs and fewer management headaches for both IT and physical security teams.

To capitalize on the possibilities, Allison merged her physical security unit with the IT security team to take advantage of each group's knowledge base. She cross-trained the teams to learn each other's security approach. Her team also upgraded the CCTV and access control technology into a single, cohesive IP-based business intelligence network using Dallas-based TAC's integrated security systems.

"We use the CCTV in conjunction with alerting methodology and more traditional IT intrusion detection to know who is touching data and data systems when," she says. By integrating her video surveillance and network access control systems with her IP network, the unified security team can now set policies that dictate how long a building door should stay open.

Real-time video

If they receive an alert that an entryway has stayed open too long, they can call up real-time video, stored video and access control information right from their desktops. In the past, they would have had to wait for the physical team to notice an anomaly in its building access reports and then search through an analog videotape to find the culprit.

"This definitely narrows the window on solving security problems," Allison says. It also helps her prove a safe chain of command for data control, which many federal and private sector mandates require.

While Medco's approach might be cutting edge to some, a January 2007 IDC report finds a worldwide shift from analog surveillance cameras to digital network cameras. "In 2008, analog cameras will occupy 75% of the total market, yet as more usage of the network occurs for more than simple data transmission, we expect the network share to take off in 2009 and 2010," IDC says. In fact, the research firm predicts that global shipments of network cameras will increase at a five-year compound annual growth rate of 63%, moving from 540,817 in 2006 to 6.2 million in 2011.

IDC calls the use of the corporate network as a means to facilitate surveillance, security and monitoring "a natural extension of [network] capital expenditure."

Network cameras definitely offer advantages over analog cameras that transfer black-and-white images over coaxial cables to proprietary recorders with magnetic tapes. Companies then log the tapes and store them for certain periods of time before erasing and reusing them -- all of which consume human and monetary resources.


Tuesday, September 25, 2007

Lawsuit charging GPL violation is first ever

In what may be the first action of its kind in the U.S., the Software Freedom Law Center has filed a lawsuit to enforce an open-source license.

The SFLC filed the suit on Wednesday in the United States District Court for the Southern District of New York against Monsoon Multimedia Inc., on behalf of the developers of BusyBox, Erik Andersen and Rob Landley. The suit charges Monsoon with using BusyBox under the GNU General Public License version 2 but failing to publish its source code. Under the terms of the license, distributors of software that uses the licensed software must make their source code available. Failing to do so is considered copyright infringement.

BusyBox, members of the public and the SFLC legal team notified Monsoon of its responsibilities, but Monsoon has not yet published the code, said Dan Ravicher, legal director at SFLC. While it's relatively common for licensees to neglect to share their code, parties typically work through the issue without having to go to court, he said.

This case is a last resort after Monsoon failed to rectify the situation, he said. The suit is necessary because from a legal perspective, copyright owners can start to lose rights if they don't act to protect them, he said.

BusyBox is a lightweight set of Unix utilities used in embedded systems. Monsoon develops digital video products, including a Slingbox-like device that enables remote TV viewing.

If BusyBox ultimately prevails in the case, under copyright law the company is entitled to damages, an injunction prohibiting continued infringement and court costs, Ravicher said.

He believes this is the first case filed in the U.S. in order to enforce an open-source license.

The GPL Violations Project is a group that actively pursues license violators and has brought at least one case to court in Germany. Earlier this year, one of the project's team members publicly revealed violations that Cisco Systems Inc. made in its phone previously called the iPhone. Cisco subsequently corrected the problem.

Monsoon did not reply to a request for comment.

The IDG News Service is a Network World affiliate.


Vista Backlash: Microsoft Quietly Lets Vista Users Revert to XP

Hate Vista? If your PC is running Microsoft Windows Vista Business or Windows Vista Ultimate and you're fed up with the OS, you may be able to ditch Vista for XP Pro. Microsoft is quietly allowing you to downgrade to Windows XP Pro.

Dell, Hewlett-Packard, and Lenovo are just a few of the system manufacturers offering downgrades. Each of these PC makers offers, on request, an XP Pro recovery disc that can be used to revert a Vista machine to XP Pro.

Dell, HP, and Lenovo customers can request a Windows XP Pro recovery disc to be included with their purchase of a Vista machine, should they want to revert in the future. Customers who have already purchased a Vista PC can request an XP Pro recovery CD for between $15 and $20 by calling technical support.

Different Policies for Different Vendors

A Lenovo Website for downgrading to XP Pro states: "For a limited time only Lenovo customers that have Windows Vista Business or Ultimate installed on their machines will have the chance to purchase a Windows XP Recovery CD."

Dell small business sales told me if I purchased a system with either the Vista Business or Ultimate operating system I could pay an extra $20 to have XP Pro recovery discs shipped with the machine. Dell told me I wouldn't need an extra Windows license for the XP Pro software.

HP business sales staff described a near identical downgrade plan, except for the fact that the XP Pro recovery discs would not include a license to activate the OS.

The desire to revert to XP Pro from Vista is a business trend, not a consumer trend, says Chris Swenson, director, software industry analysis, for market research firm NPD Group.

"Retail consumers are not requesting to go back to XP," Swenson says. Businesses are more sensitive to upgrades because Vista requires a more robust computer to run programs at peak performance. Vista requires better graphics and more memory than XP, forcing companies to spend more on systems, he says.

Additionally, some customers and businesses have complained about Vista's lack of support for software and hardware designed originally for XP.