Resources
Bit9's newsletter for February 28, 2007
Microsoft: Vista's UAC Not Built for Security
Mark Russinovich, a Technical Fellow in Microsoft's Platform and Services Division, described in his blog how "Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL [integrity level] wall for application compatibility and ease of use." What this means is there are ways to get around the protection offered by UAC – and Microsoft does not consider them security bugs.
Russinovich’s posting was in response to an analysis of UAC by hacker Joanna Rutkowska, of Blue Pill fame. In her blog, she referred to the Vista security model as a "big joke." Due to the evolving nature of malware, "If Microsoft won’t change their attitude soon, then in a couple of months the security of Vista (from the typical malware’s point of view) will be equal to the security of current XP systems (which means, not too impressive)."
Neighborhood Watch on the Information Superhighway
It’s nice to have a powerful friend in your corner. StopBadware.org is a non-profit organization led by groups within Harvard Law School and Oxford University, with the support of companies including Google, Lenovo, and Sun Microsystems. They aim to put badware developers on notice by defining what badware is, spotlighting the worst offenders, and offering legal, policy, and technical analysis to the public.
The organization is having an impact, working with the FTC to identify and shut down badware providers such as Team Taylor Made and FastMP3Search.com.ar. Find out more about how you can help.
Disaster Stories from the ePolicy Institute
Does your company have a written policy for electronic communication and commerce? Is it enforced? You may not be surprised to learn that many employees simply don’t know what is considered acceptable usage when operating online. That’s why creating meaningful policies that can be both effectively communicated and easily enforced is critical to mitigate a variety of risks and liabilities.
Here are some interesting disaster stories from the ePolicy Institute showing what can happen when online activities get out of control.
Computer Viruses Can Spread by Voice
The SANS Institute recently reported an innovative vulnerability in Windows Vista, involving the operating system’s speech recognition capabilities. A virus could conceivably be downloaded simply by playing a sound file. How does this work? The sound file could include spoken instructions that would be picked up by the speech recognition engine and executed. These instructions could, for example, open a browser, direct it to a malicious website, and cause the browser to download malware and execute it.
Of course, a system’s exposure to this type of attack is dependent on a number of conditions, as described in this Microsoft blog entry. Still, this is a fascinating example of how seemingly benign technology can be manipulated into an attack.
February's eBook is Now Available
"Windows Server 2003 Group Policies" from Microsoft Windows Server 2003 Unleashed by Morimoto, Gardinier, Noel, and Droubi
Download your eBook today.
Group policies are used to deliver a standard set of security, controls, rules, and options to a user. In addition, they can be used to configure everything from login scripts and folder redirection to disabling Active Desktop and preventing users from installing software on their workstations. This month's eBook will guide you through some of the more advanced Group Policy tasks.

