Security Fixes to Be Patented


Forwarded with permission from: Security UPDATE 


ALERT: "How a Hacker Launches a SQL Injection Attack!" White Paper 

CIPA--Keeping Students Safe on the Net 

Managing Risk Through Security 

=== CONTENTS ==================================================
IN FOCUS: Security Fixes to Be Patented 

   - Solution to IIS Security Bug Is to Upgrade?
   - Google's Data Mining Reveals Web Server Security Trends
   - Watchfire to Become Part of IBM
   - Recent Security Vulnerabilities

   - Security Matters Blog: It All Started 30 Years Ago; Microsoft Releases 6 Security Bulletins for June
   - FAQ: Vista's Symbolic Link Capabilities
   - From the Forum: How to Block an IP Address in Windows 2003
   - Share Your Security Tips

   - Wireless Intrusion Prevention in Service Form
   - Product Evaluations from the Real World




=== SPONSOR: SPI Dynamics =====================================
ALERT: "How a Hacker Launches a SQL Injection Attack!" White Paper 
   It's as simple as placing additional SQL commands into a Web Form 
input box giving hackers complete access to all your backend systems! 
Firewalls and IDS will not stop such attacks because SQL Injections are 
NOT seen as intruders. Download this *FREE* white paper from SPI 
Dynamics for a complete guide to protection! 

=== IN FOCUS: Security Fixes to Be Patented ===================
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Finding security vulnerabilities can sometimes be a tough, thankless 
job. But that might be about to change when people start patenting 
security fixes. 

Researchers spend untold amounts of time finding vulnerabilities, and 
in the somewhat distant past, there was no reward for that effort other 
than a possible public acknowledgment from the vendor whose product 
contained the vulnerability and the satisfaction of knowing that yet 
another security hole was closed, which benefits everyone who uses the 

Then came companies such as 3Com and iDefense, which began paying for 
vulnerability information. Discoverers receive cash for their hard 
work, and 3Com and iDefense earn income too by selling the information 
to their network of customers in one fashion or another. 

Now, yet another dimension is about to be added to the mix. In the 
latest evolution of vulnerability discovery, a company called 
Intellectual Weapons is offering to work with researchers to develop 
fixes for security vulnerabilities and then patent those fixes. 

Intellectual Weapons would then be in a position to license or sell the 
patent to vendors that need it. Of course, marketing a patent also 
requires aggressive enforcement of the patent, and the company says it 
does expect "major battles," which might occur when someone else 
discovers the same vulnerability or when a vendor designs around the 
intellectual property in the patent. 

The company says that it would give the discoverer 50 percent of any 
income generated by the patent. So how much does Intellectual Weapons 
intend to charge a vendor for some form of rights to the patents it 
obtains? According to a published FAQ, "The vendor [will be] asked to 
pay something close to the true value of the vulnerability, i.e. the 
cost to them if it goes unchecked." Exactly how that cost will be 
measured remains to be seen. 

In developing this concept into a business, Intellectual Weapons 
obviously saw gigantic dollar signs. The company cites numerous 
instances in which small companies have gained millions of dollars 
through patent infringement litigation. For example, according to 
Intellectual Weapons, Eolas won $520 million and Stac Electronics won 
$120 million from Microsoft. 

Clearly, there is big money to be made through patenting inventions, 
and I suspect that money is Intellectual Weapons' primary motive. I 
think the company name speaks pretty loudly. I also think that what the 
company is doing might change the patent process to some extent, if 
only to set some significant legal precedents over time. Furthermore, 
it could instigate other companies who routinely provide temporary 
third-party fixes to patent their methodology too, or even cause such 
companies to stop providing such fixes. Overall, something about this 
entire idea bothers me. 

To read more about Intellectual Weapons' proposed plan of operation 
visit the URL below. 

What's your opinion on this plan? Post your comments with this article 

Or post your thoughts on the Security Forum at 

=== SPONSOR: Cyberoam =========================================
CIPA--Keeping Students Safe on the Net
   Protecting students from the millions of sites that house 
pornography, adult chat rooms, violence & hacking can provide not just 
a safe surfing atmosphere to minors in schools and libraries, but also 
qualify the institutions for federal E-rate funding through CIPA 

=== SECURITY NEWS AND FEATURES ================================
Solution to IIS Security Bug Is to Upgrade?
   An authentication bug in Microsoft IIS 5.x surfaced last December, 
and recently Microsoft said that the fix is to upgrade to IIS 6.0. 

Google's Data Mining Reveals Web Server Security Trends
   Google recently launched its Online Security Blog, in which new 
information reveals which server platforms host the most malware, 
including drive-by downloads. 

Watchfire to Become Part of IBM
   IBM announced its intention to acquire privately held security and 
compliance testing company Watchfire. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: Neverfail ========================================
Managing Risk Through Security
   Every business faces risk. Have you properly assessed your company's 
risk and put a focus on business continuity? Attend this free Web 
seminar and learn how you can ensure seamless recovery of your key 
systems and keep your users continuously connected. On-demand Web 

=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: It All Started 30 Years Ago; Microsoft Releases 
6 Security Bulletins for June
by Mark Joseph Edwards, 

Who would have guessed that events in the summer of 1977 would lead us 
to where we are today? For some interesting history and nostalgia about 
Apple plus information about Microsoft's latest security bulletin 
release, go to 

FAQ: Vista's Symbolic Link Capabilities
by John Savill, 

Q: How do I create symbolic links in Windows Vista?

Find the answer at 

FROM THE FORUM: How to Block an IP Address in Windows 2003
   A forum participant has a VoIP switch hosted in the US. An intruder 
repeatedly tried to access all his SIP accounts one by one, so he 
changed the passwords to keep the intruder out, but the intruder kept 
coming back. The intruder's IP address was known, so the forum 
participant blocked it in Microsoft IIS. He wants to know how he can 
block the IP address in Windows Server 2003 to help prevent other 
possible types of access by the intruder. Join the discussion at 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ==================================================
   by Renee Munshi, 

Wireless Intrusion Prevention in Service Form
   VeriSign and AirMagnet launched VeriSign Wireless Intrusion 
Prevention Service (IPS), which uses AirMagnet's Enterprise solution to 
shield corporate wireless networks from theft and other security 
threats. By combining AirMagnet technology with VeriSign Teraguard, 
companies can integrate IPS for both wireless and wired networks. 
VeriSign designs and deploys the wireless IPS devices and then monitors 
them 24x7. VeriSign Wireless IPS is a new offering in VeriSign's 
Managed Security Services portfolio. For more information, go to 

   Share your product experience with your peers. Have you discovered a 
great product that saves you time and money? Do you use something you 
wouldn't wish on anyone? Tell the world! If we publish your opinion, 
we'll send you a Best Buy gift card! Send information about a product 
you use and whether it helps or hinders you to 

=== RESOURCES AND EVENTS ======================================
   For more security-related resources, visit 

Join Paul Robichaux as he presents a checklist you can use to help 
guide your Exchange 2000/2003/2007 disaster recovery planning. Learn 
what you should do first, last, and in between to solidify your 
Exchange infrastructure and be assured of a successful disaster 
recovery operation. On-demand Web seminar 

IT Pro Connections in Amsterdam, 19-20 June 2007, offers the deepest, 
most relevant education for Microsoft IT professionals. The real-world 
experience of expert presenters will help you prepare for the newest 
technologies and products. Insider details help you make sense of new 
technologies, learn how to apply them to your environment, and master 
them quickly and effectively. Immerse yourself in PowerShell, Exchange 
Server 2007, Vista, Windows Server 2008, SharePoint Server, Live 
Communications Server, the System Center family, XP, Forefront, and 
more, with experts from Microsoft and world-renowned subject matter 
experts! Post-conference workshops 21 June 2007. 

Learn how to achieve ROI with your log management system in a matter of 
months without costly or complex investments. This Web seminar explains 
how to ensure that your organization gets the most out of its log 
management investment, the key requirements and architectural 
differences you need to consider, and the caveats and risks to watch 
for when you spec out your requirements and design. 

Disaster recovery isn't just theory for most businesses--it's a harsh 
business reality. Improve your own disaster recovery efforts today and 
learn from real-life disaster survivors. Make sure that your plan is 
ready before a disaster strikes--download this free white paper today! 

=== FEATURED WHITE PAPER ======================================
This paper begins with a brief review of the difference between high 
availability and disaster recovery, then describes the related features 
of Exchange 2007 with an eye toward how they map to specific types of 
failures and outages. Finally, it examines a solution that delivers 
additional value beyond what Microsoft offers in Exchange 2007. 

=== ANNOUNCEMENTS =============================================
Introducing a Unique Exchange and Outlook Resource 
   Exchange & Outlook Pro VIP is an online information center that 
delivers new articles every week on messaging topics such as 
administration, migration, security, and performance. Subscribers also 
receive tips, cautionary advice, direct access to our editors, and a 
host of other benefits! Order now at an exclusive charter rate and save 
up to $50! 

Special Invitation for VIP Access 
   Become a VIP subscriber and get continuous, inside access to ALL the 
content published in Windows IT Pro, SQL Server Magazine, Exchange & 
Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe 

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's 
premier technical event for ICT security experts. Featuring 30 hands-on 
training courses and 90 Briefings presentations with lots of new 
content and new tools. Network with 4,000 delegates from 70 nations. 
Visit product displays by 30 top sponsors in a relaxed setting. Rates 
increase on June 1 so register today. 
