AOH :: ISNQ4316.HTM

WabiSabiLabi: A Really Bad Idea?




WabiSabiLabi: A Really Bad Idea?
WabiSabiLabi: A Really Bad Idea?



Forwarded with permission from: Security UPDATE 

Security UPDATE--WabiSabiLabi: A Really Bad Idea?--July 18, 2007


PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Keep Unsecured Machines Off Your Network
http://list.windowsitpro.com/t?ctl=5E7E0:57B62BBB09A692792C494A7CE886F240 

Reducing Costs and Risks of Data Protection
http://list.windowsitpro.com/t?ctl=5E7DD:57B62BBB09A692792C494A7CE886F240 

ALERT: "How A Hacker Launches A LDAP Injection Attack!"- White Paper 
http://list.windowsitpro.com/t?ctl=5E7E3:57B62BBB09A692792C494A7CE886F240 


=== CONTENTS ==================================================
IN FOCUS: WabiSabiLabi: A Really Bad Idea?

NEWS AND FEATURES
   - Survey Says Pay for Certifications Is Dropping, Except in Security
   - Google Adds Security to Its Hosted Application Offerings
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: Microsoft's Malware Removal Starter Kit
   - FAQ: Preparing Exchange Server 2007 For Active Directory
   - From the Forum: Problems with Symantec Anti-Virus Corp. 10.2
   - Share Your Security Tips
   - Microsoft Learning Paths for Security: Managing Network Security 
Challenges 

PRODUCTS
   - Wanted: Your Reviews of Products 

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: St. Bernard Software ========================================
Keep Unsecured Machines Off Your Network
   IT departments tend to spend a lot of time and energy on creating 
and managing firewall rules and router tables, yet overlooking a direct 
channel between the Internet and computers on the corporate network. 
Without any type of filtering solution in place - this connection is 
managed purely by the user. Do you trust your users enough to make the 
right decisions? Even if you believe that your users are capable of 
safely using the Internet, it really only takes one bad apple to ruin 
the lot by downloading a virus or viewing highly objectionable content. 
Here are five steps to build a world-class web filtering solution -- 
end-to-end.
http://list.windowsitpro.com/t?ctl=5E7E0:57B62BBB09A692792C494A7CE886F240 

=== IN FOCUS: WabiSabiLabi: A Really Bad Idea? ============   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

About a month ago, I wrote about a new twist in the world of 
vulnerability research in which Intellectual Weapons announced that 
it's offering to work with researchers to develop fixes for security 
vulnerabilities and then patent those fixes. The idea is to profit 
through the sale of patent rights or infringement case settlements. If 
you missed that column you can read it at the URL below:
http://list.windowsitpro.com/t?ctl=5E7E5:57B62BBB09A692792C494A7CE886F240 

By now you probably know that other companies, such as 3Com and 
iDefense, also have programs that pay researchers for vulnerability 
information. In those two programs, discoverers receive cash for their 
hard work, and 3Com and iDefense earn income too by selling the 
information to their network of customers in one fashion or another. 
 
This month yet another company, Switzerland-based WabiSabiLabi (at the 
URL below), entered the mix by offering an auction platform for 
vulnerabilities. Researchers submit their vulnerabilities for sale in 
one of four auction formats (traditional, dutch, buy now, and buy 
exclusively) and if the vulnerability sells, then the researcher earns 
money and WabiSabiLabi earns its cut too. 
http://list.windowsitpro.com/t?ctl=5E7F4:57B62BBB09A692792C494A7CE886F240 

Reaction to the auction has been mixed. Some people think it's an 
incredibly bad idea because there's no telling who might actually buy a 
vulnerability. Although WabiSabiLabi says that it will diligently work 
to verify the identity of a buyer, that's no real guarantee because a 
real bad guy could easily use a front man to do the buying. 

Furthermore, WabiSabiLabi leaves it up to the discoverer to inform any 
particular vendor affected by a vulnerability. This too is another 
cited bad aspect of the auction site. With this policy, WabiSabiLabi is 
basically standing behind "traditional Swiss neutrality", as it openly 
states. 

So far, WabiSabiLabi has four vulnerabilities posted for sale, one each 
for Yahoo! Instant Messenger, SquirrelMail GPG Plugin, Pidgin Instant 
Messenger, and the Linux kernel. As was pointed out by Montasano 
Security on its company blog, the nature of GPG problem can be 
discovered by anyone well-versed in PHP code analysis. And, someone 
already publicly posted an exploit for the Linux kernel problem. So 
half of WabiSabiLabi's auction items are already mostly worthless in 
terms of cash value. And the Linux kernel exploit clearly points out 
that WabiSabiLabi is already having a negative effect on overall system 
security around the globe. 

According to a statement in a company press release, "[WabiSabiLabi] 
decided to set up this portal for selling security research because 
although there are many researchers out there who discover 
vulnerabilities very few of them are able or willing to report it to 
the right people due to the fear of being exploited."


What I don't completely understand is why any company would willingly 
pay developers to write code and to put that code through some amount 
of quality assurance testing yet be totally unwilling to pay an 
outsider who found significant problems with that code ? especially 
security problems. A solution to this long-time standoff would be to 
form a new group whose member companies would be willing to pay anyone 
for vulnerability information as long as acceptable disclosure policies 
were maintained by the discoverers ? basically like 3Com and iDefense 
are already doing except with widespread vendor participation.

I do support the need for security researchers to be compensated for 
their hard work, and it's troubling that many vendors can't bring 
themselves to pay independent researchers. Nevertheless I don't see how 
WabiSabiLabi is an effective solution. It'll be interesting to watch 
over time to see if people continue to neutralize WabiSabiLabi by 
revealing the nature of the vulnerabilities that it tries to sell.

=== SPONSOR: Double-Take Software =======================================
Reducing Costs and Risks of Data Protection
   Get yourself up-to-speed on the latest data protection strategies 
for branch and remote offices including how to protect and recover 
customer databases, e-mail servers, and financial information that is 
critical to every company's day-to-day operation. Download this free 
whitepaper today! 
http://list.windowsitpro.com/t?ctl=5E7DD:57B62BBB09A692792C494A7CE886F240 

=== SECURITY NEWS AND FEATURES ================================
Survey Says Pay for Certifications Is Dropping, Except in Security
   New survey results show that the premium base pay for those having 
various certifications hasn't increased over the past six months, 
unless the certification was in the area of security.
http://list.windowsitpro.com/t?ctl=5E7EA:57B62BBB09A692792C494A7CE886F240 

Google Adds Security to Its Hosted Application Offerings
   Google took another leap forward, adding security to its hosted 
application offerings by entering into a deal to acquire email security 
firm Postini.
http://list.windowsitpro.com/t?ctl=5E7EB:57B62BBB09A692792C494A7CE886F240 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
http://list.windowsitpro.com/t?ctl=5E7E4:57B62BBB09A692792C494A7CE886F240 


=== SPONSOR: SPI Dynamics =======================================
ALERT: "How A Hacker Launches A LDAP Injection Attack!"- White Paper 
It's as simple as placing additional LDAP query commands into a Web 
form input box giving hackers complete access to all your backend 
systems! Firewalls and IDS will not stop such attacks because LDAP 
Injections are seen as valid data. Download this *FREE* white paper 
from SPI Dynamics for a complete guide to protection! 
http://list.windowsitpro.com/t?ctl=5E7E3:57B62BBB09A692792C494A7CE886F240 

=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: Microsoft's Malware Removal Starter Kit
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5E7F1:57B62BBB09A692792C494A7CE886F240 
Microsoft published a new toolkit to help small and medium businesses 
remove malware from infected systems.
http://list.windowsitpro.com/t?ctl=5E7DF:57B62BBB09A692792C494A7CE886F240 

FAQ: Preparing Exchange Server 2007 For Active Directory
by John Savill, http://list.windowsitpro.com/t?ctl=5E7EF:57B62BBB09A692792C494A7CE886F240 

Q: How do I manually prepare my AD forest and domain for Exchange Serve 
2007?

Find the answer at
http://list.windowsitpro.com/t?ctl=5E7EC:57B62BBB09A692792C494A7CE886F240 


FROM THE FORUM: Problems with Symantec Anti-Virus Corp. 10.2
   (Two messages in this thread)
A forum participant writes that anytime he tries to install anything on 
his server, including patches, upgrades, new programs, etc., the 
installation process causes the server to hang to the point that it 
becomes unresponsive and he then has to reboot the system. If he 
disables all of the Symantec services then installations work fine. He 
wants to know if anyone has ideas why this happens? 
http://list.windowsitpro.com/t?ctl=5E7DB:57B62BBB09A692792C494A7CE886F240 

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@securityprovip.com. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Managing Network Security 
Challenges 
http://list.windowsitpro.com/t?ctl=5E7ED:57B62BBB09A692792C494A7CE886F240 


=== PRODUCTS ==================================================
WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@windowsitpro.com and get a Best Buy gift certificate. 

=== RESOURCES AND EVENTS ======================================   For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=5E7EE:57B62BBB09A692792C494A7CE886F240 

Learn about a disaster-recovery and high-availability solution for 
conscientious IT professionals. Find out how WANsync works to protect 
data and how it can ensure the integrity of the application as well as 
the data. Download your free copy today!     
http://list.windowsitpro.com/t?ctl=5E7E2:57B62BBB09A692792C494A7CE886F240 

To achieve the secure mail and messaging infrastructure that's crucial 
to today's businesses, every organization needs to plan for three 
fundamental mail and message management services from the start. This 
eBook introduces those services--security, availability, and control 
services--and explains how you can implement them in a Microsoft-
centric email and messaging environment. Download now!      
http://list.windowsitpro.com/t?ctl=5E7DE:57B62BBB09A692792C494A7CE886F240 

Learn how high-speed data connectors for the new SQL Server Integration 
Services environment make plug-and-play with mainframe, legacy, 
Teradata, and other database systems a reality. ETI's new connectors 
are cost-effective drop-in solutions that provide best-of-breed 
bidirectional data movement. On-demand Web seminar.   
http://list.windowsitpro.com/t?ctl=5E7E1:57B62BBB09A692792C494A7CE886F240 

=== FEATURED WHITE PAPER ======================================
When customers depend on your IT services to communicate with you, 
purchase your products, or manage orders, what happens when your 
applications or Web sites become unavailable? Download this free white 
paper and learn how to eliminate application downtime disruptions and 
ensure the continuity of your business. 
http://list.windowsitpro.com/t?ctl=5E7DC:57B62BBB09A692792C494A7CE886F240 


=== ANNOUNCEMENTS =============================================
Windows IT Pro: Buy 1, Get 1With Windows IT Pro's real-life solutions, 
news, tips, tricks, AND access to over 10,000 articles online, 
subscribing is like hiring your very own team of Windows consultants. 
Subscribe now, and get 2 years for the price of 1!  
http://list.windowsitpro.com/t?ctl=5E7E6:57B62BBB09A692792C494A7CE886F240 

Got a Tough Exchange or Outlook Question?
Rely on Exchange & Outlook Pro VIP, the new online resource with in-
depth articles on administration, migration, security, and performance. 
Subscribers get direct access to our top-flight editors, so subscribe 
and receive personalized solutions to your toughest technical 
questions. It beats a support call to Microsoft!    
http://list.windowsitpro.com/t?ctl=5E7E7:57B62BBB09A692792C494A7CE886F240 

===============================================================
Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 
below).
http://list.windowsitpro.com/t?ctl=5E7F0:57B62BBB09A692792C494A7CE886F240 
http://list.windowsitpro.com/t?ctl=5E7F3:57B62BBB09A692792C494A7CE886F240 

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=5E7E9:57B62BBB09A692792C494A7CE886F240 

Be sure to add Security_UPDATE@list.windowsitpro.com 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- letters@windowsitpro.com 
About technical questions -- http://list.windowsitpro.com/t?ctl=5E7F2:57B62BBB09A692792C494A7CE886F240 
About your product news -- products@windowsitpro.com 
About your subscription -- windowsitproupdate@windowsitpro.com 
About sponsoring Security UPDATE -- salesopps@windowsitpro.com 

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=5E7E8:57B62BBB09A692792C494A7CE886F240 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com 

Site design & layout copyright © 1986-2014 CodeGods