[ISN] Security UPDATE -- Reading EULAs Can Help Prevent Spyware Infiltration -- September 28, 2005
InfoSec News
isn at c4i.org
Thu Sep 29 00:27:16 EDT 2005
====================
1. In Focus: Reading EULAs Can Help Prevent Spyware Infiltration

2. Security News and Features
   - Recent Security Vulnerabilities
   - Microsoft Boosts Its Ability to Provide End-to-End PKI Solutions
   - New Microsoft Tool Locks Down Shared XP Systems

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Control Endpoint Media Devices
====================
==== 1. In Focus: Reading EULAs Can Help Prevent Spyware Infiltration ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Does anybody (except lawyers) really like reading End User License
Agreements (EULAs)? For that matter, does anybody like reading privacy
statements? I doubt it. But it's something we all should do because if
we don't, we can eventually wind up with all kinds of spyware on our
networks that could lead to serious problems.

For example, you might download a slick-looking desktop tool, click to
accept the EULA without reading it, then later find out that the tool
has been recording all your Web and email activity and sending that
information to someone's data collection center. In another scenario,
you might install the latest IM and chat tool. If you don't read the
privacy policy, you might not know that the company providing the tool
reserves the right to track who you contact, how often you transfer
data, and more.

That's just the tip of the iceberg. In fact, poorly written EULAs and
privacy statements, along with people's unwillingness to read them
carefully, have spawned an entire multimillion- (if not billion-)
dollar industry that now focuses exclusively on the elimination of
spyware.

When surfing the Web last week, I came across an interesting story at
Techdirt that points out just how lackadaisical people can be when it
comes to reading EULAs. Techdirt pointed out an experiment conducted by
PC Pitstop (at the URL below). The company embedded in one of its EULAs
an offer of $1000 to the first person who simply asked for it! More
than 3000 people downloaded the software before somebody actually asked
for the check!
http://list.windowsitpro.com/t?ctl=14B63:4FB69

A few weeks ago, I learned about a new tool, EULAlyzer from Javacool
Software (at the URL below), which as the name implies is designed to
help you analyze EULAs to look for areas that might need extra
attention. It works by scanning for keywords. It then links to areas
that contain those keywords so that you can review those spots. I
tested EULAlyzer on a EULA and found that it did point me to some key
phrases that I needed to read more closely, but it certainly didn't
eliminate the need for me to read the entire EULA carefully.
http://list.windowsitpro.com/t?ctl=14B61:4FB69

Last week, I learned about another tool, currently called Project Truth
Serum (read about it at the first URL below), that will help analyze
EULAs. That tool is being developed by Facetime Communications (at the
second URL below) and is currently in closed beta testing, so I didn't
have a chance to try it. But based on the sample output, which you can
view at the third URL below, the tool provides similar functionality to
EULAlyzer.
http://list.windowsitpro.com/t?ctl=14B5B:4FB69
http://list.windowsitpro.com/t?ctl=14B67:4FB69
http://list.windowsitpro.com/t?ctl=14B54:4FB69

I don't see any reason why EULA analyzers couldn't be made to analyze
privacy statements. But when I tried EULAlyzer on a tool's privacy
statement, it didn't flag anything as suspect, even though the
statement did indicate that my use of the tool would be tracked. But
maybe at some point, Javacool and/or Facetime will upgrade their
analyzers to also work on privacy statements.

At any rate, both of these tools are essentially designed to help guard
against spyware. Although they're useful to some extent, they certainly
aren't replacements for careful reading, nor are they designed to offer
you legal advice. They are simply helper applications that might
prevent you from overlooking something in a given EULA. If you're
interested in this sort of helper application, try EULAlyzer and keep
an eye out for Facetime's eventual product release.
====================
==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=14B56:4FB69

Microsoft Boosts Its Ability to Provide End-to-End PKI Solutions
Microsoft announced that it has acquired privately held Alacris,
maker of identity and access-management solutions. The acquisition puts
Microsoft in a better position to offer end-to-end solutions and to
take the solutions beyond the enterprise environment and out to
consumers.
http://list.windowsitpro.com/t?ctl=14B5C:4FB69

New Microsoft Tool Locks Down Shared XP Systems
Microsoft released a new toolkit that helps you lock down shared
Windows XP systems. The new Shared Computer Toolkit for Windows XP
includes three parts: a disk protection tool, a user restrictions
tool, and an accessibility tool.
http://list.windowsitpro.com/t?ctl=14B5F:4FB69
====================
==== 3. Security Toolkit ====

Security Matters Blog: Are Most Desktop Firewalls too Complicated?
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=14B62:4FB69
An interesting assertion is that Windows Firewall is enough for most
people because they aren't capable of making informed decisions about
whether to allow certain outbound network traffic. If that's true, is
it just that such people need a more intuitive interface and possibly a
little education? Read the rest of this blog entry for more about this
subject and post your comments to share your opinion with other
readers.
http://list.windowsitpro.com/t?ctl=14B5E:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=14B60:4FB69
Q: How do I log on to Windows Vista using a domain account?
Find the answer at
http://list.windowsitpro.com/t?ctl=14B5D:4FB69

Security Forum Featured Thread: Problem with Windows Update
A forum participant writes that when he tries to access Windows
Update he receives the message "The website has encountered a problem
and cannot display the page you are trying to view." This occurs just
after the site informs him that it's checking for the latest updates.
He said this happens only on one server and wonders if anyone knows
what the problem might be. Join the discussion at
http://list.windowsitpro.com/t?ctl=14B4D:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Control Endpoint Media Devices
Ecora Software announced the latest version of its endpoint security
solution, Ecora DeviceLock. DeviceLock provides centralized management
and access control for USB and FireWire ports, Wi-Fi and Bluetooth
adapters, CD-ROM/DVD and floppy drives, and other removable media
devices according to user, schedule, and/or specific device. DeviceLock
now lets you define a discrete list of administrator accounts so that
users with local administrator privileges can't disable or remove
DeviceLock services from computers. The product's USB whitelist can now
limit access to devices whose serial numbers are on the list. And
DeviceLock can now display custom messages when an access attempt is
denied. DeviceLock pricing starts at $35 per endpoint. For more
information, visit
http://list.windowsitpro.com/t?ctl=14B68:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=14B64:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=14B5A:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.