Security Watch
SMB Fix Is In the Flaw
Plus: Users seek transparency with SharePoint; Symantec chief retiring; a fool and his job are soon parted.
Microsoft spent the end of last week coming clean about a patch that took
seven years to work the kinks out of. The
Server Message Block Patch, released on Nov. 11, was the culmination of years
of work. Now as the software giant continues to roll out its cloud computing
initiatives, a report has emerged about SharePoint server and Microsoft is
getting more serious about quantifying and measuring exploits. And to begin
the week, security software company Symantec said its chief is retiring and
that it completed an acquisition. The Payment Card Industry said it will provide
more guidance to IT security pros for assessing risk and testing for hacks.
Meanwhile a disillusioned and recently laid-off systems administrator from New
Jersey was arrested for cyber-extortion when he allegedly asked his company
for parting gifts lest he destroy their servers.
Report: More Transparency Needed for SharePoint Server
Many process owners and IT pros have less visibility of what's going on
in their SharePoint environments and thus feel the workflow and collaboration
puts them at risk of data theft. That is according to research firm Courion,
which this week found that although SharePoint-powered sites are increasingly
prevalent in the enterprise space, 86 percent of the management-level respondents
are still concerned that sensitive data is finding its way onto these sites
without "proper safeguards." The study comes as Microsoft prepared
on Monday for its formal launch of Exchange Online and SharePoint Online from
beta form.
Redmond Touts 'Exploitability Index' as a Success
"For each of the aforementioned issues, functioning exploit code was
released publicly within the first two weeks," Microsoft said in this
blog posting, adding that the new index, which just reached its one-month
mark last week, will help IT pros make "deployment decisions." Redmond
said further that before the advent of the index and the "additional layer
of analysis" it fostered, its patch bulletins had no indication of the
likelihood of the stated vulnerabilities being exploited.
Symantec Completes Deal, Makes Management Announcement
Symantec announced that John W. Thompson, chairman and chief executive officer,
will retire as CEO at the end of the fiscal year. The board of directors has
appointed Enrique T. Salem, Symantec chief operating officer, as president and
CEO effective April 4, 2009. Following the transition, Thompson, 59, will remain
chairman of the board and Salem, 43, will join the board of directors. The management
change comes as the company announced it wrapped up its acquisition of MessageLabs,
a deal in which it hopes to gain ground in the software-as-a-service market
and expand Symantec's existing portfolio of SaaS offerings with messaging and
Web security services from MessageLabs.
Payment Card Industry's QA Program for Security Pros
The Payment Card Industry Standards Council, the governing body for rules around
transaction security and Payment Application Data Security Standards, has established
a quality assurance program for Qualified Security Assessors and Approved Scanning
Vendors. The council said the new programs are designed to provide a roadmap
for independent security vendors specializing in PCI consulting and information
security audit programs.
VeriChip to Offer Products Through MS HealthVault
VeriChip Corporation said that its VeriMed Health Link patient data system
will be accessible through Microsoft HealthVault, an online platform designed
to help consumers keep their records safe. Per the deal, VeriChip said its members
will be given free MS HealthVault accounts to input, store, view, interact
with and protect their data.
Paid in Fool
Federal prosecutors said they've arrested Viktor Savtyrev, 29, a New Jersey
resident, who demanded extended medical coverage, "excellent" job
references and a favorable severance package -- or else -- from his former employer
where he was a systems administrator. In e-mails to his company, believed to
be New York-based Third Avenue Management LLC, he threatened that if his demands
weren't met he would crash the company servers. Savtyrev's attorney Robert Stahl
said the former IT pro will plead not guilty even though he allegedly sent e-mails
after being let go on Nov. 5.
About the Author
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.