The technique of island hopping—penetrating a network through a weak link and then hopping around systems within that network—has been around for years. But it continues to take on new dimensions. In today's security-conscious IT environments, people are often the weakest link, and malicious users are finding ways to use this to their advantage (think phishing and other forms of social engineering). This combination of carbon and silicon can prove fatal to your network.

Managing AutoPlay in Your Network:
http://www.microsoft.com/technet/technetmag/issues/2008/01/SecurityWatch/default.aspx

Urs

Windows' built-in security capabilities offer endpoint alternative to NAP/NAC
Microsoft’s support of the IP Security (IPSec) standard was enhanced with the release of Windows Vista this year, and interest in the technology will likely grow with the introduction of Windows 2008. For smaller organizations, IPSec could prove to be a cheap alternative to other network access control (NAC) technologies, or a stepping stone to a full implementation of Microsoft's Network Access Protection (NAP) in large enterprises. Either way, it’s time for organizations to take a closer look at IPSec’s capabilities.

http://www.darkreading.com/document.asp?doc_id=141929

Urs

Microsoft has filed a patent claim for the Strider HoneyMonkey malware/exploit detection system created by our internal research unit. The claim, currently being reviewed at Peer-to-Patent. The HoneyMonkey system, first discussed in August 2005, is best described as an automated Web patrol that uses multiple Windows computers -- some unpatched and some fully updated -- to streamline the process of finding zero-day Web-based exploits. The entire system consists of a "pipeline of monkey programs" running on VMs (Virtual Machines) with different patch levels in order to detect exploit sites with different capabilities.

http://securitywatch.eweek.com/exploits_and_attacks/microsoft_files_patent_for_honeymonkey_exploit_finder_1.html

Urs

Updates are available, but users haven't installed them, says Secunia. One in five applications installed on Windows PCs are missing security patches, a Copenhagen-based vulnerability tracker has reported.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9054502&source=NLT_PM&nlid=8

Urs

Forget the Nigerian prince. Phishing scams are moving beyond the misspelled, far-fetched ruses that clog your in-box and beg for your bank codes. In the year to come, security professionals are warning of bank code-stealing exploits that are much slicker and more convincing--hidden in guises as harmless as a banner ad on a reputable Web site or a message from a friend on a social network.

http://www.forbes.com/technology/2007/12/27/phishing-hacking-virus-tech-security-cx_ag_1228phish.html?feed=rss_technology

Urs