Patch Tuesday Includes Wireless Vulnerability

Posted on : 11-06-2008 | By : admin | In : Technology

On Tuesday, Microsoft released security fixes for desktop users and network administrators alike. Seven security bulletins address 10 vulnerabilities, three of them critical.

Security researchers say the critical patches that affect Windows desktop users should be given the highest priority.

There are also three important patches, MS08-034, MS08-035 and MS08-036, that affect Windows servers, as well as a moderate patch. Managers of Windows servers should install these patches. MS08-032 is the moderate patch and addresses the “kill bit” for Windows. The patch disables code with a known security bug.


Betting on Bluetooth

“The vulnerability in the Bluetooth stack is especially noteworthy because it allows an attacker in range of a Bluetooth-enabled device running Windows XP or Vista to take control of that device,” said Ben Greenbaum, senior research manager for Symantec Security Response. “User interaction is not required. All that is required is for the device to have Bluetooth on and to be within range of the attacker.”

Tyler Reguly, a security engineer with nCircle, a network security firm that works with companies like ESPN and Safeway and government agencies like the FCC, said he finds the Bluetooth patch interesting because it’s a vulnerability in a popular wireless protocol.

“It is remote code execution in both XP and Vista. People traveling with laptops are probably the most likely to have Bluetooth enabled,” Reguly said. “It’s important to keep in mind the limited range of Bluetooth, which is what, in my opinion, somewhat limits the severity of the vulnerability.”


The IE Trend

According to Amol Sarwate, manager of the vulnerability research lab at Qualys, the most serious of this month’s patches is the vulnerability in Internet Explorer, MS08-031, which is a zero-day threat.

“Victims would only need to visit a compromised site in order to be affected by the remote code for viruses, worms and other…

Tags: Internet, microsoft, Network, Network Security, research, viruses, Wireless

Important IT Support Services for SMBs

Posted on : 08-06-2008 | By : admin | In : Management, Tips

Today’s business practices are clearly much different from yesterday’s. Even very small businesses today have to digitize all their data and establish a presence online. Because most small and medium businesses lack the technical knowledge, capital and systems to meet all their IT requirements, many IT support services are now available for SMBs. Here are some important ones.
  • Database management, data back-up and data recovery services.
  • Equipment leasing services, which lease computers, networks, servers, etc.
  • Server management, hosting and website management services.
  • Online customer service and form processing services.
  • Network security and spam protection services.
  • Mailing and newsletter management services.
  • IT consulting services.
  • Communication management and business process management (BPM) services.
  • Project/product/service outsourcing management services.

Many companies offer the above services to SMBs. The best option is to choose companies that offer more than one service at affordable cost. It is also good to stick with companies that do not require large upfront investments or that offer their service for a fixed monthly rate. Other things to look at include accessibility, customization ability, updates, security, installation costs, etc.

Tags: BPM, business, Computer, computers, Customer Service, Network, Network Security, small business, Spam

Small Business Means Big Business for Hackers

Posted on : 30-04-2008 | By : admin | In : Technology

Think your company is too small to attract a hacker? Think again.

“Small businesses are a hacker’s dream … Hackers know that most small business owners have the ‘It won’t happen to me’ or ‘I don’t have anything that they’d want’ mentality and prey on it,” said Renee Chronister, co-owner of Parameter Security, an ethical hacking firm. “They also know that small business owners rarely invest in information technology security or integrate only minimal security measures.”

Chronister said a lack of budget for network security leaves most small businesses vulnerable to an outside attack. Most businesses only allocate 3 to 6 percent of the corporation’s budget to IT security, she said.

“With hackers attacking every 39 seconds, you’d think that the budget would be higher,” Chronister said. “Businesses think they are invincible, that because they have a firewall and an IT department, they are safe.”

Parameter Security tests for security vulnerabilities by emulating the thoughts and behaviors of malicious hackers, identifying weaknesses before they become real-world threats.

“Once inside your network, hackers have complete control and can watch you type in real-time, turn on your webcam and/or microphone, access your passwords, turn off your virus protection and shut down your desktop,” said Chronister.

Dave Shores, vice president-operations of First Advantage Bank in St. Charles, [Missouri,] said the banking industry has to be extremely cognizant of the possible security threats.

“Banks need to be especially conscious of customer identification and information is always secure,” said Shores. “We need to make sure we comply with every regulatory requirement and make sure we don’t decimate customer information.”

First Advantage Bank used a network penetration audit to make sure its network was really as secure as the bank thought it was.

“Network security audits emulate a real-world attack, where ethical hackers hack your network to exploit your vulnerabilities,” said Chronister….

Tags: business, Hackers, information, information technology, information technology security, Network, Network Security, small business, Technology

Windows XP Service Pack 3 Due Out Next Week

Posted on : 23-04-2008 | By : admin | In : Technology

The last service pack for Microsoft Windows XP was released almost four years ago. In the meantime, engineers in Redmond were busy on a little project called Vista. Now that Vista has been out the door for a year, Microsoft has finished up Service Pack 3 for Windows XP and released it to manufacturing. The new release will be available for public download next Tuesday, April 29.

“Windows XP SP3 bits are now working their way through our manufacturing channels to be available to OEM and enterprise customers,” Chris Keroack, release manager for Windows serviceability, posted to Microsoft’s TechNet forum. “We are also in the final stages of preparing for release to the Web (i.e. you!) on April 29th, via Windows Update and the Microsoft Download Center.”

SP3 will be distributed to home users via Automatic Update in early June, the company said. Online documentation for Windows XP SP3 will be updated next week.

The new service pack is a 70MB download to update Windows XP and can be installed on top of either SP1 or SP2. It doesn’t work with the 64-bit version of XP, however.

Previous Patches

Much of SP3 consists of previously released patches, according to Andrew Storms, director of security operations for nCircle Network Security. “In terms of functionality, SP3 delivers eight mainline items, which had already been previously available by download,” Storms noted in an e-mail.

While consumers won’t notice much difference, “enterprises will welcome the added functionality of Digital Identity Management Service (DIMS) and support for WPA2,” Storms said. WPA2 is a wireless security solution derived from the 802.11e standard. DIMS allows users to access all their certificates and private keys for applications and services.

As for the new items in XP, enterprises will be mostly concerned with Network Access Protection, a platform that enforces compliance with network policies, and…

Tags: application, Compliance, consumers, microsoft, Microsoft Windows, Network, Network Security, Wireless, Wireless Security

PayPal Plans To Block Older, Unsafe Browsers

Posted on : 18-04-2008 | By : admin | In : Enterprise Security

The name PayPal is almost synonymous with phishing scams. According to anti-phishing service PhishTank statistics from last year, PayPal was the number-one target of scams — more than twice as often as PayPal’s parent, eBay, the second most popular target.

On Friday, PayPal announced it was taking an unusual step to combat phishing abuse: blocking old and insecure browsers from its site. It is “an alarming fact that there is a significant set of users who use very old and vulnerable browsers, such as Internet Explorer 4,” the company said.

PayPal now supports only the use of Extended Validation SSL Certificates. Browsers that support the technology highlight the address bar in green when users are on a legitimate site. The latest version of Microsoft Internet Explorer supports EV SSL certificates. Firefox 2 supports them with an add-on, but Apple’s Safari browser doesn’t.

Protecting Consumers and Vendors

“By displaying the green glow and company name, these newer browsers make it much easier for users to determine whether or not they’re on the site they thought they were visiting,” said PayPal.

“While refusing to do business with people who don’t use one of these browsers may seem disruptive,” said Andrew Storms, director of security operations at nCircle Network Security, “it is actually a rather old technique used by software vendors.” Just as software vendors specify approved and required components, “providers of services not only protect their bottom line by making such demands, but also in the long run protect the consumer,” Storms explained.

The problem is that it’s relatively easy to impersonate browsers. “Exactly how and if PayPal attempts to act on this initiative will be interesting. Apple’s iTunes Store is in essentially the same situation. If someone wants to use the iTunes Store, they need to use iTunes. So far, that limitation hasn’t seemed to…

Tags: Apple, business, consumers, Internet, microsoft, Network, Network Security, Software, Technology