Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Microsoft releases Windows XP SP3

If you’ve been dying to get your hands on Microsoft’s NAP (Network Access Protection) technology, but just somehow haven’t gotten around to deploying Vista yet, today is your lucky day. Microsoft released Service Pack 3 for Windows XP today, and one of the major components of the massive update is NAP, the company’s network access control system. However, you do need to be running Windows Server 2008 in order to use the NAP capability. Along with NAP, SP3 also includes every update, security-related and otherwise, that Microsoft has released since it pushed out SP2 in 2004.

There are a handful of other security updates included in SP3, and Microsoft has a good description of all of the new features in Windows XP SP3. Here are some highlights:

  • IPSec Simple Policy Update for Windows Server 2003 and Windows XP. This is a tool to help simplify the creation of IPSec filters.
  • Digital Identity Management Service. This allows users on any PC that’s a member of a domain to access all of their digital certificates and encryption keys for applications and services on that domain.
  • Support for the WPA2 wireless security standard.
  • Black hole router detection turned on by default.

The other major news with Windows XP SP3 is the fact that it does not include Internet Explorer 7. Some users have complained about IE 7 being pushed to their PCs as a critical update and Microsoft even went so far as to release a special toolkit to block the delivery of the browser last year. For users who don’t update their machines regularly, SP3 is a good opportunity to get back on the right track all at once.

Fighting security FUD

Bill Brenner

I recently tripped over a blog write-up from independent analyst Eric Ogren about his irritation with security vendors using FUD to sell products. It’s an older posting from 2006 but his message is as relevant today as it was two years ago.

Building his case around a threat report Websense released at the time, he wrote, “I’m not sure that the world is better off with yet another security vendor telling us that Phishing, malicious websites, malicious code, hacking tools, P2P, IM and Chat attacks have all increased.”

He dismissed the report as FUD marketing designed to create demand for security products, but said he believed such reports could actually have the opposite effect by pointing out the futility of security products at stopping attacks.

He’s not the first security expert to rail against the FUD factor. Security luminary Bruce Schneier has devoted huge chunks of his time speaking out against security ‘theatre’ — policies and products that are more about offering the perception of security rather than addressing the actual risks.

And, rightly or wrongly, the Apple crowd is constantly crying FUD whenever something is written about a security flaw or malware affecting their beloved Macs.

I bring up the issue because it’s long been a source of irritation for me. As a security writer, I’m constantly buried beneath tons of voicemail and email from vendors looking for attention, and the PR machinery almost always uses FUD to make a case for buying the latest compliance-out-of-the-box appliance or the “first of its kind” bot/spyware/worm/common cold zapper.

Along the way, the PR community likes to invent new words or phrases to define the threat, many of which start with the letters “ph” (phishing, pharming, phlooding).

I’ve been looking back through four years of writing for the sake of nostalgia. The big thing that strikes me is that we’ve written a lot of stories about the latest flaw or exploit and someone is always banging on the alarm bell with a hammer.

In the final analysis, it’s prudent to flag the latest flaws and exploits because IT security professionals need to be aware of these things and incorporate the information into their patch management process. Heck, alerting them to these things is what we’re here for. But the tone and level of alarm that should go into these stories is always something we wrestle with.

Everyone has a role to play in information security, from the IT pros to the vendors, analysts and media. But from the content I look back on, I see little evidence that vendor-generated fear has ever made a difference.

Warnings about some flaw or exploit opening the door for a catastrophic Internet-ending event are never followed by the big doom. On the other side of the spectrum, the epidemic of data security breaches shows that all the FUD and security spending in the world can’t prevent the bad guys from punching through. The recent Hannaford supermarkets breach proves you can respond to the fear and spend a lot of money on new technology and still get whacked.

I recently asked Rhode Island-based network engineer Edward Ziots whether he jumps at every exploit warning. Here’s what he told me by email:

“We don’t jump, it would be imprudent to do so. Basically I read up on how the exploit works, even look at the code offline to ascertain if it would be available to be downloaded or how much effort would it take to be in a working exploit. Next, you basically need to adjust your risk assessment based on the controls you have in house, and how many systems could be affected and in what manner.

“Lastly, communicate the adjusted risk assessment to management and security and await a decision on whether to raise priority for patching, or to deploy other security measures to mitigate until all systems can be patched.

“Honestly, it makes it very difficult with exploit code in the wild and reports of working exploits not to raise your risk level and deploy extra manpower and time and effort to get all systems patched. It’s just due diligence.”

My advice is to take the FUD with a grain of salt and remember that while cyberspace is a dangerous place and you’ll sometimes have to raise your level of alertness as Ziots does, most enterprises will survive with the proper mix of security tools, policies and a calm awareness of the risks.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Vista SP1 experiences: The good and the bad

Bill Brenner

Yesterday I wrote a story about the reaction from Windows administrators to Microsoft’s release of Vista SP1, and the response was mostly one of caution and frustration.

The challenges people are running into are the same ol’ items: incompatibility with third-party programs, device driver glitches, a sleep mode problem and endless reboots.

One of the folks I touched base with is Michael Pietroforte, a systems administrator who heads up the IT department at the University Library of the Ludwig-Maximilian University in Munich, Germany. He tested Vista SP1 extensively and created a useful list of challenges and possible solutions in his 4Sysops blog.

Pietroforte’s entry inspired me to dig further for blogs with something useful to share about the service pack. Here’s a bit of what I found:

Longtime computer product reviewer Scot Finnie wrote that Vista SP1 has been running on a couple of his test machines for the past month and a half. He offered IT pros this verdict:

“You don’t need this thing right away. If you’ve kept up with Vista security patches, then you’re fine. There’s no need to rush into it.”

For those who dare to tackle the service pack now, he said the biggest pain one will likely encounter is the driver trouble during or after installation.

He writes that Vista SP1 has only one true reason for being — to help Microsoft sell Vista to enterprise customers, among whom the conventional wisdom has been to wait for the first service pack. “What’s actually new and not available separately is, to my perception, more marketing hype than reality,” he says. “There’s nothing wrong with SP1, but there’s absolutely nothing compelling about it either.”

Over at Blorge.com, Triston McIntyre wrote up this warning:

“The list of users who are experiencing more than a little difficulty with the new Service Pack 1 grows longer every day; it seems more and more users who boot multiple operating systems are experiencing grief as well,” he writes. “Before installing Vista Service Pack 1, be sure to check out the boot systems you’re currently using if you use Windows Vista Enterprise or Vista Ultimate, otherwise your PC might end up the victim of a faulty SP1 install.”

John Rundag, technology coordinator for the Logan Elm School District in Ohio, wrote in his blog about the slow Vista SP1 download process he endured. He warned that the process will take longer than anyone would want.

Once he had downloaded Vista SP1, he says, he clicked on the install and left for the day. When he returned to the office the next day, his computer looked the same as he had left it, with the exception of the install screen for SP1.

“One of the issues I had been experiencing was slow file copying to and from network drives,” he wrote. “A lot of times I just copied large files to a flash drive and then moved it to the server on my MacBook. Moving large directories was a nightmare. The first thing I did after I verified I was running SP1 was to move some files to the server.”

Fortunately, he reported, the system has been stable since installation and he hasn’t experienced any major issues.

Nick White, a product manager in Microsoft’s Vista department, offered a laundry list of the feedback Microsoft has received in the Windows Vista Team blog and promised to keep the lines of communication open.

Expect more frustration to flow from the blogosphere as IT pros try to get their arms around Vista SP1. But whatever the problems may be, Microsoft does deserve credit for trying to keep customers informed.

Eventually we’ll all get a grip on Vista. But it’s going to take a long time.


Cisco follows the patch path forged by Microsoft, Oracle

It worked for Microsoft, and it seems to have worked for Oracle — releasing security patches on a set schedule instead of rolling them out whenever they may be ready. Now Cisco is giving it a try.

The networking giant announced that starting March 26, it will release bundles of IOS security advisories on the fourth Wednesday of the month in March and September of each calendar year. That means IT admins can expect some Cisco security patches on March 26.

Cisco had this to say on its website:

“Cisco is adopting this approach in response to extensive feedback from customers, who seek further predictability for support planning and deployment cycles. This schedule change will not restrict us from promptly publishing an individual IOS security advisory for a serious vulnerability which is publicly disclosed or for which we are aware of active exploitation. The current format of IOS security advisories will remain the same. The software table in the advisory includes a list of recommended releases (where possible) for each software train that addresses all of the security vulnerabilities included in the bundle.”

I’ve talked to plenty of IT admins who like that they can plan their Microsoft and Oracle patching cycles around a set schedule from the vendor, so this would seem to be a smart move on Cisco’s part.

Microsoft releases beta for Internet Explorer 8

Bill Brenner

Beta testers in the security blogosphere have a new toy to salivate over — the first beta release of Microsoft Internet Explorer 8 (IE 8). The software giant said IE 8 can be installed on Windows Vista and Vista Service Pack 1 (SP1), Windows XP Service Pack 2 (SP2), Windows Server 2008 and Windows Server 2003 Service Pack 2 (SP2).

Microsoft says this version is the most secure yet. Of course, the company touted IE 7 as the most secure version yet when it was released a couple years ago, but it has since been releasing security patches for it on a regular basis.

To be fair, IE 7 was a huge improvement security-wise over the much-attacked IE 6, and Microsoft has more than proved its security seriousness in recent years. The results are not always pretty, especially when you consider all the compatibility headaches that come with Vista. But there is no doubt Microsoft security is much better than it was in the days of Slammer and Sasser.

Surprisingly, a look around the blogosphere reveals only a small amount of discussion about the security features.

Andy’s Tech blog focuses on the domain highlighting feature, writing, “Many malicious sites have stupidly complex URLs that make it difficult to figure out what the actual domain is. This feature makes the top level domain stand out from the rest of the address.”

Andy Lianto writes in his Communication Technology blog that IE will always be full of security holes no matter which version it is, and so he remains a devotee of Mozilla’s Firefox browser.

“In my opinion, and most people in the world, Firefox owns IE,” he wrote. “Firefox is far too good for IE 8 to even smell its feet, mainly because IE has too many bugs. IE has too many patches. If you use Windows Update, you will often see ‘security update for Internet Explorer.’” He says he prefers the Mozilla approach of simply pushing an updated version of the browser to users when a security fix is made. No patch deployment. Just a push of a button. That, he said, is much better than anything Microsoft can offer with IE 8.

The AskTheAdmin.com blog has a detailed look at all the IE 8 features, including security, saying the browser will build upon Microsoft’s security and privacy investments to address users’ security concerns. In the months ahead, additional new protection, prevention, and privacy services will be added, the blog said.

The blog offers the following details about the security features, taken directly from Microsoft:

  • Enhanced protection from deceptive websites: As part of an ongoing commitment to privacy and security, Microsoft is making enhancements to the phishing filter in Internet Explorer 8 to provide additional protection against evolving threats to the consumer. With the Safety Filter, Internet Explorer 8 will now protect against a broader set of online threats by analyzing the full URL string. The Safety Filter provides a more granular detection, and these prevention capabilities enable Microsoft to protect against more targeted and sophisticated attacks.
  • What Is Domain Highlighting? Domain Highlighting is a technology that highlights the top level domain in the address bar, allowing users to quickly confirm that the website they are visiting is the site they intended to visit. The domain name is in bold and black font, standing out from other characters in the URL which are gray.
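
The bullet above describes the idea but not the mechanics, so here is an added example (not Microsoft’s code) of the core of a domain-highlighting display: split a URL into the parts a browser would draw grey / bold / grey so the registrable domain stands out. It uses the WHATWG `URL` parser that Node.js and browsers both expose; the `PUBLIC_SUFFIXES` set is a constructed sample, and a real implementation would consult the full Public Suffix List instead. The function names are this example’s own.

```javascript
// Added example (not Microsoft's code): pick out the registrable domain of a
// URL so it can be rendered in bold, in the spirit of IE 8's Domain
// Highlighting. Uses the global WHATWG URL class (Node.js and browsers).

// Constructed sample of public suffixes. Assumption: a real implementation
// would use the full Public Suffix List rather than this short set.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "org.uk"]);

// IPv6 literals come out of the URL parser bracketed; IPv4 is four dotted
// numbers. Either way there is no "domain" to isolate.
function isIpAddress(host) {
  return host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Registrable domain = public suffix plus the one label in front of it.
// IP literals and hosts with no known suffix are returned whole so that the
// entire host is highlighted rather than nothing.
function registrableDomain(host) {
  if (isIpAddress(host)) return host;
  const labels = host.toLowerCase().split(".");
  // Try the longest trailing suffix first, so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return host;
}

// Returns { before, domain, after }: scheme, any user@ part and subdomains;
// the registrable domain; then port, path, query and fragment. Because the
// parser keeps userinfo separate from the host, a "bank.com@evil.net" style
// address is not mistaken for bank.com, and extra labels such as
// "www.bank.com.evil.net" end up in the grey "before" part.
function highlightParts(urlString) {
  const u = new URL(urlString);
  const host = u.hostname; // no port, no userinfo
  const domain = registrableDomain(host);
  const userinfo = u.username
    ? u.username + (u.password ? ":" + u.password : "") + "@"
    : "";
  const subdomains = host.slice(0, host.length - domain.length);
  return {
    before: u.protocol + "//" + userinfo + subdomains,
    domain,
    after: (u.port ? ":" + u.port : "") + u.pathname + u.search + u.hash,
  };
}

// Plain-text rendering for a terminal: the bold part is wrapped in asterisks.
function renderHighlighted(urlString) {
  const p = highlightParts(urlString);
  return p.before + "*" + p.domain + "*" + p.after;
}

// Constructed sample addresses of the kind the feature is meant to clarify.
const SAMPLE_URLS = [
  "http://www.bank.com.evil.net/login?id=1",
  "https://bank.com@evil.net",
  "http://login.bank.co.uk/",
  "http://192.168.0.1:8080/admin",
];
for (const s of SAMPLE_URLS) {
  console.log(renderHighlighted(s));
}
```

The point worth noticing is that the split is done on the parsed hostname, never on the raw string: a `user@` prefix or a long run of look-alike subdomains changes only the grey part, and the bold part is always the host the browser will actually connect to.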

I hope to see more blog chatter on the security side, but for now I’m interested in any feedback from those who have started to take this one for a spin.

Thanks, as always!


The Vista SP1 tirade continues

The ugly reaction to Microsoft’s handling of Vista SP1 continues, with reams upon reams of Windows administrators taking the software giant to task in the TechNet plus blog for keeping the final service pack out of their hands for another six weeks.

One TechNet member, tziegmann, wrote of the delayed release, “I think this is a stupid decision on Nash’s part. He allows Server 2008 to go out the door to TechNet / MSDN folk, but doesn’t let Vista SP1, which by the way comes from the exact same codebase, and was RTMed today as well. IT Pros and developers pay hundreds if not thousands of dollars to have access to these resources, only to be given a dog and pony show. If you give us one, why not give us both?”

Another member, Brett, agreed, writing, “This is so silly. We are waiting on SP1 to try and prep our systems for vista deployment too. We need the code. Let us download, from our Volume Licensing site, or download center..or something. If it’s done….let us have. If there are driver issues…we can fix them….at least I can…that what I get paid to do. C’mon MS…set SP1 free!”

This comes on top of the sour reaction of Windows administrators I’ve interviewed regarding their experiences testing the Vista SP1 beta.

I’ve reached out to Microsoft in hopes of getting an interview with Mike Nash and have been rebuffed because of “his busy schedule.” My sense is that he’d be much more eager to do an interview if the reaction to SP1 was glowing.

Message to Microsoft: Customers do not like it when the top decision makers go into hiding in the face of a negative reaction to something as big as this.

The good and bad with Windows Vista SP1

Bill Brenner

In early December I wrote about where to go in search of Windows Vista SP1 beta testers. At the time there was a lot of hope in the air that this service pack would fix the problems that have kept enterprises from deploying it up to this point. Now Vista SP1 has been released to manufacturing and users are expected to have access to it in March.

Here’s Microsoft bigwig Mike Nash’s take on the service pack from the Windows Vista Team Blog:

“Service Pack 1 is a very important milestone because it addresses many of the key issues that our customers have identified with Windows Vista over the last year, both directly and through programs like the Customer Experience Improvement Program,” he says. “With Service Pack 1, we have made great progress in performance, reliability and compatibility. One of the great things about my job is that I get to play with the latest builds of our products — I’ve personally been running Windows Vista SP1 pretty exclusively for a few months and I’ve noticed that my systems run faster and more reliably than they did with the Gold release of Windows Vista.”

Unfortunately, based on some blogosphere chatter and my own reporting on the subject, Nash is probably one of the few who can offer such glowing praise.

So far, the IT administrators I’ve talked to have given Vista SP1 the raspberry. Here’s some particularly harsh criticism from Jeffrey Jarzabek, IT director for Matocha Associates:

“I’ve been beta testing Vista SP1 for some time now and I can honestly say that we will not be moving to it for some time. There are still major problems with installing it and then restarting the system after you get it installed. A lot of what came out Monday was hype. It still isn’t 100%.” Specifically, he takes issue with what he found to be driver and reboot problems that led to system crashes and blue screens. He has found that other beta testers are running into similar trouble. “This has been a disaster since day one,” he told me. “I tried installing it on some Lenovo ThinkPads and it failed. I ran all the updates and SP1 executable and it failed right away.”

I’ve known Jarzabek for some time now and he’s not one to overstate things. So when he offers an assessment like this, I have trouble dismissing it.

But after poking around the blogosphere, I can report that the reviews aren’t all bad.

Arizona-based software consultant Robert McLaws shares his early Vista SP1 experiences in his blog. Unlike some of the acidic views I’ve heard so far, he reports relatively good experiences. After offering a blow-by-blow account of what he did during testing and how things turned out, he offered a fairly sunny assessment:

While some people are willing to spell doom and gloom for SP1, I think most people will see a decent performance boost in real-world scenarios. For machines like the Q1 Ultra, the boost is much-needed enhancement to the hardware. For beefier machines, you might even get more bang for your buck. The 15% performance boost on the XPS 410 is much better than the 10% boost that XPSP3 has over XPSP2, and not even close to the numbers that Devil Mountain came up with for SP1.

Of course, it’s not hard to find people who are having problems.

The ArsGeek blog offers detailed release notes under the heading of “Release notes for Vista SP1 — or things that will break your computer.”

A blogger from the Philippines named Rollchan details some of the troubles he came across, writing that “after installing SP1 on my desktop, it installed fine. But… the situation with my VAIO SZ lappy is the main problem. At the least, two problems; major and minor. The minor is that my Alps touch pad driver got abhorred by SP1 even after uninstalling and reinstalling it. Major problem then again, is my graphics card. It was abhorred by SP1 and after uninstalling and reinstalling it wasn’t detected by Vista with SP1 installed. I’m still working my way out for the least bit on these two pesky problems that troubles me and I may not install SP1 in an event I decide to fresh install my system again before the end of the month.”

In the final analysis, I think Vista SP1 is going to be a mixed bag, solving problems for some but causing more pain for folks like Jarzabek. Like anything else, it will depend on individual IT setups. It’s also worth noting that some folks are working off earlier beta versions, not the final product that was released to manufacturing.

So before tackling this service pack, it might be helpful to look at the reams of notes IT pros are posting online. There’s enough of the good and the bad that you can get a pretty good picture of what to watch for before doing your own testing.

Good luck, folks.


Introducing the Anti-Malware Testing Standards Organization (AMTSO)

Security software makers have taken a step toward creating a more standardized approach for anti-malware testing, with the formation of the Anti-Malware Testing Standards Organization (AMTSO).

More than 40 security software technologists and anti-malware testers from around the world recently met in Bilbao, Spain to formalize the AMTSO charter, vowing to close the divide between what anti-malware technologies actually do and the testing methodologies used to evaluate them.

“As anti-malware solutions become more complex, many existing tests are unable to evaluate product effectiveness properly, resulting in product reviews that are sometimes incomplete, inaccurate and misleading,” the group said in its inaugural press release. “AMTSO is focused on addressing the global need for improvement in the objectivity, quality and relevance of testing methodologies.”

According to the preliminary charter, AMTSO will:

* Provide a forum for discussions related to the testing of anti-malware and related products;
* Develop and publicize objective standards and best practices for testing of anti-malware and related products;
* Promote education and awareness of issues related to the testing of anti-malware and related products;
* Provide tools and resources to aid standards-based testing methodologies; and,
* Provide analysis and review of current and future testing of anti-malware and related products.

Microsoft completes Vista SP1, but hold the excitement

Splashed across the Windows Vista Team blog is a message from Mike Nash declaring that Windows Vista SP1 has been released to manufacturing, which means it’ll start being available to customers in March, starting with Microsoft Volume Licensing customers.

“Service Pack 1 is a very important milestone because it addresses many of the key issues that our customers have identified with Windows Vista over the last year, both directly and through programs like the Customer Experience Improvement Program,” he writes. “With Service Pack 1, we have made great progress in performance, reliability and compatibility.”

Sounds exciting, doesn’t it? This is the moment IT administrators have been waiting for, after all, a service pack that fixes everything that’s kept them from deploying Vista up to this point.

But don’t expect this announcement to hasten Vista adoption across the Windows universe. I’ve talked to a lot of IT pros about Vista in the past year, and many of them say they’re going to hold off on this OS as long as they can, SP1 or not. There are just too many compatibility concerns, and those who have had a peek at Vista SP1 aren’t feeling much better about it. A look at some of the comments on Microsoft’s own Channel 9 discussion board for developers shows that people are still struggling to get their arms around this monster.

I’m going to spend the day working on an analysis piece about this, so please give me a shout if you’re interested in sharing your Vista experiences and what the coming release of Vista SP1 may or may not mean for your IT environment.

Microsoft hires Linux security guru Crispin Cowan

Microsoft has added yet another big name to its Windows Security team: Crispin Cowan. These hirings have become old hat at this point, but this one has an interesting twist in that Cowan is renowned as a Linux security expert. He is the brains behind the StackGuard compiler, which is designed to turn out applications that are resistant to buffer overflows. Cowan also was the CTO and founder of Immunix, which produced a hardened Linux OS and was acquired by Novell in 2005.

Here’s what Microsoft’s Michael Howard had to say about Cowan’s hiring:

He’s well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism; it’s simple and it works. What excites me the most is he’ll bring a different perspective to the Windows team, and I’m a big believer in stirring the pot! Crispin will work in the same team that worked on User Account Control (UAC) and integrity levels, an area he knows a great deal about.

Cowan is probably as respected as anyone in the security community and he is unafraid to speak his mind. It should be fascinating to see how he works inside the ropes in Redmond and what effect his open-source background will have on the way things work.