Security Watch

Microsoft's 'Geneva' Convention

Plus: DirectShow bug not fixed yet; MasterCard makes PCI auditing even more difficult; accidently hacking Twitter via shortened URLs.

• By Jabulani Leffall
• 06/23/2009

In recently releasing the Beta 2 version of its cloud identity program, codenamed "Geneva," the company is also showing its cards on the future of identity management and its willingness to foster interoperability with third parties in the name of security.

With the Beta 2 release, Redmond kicked in new bells and whistles that leverage its Security Assertion Markup Language (SAML) 2.0 specification that will, going forward, work with similar identity software from CA, Novell, SAP and Sun/Oracle.

The idea is to create an integrated identity layer in the theoretical cloud that can be the basis for sign-on access controls and capabilities across server applications from various vendors rolling out similar "cloud-based services."

As part of Beta 2, there will also be support services for SAML 2.0. Given that one big criticism of SAML technology is that solving single sign-on integration via a Web browser is difficult with different hosted servers, this support should be a step in the right direction and definitely create an atmosphere of détente among third parties who are also ramping up cloud computing products and services that they want secured.

Symantec: DirectShow Bug Endangers Windows Users
Many security experts were surprised and delighted earlier this month when Redmond's patch cycle contained what seemed to be every hotfix except one for the kitchen sink in any given corporate kitchen.

Conversely, the ITSEC community was both surprised and chagrined that the software giant didn't patch a bug in DirectShow for Windows XP and Server 2003.

Symantec said the bug has been added to a multi-strike attack toolkit. "This will likely lead to widespread use in a short time," wrote Liam Murchu, a researcher with Symantec's security response group, on the company's blog last Friday.

Microsoft has yet to issue a fix for the DirectShow bug, which affects Windows 2000, XP and Server 2003 (it doesn't affect Vista or Server 2008).

In its original security advisory, Microsoft said the vulnerability could be triggered if an unsuspecting user opens a specially crafted media file. A hacker successfully deploying this bug could increase his privileges within a Windows-based network. However, accounts configured with fewer administrative privileges aren't as vulnerable, Redmond said

MasterCard in New PCI Mandate
PCI compliance regulations in general have had merchants, particularly retailers in a tizzy since their inception. Here's something new to be mad at: This week MasterCard, one of the industry-borne arbiters of Payment Card Industry security and assessment standards through the subsidized PCI Council, announced it has changed what it calls key security requirements for all businesses handling between 1 and 6 million card transactions annually.

According to the card company, beginning on Dec. 31, 2010, companies that fall into what they designate as Level 2 merchants will have to essentially host an on-site audit of their security controls by a third-party, MasterCard-sanctioned assessor.

Right now the process is pretty much an enterprise IT security check list for Level 2 merchants that amounts to little more than a survey. But not for long. Such a move is likely to stem the raging tide of debate among vendors, payment processors and assessors alike who want less of a pay-as-you-go regulation and something a little more clear and uniform across all merchant categories.

What retail lobbyists and some enterprises will say about this promises to be interesting.

More Twitter attacks = More Bad Puns
I promise no alliteration this time, even though it's tempting to tap attacks on Twitter as tantamount to the timeliness of the ongoing security snafus at the micro blogging site with the peculiar name. Oops, I did it again. And apparently so did someone else.

News emerged last week that a URL-truncation service -- those Web address shortening services used to condense lengthy URLS for easy cutting and pasting into tweets -- was hacked last week, sending millions of Twitter users to an unintended destination. It all started shortly after Cligs, a rival to the better known TinyURL and Bit.ly shortening services, was attacked two Sunday's ago, after which some 2.2 million Web addresses were redirected to, of all places, the Orange County Register's Web site.

Graham Cluley of Sophos, a frequent source of mine who has been following the Twitter travails, seems to think it was a mistake on the part of hackers, that perhaps the URL addresses were so short that someone typed it in wrong.

Usually, Cluley and others say, the intention of directing a user to a different site is so that they can click on a malicious Web page and trigger malware. Had the OC Register not gotten wind of the issue and reported it and the hackers had got it right, it would have been much worse.

I can't guarantee that the different corny entry ways into what I like to call "Twitter-mark-up language" will continue, but it is almost certain that microblogging sites will continue to be targets for bug writers and hackers.