Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Tue, Nov 30, 1999
SP6a Confusion
  This issue of W2Knews™ contains:
1) 40-BIT SERVICE PACK 6A WAS NOT YET READY
2) NT SPECIFIC SECURITY HOLE
3) MAC-NT LISTSERVER FOUND

-------------- SPONSOR: NT VULNERABILITY SCANNER ----------------
Ever had that feeling of ACUTE PANIC that a hacker has invaded 
your network?
Plug NT's holes before they plug you. There are many hundreds of 
known NT vulnerabilities. New ones are found daily. You just have 
to protect your LAN _before_ it gets attacked. STAT is a new tool 
that solves your NT security exposure in a completely unique 
fashion. STAT is not just a shrink-wrap product. It comes with a 
responsive web-update service and a dedicated Pro SWAT team that 
helps you to hunt down and kill Security holes. Originally built 
by anti-hacker experts for Secure Government sites. Download a 
demo copy before you become a statistic. 
http://www.sunbelt-software.com/stat.htm
------------------------------------------------------------------

1) 40-BIT SERVICE PACK 6A WAS NOT YET READY

Hi Everybody, sorry that I 'threw you a curve' and confused you.
I was misled myself. I announced the SP6a last week, and despite
the Microsoft webpages indicating the 40-bit version was SP6a, 
it wasn't quite yet. Several of you downloaded it, ran SYSDIFF 
and other tools, found it was identical and had the same checksum. 

So we looked a bit more and did some double checking. The NTBUGTRAQ 
list owner came up with the same thing. No problems like that with 
the 128-bit version. Looks like MS was not quite ready yet and 
only now SP6a is being propagated out to their download sites. 

I'm still confused though. These are the numbers you get when you 
use the MS query engine at the following address:
http://www.microsoft.com/downloads/search.asp?
4 Oct 1999 - Service Pack 6 - 36,011 kb
23 Nov 1999 - Service Pack 6a - 35,720 kb

But if you go here, the SP6 file size is different again. 
http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/x86DLType.asp

Here it indicates 34.5 Mb and the file name is identical 
to the old one. There are some inconsistencies here so I 
suggest you wait a few days until this has been cleared up. 
I'll let you know. Someone in MS, help me out here?
Email me at [email protected]
------------------------------------

2) NT SPECIFIC SECURITY HOLE

Since this is a specific NT-related hole I thought I'd better
send you a heads-up on it. If you run NT4 with IE5 and have
installed the so-called 'Offline Browsing Pack' (this is not
installed by default), you need to fix this hole. 

A vulnerability in that component could allow a malicious user 
to gain additional privileges on a Windows NT machine that allow
them to create or change files. We don't want _that_ do we?
The FAQ about this hole is over here. 
http://www.microsoft.com/security/bulletins/MS99-051faq.asp

From the viewpoint of managing a production environment, these
kinds of holes pose a whole different kind of challenge.
The 'worst-case' scenario goes something like this:

1) You have been attacked, and they got through. There is damage.
Management is dismayed and asks "What are the IT guys paid for?"
2) You spend days or weeks cleaning up the mess, but it's futile
as it's near impossible to find out how they came through.
3) Security consultants are hired and they point out between 5
and 30 vulnerabilities per machine. Way too much work to fix.
4) Management now really is aghast and angry. Why weren't the
security policies implemented? Senior Execs demand change.
5) After another few weeks trying to fix things on the list, some 
other super urgent project comes along and 'fixing' is put on
hold, sometimes indefinitely. Until the next break-in and the
story starts again, with heads rolling this time.

The Internet is actually a pretty scary place when it comes to
security. As you know, I run a Dell 450 with 256Ram on a local
cable modem segment from GTE. Very fast but also a juicy target 
for hackers. A week ago I bought and installed the BlackICE 
defender on this box and I could not believe my eyes.

There have been over 100 hack attempts since the 23rd of Nov,
varying from TCP Port scans, possible SMURF attacks, SOCKS port
probes, RPC port probes, SNMP discovery broadcasts, UDP port
probes and the like. YIKES! Later I'll tell you more about this.

The upshot? With this many holes existing and new ones found
daily, you just GOTTA, GOTTA, GOTTA! protect yourself. That means
a combination of 1) sufficient resources allocated by your company,
2) training for you all so that you CAN plug these holes, and 3) 
the right tools to do it. Here is a good article in ComputerWorld
that goes into more detail on what the organizational challenge is.
This is worth reading, printing, and giving to your management.
http://www.computerworld.com/home/print.nsf/all/991122CD52

Regarding security tools, one of the products you _cannot_ afford 
_not_ to have is STAT. By no means is it the only security tool
you need, but a vulnerability scanner is the thing that most sites
start off with, as this points out the holes, the priorities and
is updated regularly to find new ones. Since Y2K remedies are now 
mostly behind us, Security is the next thing that IS is focusing
on. Check out STAT. You might save yourself a whole lot of trouble.
http://www.sunbelt-software.com/stat.htm
------------------------------------

3) MAC-NT LISTSERVER FOUND

If you run MACs with your NT servers, these puppies pose a whole
different type of problem. And often it's not easy to find the
right answer. There is a MAC-NT list server where NT System Admins
running MACs discuss these and help each other. You can subscribe
over here: http://www.onelist.com/subscribe/Mac-NT

That's all for the moment!

Warm regards,

Stu Sjouwerman

Email me with feedback at [email protected]