Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Oct 30, 2000 (Vol. 5, #52 - Issue #226)
How Was Microsoft Cracked?
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • How was Microsoft Cracked?
  2. TECH BRIEFING
    • My Downtime Math Was Off!
  3. NT/2000 RELATED NEWS
    • You Can Now Rent MS-Apps in Web Cafes
    • MS Releases MINI-SQL
    • How To Avoid Sending 'Out Of Office' to mailing lists
    • The Page File Is A Possible Vulnerability
  4. NT/2000 THIRD PARTY NEWS
    • And What Happens When Your Plan B Fails?
    • Sybari Forms Strategic Alliance With CA
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • MCSE Training Guide (70-240): Windows 2000 Accelerated Exam
  SPONSOR: SURFCONTROL
FREE -- Internet Filtering Software Trial --
Internet seduction may be costing your company a fortune in
network bandwidth and lost productivity. Remove the mystery and
find out who's CyberSlacking with SurfControl. Monitor, report,
block and control access to all TCP/IP protocols. Get immediate
results & detailed reports. You've got responsibility for the
network, download an easy way to manage it. FREE 30-day trial!

Visit SURFCONTROL for more information.
  EDITORS CORNER

How was Microsoft Cracked?

Just last Friday, MS reported that system crackers had broken into their corporate network. The Wall Street Journal reported on it that day, and provided a lot more detail and specifics today (Monday the 30th). Interesting to see that corporate IT security has become headline news at the largest newspapers in the USA.

A senior official from MS said they detected the trespass from its earliest moment and monitored it while it was going on, to make sure they would be able to provide enough evidence to the FBI. The attack lasted only 12 days instead of the 'weeks or months' that were reported last Friday; that figure was based on a false assumption, and it does not look like any source code was compromised. The 'crack' ran from Oct. 14 to Oct. 25.

MS feels very comfortable that it accumulated enough data to identify the cracker, but cannot comment any further due to the criminal investigation. No arrests are imminent yet, though. MS is considering how to further tighten its security measures.

So, how did they get in? Here's the most likely scenario. A common cracker's tool called the QAZ trojan was sent by email (spam) to the home computer of an MS employee. This person used that computer to check their email and to work on the MS corporate network. The QAZ code (or a companion tool) stole some passwords from that PC and emailed them back to the cracker. This allowed them to later log onto the MS network posing as the authorized employee. It's not 100% confirmed, but it looks like this is how they got in.

So, what is the QAZ worm? It arrives as an attachment that, when it inadvertently gets installed, disguises itself as NOTEPAD. QAZ then sends a remote signal to a computer in Asia with the location of the infected PC. QAZ contains a backdoor that allows the remote attacker to gain control of the local machine over port 7597, and it spreads to the other machines in that domain. Other cracker tools are then used to penetrate further. As of September 14, there were at least four variants of the original virus.

More on this particular one over at the Symantec website, plus a free tool you can download and run to search-and-destroy this particular critter on your own systems. I just tried it. It takes a minute per machine, depending on how big your C:\ drive is.
http://www.sarc.com/avcenter/venc/data/qaz.trojan.html

However, this opens up another can of worms: how are you going to stop this from happening to your own networks? The security perimeter has now moved outside your firewall! Food for thought.

If I see any good 'end-of-year' deals I'll send you a W2KnewsFlash.

Warm regards,

Stu Sjouwerman
(email me with feedback: [email protected])

  SPONSOR: ECORA
STILL MANUALLY DOCUMENTING YOUR NT AND EXCHANGE NETWORKS?
With ECORA you can automatically document and redocument your
servers at a fraction of the time and cost. Comprehensive text &
graphics. All formats. Behind your firewall or over Web. No
software to install or maintain. No agents to load. Free trial.

Visit ECORA for more information.
  TECH BRIEFING

My Downtime Math Was Off!

I was on the road last week (Paris and Amsterdam) and did not have my normal resources at hand, so I used my (now shown to be miserably failing) memory for the downtime math.

Here is the real scoop on downtime. Thanks to all of you who made me aware of my wayward wanderings. Here goes:

  • 1 year = 365 days = 8760 hours
  • Two 9s uptime = 99% = 1% downtime = 87.6 hours (3.65 days) downtime a year.
  • Three 9s uptime = 99.9% = 0.1% downtime = 0.001 = 8.76 hours downtime a year, i.e. three 9s is only about one working day.
  • Four 9s uptime = 99.99% = 0.876 hours = 52.56 minutes downtime a year, less than 1 hour.
  • Five 9s uptime = 99.999% = 5.256 minutes downtime a year.

Having corrected this, there is still an incredible need to make sure that disasters do not hit you. Have you seen the Microsoft Cluster Server Disaster Recovery Video yet? It's an online seminar that is also hosted on the MS online seminars website. The link to the seminar is at the bottom of this page, and you can choose high or low bandwidth.
http://www.sunbelt-software.com/product.cfm?id=111

  NT/2000 RELATED NEWS

You Can Now Rent MS-Apps in Web Cafes

As I predicted a long time ago, it's finally happening. MS will rent its software on a per-use basis for the first time, through a chain of budget Internet cafes called 'easyEverything'. This new humongous outfit in New York with 800 seats (yes, you read that right) will open in Times Square on Nov 28. You will be able to rent MS-Office for a small fee per session, something like 2 bucks.

It's a trial balloon for MS, because under the .NET initiative they will start charging consumers a regular monthly fee rather than a lump sum up front. MS will learn from this pilot and see where they need to tweak and adjust. easyEverything is planning an aggressive expansion. They expect most users will be people who already use MS-Office at work or at home but are on the road and need to use it.

How much for all of it?
  1. The customer buys Internet access at the main desk for something like 1 dollar per 15 minutes; fees vary depending on peak times.
  2. They log onto a PC in the café. They can see in real time how much credit they have left.
  3. A separate 2 bucks per session is charged for use of MS-Office or Word, and includes Encarta. Printing: 35 cents per b/w page and 70 cents for color.

MS Releases MINI-SQL

Last Thursday, MS introduced the smallest flavor of SQL Server yet, a special version designed for WinCE hardware. Redmond worked for more than a year on the new SQL code, and it fits inside 1MB! The full name is "SQL Server 2000 Windows CE Edition", and it can be used to replicate data from a CE handheld to its Big Brother SQL Server that sits on your corporate server.

The small CE flavor lets users who are on the road run their SQL apps and then transfer data when the gadget is hooked up again to the home mothership. And, to make things easy, you get a so-called 'CE unlimited deployment license' for free with the $499 SQL Server 2000 Developer Edition license.

There is a 'BUT', though. You do not need additional licenses to connect to a back-end SQL Server database if the back-end server is covered by a (quite expensive) per-processor license. Otherwise, the WinCE client needs a SQL Server CAL. Gotta watch it there.

How To Avoid Sending 'Out Of Office' to mailing lists

Outlook has a very handy assistant that allows you to send an 'Out Of Office' (OOF) message when you are not in. But mailing lists generally put your account on hold, or delete you, when they get these.

To avoid sending OOFs to mailing lists, you can do the following:

  1. Create a Public Folder & name it whatever you want to. Make a note of its SMTP address.
  2. Subscribe that SMTP address to the mailing list (for instance "MS-Exchange Admin Issues").
  3. Set your own mail subscription to the "no mail" option.

Then the PF will receive all mail sent to the list, and since PFs can't be out of the office, they won't return OOFs. You, however, can still have OOFs set up to go to the Internet (if you really want to) AND can still post to the list. Then *everyone* will be happy!

The Page File Is A Possible Vulnerability

SearchWIN2000.com sent this tip that I thought was a good one. It came from Tertius Genis, who works for Weyerhaeuser Corp.

The tip discusses one way that security breaches can happen, through the page file, and how to avoid it. The page file, a hidden file called pagefile.sys, is the one your computer uses to page out programs and/or data to the hard disk when memory resources are getting low. It's the same thing as the swap file in Unix. When you install Windows 2000, the installation program sets the size of the swap file to 1.5 times the amount of physical memory in your machine. For example, a 250 MB machine would have a default swap file size of 775 MB.

But the page file leads to a serious problem. A few of the attacks on Windows NT security about which information is publicly available rely on the fact that the NT page file is left intact on shutdown and can subsequently be scanned for useful information. There's no good reason not to erase the page file, and doing so can plug a potential hole in your NT or Windows 2000 armor.

To clear the page file at shutdown, you need to change the registry. Make sure you back up the registry before implementing the change, so that if you mess up, you can go back to where you were.

Change the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\MemoryManagement\ClearPageFileAtShutdown

Drill down to the key, and set the value in the dialog box that appears when you double-click it. To have the file cleared at shutdown, set the value to 1. To leave the page file intact at shutdown, set the value to 0.
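As an added example (not from the newsletter or from the original tip), here is a PowerShell script that audits the setting and, when run with -Fix, exports the key as a backup and sets the value to 1, following the steps above. Note that in the registry the subkey is spelled "Memory Management", with a space; the backup file location is my assumption.

```powershell
# Added example: audit and optionally remediate ClearPageFileAtShutdown.
# Run from an elevated PowerShell session. The subkey name contains a space.
param([switch]$Fix)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$RegPath = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Name    = 'ClearPageFileAtShutdown'

# Read the current value; a missing value behaves like 0 (page file kept at shutdown).
$current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) { $current = 0 }

if ($current -eq 1) {
    Write-Output "$Name is already 1: pagefile.sys will be cleared at shutdown."
    return
}

Write-Output "$Name is $current: pagefile.sys is left intact at shutdown."

if ($Fix) {
    # Back up the key first, as the tip advises, then set the REG_DWORD to 1.
    $backup = Join-Path $env:TEMP 'MemoryManagement-backup.reg'   # assumed location
    reg.exe export $RegPath $backup /y | Out-Null
    Write-Output "Key exported to $backup (import it with reg.exe to roll back)."
    Set-ItemProperty -Path $KeyPath -Name $Name -Value 1 -Type DWord
    Write-Output "$Name set to 1; this takes effect at the next shutdown."
}
```

Expect shutdown to take noticeably longer once the value is 1, since the whole page file is overwritten rather than just left on disk.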

  THIRD PARTY NEWS

And What Happens When Your Plan B Fails?

Plan A is of course your backup. Are you testing your backups for the ability to recover? Someone told me they restore their backups to another machine every week, and that getting files back quickly is a piece of cake that way. Not a bad idea, actually.

But Plan B, how about that? Do you have one? What if the backup tape is not readable (we had one like that a week or so ago), or simply does not restore the way you thought it would? It could be a deadly virus, a worm or a bad rain storm. I was just in Paris, and a rep from an Italian company told me a true story.

An Olivetti site in Italy was in the path of a river that had been fine for decades. Then, suddenly, something like 30cm of rain fell in that region. The river destroyed 40 bridges, and large sections of the town were flooded. The Olivetti site wound up with a whopping 200 servers literally under water for a week. All the hardware was ready for the trash!

So here comes my question regarding your Plan B. Do you have the right business continuity plan in place? Is your business-critical data off site at all times? Are you able to fail over to a machine that is still up and running somewhere? I strongly suggest you spend some time asking yourself: "What would happen if server so-and-so completely died?" Here is a link with some good white papers that will help you on your way. Check the section White Papers, Documents and Other Files on this page:
http://www.sunbelt-software.com/product.cfm?id=111

Sybari Forms Strategic Alliance With CA

Sybari Software, a well-respected antivirus and security specialist for groupware solutions, announced that it has entered into a partnership with Computer Associates International, Inc. With this alliance, Sybari is able to offer existing and new Antigen users the ability to use CA's InoculateIT and Vet engines for virus scanning.

"We believe that CA's InoculateIT and VET are invaluable additions to our current product offering," said Robert Wallace, president and CEO of Sybari Software, Inc. "Integrating their leading engines with our comprehensive scanning methodology in Antigen further strengthens our position as leaders in the antivirus and security market."

Sybari's Antigen is a comprehensive antivirus and security solution specifically developed to protect Exchange and Notes environments. Through the integration of multiple virus scanning technologies, such as CA's InoculateIT and VET, Antigen is able to protect the most complex messaging infrastructures from malicious virus attacks. It is Antigen's ingenious architecture that enables mail admins to select from several of the leading scan engine technologies available in the market.

"With the rise in email-borne viruses and worms, Groupware antivirus solutions are essential," said Simon Perry, vice president, security solutions, Computer Associates. "Our partnership with Sybari will help organizations increase productivity by protecting email and other mission-critical applications from viruses." More at: www.sybari.com

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • If you run Exchange, this is your DISASTER BIBLE. Read it THREE TIMES.
    http://www.microsoft.com/exchange/techinfo/Disaster.htm
  • How does NLB work? Network Load Balancing is a good HA feature in W2K.
    http://www.microsoft.com/WINDOWS2000/library/howitworks/cluster/nlb.asp
  • Want to subscribe to a Windows specific SECURITY list server? Go here:
    http://63.88.172.96/go/loader.asp?id=/security/howto-faq.htm
  PRODUCT OF THE WEEK

MCSE Training Guide (70-240): Windows 2000 Accelerated Exam

This exam covers all of Windows 2000. This will be seen by many exam candidates as the first path to take to achieve Windows 2000 certification coming from the Windows NT Server 4 track. Written in keeping with the Training Guide series, you will find pre-chapter quizzes, chapter reviews, case studies, glossaries, and much more, written based on the exam objectives. To supplement the top-notch content, the Training Guide offers a version of ExamGear which gives you the chance to try your hand at adaptive testing and other new testing technologies, all with the look and feel of the real exams. Suggested Retail: $59.99 - But available at Sunbelt Bookclub: $38.99
http://www.sunbelt-software.com/bookclub/