Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, May 31, 2001 (Vol. 6, #39 - Issue #274)
Interesting Articles
  This issue of W2Knews™ contains:
    • Nasty Viruses: Hoax [blush]
    • When Was Your Last CyberDisaster Drill?
    • Insurer Considers Microsoft NT High-Risk
    • Get StorageCeNTral Before The Price Hike!
    • Cisco Router Software Flaws
    • Testing Intrusion-Detection Systems
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Configuring ISA Server 2000
  SPONSOR: Prism MicroSystems
Keep track of changes of critical servers and workstations!
Ever wonder why that computer that was working correctly till now is
suddenly acting strange? Want to know what changed? WhatChanged (TM)
for Windows is powerful but friendly software to let you track,
examine, understand and manage change. Use the Enterprise Edition to
implement centralized Change Management in your Intranet today. Must
have software for critical servers and desktops. Get your free copy
of the Windows 98/Me edition (a $29 value) at:
Visit Prism MicroSystems for more information.

Nasty Viruses: Hoax [blush]

Hi NT/W2K-ers,

Well, just ONCE (because I was in a hurry) I failed to check whether some virus alerts were perhaps a hoax. And sure enough, as if the devil had a hand in it, they were hoaxes. Sorry 'bout that! However, there are still a bunch of these nasties out there, so make sure you protect your networks against them.

Let's have a look at the news!

UNDO Dept: We unintentionally dropped "Win98/ME" from our sponsor's text on 5/17. The free version was indeed for Win98/ME only. The same download was a 7-day trial for NT/W2K users; this has now been extended to 30 days for NT/W2K. WhatChanged is our sponsor again today.

Warm regards,

Stu Sjouwerman
(email me with feedback: [email protected])

Few people have the time, expertise, and dedication to sweat the
tiniest details. But those are the ones that hackers find and exploit.
Get your network assessed by an external, high-level anti-hacker. A
three-day assessment will show you how bad it is, and what needs to
be done to fix it. It's something your management cannot afford not
to do. Check out the brand new Sunbelt Security Consulting Service:
Visit IS YOUR NETWORK SAFE? for more information.

When Was Your Last CyberDisaster Drill?

On ships they do them all the time: fire drills. FEMA (the Federal Emergency Management Agency) does this for a living. When did your users last see black screens, a dead network and no power, purely as a test?

Just a few days ago, attackers shut down the CERT web site, a site dedicated to tracking hacker attacks. CERT is short for Computer Emergency Response Team and is funded by the federal government. The attack lasted 30 hours and denied access to practically everyone trying to reach the site. This was a so-called Distributed Denial of Service attack (DDoS for short). There was even a USA Today article about it; the link is at the end.

One of the commercial providers of disaster recovery, an outfit called Comdisco, said that the #1 cause of downtime is hardware and equipment failure. The #2 cause is power outages and fires.

Steve Hunt from the Giga Information Group commented that it is "finally dawning on people that computer disaster drills are important. You don't want the firemen to show up at the fire without ever having seen one before," he said.

So, what kind of disaster drills are done by what kind of companies?

  • IBM's consulting division conducted 10% more disaster drills in the first quarter of this year over last year, the company says. Comdisco's drills are up 10% to 15% in the last 12 months from a year earlier, division President John Jackson says. Clients are asking for longer tests, IBM manager Todd Gordon says.
  • Software company SolutionInc recently held its first disaster drill. Randy Currie, the company's technology director, tested his staff by replacing a data-filled computer drive with a blank one. Five workers recreated all the "lost" data in about 8 hours.
  • Pharmaceutical company Abbott Laboratories has run twice-yearly drills on its mainframe computers for more than 20 years. But it decided after undergoing Y2K preparedness tests that employees could benefit from additional training. Now, 20 to 25 workers are tested on computers of all sizes every month.
  • Texas Instruments has run mainframe drills since 1991. The company began expanding its training program 2 years ago. Now, it tests a variety of systems two or three times a year. The drills help TI identify "data that is missing ... holes in the procedures ... and changes in the environment that we may not have accounted for," says Greg Petersen, manager of disaster recovery planning.
  • Sophos Anti-Virus, a computer security software firm, holds monthly classes in Europe that let technology workers test their skills on computers infected with viruses. The courses are so popular that Sophos hopes to start them in the USA.
So, having an infrastructure that gets critical data off site, and then testing whether everything actually works, is important. It will help you (and your organization) find problems in both the hardware and software and in the procedures themselves. More importantly, it will keep your data-recovery skills current. When was the last time you tested whether your backups can actually be restored?
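A minimal restore drill, as an added example (not from the newsletter, the USA Today article or any vendor named above): it backs up a tree, restores it somewhere else and compares checksum manifests, then runs the same check against a truncated archive to show the drill catching a backup that "succeeded" but cannot be restored. The tools (tar, sha256sum), the directory names and the sample data are assumptions for a Unix host; the idea transfers to any backup product.

```shell
#!/bin/sh
# Restore drill, added here as an example (not from the newsletter or any
# vendor): back up a directory tree, restore it into a scratch location, and
# prove the restored copy matches the original file for file. A clean exit
# code from the backup tool is not evidence; the checksum comparison is.
# Paths and sample data below are constructed for the demonstration.

# Print "sha256  ./relative/path" for every regular file under $1, in a
# fixed order, so two trees can be compared with a plain cmp.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# Back up $1 into $2/backup.tar, restore it into $2/restore and verify.
# Returns 0 when every file restored with the expected contents, 1 otherwise.
restore_drill() {
    src=$1; work=$2
    mkdir -p "$work/restore"
    tar -C "$src" -cf "$work/backup.tar" . || return 1
    tar -C "$work/restore" -xf "$work/backup.tar" || return 1
    manifest "$src" > "$work/expected.sha256"
    manifest "$work/restore" > "$work/actual.sha256"
    if cmp -s "$work/expected.sha256" "$work/actual.sha256"; then
        echo "RESTORE OK: $(wc -l < "$work/expected.sha256") files verified"
        return 0
    fi
    echo "RESTORE FAILED: restored tree differs from source" >&2
    diff "$work/expected.sha256" "$work/actual.sha256" >&2
    return 1
}

# The failure case the drill exists to catch: an archive that was written
# but is unusable. Here it is cut off after the first 512-byte tar header.
# Returns 0 only if the (damaged) restore still matches, which it must not.
truncated_archive_drill() {
    src=$1; work=$2
    mkdir -p "$work/restore"
    tar -C "$src" -cf "$work/backup.tar" .
    head -c 512 "$work/backup.tar" > "$work/truncated.tar"
    # tar may exit non-zero or quietly restore a partial tree; neither is
    # trusted. Only the manifest comparison decides.
    tar -C "$work/restore" -xf "$work/truncated.tar" 2>/dev/null
    manifest "$src" > "$work/expected.sha256"
    manifest "$work/restore" > "$work/actual.sha256"
    cmp -s "$work/expected.sha256" "$work/actual.sha256"
}

# Constructed sample "production" data so the drill runs offline.
make_sample_data() {
    mkdir -p "$1/db" "$1/config"
    printf 'id,name\n1,alice\n2,bob\n' > "$1/db/users.csv"
    printf 'listen=0.0.0.0:443\nlog=/var/log/app.log\n' > "$1/config/app.conf"
}

# Usage (not run on load):
#   d=$(mktemp -d); make_sample_data "$d/src"; restore_drill "$d/src" "$d/run"
```

The point is the last step: the drill passes only when the restored tree matches the source, not when the backup job reported success. Scheduling this against a real backup set, restoring to a scratch host, is the smallest drill that answers the question in the paragraph above.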

USA Today article:

Video instruction for Disaster Recovery with intro by Small Business Administration Director:


Insurer Considers Microsoft NT High-Risk

ZiffDavis' Interactive Week magazine ran an article that is very interesting indeed. It claims Microsoft's server software is easy to install, loaded with features and fairly reliable, but may also be more costly to insure against hack attacks.

J.S. Wurzler Underwriting Managers, one of the first companies to offer hacker insurance, has begun charging its clients 5 percent to 15 percent more if they use Microsoft's Windows NT software in their Internet operations. Although several larger insurers said they won't increase their NT-related premiums, Wurzler's announcement indicates growing frustration with the ongoing discoveries of vulnerabilities in MS products.

Some industry observers believe other insurers may follow Wurzler's lead, which could affect the overall hacker insurance market, a sector that the Insurance Information Institute estimates may generate $2.5 billion in annual premiums by 2005. "We saw that our NT-based clients were having more downtime" due to hacking, says John Wurzler, founder and CEO of the Michigan company, which has been selling hacker insurance since 1998.

Wurzler said the decision to charge higher premiums was not mandated by the syndicates affiliated with Lloyd's of London that underwrite the insurance he sells. Instead, the move was based on findings from 400 security assessments that his firm has done on small and midsize businesses over the past three years.

Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software, where turnover can exceed 33 percent per year. That turnover contributes to another problem: System administrators are not implementing all the patches that have been issued for Windows NT, Wurzler said.

Microsoft spokesman Jim Desler said the hacker insurance market is still too young to declare Wurzler's move a trend. "There's not enough history or business to draw conclusions about rate-setting practices," Desler said. As the market matures, rates are likely to be based on best practices, rather than on platforms or products, he predicted. "We provide unparalleled support in the area of security."

American International Group, the country's largest insurance underwriter, said it will not raise its rates for Windows NT-based systems. Nor will Aon, the world's second largest insurance broker. The use of NT is "just one factor in the overall assessment of risks. It can be an indicator of other vulnerabilities, but you may also have other things in place to counter that, like firewalls and intrusion-detection systems," said Kevin Kalinich, a director in Aon's technology and telecommunications group.

However, Harry Croydon, CEO of Safeonline, a London risk analysis firm that works with underwriters at Lloyd's, predicted that Wurzler's decision to charge more for Windows NT machines is "a trend we will see increasing." Just as drivers who own rare cars pay more to insure them, Croydon said, "certain types of software expose you to different risks."

You should check with your own insurer whether this is going to be an issue. Are you insured against hacking in the first place? That might be a novel idea! Rest of the article here: (and free subscriptions too)

Tools to protect your networks from hacking are over here:


Get StorageCeNTral Before The Price Hike!

Through usually reliable sources I got word that the industry-leading Storage Resource Management tool StorageCeNTral is going to get more expensive in July. So that opens up the possibility of getting hold of this award-winning suite of tools before the deadline and still paying the old price.

StorageCeNTral was recently chosen by Microsoft to be included in their NAS Appliance Storage Management Kit. Microsoft's announcement quotes Keith White, senior director of marketing for the Embedded and Appliance Platforms Group: "Licensing WQuinn's StorageCentral SRM software enables OEMs using the Windows 2000 Server Appliance Kit to deliver a richer NAS solution to their customers and to get that solution to market quickly. The StorageCentral SRM software complements the proven reliability, manageability and availability of Windows 2000 technologies."

Kelly Meagher, a product manager at Microsoft says, "In this case, we were looking for the best technology to make available to our customers, and W. Quinn had it, hands down." Well, who am I to quarrel with that. [grin]

Get your hands on the industry's best-of-breed tool to solve the storage problem, for the old price of $895 for a single-server license. Prices in Europe may vary. Get your 30-day eval here:

Cisco Router Software Flaws

The SANS NewsBites e-zine reported that Cisco Systems issued an alert acknowledging not one but four(!) security holes in CBOS, the OS for its 600 series routers. Cisco advised its customers to upgrade. The comment here is that these are not just ordinary bugs, meaning a basically good design with a small error in the implementation. These flaws are fairly gross, suggesting that Cisco has had some newbie software engineers working on CBOS and that insufficient code review was done on their work.

The things they admitted to included passwords stored in clear text in router memory, predictable TCP Initial Sequence Numbers, and the possibility that the router stops passing traffic when certain ECHO REPLY and ECHO REQUEST packets are sent through it. Predictable ISNs are the one that deserves a second look: they let an attacker who is not on the path of a TCP session (a Telnet management session to the router, say) spoof or inject into it by guessing the sequence numbers blind. These are holes you can drive a truck through if you are an experienced hacker. Here is the link to Cisco's site for your upgrade:
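To make the "predictable ISN" item concrete, here is an added example that is not from Cisco's advisory or from the newsletter; it does not reproduce the CBOS generator (which the summary above does not describe). It contrasts a generic naive scheme, a global counter advanced by a fixed step per connection, with the RFC 1948 scheme (clock plus a keyed hash of the connection 4-tuple), and runs the classic off-path spoofing attack against both. The host addresses, ports, step size and secret are made up for the demonstration.

```python
"""Why a predictable TCP Initial Sequence Number is a hole, not a nit.

Illustrative example added to this page. It does not reproduce the CBOS ISN
generator; it contrasts a naive counter scheme with the RFC 1948 scheme and
runs the off-path attack against both. Hosts, ports and the secret are
constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, List, Optional, Tuple

# (local_ip, local_port, remote_ip, remote_port) as seen by the server
FourTuple = Tuple[str, int, str, int]
MASK32 = 0xFFFFFFFF


class NaiveISN:
    """One global counter, advanced by a fixed step for every new connection.

    Anyone who can open two connections learns the step and can compute the
    ISN the server will hand to the *next* client, whoever that client is.
    """

    def __init__(self, start: int = 0x1F2E3D4C, step: int = 64000) -> None:
        self.counter = start
        self.step = step

    def next_isn(self, conn: FourTuple) -> int:
        isn = self.counter & MASK32
        self.counter += self.step
        return isn


class Rfc1948ISN:
    """ISN = M(t) + F(4-tuple, secret), RFC 1948 style.

    M is a clock (4 microsecond ticks in the RFC); F is a keyed hash of the
    connection 4-tuple. Each 4-tuple carries its own secret offset, so ISNs
    observed on the attacker's own connections say nothing about the ISN
    issued to a spoofed one.
    """

    def __init__(self, secret: Optional[bytes] = None,
                 clock: Optional[Callable[[], int]] = None) -> None:
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock or (lambda: int(time.monotonic() * 250_000))

    def next_isn(self, conn: FourTuple) -> int:
        lip, lport, rip, rport = conn
        msg = f"{lip}:{lport}>{rip}:{rport}".encode()
        offset = int.from_bytes(
            hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (self.clock() + offset) & MASK32


def predict_next(samples: List[int]) -> int:
    """Attacker's model: the generator is linear, so extrapolate from two samples."""
    step = (samples[-1] - samples[-2]) & MASK32
    return (samples[-1] + step) & MASK32


def blind_spoof_succeeds(server, victim_ip: str = "192.0.2.10",
                         trusted_ip: str = "198.51.100.5",
                         attacker_ip: str = "203.0.113.7") -> bool:
    """One round of the off-path attack against a server using `server` for ISNs.

    1. Attacker opens two legitimate connections and records the ISNs.
    2. Attacker sends a SYN with the trusted host's source address.
    3. The SYN-ACK carrying the real ISN goes to the trusted host, which the
       attacker never sees; the attacker must ACK real_isn + 1 blind.
    The spoofed session is established only if the guess was exact.
    """
    samples = [server.next_isn((victim_ip, 23, attacker_ip, p))
               for p in (40001, 40002)]
    real_isn = server.next_isn((victim_ip, 23, trusted_ip, 40003))
    guessed_ack = (predict_next(samples) + 1) & MASK32
    return guessed_ack == ((real_isn + 1) & MASK32)


def spoof_success_rate(server_factory: Callable[[], object], trials: int = 50) -> float:
    """Fraction of independent attack rounds that land the spoofed session."""
    wins = sum(blind_spoof_succeeds(server_factory()) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("naive counter ISN :", spoof_success_rate(NaiveISN))
    print("RFC 1948 ISN      :", spoof_success_rate(Rfc1948ISN))
```

With the naive generator every round succeeds; with the RFC 1948 generator the attacker's two samples differ from the spoofed connection's ISN by an unknown keyed-hash offset, so the guess is no better than chance over 2^32. That is the difference between a router whose management sessions can be hijacked from anywhere on the Internet and one that cannot, and it is why this item in Cisco's list is more than an implementation slip.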

Testing Intrusion-Detection Systems

ComputerWorld has a good article on IDS testing. One of their columns is called "The Security Manager", and this installment explains how you can separate product hype from reality. I'm quoting the first paragraphs, and if you are intrigued, you should just click on the link and read the rest of the article. It's about 5 minutes' work, and very instructive:

"When you buy a sports car, it's a no-brainer that you'll take it for a test drive to make sure you like the way it handles, the comfort level and its performance. And if you're like me, when purchasing a security product for your company, you show the same due diligence to make sure you're getting the performance you need.

My company recently tested and acquired a network-based intrusion-detection system (IDS). Over the past few months, I've received many e-mails from readers asking me to explain the performance-testing methodology I used, so I've decided to share how I tested our network-based IDS. (A network-based IDS server watches traffic destined for all host systems on a subnet while a host-based IDS typically runs on each host system to be protected.)

Performance is only one possible criterion for choosing an IDS. Depending on the level of expertise of you and your staff and the amount of resources available, your requirements and testing criteria may be different from mine. You might focus on ease of use and strong reporting, ease of creating new attack signatures or price. Performance is critical to me because of the high amount of bandwidth our site must sustain. I can't afford to miss any potential events because of the performance limitations of the IDS infrastructure." Interested? Continue to read here:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • Paul Thurrott's view on the Itanium announcement and what 64-bit means
  • Instead of Battery Backups: Try your own MicroTurbine @ the same cost
  • It's like the old times for MS. Here's an update on their current scene

Configuring ISA Server 2000

If you are into building firewalls for W2K, this is a MUST-have book. This time, instead of a short dry description, here is one of the Amazon.com reader reviews, from May 17, 2001. Reviewer: James Glenn from Phoenix: "One of the best computer books I've read. I bought this book after having read the Shinders' Windows 2000 TCP/IP book, and also several of their MCSE study guides, and I'm very glad I did. Anyone who has worked at all with ISA Server knows just how complex it really is. This book will make you truly understand all of these complexities."