Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Feb 14, 2002 (Vol. 7, #13 - Issue #344)
This Is A Good One!
This issue of W2Knews contains:
- EDITORS CORNER
- More on the IRS Audit Scam
- TECH BRIEFING
- Terminal Server On Linux? Yes And No.
- NT/2000 RELATED NEWS
- Whoops! Simple Network Management Protocol (SNMP) has a flaw
- MS Battles More Holes In Internet Explorer
- NT/2000 THIRD PARTY NEWS
- AutoPilot Boosts A Maxed-out Mail Server
- Run BlackICE Defender? Better Fix This Hole!
- Symantec Flags Remote Admin As A Virus [grumble]
- How Often Is YOUR Vulnerability Scanner Being Updated?
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Small Business Server 2000 Best Practices
SPONSOR: "pcAnywhere Killer"
Sunbelt Remote Admin Declared "pcAnywhere Killer" By User
You might want to give Remote Admin a try too. Currently the version
under NT4.0 is blisteringly fast, and soon a new version for W2K with
a new W2K-specific video driver will make it even faster on W2K. It's
as if you are there, with all the admin tools to control remote systems.
This puppy was "made by and for" system administrators. Pricing is dirt
cheap. Get your 30-day eval here:
Visit "pcAnywhere Killer" for more information.
More on the IRS Audit Scam
Many of you (thanks!) sent me links to sites that document Internet
hoaxes. This IRS scam is indeed listed on several of them. The reason
I sent it anyway is that I know the man who sent it: he is a trusted
personal contact of mine, he is active in the Federal Law Enforcement
Officers Association, and he received the warning from a federal agent.
Based on that information, I thought it was legit.
However, I was sent an email from the IRS public relations people who
indeed confirmed it was a hoax, earlier this year. It's a muddy world
of "scam or hoax". The IRS told me though that there are real tax scams
out there, and it's best to take it as a general warning about identity
theft instead. You could send something like this to your users:
"There are a number of email scams that are taking place across the
Internet. These scams ask for personal information such as social
security numbers, bank account numbers, etc. Under no circumstances
should you give out any personal or business information as a reply
to unsolicited email.
"A current example that later turned out to be a bad publicity stunt
is as follows: An email from a non-IRS source indicating that the
taxpayer is under audit and needs to complete a questionnaire within
48 hours to avoid the assessment of penalties and interest. The e-mail
refers to an "e-audit" and references IRS form 1040. The taxpayer is
asked for social security numbers, bank account numbers and other
confidential information. The IRS does not conduct e-audits, nor does
it notify taxpayers of a pending audit via e-mail. Again, this one was
not real, but there are many that are.
"A second example references available funds from over-invoicing
and supplies from foreign contracts. The email states that the contractors
have been paid in full and that a portion of the remaining funds can
be transferred to your bank account in exchange for providing specific
personal information. There is a whole slew of these, especially coming
from Nigeria. You provide them with your bank information and instead of
putting money into it, they empty your bank account".
I came to find that the best site to check for hoaxes is the following:
Two new buzzwords I ran into while reading Wired Magazine:
- Hackademy: special school where they learn to penetrate systems.
- Wetware Exploit: Social engineering to get passwords.
PS, you should check out the Fave Links. The zoom into the Olympics
is amazing. Forward that link to your friends too!
(email me with feedback: [email protected])
SPONSOR: DOWNTIME PREVENTION
DISASTER WILL STRIKE, NOT IF... BUT WHEN?
2001 Best Seller Double-Take provides real-time (and open file) data
replication. You can use it for either High Availability and/or
Disaster Recovery. It is your main job to prevent downtime for NT and
W2K networks. Double-Take is the industry leading product that will help
you do just that. Because it is not a matter of "if" disaster strikes.
Fires, floods and other mayhem always happens when you least expect it.
Visit DOWNTIME PREVENTION for more information.
Terminal Server On Linux? Yes And No.
In the last issue of W2Knews, mention was made of running MS
Terminal Server on a Red Hat box. I have received MANY questions
about that particular setup and have made a few clarifications as
well. Here is a little background: I had heard rumors that
there was a Terminal Server client that ran well on Linux, so I went
to have a look. It was an amazingly short search to find the client,
which is aptly named "rdesktop". The developer is a fellow in
Australia named Matt Chapman. Nice piece of software. The download
link is at the end of this article.
First of all, the setup is a Dell Optiplex GX110 with an Intel
933MHz processor with 512 MB of RAM. This setup is much more than
is necessary to run Linux, but what can I say. :-) The version
of Linux is Red Hat 7.2 (Enigma) and an out-of-the-box install
(I know, I know but it was just to test the client). The client
itself is a 48 KB download, 216 KB uncompressed. Once installed,
the client is called from the command line and all parameters can
be entered in the command. The client can be totally configured
to do all of the basic options of the RDP client. The options
are as follows:
- Usage: rdesktop [options] server
-u: user name
-c: working directory
-p: password (autologon)
-n: client hostname
-k: keyboard layout (hex)
-g: desktop geometry (WxH)
-f: full-screen mode
-b: force bitmap updates
-e: disable encryption (French TS)
-m: do not send motion events
-l: do not request license
The -l option is interesting, in that it doesn't request a license
from the terminal server itself. With the use of some scripting,
you could have the Red Hat box boot up, log on and start the rdesktop
client all without the user doing anything. Once the client is
started in full screen mode you really can't tell that you aren't
on a Windows machine; even Ctrl-Alt-Del works. It really is a
slick client and could potentially save you quite a bit of money.
If you run rdesktop, you will, at a minimum, save on one
Windows license. Potentially more if you also used Sun's StarOffice.
In either case, rdesktop is a pretty good implementation of the
terminal server client and if you are using Linux, it will give
you a way to connect to your MS server. We have mirrored the
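The boot-and-autologon setup described above, as an added example that is not part of the newsletter or of rdesktop itself: a kiosk wrapper for the Red Hat box. The credentials file path, server name and hostname are assumptions; because -p puts the password on the command line, where any local user can read it from the process list, the script at least refuses a credentials file that other users can read.

```shell
#!/bin/sh
# Hypothetical kiosk launcher for rdesktop (added example, not from the
# newsletter). Assumes rdesktop is on PATH and a root-owned credentials
# file (path below is an assumption) holding two lines: USER=... and PASS=...

CRED_FILE="${CRED_FILE:-/etc/rdesktop-kiosk.conf}"
TS_SERVER="${TS_SERVER:-ts.example.internal}"   # constructed server name
GEOMETRY="1024x768"

# Return 0 only if the file is readable by its owner alone. With -p the
# password is visible in the process list anyway, so the file it comes
# from must at least not be readable by other local users.
cred_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the value of KEY ($2) from a KEY=VALUE credentials file ($1).
cred_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Assemble the rdesktop command line (printed, not executed) so it can be
# inspected before the kiosk goes live: autologon, fixed geometry,
# full screen, and -l so no license is requested from the server.
build_cmdline() {
    # $1 user, $2 password, $3 client hostname sent with -n, $4 server
    printf 'rdesktop -u %s -p %s -n %s -g %s -f -l %s' "$1" "$2" "$3" "$GEOMETRY" "$4"
}

# Kiosk loop: relaunch the session whenever the user logs off, so the
# Linux box never drops to a shell prompt.
run_kiosk() {
    cred_file_is_private "$CRED_FILE" || { echo "refusing: $CRED_FILE is not mode 600" >&2; return 1; }
    user=$(cred_value "$CRED_FILE" USER)
    pass=$(cred_value "$CRED_FILE" PASS)
    while :; do
        rdesktop -u "$user" -p "$pass" -n "$(hostname)" -g "$GEOMETRY" -f -l "$TS_SERVER"
        sleep 2
    done
}

if [ "${1:-}" = "--run" ]; then run_kiosk; fi
```

Run it as `sh kiosk.sh --run` from an rc script or a ~/.xinitrc once the box boots into X.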
NT/2000 RELATED NEWS
Whoops! Simple Network Management Protocol (SNMP) has a flaw
It was all over the news yesterday; it even made CNN. This hole may
leave a large number of devices open to attack. It could allow
attackers to gain control of, or take down, your network. Everything
from servers to routers to printers uses the protocol. More than 200
vendors' products are affected, and millions of devices.
The Oulu University Secure Programming Group from Finland found the
hole in V1 of SNMP. They then alerted CERT (the Computer Emergency Response
Team). Since then they have been working with all parties to fix this
vulnerability. So far, no exploits have been reported.
CERT said that the hole is in stuff from MS, HP, Cisco, Novell, 3Com
and many others. Some of these have patches ready but many others
are still in the process of making fixes available.
BACKGROUND: SNMP is a dinosaur and hails from the late '80s. At that
time, security was not as big a deal as it is now. However, the foundation
of email turns out to be built on quicksand. Or, if you will, you just
found out that your datacenter was built on an allegedly extinct volcano.
The problems were caused by programming errors that have been in the
SNMP implementations for a long time, but only recently discovered.
A further complication is that SNMP V1 is debugged, stable and works
great. Getting to V3 (which is more secure) is a mother of an upgrade.
CERT suggests disabling SNMP if you do not need it on that machine.
If you absolutely must run SNMP, get the patch from your hardware or
software vendor. They are all working on patches right now. It also
makes sense for you to filter traffic destined for SNMP ports
(assuming the system doing the filtering is patched).
To block SNMP access, block traffic to ports 161 and 162 for TCP and
UDP. In addition, if you are using Cisco, block UDP for port 1993.
This will help minimize the potential this hole will be exploited.
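As an added example (not from the newsletter, CERT or any vendor), the port filtering above expressed as netfilter rules for a Linux filtering host, plus a scan of firewall log lines for SNMP traffic from anything other than your management station. The 10.0.0.5 management address and the log lines are constructed.

```shell
#!/bin/sh
# Added example for the SNMP filtering advice: emit netfilter rules for
# the ports named in the text and scan constructed firewall log lines for
# SNMP traffic from hosts other than the management station.
MGMT_HOST="${MGMT_HOST:-10.0.0.5}"   # assumed management station address

# Print iptables rules (not executed here) for SNMP on 161/162 over TCP
# and UDP plus the Cisco UDP 1993 port: only the management station may
# talk SNMP; everything else is logged, then dropped.
snmp_block_rules() {
    for spec in tcp:161 tcp:162 udp:161 udp:162 udp:1993; do
        proto=${spec%%:*}; port=${spec##*:}
        echo "iptables -A INPUT -p $proto --dport $port -s $MGMT_HOST -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport $port -j LOG --log-prefix 'SNMP-BLOCK '"
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Constructed syslog lines in the netfilter LOG format the rules produce.
SAMPLE_LOG='Feb 14 09:01:02 fw kernel: SNMP-BLOCK IN=eth0 SRC=10.0.0.5 DST=10.0.1.20 PROTO=UDP SPT=4021 DPT=161
Feb 14 09:01:05 fw kernel: SNMP-BLOCK IN=eth0 SRC=192.0.2.77 DST=10.0.1.20 PROTO=UDP SPT=1040 DPT=161
Feb 14 09:01:09 fw kernel: SNMP-BLOCK IN=eth0 SRC=192.0.2.77 DST=10.0.1.21 PROTO=UDP SPT=1041 DPT=1993
Feb 14 09:02:00 fw kernel: OTHER IN=eth0 SRC=192.0.2.88 DST=10.0.1.20 PROTO=TCP SPT=3301 DPT=80'

# Read log lines on stdin; print "SRC DPT count" for every source other
# than the management station that touched an SNMP port.
scan_snmp_hits() {
    awk -v mgmt="$MGMT_HOST" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && src != mgmt && (dpt+0 == 161 || dpt+0 == 162 || dpt+0 == 1993))
                hits[src " " dpt]++
        }
        END { for (k in hits) print k, hits[k] }' | sort
}

# Number of distinct non-management source/port pairs in a log on stdin.
count_snmp_hits() { scan_snmp_hits | wc -l | tr -d ' '; }
```

Feed real syslog output to `scan_snmp_hits` to see which hosts are still polling SNMP before you cut the ports off entirely.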
Here is the link to the original CERT advisory:
Here is what MS told CERT what the best fix is. Better check:
And here is Microsoft's Security Bulletin:
MS Battles More Holes In Internet Explorer
MS released a patch this week that fixes a whopping six holes
in IE. At the same time a nasty new worm was wiggling its way
into users' machines threatening to overwrite certain PC files.
The so-called "cumulative" fix repairs holes in IE V5.01, 5.5
and 6.0. MS gave the holes a "critical" rating. That means it's
time to push this patch out, after TESTING, TESTING and MORE
TESTING! Here it is:
THIRD PARTY NEWS
AutoPilot Boosts A Maxed-out Mail Server
Sunbelt is now running two newsletters. W2Knews and WinXPnews. The
latter is a more consumer/power user oriented list, so the circulation
is (waay) higher. Sending WinXPnews pegged the Compaq server we have
in a co-location up to 100% CPU for hours on end. The send speed was
about 20 messages per second. I had a look at that machine and found
out we had not installed AutoPilot. It's a single Pentium 500 with 512 MB RAM.
So I decided to simply try AutoPilot and see if it would do anything.
Nothing to lose with a CPU that's already maxed out. We installed it,
rebooted the server and fired the same job back up, which had been
set on "pause" during the install. And to my astonishment, after a
minute of monitoring the system, AutoPilot kicked in and the CPU came
down to about 60%, with mail send speed increasing to 32 messages per
second. That was a massive performance improvement that made me a
very happy camper. If you have really busy machines, try out AP. It
might help significantly! Here's a 30-day eval:
Run BlackICE Defender? Better Fix This Hole!
A patch to fix a serious security "ping flood" vulnerability found
in the popular Internet firewall program, BlackICE Defender, is now
You can download a product update to solve this problem at:
But since I'm running BlackICE at my home office and ran into
problems with this update, ISS also published a workaround that
will protect systems running BlackICE Defender and BlackICE Defender
for Server: It is very important that you implement this workaround
or apply the product update as soon as possible.
- Go to your Program Files directory and open the Network ICE folder.
- Open the BlackICE folder, and open the firewall.ini file.
- Go to the [MANUAL ICMP ACCEPT] section, and add the following line:
REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI
- Save the firewall.ini file.
- The next time you open BlackICE, click OK when the following pop-up
window appears: "A configuration file change was detected."
Symantec Flags Remote Admin As A Virus [grumble]
One of the Sunbelt Radmin users sent us this:
"I've been using Remote Admin for about 6 months and love it! The latest
Norton AntiVirus updates flagged Remote Admin's r_server.exe as
infected, but RA's tech support was quick to respond and let me know it
was a "false-positive" reaction and that they were working with Norton
to fix the problem. I highly back your recommendation of this product!"
In the meantime, Symantec fixed this error, but it is a bit odd for a
company that produces a remote control tool to put a competing remote
control tool on its virus list, just after that company advertised itself
as a "pcAnywhere Killer". I have to assume it was a mistake and no ill
will. But still...[grumble] Radmin can be found here and is NO virus.
How Often Is YOUR Vulnerability Scanner Being Updated?
"Holes" in your systems and networks are invitations for crackers to
come and visit. Just like virus protection software that often gets
updates every night, your vulnerability scanners should get updates
soon and often. Some products only get updates once a month. That
is just not good enough. Here is a question from a user about
Retina's update schedule.
Q: I just finished reading the article from network-fusion. Good work.
Does your company have a response to the fact that it missed a few
vulnerabilities that the other scanners picked up?
A: eEye updates its Retina Network Scanner on a regular basis with
the latest vulnerabilities discovered by security research organizations.
These updates occur on a weekly basis, and in some cases on a daily
basis depending on the severity.
In the case of the two vulnerabilities that Retina did not find in
the Network World review, these were addressed immediately and can
now be detected by the latest version of the product. To receive the
latest version of the product, use the AUTO-UPDATE feature in Retina.
eEye prides itself on the comprehensive nature of its scanning database.
eEye is one of the premier network security research companies, in
addition to being a developer of best-of-breed security software.
eEye allocates a significant portion of its resources to security
research for two reasons:
- to maintain the integrity of the Retina product;
- to further the overall state of computing security.
Retina incorporates a powerful AUTO-UPDATE feature that provides you
with easy access to your most recent updates to the vulnerability
database. You can launch the update feature manually, or you can set
it to run at regular intervals. Here is an eval version of the just
designated #1 vulnerability scanner by Network World Magazine:
This Week's Links We Like. Tips, Hints And Fun Stuff
Pretty cool cartoon/graphics on PC screen. This stuff gets good.
Waaay cool MPEG zooming in on Earth straight to the Olympics. Forward
this one to your friends that have not yet subscribed to W2Knews!
Housecall is a quick virus scan you can run on one machine. Recommended!
This site is a very useful resource if you want to cluster Windows.
PRODUCT OF THE WEEK
Small Business Server 2000 Best Practices
Finally, the third-party Microsoft Small Business Server 2000
book that everyone has been waiting for. Based on shipping code
and written six months after the SBS 2000 release, this book is
packed with real world, detailed SBS 2000 topics. The planning,
setup, administration and management topics dominate the first
half of the book and include references to KBase articles, hard
learned workarounds and in-the-trenches best practices. It's here: