Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Feb 18, 2002 (Vol. 7, #14 - Issue #345)
Do You Deserve To Be Hacked?
  This issue of W2Knews™ contains:
    • Now Here's A Question For You!
    • More On Rdesktop - Conclusion
    • Two Tools To Combat The Latest SNMP Holes
    • IE Flaw Exploited For MSN Messenger Worm
    • The State Of W2K: Windows 2000 At Two Years
    • "You Deserve To Be Hacked, And By The Way, You Will Be"
    • Need To Perform Penetration Tests On Your Own Networks?
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Windows 2000 Admin Black Book - Second Edition
  SPONSOR: Microsoft Management Summit / Altiris
Looking for the latest on Microsoft SMS, MOM and App. Center, and
third-party tools like Altiris and NetIQ to effectively manage your
Windows environment? The 5th annual Microsoft Management Summit is
the place to be April 29 - May 3, 2002 in Las Vegas. Sign-up before
March 15 and enter to win a Microsoft Xbox to be given away. This is
THE management event of the year. Sponsored by Microsoft, Altiris
and NetIQ, presented by myITforum.com. Labs sponsored by Compaq.
Visit Microsoft Management Summit / Altiris for more information.

Now Here's A Question For You!

But to begin with, here is our new XBOX winner: Debbie Berg from San Antonio, TX. Congrats Deb! To get a chance to win your own XBOX, fill out your profile and invite up to three friends to subscribe:

Next, we're considering a paid version of W2Knews. For 10 bucks a year (20 cents per issue) you would get more news, fewer commercials, and in-depth technical solutions and product reviews. Would you plunk down 10 bucks for that?

  • Naah, I'm already getting enough stuff.
  • Welllll, maybe.
  • Could be pretty useful if the content is relevant.
  • I would definitely sign up for that!
Please vote here:

And here are the results of the last SunPoll: "How much time do you have per month to evaluate new soft- and/or hardware?"

  • I have no time at all for that kind of stuff [grumble]: 15.45%
  • I usually download stuff but 80% of the time it does not get installed: 48.81%
  • I'm able to play/test new stuff once a month for a couple of hours: 24.78%
  • We have a day or two scheduled in, and it's part and parcel of our normal routine to keep up-to-date with the market: 10.94%
Now, the last item of the editor's corner. How are we doing? I need your opinion. Time to let me know what I can do to improve. This is a confidential survey to help me know a bit more about you, and what kinds of articles you are looking for. You can win one of 5 XBOX-games or one of 5 $50 Amazon Gift Certificates. Please fill out this survey now at:

PS, We found a new KILLER ad for the XBOX. It's from the European XBOX site, they are announcing it in a couple of weeks. Forward this link to your friends. You want to watch this one a few times, it's 5MB but worth it.

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

OpalisRobot automates a broad range of admin tasks
including system monitoring, corrective action and job
scheduling. It detects and corrects system errors &
automates jobs, enabling proactive management of
business-critical servers. Download & test-drive today!
Visit OPALIS for more information.

More On Rdesktop - Conclusion

Jacco de Leeuw from Holland sent me this email that I thought was a great conclusion of the rdesktop story. Here goes:

"I hadn't heard of W2Knews before (shame on me) but I'm glad you brought rdesktop to the attention of Windows admins. If you don't mind, I have a couple of additions to your article.

As you wrote, rdesktop was made by Matt Chapman. You might be interested to know that Matt is also a Samba team member. Samba is an implementation of the SMB/CIFS file and print protocol used by Windows. Recent versions can now also run as a PDC and authenticating users against Samba could really save a bundle in client licenses.

Matt is apparently a busy man, going for his PhD as well, and so far he has released just two versions of rdesktop, 1.0.0 and 1.1.0. But since rdesktop is released under the GNU Public License, anyone can add extensions to the program. And that's exactly what has happened.

Several patches have been submitted by rdesktop users from all over the globe, and they have been bundled by a Swedish guy called Peter Bystroem. Because of these efforts, rdesktop now not only runs on Linux but also on several other flavors of Unix, MacOS X, Acorn and OS/2.

You mentioned the -l parameter, "do not request license". Unfortunately, that does not always work. I don't know the details (depends on the TS settings apparently) but in Peter's patch there's an even more interesting parameter: --built-in-license. When specified, rdesktop emulates a Windows 2000 Professional TS CAL!

IANAL (I am not a lawyer) but I don't necessarily think this will mean a saving on TS CALs. There was some discussion on the rdesktop mailing list and the consensus is that admins still have to obtain the correct number of CALs. The plus side is that you won't have the hassle of dealing with (temporary) licenses, license servers etc. Apparently these are a bit flaky on TS...

However, there are savings in license costs for the *client* OS. Until rdesktop, the only TS clients were made by Microsoft and they run on Windows platforms: Windows CE (WBT), Win3.x, Win32 and PocketPC. That means you always had to pay for the underlying OS. Except if you run rdesktop on a free platform.

rdesktop is at: http://www.rdesktop.org

Peter Bystroem's patch is at:

RedHat and Mandrake RPM packages (make installation a breeze) were made by me and can be found at:

Chris Scott wrote this: "The version you mirrored was 1.0.0. Version 1.1.0 worked much better for me. Actually, 1.0.0 didn't work at all. The later version adds 16bpp color depth support and works well on RedHat 7.2--actually it is faster than using the Terminal Services client on a Windows box on the same LAN segment. Another thing that isn't referenced on the rdesktop.org site but is in the mailing list archives is that it requires the XFree86-devel library to compile on Linux."

And to end off, Frank Dragun sent this in:

"I read the article on the available Linux client in this issue. I wanted to bring our product, WinConnect, to your attention. WinConnect is a fairly new product that, similar to rdesktop, offers users access to their Windows NT/2000/XP server via a Linux based machine. We fully support RDP 5 (and derivatives). Besides supporting the ctrl-alt-del key sequence, we will even deliver the MS theme music if the terminal device has speakers, supports sound, and the user likes that catchy little tune.

"Yes, our product is commercial, but the low price ($50) provides more features than Rdesktop, and includes technical support. Currently, with one or two foreign language releases excepted, WinConnect works with any release of Linux. We have tested the software on old 486 class machines as well as the newest P4s. In fact, we have the software working on a Compaq iPaq palm computer that has an embedded Linux OS installed." They are at: http://www.thincomputinginc.com


Two Tools To Combat The Latest SNMP Holes

First of all, I had a "momentary lapse", and need to UNDO a remark I made last issue. I combined SNMP and email in the same sentence. That caused some feedback, and I have to admit that in the heat of the moment I confused SNMP (Simple Network Management Protocol) with SMTP (Simple Mail Transfer Protocol). Whoopsie. If you want to know more about SNMP there is a link to a good little tutorial at the end of this article.

Regarding the CERT advisory's reference to Cisco SNMP on port 1993: that has not been enabled in Cisco IOS software versions since 11.0, and the report appears to be erroneous at this time. Port 1993 was previously used for TCP-based SNMP.

But in the meantime we have a huge number of devices out there that are SNMP-enabled and could be an entry point for attacks. Here are two tools that can help combat this hole. The first one scans for devices that are SNMP-enabled, and is free. The second one is Retina, which has a lot more power in detecting SNMP-related issues. And I was just informed that the SANS Institute also makes something available. Info at this email address: [email protected] .

  1. Foundstone announced SNScan, a freeware tool to detect SNMP (Simple Network Management Protocol)-enabled devices on a network. SNScan gives you a way to gauge your level of exposure to SNMP-related holes across your network. Once these devices have been identified, you can decide whether to fix the SNMP service, disable SNMP, or implement filters to restrict access. The recently disclosed SNMP vulnerabilities range from granting administrative access on the host to Denial of Service (DoS) attacks.

    I do not want you to get the feeling that you are going to be safe after running it, as it does not specifically scan for the recently published SNMP vulnerabilities. It searches for SNMP agents and tries to "brute force" some community names. Don't be confused into thinking this freeware will actually tell you whether you truly have vulnerable SNMP agents or not, but it IS free (!).

  2. eEye's Retina already has, and continues to have, extensive SNMP auditing capabilities. If you want real full SNMP auditing, check out Retina and if you are a current Retina user, you already have extensive SNMP auditing at your disposal. Mark Maiffret at eEye said "We have been researching the latest vulnerabilities found within SNMP and Retina will currently detect if there are SNMP servers within your network that are accessible from outside attackers. Retina has been performing such functionality for many months now. As new SNMP holes are researched or current ones are expanded on, we will continue to update Retina to give you fullest protection for your network."
Professional Vulnerability Scanner that includes real full SNMP scanning:

Free SNMP scanner (SNScan):

SNMP Tutorial:
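To make concrete what a community-name scan like the one described under SNScan actually does on the wire, here is an added example of my own; it is not SNScan's or Foundstone's code and was not part of the original newsletter. It BER-encodes an SNMPv1 GetRequest for sysDescr.0, sends one per candidate community name to UDP port 161, and reports the names the agent answers to. The community word list and the sample reply are constructed for this example. A hit means only that the agent accepts that community string; as the paragraph above says, that tells you where SNMP is reachable and weakly protected, not whether the agent is vulnerable to the recently published decoding holes.

```python
"""SNMPv1 community-string probe (added example; not SNScan)."""
import socket

# sysDescr.0, the one object every agent should be able to answer for.
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)

# Assumed word list, constructed for this example: names a scanner would try first.
DEFAULT_COMMUNITIES = ["public", "private", "cisco", "admin", "monitor", "write"]


def ber_length(n):
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def encode_int(value):
    """INTEGER in minimal two's-complement form, as BER requires."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128 groups."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_message(pdu_tag, community, oid, value, request_id=1):
    """SNMPv1 message: version 0, community, then one PDU with a single varbind (value already BER-encoded)."""
    varbind = tlv(0x30, encode_oid(oid) + value)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    """GetRequest-PDU (tag 0xA0) asking for one object; the value slot is NULL."""
    return build_message(0xA0, community, oid, b"\x05\x00", request_id)


def read_tlv(buf, pos):
    # Decode one BER element at pos; return (tag, value bytes, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet):
    """Return (community, error-status, value tag, value bytes) of the first varbind in a GetResponse."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    if int.from_bytes(version, "big") not in (0, 1):   # v1 or v2c; same PDU layout
        raise ValueError("unsupported SNMP version")
    _, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _, pos = read_tlv(pdu, 0)            # request-id
    _, status, pos = read_tlv(pdu, pos)     # error-status (0 = noError)
    _, _, pos = read_tlv(pdu, pos)          # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    _, first, _ = read_tlv(varbinds, 0)
    _, _, pos = read_tlv(first, 0)          # OID
    vtag, value, _ = read_tlv(first, pos)
    return community.decode(errors="replace"), int.from_bytes(status, "big", signed=True), vtag, value


def probe(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=1.0):
    """Try each community name against host:161/udp; return {name: sysDescr} for those that answer.
    An SNMPv1 agent silently drops requests with a wrong community, so a timeout is the normal 'no'."""
    found = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for req_id, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, request_id=req_id), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            try:
                name, status, vtag, value = parse_get_response(data)
            except (ValueError, IndexError):
                continue                    # malformed or unexpected reply
            if status == 0 and vtag == 0x04:
                found[name] = value.decode(errors="replace")
    finally:
        sock.close()
    return found


# Constructed sample reply (GetResponse, tag 0xA2) so the parser can be exercised without a live agent.
SAMPLE_RESPONSE = build_message(0xA2, "public", SYS_DESCR_OID, tlv(0x04, b"constructed test agent"))
```

Run `probe("192.0.2.10")` (an address from the documentation range, as an assumption) against a host you administer and every key in the returned dict is a community string that host accepts from your vantage point; a hit on "public" or "private" from outside the management network is exactly the exposure the paragraph is warning about, and the fix is the one it lists: change the community, disable the agent, or filter UDP 161 at the border.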

IE Flaw Exploited For MSN Messenger Worm

ComputerWorld just reported that a new worm that uses MSN Messenger to propagate has been spotted by several antivirus software vendors.

The worm arrives in an instant message that contains text telling the recipient to go to one of several Web sites. The text says either "URGENT -- go to (url) now" or "ATTeNT!oN -- go to (url) now." Clicking on the link in the message opens a Web page with malicious JavaScript code that sends instant messages advertising the Web page, or other Web pages with the code, to all the MSN Messenger users on the victim's contacts list, Symantec Corp. and F-Secure Corp. said in advisories today.

Dubbed "JS.Menger.Worm" by Cupertino, Calif.-based Symantec and "Coolnow" by Helsinki, Finland-based F-Secure, the worm sends instant messages but does no damage to a user's system, the antivirus software vendors said. F-Secure said that it's trying to shut down the sites hosting the malicious code before it becomes very widespread. Full Story at the ComputerWorld site. If you have MS IM users, better alert them!

The State Of W2K: Windows 2000 At Two Years

This is an article on the ENT site that I like. Gives you a good overview. No use to repeat here what they are saying. [grin]


"You Deserve To Be Hacked, And By The Way, You Will Be"

Strong words! They were uttered by Richard Clarke in Wired Magazine, March 2002. Here is the full quote: "Most Fortune 500 companies spent .0025 percent of revenue on IT security. Now if you spent .0025 percent, you deserve to be hacked. And by the way, you will be."

Scott Kelly, Director of Conference Enrollment for the free Security Decisions conference, sent me this invitation: "According to Richard Clarke, current special advisor of cyberspace security for President Bush, "You can't buy a security product and say you're done - you have to worry every day."

Clarke stated in the current article how most IT pros think that if they have a firewall, an intrusion detection system, and antivirus software, they are safe. But any serious security pro today knows that's a huge misconception that could spell disaster for any organization."

He is right. These tools are pieces of the puzzle, but there is a lot more to be done about security. Part of it is PEOPLE. And that means training and awareness. So Kelly invites you to attend his conference coming to Chicago June 19-21 at the Hilton Chicago Hotel where you'll get unprecedented technical content delivered by the industry's best independent security strategists, leading security analysts, and top CEOs.

No hype. No golf outings. Just serious must-know techniques and insight on how to make the smartest security decisions right now. Plus, how to establish the most cost-effective security budget based on your shop's requirements. You can apply for the conference here:

And if you are interested in a Top-Down, "People And Technology" high-end, strategic approach to wall-to-wall enterprise security, first have a look at this page, and then fill out the form for a web-demo:

Need To Perform Penetration Tests On Your Own Networks?

If you need to prove to management, outside auditors or perhaps shareholders that (no) holes exist in your networks, you should do your very own penetration tests: "hacking your own networks from the outside in." If you do this, you may suddenly find that your organization underestimates its exposure to crackers. If you can identify soft spots in your own networks, this kind of penetration test gives you a baseline for a project to fix the holes. Here is the tool you can do it with:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • Bart's Network Boot Disk: a highly professional network boot disk.
  • Killer new XBOX ad on video. Really worth it. Forward to your friends!
  • The technical specs of the IBM Metapad. Pretty cool.
  • Is Your Home A TechHome? Here is a rating system for buyers and sellers:
  • Running XP at 60 mph:

Windows 2000 Admin Black Book - Second Edition

I'm one of the authors of this one. The topics covered are: MS W2K, explained mostly in a series of procedures, for installing, configuring, and managing the operating system for a medium-to-large organization; how to perform key work in disk management, Active Directory setup, Registry management, and print services provision; migration from NT 4.0 to W2K, IntelliMirror, and the Microsoft Management Console (MMC).

Windows 2000 Systems Administrator's Black Book is a must-have reference for system administrators and IS professionals who install, configure, and support workstations and servers on Windows 2000 networks, and who require a detailed guide to Windows 2000 security, start-up and shut-down, disk and file systems management, networking, Internet Information Server, and the Active Directory. Windows 2000 Systems Administrator's Black Book provides details of the upgrade process from Windows NT 4.0. Amazon has a special at the moment, where they offer this one together with an Active Directory one for a special low price. Recommended! Link to Amazon: