Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Apr 15, 2002 (Vol. 7, #30 - Issue #361)
NEW: Sunbelt Now Sells L0phtCrack
This issue of W2Knews contains:
- EDITORS CORNER
- Finding Technical Information A Timesink?
- TECH BRIEFING
- Some Limitations In QChain and MBSA
- Biometrics And Live Fingers
- NT/2000 RELATED NEWS
- Am I Under Attack? Yup, You Sure Are!
- IIS Mega-Patch Released: "Critical"
- Windows Cheaper Than Unix? Maybe Not!
- NT/2000 THIRD PARTY NEWS
- NEW: Sunbelt Now Sells L0phtCrack!
- NEW: Military Strength Drive Encryption Tool: DriveCrypt
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
I don't like you, your cubicle, your mouse or your stupid screensaver
and now with Altiris Client Mgmt Suite, I don't have to touch any of it!
Recent winner of "BEST of Show" at FOSE 2002, Altiris Client Mgmt Suite
conveniently allows you to deploy, manage and migrate desktops, notebooks
and handhelds from the quiet, comfortable place you call your office.
30-day FREE trial.
Visit Altiris for more information.
Finding Technical Information A Timesink?
Is it getting overwhelming? Getting in despair? Can't find what you
are looking for? You're not the only one. But we want to know how bad
(or how good) it actually is. So here is the new SunPoll: "Do you
find the information you are looking for when you search the Microsoft
Technical sites?" These are the answers you can vote for:
- Pretty much always
- Frequently, but I have to click through all 100 links
- Sometimes, I generally get tired of clicking on links
- Hardly ever
- Oh, I have given up hope and use other sources!
Vote here, leftmost column: http://www.sunbelt-software.com
And here are the final results of the last SunPoll:
Q: Ever Needed A Restore From Backups - And Did You Get It?
A: 975 responses:
- Heck yes, this is priority one and I always run restore to be sure: 19.17%
- Occasionally I restore backups, but I always read the backup logs: 54.46%
- I normally trust my backups but sometimes I'm looking at a dud: 15.79%
- Once, I got completely wiped out by not having a reliable backup: 6.25%
- I don't back up at all, I laugh in the face of job security! 4.3%
So, do you think a utility that reads your backup logs and alerts you
when problems arise would be a good idea? Write me!
Sunbelt is excited! We can now provide you with the latest version
of the world famous L0phtCrack password cracker. This new Version 3
is way more powerful than its predecessors and still only 250 bucks.
BTW, we're calling it LC3 for short, and if they ask you what that
charge on your credit card is for, you can tell them that you were
able to get your hot little hands on the "World's Best Password
Auditing and Recovery Tool"... legally! [grin] See the story in
Third Party Tools.
Quote of the day:
"Best file compression around: DEL *.* = 100% compression."
(email me with feedback: [email protected])
SPONSOR: "Wireless Server Control"
Network Management from the Palm of Your Hand. It's simple. When
your systems are down, you are losing money. SonicAdmin is a complete
network and server administration utility that allows system admins and
support workers to diagnose and repair mission critical server and
network problems 24 hours a day, 7 days a week, from handheld wireless
devices. SonicAdmin lets you keep your systems up and productive, wherever
you are.
Visit "Wireless Server Control" for more information.
Some Limitations In QChain and MBSA
Got some useful feedback on these items in the last issue:
"We have been using QCHAIN but I don't find it as useful as it could be
- namely the hotfix has to support the -z or no reboot option and some
hotfixes do not. The only way to check is to run the hotfix with the
/? switch to see what command line arguments it takes. You cannot use
the file name either as some Q files don't support the /z switch either."
"Regarding the comments on qchain.exe: Despite the fact that the article
Q296861 says the following: "It is a solution that works on both Windows
2000 and Windows NT 4.0," none of the patches (and they are numerous)
that we've been installing in our NT environment since qchain came out
are qchain-able! None of them support the -z switch, and none of them
are in the format Qnnnnnn_w2k_spx_x86_en.exe. I searched long and hard
before an obscure website somewhere made this fact clear. Please do the
readers a service and point out the serious limitations of this tool.
No one ever seems to."
"Regarding the Microsoft Baseline Security Analyzer - you need Office
2000 installed to run it. I am quite happy with Office 97, it does
everything I want but it looks as if I'll have to upgrade to check
MBSA out. I suppose that MS Office is like the "washing machine syndrome"
- the washing machine has zillions of washing programs and you use 2!!!!
And this one came off the Sunbelt Security ListServer. Very useful list
indeed, and free to join. See link below:
"Current version of HFNetChk doesn't differentiate between DCs and
non-DCs (it does differentiate between different SKUs of the product -
Pro, Server, Adv Server, etc.). A future version of hfnetchk might be
able to do this, the XML schema would probably be changed to support
notation that a patch was only applicable to DCs. (MS01-011, 24, 36
were DC only patches as well.)
"In the meantime, consider a DC like a service on the system. Example:
There have been patches for the tlntsvr service - most people don't use
the service, but if we find earlier versions of tlntsvr.exe on the
system, we'll recommend that it be updated - because although you're
not using the service today, you might tomorrow, and the file should
be the most recent. DCs are a little different, you don't casually
decide to turn on a DC service, however.
"The files for 02-016 are marked in the XML file as change if exist,
so if any of those files in the patch are on your server system, and
they aren't the most recent (ie what's in the patch) it will tell you
you need to install the patch. It doesn't hurt a server to apply this
patch, but it's not necessary for this issue. Future versions of
hfnetchk will have a -ignore flag where you can specify issues that
you don't want to report on".
Subscribe to the Sunbelt Security Forum here:
Biometrics And Live Fingers
Thanks much; a lot of you mentioned that there are quite a few companies
out there that check for heat, heartbeat and other signs of life in
fingerprint scanners. I'm currently using the U.are.U device and tried to
lift my fingerprint off a glass with scotch tape to see if it took it.
No cigar. Looks like a real mantrap that completely locks in the
individual and takes several measurements is really fool-proof at the
moment. I'm sure this area is still very early stage, and that we'll
probably move to superfast DNA-testing at one point in time, and solutions
like radio-enabled smartcards combined with a short pin-code.
In the mean time, listen to this story!
"About 10 years ago I was a sub-contractor at a defense establishment
where they were trialing fingerprint biometrics to replace PIN numbers
and/or security swipe cards. I was not directly involved in this project
but caught enough of the talk and gossip to know what was going on.
The idea was place your finger on the pad, the secure door/safe/computer
etc opens. A clever foolproof system or so they thought.
This system was going to be deployed in all secure areas and considerable
money (millions of UKP) had been spent identifying where the system could
be used and designing all the associated infrastructure.
A team of external people (from a University I think) were then hired
to try and crack the system, before the roll-out started, to prove how
secure the system was.
Well, in front of some top military official, they correctly copied his
finger by taking an imprint in silicone putty and casting another finger
in silicone. Then, by warming the copy up and infusing it with a warm
saline solution (from a syringe) to simulate blood flow, the team
correctly opened one of the secure area doors using this finger!!!!
"OK," the biometrics team said, "we will revoke this finger so it won't
work anymore." "We have all 10 fingers," said the cracking team, "how will
you issue this person with new 'fingers'?" Well, you can see the crux of
the problem: if the system is compromised, you can only revoke so many
"fingers", and how do you issue a new finger?
The project was dropped like a hot potato after this demo and I heard no
more. Oh also the saline in the silicone finger corroded the sensor
rendering it unusable after the demo."
NT/2000 RELATED NEWS
Am I Under Attack? Yup, You Sure Are!
Here is an interesting bit of a thread on the Sunbelt Security List,
which is an education for all of us:
I found the following new entries in my IIS 5.0 server logs starting
a couple of days ago.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Time: 8:48:20 AM
Change Password Attempt:
Target Account Name: Administrator
Target Domain: WWW
Target Account ID: WWW\Administrator
Caller User Name: Administrator
Caller Logon ID: (0x0,0xF6B24F)
This server is behind the firewall and only port 80 is passed to it.
Anyone have a clue what this might be? So far there are more than 50
of these attempts logged against different accounts (guest, admin,
ISInternetUser, IWAM_WWW, etc). Here are the log files from IIS and
SecureIIS when over 76 of the change password audit failures were logged:
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /scripts/root.exe /c+dir 406 -
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /MSADC/root.exe /c+dir 406 -
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /c/winnt/system32/cmd.exe /c+dir 406 -
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /d/winnt/system32/cmd.exe /c+dir 406 -
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 406 -
< SNIP >
Secure IIS Logs:
DEBUG : 2002/04/11-08:45:59 : Web 2: No Lock Directory checks found
DEBUG : 2002/04/11-09:07:53 : Web 2: No Lock Directory checks found
No doubt about it. You are under attack. The calls to /root.exe are to see
if nimda has holed your server. Set the permissions on Cmd.exe so that only
Administrators and System have access to it.
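As an added example (not part of the list thread or of this newsletter), here is a small Python script that reads IIS W3C extended log lines in the shape of the ones quoted above and flags the root.exe / cmd.exe probes by client address. The sample lines are constructed to match the thread's excerpt; the addresses 192.0.2.10 and 10.0.0.5 are placeholders, the two ordinary requests and the double-encoded %255c variant are my additions, and the rule names are my own. It deliberately ignores the status code, because a probe that was blocked (406, 404) still tells you someone is scanning you.

```python
"""Flag Nimda / Code Red II style probes in IIS W3C extended log lines.

Added example, not from the newsletter or the list posters. Sample lines and
addresses below are constructed; 192.0.2.10 stands in for the attacker and
10.0.0.5 for the web server.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, unquote_plus

# Field order of the lines quoted in the thread:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<c_ip>\S+) (?P<user>\S+) (?P<s_ip>\S+) "
    r"(?P<s_port>\d+) (?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) "
    r"(?P<status>\d+) (?P<agent>\S+)$"
)

# Constructed sample: five probes shaped like the thread's excerpt, one
# double-encoded traversal variant, and two ordinary requests from another host.
SAMPLE_LOG = """\
2002-04-11 08:49:19 192.0.2.10 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 406 -
2002-04-11 08:49:19 192.0.2.10 - 10.0.0.5 80 GET /MSADC/root.exe /c+dir 406 -
2002-04-11 08:49:19 192.0.2.10 - 10.0.0.5 80 GET /c/winnt/system32/cmd.exe /c+dir 406 -
2002-04-11 08:49:19 192.0.2.10 - 10.0.0.5 80 GET /d/winnt/system32/cmd.exe /c+dir 406 -
2002-04-11 08:49:19 192.0.2.10 - 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 406 -
2002-04-11 08:49:20 192.0.2.10 - 10.0.0.5 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2002-04-11 08:50:02 192.168.1.20 - 10.0.0.5 80 GET /default.htm - 200 -
2002-04-11 08:50:05 192.168.1.20 - 10.0.0.5 80 GET /images/logo.gif - 200 -
"""


def parse_line(line):
    """Return the fields of one W3C log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_path(stem):
    """Percent-decode until stable (defeats %255c double encoding), then turn
    backslashes into slashes and lower-case so each rule needs one spelling."""
    cur = stem
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/").lower()


# Each rule: (label, predicate over the decoded path and decoded query).
RULES = [
    ("root.exe backdoor probe", lambda p, q: p.endswith("/root.exe")),
    ("cmd.exe request", lambda p, q: p.endswith("/cmd.exe")),
    ("directory traversal", lambda p, q: "/../" in p),
    ("system32 reached via /c or /d virtual dir",
     lambda p, q: re.match(r"^/[cd]/winnt/system32/", p) is not None),
    ("shell argument in query", lambda p, q: q.startswith("/c ")),
]


def classify(line):
    """Return the rule labels a line triggers; [] for a benign or unparsable line."""
    rec = parse_line(line)
    if rec is None:
        return []
    path = decode_path(rec["stem"])
    query = unquote_plus(rec["query"]).lower()   # "/c+dir" -> "/c dir"
    return [label for label, pred in RULES if pred(path, query)]


def summarize(log_text):
    """Group probe hits by client address: {c_ip: {"probes": n, "rules": Counter}}."""
    report = defaultdict(lambda: {"probes": 0, "rules": Counter()})
    for line in log_text.splitlines():
        hits = classify(line)
        if not hits:
            continue
        entry = report[parse_line(line)["c_ip"]]
        entry["probes"] += 1
        entry["rules"].update(hits)
    return dict(report)


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {entry['probes']} probe(s)")
        for label, n in entry["rules"].most_common():
            print(f"  {n:3d}  {label}")
```

Run it against a real ex*.log and the benign host never shows up, while one scanning host accounts for every hit. The repeated decode in decode_path is the part worth keeping: a single unquote() turns %255c into %5c and the traversal rule would miss it.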
Subscribe to the Sunbelt Security Forum here:
IIS Mega-Patch Released: "Critical"
Ten new vulnerabilities were discovered in IIS 4.0/5.0/5.1 running on
NT 4.0/2000/XP, the most serious of which could enable code of an
attacker's choice to be run on a target server.
Five of the holes could enable a hacker to gain control over your Web
server. Two others could enable some one to prevent either a Web server
or an FTP server from providing service. Three more holes enable a black
hat to "bounce" Web content to another user's browser session.
"Unlike past IIS buffer overflow vulnerabilities, (one of these flaws) is
within a core component of IIS, .ASP," says Marc Maiffret, chief hacking
officer at eEye Digital Security. "Since the buffer overflow is within
such a core component of ASP, it is probable that the number of affected
servers is potentially higher than any of the past IIS vulnerabilities."
This patch is effectively a mini service pack: it rolls up all security
patches released for IIS 4.0 since NT 4.0 Service Pack 6a, plus all
security patches released to date for IIS 5.0/5.1. Read the release
notes before you apply it, and TEST, TEST, TEST! There are already
reports that it breaks things.
Here is the link to the MS website that discusses this patch:
And here is a tool (by eEye) that will really protect your IIS web server:
Windows Cheaper Than Unix? Maybe Not!
Got some good feedback on this one that I did not want to hold back
from you. Name withheld at request.
Point one: Personal experience has showed me that the article is
certainly not correct in cases where you need to run "Other than
Microsoft" products. i.e. Oracle, SAP, People Soft, iPlanet....
I have a colleague down the hall from me that runs an 80 user Oracle
database on a Dell PE6300 with 4 Xeon 600 MHz processors, W2K, 2
Gig of RAM, RAID, blah, blah. Hardware cost: $65,000 & he reboots
every night so the server will (hopefully) stay up all day the
I run a LARGER 400 user Oracle database on a Sun E220 with a single
400 MHz SPARC processor, Solaris 8, 2 Gig of RAM, RAID, blah, blah.
Hardware cost: $20,000. $Uptime -> 12:27AM up 431 days - last time
I rebooted was to re-initialize kernel parameters changed by a patch.
And "oh by the way" (much to my chagrin) HE makes more than I do...
(he is the more senior Oracle DBA)
Point two: I'm quite happy that UNIX admins like myself cost more
"We found the average salary was far lower for support staff with
Windows skills compared with UNIX specialists," said Manter. " The
reason "we" cost more is because, amongst other skills, we know how
to properly size a server [grin] rather than just throwing [expensive]
hardware at a situation (see above).
Point three: If my only skill was administering W2K (or Windows OS's)
I would be QUITE dismayed by that article. I would be asking myself
"How long before my job is relegated to a secretary as an additional
task" (much like the [now] cliche of secretaries making the coffee)
An excellent example is found in my point one - we have an Oracle
DBA assigned the additional duties of maintaining the W2K server albeit
somewhat inefficiently. My company has adopted (for the most part)
this approach: We will never be able to rid ourselves of UNIX based
back ends, so we hire UNIX admins and assign them the additional task
of maintaining W2K machines. (this is why I like your newsletter ;)
In closing, I will concede that if the only thing a (small) company
was going to do was run MS SQL server and MS Exchange, etc. then the
Windows solution is definitely cheaper, easier, and faster. Any company
that has a few thousand people working for them (and is not a Windows
only software development firm) is probably going to at least need to
run one of the "free" NIX's for something - probably a DNS server that
FULLY complies with the RFC spec RATHER than Microsoft's rendition of
THIRD PARTY NEWS
NEW: Sunbelt Now Sells L0phtCrack!
Some very exciting news. Sunbelt is able to sell the very latest Version
3.0 of this world famous password cracking tool as per right now. For
short, it is called LC3. W2Knews readers have chosen LC3 two years in
a row as a Target Award Winner.
LC3 provides two critical capabilities to you as a network admin:
- Secure Windows-authenticated networks through comprehensive auditing
of Windows NT and Windows 2000 user account passwords.
- LC3 recovers Windows user account passwords to streamline migration
of users to another authentication system or to access accounts whose
passwords are lost.
LC3 provides reporting options to fit your diverse needs. Password
auditors can get a quantitative comparison of password strength from
LC3's report on the time required to crack each password. A 'Hide'
feature gives administrators the option to know whether or not a
password was cracked without knowing the password itself. Password
results can be exported to a tab-delimited file for sorting, formatting
or further manipulation in applications such as Microsoft Excel.
LC3 makes password auditing accessible to less-experienced password
auditors. New password auditors will find LC3 easier to use. An optional
Wizard walks new users through the process of configuring and running
their password audit, letting them choose from pre-configured Quick,
Common, Strong or Custom configurations. Extensive documentation
explains potential complications to keep password audits from
Security experts from industry, government, and academia cite weak
passwords as one of the most critical internet security threats. But
while many administrators recognize the danger of passwords based on
family or pet names, fewer recognize that even savvy users expose
networks to risk due to inadequate passwords. Consider that at one
of the largest technology companies, where policy required that
passwords exceed 8 characters, mix cases, and include numbers or
- LC3 obtained 18% of the passwords in 10 minutes
- 90% of the passwords were recovered within 48 hours on a Pentium II/300
- The Administrator and most Domain Admin passwords were cracked
It doesn't have to be this way. Crack-resistant passwords are achievable
and practical. But password auditing is the only sure way to identify
user accounts with weak passwords. LC3 offers you an easy and adaptable
way to address this threat and find vulnerable passwords. Check the new
screenshot of Version 3 and get a 15-day limited eval here. It is also
available on the Sunbelt OnLineShop for just $249. This is a great deal.
NEW: Military Strength Drive Encryption Tool: DriveCrypt
DriveCrypt allows you to securely encrypt all, or parts of your hard disk
making them only accessible to authorized users. DriveCrypt is the most
powerful, flexible and fast cryptographic program available on the market
today, bringing Military Strength Encryption to your computer and protecting
your data transparently and in a quick, reliable way: $39.95 per machine.
DriveCrypt securely and easily protects all proprietary data on notebooks
and desktop computers 100% of the time without users having to think about
security. Any organization, from a small company to a large international
firm with thousands of users in the field, can effectively protect business
plans, client lists, product specifications, confidential corporate memos,
stock information, and much more with this product.
256-bit Military Strength disk encryption using the best and most proven
cryptographic algorithms such as AES, Blowfish, Tea 16, Tea 32, Des and
Easily Install, Deploy & Use
DriveCrypt requires minimal administration and user training. It is completely transparent, requiring no change in the way users work with the computer.
Maximize Your Security, Minimize Your Risk
DriveCrypt protects your data with very fast and a true "on the fly" encryption
process. Other products that claim to be "on the fly" decrypt an entire file
and load it into memory, creating significant security risks. DriveCrypt is
smarter and more secure because it decrypts only the specific portion of a
file that is in use. Unprotected data never resides on a DriveCrypt encrypted
Invisible Encryption (Steganography)
Using special so called "Steganographic" functionalities, DriveCrypt allows
you to hide all your sensitive information into music files. Just authorized
users will be able to access secret information, anyone else will only find
harmless music on the computer.
Disk Partition and file volume encryption
DriveCrypt allows both, the encryption of an entire Hard Disk partition, as
well as the creation of a virtual container file that will store all the
Improve Password Security
DriveCrypt allows administrators to configure several password settings:
- Master Password Settings
- Restricted second user Passwords
- Second user Password Expiration
- Console Lock-Out Password
- Password Sniffing Protection
DriveCrypt integrates special functionalities that prevent passwords from
being sniffed by Hackers or Trojan horses such as Back Orifice and SubSeven.
Get your eval or full version now at the Sunbelt site:
This Week's Links We Like. Tips, Hints And Fun Stuff
This gentleman has built an honest-to-goodness monorail in his backyard.
Failed your MCSE exam and need to know why? Here is some news you'll like.
Receive free email alerts every time Microsoft publishes new support or Knowledge Base articles over at:
PRODUCT OF THE WEEK
MCSE Consulting Bible
According to the 1999 Salary Survey conducted by MCP Magazine, the average
MCSE has 6.8 years of experience. The average self-employed MCSE consultant
with 6 - 9 years of experience earns $85,000 - that's over $8,000 more than
the average salary +bonus and benefits package of other MCSEs. There is a
demand for MCSEs who can offer a variety of technical expertise and services,
and this book will show you how to create a successful consulting business.
MCSE CONSULTING BIBLE walks you through the issues to consider when making
the decision to start your own consulting business and then offers key
advice on each aspect of the business from deciding what services to offer,
to marketing, to maintaining customer relationships.