Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 26, 2002 (Vol. 7, #58 - Issue #389)
SP3 Refusniks
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Trade Show Blunders Continued
    • Remarks About X10 Cameras
  2. TECH BRIEFING
    • Protect Against Web Application Brute Force Attacks
  3. NT/2000 RELATED NEWS
    • SP3's Unexpected Automatic Updates Behavior
    • More SP3 Bugs Surface
    • SP3 Refusniks
    • International Information Security Standard
  4. NT/2000 THIRD PARTY NEWS
    • How To Stay Connected On A DHCP XP Pro Laptop - Redux
    • What Do YOU Think The IT Future Is Going To Bring?
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • Securing Windows NT/2000: From Policies to Firewalls
  SPONSOR: Altiris
Calling it a migration is ironic since you don't actually have to move.
Altiris provides a flexible, web-based technology that allows you to
migrate your LAN, WAN, mobile, and remote users to XP without ever
leaving your desk. Client Mgmt Suite is the only single-vendor, end-
to-end technology that supports all six steps of a successful Windows
migration. Download your free 30-day trial of Client Mgmt Suite today.
Visit Altiris for more information.
  EDITORS CORNER

Trade Show Blunders Continued

Have a look at what someone else wrote about Microsoft's Europe shows, quite entertaining. "Making blunders like this by HP is by no means restricted to HP. Microsoft in their great wisdom have moved the European MEC (now called MS IT Forum) from its location of the past two years in Nice, South France to "sunny" Copenhagen in late November. (Three years ago it was in Hamburg, North Germany but at least it was late September so the weather wasn't that bad). Add that location (at that cold and miserable time) to the fact that the attendance fee has added to it Danish taxes (at 25% - France and Germany were somewhat less) and that Danish hotels are not that cheap (to say the least) and you have perhaps the reason why in addition to the 300 Euro (roughly the same in dollars) early bird registration reduction they are also offering an alternative 600 Euro reduction to anyone *from the same company* as someone who attended this year's European Tech-Ed.

Obviously MS has its own share of rocket scientists who didn't realise that a cold and miserable and expensive Copenhagen doesn't have quite the pull of a warm, sunny and relatively cheap Nice. Especially for people who are based even further North than Copenhagen and have all the "benefits" of cold and miserable weather already at that time of year". (Editor's note: The gentleman in question lives in Helsinki, Finland)[grin]

Remarks About X10 Cameras

Lots of newsgroup comments make it clear that if you are near an 802.11b wireless Ethernet network, the X10 cameras won't work. Both systems use the unlicensed 2.4 GHz spectrum, and the spread-spectrum Ethernet signal will interfere with the camera signals. Second, you do not want to point these things at sensitive things. You can dream up examples yourself. There are people driving around with laptops and X10 receivers hoping to pick up signals from nannycams and other in-house views. There is no legislation against this yet, so take care.

"Definition Of The Week": MEME. (pron. 'meem') A contagious idea that replicates like a virus, passed on from mind to mind. Memes function the same way genes and viruses do, propagating through communication networks and face-to-face contact between people. It is the root of the word "memetics," a field of study which postulates that the meme is the basic unit of cultural evolution. Examples of memes include melodies, icons, fashion statements and phrases.

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: Content Inspector
Is Your Organization Secure from Email Threats?
New viruses, confidential information leaks, inappropriate email content,
spam, court ordered discovery of email records. Is your organization
prepared for all of these potential security issues? If not, then your
email system, your users, and your organization are at risk. Download a
full trial copy of Content Inspector, the easy-to-use, non-invasive
Exchange content security product that protects your entire Exchange
system and organization against the most damaging email threats.
Visit Content Inspector for more information.
  TECH BRIEFING

Protect Against Web Application Brute Force Attacks

Here's an article from the eEye Digital Security team inspired by one of the technical sessions at the Black Hat conference in Las Vegas. The Black Hat conference a few weeks ago featured several sessions on web application attack techniques. One of the more interesting techniques discussed was the practice of brute forcing another person's session ID based on analysis of the URL.

Based on a URL, one can detect certain patterns in the creation scheme and then guess what other likely session IDs are being used. Based on that information it is possible, within some web applications, to retrieve information from other users.

This becomes a serious concern for home-grown web applications housing sensitive financial, medical, and legal information. We have already received reports of users from an unnamed medical site accidentally being able to pull up another patient's records. This particular incident was not an intentional misdirection, but with a little manipulation it is quite possible that every patient record could have been compromised from anywhere on the Internet.

The good news is that detecting this type of attack is fairly easy. A brute force attack on session IDs follows the same logic as a port scan of a computer, which tries every door until it finds one it can open. For example, the following are valid session IDs within a URL, referred to as a URL space:

cgi-bin/session.cgi?sessargs=ae555YFrBTdYExs=
cgi-bin/session.cgi?sessargs=ae555GjXifhgYExs=
cgi-bin/session.cgi?sessargs=ae555EdasddkYExs=
cgi-bin/session.cgi?sessargs=ae555JeasklskYExs=
cgi-bin/session.cgi?sessargs=ae555GalslkekYExs=

From the above data, an attacker would attempt to brute force a key. When administrators understand the logic of the brute force URL space hack, the best method of detection is to set up booby-trapped IDs which will trigger an alarm. Most web applications have functions that will generate these IDs, and creating booby-trapped IDs is simply a matter of creating an exception list inside of the app.

This exception list would contain IDs that never return data and that, upon any attempted use, alert the administrator that someone is attempting to brute force the web application. Another way to simply prevent a brute force attack from occurring, if you use IIS as your web server, is to use an IIS application firewall (such as eEye's SecureIIS) which has an automated alerting mechanism for this type of attack built in.

Similar to the methodology used by an attacker, administrators would analyze what the patterns are and create an algorithm to guess the unknown parts within the URL space (referred to as "fuzzing"). As admins, we don't need to guess, since in this scenario the ID generation algorithm is at our disposal. Looking at the session arguments listed above (sessargs), we can see that the attacker will most likely fuzz inside the "=ae555" and "YExs=" boundaries.

Fuzzers are meticulous -- they usually try every possible combination within reason. This works to an administrator's advantage since we can be fairly certain that obvious IDs will be used such as:

cgi-bin/session.cgi?sessargs=ae555AAAAAAYExs=
cgi-bin/session.cgi?sessargs=ae555BBBBBBYExs=
cgi-bin/session.cgi?sessargs=ae555CCCCCCYExs=
cgi-bin/session.cgi?sessargs=ae555DDDDDDYExs=

Adding these obviously illicit session IDs to a keyword list within the application firewall and to an exception list within the web application code itself will allow administrators to monitor how many attempts are being made and also to drop those malicious requests before they can steal any vital information through the web application.
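As an added example (not code from the eEye article and not SecureIIS), here is a Python sketch of the booby-trap approach described above: the "ae555"/"YExs=" boundaries come from the page's sample URLs, while the issued-ID set, the log-line format, the rule that single-character runs are never issued and the three-attempt threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Session ID layout taken from the newsletter's sample URLs: the fixed prefix
# "ae555" and suffix "YExs=" bound the part a fuzzer would vary.
PREFIX, SUFFIX = "ae555", "YExs="
SESS_RE = re.compile(r"sessargs=(?P<sid>[A-Za-z0-9+/=]+)")

# IDs the application actually issued (constructed from the page's five
# examples; a real deployment would consult its session store instead).
ISSUED = {PREFIX + body + SUFFIX for body in
          ("YFrBTd", "GjXifhg", "Edasddk", "Jeasklsk", "Galslkek")}

# Booby-trapped IDs never handed to a real user: single-character runs such as
# AAAAAA, BBBBBB, ... 999999. Assumption: the generator never emits such runs.
TRAPS = {PREFIX + c * 6 + SUFFIX for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"}

def classify(sid, issued=ISSUED, traps=TRAPS):
    """trap, valid, unknown (well-formed but never issued: a plausible guess) or malformed."""
    if sid in traps:
        return "trap"
    if sid in issued:
        return "valid"
    if sid.startswith(PREFIX) and sid.endswith(SUFFIX):
        return "unknown"
    return "malformed"

def analyze(log_lines, bad_threshold=3, issued=ISSUED, traps=TRAPS):
    """Walk access-log lines of the form '<client> <request-path>' and return
    {client: reason}. A client is flagged the moment it hits a trap, or once
    it presents bad_threshold IDs the application never issued."""
    bad = defaultdict(int)
    alerts = {}
    for line in log_lines:
        client, path = line.split(maxsplit=1)
        m = SESS_RE.search(path)
        verdict = classify(m.group("sid"), issued, traps) if m else "malformed"
        if verdict == "trap":
            alerts[client] = "trap hit: drop request and alert administrator"
        elif verdict != "valid":
            bad[client] += 1
            if bad[client] >= bad_threshold and client not in alerts:
                alerts[client] = f"{bad[client]} unissued IDs: possible URL-space brute force"
    return alerts

# Constructed sample traffic: a real user, a client tripping a trap, and a
# client walking the space around a real ID (YFrBTd -> YFrBTe, f, g).
SAMPLE_LOG = [
    "10.0.0.5 /cgi-bin/session.cgi?sessargs=ae555YFrBTdYExs=",
    "192.0.2.77 /cgi-bin/session.cgi?sessargs=ae555AAAAAAYExs=",
    "192.0.2.78 /cgi-bin/session.cgi?sessargs=ae555YFrBTeYExs=",
    "192.0.2.78 /cgi-bin/session.cgi?sessargs=ae555YFrBTfYExs=",
    "192.0.2.78 /cgi-bin/session.cgi?sessargs=ae555YFrBTgYExs=",
]
```

Running `analyze(SAMPLE_LOG)` flags the trap hit immediately and the third client after its third never-issued ID, while the legitimate user is never reported.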

Thus, with a bit of investigation into how your web apps expose data in URLs, and a few customized changes to sidestep any possible fuzzers, your web application content can be better secured against unauthorized users.

Full Eval of SecureIIS here:
http://www.w2knews.com/rd/rd.cfm?id=020826TB-SecureIIS

  NT/2000 RELATED NEWS

SP3's Unexpected Automatic Updates Behavior

Perhaps some of you are installing Service Pack 3 for Windows 2000. If so, I want to bring the following bug to your attention. While SP3 is being seen as very solid, it does seem to break Windows Update on some systems. If, after installing SP3, the Windows Update program breaks with the error code "0x800A138F", then you will need to follow the procedure below to fix the problem.

RESOLUTION:

  • Go to Start, then Run, and type in "regsvr32 iuctl.dll /u" to unregister the program
  • Find iuctl.dll and iuengine.dll and delete all instances of them
Here is an article in WinNetMag with more on this issue:
http://www.w2knews.com/rd/rd.cfm?id=020826RN-W2K_SP3

More SP3 Bugs Surface

Several people reported back to me that they had run into problems with SP3. This is of course inevitable, and the number of bug reports is fairly low, but there are a few pitfalls and beartraps some of you have run into. Here are the examples. Lesson: proceed, but with caution!

"I've found a genuine bug with Windows 2000 SP3 in a Terminal Services / Citrix Metaframe XP environment on Proliants. The problem was experienced on 2 servers. Fortunately I chose to archive the updated files so it was easy to roll it back to SP2. I removed SP3 from one server. The following day, when under user load, the customer confirmed that it was operating normally. The other server was still experiencing slowdowns, so the customer removed SP3 from the 2nd server, and it was also back to normal. The issue: When people log in and out using the Citrix ICA client that have locally connected printers, the CPU seems to take a hit and freeze the server for several seconds while the printers are being auto-created, purged, and deleted. The problem could be reproduced. Good old MS have started pointing the finger at Citrix already."

"Try to install Exceed (by Hummingbird) ver 6.2 or 7.1.1 on a w2k machine with sp3 and you will not get an X terminal session. When applying sp3 on a w2k machine with sp2 and Exceed already installed - it works. I am waiting for Hummingbird's reply on that...still nothing. I have been talking with them for 3 days since Exceed didn't work and we ran through the troubleshooting a few times. Finally I noticed that it's the problem as described. Yet it's interesting, since the Xerrors file on the SUN machine makes it look like a name resolution problem. I double checked - it's not the problem. Other pc-x software works, like Starnet (Cygwin for some reason did not work)."

SP3 Refusniks

Some people object to the licensing terms in SP3, which are similar to those of the new Media Player: MS reserves many rights. Read the articles in the links below and you will see what they are referring to. There is just one snag. Think about security. SP3 is crucial, and skipping it would leave them open to hacking. The tradeoff is not that difficult, but it definitely means a "choice between two evils". Unless you hack SP3 of course...[grin] More about that in the links below.

Item about Win2k SP3, the 'snooper' license, and the workaround
http://www.w2knews.com/rd/rd.cfm?id=020826RN-License_Workaround

And here is an interesting article on how to defang SP3 altogether!
http://www.w2knews.com/rd/rd.cfm?id=020826RN-Defang_SP3

International Information Security Standard

A W2Knews subscriber sent me this; you should check it out too.

"You might like to take a look at the BS7799 Information Security Standard. I've just done the auditors course, and rather than being boring it was as enlightening as heck, and really good to see someone has put all the things you SHOULD be doing about security of your information into one place. The standard is becoming international too, with Part I (the guidelines) already Approved as ISO 17799, and Part 2 (The standard) under review."

  THIRD PARTY NEWS

How To Stay Connected On A DHCP XP Pro Laptop - Redux

Quite a few of you came back to me with the remark that there are easier ways to do this. For instance, use the free option at
http://www.w2knews.com/rd/rd.cfm?id=020826TP-No_IP

Apart from using it yourself when you are on the road, or when you want to access office systems from home (where your DSL gateways may have a dynamic IP address), there are many commercial users who use no-ip to switch hosting servers etc. etc. Other examples are:
http://www.w2knews.com/rd/rd.cfm?id=020826TP-DynDNS
http://www.w2knews.com/rd/rd.cfm?id=020826TP-Dynu
and something else called dns2go, which is available from the good folks at http://www.w2knews.com/rd/rd.cfm?id=020826TP-DeerField. Check it out. Someone wrote in that they use it all over the place and have had excellent success with it. But keep in mind that these "free" sites might suddenly change to a "for pay" model once they have locked you in. This happened just last week with one of them.

What Do YOU Think The IT Future Is Going To Bring?

Sunbelt and SG Gowen are currently conducting an online study examining current and future information technology trends. As a leader in the information technology space, we are very interested in your thoughts and opinions.

The survey should take no more than 10 minutes to complete. To thank you for completing the survey, we will enter you into a drawing to win a cash prize of $1,000.

Please take part in this research by clicking on the link below or pasting it into your browser:

http://www.w2knews.com/rd/rd.cfm?id=020826TP-Survey

The data you submit will remain confidential and will not be released, sold, or used in advertising. It will only be used to compile aggregate statistics for a summary report. Neither you nor your company will be identified in any way. Your input is important, so please respond now, or no later than August 31, at 5pm.

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • Online "museum" of many now dead computer brands. Oh Nostalgia!
    http://www.w2knews.com/rd/rd.cfm?id=020826FA-Computer_Brands
  • Wanted to go to LinuxWorld but could not make it? eWeek has a good roundup.
    http://www.w2knews.com/rd/rd.cfm?id=020826FA-LinuxWorld
  • Told ya so, told ya so. In issue #368 I mentioned Big Pharma would be the next "tobacco" of class action lawsuits because of their business practices in the anti-depressant market. That includes Ritalin (while not in that same class of drugs and more a close relative of cocaine) and here are the lawsuits starting. Got "busy" kids? Better read this.
    http://www.w2knews.com/rd/rd.cfm?id=020826FA-BigPharma
    And then watch this video:
    http://www.w2knews.com/rd/rd.cfm?id=020826FA-Ad_Video
  • Cool shareware for Outlook users. Does some good things:
    http://www.w2knews.com/rd/rd.cfm?id=020826FA-Outlook_Shareware
  • TechTarget have their own Fave Links. They call 'em discoveries and they are all on one page:
    http://www.w2knews.com/rd/rd.cfm?id=020826FA-TechTarget
  • Pretty much all the important websites on one (long) page. Useful.
    http://www.w2knews.com/rd/rd.cfm?id=020826FA-HotSheet
  • Wardriving? Naaah, the Aussies discover hackable wireless networks with airplanes!
    http://www.w2knews.com/rd/rd.cfm?id=020826FA-Plane_Wardriving
  PRODUCT OF THE WEEK

Securing Windows NT/2000: From Policies to Firewalls

In today's business environment it is no longer safe to conduct any business on the Internet without first protecting it. Small, medium, and large corporations require a massive dose of security to protect themselves and their digital assets from unwanted intruders. A managerial guide and practical technical tutorial, this book provides viable security solutions for your organization.

The book includes the steps required to define a corporate security policy, how to implement that policy, and how to structure the project plan. Tables, charts, and work templates provide a starting point to begin assessing and implementing a solution that will fit the unique needs of your organization. Part two provides the reader with practical hands-on applications for the preparation, installation, and tuning of Windows NT/2000 operating systems. Securing Windows NT/2000 provides step-by-step instructions that guide you through performing a secure installation and in preparing the system for secure operation on the Internet. Although a multitude of firewall application software can be used in conjunction with the sections detailing the securing of the operating system, Check Point FireWall-1 /VPN-1 is used as it best demonstrates the effectiveness of translating the corporate security policy into a practical reality.

http://www.w2knews.com/rd/rd.cfm?id=020826BW-Securing_Windows