Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 26, 2002 (Vol. 7, #58 - Issue #389)
This issue of W2Knews contains:
- EDITORS CORNER
- Trade Show Blunders Continued
- Remarks About X10 Cameras
- TECH BRIEFING
- Protect Against Web Application Brute Force Attacks
- NT/2000 RELATED NEWS
- SP3's Unexpected Automatic Updates Behavior
- More SP3 Bugs Surface
- SP3 Refusniks
- International Information Security Standard
- NT/2000 THIRD PARTY NEWS
- How To Stay Connected On A DHCP XP Pro Laptop - Redux
- What Do YOU Think The IT Future Is Going To Bring?
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Securing Windows NT/2000: From Policies to Firewalls
Calling it a migration is ironic since you don't actually have to move.
Altiris provides a flexible, web-based technology that allows you to
migrate your LAN, WAN, mobile, and remote users to XP without ever
leaving your desk. Client Mgmt Suite is the only single-vendor, end-
to-end technology that supports all six steps of a successful Windows
migration. Download your free 30-day trial of Client Mgmt Suite today.
Visit Altiris for more information.
Trade Show Blunders Continued
Have a look at what someone else wrote about Microsoft's European
shows; quite entertaining.
"Making blunders like this by HP is by no means restricted to HP.
Microsoft in their great wisdom have moved the European MEC (now called
MS IT Forum) from its location of the past two years in Nice, South
France to "sunny" Copenhagen in late November. (Three years ago it
was in Hamburg, North Germany but at least it was late September so
the weather wasn't that bad). Add that location (at that cold and
miserable time) to the fact that the attendance fee has added to it
Danish taxes (at 25% - France and Germany were somewhat less) and
that Danish hotels are not that cheap (to say the least) and you have
perhaps the reason why in addition to the 300 Euro (roughly the same
in dollars) early bird registration reduction they are also offering
an alternative 600 Euro reduction to anyone *from the same company*
as someone who attended this year's European Tech-Ed.
Obviously MS has its own share of rocket scientists who didn't realise
that a cold and miserable and expensive Copenhagen doesn't have quite
the pull of a warm, sunny and relatively cheap Nice. Especially for
people who are based even further North than Copenhagen and have all
the "benefits" of cold and miserable weather already at that time of
year". (Editor's note: The gentleman in question lives in Helsinki,
Remarks About X10 Cameras
Lots of newsgroup comments make it clear that X10 cameras won't work
if you are near an 802.11b wireless Ethernet. Both systems use the
unlicensed 2.4 GHz band, and the spread-spectrum Ethernet signal will
interfere with the camera's. Second, do not point these things at
anything sensitive. You can dream up examples yourself: there are
people driving around with laptops and X10 receivers hoping to pick
up the signals of nannycams and other in-house views. There is no
legislation against this yet, so take care.
"Definition Of The Week": MEME. (pron. 'meem') A contagious idea that
replicates like a virus, passed on from mind to mind. Memes function
the same way genes and viruses do, propagating through communication
networks and face-to-face contact between people. It is the root of
the word "memetics," a field of study which postulates that the meme
is the basic unit of cultural evolution. Examples of memes include
melodies, icons, fashion statements and phrases.
(email me with feedback: [email protected])
SPONSOR: Content Inspector
Is Your Organization Secure from Email Threats?
New viruses, confidential information leaks, inappropriate email content,
spam, court ordered discovery of email records. Is your organization
prepared for all of these potential security issues? If not, then your
email system, your users, and your organization are at risk. Download a
full trial copy of Content Inspector, the easy-to-use, non-invasive
Exchange content security product that protects your entire Exchange
system and organization against the most damaging email threats.
Visit Content Inspector for more information.
Protect Against Web Application Brute Force Attacks
Here's an article from the eEye Digital Security team inspired by one
of the technical sessions at the Black Hat conference in Las Vegas.
The Black Hat conference a few weeks ago featured several sessions on
web application attack techniques. One of the more interesting
techniques discussed was the practice of brute forcing another
person's session ID based on analysis of the URL.
Based on a URL, one can detect certain patterns in the creation scheme
and then guess what other likely session IDs are being used. Based on
that information it is possible, within some web applications, to
retrieve information from other users.
This becomes a serious concern for home-grown web applications housing
sensitive financial, medical, and legal information. We have already
received reports of users from an unnamed medical site accidentally
being able to pull up another patient's records. This particular
incident was not an intentional misdirection, but with a little
manipulation it is quite possible that every patient record could
have been compromised from anywhere on the Internet.
The good news is that detecting this type of attack is fairly easy.
The attack is similar in nature to a port scan, which tries every door
until it finds one it can open: a brute force attack on session IDs
uses the same logic, walking through candidate IDs until one of them
returns another user's data. For example, the following are valid
session IDs within a URL, referred to here as a URL space:
cgi-bin/session.cgi?sessargs=ae555YFrBTdYExs=
cgi-bin/session.cgi?sessargs=ae555GjXifhgYExs=
cgi-bin/session.cgi?sessargs=ae555EdasddkYExs=
cgi-bin/session.cgi?sessargs=ae555JeasklskYExs=
cgi-bin/session.cgi?sessargs=ae555GalslkekYExs=
From the above data, an attacker would attempt to brute force a key:
the "ae555" and "YExs=" parts never change, so only the few characters
in between need to be guessed. The root-cause fix is to generate
session IDs from a cryptographically strong random source with enough
entropy that enumerating them is infeasible; what follows is the
detection layer you want on top of that, and the only defence you have
for an application whose ID scheme you cannot change today.
Once administrators understand the logic of the brute force URL space
hack, the best method of detection is to set up booby-trapped IDs
which trigger an alarm. Most web applications have functions that
generate these IDs, and creating booby-trapped IDs is simply a matter
of creating an exception list inside the app. This exception list
contains IDs that the application will never issue and that never
return data; any attempt to use one of them alerts the administrator
that someone is trying to brute force the web application. Another
way to prevent a brute force attack from occurring, if you use IIS
as your web server, is an IIS application firewall (such as eEye's
SecureIIS) which has an automated alerting mechanism for this type
of attack built in.
Similar to the methodology used by an attacker, administrators would
analyze what the patterns are and create an algorithm to guess the
unknown parts within the URL space (referred to as "fuzzing"). As
admins, guessing isn't necessary since in this scenario the code
generation algorithms are at our disposal. Looking at the session
arguments listed above (sessargs), we can see that the attacker will
most likely fuzz inside the "=ae555" and "YExs=" boundaries.
Fuzzers are meticulous -- they usually try every possible combination
within reason. This works to an administrator's advantage since we
can be fairly certain that obvious IDs will be used such as:
cgi-bin/session.cgi?sessargs=ae555AAAAAAYExs=
cgi-bin/session.cgi?sessargs=ae555BBBBBBYExs=
cgi-bin/session.cgi?sessargs=ae555CCCCCCYExs=
cgi-bin/session.cgi?sessargs=ae555DDDDDDYExs=
Adding these obviously illicit session IDs to a keyword list within
the application firewall and to an exception list within the web
application code itself will allow administrators to monitor how
many attempts are being made and also to drop those malicious
requests before they can steal any vital information through the
Thus, with a bit of investigation about how your web apps expose
data in URLs, and a few customized changes to sidestep any possible
fuzzers, your web application content can be more secured from
Full Eval of SecureIIS here:
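The three steps above (profiling the ID scheme the way an attacker would, planting booby-trapped IDs at the "obvious" end of the keyspace, and watching the logs for hits) worked through as an added example. This is not code from eEye or SecureIIS; the access-log lines, client addresses, alert threshold and canary alphabet are constructed for the example, and the five session IDs are the ones quoted in the article. The last function shows the root-cause fix the article does not spell out: IDs drawn from the OS CSPRNG, which leave nothing to profile.

```python
"""Added example (not eEye's or SecureIIS's code): profile a guessable
session-ID scheme, plant booby-trapped IDs, and flag enumeration in
web-server logs. All log lines and addresses below are constructed."""
import re
import secrets
from collections import defaultdict

# The five session IDs quoted in the article, stripped of the URL.
OBSERVED_IDS = [
    "ae555YFrBTdYExs=",
    "ae555GjXifhgYExs=",
    "ae555EdasddkYExs=",
    "ae555JeasklskYExs=",
    "ae555GalslkekYExs=",
]


def fixed_parts(ids):
    """Longest common prefix and suffix of a set of IDs: the parts an
    attacker keeps constant while fuzzing whatever lies between them."""
    prefix, suffix = ids[0], ids[0]
    for s in ids[1:]:
        while not s.startswith(prefix):
            prefix = prefix[:-1]
        while not s.endswith(suffix):
            suffix = suffix[1:]
    return prefix, suffix


def scheme_profile(ids):
    """What the attacker learns: the fixed boundaries, how long the
    variable middle is, and which characters it uses (the observed
    characters are only a lower bound on the real alphabet)."""
    prefix, suffix = fixed_parts(ids)
    middles = [s[len(prefix):len(s) - len(suffix)] for s in ids]
    return {
        "prefix": prefix,
        "suffix": suffix,
        "middle_lengths": sorted({len(m) for m in middles}),
        "alphabet_size": len(set("".join(middles))),
    }


def canary_ids(prefix, suffix, length=6, chars="ABCD"):
    """Booby-trapped IDs the application never issues but a fuzzer
    walking the keyspace is likely to try ("AAAAAA", "BBBBBB", ...).
    The length and alphabet are assumptions for this example."""
    return {prefix + c * length + suffix for c in chars}


# Client address and the sessargs value from a common-log-format line.
SESSARGS_RE = re.compile(r'^(\S+) .*"(?:GET|POST) [^" ]*[?&]sessargs=([^ &"]+)')


def analyze_log(lines, valid_ids, canaries, threshold=3):
    """Return alerts: every hit on a canary ID, plus any client that
    presents `threshold` or more distinct IDs the server never issued."""
    alerts = []
    bogus_by_client = defaultdict(set)
    for line in lines:
        m = SESSARGS_RE.match(line)
        if not m:
            continue
        client, sid = m.group(1), m.group(2)
        if sid in canaries:
            alerts.append(("canary", client, sid))
        if sid not in valid_ids:
            bogus_by_client[client].add(sid)
    for client, sids in bogus_by_client.items():
        if len(sids) >= threshold:
            alerts.append(("enumeration", client, len(sids)))
    return alerts


def new_session_id():
    """The root-cause fix: 256 bits from the OS CSPRNG, so there is no
    fixed boundary to profile and no keyspace small enough to walk."""
    return secrets.token_urlsafe(32)


# Constructed access-log lines: one legitimate user, then a client
# walking the keyspace from the "obvious" end.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Aug/2002:10:00:01 +0000] "GET /cgi-bin/session.cgi?sessargs=ae555YFrBTdYExs= HTTP/1.0" 200 1834',
    '10.0.0.9 - - [26/Aug/2002:10:00:07 +0000] "GET /cgi-bin/session.cgi?sessargs=ae555AAAAAAYExs= HTTP/1.0" 200 0',
    '10.0.0.9 - - [26/Aug/2002:10:00:07 +0000] "GET /cgi-bin/session.cgi?sessargs=ae555AAAAABYExs= HTTP/1.0" 200 0',
    '10.0.0.9 - - [26/Aug/2002:10:00:08 +0000] "GET /cgi-bin/session.cgi?sessargs=ae555AAAAACYExs= HTTP/1.0" 200 0',
    '10.0.0.9 - - [26/Aug/2002:10:00:08 +0000] "GET /cgi-bin/session.cgi?sessargs=ae555AAAAADYExs= HTTP/1.0" 200 0',
]


def run_demo():
    """Profile the observed IDs, derive canaries from the profile, and
    run the detector over the constructed log."""
    profile = scheme_profile(OBSERVED_IDS)
    canaries = canary_ids(profile["prefix"], profile["suffix"])
    return profile, analyze_log(SAMPLE_LOG, set(OBSERVED_IDS), canaries)


if __name__ == "__main__":
    profile, alerts = run_demo()
    print("scheme:", profile)
    for alert in alerts:
        print("ALERT:", alert)
```

The canary check fires on the very first probe; the per-client count catches a fuzzer that happens to skip the obvious values. Both are only as good as the logging behind them, so make sure the query string actually reaches the log (many servers log only the path by default).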
NT/2000 RELATED NEWS
SP3's Unexpected Automatic Updates Behavior
Perhaps some of you are installing Service Pack 3 for Windows 2000. If
so, I want to bring the following bug to your attention. While SP3 is
being seen as very solid, it does seem to break Windows Update on some
systems. If after installing SP3, the Windows Update program breaks with
the error code "0x800A138F", then you will need to execute the below
procedure to fix the problem.
Here is an article in WinNetMag with more on this issue:
- Go to Start, then Run, and type "regsvr32 iuctl.dll /u" to unregister
  the control
- Find iuctl.dll and iuengine.dll and delete all instances of them
More SP3 Bugs Surface
Several people reported back to me they had run into problems with SP3.
This is of course inevitable, and the amount of bug reports is fairly
low, but there are a few pitfalls and beartraps some of you have run
into. Here are the examples. Lesson: proceed, but with caution!
"I've found a genuine bug with Windows 2000 SP3 in a Terminal Services
/ Citrix Metaframe XP environment on Proliants. The problem was
experienced on 2 servers. Fortunately I chose to archive the updated
files so it was easy to roll it back to SP2. I removed SP3 from one
server. The following day, when under user load, the customer
confirmed that it was operating normally. The other server was still
experiencing slowdowns, so the customer removed SP3 from the 2nd
server, and it was also back to normal. The issue: When people log in
and out using the Citrix ICA client that have locally connected printers,
the CPU seems to take a hit and freeze the server for several seconds
while the printers are being auto-created, purged, and deleted. The
problem could be reproduced. Good old MS have started pointing the
finger at Citrix already."
"Try to install Exceed (by Hummingbird) ver 6.2 or 7.1.1 on w2k machine
with sp3 and you will not get X terminal session. When applying sp3 on
a w2k machine with sp2 and Exceed already installed - it works.
I am waiting for Hummingbird's reply on that...still nothing. I have been
talking with them for 3 days since Exceed didn't work and we ran through
the troubleshooting a few times. Finally I noticed that it's the problem
as described. Yet it's interesting, since the Xerrors file on the SUN
machine makes it look like a name resolution problem. I double checked -
it's not the problem. Other pc-x software works, like Starnet (Cygwin
for some reason did not work)."
Some people object to the licensing terms in SP3. They are similar to
the ones of the new Media Player: MS reserves many rights for itself.
Read the articles in the links below and you will see what they are
referring to. There is just one snag. Think about security. SP3
contains critical fixes, and skipping it would leave those systems
open to hacking. The tradeoff is not that difficult, but it definitely
means a "choice between two evils". Unless you hack SP3 of course...
[grin] More about that in the links below.
Item about Win2k SP3, the 'snooper' license, and the workaround
And here is an interesting article on how to defang SP3 all together!
International Information Security Standard
A W2Knews subscriber sent me this, you should check it out too.
"You might like to take a look at the BS7799 Information Security
Standard. I've just done the auditors course, and rather than being
boring it was as enlightening as heck, and really good to see someone
has put all the things you SHOULD be doing about security of your
information into one place. The standard is becoming international
too, with Part I (the guidelines) already Approved as ISO 17799,
and Part 2 (The standard) under review."
THIRD PARTY NEWS
How To Stay Connected On A DHCP XP Pro Laptop - Redux
Quite a few of you came back to me with the remark there are easier ways
to do this. For instance, use the free option under
Apart from using it yourself when you are on the road, or want to access
systems from home to the office (where your DSL gateways may have a dynamic
IP address), there are many commercial users who use no-ip to switch
hosting servers etc. etc. Other examples are:
and something else which is called dns2go and is available from the good
folks at http://www.w2knews.com/rd/rd.cfm?id=020826TP-DeerField. Check it
out. Someone wrote in that they use it all over the place and have had
excellent success with it. But keep in mind that these "free" sites might
suddenly change to a "for pay" model once they have locked you in. This
happened just last week with one of them.
What Do YOU Think The IT Future Is Going To Bring?
Sunbelt and SG Gowen are currently conducting an online study examining
current and future information technology trends. As a leader in the
information technology space, we are very interested in your thoughts.
The survey should take no more than 10 minutes to complete. To thank
you for completing the survey, we will enter you into a drawing to win
a cash prize of $1,000.
Please take part in this research by clicking on the link below or pasting
it into your browser:
The data you submit will remain confidential and will not be released,
sold, or used in advertising. It will only be used to compile aggregate
statistics for a summary report. Neither you nor your company will be
identified in any way. Your input is important, so please respond now,
or no later than August 31, at 5pm.
This Week's Links We Like. Tips, Hints And Fun Stuff
Online "museum" of many now dead computer brands. Oh Nostalgia!
Wanted to go to LinuxWorld but could not make it? eWeek has a good roundup.
Told ya so, told ya so. In issue #368 I mentioned Big Pharma would be the
next "tobacco" of class action lawsuits because of their business practices
in the anti-depressant market. That includes Ritalin (while not in that
same class of drugs and more a close relative of cocaine) and here are the
lawsuits starting. Got "busy" kids? Better read this.
And then watch this video:
Cool shareware for Outlook users. Does some good things:
TechTarget have their own Fave Links. They call 'em discoveries and they
are all on one page:
Pretty much all the important websites on one (long) page. Useful.
Wardriving? Naaah, the Aussies discover hackable wireless networks with airplanes!
PRODUCT OF THE WEEK
Securing Windows NT/2000: From Policies to Firewalls
In today's business environment it is no longer safe to conduct
any business on the Internet without first protecting it. Small,
medium, and large corporations require a massive dose of security
to protect themselves and their digital assets from unwanted
intruders. A managerial guide and practical technical tutorial,
this book provides viable security solutions for your organization.
The book includes the steps required to define a corporate security
policy, how to implement that policy, and how to structure the
project plan. Tables, charts, and work templates provide a starting
point to begin assessing and implementing a solution that will fit
the unique needs of your organization. Part two provides the reader
with practical hands-on applications for the preparation, installation,
and tuning of Windows NT/2000 operating systems. Securing Windows
NT/2000 provides step-by-step instructions that guide you through
performing a secure installation and in preparing the system for
secure operation on the Internet. Although a multitude of firewall
application software can be used in conjunction with the sections
detailing the securing of the operating system, Check Point
FireWall-1/VPN-1 is used as it best demonstrates the effectiveness of
translating the corporate security policy into a practical reality.