Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 2, 2004 (Vol. 9, #30 - Issue #486)
Do They Think We Are Stupid Or Something?
This issue of W2Knews contains:
- EDITORS CORNER
- What's Everyone Planning With Windows and Linux?
- ZDNet Reports: Linux Added To Security Scanner
- WebCast: Microsoft and Sunbelt Software Present
- The Top 50 Tech Sites: Bookmarks
- TECH BRIEFING
- Updates to Understanding IPv6
- Do They Think We Are Stupid Or Something?
- Microsoft's Security Laws: Rebuttal
- NT/2000 RELATED NEWS
- 64-Bit Windows and W2K3 SP1 Pushed Back
- Microsoft Finishes SQL Server 2005 Beta 2
- The Window Shortens From Hole To Exploit
- SBS Is Really Doing Great
- NT/2000 THIRD PARTY NEWS
- Best Practices for Vulnerability Management
- Security Update: 7 New Vulnerabilities Discovered
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- What The MS Spell Checker Thinks Of WinXP RC2
What's Everyone Planning With Windows and Linux?
The Yankee Group and Sunbelt Software invite you to participate
in the yearly Windows, Linux, Office and Active Directory Deployment
Survey. This has become a regular, reliable benchmark on the actual
deployment of these most popular technologies. We will come out
with an Executive Summary for W2Knews subscribers in a few weeks,
so you can see what your peers are planning and rolling out at
the moment. It's a fast survey and should take you just 2-3
minutes to fill out. Know where the market is heading, it's worth
your time! Here goes:
ZDNet Reports: Linux Added To Security Scanner
The new Sunbelt Network Security Scanner is taking off like a
rocket now that it does IP-scanning and is multi-platform.
See what ZiffDavis has to say over here:
WebCast: Microsoft and Sunbelt Software Present
"How to Protect Your Enterprise from Spam: Solutions for Microsoft
Exchange" The increasing volume of spam and the increasing ingenuity
of those who disseminate it have made the battle against spam a
priority in the enterprise environment. Current anti-spam weapons
must address end users' needs and concerns without placing excessive
demands on company resources or system administrators. Join us
online to see the ways that Sunbelt Software's iHateSpam for
Exchange can be deployed to easily and effectively protect an
enterprise. Spam filtering techniques will be presented along
with solutions specifically designed to support MS Exchange Server
5.5, 2000 and 2003 environments. Register at the Microsoft website:
Date: Wednesday, August 4, 2004
10:00-11:00am Pacific time
1:00-2:00pm Eastern time
(All times are US and Canada)
The Top 50 Tech Sites: Bookmarks
Carl Webster put these 50 sites in an HTML page so that you
can make that page a FAVE instead of having to spend all the
time to create your own faves by hand. Here you are!
(email me with feedback: [email protected])
Updates to Understanding IPv6
Microsoft wrote a white paper about changes in Internet Protocol
version 6 (IPv6) standards and their implementation in Microsoft
Windows XP and the Windows Server 2003 family. IPSec for IPv6
includes support for the Secure Hash Algorithm 1 (SHA1) hashed
message authentication code (HMAC). It sits at itpapers.com.
(You need to register.)
Do They Think We Are Stupid Or Something?
Network World has a fairly critical/funny article. It starts like
this: "The marketing mavens at Microsoft, Sun, Novell, IBM and Apple
are looking at the removal, by a rival, of support for older operating
systems as an opening to a 'year of opportunity' (Steve Ballmer's words
at Microsoft's recent Partners Conference) for moving corporations
to new server operating systems. With Novell pushing folks to give
up NetWare and Microsoft dropping support for Windows NT, we see the
incredible sight of these two companies believing they can 'steal'
customers from the other! Even Apple is jumping on the conversion
bandwagon, with Steve Jobs chortling that 'the time is right to try
to win the hearts and minds of the disenfranchised Windows Server
base.'" The rest of the article is here:
Microsoft's Security Laws: Rebuttal
In the last Stu's News (company newsletter for Sunbelt customers)
I published Microsoft's 10 Security Laws and got an earful of
feedback. [grin] Bruce MacDonald, who is an Information Technology
Manager, sent me this. Quite interesting and humorous reading actually!
(You can subscribe to Stu's News over here, it's a monthly):
"Stu, Here is my feedback on Microsoft's laws.
"Law #1: If a bad guy can persuade you to run his program on your
computer, it's not your computer anymore.
REBUTTAL #1: If an operating system writer sells an operating system that permits this, then the OS writer is an accomplice.
"Law #2: If a bad guy can alter the operating system on your computer,
it's not your computer anymore.
REBUTTAL #2: If the writer of that operating system makes "everyone:
Full control" the default security setting, then the OS writer is
an accomplice and should be liable for any damage thus caused.
"Law #3: If a bad guy has unrestricted physical access to your computer,
it's not your computer anymore.
REBUTTAL #3: If ANYONE other than yourself and trusted individuals has
unrestricted physical access to your computer, then you are a fool and
deserve what you get.
"Law #4: If you allow a bad guy to upload programs to your Web site,
it's not your Web site any more.
REBUTTAL #4: If someone pretending to be a good guy does the same
thing, they become the bad guy.
"Law #5: Weak passwords trump strong security.
REBUTTAL #5: Once again, Microsoft reveals an astonishing degree of
hypocrisy by making this a 'law'. Installing Windows XP Pro does not
even prompt for an administrator password, let alone force even basic
password common sense. If Microsoft did their job properly, it would
be impossible to create a weak password.
"Law #6: A machine is only as secure as the administrator is trustworthy.
REBUTTAL #6: This is a universal security law, not a computer or
technological one. Stating the obvious.
"Law #7: Encrypted data is only as secure as the decryption key.
REBUTTAL #7: I guess they wanted 10 laws really bad. This is stating
the obvious again.
"Law #8: An out-of-date virus scanner is only marginally better than no
virus scanner at all.
REBUTTAL #8: No existing virus scanner is of any use whatsoever against
previously unknown viruses. At the very basis of system design, it
should be totally impossible to introduce an executable piece of code,
without putting the machine deliberately into an 'installation mode'.
In such a mode, only specially designated installation programs would
run. Nothing could ever execute unless first "blessed" by such an
installer. A separate "execution" mode would not permit installers
to run. A further "developer" mode would permit both, but would be
restricted to running developer tools. Such an operating system would
be relatively easy to implement, and no malware could then exist.
"Law #9: Absolute anonymity isn't practical, in real life or on the Web.
REBUTTAL #9: Bullsh!t. Microsoft threw this in 'cuz they want people
to become less protective of their privacy. Presumably so that Microsoft
can profit by exploiting it. This statement is detestable. By throwing
the word 'absolute' in there, they make their statement true, but its
intent is sinister. I see a day coming when all content generated for
use outside the confines of the computer that created it will be
required to be digitally signed by its originator, and further by each
distributor as it travels the internets of the world, and all accesses
of private systems will require prior permission, whereas access to
public systems will still be permissible anonymously. In Canada (I
don't know about the US) trespass on another's land is a tort (a civil
case), but peeking in their windows is a criminal offense (the
equivalent in the US of a felony). Microsoft, and many other internet
entities, by using information found on my computer without my
permission commit the same offence. The only difference is that it
is copper, not glass, that they are peeking through.
"Law #10: Technology is not a panacea. (noun: hypothetical remedy for all
ills or diseases; once sought by the alchemists)
REBUTTAL #10: LOL - and they finish off by stating the obvious once again.
"I'll finish off with a law of my own:
MacDonald's Law: Every communication originating from a corporation is
self-serving, and contains deceptions, misdirections and outright
falsehoods. Corollary: The purpose of the deception is to mine your
pockets. You have been warned."
NT/2000 RELATED NEWS
64-Bit Windows and W2K3 SP1 Pushed Back
Wanted to get one of those cool Athlon 64's in production? You will
have to wait a bit longer I'm afraid. The 64-bit Windows OS has been
postponed until the first part of 2005. Windows Server 2003 SP1 will
also be delayed until next year. A bit of a bummer for both AMD and
people that already bought the 64-bit CPUs. With this latest news,
W2K3 and XP 64-bit join the slipping slideware batch of products
with WinXP SP2 and most notably Longhorn. If you are just dying to run
a 64-bit OS, your only choice is one of the 64-bit Linux distros such
as SuSE 9.1 Pro, Gentoo, or Mandrake.
Microsoft Finishes SQL Server 2005 Beta 2
Redmond released its long-awaited Beta 2 for SQL Server 2005 this
week. It's the next major release of SQL that had the code-name
The Window Shortens From Hole To Exploit
I told you a few issues ago that the time it takes to find an
exploit in the wild for a known vulnerability is now about 10
days. ZDNet has an article explaining why. Crackers now have
automated tools (!) to create hacks for known holes. They say
they can do it in a day. [grumble]. Here is the article that
describes the Black Hat Briefings that were held in Vegas this
week. Interesting reading.
SBS Is Really Doing Great
Microsoft Corp.'s Windows Small Business Server 2003 is a big
success with Small and Midsize Business (SMB) customers, Microsoft
Value Added Resellers (VARs) and consulting partners alike.
Windows Small Business Server's (WSBS) success and fast adoption
rate is all the more notable because Microsoft's marketing efforts
have been minimal in comparison to Windows Server 2003 and Office
2003. WSBS is in a very real sense, selling itself. The word of
mouth buzz is significant. In less than one year of deployment,
it has outsold its predecessor Windows Small Business Server 2000
SMB shops with one to 75 users are installing WSBS in record
numbers for its unparalleled functionality, ease of use and price
tag. At $599 for the base-level Standard Edition and $1,499 for
the Premium Edition, there is simply nothing like it for the
money. For that matter, there is simply no bundled package that
can match it. Linux and Open Source vendors have no products that
individually or collectively can compete with the bundled feature
set of Windows SBS 2003, customers say. Small businesses further
reported that Windows SBS 2003 has a near immediate ROI.
The product is actually a collection of software packages. It
incorporates the following packages: W2K3, Exchange 2003, IIS,
Fax, Management Console, Front Page 2003, SQL Server 2000 and
the Internet Security and Acceleration Server (ISA) in the
Premium Edition and a variety of tools and utilities.
Microsoft partners reported that their sales have soared by 100% to
even 300% or 400% in the past 12 months. This sales spike is
directly attributable to WSBS deployments, they said.
There is a certain irony to this last statement because the SMB
partners make minuscule profit margins from the actual sale of
Windows SBS. Rather, they realize the greatest return in assisting
customers with deployment, after market consulting and technical
service and support. These fees -- which can range from $8,000 to
$15,000 -- more than compensate for the approximately $4 (US dollars)
they make on each unit sale of Windows SBS.
If Windows Small Business Server stays under wraps, don't blame
Harry Brelsford, the CEO of SMB Nation, Inc. a consultancy based
in Bainbridge Island, Washington that focuses on small and medium
business consulting and system integration. He is the driving force
behind SMB Nation touring conference complete with workshops
designed to highlight the features and functions of WSBS customers
on its usage. If you can't attend SMB Nation in person, check out
Brelsford's third-party SBS book, "Windows Small Business Server
2003 Best Practices"; it's chock full of tactical, practical advice
and tips and tricks to make the most of the bundled package. It
lists for $59.95; you can order it at:
Senior Analyst, The Yankee Group
THIRD PARTY NEWS
Best Practices for Vulnerability Management
Eric Ogren, an analyst at the Yankee Group, specializes in Security
Solutions & Services Research and Consulting. He came up with a
good article and I asked permission to use sections of it. He
started like this:
"Building a strong program based on mitigating known vulnerabilities
has transformed from a security-centric process to an operational
necessity for business success.
"Product vendors describe vulnerabilities as defects requiring a
patch, upgrade or configuration change; attackers target these
weaknesses in a security profile. Once a vulnerability is discovered,
it is only a matter of time before an attacker develops the worm,
virus or intrusion that can take advantage of the defect. For
example, the recent Sasser worm was launched a mere 18 days after
the vulnerability was announced in the form of an available patch.
Companies that rely on signature-based defenses against known
exploits are helpless against fast-moving exploits and zero-day
attacks that propagate globally at Internet speeds. The goal of
the security team is to reduce risk by identifying and eliminating
weaknesses in an effort to shrink the window of opportunity in
which an exploit or attacker could impact the organization."
Best Practices for Vulnerability Management:
Eric suggested some vendors, and noted it is a good thing to integrate
the vulnerability scanning and patching with asset discovery tools, to
expand the scanning into security profile management, and change the
way your organization thinks about security by sending your line managers
reports about the security of their business. He continued with:
- Classify network assets to effectively prioritize vulnerability
mitigation programs, such as patching and system upgrading.
The first best practice is to identify and classify network resources.
There are far too many assets in an enterprise network to manage
individually, and at an average cost of $235 to patch a desktop
(based on 2003 Yankee Group enterprise security spending survey),
patching all vulnerabilities as rapidly as possible becomes
cost prohibitive. The odds are great that unpatched systems will
exist when the exploit designed specifically for the announced
vulnerability strikes. Understanding and classifying assets to a
category allows IT to apply policies more efficiently, and if the
organization is time or resource constrained, it enables the
security team to focus on patching the most critical assets first.
- Reduce vulnerability exposure quickly to measure the effectiveness
of risk mitigation.
Vulnerability management systems test network
resources for the presence of known vulnerabilities. This produces
a record per scan of the number of vulnerabilities discovered, their
severity, and the asset classes affected. It is the true measure of
a patch and configuration control program.
- Integrate vulnerability management with discovery, patch management,
and configuration management processes to close vulnerabilities before
exploits can strike.
Vulnerability management bolsters the effectiveness
of patch management, configuration control, and early-warning services.
Integrate vulnerability management with network integrity systems to
assess new systems on the network, with patch management systems to
confirm completion of a patch process, and with management reporting
portals to raise the awareness among executive management for the
accomplishments of the security team.
- Audit the performance of security policy implementations, security
team performance and process improvements to build a culture of refining
Security executives regularly audit the
effectiveness of integrated vulnerability processes. Vulnerability
management delivers the fundamental metrics that management needs to
evaluate the state of the corporate network security program. Best
practices use the metrics to assess the success or failure of various
efforts to improve performance."
- Continually test critical assets for weaknesses. Test critical
assets a minimum of every 5 to 10 days. The software on the asset may
not change, but new vulnerabilities as well as reintroduced weaknesses
are discovered every day. Identifying and eliminating weakness is an
- Patch all critical systems within 21 days of the release of a critical
vulnerability, with a rollout procedure to other assets based on
their classified priority level. The rate at which vulnerabilities
are exploited continues to get shorter; build a sense of managed
urgency into your vulnerability process.
- Measure security team performance with vulnerability management metrics. The impact of an organization's effectiveness in identifying risks and reducing vulnerabilities serves as the true measure of a security team's performance. Use vulnerability management to measure and monitor security procedures for patching, upgrading and deploying networked systems."
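The cadence in the list above (a per-scan record by severity and asset class, a rescan of critical assets within 10 days, critical patches on critical systems within 21 days, then rollout by asset class) can be tracked with a short script. This is an added example, not code from the article or from any Sunbelt product; the host names, check ids and the 45-day window for standard assets are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Asset class -> days allowed to patch a critical vulnerability.
# 21 days for critical assets is the article's figure; 45 is an assumed
# value standing in for the "rollout to other assets by priority level".
PATCH_SLA_DAYS = {"critical": 21, "standard": 45}
RESCAN_MAX_DAYS = 10  # article: test critical assets every 5 to 10 days

# Constructed sample inventory and scan output (hypothetical names).
ASSETS = {
    "db01": {"cls": "critical", "last_scan": date(2004, 7, 30)},
    "web01": {"cls": "critical", "last_scan": date(2004, 7, 15)},
    "desk17": {"cls": "standard", "last_scan": date(2004, 6, 1)},
}
FINDINGS = [  # (host, check id, severity, date the fix was released)
    ("db01", "CHK-A", "critical", date(2004, 7, 5)),
    ("web01", "CHK-A", "critical", date(2004, 7, 5)),
    ("web01", "CHK-B", "low", date(2004, 7, 20)),
    ("desk17", "CHK-A", "critical", date(2004, 7, 5)),
    ("desk17", "CHK-C", "critical", date(2004, 7, 28)),
]


def scan_summary(findings, assets):
    """Per-scan record: finding counts by (asset class, severity)."""
    return Counter((assets[h]["cls"], sev) for h, _, sev, _ in findings)


def patch_queue(findings, assets, today):
    """Critical findings ordered by asset class, then by due date."""
    rank = {cls: i for i, cls in enumerate(PATCH_SLA_DAYS)}
    queue = []
    for host, check, sev, released in findings:
        if sev != "critical":
            continue  # lower severities are counted but not queued here
        cls = assets[host]["cls"]
        due = released + timedelta(days=PATCH_SLA_DAYS[cls])
        queue.append({"host": host, "check": check, "cls": cls,
                      "due": due, "overdue": today > due})
    return sorted(queue, key=lambda q: (rank[q["cls"]], q["due"], q["host"]))


def stale_scans(assets, today):
    """Critical assets whose last scan is older than the rescan window."""
    limit = timedelta(days=RESCAN_MAX_DAYS)
    return sorted(h for h, a in assets.items()
                  if a["cls"] == "critical" and today - a["last_scan"] > limit)


if __name__ == "__main__":
    today = date(2004, 8, 2)
    print(dict(scan_summary(FINDINGS, ASSETS)))
    for item in patch_queue(FINDINGS, ASSETS, today):
        print(item)
    print("rescan overdue:", stale_scans(ASSETS, today))
```

The overdue count per asset class from `patch_queue` and the list from `stale_scans` are the kind of figures the last bullet proposes reporting to management.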
Tools Recommended for Scanning and Patching:
SCANNER: Sunbelt Network Security Inspector (SNSI)
Security Update: 7 New Vulnerabilities Discovered
Sunbelt Network Security Inspector (SNSI) Version 188.8.131.52 now scans for these new vulnerabilities.
Three new Windows checks, bringing the total Windows checks to 2216:
W2214 - BrowserAid Detected
W2215 - WinSCP3 Long URI Handling Vulnerability
W2216 - Acrobat/Reader File Name Handling Vulnerability
Three new Linux checks, bringing the total Linux checks to 567:
L565 - PHP - memory_limit/strip_tags
L566 - Ethereal - Dissector Bugs - Fedora
L567 - Samba - SWAT administration service - Red Hat
One new Solaris check, bringing the total Solaris checks to 226:
S226 - Solaris Volume Manager (SVM) Panic - Solaris 9
In addition, there were improvements in the following vulnerability checks:
H64 - X font server
H68 - X font server
L551 - Apache patch
W1142 - Anti-Virus
W1986 - Anti-Virus
W1999 - Anti-Virus
W2067 - Anti-Virus
SNSI uses the latest Mitre Common Vulnerabilities and Exposures
(CVE) list of computer incidents. It also contains the latest
SANS/FBI top 20 vulnerability list. SNSI also uses the latest
CERT, CIAC Microsoft and FedCIRC (Department of Homeland Security)
This Week's Links We Like. Tips, Hints And Fun Stuff
PRODUCT OF THE WEEK
What The MS Spell Checker Thinks Of WinXP RC2
Remember the article in last week's issue: "WinXP SP2: Don't Tell
Me I Did Not Warn You." Someone decided to forward it and sent
the following copy to some co-workers: "CRN Test Lab guys downloaded
RC2 and pretty much trashed (BSOD) three out of five test systems.
I strongly suggest you tread lightly and TEST, TEST, TEST. Here
are the ugly details with some suggestion on how to recover."
When he hit send, the MS spell checker decided that he should
change "WinXP" to "wimp" and "RC2" to "cry". That makes it Product
Of The Week! [grin]