Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Oct 25, 2004 (Vol. 9, #42 - Issue #498)
Don't Get Hacked Like UC Berkeley!
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Microsoft Is "Doing Fine, Thank You"
    • A New Book On Spam
    • Heads Up -- New MS Stuff Coming Down The Pike
    • SunPoll: The Google Results & A New One On Spyware
  2. ADMIN TOOLBOX
    • Admin Tools We Think You Shouldn't Be Without
  3. TECH BRIEFING
    • Best Practices For Your Exchange 2003 Migration
    • Frequently Asked Questions: ACTIVE DIRECTORY
    • Five Reasons To Deploy IPSec Policies On Your Network
    • How Do I Stop XP/SP2 From Deploying To Users?
    • Feds Declare War On Spyware Scams
  4. NT/2000 RELATED NEWS
    • Microsoft Shifts Toward Hybrid Firewall Approach
    • Administrator's Guide to Windows Server 2003
    • Windows Systems More Spyware Infected Than Ever
  5. NT/2000 THIRD PARTY NEWS
    • Security Event Management
    • Linux and Solaris Patch Management
    • Don't Get Hacked Like UC Berkeley!
  6. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  7. PRODUCT OF THE WEEK
    • Prevent Downtime and Intrusions
  SPONSOR: Still Using Software for Web Filtering?
Software filters like Websense and SurfControl can't give you the ease of use and low maintenance that you'll get from iPrism, the leading Internet filtering appliance. Whether you are switching to an appliance or choosing one from the start, iPrism's low cost and powerful features are the perfect fit for any network. Switch to iPrism today and you can qualify for an extra year of Web filtering at no cost! Try out 5 Free Web Tools today.
Visit the sponsor link "Still Using Software for Web Filtering?" for more information.
  EDITORS CORNER

Microsoft Is "Doing Fine, Thank You"

Redmond reported fiscal Q1 2005 revenue (yes, their fiscal year runs from July to June) of $9.19 billion and net income of $2.9 billion. Those are pretty healthy numbers, higher than the guidance they gave the market in July, and a 12% increase over the same quarter last year. The section I'm most interested in is the server software and tools division, which grew by 18.8%. They also reported continued strength in SQL Server and Exchange. Other related tidbits: they have now pushed out 106 million copies of XP SP2, 90 million as downloads and 16 million on CD. Consumers were faster to adopt than business; the problems with SP2 (like application compatibility, and all the testing I insisted on [grin]) make business slower to roll it out. But wait, MS is planning a tool to automate some of this testing! Expect a beta of this thing in the very near future.

A New Book On Spam

I was asked to write the foreword to a new book from Syngress about spam. So of course I read it. It is the inside story from a spammer. Dang. The data in this book is revealing. It shows the various ways that spammers get their email through, and goes into great technical detail on how they do it. The most surprising part is the underground cooperation between hackers and spammers, whose common nefarious goal is to steal companies' email databases and exploit those lists. It is a detailed handbook on how to spam, and how to get around the many barriers that the anti-spam community has thrown up.

This book is a must read for any system and/or network admin who runs mail servers and whose job it is to make the organization as safe as possible against the many dangers lurking outside the firewall. A good defense against spam starts with knowing the enemy. This book shows how he thinks, how he operates, how he gets paid, the advanced state of dedicated automation he uses, and which holes in the Net are being exploited. I will let you know when it is available!

Heads Up -- New MS Stuff Coming Down The Pike

The first Service Pack for W2K3 is expected in Q1 next year; they are readying the beta for testers right about now. SP1 has new security features and, of course, all known bug fixes. With a bit of luck you'll see it at the end of the year, but don't hold your breath. On the other hand, MS Office 12's arrival date is not going to be before July 2006. Oh, and Redmond in its infinite generosity decided it will not charge more for multi-core CPUs, which I'm sure makes Intel and AMD suitably grateful.

SunPoll: The Google Results & A New One On Spyware

SunPoll Results: The majority of you are not very happy with that new Google Desktop Search tool thingie. Only 20% said you'd allow it.

And here is the new SunPoll: "What is your fave Enterprise Spyware Zapper?" Here are your four choices:

  • PestPatrol Corporate Edition
  • SpySweeper
  • Ad-Aware Pro
  • None of the above is making the grade. I'm holding out for a real enterprise-ready anti-spyware product!
Click here to vote, third column:
http://www.w2knews.com/rd/rd.cfm?id=041025ED-SunPoll

Quotes of the week: "I intend to leave after my death a large fund for the promotion of the peace idea, but I am skeptical as to its results." - Alfred Bernhard Nobel, born in 1833
"We'd all like to vote for the best man, but he's never a candidate." - Kin Hubbard, 1868 - 1930

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  ADMIN TOOLBOX

Admin Tools We Think You Shouldn't Be Without

  TECH BRIEFING

Best Practices For Your Exchange 2003 Migration

Are you thinking about migrating to Exchange 2003 or already in the process of doing so? Here is a collection of best practices, tips, expert advice - plus lessons learned from a company that recently converted to Exchange from Sendmail. Free registration may be required.
http://www.w2knews.com/rd/rd.cfm?id=041025TB-Exchange

Frequently Asked Questions: ACTIVE DIRECTORY

Editors at SearchWin2000.com converted common questions from its popular Ask the Expert feature into 11 FAQs on a range of critical Windows admin topics. In this Active Directory FAQ, Paul Hinsberg, principal consultant at managed hosting company Data Return, answers queries on domains, replication, DNS and more. Other FAQs in the series cover Group Policy, certification, desktop administration, management tools, network management, OS troubleshooting, terminal services, server administration, SMS and SUS, and IIS and Web administration. It's all at SearchWin2000 (free registration may be required):
http://www.w2knews.com/rd/rd.cfm?id=041025TB-Active_Directory

Five Reasons To Deploy IPSec Policies On Your Network

If you need to encrypt sensitive traffic flowing across an IP-based network, consider the benefits of deploying IPSec, Microsoft's built-in solution in Windows 2000 Server and Windows Server 2003. This is at the new searchWindowsSecurity site and you need to register (free) to get access to the article.
http://www.w2knews.com/rd/rd.cfm?id=041025TB-5_Reasons

How Do I Stop XP/SP2 From Deploying To Users?

Because XP SP2 is being delivered through Windows Update and Automatic Updates as a "Critical Update", it may land on your users' machines before you have tested it. So check out the MS website: they have created an ADM template (a Group Policy setting) that temporarily stops SP2 from being automatically downloaded until YOU say that it won't cause any problems. There are also notes on the other little gotchas to help you with the process.
http://www.w2knews.com/rd/rd.cfm?id=041025TB-XP_SP2

Feds Declare War On Spyware Scams

Last week's federal complaint against an alleged spyware purveyor is only an opening salvo in what promises to be an all-out effort against spyware-related scams on the Web, according to regulators and industry. The Network World Site has the story:
http://www.w2knews.com/rd/rd.cfm?id=041025TB-Spyware

  NT/2000 RELATED NEWS

Microsoft Shifts Toward Hybrid Firewall Approach

Microsoft ISA Server 2004-based hardware firewalls bridge the hardware/software firewall gap. After over a decade of packet filter-based approaches to firewall security, the word is finally getting out that application layer inspection is required to protect your corporate information assets. Hackers and other Internet criminals know there's little profit for them in launching a simple network layer DoS against your perimeter stateful filtering firewall. These malcontents want your corporate assets, to sell them for hard cash or perhaps to use the information in profitable identity theft schemes. They use application layer exploits (attacks carried inside traffic the firewall already permits, such as HTTP to your Web server) to get what they want, and they know that a stateful-filtering-only firewall, which looks at addresses, ports and connection state but never at the payload, is helpless against their attacks.

Check out what WindowSecurity.com ace reporter Magie Semilof has to say about how hardware based ISA Server 2004 firewall appliances bridge the gap between stateful filtering hardware firewalls and third generation blended hardware/software firewalls that perform stateful filtering and stateful application layer inspection. Find it at:
http://www.w2knews.com/rd/rd.cfm?id=041025RN-Firewall

Administrator's Guide to Windows Server 2003

Get all the answers you need for Windows Server 2003 FAST! Get proven solutions to minimize the WS2K3 learning curve. TechRepublic's IT pros bring you real-world techniques for deploying, troubleshooting, securing, and optimizing Microsoft's latest server technology: The Administrator's Guide to Windows Server 2003. This book-and-CD package gives you how-to steps for critical tasks and clear explanations of key concepts. As a W2Knews subscriber you save 20%, MSRP: $89.00 Your price: $71.20 (your discount will be given at checkout):
http://www.w2knews.com/rd/rd.cfm?id=041025RN-Admin_Guide

Windows Systems More Spyware Infected Than Ever

All large hardware manufacturer helpdesks are getting flooded with spyware related calls. Microsoft's help lines are also seeing red with problems caused by spyware. More and more people are doing something about it. The Internet Education Foundation and Dell last week launched a large campaign to help consumers fend off spyware. The foundation announced a new Web site, which has video tutorials and tips for Internet users to keep spyware off their computers and detect any spyware already installed. It directs visitors to free and commercial tools to easily remove spyware. Now, this is for consumers. We are still waiting for a real enterprise ready anti-spyware product. The site is here, and check the Dell and Sunbelt option while you are there...
http://www.w2knews.com/rd/rd.cfm?id=041025RN-Spyware

  THIRD PARTY NEWS

Security Event Management

Practically all of us are hooked up to the net. That causes significant extra work because you need to log and monitor the security events that are happening. You'd be surprised how much data that really is and what may happen when you do not keep a very alert eye on it. Managing security events has four phases:

  • Collect
  • Analyze
  • Correlate
  • Respond intelligently
Detecting threats in this jungle of data ain't easy. Yes, you can script it, but many system admins are not really programmers, and tools have sprung up to help out with this challenge. They are called event log monitors, and when they are used for the security log specifically they are also sometimes given the SEM moniker: "Security Event Managers". These tools allow you to automate the four phases you need to go through to keep your systems secure.

Events are dumped in the logs by the OS. Collection of all events should always be done, and in many organizations they also need to be archived for later security auditing purposes. You can apply filters to the events, so that only the relevant ones are retained, and then presented in high-level reports. It is extremely important to have this automated, but also be able to go back to 6 months earlier in case a security breach needs to be tracked back.

Analysis is the next phase. You can do this on a schedule, which is what most system admins do, but also in real time for critical servers so you can respond to threats immediately. A good example is a series of failed login attempts, which should prompt you to investigate immediately what the problem is.

You have to have the ability to analyze logs over longer time intervals so that you can look at weaknesses in your security posture. Some hacker behavior is only recognizable over several weeks or months of log analysis as they are sneaky and smart using low-impact and distributed techniques. You need to be able to do both real time and scheduled analysis.

Now that you a) have your events and b) analyzed them, you need to c) correlate these data points to see if there are any patterns. If there are, you need to determine if these patterns are threats and if so, what severity level they are. By investigating the data, you can quickly see if a certain kind of behavior comes from the same IP address for example.

When you have identified a valid threat, a response is required. You will definitely need to know your domains, and have some knowledge of forensics so that you do not destroy evidence. Plenty of books exist about this kind of careful approach to finding and catching the bad guys. You could script automated responses, but be cautious with these, as it is hard to program in real intelligence: an automatic lockout or block that fires on a spoofed or shared source address does the attacker's denial-of-service work for him.

Security Event Management, when done well, is a crucial foundation of your organization's security posture. The combination of low-cost off-the-shelf tools and admin expertise is a killer combo to keep your domains free from intruders. ServerVision is just the tool to do this, and at the insanely low price of just $50 per server you can afford to replace any other event monitor you currently have lying around.
http://www.w2knews.com/rd/rd.cfm?id=041025TP-ServerVision
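The four phases above, as an added example in Python (this is not ServerVision's code or anything from the newsletter): a toy event manager that collects constructed Windows-style logon events, analyzes them for a burst of failures from one source, correlates over a longer window and across hosts for the low-and-slow pattern and for a failures-then-success sequence, and responds by ranking the findings for a human. The log line format, host names, addresses and thresholds are invented for this example; only event IDs 529 (logon failure) and 528 (successful logon) are the real pre-Vista Windows Security log IDs.

```python
"""Toy security event manager: collect, analyze, correlate, respond.

Added example, not a product's code. The line format below is constructed
for this example; it is not a real Event Viewer export format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: a burst of failures from 10.1.2.3 followed by a
# success, a low-and-slow spray from 192.0.2.7 spread over four hosts, one
# normal typo-then-success from 10.1.5.20, and one unparseable line.
SAMPLE_LOG = """\
2004-10-25 09:00:01 SRV01 529 user=administrator src=10.1.2.3
2004-10-25 09:00:03 SRV01 529 user=administrator src=10.1.2.3
2004-10-25 09:00:04 SRV01 529 user=administrator src=10.1.2.3
2004-10-25 09:00:06 SRV01 529 user=administrator src=10.1.2.3
2004-10-25 09:00:07 SRV01 529 user=administrator src=10.1.2.3
2004-10-25 09:00:09 SRV01 528 user=administrator src=10.1.2.3
2004-10-25 09:05:00 SRV01 529 user=jsmith src=192.0.2.7
2004-10-25 09:20:00 SRV02 529 user=jsmith src=192.0.2.7
2004-10-25 09:41:00 FS01 529 user=jsmith src=192.0.2.7
2004-10-25 10:02:00 EXCH01 529 user=jsmith src=192.0.2.7
2004-10-25 09:30:00 SRV02 528 user=mlee src=10.1.5.20
this line is garbage and must be skipped
2004-10-25 09:31:00 SRV02 529 user=mlee src=10.1.5.20
2004-10-25 09:31:20 SRV02 528 user=mlee src=10.1.5.20
"""

LOGON_FAILURE, LOGON_SUCCESS = 529, 528  # pre-Vista Security log event IDs
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+) user=(\S+) src=(\S+)$")


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    user: str
    src: str


@dataclass
class Alert:
    severity: str
    src: str
    summary: str


def collect(text):
    """Phase 1: parse everything, keep everything well-formed (archive first,
    filter later), and count rather than silently drop malformed lines."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        ts, host, eid, user, src = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            host, int(eid), user, src))
    events.sort(key=lambda e: e.ts)  # logs from several hosts arrive out of order
    return events, bad


def analyze_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Phase 2: the real-time rule. Sliding window of failure timestamps per
    source address; fires once when the threshold is reached."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e.event_id != LOGON_FAILURE:
            continue
        q = recent[e.src]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.pop(0)
        if len(q) == threshold:
            alerts.append(Alert("HIGH", e.src,
                                f"{threshold} failed logons within {window.seconds}s on {e.host}"))
    return alerts


def correlate(events, min_hosts=3, window=timedelta(hours=2)):
    """Phase 3: patterns the per-event rule cannot see.
    (a) one source failing against >= min_hosts distinct hosts inside a long
        window, one failure each (low-and-slow spray);
    (b) several failures then a success for the same account from the same
        source: a guessing run that probably worked."""
    alerts, by_src = [], defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in by_src.items():
        fails = [e for e in evs if e.event_id == LOGON_FAILURE]
        if fails:
            hosts = {e.host for e in fails if e.ts - fails[0].ts <= window}
            if len(hosts) >= min_hosts:
                alerts.append(Alert("MEDIUM", src,
                                    f"failed logons against {len(hosts)} hosts within {window} (low-and-slow spray)"))
        for i, e in enumerate(evs):
            if e.event_id != LOGON_SUCCESS:
                continue
            prior = [p for p in evs[:i] if p.event_id == LOGON_FAILURE
                     and p.user == e.user and e.ts - p.ts <= timedelta(minutes=10)]
            if len(prior) >= 3:
                alerts.append(Alert("CRITICAL", src,
                                    f"{len(prior)} failures then success as {e.user} on {e.host}"))
    return alerts


def respond(alerts):
    """Phase 4: rank and hand off to a person. Deliberately no automatic
    lockout or firewall change; the raw lines stay untouched for forensics."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return [f"[{a.severity}] {a.src}: {a.summary}"
            for a in sorted(alerts, key=lambda a: order[a.severity])]


def run(text):
    events, bad = collect(text)
    return respond(analyze_bursts(events) + correlate(events)), bad


if __name__ == "__main__":
    report, bad = run(SAMPLE_LOG)
    print("\n".join(report))
    print(f"({bad} unparseable line(s) set aside for review)")
```

The mlee account shows why the thresholds matter: one failed logon followed by a success is a user mistyping a password, not an attack, and it produces no alert. The spray from 192.0.2.7 never trips the burst rule because no host sees more than one failure; only the cross-host correlation catches it, which is the point the section makes about analyzing over longer intervals.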

Linux and Solaris Patch Management

Patch management is an issue that goes beyond the realm of Windows operating systems, even though Microsoft now issues its security and other vulnerability patches in a monthly batch. Recently, universities, research institutions and high performance computing centers have become the targets of some sophisticated Linux and Solaris attacks.

The unknown attackers were able to compromise computers using a variety of techniques, then used a number of local exploits to escalate to root privileges. Like Microsoft, the Linux distributors and Sun issue patches that fix these security holes; however, successfully deploying them while keeping your Windows network in order puts more stress on already overburdened system admins. This is a significant problem considering how many organizations run mixed platforms that include MS, Red Hat Linux and Solaris operating systems. UpdateEXPERT gives you the tool you need to successfully address patching on a variety of operating systems including Windows, Red Hat Linux, Solaris and Novell. In addition, its newest version includes important new features such as Patch Rollback Support, Scan and Manage by IP Address and Scheduled Installs that make the deployment of patches easy and reliable no matter what operating systems you might be using. 30-day evals here:
http://www.w2knews.com/rd/rd.cfm?id=041025TP-UpdateEXPERT

Don't Get Hacked Like UC Berkeley!

A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in possibly the worst attack of its kind ever suffered by the school. You need to scan for vulnerabilities the moment they come out, and patch 'em like greased lightning.

SNSI has just been updated with the enormous slew of MS holes, but there are also new vulnerabilities in other platforms. New vulnerability updates for this release include:

29 new Windows checks, bringing the total Windows checks to 2287; 10 new Linux checks, bringing the total to 611; and 4 new Solaris checks, bringing the total to 246:

ID - Name - Platform
L602 - Squid - NTLM authentication helper - RH
L603 - Spamassassin - Improper email handling - RH
L604 - Ruby - Insecure file permissions - RH
L605 - Heimdal - Race condition in tnftpd - Suse
L606 - Samba - Arbitrary file access - RH, Suse
L607 - XFree86 - Xpm image decoding - RH, Suse
L608 - Openmotif - Xpm image decoding - Suse
L609 - Squid - clientAbortBody() Vulnerability - FC2
L610 - Cyrus-SASL - Buffer overflow and SASL_PATH vulnerabilities - FC, MDK
L611 - Xine-lib - Multiple string & heap vulnerabilities - MDK
S243 - TCP Loopback Connection System Hang - Solaris 7 - 9
S244 - Gzip -f File Permissions - Solaris 8
S245 - Cluster RPC Request Timeout - Solaris 8 - 9
S246 - Who Incorrect Hostname/IP - Solaris 9
W2259 - JPEG Processing (GDI+) Vulnerability - Visio 2002
W2260 - JPEG Processing (GDI+) Vulnerability - Visio 2003
W2261 - JPEG Processing (GDI+) Vulnerability - Visual Studio 2003
W2262 - JPEG Processing (GDI+) Vulnerability - Visual Studio 2002
W2263 - JPEG Processing (GDI+) Vulnerability - Miscellaneous
W2264 - RealPlayer .RM File Vulnerability
W2265 - Apache Satisfy Directive Vulnerability
W2266 - Trojan Horse Detected
W2267 - JPEG Processing (GDI+) Vulnerability - Discreet 3ds max
W2268 - JPEG Processing (GDI+) Vulnerability - Project 2002
W2269 - Project 2002 Service Pack Not Installed
W2270 - JPEG Processing (GDI+) Vulnerability - Project 2003
W2271 - RPC Runtime Library Buffer Vulnerability - NT 4.0 - MS04-029
W2272 - WebDAV XML Message Handler Vulnerability - W2K - MS04-030
W2273 - WebDAV XML Message Handler Vulnerability - XP - MS04-030
W2274 - WebDAV XML Message Handler Vulnerability - W2K3 - MS04-030
W2275 - NetDDE Vulnerability - MS04-031
W2276 - Window Management Vulnerability - MS04-032
W2277 - Virtual DOS Machine Vulnerability - MS04-032
W2278 - Graphics Rendering Engine Vulnerability - MS04-032
W2279 - Windows Kernel Vulnerability - W2K3 - MS04-032
W2280 - Excel 2000 Parameter Vulnerability - MS04-033
W2281 - Excel 2002 Parameter Vulnerability - MS04-033
W2282 - Compressed Folder Vulnerability - MS04-034
W2283 - Exchange Server 2003 SMTP Vulnerability - MS04-035
W2284 - NNTP Component Vulnerability - MS04-036
W2285 - Windows Shell Function Vulnerability - MS04-037
W2286 - Program Group Vulnerability - MS04-037
W2287 - Internet Explorer Not Updated - MS04-038

In addition, there were improvements in the following vulnerability checks:

H4, H13, H17, H19, H23, H30, H31, H37, H40, H41, H43, H45, H51, H52, H56, H58, H60, H64, H65, H68, H74, H75, H78, H91

L348, L482, L521, L562, L570, L578, L587, L590, L593, L595, L599

W1142, W1986, W1999, W2067 - Anti-virus
W2037, W2051, W2063, W2216

SNSI uses the latest MITRE Common Vulnerabilities and Exposures (CVE) list of publicly known vulnerabilities. It also covers the latest SANS/FBI Top 20 vulnerability list, and the latest CERT, CIAC, Microsoft and FedCIRC (Department of Homeland Security) advisories. To get the latest SNSI version, visit:
http://www.w2knews.com/rd/rd.cfm?id=041025TP-SNSI

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  PRODUCT OF THE WEEK

Prevent Downtime and Intrusions

ServerVision keeps your domains secure and gives you the power to see the health and status of your distributed servers in a single glance, at the same time. Its best feature is that it is easy to set up, easy to run, and easy to afford. System Admins love it. Here is a quote from one: "It seems to be an impressive product. It has much of the functionality we've been drooling over in MS Ops Manager, but less expensive and much easier to get going." Why was ServerVision built from scratch, despite many other monitor products out there? They are just hard to use. Download the 30-day eval and see for yourself how easy ServerVision really is, how much time it will save you, and how easy it is to use as a low-cost Intrusion Detection System. The price is insanely low for such a good product.

http://www.w2knews.com/rd/rd.cfm?id=041025PW-ServerVision