Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, May 9, 2005 (Vol. 10, #19 - Issue #524)
Criminal Enterprise Moves Into Net
  This issue of W2Knews™ contains:
    • It's 2005 Target Awards Time!
    • Webinar: "Data Availability Solutions"
    • Admin Tools We Think You Shouldn't Be Without
    • Mark Minasi's New Windows Tech Newsletter Is Out
    • Criminal Enterprise Moves Into Net
    • WinHEC Was Geared To Get The Longhorn Buzz Going
    • Get Up To Speed: Virtualization
    • Service Pack 1 For MS Live Comm Server
    • From The Trenches: AD Problems And Solutions
    • Virtualization Being Included In Longhorn
    • Learn, Solve, Grow at Tech.Ed 2005, June 5-10
    • ServerVision V1.1 Released
    • SANS Study: Microsoft Not The Only Hacker Target
    • San Diego Source Technology Column Likes CounterSpy
  W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • CounterSpy Compared To Spyware Doctor And MSAS
  SPONSOR: iPrism's Make the Switch Program
If you are using anything but iPrism as your Internet filtering
solution you may be paying more for less. Don't pay extra to block
malware or phishing sites. And don't pay huge renewal fees! iPrism
from St. Bernard Software wants to help you make the switch to
superior email filtering with two great offers. For a limited time,
new iPrism customers can get three years subscription for the price
of two or you can lock-in your list renewal price for life! Click
here and make the switch!
Visit iPrism's Make the Switch Program for more information.

It's 2005 Target Awards Time!

Yes, it's that time again. You can vote for your fave system admin tools at the W2Knews 2005 Target Awards. Our editorial team (me) has been keeping a weather eye on the market all year, and again selected the most popular tools in over 30 refreshed categories, 130 Best Of Breed products from 77 developers!

These Target Awards Finalists are the ultimate shortlist if you want to get a quick idea of which are the most popular tools for a specific function. (Employees of developers are not allowed to participate) "One IP, One Vote", voting closes at May 31, 2005.

Webinar: "Data Availability Solutions"

Sunbelt Software and NSI Software Present "Data Availability Solutions". Don't Miss This free Webinar - Brought to You by Sunbelt Software.

In today's diverse environments, you face a wide variety of data protection and availability issues. These range from protecting key applications like e-mail and databases to protecting branch office data. NSI Software and Sunbelt Software invite you to attend this Webinar that will focus on leveraging replication technology to solve real-world business problems. May 19th, 11AM - 12 PM (EST) Register Today!

Quotes Of The Week:
"Computo, ergo sum" -- Curt Suplee
"World domination. Fast" -- Linus Torvalds
"The great tragedy of Science: the slaying of a beautiful hypothesis by an ugly fact" -- Thomas Henry Huxley.

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])


Admin Tools We Think You Shouldn't Be Without


Mark Minasi's New Windows Tech Newsletter Is Out

This month, AD/Exchange names: the final chapter. Then a GREAT tip he found about a Windows command that fixes IP stacks broken by anti-spyware apps. (Yes, that's the ANTI-SW apps that break the IP stack.) But best of all, he's got a long article on the Log Parser tool, one of Microsoft's downloads that can do really neat analysis and report-writing on all kinds of useful stuff.

Criminal Enterprise Moves Into Net

TechWeb News interviewed Microsoft's David Aucsmith, architect and CTO, Security Business & Technology Unit.

Stronger authentication, better firewalls and use of the latest software are needed to battle an expanding Internet threat environment. At least that is the view of Microsoft's David Aucsmith. Malware, spam, phishing, spyware, bots and rootkits are raking in big bucks, and fighting them effectively is a huge challenge, Aucsmith said in a presentation at the Windows Hardware Engineering Conference (WinHEC) in Seattle.

"We've seen an explosion of criminal enterprise moving onto the Net in the last 18 months or so," he said in describing hacker motivation trends. "It's no longer just for kicks. It is for making money." The Wall Street Journal had an article on Thursday May 5 about true Mafia tactics where e-commerce sites were sent extortion emails, and told to pay up 10 grand protection money, or else be attacked. Looks like true crime has arrived in the neighborhood. More of the article here:

WinHEC Was Geared To Get The Longhorn Buzz Going

Microsoft's Windows Hardware Engineering Conference (WinHEC) last week was a calculated move to build up the buzz over Longhorn. It did. Not a tremendous buzz. Certainly not the tremendous roar it would have caused if Microsoft had announced it was changing its mind and shipping Longhorn by the end of this year. But the schedule stayed the same -- Longhorn is expected to ship just in time for December of 2006. The SystemsManagementPipeline site has the technical "lowdown on longhorn" and an interesting technical background on it:

Get Up To Speed: Virtualization

Will virtualization change the way IT departments manage enterprise-wide computing? Find out what the buzz is about in this collection of technical articles, news and tips at the SearchWin2000.com site, but also read the article below on virtualization being included in Longhorn!


Service Pack 1 For MS Live Comm Server

A lot of companies allow IM-type traffic. Many others don't, and for good reason: consumer IM clients typically send messages unencrypted, bypass the mail gateway's logging and filtering, and carry file transfers straight to the desktop. One way to keep IM and still get control over it is to run the traffic through MS's Live Communications Server 2005 (LCS), which authenticates users against AD and keeps the traffic inside your infrastructure. We finally have one set up here at Sunbelt and it works well. Redmond released the first service pack for LCS 2005. There is more to it (the companion client is still in beta, for instance), and the full story is worth reading if you have a lot of IM traffic. At the NetworkWorld site:

From The Trenches: AD Problems And Solutions

Have you ever wished you could turn to your peers and ask what they have done to solve an intricate Active Directory problem? You can! Below is a sampling of field-tested solutions to AD problems, directly from your colleagues in IT. Find solutions for:

  • Accounts being locked in Active Directory 2003
  • Secondary controller unable to access primary controller
  • Group policy: restricting users from accessing control panel
  • Windows 2003 Group Policy and NT4 Workstation
  • Group Policy changes and cached information
  • Default GPOs in Active Directory for Windows 2000 Server

Check out this data at the SearchWin2000 site:

You can also subscribe to Sunbelt's AD-List and discuss AD issues, configuration and solutions in real-time at:

Virtualization Being Included In Longhorn

Last week Redmond described the details of its plan to build virtualization features directly into Windows to try to catch up with VMware. Microsoft is working on an architecture that actually looks a lot like VMware's, and explained the road map for a lightweight "hypervisor" layer of code that will be included in Longhorn. The hypervisor will allow you to create virtual machines. It is going to be interesting to see how this will play out with the current Virtual Server and Virtual PC products. The latter might be trashed and replaced by the hypervisor code, which at this time of course is still vaporware.

Why? Virtual Server requires you to run a copy of W2K3 as the host OS. That causes overhead, which will be reduced with the hypervisor code, a thin layer that runs directly on the hardware and schedules the system's resources among the different VMs. The hypervisor's support for the upcoming virtualization extensions in chips from Intel and AMD will also increase performance.

From a system admin perspective though, it's going to be a real challenge to manage dozens or hundreds of these VMs in your racks. You're going to need tools to do that, and every one of those VMs still needs patching and monitoring like a physical box. Looks like MS is spending money to develop stuff in that direction.

Learn, Solve, Grow at Tech.Ed 2005, June 5-10

Learn how to get the most from the applications, languages, and code for the Microsoft® platform you work with every day. Experience a hands-on evaluation of the newest software and talk to the architects and engineers who built it. Network with people from all branches of the industry. Attend important Breakout Sessions like "Developing solutions on Microsoft's Identity and Access Platform" and "Managing the Software Lifecycle with Visual Studio 2005 Team System." Take back knowledge you can share with your peers. Give you and your company a competitive edge. Choose from 16 Technical Tracks, 440 Breakout Sessions and hundreds of Cabana Sessions, panel discussions, and Hands-on Labs. Tech.Ed 2005 will be in sunny Orlando, FL. Join thousands of your peers in formal and informal networking sessions. Experience the Expo Hall with hundreds of Microsoft and Microsoft Partner exhibitors and sponsors. Tech.Ed 2005 is the place to learn, solve and grow.


ServerVision V1.1 Released

V1.1 adds new connectivity options, external data storage capabilities, groups and policies. The new connectivity options allow you to connect to a computer using protocol-independent named pipes or TCP/IP if you know a Windows logon for that computer. You can also deploy to computers in another domain, provided that you know an administrative logon for that domain.

The new external data storage lets you store all captured performance data in an external SQL Server, and can also capture all OS events from the event logs and store those. This data can then be queried using whatever third party tool you want.

Groups lets you assign computers to groups, based on:

  1. Computer name
  2. The services running
  3. The operating system and role
  4. Programs installed

You can also add individual computers to a group, and build a group up from sub-groups.

Policies are predefined configuration settings that can be applied to one or more computers. For example, a "SQL Server" policy might define key services to monitor, and have 10 performance items that should be monitored, together with suitable thresholds. Out of the box, several policies will be provided, but you can add your own as well. Get a 30-day eval here:

SANS Study: Microsoft Not The Only Hacker Target

Internet miscreants turned their focus to AV products and media players in Q1'05, trying to find new vectors to break into PCs. Sure, they continued trying to exploit holes in Windows, but increasingly used flaws in other software developers' products, SANS found. Examples of new targets are Oracle Corp., Computer Associates, Apple's iTunes, RealNetworks Inc.'s RealPlayer and the very popular Winamp. Antivirus tools from Symantec, F-Secure, Trend Micro and McAfee turned out to have holes too.

To some degree this is expected. A lot of Windows users now get patched automatically, and the target is moving. So other software is taking more flak. "Operating systems have gotten better at finding and fixing things and autoupdating, so it's less fertile territory for the hackers," said SANS CEO Alan Paller.

Most hacking attempts try to create "botnets". These are being utilized for a variety of fraud like spamming, phishing, sniffing traffic for passwords, and click fraud that targets online ads. At least 1 million PCs are compromised and being used in botnets.

About 70% of current spam is now being sent by botnets, trying to fly under the radar of RBLs: each bot sends a small volume from a residential IP, so no single source gets listed. Moreover, botnets are now running their own DNS name servers on systems that they have compromised, making the task of shutting down malicious sites harder. Using "Black DNS Servers" (BDNSS), fraudsters are able to keep their phishing sites open longer by distributing their name servers amongst the thousands of compromised machines in the botnet; take one bot offline and the domain simply resolves through the next one.
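The tell-tale signs of this kind of botnet-hosted name service are addresses that rotate quickly across unrelated networks, and name servers that themselves sit on those same bot addresses. The following is an added example (not from the newsletter or the SANS report) of how a resolver log can be profiled for that pattern. The DNS answers are constructed sample data with made-up names and documentation-range addresses; distinct /24 prefixes stand in for the ASN lookup an online scanner would use.

```python
"""Heuristic for spotting botnet-hosted ("fast-flux") name service.

Added example with constructed data; not code from the newsletter, SANS,
or any Sunbelt product.  Input is a list of DNS answers as a resolver
might log them over time.
"""
from collections import namedtuple
import ipaddress

Answer = namedtuple("Answer", "ts qname rtype rdata ttl")

# Constructed sample: a phishing-style domain whose A records and NS
# glue rotate every five minutes across three unrelated networks, and an
# ordinary domain that stays inside one /24 with day-long TTLs.
SAMPLE = [
    Answer(0,    "login-verify.example",     "A",  "203.0.113.7",             300),
    Answer(0,    "login-verify.example",     "NS", "ns1.login-verify.example", 300),
    Answer(0,    "ns1.login-verify.example", "A",  "198.51.100.23",           300),
    Answer(300,  "login-verify.example",     "A",  "192.0.2.150",             300),
    Answer(300,  "login-verify.example",     "NS", "ns2.login-verify.example", 300),
    Answer(300,  "ns2.login-verify.example", "A",  "203.0.113.201",           300),
    Answer(600,  "login-verify.example",     "A",  "198.51.100.88",           300),
    Answer(900,  "login-verify.example",     "A",  "192.0.2.9",               300),
    Answer(0,    "www.example.org",          "A",  "192.0.2.40",              86400),
    Answer(0,    "www.example.org",          "NS", "ns.example.org",          86400),
    Answer(3600, "www.example.org",          "A",  "192.0.2.41",              86400),
]


def _a_records(answers, name):
    return [a for a in answers if a.qname == name and a.rtype == "A"]


def flux_profile(answers, domain, net_prefix=24):
    """Summarise how widely a domain's name service is spread.

    The A records of the domain are pooled with the A records of every NS
    host seen for it, because in the botnet case the name servers are
    compromised hosts too.  Network diversity is approximated by counting
    distinct /24 prefixes (an assumption for this offline example).
    """
    ns_hosts = sorted({a.rdata for a in answers
                       if a.qname == domain and a.rtype == "NS"})
    pooled = _a_records(answers, domain)
    for ns in ns_hosts:
        pooled += _a_records(answers, ns)
    ips = {a.rdata for a in pooled}
    nets = {ipaddress.ip_network(f"{ip}/{net_prefix}", strict=False)
            for ip in ips}
    return {
        "domain": domain,
        "ns_hosts": ns_hosts,
        "distinct_ips": len(ips),
        "distinct_nets": len(nets),
        "min_ttl": min(a.ttl for a in pooled) if pooled else None,
    }


def looks_fluxed(profile, max_ttl=600, min_nets=3):
    """Flag a domain whose addresses churn quickly across unrelated networks.

    Thresholds are illustrative; a CDN can also show low TTLs, so treat a
    hit as a lead for analysts, not as an automatic block.
    """
    return (profile["min_ttl"] is not None
            and profile["min_ttl"] <= max_ttl
            and profile["distinct_nets"] >= min_nets)


if __name__ == "__main__":
    for name in ("login-verify.example", "www.example.org"):
        prof = flux_profile(SAMPLE, name)
        print(name, prof, "SUSPICIOUS" if looks_fluxed(prof) else "ok")
```

Run against the sample, the phishing domain pools six addresses from three networks at a 300-second TTL and is flagged; the ordinary domain stays in one /24 with long TTLs and is not. Legitimate content-delivery networks also use short TTLs, so the /24 (or ASN) spread is the discriminating signal, not the TTL alone.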

In 2005 so far, more than 600 new Internet-related security holes have surfaced. About two dozen of these were rated "dangerous" because they remain unpatched on a large number of Internet-connected systems. More at the SANS website:

The above story illustrates that it is highly recommended to use a vulnerability scanner that looks for more than just missing Microsoft patches. Sunbelt's Network Security Inspector is a multiplatform product that includes checks for known holes in many third-party vendors' products. Separate updates were released on 04/29/05 and on 05/02/05. New vulnerability checks in the 04/29/05 release include:

14 new Windows checks, 16 new Linux checks, 1 new HP-UX check, 1 new Mac check, 1 new Cisco check, and 4 new Solaris checks. Just check this list and you'll see SNSI is incredibly thorough:

ID         Name
W2463  IE DHTML Object Memory Corruption Vulnerability
W2464  IE URL Parsing Memory Corruption Vulnerability
W2465  IE Content Advisor Memory Corruption Vulnerability
W2466  PHP EXIF Vulnerability
W2467  SQL Server Mixed Mode Enabled
W2468  Mozilla JavaScript Vulnerability
W2469  BrightStor ARCserve UniversalAgent Vulnerability
W2470  Firefox Javascript Vulnerability
W2471  Opera Validation Vulnerability
W2472  RealPlayer RAM File Vulnerability
W2473  Message Queuing Vulnerability - NT 4.0
W2474  TCP/IP Vulnerabilities - NT 4.0
W2475  Kernel Validation Vulnerabilities - NT 4.0
W2476  Windows Shell Application Vulnerability - NT 4.0
S290   Sun ONE and JES Directory Server Bounds Checking Solaris 8 - 10
S291   GSS-API Library validation Solaris 7 - 9
S293   Potential for theft or spoof of non-privileged services - Solaris 8-9
S294   Xsun, Xprt font alias file handling - Solaris 7-9
N49    Cisco - IOS Crafted ICMP Messages
M39    Kernel vulnerabilities
L800   Dhcp - DNS replies - RHE
L801   Gaim - HTML/IRC/Jabber message parsing - RHE, FC, MDK
L802   Kdegraphics - Kfax, libtiff bugs - RHE
L803   OpenOffice Load Function memory error - FC
L804   Sharutils Local insecure file creation error - FC
L805   Vixie-Cron Missing temp file check error - FC
L806   PHP4 - Multiple vulnerabilities - SuSE
L807   Wget - HTTP redirect statements - SuSE
L808   Midnight Commander - insert_text() function - SuSE
L809   PHP multiple exif and php_handle vulnerabilities - FC
L810   CVS - buffer overflow/memory access - SuSE, FC, MDK
L811   Logwatch - Parsing of /var/log/secure file - RHE
L812   Kernel - Multiple vulnerabilities - RHE
L813   Helixplayer - Malformed RAM files - RHE
L814   Realplayer - Malformed RAM files - RHE
L815   Firefox - Multiple vulnerabilities -  RHE
H115   Mozilla JavaScript Handling - HP-UX 11
L816   Kernel 2.4 - Multiple vulnerabilities - RHE
L817   Mozilla - Multiple vulnerabilities - RHE
S295   Libtiff image file handling - Solaris 7 - 10
S296   libxview vulnerabilities - Solaris 2.5 - 8
W2477  Office 2003 Smart Tag Issue
W2478  Office XP Debugging Permission Issue
W2479  Office XP SharePoint Vulnerabilities
W2480  Groove Virtual Office Vulnerabilities

Grab an eval of SNSI and try it out:
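Whatever scanner you use, the core of a third-party check is comparing an installed version against the version that fixed the hole, and doing that with string comparison is a classic mistake ("1.10" sorts before "1.9"). Below is an added example, not SNSI's code or data, of an audit routine over a constructed software inventory. The product names echo the ones in the SANS story, but the "fixed in" version numbers are placeholders for illustration, not real advisory data.

```python
"""Audit an installed-software inventory against fixed-in versions.

Added example with constructed data; not code or data from SNSI or any
vendor advisory.  The FIXED_IN thresholds are placeholders.
"""
import re


def parse_version(s):
    """Turn '1.10.2b' into (1, 10, 2) so that versions compare numerically.

    Only numeric components are kept; a trailing letter or '-beta' tag is
    ignored, which is an assumption that suits most desktop products.
    """
    return tuple(int(p) for p in re.findall(r"\d+", s))


def is_vulnerable(installed, fixed_in):
    """True if the installed version is older than the one that fixed the hole."""
    return parse_version(installed) < parse_version(fixed_in)


# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("ws01",  "Firefox",    "1.0.3"),
    ("ws01",  "Winamp",     "5.08"),
    ("ws02",  "Firefox",    "1.0.4"),
    ("ws02",  "RealPlayer", "10.5"),
    ("srv01", "BackupAgent", "1.10"),   # hypothetical product, shows 1.10 vs 1.9
]

# Placeholder "fixed in" versions, NOT real advisory data.
FIXED_IN = {
    "Firefox":     "1.0.4",
    "Winamp":      "5.09",
    "RealPlayer":  "10.5",
    "BackupAgent": "1.9",
}


def audit(inventory, fixed_in):
    """Return (host, product, installed, fixed_in) for every outdated install."""
    findings = []
    for host, product, version in inventory:
        if product in fixed_in and is_vulnerable(version, fixed_in[product]):
            findings.append((host, product, version, fixed_in[product]))
    return findings


if __name__ == "__main__":
    for host, product, have, need in audit(INVENTORY, FIXED_IN):
        print(f"{host}: {product} {have} is older than fixed version {need}")
```

On the sample inventory the two outdated installs on ws01 are reported, while srv01's BackupAgent 1.10 is correctly recognised as newer than 1.9; a string comparison would have flagged it as vulnerable.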

San Diego Source Technology Column Likes CounterSpy

This is a short quote from their May 2nd High-Tech Commentary: "There was a glimmer of hope for PC users tired of spyware and adware that slow down computing and invade privacy. Eliot Spitzer, attorney general of New York, filed suit against Intermix Media of Los Angeles for infecting millions of machines and then making it impossible to remove their software.

"It may be a drop in the bucket, but something needs to be done to prevent these companies from allowing their greed to harm us all. This problem is so severe that I found 135 invasions on a new PC in just three days. And that was on a computer loaded with protective software. If you wonder about your PC, download a free trial copy of CounterSpy from www.sunbelt-software.com ($19.95). It's one of the best new programs that finds and removes adware and spyware." We agree.

And here is an (abbreviated) story from a new CounterSpy user:

"If I could have a moment of your time, I'd like to tell you a little story about something that happened to me. I am considered an "advanced" PC user, and my wife is a network administrator (by profession). We have a broadband connection with a firewall and we run Norton System Tools, including NAV, on all of our computers. We felt safe, and man, we were wrong.

"One morning (March 19th) I got up and found that there were 23 iterations of Internet Explorer open on my laptop computer, Norton said that it had detected the bloodhound virus on my machine and quarantined it, but I had new and unfamiliar programs running in my system tray, and my laptop was virtually unusable because of the hijacker, malware, adware, and numerous other applications that had somehow found their way onto my computer, seemingly while I was sleeping.

"About 3 days later, I was at work, and my wife called and asked, "Um, have you recently made a $1000 purchase from some company called Alden Marketing Group?" I immediately went to the bank, and found that another "company" called DLC Marketing had been approved for a $900 debit to my account. Thankfully, this transaction was stopped, and I recovered the $1000 that had been taken. It seems that somehow, my bank information had been compromised from the attack that I'd suffered a few nights before.

"I had already scanned the whole system with Norton, and it found nothing at all (aside from that initial bloodhound virus). I scanned the system with several antispyware products and some stuff was removed, but an hour later, it seemed to heal itself and came right back. My wife and I spent 2 days rooting around in the registry, trying to identify hidden instances of the malicious crap that had infested my computer. My wife had suggested that I should just format my hard drive, but it's such a hassle to try to back up everything (and risk that you are also backing up the malware and hijacker code), so I kept searching for something.

"When I downloaded and installed CounterSpy, I wondered what it would find, but I was still leery about how much good it would do. When the scan finished, the software had identified 17 different threats and over 140 infected files and over 200 infected registry keys.

"Since the moment CounterSpy corrected and removed the problem files on my computer, I have not had a moment's trouble with it. I'd been wishing, also, that I could easily turn off some of the stuff in my start menu, and found that it has that, too. I just wanted to tell you that I've come to realize, first hand, that it isn't only inexperienced or complacent Internet users who can fall prey to the miscreants who get rich duping honest people out of their money. I want to say that Sunbelt Software has a wonderful product, an excellent attitude, and is a rare breed in today's software market. -- Steven W. Sharp, Huntsville, Alabama"

You can try out the client version of CounterSpy here:


This Week's Links We Like. Tips, Hints And Fun Stuff


CounterSpy Compared To Spyware Doctor And MSAS

As you know, PC World compared a whole bunch of antispyware tools in April. CounterSpy came up as the 2005 Best Buy. Chart:

BUT... two products were not in that review: Spyware Doctor and the Microsoft antispyware beta. PC World decided to do another review, and compare CounterSpy to the two they could not do in April. Here's one line from the review: "For its part, CounterSpy continues to detect both Hotbar and WhenUSearch--and its detection rate in this latest round of tests increased from an 85 percent overall average to an excellent 92 percent." This is a link to the NEW review from the PC World June 2005:

Find out how much spyware sits on your PC: