Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 15, 2005 (Vol. 10, #33 - Issue #538)
Sunbelt Researchers Discover Massive ID Theft Ring
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Sunbelt Researchers Discover Massive ID Theft Ring
    • One In 4 Spams Is Now Malicious
    • Are ISPs Safe?
    • New SunPoll: Who is your fave AV-vendor?
  2. ADMIN TOOLBOX
    • Admin Tools We Think You Shouldn't Be Without
  3. TECH BRIEFING
    • Be Careful When Moving Exchange Public Folder Objects
    • How To Prevent VPN Users From Logging In With Insecure PCs?
    • The Case Of The Stolen Wi-Fi: What You Need To Know
    • New WinXP Media Center Remote Keyboard Interview
    • BellSouth Launches Pre-WiMAX Service
  4. NT/2000 RELATED NEWS
    • Would A Guarantee Sway Software Assurance Customers?
    • Microsoft Will Reissue W2K SP4
    • Microsoft Unwraps HoneyMonkey Detection Project
    • Longhorn Server Beta Out To 5,000 Testers
  5. NT/2000 THIRD PARTY NEWS
    • CounterSpy Enterprise Security Advisory
    • Q3: iHateSpam For Exchange with Maintenance "2 for 1"
    • More On: What Really IS The State Of Adware Detections?
  6. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  7. PRODUCT OF THE WEEK
    • BOOK: Extreme Exploits. Advanced Defenses...
  SPONSOR: Is Your Antivirus Not Effective In Detecting Spyware?
If you have found your AV vendor to be less than effective at
detecting and quarantining spyware, you are not the only one. The
leading AV companies now claim they catch spyware but in reality,
their results are not even close to the dedicated stand-alone tools.
You cannot afford to have a false sense of security when your
organization's security and compliance is at stake! eWEEK said this
about Symantec: "Unfortunately, deficiencies with the anti-spyware
cleaning and blocking routines make it difficult to recommend this
solution for companies battling the spyware scourge." 30-day eval
CounterSpy with the best antispyware database in the industry.

Visit Is Your Antivirus Not Effective In Detecting Spyware? for more information.
  EDITORS CORNER

Sunbelt Researchers Discover Massive ID Theft Ring

It did not make it in before the W2Knews deadline last week, and we were already sending W2Knews out when this scoop broke all over the IT press and even Slashdot. Our spyware researchers found a massive amount of keylogger information. In the last week we had tons of press mentions and even had a couple of local news channels put it in their nightly news. It's one of those horror stories that keep you awake at night, and many people seem to think the same. Go to Google and search on: "ID theft ring Sunbelt". When I last looked, we were close to 50,000 hits! By the time you see it, there are likely to be more.

One In 4 Spams Is Now Malicious

Yes, the topic is getting a little tired, however the Spam problem continues to get worse. Now one in 4 spams carries some kind of malicious payload. Either a virus is attached, it sends the user to a spyware site, or it has links in it that could lead to ID theft. Jeez, it's getting uglier out there by the year. You wonder if these guys could get a real job and spend all that brainpower for something a bit more constructive than fraud!

Are ISPs Safe?

A recent question that I got was: "We all connect to the Internet via our ISP. All these ISPs must have the latest firewalls and spyware filters to protect their servers, yet in order for me to get some trojan horse it has to pass through these servers. Why can't this be filtered out by my ISP before it gets to me?"

Answer: You would assume that ISPs are completely secure. That they would be watching out for attacks, and always protect their customers. But the reality is that only some do and some others fail to do even the basics.

You would assume that ISPs do not allow hacking across their networks. The reality is that port scans and hack attempts happen all the time, and your ISP never even warns you.

You would assume that an ISP provides you with fully secure firewalls. The reality is that their firewalls may not be monitored, and your ISP's security policies may not be set up sufficiently to protect your networks.

You would assume that if your PC gets attacked, you can call your ISP for help. The reality is that support engineers are often hard to get hold of, and often ISPs need to communicate among themselves, since the attack passes through several of them before it hits you. Often these lines of "emergency communication" are broken as well. Hackers know this and exploit these "organizational broken lines" as well as the technical vulnerability in your computer.

In other words kids, firewalls UP! and antispyware ON!

New SunPoll: Who is your fave AV-vendor?

Which AV company is your fave at the moment for enterprise-wide antivirus protection? (As opposed to dedicated for Exchange.) Symantec / Trend / McAfee / Sophos / Panda / CA eTrust / Clam AV / Bitdefender / Other
Vote here:
http://www.w2knews.com/rd/rd.cfm?id=050815ED-Sun_Poll

Quotes Of The Week:
"That which does not kill us is going to wish it had" -- Unknown
"Constantly choosing the lesser of two evils is still choosing evil." -- Jerry Garcia

Warm regards, Stu Sjouwerman (email me with feedback: [email protected])

  ADMIN TOOLBOX

Admin Tools We Think You Shouldn't Be Without

  TECH BRIEFING

Be Careful When Moving Exchange Public Folder Objects

Unpredictable things can happen if a public folder's objects are moved out of the Exchange System Objects organizational unit. This tip from Serdar Yegulalp explains what to watch out for and how to fix it. Good article at the SearchExchange site:
http://www.w2knews.com/rd/rd.cfm?id=050815TB-Public_Folder

How To Prevent VPN Users From Logging In With Insecure PCs?

Randy Franklin Smith, a contributor to Windows IT Pro Magazine, wrote the following Q&A which I thought was extremely useful. (Grateful acknowledgements to WinITPro.)

Q: I want to prevent VPN users from logging on to our corporate network unless specific software (e.g., antivirus software) is installed and running on the remote system. I know that I could use a third-party utility, such as Zone Labs' Integrity Desktop, but I'd like to accomplish the task just with Windows. Is that possible?

A: If you use Windows Server 2003's Internet Authentication Service (IAS) as your RADIUS server, you can take advantage of IAS's Network Access Quarantine Control feature and Connection Manager Admin Kit (CMAK). With these two technologies, you can write a script for the VPN client to run. The script can perform any checks or modifications that are necessary to bring the client into compliance with your policy. CMAK takes care of the client side and installs a notifier component; Quarantine Control implements the server-side listener component.

When a VPN client connects and authenticates, IAS restricts the client from accessing the network until the client's notifier component verifies that the script has finished and sends the IAS server's listener component the results of the script's checks. When the script reports that the client complies with your policy, IAS allows the client typical network access.

To install CMAK, open the Control Panel Add/Remove Programs applet and click Add/Remove Windows Components. In the Components list box, click Management and Monitoring Tools (don't change the check box), then click Details. Select the Connection Manager Admin Kit check box. Click OK, then click Next and Finish. For instructions about how to set up Quarantine Control, look up "IAS Network Access Quarantine Control" in Windows 2003 Help. For a Microsoft white paper about Quarantine Control VPNs, go to:
http://www.w2knews.com/rd/rd.cfm?id=050815TB-Insecure_PCs
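To give you a feel for what "a script for the VPN client to run" looks like in practice, here is an added example of a CMAK post-connect quarantine script. It is constructed for this newsletter and is not code from Randy Franklin Smith, Windows IT Pro or Microsoft. The script checks two things on the client (that an antivirus service is running and that Windows Firewall is enabled) and, only if both pass, calls rqc.exe, the Remote Access Quarantine Client that Microsoft provides for this feature, so the IAS listener (rqs.exe) can lift the quarantine. Assumptions, all labelled in the code: CMAK is configured to pass the connection name, tunnel name, domain and user name as the four arguments; the listener port 7250, the script version string and the antivirus service name are placeholders you must replace; and the rqc.exe argument order (connection name, tunnel name, TCP port, domain, user name, script version) is as I recall it from the Microsoft documentation, so check it against your own deployment before rolling it out.

```batch
@echo off
rem Constructed example CMAK post-connect quarantine script (not Microsoft's code).
rem Assumed CMAK custom-action parameters: %1 connection name, %2 tunnel name,
rem %3 domain, %4 user name.
setlocal
set CONN=%~1
set TUNNEL=%~2
set DOMAIN=%~3
set USER=%~4

rem Placeholders (assumptions): listener port, script version and AV service name.
set LISTEN_PORT=7250
set SCRIPT_VERSION=CorpQuarantineScript-v1
set AV_SERVICE=YourAntivirusServiceName

rem Check 1: the antivirus service must be running.
rem "sc query" prints a STATE line containing RUNNING when it is; find returns
rem errorlevel 1 if that text (or the service itself) is missing.
sc query "%AV_SERVICE%" | find /i "RUNNING" >nul
if errorlevel 1 (
    echo Antivirus service %AV_SERVICE% is not running.
    goto noncompliant
)

rem Check 2: Windows Firewall must be enabled (Windows XP SP2 and later).
rem "netsh firewall show state" prints "Operational mode = Enable" when it is on.
netsh firewall show state | find /i "Operational mode" | find /i "Enable" >nul
if errorlevel 1 (
    echo Windows Firewall is not enabled.
    goto noncompliant
)

rem Both checks passed: tell the IAS listener so the quarantine is released.
rem Argument order assumed: ConnName TunnelConnName TCPPort Domain UserName ScriptVersion.
rqc.exe "%CONN%" "%TUNNEL%" %LISTEN_PORT% "%DOMAIN%" "%USER%" %SCRIPT_VERSION%
if errorlevel 1 (
    echo Could not notify the quarantine listener; client stays quarantined.
    exit /b 2
)
echo Client complies with policy; quarantine release requested.
exit /b 0

:noncompliant
echo Client does not meet policy; staying in quarantine. Fix the items above and reconnect.
exit /b 1
```

Note that a client which simply never runs the script (an old profile, or a user who edits it) never sends the notification, so it stays in quarantine by default; that fail-closed behaviour is the whole point of the design, and it is why the script version string matters: the listener can reject notifications from versions you have retired.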

The Case Of The Stolen Wi-Fi: What You Need To Know

ComputerWorld has a good story about Wi-Fi stealing. You need to know this when you have WAPs in your offices! It starts like this: "Benjamin Smith III and Gregory Straszkiewicz both were arrested for allegedly stealing something no one could see, hear or feel. That thing was valuable enough for victims to press charges in both cases. But the arrests were over something many consumers throw out their windows every day: a Wi-Fi signal.

"The idea of a police car roaring down the street to catch a roving Doom junkie using someone else's wireless LAN may seem silly, but there are real dangers if your network plays host to strangers. The hazards you might face include eavesdropping, theft of data, painful legal hassles or even a conviction for computer-related crimes. And if you casually tap into your neighbor's Wi-Fi sometimes, these arrests -- Smith was arrested in Florida and Straszkiewicz in Isleworth, U.K. -- signal that it's at least possible you might run afoul of a law and an irritated fellow citizen." The rest of the story is here:
http://www.w2knews.com/rd/rd.cfm?id=050815TB-Stolen_WiFi

New WinXP Media Center Remote Keyboard Interview

Have a XP Media Center running? I have. Love it. There is now a special keyboard for XP, and of course it is wireless. It has a mouse too. Here is an interview with Wendy Apperson, Product Manager: Microsoft Remote Keyboard for Windows XP Media Center Edition and Wireless Optical Desktop 5000:
http://www.w2knews.com/rd/rd.cfm?id=050815TB-Keyboard

BellSouth Launches Pre-WiMAX Service

Told ya! WiMAX is getting to be installed in test cities. ;-)

(Courtesy of TechWeb News) Computer users in a Georgia community are being introduced to broadband WiMAX this week as BellSouth launches its fixed wireless service and WiMAX modems hit electronics stores. Because the WiMAX Forum is still putting the finishing touches on the WiMAX standard, the technology is officially called "pre-WiMAX," but providers of both the service and the hardware generally are guaranteeing the high-speed solution will operate after the standard is set. More at:
http://www.w2knews.com/rd/rd.cfm?id=050815TB-WiMAX

  NT/2000 RELATED NEWS

Would A Guarantee Sway Software Assurance Customers?

What will it take for IT executives and financial managers to stop hating Microsoft's Software Assurance? More assurance would be a good start -- like 24-hour support. Story at SearchWin2000.com
http://www.w2knews.com/rd/rd.cfm?id=050815RN-Assurance

Microsoft Will Reissue W2K SP4

Redmond is going to roll out a new version of SP4. Quite a few problems are dogging users who installed the SP4 update rollup that was released in late June instead of an SP5. A bunch of problems with third-party security apps and things like network-printing issues have surfaced. As you all know, Redmond ended mainstream support for W2K client and server on June 30.

On their website they said: "We plan to reissue Update Rollup 1 for Windows 2000 SP4 soon. Several hotfixes will be integrated into the new version of Update Rollup 1 for Windows 2000 SP4." They also mentioned that the problems with the Rollup are "isolated" and "affect few customers." You are advised, again and as usual, to TEST, TEST, TEST and check the known bugs at:
http://www.w2knews.com/rd/rd.cfm?id=050815RN-W2K_SP4

Microsoft Unwraps HoneyMonkey Detection Project

Wow, that's a pretty funky name, but oh well. Phileas and SPECTRE are also a bit "creative". What are we talking about here? Anti-spyware vendors need to check thousands of sites for new versions of malware. All three projects do something similar. Redmond calls its crawler HoneyMonkey, Webroot calls its spider Phileas, and Sunbelt calls its crawler SPECTRE. These projects automate a lot of the process of finding new threats, as they are designed to crawl the "dark side" of the Internet. [grin]

Longhorn Server Beta Out To 5,000 Testers

There was a lot of noise these last few weeks about Windows Vista beta 1 being released. We have it and it looks good, but somewhat lost amid the recent fanfare, Redmond actually also shipped the first beta of its server version to 5,000 early beta testers! It's not going to be called Vista Server, so we're probably looking at Windows 2007, which is fine with me actually, and I'd make a new abbreviation like "W2K7". Expect the server to arrive 12 months after Vista's target ship date of late 2006.

  THIRD PARTY NEWS

CounterSpy Enterprise Security Advisory

CounterSpy Enterprise Protects Against New Spyware Keylogger

A newly identified spyware keylogger, named 'Srv.SSA-KeyLogger', was discovered by Sunbelt's Research team, uncovering a massive online identity theft ring in which thousands of unsuspecting computer users' personal data was compromised.

The keylogger itself is a new variant of existing trojans known as Dumaru or Nibu. Among other things, it secretly steals data from Internet Explorer users' internet sessions, including logins and passwords from online banking sessions, eBay, PayPal, and any other programs that use web-based forms to collect personal information.

To protect CounterSpy Enterprise end-users from this harmful keylogger, a set of new definitions (version 217) has been added to CounterSpy's spyware threat database. Make sure the definitions of CounterSpy Enterprise are updated to version 217 or later; for the consumer version of CounterSpy, the corresponding definition version is 216.

If one of your end-users' PCs is infected and Srv.SSA-KeyLogger shows up as quarantined by CounterSpy, that means corporate data may have been compromised. We advise you to immediately take the appropriate action and investigate. The new definition version 217 is available for download.

Also, visit our new CounterSpy Research Center for the details about this new keylogger in the new Advisory Section at:
http://www.w2knews.com/rd/rd.cfm?id=050815TP-Advisory

Q3: iHateSpam For Exchange with Maintenance "2 for 1"

The new iHateSpam for Exchange V1.7 is being very well received. Its efficiency is close to 100% with low false positives. Sunbelt wants to give all customers the opportunity to get this award-winning tool during the third quarter of 2005 with 2 years' worth of maintenance, but only pay for ONE year! That also will make you eligible for the awesome NINJA product, which is the successor of iHateSpam for Exchange. Talk to your Reseller or Rep, and make sure your purchase order is received before midnight Sept 30, 2005.

On July 18, 2005 Sunbelt Software announced the release of iHateSpam for Exchange V1.7, complete with not one but two spam detection engines!

The two engines offer administrators a choice of how to protect their users from spam as well as provide almost 100% spam detection with low false positives when both engines are used. The new V1.7 delivers the industry's only system with dual spam detection engines. You can opt for the Sunbelt Software antispam engine only, the Cloudmark antispam engine only, or both engines. I suggest using both for maximum effectiveness.

iHateSpam for Exchange was uniquely developed for the Exchange Admin. Control spam according to the needs of your company, your users and especially your own needs! iHateSpam for Exchange is still the best-selling antispam solution for Exchange with more than 5,000 enterprise installations. Test it in your own environment for 30 spam-free days. Download your eval copy now.
http://www.w2knews.com/rd/rd.cfm?id=050815TP-iHSE

More On: What Really IS The State Of Adware Detections?

A lot of people who went to the SpywareWarrior site to check out which product detected what threats came back and asked us a good question. Despite the fact that CounterSpy was detecting practically all the threats, it was not in the recommended list. Why? Well, both Suzi and Eric, who run the site, are consulting for Sunbelt. They feel it is a conflict of interest to recommend a tool on their site from a company that has hired them as consultants. And we agree: this is an ethical position to take, and we respect their personal integrity.

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  PRODUCT OF THE WEEK

BOOK: Extreme Exploits. Advanced Defenses...

McGraw-Hill Osborne sent me this one for review. Wow, this is good but advanced security stuff. Some of it I got pretty quick, other bits went over my head but at the end of each chapter is a check-list of security configurations and policies. If you want to keep your organization free from intruders, you need to check out this book. I gave it to our CTO to check our own networks. Here is their sales blurb.

"Protect your network and web sites from malicious attacks with help from this cutting-edge guide. Extreme Exploits is packed with never-before-published advanced security techniques and concise instructions that explain how to defend against devastating vulnerabilities in software and network infrastructure. This book will give a detailed analysis of modern threats and their solutions along with a checklist for developing defenses at the end of each chapter. You'll also be introduced to a winning methodology for custom vulnerability assessments including attack profiling and the theatre of war concept. Through in-depth explanations of underlying technologies, you'll learn to prepare your network and software for threats that don't yet exist. This is a must-have volume for anyone responsible for network security."

http://www.w2knews.com/rd/rd.cfm?id=050815PW-Extreme_Exploits