Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 15, 2005 (Vol. 10, #33 - Issue #538)
Sunbelt Researchers Discover Massive ID Theft Ring
This issue of W2Knews contains:
- EDITORS CORNER
- Sunbelt Researchers Discover Massive ID Theft Ring
- One In 4 Spams Is Now Malicious
- Are ISPs Safe?
- New SunPoll: Who is your fave AV-vendor?
- ADMIN TOOLBOX
- Admin Tools We Think You Shouldn't Be Without
- TECH BRIEFING
- Be Careful When Moving Exchange Public Folder Objects
- How To Prevent VPN Users From Logging In With Insecure PCs?
- The Case Of The Stolen Wi-Fi: What You Need To Know
- New WinXP Media Center Remote Keyboard Interview
- BellSouth Launches Pre-WiMAX Service
- NT/2000 RELATED NEWS
- Would A Guarantee Sway Software Assurance Customers?
- Microsoft Will Reissue W2K SP4
- Microsoft Unwraps HoneyMonkey Detection Project
- Longhorn Server Beta Out To 5,000 Testers
- NT/2000 THIRD PARTY NEWS
- CounterSpy Enterprise Security Advisory
- Q3: iHateSpam For Exchange with Maintenance "2 for 1"
- More On: What Really IS The State Of Adware Detections?
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- BOOK: Extreme Exploits. Advanced Defenses...
SPONSOR: Is Your Antivirus Not Effective In Detecting Spyware?
If you have found your AV vendor to be less than effective at
detecting and quarantining spyware, you are not the only one. The
leading AV companies now claim they catch spyware but in reality,
their results are not even close to the dedicated stand-alone tools.
You cannot afford to have a false sense of security when your
organization's security and compliance is at stake! eWEEK said this
about Symantec: "Unfortunately, deficiencies with the anti-spyware
cleaning and blocking routines make it difficult to recommend this
solution for companies battling the spyware scourge." 30-day eval
CounterSpy with the best antispyware database in the industry.
Sunbelt Researchers Discover Massive ID Theft Ring
It did not make it in before the W2Knews deadline last week, and we
were already sending W2Knews out when this scoop broke all over the
IT press and even Slashdot. Our spyware researchers found a massive
amount of keylogger information. In the last week we had tons of
press mentions and even had a couple of local news channels put
it in their nightly news. It's one of those horror stories that keep
you awake at night, and many people seem to think the same. Go to
Google and search on: "ID theft ring Sunbelt". When I last looked,
we were close to 50,000 hits! When you see it, there are likely to
One In 4 Spams Is Now Malicious
Yes, the topic is getting a little tired, but the spam problem
continues to get worse. Now one in four spams carries some kind of
malicious payload: either a virus is attached, it sends the user to
a spyware site, or it has links in it that could lead to ID theft.
Jeez, it's getting uglier out there by the year. You wonder if these
guys could get a real job and spend all that brainpower for something
a bit more constructive than fraud!
Are ISPs Safe?
A recent question that I got was: "We all connect to the Internet
via our ISP. All these ISP must have the latest firewalls and spyware
filters to protect their servers, yet in order for me to get some
trojan horse it has to pass through these servers. Why can't this
be filtered out by my ISP before it gets to me?"
Answer: You would assume that ISPs are completely secure. That they
would be watching out for attacks, and always protect their customers.
But the reality is that only some do and some others fail to do even
You would assume that ISPs do not allow hacking across their networks.
The reality is that port scans and hack attempts happen all the
time, and your ISP never even warns you.
You would assume that an ISP provides you with fully secure firewalls.
The reality is that their firewalls may not be monitored, and your
ISP's security policies may not be set up sufficiently to protect
You would assume that if your PC gets attacked, you can call your
ISP for help. The reality is that support engineers are often hard
to get hold of, and often ISPs need to communicate among themselves,
since the attack passes through several of them before it hits you.
Often these lines of "emergency communication" are broken as well.
Hackers know this and exploit these broken organizational lines as
well as the technical vulnerabilities in your computer.
In other words kids, firewalls UP! and antispyware ON!
New SunPoll: Who is your fave AV-vendor?
Which AV Company is your fave at the moment for enterprise-wide
antivirus protection? (As opposed to dedicated for Exchange)
Symantec / Trend / McAfee / Sophos / Panda / CA eTrust / Clam AV
Bitdefender / Other
Quotes Of The Week:
"That which does not kill us is going to wish it had" -- Unknown
"Constantly choosing the lesser of two evils is still choosing
evil." -- Jerry Garcia
(email me with feedback: [email protected])
Admin Tools We Think You Shouldn't Be Without
Be Careful When Moving Exchange Public Folder Objects
Unpredictable things can happen if a public folder's objects are
moved out of the Exchange System Objects organizational unit.
This tip from Serdar Yegulalp explains what to watch out for
and how to fix it. Good article at the SearchExchange site:
How To Prevent VPN Users From Logging In With Insecure PCs?
Randy Franklin Smith, a contributor to Windows IT Pro Magazine
wrote the following Q&A which I thought was extremely useful.
(Grateful acknowledgements to WinITPro)
Q: I want to prevent VPN users from logging on to our corporate
network unless specific software (e.g., antivirus software) is
installed and running on the remote system. I know that I could
use a third-party utility, such as Zone Labs' Integrity Desktop,
but I'd like to accomplish the task just with Windows. Is that
A: If you use Windows Server 2003's Internet Authentication
Service (IAS) as your RADIUS server, you can take advantage of
IAS's Network Access Quarantine Control feature and Connection
Manager Admin Kit (CMAK). With these two technologies, you can
write a script for the VPN client to run. The script can perform
any checks or modifications that are necessary to bring the client
into compliance with your policy. CMAK takes care of the client
side and installs a notifier component; Quarantine Control
implements the server-side listener component.
When a VPN client connects and authenticates, IAS restricts the
client from accessing the network until the client's notifier
component verifies that the script has finished and sends the
IAS server's listener component the results of the script's checks.
When the script reports that the client complies with your policy,
IAS allows the client typical network access.
To install CMAK, open the Control Panel Add/Remove Programs applet
and click Add/Remove Windows Components. In the Components list box,
click Management and Monitoring Tools (don't change the check box),
then click Details. Select the Connection Manager Admin Kit check
box. Click OK, then click Next and Finish. For instructions about
how to set up Quarantine Control, look up "IAS Network Access
Quarantine Control" in Windows 2003 Help. For a Microsoft white
paper about Quarantine Control VPNs, go to:
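To make the above concrete, here is an added example of the kind of client-side script CMAK would run as a post-connect action. It is not Randy's code or Microsoft's sample script: the AV process name and definitions path are placeholders, and the rqc.exe argument order, the CMAK parameter variables (%DialRasEntry% %TunnelRasEntry% %Domain% %UserName%) and the default listener port 7250 are assumed from the Quarantine Control documentation of the time, so verify them against your own Help and white paper.

```batch
@echo off
rem Added example of a Quarantine Control client check script
rem (not the article's or Microsoft's own sample).
rem CMAK should launch it as a post-connect action with the parameters
rem   %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
rem (assumed; confirm against the CMAK custom-action documentation).
setlocal

set DIAL_ENTRY=%1
set TUNNEL_ENTRY=%2
set DOMAIN=%3
set USER=%4

rem The version string must match an entry in the rqs.exe listener's
rem allowed list on the IAS/RRAS server, otherwise the notification is
rem rejected and the client stays in quarantine.
set SCRIPT_VERSION=AVCHECK-2005-08-15
set RQC_PORT=7250

rem Placeholders: replace with the real AV process and definitions file.
set AV_PROCESS=YourAntivirus.exe
set AV_DEFS=C:\Program Files\YourAntivirus\defs\current.dat

rem Check 1: the antivirus engine must be running. tasklist prints an
rem INFO line (and exits 0) when nothing matches, so grep its output.
tasklist /FI "IMAGENAME eq %AV_PROCESS%" | find /I "%AV_PROCESS%" >nul
if errorlevel 1 (
    echo Policy check failed: %AV_PROCESS% is not running.
    goto :noncompliant
)

rem Check 2: the definitions file must exist at all.
if not exist "%AV_DEFS%" (
    echo Policy check failed: no definitions found at "%AV_DEFS%".
    goto :noncompliant
)

rem Both checks passed: tell the notifier to report compliance. rqc.exe
rem (installed by CMAK) contacts the rqs.exe listener, which then lifts
rem the quarantine filters for this connection.
rqc.exe %DIAL_ENTRY% %TUNNEL_ENTRY% %RQC_PORT% %DOMAIN% %USER% %SCRIPT_VERSION%
if errorlevel 1 echo Notifier failed; client remains quarantined.
goto :eof

:noncompliant
rem Do not call rqc.exe: the client stays restricted until the quarantine
rem session timer on the server disconnects it.
echo Remote PC does not meet policy; network access stays restricted.
exit /b 1
```

The noncompliant branch only prints a message; in practice you would point the user at an update server reachable from inside the quarantine filter set.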
The Case Of The Stolen Wi-Fi: What You Need To Know
ComputerWorld has a good story about Wi-Fi Stealing. You need
to know this when you have WAP's in your offices! It starts
like this: "Benjamin Smith III and Gregory Straszkiewicz both
were arrested for allegedly stealing something no one could see,
hear or feel. That thing was valuable enough for victims to press
charges in both cases. But the arrests were over something many
consumers throw out their windows every day: a Wi-Fi signal.
"The idea of a police car roaring down the street to catch a
roving Doom junkie using someone else's wireless LAN may seem
silly, but there are real dangers if your network plays host
to strangers. The hazards you might face include eavesdropping,
theft of data, painful legal hassles or even a conviction for
computer-related crimes. And if you casually tap into your
neighbor's Wi-Fi sometimes, these arrests -- Smith was arrested
in Florida and Straszkiewicz in Isleworth, U.K. -- signal that
it's at least possible you might run afoul of a law and an
irritated fellow citizen." The rest of the story is here:
New WinXP Media Center Remote Keyboard Interview
Have an XP Media Center running? I have. Love it. There is now a
special keyboard for XP, and of course it is wireless. It has
a mouse too. Here is an interview with Wendy Apperson, Product
Manager: Microsoft Remote Keyboard for Windows XP Media Center
Edition and Wireless Optical Desktop 5000:
BellSouth Launches Pre-WiMAX Service
Told ya! WiMAX is starting to be installed in test cities. ;-)
(Courtesy of TechWeb News) Computer users in a Georgia community
are being introduced to broadband WiMAX this week as BellSouth
launches its fixed wireless service and WiMAX modems hit
electronics stores. Because the WiMAX Forum is still putting
the finishing touches on the WiMAX standard, the technology is
officially called "pre-WiMAX," but providers of both the service
and the hardware generally are guaranteeing the high-speed
solution will operate after the standard is set. More at:
NT/2000 RELATED NEWS
Would A Guarantee Sway Software Assurance Customers?
What will it take for IT executives and financial managers to
stop hating Microsoft's Software Assurance? More assurance would
be a good start -- like 24-hour support. Story at SearchWin2000.com
Microsoft Will Reissue W2K SP4
Redmond is going to roll out a new version of SP4. Quite a few
problems are dogging users who have installed the SP4 update
rollup that was released late June instead of SP5. A bunch of
problems with third-party security apps and things like
network-printing issues have surfaced. As you all know, Redmond
ended mainstream support for W2K client and server on June 30.
On their website they said: "We plan to reissue Update Rollup 1
for Windows 2000 SP4 soon. Several hotfixes will be integrated
into the new version of Update Rollup 1 for Windows 2000 SP4."
They also mentioned that the problems with the Rollup are
"isolated" and "affect few customers." You are advised to again,
as usual, TEST, TEST, TEST and check the known bugs at:
Microsoft Unwraps HoneyMonkey Detection Project
Wow, that's a pretty funky name, but oh well. Phileas and SPECTRE
are also a bit "creative". What are we talking about here?
Anti-spyware vendors need to check thousands of sites for new
versions of malware, and all three projects do something similar.
Redmond calls its crawler HoneyMonkey, Webroot calls its spider
Phileas, and Sunbelt calls its crawler SPECTRE. These projects
automate a lot of the process of finding new threats, as they are
designed to crawl the "dark side" of the Internet. [grin]
Longhorn Server Beta Out To 5,000 Testers
There was a lot of noise these last few weeks about Windows Vista
beta 1 being released. We have it and it looks good, but somewhat
lost amid the recent fanfare, Redmond actually also shipped the
first beta of its server version to 5,000 early beta testers!
It's not going to be called Vista Server, so we're probably
looking at Windows 2007, which is fine with me actually, and I'd
make a new abbreviation like "W2K7". Expect the server to arrive
12 months after Vista's target ship date of late 2006.
THIRD PARTY NEWS
CounterSpy Enterprise Security Advisory
CounterSpy Enterprise Protects Against New Spyware Keylogger
A newly identified spyware keylogger, named 'Srv.SSA-KeyLogger',
was discovered by Sunbelt's Research team, uncovering a massive
online identity theft ring in which thousands of unsuspecting
computer users' personal data was compromised.
The keylogger itself is a new variant of existing trojans known
as Dumaru or Nibu. Among other things, it secretly steals data
from Internet Explorer users' internet sessions, including
logins and passwords from online banking sessions, eBay, PayPal,
and any other programs that use web-based forms to collect personal
To protect CounterSpy Enterprise end-users from this harmful
keylogger, a set of new definitions (version 217) has been added
to CounterSpy's spyware threat database. Make sure the definitions
of CounterSpy Enterprise are updated to version 217 or later; for
the consumer version of CounterSpy, it would be definition 216.
If one of your end users' PCs is infected and Srv.SSA-KeyLogger
shows up as quarantined by CounterSpy, that means corporate data
may have been compromised. We advise you to immediately take the
appropriate action and investigate. The new definition version
217 is available for downloading.
Also, visit our new CounterSpy Research Center for the details
about this new keylogger in the new Advisory Section at:
Q3: iHateSpam For Exchange with Maintenance "2 for 1"
The new iHateSpam for Exchange V1.7 is being very well received.
Its efficiency is close to 100% with low false positives. Sunbelt
wants to give all customers the opportunity to get this award
winning tool during the third quarter of 2005 with 2 years worth
of maintenance, but only pay ONE year! That also will make you
eligible for the awesome NINJA product which is the successor
of iHateSpam for Exchange. Talk to your Reseller or Rep, and make
sure your purchase order is received before midnight Sept 30, 2005.
On July 18, 2005 Sunbelt Software announced the release of iHateSpam
for Exchange V1.7 complete with, not one but, two spam detection
The two engines offer administrators a choice of how to protect
their users from spam as well as provide almost 100% spam detection
with low false positives when both engines are used. The new V1.7
delivers the industry's only system with dual spam detection engines.
You can opt for the Sunbelt Software antispam engine only, the
Cloudmark antispam engine only, or both engines. I suggest using
both for maximum effectiveness.
iHateSpam for Exchange was uniquely developed for the Exchange
Admin. Control spam according to the needs of your company, your
users and especially your own needs! iHateSpam for Exchange is
still the best-selling antispam solution for Exchange with more
than 5,000 enterprise installations. Test it in your own environment
for 30 spam-free days. Download your eval copy now.
More On: What Really IS The State Of Adware Detections?
A lot of people who went to the SpywareWarrior site to check
out which product detected what threats came back and asked us
a good question: despite the fact that CounterSpy was detecting
practically all the threats, it was not in the recommended list.
Why? Well, both Suzi and Eric who run the site are consulting for
Sunbelt. They feel it is a conflict of interest to recommend a tool
on their site from a company that has hired them as consultants.
And we agree, this is an ethical position to take, and we respect
their personal integrity.
This Week's Links We Like. Tips, Hints And Fun Stuff
PRODUCT OF THE WEEK
BOOK: Extreme Exploits. Advanced Defenses...
McGraw-Hill Osborne sent me this one for review. Wow, this is good
but advanced security stuff. Some of it I got pretty quick, other
bits went over my head, but at the end of each chapter is a
check-list of security configurations and policies. If you want to
keep your organization free from intruders, you need to check out
this book. I gave it to our CTO to check our own networks. Here is their
"Protect your network and web sites from malicious attacks with help
from this cutting-edge guide. Extreme Exploits is packed with never-
before-published advanced security techniques and concise instructions
that explain how to defend against devastating vulnerabilities in
software and network infrastructure. This book will give a detailed
analysis of modern threats and their solutions along with a checklist
for developing defenses at the end of each chapter. You'll also be
introduced to a winning methodology for custom vulnerability
assessments including attack profiling and the theatre of war
concept. Through in-depth explanations of underlying technologies,
you'll learn to prepare your network and software from threats
that don't yet exist. This is a must-have volume for anyone
responsible for network security."