[ISN] Security UPDATE--Honeywall CD-ROM; Internet Storm Center--August 4, 2004

InfoSec News isn at c4i.org
Thu Aug 5 06:09:31 EDT 2004

==== This Issue Sponsored By ====

Free OpenNetwork White Paper

Free Security White Paper from Postini


1. In Focus: Honeywall CD-ROM and Internet Storm Center

2. Special Report: Black Hat USA 2004 Briefings

3. Security News and Features
   - Recent Security Vulnerabilities
   - News: New MyDoom Worm Variant Affects Search Engines Too
   - News: Microsoft Promises IE Patch for Download.Ject Soon
   - Feature: A First Look at Windows Firewall

4. Security Matters Blog
   - MyDoom Strikes Again
   - Windows Server 2003 Security Guide

5. Security Toolkit
   - FAQ

6. New and Improved
   - HTTP-Based Patch Distribution


==== Sponsor: Free OpenNetwork White Paper ====
   Businesses are often overburdened with numerous identity
repositories, authentication processes and administration systems.
Having a sound identity management strategy eliminates this complexity
while automating resource intensive management functions, such as
password management, approval processes and the set up and deletion of
users as they join and leave the company. In "Understanding the
Identity Management Roadmap and Role of Your Microsoft Infrastructure"
you will learn how companies are making progress on the road to
identity management and how they've leveraged Active Directory to do
it. Plus, you'll learn how to make identity management work with your
existing infrastructure. Download this free white paper now!


==== 1. In Focus: Honeywall CD-ROM and Internet Storm Center ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

In the May 19 edition of this newsletter, I discussed the new
Honeywall CD-ROM available from the Honeynet Project. The Honeywall
CD-ROM is based on a trimmed-down version of Linux and is configurable
both before and after boot-up. You can add items you might need or
make configuration changes to suit your environment. For example, you
could add Secure Shell (SSH) keys, set your IP address preferences,
and so on, then burn a CD-ROM so that when you boot to the CD-ROM,
your system is configured and ready for use.

You can download a copy of the CD-ROM image (at the URL below, about
50MB in size,) from the Honeynet Project Web site. On July 20, the
Honeynet Project announced a subscription program that serves as a way
for you to support the project and gain some added value at the same
time. For an annual contribution of $150 for corporations or $75 for
individuals, the project mails in March and September a copy of the
most recent Honeywall CD-ROM; another CD-ROM containing updated
whitepapers, tools, and documentation; and a print newsletter that
contains "all the new work that has occurred in the past six months."
The subscription sounds like a great way to give something back to the
project in exchange for its hard work in providing great tools and
information to help you with your security endeavors.

Using a honeypot or network of honeypots can be helpful in learning
how and why intruders attempt to penetrate your network. One of this
month's SANS Institute Webcasts might address the use of honeypots. On
August 11, Johannes Ullrich will present "Internet Storm Center:
Threat Update," which "discusses recent threats observed by the
Internet Storm Center, and discusses new software vulnerabilities or
system exposures that were disclosed over the past month." The Webcast
might help you more readily detect various activities trapped by your
honeypots or by your other Intrusion Detection Systems (IDSs).

SANS Internet Storm Center helps track new threats, gathers
information about those threats, and presents its findings to the
public at the related Web site. Readers often contribute information
that can help provide loads of useful details about the latest threats
that might otherwise be harder to obtain, and sometimes you find links
to other sites that have even more detailed information. If you
haven't visited the Internet Storm Center Web site, you might consider
doing so to help better understand the current trends in network
   http://www.incidents.org or http://isc.sans.org


==== Sponsor: Free Security White Paper from Postini ====
   The Silent Killer: How spammers are stealing your email directory
   Have you ever had your end users complain about how slow your email
system seems to be responding when you have no visible reason for this
problem in performance? Are your Microsoft Exchange Server deferral
queues constantly full, slowing server performance to a crawl? All of
these are signs that spammers are probing your email system in an
attempt to identify and "harvest" legitimate email addresses from your
organization. This is what is known as the "silent killer" or
"directory harvest attack" (DHA). Download this whitepaper now and
learn how you can protect your organization against the "silent


==== 2. Special Report: Black Hat USA 2004 Briefings ====
   by Mark Burnett

Black Hat, a computer security conference and training company, held
the 8th annual Black Hat Briefings last week in Las Vegas. The
conference included presentations by nearly 50 speakers from a variety
of backgrounds. Among the key topics were electronic voting, privacy
on the Internet, Google hacking techniques, and zero-day exploits.

"We spent more time picking speakers this year," said Jeff Moss, CEO
of Black Hat. "We received a record number of submissions and the
quality was remarkable." According to Moss, the focus of the talks has
shifted to address new and upcoming security threats: "A couple years
ago, the interest was in detecting [known] attacks. The new interest
is how you defend against unknown attacks." Moss added that the
speakers are "turning their focus to the more difficult problems."

One underlying issue addressed in many of the talks is the decreasing
amount of time between the announcement of a vulnerability and the
deployment of code to exploit it. "Time to attack has gotten so
small," said Moss. "It used to be a two-week process that has shifted
to one day." According to Stephen Toulouse, a Microsoft security
product manager, "The biggest challenge we are dealing with now is
people releasing attack code. We're seeing the time to attack

Dr. Rebecca Mercuri and Bev Harris presented research and analysis on
electronic voting and the possible manipulation of it. Mercuri and
Harris spoke about the October 2003 California governor recall
election, providing an analysis that dispelled erroneous assertions
about the benefits of electronic voting and raised questions about the
accuracy of election systems. Black Hat also announced the launch of
"The Mezonic Agenda: Hacking the Presidency Contest," hosted by
Syngress Publishing. Conference attendees received a copy of a CD-ROM
that contains a game with the object of hacking and ultimately
controlling the outcome of a mock US presidential election.
Contestants must use their hacking skills to make themselves the
winning candidate of the simulated election.

Other speakers presented sessions on the topics of Zero-Day Code,
Phishing for Organized Crime, First Global Cyber-War, Secure Wireless
Network Deployment, Customer Data Protection, and new Web application
attacks. Speakers included Halvar Flake, Black Hat's resident reverse
engineer, and Greg Hogland, author of "Exploiting Software."

Black Hat holds five conferences annually in North America, Europe,
and Asia. For information about upcoming Briefings, visit

==== 3. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

News: New MyDoom Worm Variant Affects Search Engines Too
   A new MyDoom worm variant, MyDoom.M at mm, was discovered on July 26.
Computers affected by the worm are used to perform queries on various
search engines to harvest email addresses. According to reports, a
significant number of computers were affected by the worm and caused
some strain on popular search engines, including Lycos, AltaVista,
Yahoo!, and Google.

News: Microsoft Promises IE Patch for Download.Ject Soon
   Microsoft will finally issue a critical security patch for its
infamously buggy Internet Explorer (IE) Web browser this week
(possibly by the time you read this newsletter), out of sync with the
company's planned monthly security fixes. The patch will fix the flaw
that led to last month's Download.Ject malware attack and will be
applicable to IE 6.0, IE 5.5, and IE 5.01. The patch follows an
unprecedented configuration change update that the company released to
partially fix the Download.Ject problem; security experts quickly
denounced the change as ineffective.

Feature: A First Look at Windows Firewall
   Paula Sharick notes that after plowing through more than 200 pages
of documentation about the extensive changes in Windows XP Service
Pack 2 (SP2), she wasn't optimistic about testing the XP SP2 beta.
With the introduction of a real firewall; security controls for
Distributed COM (DCOM), remote procedure call (RPC), and WWW
Distributed Authoring and Versioning (WebDAV) operations; secure
wireless networking; the ability to kill pop-ups; and hands-on
management of Microsoft Internet Explorer (IE) plug-ins, SP2 has more
in common with a new OS than a service pack with bug fixes. The
upgrade also changes the open-access paradigm to a limited- or
no-access orientation, which in theory can wreak havoc with network
connectivity and server-based operations. Read the rest of Paula's
first look at XP SP2 Windows Firewall on our Web site.


==== Announcements ====
   (from Windows & .NET Magazine and its partners)

Get 2 Free Sample Issues of SQL Server Magazine!
   If you're a SQL Server user, SQL Server Magazine is a must-read.
Each issue offers a treasury of relevant articles, savvy tips, endless
code listings, and expertise that will give you the answers you are
looking for. Choose from a library of hot topic discussions relating
to reporting services, security, high availability, and much more.
Order now:

Finding the Right Antispam Solution When You Need It
   In this free Web seminar, learn how to implement a "holistic"
approach to email security that eliminates spam, minimizes risk from
viruses, saves money, and reduces the administrative burden on IT
staff. And, you'll find out the benefits of the "preemptive" email
security approach compared with more traditional approaches. Register

Extending Microsoft Office with Integrated Fax Messaging
   Are you "getting by" using fax machines or relying on a less savvy
solution that doesn't offer truly integrated faxing from within user
applications? Attend this free Web seminar and learn what questions to
ask when selecting an integrated fax solution, discover how an
integrated fax solution is more efficient than traditional faxing
methods, and learn how to select the fax technology that's right for
your organization. Register now!


==== 4. Security Matters Blog ====
   by Mark Joseph Edwards, http://www.winnetmag.com/securitymatters

Check out these recent entries in the Security Matters blog:

MyDoom Strikes Again
   If you're looking for more details about the latest MyDoom worm
variant, MyDoom.M at mm, you can find some interesting analysis,
including links to analysis from several antivirus vendors, in the
Handler's Diary for July 26 at the SANS Internet Storm Center Web

Windows Server 2003 Security Guide
   The default installation of Windows Server 2003 is much more secure
than previous Windows versions. Even so, you might consider making
some additional adjustments to further tighten security, depending on
your needs, by using Microsoft's new Windows Server 2003 security

==== 5. Security Toolkit ====

FAQ: Why Can't I Update the Active Directory (AD) Schema for Microsoft
Systems Management Server (SMS)?
   by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. I recently had this problem too--I had a lab environment in which I
repeatedly tried--and failed--to update the schema for SMS by running
the extadsch.exe command. After I ran the command, the log file
contained a lot of failure messages. After much investigation, I
discovered the reason for the failed schema update: I had many domain
controllers (DCs) that weren't running and consequently had
replication errors. After I started the DCs and resolved the
replication errors by forcing a replication, the schema update worked
perfectly. You can review the log's failure messages and the
subsequent success messages in the FAQ on our Web site.


==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
& .NET Magazine: http://www.winnetmag.com/events )

Free Roadshow in Your City Soon--HP Wireless & Mobility Roadshow 2004
   In this free Roadshow, you'll discover trends in the wireless and
mobility industry and come away with a better understanding of
wireless and mobility solutions. And, talk firsthand about your
wireless projects with leaders in the industry. See proven wireless
and mobile solutions in action. Register now!


==== 6. New and Improved ====
   by Jason Bovberg, products at winnetmag.com

HTTP-Based Patch Distribution
   Configuresoft announced Security Update Manager (SUM) 2.5, software
that lets you safely distribute patches and software updates across
firewalls via HTTP. SUM 2.5 is an add-on module for Configuresoft's
Enterprise Configuration Manager (ECM). SUM 2.5 reduces the risk and
vulnerabilities associated with opening ports on network firewalls to
deploy patches on systems within an organization's Demilitarized Zone
(DMZ) and machines located outside the network perimeter. Pricing for
SUM 2.5 starts at $25 per server and $5 per workstation. Pricing for
ECM starts at $995 per server and $30 per workstation. For more
information about SUM and ECM, contact Configuresoft at 719-447-4600
or on the Web.

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot at winnetmag.com.


==== Sponsored Links ====

   Comparison Paper: The Argent Guardian Easily Beats Out MOM

   Free Download--New - Launch NetOp Remote Control from a USB Drive


Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin at winnetmag.com. If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- letters at winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products at winnetmag.com
About your subscription -- securityupdate at winnetmag.com
About sponsoring Security UPDATE -- emedia_opps at winnetmag.com


==== Contact Our Sponsors ====

Primary Sponsor:
   OpenNetwork -- http://www.opennetwork.com -- 1-877-561-9500

Secondary Sponsor:
   Postini -- http://www.postini.com --1-888-584-3150


This email newsletter is brought to you by Windows & .NET Magazine,
the leading publication for IT professionals deploying Windows and
related technologies. Subscribe today.

You received this email message because you asked to receive
additional information about products and services from the Windows &
.NET Magazine Network. To unsubscribe, send an email message to
mailto:Security-UPDATE_Unsub at list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

More information about the ISN mailing list