[ISN] Security UPDATE--Honeywall CD-ROM--May 19, 2004

InfoSec News isn at c4i.org
Fri May 21 10:54:14 EDT 2004


==== This Issue Sponsored By ====

Postini Preemptive Email Protection

Sybari Software


1. In Focus: Honeywall CD-ROM: A Honeynet on a Bootable Disk

2. Security News and Features
   - Recent Security Vulnerabilities
   - News: Serious Vulnerability in 802.11b and 802.11g Networks
   - News: You've Been Hacked, Now Rebuild Your System

3. Instant Poll

4. Security Toolkit
   - FAQ
   - Featured Thread

5. New and Improved
   - Extranet, Intranet, and Remote Access Policy Enforcement


==== Sponsor: Postini Preemptive Email Protection ====

   Free Whitepaper: Top 10 Reports for Email Admins
   This paper will show you the top ten reports every email
administrator really shouldn't live without, including dashboard views
of inbound email activity, SMTP connection and delivery monitoring, as
well as outbound email and content. Assuring comprehensive email
security and management for your enterprise requires real-time
monitoring and detailed, flexible reporting. Postini provides an
award-winning web console "dashboard" that helps email administrators
manage their email protection more effectively and efficiently with a
host of monitoring and trending reports. Reports show inbound spam by
domain and recipient, as well as viruses by name and overall traffic
by domain and recipient.


==== 1. In Focus: Honeywall CD-ROM: A Honeynet on a Bootable Disk ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

In the April 28 edition of this newsletter, I mentioned the new
version of Network Security Toolkit (NST), which is the creation of
Paul Blankenbaker and Ron Henderson. NST is loaded with security tools
and is available as a bootable CD-ROM. The toolkit is based on Red Hat
Linux 9.0, and you can download it as an International Organization
for Standardization (ISO) image and make the CD-ROM yourself.

This week, I learned about another free security-related tool that you
might want to try. The Honeynet Project has released a new beta
version of Honeywall CD-ROM, which, as you might suspect, lets you
create a bootable disk that offers the tools necessary to run a
honeypot network.

Honeywall CD-ROM is based on a trimmed-down version of Linux and is
configurable both before and after bootup. You can add items you might
need or make configuration changes that suit your environment. For
example, you could add Secure Shell (SSH) keys, set your IP address
preferences, and so on, then burn a CD-ROM so that when you boot to
the CD-ROM your system is already configured and ready for use.

To use Honeywall CD-ROM, you need a system with 256MB of RAM or more,
an IDE hard drive, at least two network cards, and of course a CD-ROM
drive to boot from. A Pentium III processor (or equivalent) is also
recommended. The Honeywall CD-ROM ISO image is a little over 50MB, and
you can download a copy by visiting the Honeynet Project's Honeywall
CD-ROM Web site.

If you're wondering what honeypots and honeynets are all about, we've
published numerous articles about them--most recently, "Honeypots for
Windows" by Roger Grimes in March. Grimes explains some basics about
honeypots and offers an inside peek into four commercial products that
let you build honeypots on Windows platforms.

We have many other articles related to honeypots available online,
including news and commentary. You can locate them quickly by using
our search engine. I've included a couple of shortcuts below that list
the most recent articles first.


==== Sponsor: Sybari Software ====

   Get on the Road to Secure Computing with Sybari and you could find
yourself in the driver's seat of a new 2004 MINI Cooper!
   Get your key to enter our giveaway by looking inside your TechEd
attendee bag or visit Sybari booth #417 and register to win! Not
attending TechEd? Enter to win a MINI Cooper remote control car. Click
here to enter:


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

News: Serious Vulnerability in 802.11b and 802.11g Networks
   The Australian Computer Emergency Response Team (AusCERT) released
an advisory about a newly discovered Denial of Service (DoS)
vulnerability in 802.11 wireless networks. As you know, Access Points
(APs) broadcast on a given channel and frequency. An attacker can
exploit the Clear Channel Assessment (CCA) procedure used by 802.11
equipment, making the channel appear to be busy. Under such
conditions, all APs and client stations defer their transmissions
while they wait for the channel to become idle. However, an idle
condition won't ensue until the DoS attack ceases.

News: You've Been Hacked, Now Rebuild Your System
   Microsoft Security Program Manager Jesper Johansson has published
another article, "Help: I Got Hacked. Now What Do I Do?" The article
raises that question, outlines more than half a dozen things that you
can't do to correct the problem, and concludes that you must rebuild
your system.


==== Announcements ====
   (from Windows & .NET Magazine and its partners)

Windows Connections October 24-27, Orlando, Florida.
   Save these dates for the Fall 2004 Windows Connections conference,
which will run concurrently with Microsoft Exchange Connections.
Register early and receive admission to both conferences for one low
price. Learn firsthand from Microsoft product architects and the best
third-party experts. Go online or call 800-505-1201 for more

New Web Seminar: Preemptive Email Security Works for Chick-fil-A--It
Can Work for You
   Become the company hero! Save your company time and money by
preventing unwanted and lost email. In this free Web seminar, hear
from an email expert--and learn from a real-world Chick-fil-A case
study--about how you can reduce spam and viruses and improve email
security and employee productivity. Register now!

Windows & .NET Magazine Announces Best of Show Finalists
   Windows & .NET Magazine and SQL Server Magazine announced the
finalists for the Best of TechEd 2004 Awards. The field included more
than 260 entries in 10 categories. Winners will be announced at a
private awards ceremony on Wednesday, May 26. The winners will also be
announced at TechEd on Thursday, May 27 at 12:30 p.m. at the Windows &
.NET Magazine booth #625. Click here to find out this year's


==== Hot Release: Access the expert's white paper library ====

   Get expert advice on Active Directory and Exchange from Quest, now
including the people and products of Aelita Software. Quest's library
of white papers details topics that simplify, automate, and secure
your Microsoft infrastructure. The authoritative leader on Active
Directory and Exchange, Quest Software is your single source for
Windows management solutions and expert industry information. Access
the white paper library today.


==== 3. Instant Poll ====

Results of Previous Poll
   The voting has closed in the Windows & .NET Magazine Network
Security Web page nonscientific Instant Poll for the question, "Has
your company become infected by the Sasser or Gaobot worm?" Here are
the results from the 138 votes.
   - 31% Yes
   - 57% No
   - 12% I'm not sure

New Instant Poll
   The next Instant Poll question is, "Which wireless intrusion
prevention system do you use?" Go to the Security Web page and submit
your vote for
   - AirDefense products
   - AirMagnet products
   - Red-M products
   - Aruba Wireless Networks products
   - Other products

==== 4. Security Toolkit ====

FAQ: What's acctinfo.dll?
   by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Acctinfo.dll is a DLL that extends the functionality of the
Microsoft Management Console (MMC) Active Directory Users and
Computers snap-in. Acctinfo.dll is included in the Windows Server 2003
Resource Kit tools. Installing acctinfo.dll adds the Additional
Account Info tab to the user object's Properties page. This tab
contains a variety of information, including
   * the last time the password was set
   * domain password policies
   * password expiration date
   * lockout status
   * last good and bad logons

To install acctinfo.dll, run the command:

   regsvr32 acctinfo.dll

If the command doesn't work (i.e., if Regsvr32 can't locate
acctinfo.dll), specify the full path to acctinfo.dll on the command line.
Acctinfo.dll is typically located in C:\program files\windows resource
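
The fields the Additional Account Info tab lists are held in Active Directory as raw 64-bit integers. The following Python is an added example, not part of the newsletter or the Resource Kit: it decodes constructed sample values, assuming the tab's fields correspond to the user attributes pwdLastSet, lockoutTime and userAccountControl and the domain attributes maxPwdAge and lockoutDuration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point
INT64_MIN = -(2 ** 63)                             # stored for "no limit" intervals
DONT_EXPIRE_PASSWORD = 0x10000                     # userAccountControl flag

def to_filetime(dt):
    """Build a FILETIME (100 ns ticks since 1601 UTC); used for the sample data."""
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    """FILETIME -> aware datetime; 0 means the attribute was never set."""
    return None if ticks == 0 else EPOCH + timedelta(microseconds=ticks // 10)

def interval(ticks):
    """Policy intervals are negative tick counts; None means no finite limit."""
    return None if ticks in (0, INT64_MIN) else timedelta(microseconds=-ticks // 10)

def account_info(user, policy, now):
    pwd_set = from_filetime(user["pwdLastSet"])
    max_age = interval(policy["maxPwdAge"])
    never = bool(user["userAccountControl"] & DONT_EXPIRE_PASSWORD)
    expires = pwd_set + max_age if pwd_set and max_age and not never else None
    locked_at = from_filetime(user["lockoutTime"])
    duration = interval(policy["lockoutDuration"])
    # A lockout holds until the duration elapses; with no finite duration this
    # example assumes it holds until an administrator clears lockoutTime.
    locked = bool(locked_at) and (duration is None or now < locked_at + duration)
    return {
        "password_last_set": pwd_set,
        "must_change_at_next_logon": user["pwdLastSet"] == 0,
        "password_expires": expires,
        "password_expired": expires is not None and now >= expires,
        "locked_out": locked,
    }

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample values, not taken from a real directory.
SAMPLE_POLICY = {"maxPwdAge": -42 * 86400 * 10**7, "lockoutDuration": -30 * 60 * 10**7}
SAMPLE_USER = {
    "pwdLastSet": to_filetime(utc(2004, 4, 1)),
    "lockoutTime": to_filetime(utc(2004, 5, 19, 11, 45)),
    "userAccountControl": 0x200,  # NORMAL_ACCOUNT
}

if __name__ == "__main__":
    for key, value in account_info(SAMPLE_USER, SAMPLE_POLICY, utc(2004, 5, 19, 12)).items():
        print(f"{key}: {value}")
```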

Featured Thread: Risk Assessment--Lack of Physical Protection Over
Client Machines
   (Two messages in this thread)
   Paul writes that his server rooms have a high level of physical
protection; however, client machines could easily be accessed by a
member of the public. He can't do anything about the exposure because
of the nature of his organization. He's trying to assess the risks to
files stored locally and to overall network security. He's made some
relevant observations about how people might gain control over a
machine if they have physical access and he's come up with some
solutions to help guard client machines, but he wonders if anyone has
any other recommendations about how to protect machines against
physical access. Lend a hand or read the responses:


==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
& .NET Magazine: http://www.winnetmag.com/events )

The Exchange Server Seminar Series--Coming to Your City Soon!
   Simplify your life and others' lives with Windows Server 2003 and
Exchange Server 2003. Learn the advantages of migrating to an
integrated communications environment, consolidating and simplifying
implementation of technology, and accelerating worker productivity.
Register now for this free event!


==== 5. New and Improved ====
   by Jason Bovberg, products at winnetmag.com

Extranet, Intranet, and Remote Access Policy Enforcement
   NetScreen Technologies announced the next-generation release of its
Secure Access product family, built on the new Neoteris Instant
Virtual Extranet (IVE) 4.0 platform, which includes sophisticated
enterprise-class access-management capabilities. NetScreen Secure
Access appliances running on the IVE 4.0 platform address the advanced
security needs of customers deploying partner extranets and intranets
with dynamic access privilege management, rich user self-service,
granular role-based delegation, and centralized management. Available
IVE 4.0 functionality and feature sets vary based on purchase and
deployment options. For more information about IVE 4.0, contact
NetScreen Technologies at 800-638-8296 or on the Web.

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot at winnetmag.com.


==== Sponsored Links ====

   Comparison Paper: The Argent Guardian Easily Beats Out MOM

Microsoft(R) TechNet
   Microsoft(R) TechNet Webcasts: essential guidance, industry experts


==== Contact Us ====

About the newsletter -- letters at winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products at winnetmag.com
About your subscription -- securityupdate at winnetmag.com
About sponsoring Security UPDATE -- emedia_opps at winnetmag.com


==== Contact Our Sponsors ====

Primary Sponsor:
   Postini -- http://www.postini.com -- 1-888-584-3150

Secondary Sponsor:
   Sybari Software -- http://www.sybari.com -- 1-631-630-8500

Hot Release Sponsor:
   Quest Software -- http://www.quest.com -- 1-949-754-8000


This email newsletter is brought to you by Windows & .NET Magazine,
the leading publication for IT professionals deploying Windows and
related technologies. Subscribe today.

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
