[ISN] Security UPDATE -- Proactive Honeypots -- August 17, 2005
isn at c4i.org
Thu Aug 18 03:07:36 EDT 2005
This email newsletter comes to you free and is supported by the
following advertiser, which offers products and services in which
you might be interested. Please take a moment to visit this
advertiser's Web site and show your support for Security UPDATE.
Consolidate Your SQL Server Infrastructure
1. In Focus: Proactive Honeypots
2. Security News and Features
- Recent Security Vulnerabilities
- Recent Microsoft Security Bulletins: Exploits Already on the Loose
- Identity Theft Ring Used a Powerful Keyboard Logger
3. Instant Poll
4. Security Toolkit
- Security Matters Blog
5. New and Improved
- Filter Web and Email Content
==== Sponsor: PolyServe ====
Consolidate Your SQL Server Infrastructure
Shared data clustering is the breakthrough consolidation solution
for Microsoft Windows servers. In this free white paper learn how
shared data clustering technology can reduce capital expenditures by at
least 50 percent, improve management efficiency, reduce operational
expense, ensure high availability across all SQL Server instances and
more! Find out how you can reduce the overall Total Cost of Ownership
(TCO) for SQL Server cluster deployments by as much as 60 percent over
three years! Download your free copy now.
==== 1. In Focus: Proactive Honeypots ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
A conventional honeypot is passive: it sits on a server, waits for
intrusion attempts, and reacts when one arrives. But what if a honeypot
did the inverse--went out on the Web looking for sites that attack the
browsers that visit them? Microsoft has developed a new tool, the
Strider HoneyMonkey Exploit Detection System, that runs as a Web client
and uses "monkeys" to surf the Web in search of malicious Web content.
HoneyMonkey's monkeys are programs that automate Web surfing and
exploit detection. Instead of relying on databases of known exploits
and malware, a monkey launches a browser, loads a URL, and then simply
waits to see what happens, recording every file and registry access the
session makes. Because a monkey never clicks links or dismisses dialog
boxes, a page gets no user consent for anything it does, so an
executable file written to disk or a registry change made during a
monkey session is treated as evidence that the site is hostile.
Microsoft says that HoneyMonkey also works in conjunction with Strider
GhostBuster and Strider Gatekeeper to detect hidden processes and hooks
that might use autostart features of the OS. HoneyMonkey runs inside a
virtual machine (VM), which makes cleaning up after any potential
exploit or infection much easier. When exploits are detected,
HoneyMonkey alerts a controller, which destroys the VM, launches a new,
fully patched VM, and passes the URL to another monkey. If an exploit
is still detected, HoneyMonkey concludes that it's found a new (or
zero-day, if you prefer) exploit and passes it on to Microsoft's
Security Response Center for further research.
HoneyMonkey works sort of like a search engine spider. It follows links
and redirects at a detected exploit site to find more suspect sites.
According to Microsoft, such sites often link to each other; if one
site's exploit doesn't work, another site's might.
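The three mechanisms described above--the monkey's no-click observation rule, the controller's re-testing of each detection on progressively more patched images, and the following of redirects from exploit pages--as an added Python example. This is not Microsoft's Strider HoneyMonkey code; it assumes a three-image patch ladder, an allow list of folders the browser itself writes to, and a constructed set of file and registry observations (SCENARIO, simulated_visit) in place of real VM instrumentation. The site names, file paths, and registry values are made up.

```python
"""HoneyMonkey-style client honeypot controller (added example, not Microsoft's
Strider HoneyMonkey code).  A monkey loads one URL without clicking anything and
records file and registry writes; detections are re-tested on progressively more
patched images, and redirects from exploit pages are queued for the next monkey.
Real VM instrumentation is replaced by constructed observations (SCENARIO)."""
from collections import deque
from dataclasses import dataclass, field

# Least to most patched; labels are assumptions for the example, not Microsoft's.
PATCH_LADDER = ("XP-unpatched", "XP-SP2", "XP-SP2-fully-patched")
# OS autostart points a Web page has no business writing to.
AUTOSTART_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\explorer\browser helper objects",
    r"hklm\system\currentcontrolset\services",
)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif")
# Folders the browser itself fills during a page load (an assumed allow list).
BROWSER_OWNED = (
    r"c:\documents and settings\monkey\local settings\temporary internet files",
    r"c:\documents and settings\monkey\cookies",
    r"c:\documents and settings\monkey\local settings\history",
)

@dataclass
class Visit:
    """What one monkey session observed for one URL on one image."""
    url: str
    patch_level: str
    file_writes: list = field(default_factory=list)
    reg_writes: list = field(default_factory=list)
    redirects: list = field(default_factory=list)  # where the page sent us next

def suspicious_events(visit):
    """Events an un-clicked page load cannot explain: an executable written
    outside the browser's own folders, or any write to an autostart location."""
    hits = []
    for path in visit.file_writes:
        p = path.lower()
        if p.endswith(EXEC_EXT) and not p.startswith(BROWSER_OWNED):
            hits.append(("file", path))
    for key in visit.reg_writes:
        if key.lower().startswith(AUTOSTART_KEYS):
            hits.append(("registry", key))
    return hits

def analyze_url(url, visit_fn):
    """A detection discards that VM and re-tests the URL on the next, more
    patched, image.  stopped_by names the image whose patches defeated the
    exploit; None means it still worked on the fully patched image."""
    first = visit_fn(url, PATCH_LADDER[0])
    hits = suspicious_events(first)
    result = {"url": url, "hits": hits, "redirects": list(first.redirects)}
    if not hits:
        result.update(verdict="clean", stopped_by=PATCH_LADDER[0])
        return result
    for level in PATCH_LADDER[1:]:
        if not suspicious_events(visit_fn(url, level)):
            result.update(verdict="exploit", stopped_by=level)
            return result
    result.update(verdict="zero-day", stopped_by=None)
    return result

def crawl(seed_urls, visit_fn, limit=100):
    """Spider only from pages that exploited something; seen stops loops between
    exploit sites that redirect to each other."""
    queue, seen, findings = deque(seed_urls), set(seed_urls), {}
    while queue and len(findings) < limit:
        url = queue.popleft()
        findings[url] = analyze_url(url, visit_fn)
        if findings[url]["verdict"] != "clean":
            for nxt in findings[url]["redirects"]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return findings

# Constructed observations standing in for real file/registry monitoring.
CACHE_FILE = r"C:\Documents and Settings\monkey\Local Settings\Temporary Internet Files\ad.gif"
DROPPED_EXE = r"C:\WINDOWS\system32\svchost32.exe"
RUN_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost32"
SITE_A, SITE_B, SITE_C = "http://exploit-a.example/", "http://exploit-b.example/", "http://clean.example/"
SCENARIO = {
    # site A drops a binary on unpatched XP and on SP2, but not on the patched image
    (SITE_A, "XP-unpatched"): Visit(SITE_A, "XP-unpatched", [DROPPED_EXE, CACHE_FILE],
                                    [RUN_VALUE], [SITE_B, SITE_C]),
    (SITE_A, "XP-SP2"): Visit(SITE_A, "XP-SP2", [DROPPED_EXE], [RUN_VALUE]),
}
for _level in PATCH_LADDER:  # site B succeeds on every image, patched or not
    SCENARIO[(SITE_B, _level)] = Visit(SITE_B, _level, [DROPPED_EXE], [RUN_VALUE], [SITE_A])

def simulated_visit(url, level):
    """Stand-in for launching the browser in a VM; unknown pages only fill the cache."""
    return SCENARIO.get((url, level), Visit(url, level, [CACHE_FILE]))

if __name__ == "__main__":
    for u, r in crawl([SITE_A], simulated_visit).items():
        print(f"{r['verdict']:9} stopped_by={r['stopped_by']}  {u}")
```

Run stand-alone it prints one verdict per URL reached from the seed: site A is an exploit that the fully patched image defeats (so the patch level that stopped it points at the bulletin involved), site B survives every image and is the zero-day candidate to hand to a response team, and the clean site was reached only because an exploit page redirected to it. In a real deployment simulated_visit is replaced by launching the browser in a throwaway VM and diffing file and registry state before and after the load; the classification and ladder logic stay the same.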
Microsoft said that after a month of use, HoneyMonkey discovered 752
URLs at 287 sites that can infiltrate an unpatched system running
Windows XP. Of that lot, 204 URLs at 115 sites can infiltrate a system
running XP with Service Pack 2 (SP2) and no additional patches.
Microsoft said that the first new exploit was detected in July. It
targeted a publicly disclosed vulnerability in javaprxy.dll (the JView
Profiler) for which no patch was yet available. Microsoft then produced
a fix, released as Microsoft Security Bulletin MS05-037, "Vulnerability
in JView Profiler Could Allow Remote Code Execution (903235)."
Here's some interesting information: Of those 752 URLs, 102 of them
were available via search results at Google and 100 of them were
available at Yahoo!. As of June 1, 49 of them were available at MSN
Search, but by June 10, Microsoft had removed all 49. The company
didn't say whether it shared its information with other search engine
operators so that they could remove the URLs from their respective
If you're interested in learning more about HoneyMonkey, visit the
Microsoft Research Web site and click the link "Full research technical
report on Strider HoneyMonkey" for a paper that contains a lot more
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
Recent Microsoft Security Bulletins: Exploits Already on the Loose
Just 48 hours after Microsoft issued its monthly security bulletins
last week, three proof-of-concept exploits were released that take
advantage of critical problems. On August 9, Microsoft issued six
bulletins that explain numerous problems in Microsoft Internet Explorer
(IE) and Windows Plug and Play and several other problems--many of
these problems are considered critical. Are worms built on these
exploits only a matter of time?
Identity Theft Ring Used a Powerful Keyboard Logger
Last week, we reported that Sunbelt Software uncovered an identity
theft ring. This week, we learned how that ring managed to gather so
much sensitive information: by using a powerful keystroke logger. Learn
all about it in this news item on our Web site.
==== Resources and Events ====
Reduce Downtime with Continuous Data Protection
Continuous or real-time backup systems help avoid the danger of
losing data if your system fails after the point of backup by providing
real-time protection. In this free Web seminar, learn how to integrate
them with your existing backup infrastructure, how to apply continuous
protection technologies to your Windows-based servers, and more. Sign
up today and learn how you can quickly roll back data not just to the
last snapshot or backup, but to any point in time!
Identify the Key Security Considerations for Wireless Mobility
Wireless and mobile technologies are enabling enterprises to gain
competitive advantage through accelerated responsiveness and increased
productivity. In this free Web seminar, you'll receive a checklist of
risks to factor in when considering your wireless mobility technology
evaluations and design. Sign up today and learn all you need to know
about Firewall security, Transmission security, OTA management,
management of third-party security applications and more!
Deadline Extended--2005 Windows IT Pro Innovators Contest!
If you've used Windows technology in creative ways to devise
specific, beneficial solutions to problems your business has faced, we
want you! Now's your chance to get the recognition you deserve. Enter
the 2005 Windows IT Pro Innovators Contest now! You could win a
complimentary conference pass to Exchange Connections and Windows
Connections in San Diego in late October 2005.
SQL Server 2005 Roadshow is Coming to a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Attend and receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine. Register now!
Avoid the 5 Major Compliance Pitfalls
Based on real-world examples, this Web seminar will help C-level
executives, as well as IT directors and managers, avoid common mistakes
and give their organization a head start in ensuring a successful
compliance implementation. Register today and find out how you can
avoid the mistakes of others, improve IT security, and reduce the cost
of continually maintaining and demonstrating compliance.
==== 3. Instant Poll ====
Results of Previous Poll: Do you regularly scan your external network
IP addresses for open ports on your network and compare the results
against a known good baseline?
The voting has closed in this Windows IT Pro Security Hot Topic
nonscientific Instant Poll. Here are the results from the 14 votes.
- 7% Yes, I regularly scan my network and compare against a baseline.
- 14% Yes, I periodically scan but merely review the results.
- 64% No, I don't scan, but I think I should.
- 14% No, I don't think scanning is useful.
New Instant Poll: Does your company use an encryption product to
protect files and folders on Windows systems?
Go to the Security Hot Topic and submit your vote for
- Yes, we use Microsoft Windows Encrypting File System (EFS).
- Yes, we use a third-party product.
- We haven't used encryption in the past, but we're considering it now.
- No, we don't see any need to encrypt data.
==== Featured White Paper ====
Sort Through Sarbanes-Oxley, HIPAA, GLBA and Basel II Legislation
Quicker and Easier!
In this free white paper, get the tips you've been looking for to
save time and money in achieving IT security and regulatory compliance.
Find out how you can simplify these manually intensive, compliance-
related tasks that reduce IT efficiency. Turn these mandates into
automated and cost effective solutions today!
==== 4. Security Toolkit ====
Security Matters Blog: Lawyer's Perspective on Cisco, ISS, and Mike
Lynn at Black Hat
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1117F:4FB69
Controversy ensued at the recent Black Hat USA 2005 conference in Las
Vegas. Internet Security Systems (ISS) researcher Mike Lynn was slated
to give a presentation at the show to discuss vulnerabilities in Cisco
Systems routers. Cisco tried to prevent the presentation, but the show
went on. Read the blog entry to learn more.
by John Savill, http://list.windowsitpro.com/t?ctl=1117D:4FB69
Q: How can I use Group Policy to control the new Windows Firewall
that's included with Windows Server 2003 Service Pack 1 (SP1) and
Windows XP SP2?
Find the answer at
==== Announcements ====
(from Windows IT Pro and its partners)
Try a Sample Issue of the Windows IT Security Newsletter!
Security Administrator is now Windows IT Security. We've expanded
our content to include even more fundamentals on building and
maintaining a secure enterprise. Each issue also features product
coverage of the best security tools available and expert advice on the
best way to implement various security components. Plus, paid
subscribers get online access to our entire online security article
database! Sign up to try a sample issue today:
Windows IT Pro Gives IT Professionals What They Need
The August issue is a must have! Subscribe now and find out the best
ways to plan for Longhorn, what you need to know about VBScripts, and
how to make sense of SQL Server. If you order today, you'll also gain
exclusive access to the entire Windows IT Pro online article database
(over 9000 articles) and save 44% off the cover price!
==== 5. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Filter Web and Email Content
Aladdin Knowledge Systems offers eSafe 5.0, a gateway product that
inspects Web content for spyware and blocks malicious content before it
reaches the desktop. eSafe blocks downloads that rely on HTML
vulnerability exploits or social engineering, as well as downloads from
known spyware sites; it uses signature and heuristic detection to
identify and block spyware; and it stops installed spyware from
transmitting to its vendors, which also helps administrators identify
infected PCs. eSafe also offers spam tagging, spam blocking, remote
quarantine, and user-managed quarantine and reports, and its spam
database is updated eight times a day. You can purchase eSafe
preinstalled on a variety of hardware.
purchase eSafe pre-installed on a variety of hardware. For more
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Sponsored Links ====
Professional and secure remote control from all major platforms
Argent Versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
Tech jobs at Dice
Search 65K+ new IT jobs daily--Tech expert jobs at top companies!
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=11182:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.
More information about the ISN