[ISN] Security UPDATE -- Proactive Honeypots -- August 17, 2005

InfoSec News isn at c4i.org
Thu Aug 18 03:07:36 EDT 2005


This email newsletter comes to you free and is supported by the 
following advertiser, which offers products and services in which 
you might be interested. Please take a moment to visit this 
advertiser's Web site and show your support for Security UPDATE. 

Consolidate Your SQL Server Infrastructure


1. In Focus: Proactive Honeypots

2. Security News and Features
   - Recent Security Vulnerabilities
   - Recent Microsoft Security Bulletins: Exploits Already on the Loose 
   - Identity Theft Ring Used a Powerful Keyboard Logger 

3. Instant Poll

4. Security Toolkit
   - Security Matters Blog
   - FAQ

5. New and Improved
   - Filter Web and Email Content


==== Sponsor: PolyServe ====

Consolidate Your SQL Server Infrastructure
   Shared data clustering is the breakthrough consolidation solution 
for Microsoft Windows servers. In this free white paper learn how 
shared data clustering technology can reduce capital expenditures by at 
least 50 percent, improve management efficiency, reduce operational 
expense, ensure high availability across all SQL Server instances and 
more! Find out how you can reduce the overall Total Cost of Ownership 
(TCO) for SQL Server cluster deployments by as much as 60 percent over 
three years! Download your free copy now.


==== 1. In Focus: Proactive Honeypots ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Honeypots sit on a server and wait for intrusion attempts. When one 
occurs, they can perform a variety of actions. But what if a honeypot 
did the inverse--headed out on the Web to look for intruders? Microsoft 
has developed a new tool, Strider HoneyMonkey Exploit Detection System, 
that runs as a Web client by using "monkeys" to surf the Web for 
malicious Web-based content. 

HoneyMonkey's monkeys are programs that automate Web surfing and 
exploit detection. Instead of relying on databases of known exploits 
and malware, the monkeys launch a browser, connect to a site via its 
URL, and then wait for something to happen. The programs also monitor 
all file and registry access. Because the monkeys aren't designed to 
click links or dialog boxes on sites, it can be reasonably assumed that 
any executable file downloads or registry changes during monkey Web 
sessions might be hostile in one way or another. 

Microsoft says that HoneyMonkey also works in conjunction with Strider 
GhostBuster and Strider Gatekeeper to detect hidden processes and hooks 
that might use autostart features of the OS. HoneyMonkey runs inside a 
virtual machine (VM), which makes cleaning up after any potential 
exploit or infection much easier. When exploits are detected, 
HoneyMonkey alerts a controller, which destroys the VM, launches a new, 
fully patched VM, and passes the URL to another monkey. If an exploit 
is still detected, HoneyMonkey concludes that it's found a new (or 
zero-day, if you prefer) exploit and passes it on to Microsoft's 
Security Response Center for further research. 

HoneyMonkey works sort of like a search engine spider. It follows links 
and redirects at a detected exploit site to find more suspect sites. 
According to Microsoft, such sites often link to each other; if one 
site's exploit doesn't work, another site's might. 

Microsoft said that after a month of use, HoneyMonkey discovered 752 
URLs at 287 sites that can infiltrate an unpatched system running 
Windows XP. Of that lot, 204 URLs at 115 sites can infiltrate a system 
running XP with Service Pack 2 (SP2) and no additional patches. 
Microsoft said that the first new exploit was detected in July. It used 
known vulnerabilities in javaprxy.dll, for which no patch was 
available. Microsoft then created a patch, which was released in 
conjunction with Microsoft Security Bulletin MS05-037, "Vulnerability 
in JView Profiler Could Allow Remote Code Execution (903235)."

Here's some interesting information: Of those 752 URLs, 102 of them 
were available via search results at Google and 100 of them were 
available at Yahoo!. As of June 1, 49 of them were available at MSN 
Search, but by June 10, Microsoft had removed all 49. The company 
didn't say whether it shared its information with other search engine 
operators so that they could remove the URLs from their respective 

If you're interested in learning more about HoneyMonkey, visit the 
Microsoft Research Web site and click the link "Full research technical 
report on Strider HoneyMonkey" for a paper that contains a lot more 

==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Recent Microsoft Security Bulletins: Exploits Already on the Loose 
   Just 48 hours after Microsoft issued its monthly security bulletins 
last week, three proof-of-concept exploits were released that take 
advantage of critical problems. On August 9, Microsoft issued six 
bulletins that explain numerous problems in Microsoft Internet Explorer 
(IE) and Windows Plug and Play and several other problems--many of 
these problems are considered critical. Are worms built on these 
exploits only a matter of time? 

Identity Theft Ring Used a Powerful Keyboard Logger 
   Last week, we reported that Sunbelt Software uncovered an identity 
theft ring. This week, we learned how that ring managed to gather so 
much sensitive information: by using a powerful keystroke logger. Learn 
all about it in this news item on our Web site. 


==== Resources and Events ====

Reduce Downtime with Continuous Data Protection
   Continuous or real-time backup systems help avoid the danger of 
losing data if your system fails after the point of backup by providing 
real-time protection. In this free Web seminar, learn how to integrate 
them with your existing backup infrastructure, how to apply continuous 
protection technologies to your Windows-based servers, and more. Sign 
up today and learn how you can quickly roll back data not just to the 
last snapshot or backup, but to any point in time!

Identify the Key Security Considerations for Wireless Mobility
   Wireless and mobile technologies are enabling enterprises to gain 
competitive advantage through accelerated responsiveness and increased 
productivity. In this free Web seminar, you'll receive a checklist of 
risks to factor in when considering your wireless mobility technology 
evaluations and design. Sign up today and learn all you need to know 
about Firewall security, Transmission security, OTA management, 
management of third-party security applications and more!

Deadline Extended--2005 Windows IT Pro Innovators Contest!
   If you've used Windows technology in creative ways to devise 
specific, beneficial solutions to problems your business has faced, we 
want you! Now's your chance to get the recognition you deserve. Enter 
the 2005 Windows IT Pro Innovators Contest now! You could win a 
complimentary conference pass to Exchange Connections and Windows 
Connections in San Diego in late October 2005.

SQL Server 2005 Roadshow is Coming to a City Near You
   Get the facts about migrating to SQL Server 2005. SQL Server experts 
will present real-world information about administration, development, 
and business intelligence to help you implement a best-practices 
migration to SQL Server 2005 and improve your database computing 
environment. Attend and receive a 1-year membership to PASS and 1-year 
subscription to SQL Server Magazine. Register now!

Avoid the 5 Major Compliance Pitfalls
   Based on real-world examples, this Web seminar will help C-level 
executives, as well as IT directors and managers, avoid common mistakes 
and give their organization a head start in ensuring a successful 
compliance implementation. Register today and find out how you can 
avoid the mistakes of others, improve IT security, and reduce the cost 
of continually maintaining and demonstrating compliance.


==== 3. Instant Poll ====

Results of Previous Poll: Do you regularly scan your external network 
IP addresses for open ports on your network and compare the results 
against a known good baseline?
   The voting has closed in this Windows IT Pro Security Hot Topic 
nonscientific Instant Poll. Here are the results from the 14 votes.
   - 7% Yes, I regularly scan my network and compare against a baseline.
   - 14% Yes, I periodically scan but merely review the results.
   - 64% No, I don't scan, but I think I should.
   - 14% No, I don't think scanning is useful.

New Instant Poll: Does your company use an encryption product to 
protect files and folders on Windows systems?
   Go to the Security Hot Topic and submit your vote for 
   - Yes, we use Microsoft Windows Encrypting File System (EFS).
   - Yes, we use a third-party product.
   - We haven't used encryption in the past, but we're considering it now.
   - No, we don't see any need to encrypt data.


==== Featured White Paper ====

Sort Through Sarbanes-Oxley, HIPAA, GLBA and Basel II Legislation 
Quicker and Easier!
   In this free white paper, get the tips you've been looking for to 
save time and money in achieving IT security and regulatory compliance. 
Find out how you can simplify these manually intensive, compliance-
related tasks that reduce IT efficiency. Turn these mandates into 
automated and cost effective solutions today!


==== 4. Security Toolkit ==== 

Security Matters Blog: Lawyer's Perspective on Cisco, ISS, and Mike 
Lynn at Black Hat 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1117F:4FB69

Controversy ensued at the recent Black Hat USA 2005 conference in Las 
Vegas. Internet Security Systems (ISS) researcher Mike Lynn was slated 
to give a presentation at the show to discuss vulnerabilities in Cisco 
Systems routers. Cisco tried to prevent the presentation, but the show 
went on. Read the blog entry to learn more. 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=1117D:4FB69 

Q: How can I use Group Policy to control the new Windows Firewall 
that's included with Windows Server 2003 Service Pack 1 (SP1) and 
Windows XP SP2?

Find the answer at


==== Announcements ====
   (from Windows IT Pro and its partners)

Try a Sample Issue of the Windows IT Security Newsletter!
   Security Administrator is now Windows IT Security. We've expanded 
our content to include even more fundamentals on building and 
maintaining a secure enterprise. Each issue also features product 
coverage of the best security tools available and expert advice on the 
best way to implement various security components. Plus, paid 
subscribers get online access to our entire online security article 
database! Sign up to try a sample issue today:

Windows IT Pro Gives IT Professionals What They Need
   The August issue is a must have! Subscribe now and find out the best 
ways to plan for Longhorn, what you need to know about VBScripts, and 
how to make sense of SQL Server. If you order today, you'll also gain 
exclusive access to the entire Windows IT Pro online article database 
(over 9000 articles) and save 44% off the cover price!


==== 5. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Filter Web and Email Content
   Aladdin Knowledge Systems offers eSafe 5.0, a gateway that checks 
Web content for spyware and blocks any malicious content. eSafe 
prevents downloads that use HTML vulnerability exploits and social 
engineering, as well as downloads from known spyware sites; it uses 
signature and heuristic detection to identify and block spyware; and it 
prevents installed spyware from transmitting to its vendors and helps 
administrators identify infected PCs. eSafe also offers spam tagging, 
spam blocking, remote quarantine, and user-managed quarantine and 
reports, and its spam database is updated eight times a day. You can 
purchase eSafe pre-installed on a variety of hardware. For more 
information, visit

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Professional and secure remote control from all major platforms

Argent Versus MOM 2005
   Experts Pick the Best Windows Monitoring Solution

Tech jobs at Dice
   Search 65K+ new IT jobs daily--Tech expert jobs at top companies!


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=11182:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
