[ISN] Security UPDATE -- Proactive Honeypots, Part 2 -- August 24, 2005

InfoSec News isn at c4i.org
Thu Aug 25 06:42:38 EDT 2005


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Symantec LiveState Patch Manager

Get Rapid and Reliable Data and System Recovery   


1. In Focus: Proactive Honeypots, Part 2

2. Security News and Features
   - Recent Security Vulnerabilities
   - Symantec to Acquire Sygate 
   - 180solutions Sues Seven Former Distributors 
   - Microsoft Ships Windows 2000 Worm Removal Tool 

3. Security Toolkit
   - Security Matters Blog
   - FAQ

4. New and Improved
   - Fight Phishing Attacks


==== Sponsor: Symantec ====

Symantec LiveState Patch Manager
   Symantec LiveState Patch Manager allows you to reliably protect your 
infrastructure from vulnerabilities. Its intuitive interface allows 
organizations to scan, identify and install missing patches on hundreds 
of clients and servers in minutes. Flexible grouping capabilities allow 
the targeting of patches to specific groups of users. Provides detailed 
patch status reports. Persistent delivery assures patches are 
successfully delivered and applied, helping ensure clients are secure 
and protected. LiveState Patch Manager is a member of a family of 
modular solutions that work on their own - with tools you may already 
have - and can be assembled into a broader suite if desired, leveraging 
a common look-and-feel, management database and agent deployment 
infrastructure. To learn more, visit us at:


==== 1. In Focus: Proactive Honeypots, Part 2 ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about Microsoft's Strider HoneyMonkey Exploit 
Detection System, which is software that tries to find new exploits by 
surfing the Web and waiting for something to infiltrate the system. I 
don't know of many other such tools, but I have heard of two other 
client-based honeypot projects.

One is being developed by Bing Yuan at the Laboratory for Dependable 
Distributed Systems. Yuan is pursuing the technology as his diploma 
project at the laboratory, and so far, no working code seems to be 
available to the public. His project is Windows-based, will integrate 
with Microsoft Internet Explorer (IE), and will work with other 
software such as the Honeywall CD-ROM. I'm not sure how far along Yuan 
is in the development process or whether the tool will eventually be 
released to the public. You can, however, read more about it at the 
lab's Web site. 

The second tool I know about is called Honeyclient. The tool is being 
developed by Kathy Wang, who gave a related presentation at the recent 
REcon 2005 conference (see the first URL below) in Montreal. You can 
see the slides from the presentation at the second URL below. 
Honeyclient is written in Perl and is designed to run on Windows 
systems. It surfs the Web by using IE and tries to detect any file or 
registry changes. As it stands now, the tool is made up of two Perl 
scripts: one is a proxy and the other uses IE to drive a Web-surfing 

Wang's project isn't extensively documented, but the two Perl scripts 
that make up Honeyclient contain a few comments that help you better 
understand what it actually does. Of course, if you can read Perl code, 
then you'll get an even better understanding. Honeyclient isn't nearly 
as functional as HoneyMonkey, but it's similar and a good start. You 
can learn more about Honeyclient and download the latest version at 
Wang's Honeyclient Development Project Web site.

If you want to test Honeyclient, the readme file contains the basic 
installation and usage instructions. One thing I learned when testing 
the software (which isn't stated in the readme file) is that the 
directories in the checklist.txt file (which you need to create) are 
completely parsed, including any subdirectories. Another thing I 
noticed is that Honeyclient has a lengthy startup time because it also 
parses the registry HKEY_CLASSES_ROOT tree into a hash so that it can 
later detect any modifications. A word of caution is in order too: Be 
sure to use an isolated test machine or an OS running in a virtual 
machine when testing the tool.
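As an added illustration (not Honeyclient's or Wang's code) of the baseline-and-compare approach described above, the following Python snippet snapshots every file under the directories in a checklist, recursing into subdirectories as noted, and reports what a browsing session added, removed or changed; the same comparison applies to a registry tree exported as a key-to-value mapping, so a constructed sample stands in for a real HKEY_CLASSES_ROOT export. The sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot_dirs(checklist):
    """Map file path -> SHA-256 of contents for every file under each
    listed directory, descending into subdirectories (os.walk is recursive)."""
    baseline = {}
    for root_dir in checklist:
        for dirpath, _subdirs, files in os.walk(root_dir):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    baseline[path] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def diff_snapshots(before, after):
    """Compare two name -> fingerprint mappings (file hashes, or registry
    values keyed by path); return sorted (added, removed, modified) names."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return added, removed, modified

def demo():
    """Constructed scenario: a browsing session drops a file into a
    subdirectory and rewrites a config file; both must be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "sub"))
        cfg = os.path.join(tmp, "config.ini")
        with open(cfg, "w") as fh:
            fh.write("homepage=about:blank\n")
        before = snapshot_dirs([tmp])          # baseline before surfing
        # simulated changes made while the browser was driven
        with open(os.path.join(tmp, "sub", "dropped.dll"), "wb") as fh:
            fh.write(b"MZ constructed sample, not real code")
        with open(cfg, "w") as fh:
            fh.write("homepage=http://changed.example/\n")
        after = snapshot_dirs([tmp])           # snapshot after surfing
        rel = lambda paths: [os.path.relpath(p, tmp) for p in paths]
        return tuple(rel(part) for part in diff_snapshots(before, after))

if __name__ == "__main__":
    print(demo())
```

Reading whole files into memory keeps the example short; a production monitor would hash in chunks and also record permissions and timestamps.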

If you know of any other tools similar to these, send me an email 
message with a link or details. 


==== Sponsor: Symantec ====

Get Rapid and Reliable Data and System Recovery   
   Even under the best circumstances, performing a bare metal recovery 
from tape is tedious and unreliable. In this free white paper, learn 
how you can achieve unprecedented speed and reliability in recovering 
systems and data.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Symantec to Acquire Sygate 
   Symantec announced a deal to acquire Sygate Technologies, maker of 
policy compliance solutions. The deal will close shortly after the 
companies receive regulatory approval. Terms of the pending acquisition 
weren't disclosed.

180solutions Sues Seven Former Distributors 
   180solutions filed suit against seven former distributors of its 
search software for allegedly causing the software to be installed on 
people's computers without proper notice and consent. 180solutions 
claims the distributors used botnets to facilitate the software 

Microsoft Ships Windows 2000 Worm Removal Tool 
   In response to widespread Windows 2000-based worm attacks last week, 
Microsoft updated its Malicious Software Removal Tool (MSRT) to remove 
the worms and updated its statement about the attacks. 


==== Resources and Events ====

SQL Server 2005 Roadshow Is Coming to a City Near You
   Get the facts about migrating to SQL Server 2005. SQL Server experts 
will present real-world information about administration, development, 
and business intelligence to help you implement a best-practices 
migration to SQL Server 2005 and improve your database computing 
environment. Attend and receive a 1-year membership to PASS and 1-year 
subscription to SQL Server Magazine. Register now!

Microsoft Exchange Connections Conference
   October 31 - November 3, 2005, Manchester Grand Hyatt, San Diego. 
Microsoft and Exchange experts present over 40 in-depth sessions with 
real-world solutions you can take back and apply today. Register by 
September 12 to save $100 off your conference registration and attend 
sessions at Windows Connections free!

Avoid the 5 Major Compliance Pitfalls
   Based on real-world examples, this Web seminar will help C-level 
executives, as well as IT directors and managers, avoid common mistakes 
and give their organization a head start in ensuring a successful 
compliance implementation. Register today and find out how you can 
avoid the mistakes of others, improve IT security, and reduce the cost 
of continually maintaining and demonstrating compliance.

Roll Back Data to Any Point in Time: Not Just the Last Snapshot or 
   Have you lost data because it was saved right after your last 
backup? Most of us have been in this situation. Continuous, or real-
time, backup systems provide real-time protection, but are they right 
for you? In this free Web seminar, you'll learn about the design 
principles that underlie continuous data protection solutions, how to 
integrate them with your existing backup infrastructure, and how to 
best apply continuous protection technologies to your Windows-based 

High Risk Internet Access: Are You in Control?
   Defending against Internet criminals, spyware, phishing and 
addressing the points of risk that Internet-enabled applications expose 
your organization to can seem like an epic battle with Medusa. So how 
do you take control of these valuable resources? In this free Web 
seminar, you'll get the tools you need to help you analyze the impact 
Internet-based threats have on your organization, and tools to aid you 
in the construction of Acceptable-Use Policies (AUPs).


==== Featured White Paper ====

Consolidate Your SQL Server Infrastructure
   Shared data clustering is the breakthrough consolidation solution 
for Microsoft Windows servers. In this free white paper, learn how 
shared data clustering technology can reduce capital expenditures by at 
least 50 percent, improve management efficiency, reduce operational 
expense, ensure high availability across all SQL Server instances and 
more! Download your free copy now.


==== 3. Security Toolkit ==== 

Security Matters Blog: Mac OS X Security Update Fixes Dozens of 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=11B83:4FB69

Apple released a major security update for Mac OS X. Security Update 
2005-007 fixes dozens of vulnerabilities, including problems in Apache, 
Kerberos, MySQL, OpenSSL, and many other system components. Apple 
pulled the update to correct problems it caused with 64-bit 
applications on the Tiger OS, then reissued it as Security Update 2005-
007 v1.1. If you loaded the initial release on Tiger, be sure to load 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=11B82:4FB69 

Q: How can I determine which groups I'm a member of for my current 
logon session?

Find the answer at


==== Announcements ====
   (from Windows IT Pro and its partners)

Try a Sample Issue of the Windows IT Security Newsletter!
   Security Administrator is now Windows IT Security. We've expanded 
our content to include even more fundamentals on building and 
maintaining a secure enterprise. Each issue also features product 
coverage of the best security tools available and expert advice on the 
best way to implement various security components. Plus, paid 
subscribers get online access to our entire online security article 
database! Sign up to try a sample issue today:

Windows IT Pro Gives IT Professionals What They Need
   The August issue is a must have! Subscribe now and find out the best 
ways to plan for Longhorn, what you need to know about VBScripts, and 
how to make sense of SQL Server. If you order today, you'll also gain 
exclusive access to the entire Windows IT Pro online article database 
(over 9000 articles) and save 44% off the cover price!


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Fight Phishing Attacks
   CollectiveTrust has released ScamAlarm, a Windows application that 
protects users from phishing, identity theft, and fraud. ScamAlarm 
protects against all types of phishing attacks that try to collect 
personal information by pretending to be the Web site of a legitimate 
bank or investment firm. ScamAlarm uses a combination of contextual 
analysis, a robust set of rules, and a continuously updated list of 
dangerous sites. With ScamAlarm, users are notified immediately if the 
site that they're trying to visit is on the list of suspicious sites or 
if the Web site fails the program's security checks. ScamAlarm runs on 
Windows 98/2000/XP/2003, currently supports Microsoft Internet Explorer 
(IE) 5.5 or later, and costs $29.95 for a single-user license (volume 
discounts are available). You can purchase ScamAlarm securely online or 
download a free 30-day trial version at

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Professional and secure remote control from all major platforms

Argent Versus MOM 2005
   Experts Pick the Best Windows Monitoring Solution

Tech jobs at Dice
   Search 65K+ new IT jobs daily--Tech expert jobs at top companies!


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=11B85:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
