Security UPDATE--The Onion Router Downside--October 25, 2006


Security Measurement is Vital to Program Success

Making the Case for E-mail Archiving and Litigation Readiness

The Starter PKI Program



IN FOCUS: The Onion Router Downside


- Microsoft Releases WPA2 Support, Modifies Wi-Fi Client Behavior

- Zero-Day Vulnerability in PowerPoint

- Microsoft Re-releases Security Bulletin for Windows 2000

- McAfee Acquires Onigma, Introduces Data Loss Prevention Solution

- Recent Security Vulnerabilities


- Security Matters Blog: Bitter News for VM Users, There's a Rootkit Made Just for You

- FAQ: Command Lists All Members of an AD Group

- From the Forum: Making the C Drive Invisible Yet Readable

- Know Your IT Security Contest

- Make Your Mark on the IT Community!


- Comprehensive Protection for Endpoints at Work and at Home

- Wanted: Your Reviews of Products




=== SPONSOR: Solutionary


Security Measurement is Vital to Program Success

Security managers face challenges technically and organizationally in gaining program support and focus. Effective security measurement can help ingrain the issue into the performance management process and culture of the organization. Read this white paper.

=== IN FOCUS: The Onion Router Downside


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Two weeks ago, I wrote about a portable Web browser, Torpark, that's designed to keep you relatively anonymous as you browse. Torpark is based on the Mozilla Firefox source code, and you might recall that one of the big advantages of using Torpark is that it comes with The Onion Router (Tor) built in. So you don't need to install and configure that separately. If you missed that editorial, you can read it at the URL below.

Tor is a client and server SOCKS-based proxy that's designed to route traffic through a series of anonymous servers, the number of which varies depending on how you configure the Tor client. Anyone can run a Tor client or server without having to reveal anything to the outside world except an IP address, and that address is made known only to the first Tor server your traffic passes through.

Traffic is encrypted by Tor along the route, and Tor routers know only about the hops of the routers immediately before and after them. Tor handles its own traffic encryption, so in theory, Tor server operators shouldn't be able to snoop on the contents of your network traffic.

The exception is the Tor server operator of the exit router--the last hop along your traffic's route through Tor servers. Other servers on the Internet don't understand Tor encryption, so obviously they can't receive and process traffic that originates from a Tor network. Therefore the traffic must be decrypted before being passed on to its final destination. And therein resides Tor's inherent weakness. You must trust an unknown Tor server operator to not snoop on your traffic as it exits the Tor network. Inevitably, some Tor server operators do snoop on traffic. That's why I said that Tor provides "relative" anonymity. It protects your actual IP address but not the nature of what you're doing on the Internet.

Anyone who can see your Internet traffic can also manipulate it. This certainly holds true for Tor exit server operators, and it presents another danger of using Tor. In one of many possible scenarios, someone could monitor for traffic destined for port 80, typically used for Web traffic, and then manipulate Web pages, cookies, headers, and so on in just about any way you can imagine. Now someone has proven just how easy it is to use this weakness to discover your real IP address, which in effect destroys your anonymity and thus defeats the purpose of using Tor.

"Practical Onion Hacking, Finding the real address of Tor clients" (at the URL below) is a white paper produced by the FortConsult Security Research Team and published on the Packet Storm Security Web site. The paper shows, step by step, how the researchers were able to use readily available scripts and software packages to inject a "Web bug" into Web traffic. The Web bug is a typical cookie designed and used in conjunction with browsers that have JavaScript or Adobe Flash enabled. When Tor is used directly (i.e., without a go-between, which I'll explain in a moment), either of those two technologies will reveal the cookie and thus the real IP address of the user.

JavaScript code can be written to collect a system's IP address, and the address can be placed in a cookie that can be read by a Web server. Flash doesn't understand the SOCKS protocol at all, so if a Flash object requires network connectivity for whatever reason, it completely bypasses the Tor network.

As I suggested earlier, there is a way to eliminate both of these weaknesses--by placing a standard proxy server between your client applications and the Tor client. One such proxy server is Privoxy, which can strip out JavaScript, cookies, and other unwanted content. Privoxy understands the SOCKS protocol, so it can be configured to send its traffic through Tor. With Privoxy as the go-between, even Flash's network connections would be routed through Tor rather than bypassing it.
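As an added example, not from the editorial or from the Privoxy project, here is the Privoxy configuration that puts it in front of Tor as the go-between described above. It assumes Tor's default SOCKS listener on 127.0.0.1:9050 and Privoxy's default listen port 8118; the weaker forwarding line is shown commented out beside the corrected one.

```text
# --- Privoxy "config" file (added example; assumes Tor listens on 127.0.0.1:9050)
# The browser is pointed at Privoxy, never at Tor's SOCKS port directly.
listen-address  127.0.0.1:8118

# Weak setting: plain SOCKS4 makes Privoxy resolve host names locally, so every
# site you visit is still disclosed to your own DNS resolver outside Tor.
# forward-socks4   /   127.0.0.1:9050  .

# Corrected setting: SOCKS4a hands the host name to Tor, which resolves it
# at the exit router, so neither the address nor the lookup leaves via your ISP.
forward-socks4a  /   127.0.0.1:9050  .
# "/" matches every URL; the trailing "." means no further parent HTTP proxy.

# --- Privoxy "user.action" file: drop cookies in both directions for all URLs,
# which removes the cookie-based Web bug the white paper relies on.
{ +crunch-incoming-cookies +crunch-outgoing-cookies }
/
```

After restarting Privoxy, set the browser's HTTP and HTTPS proxy to 127.0.0.1:8118 and confirm that no connection is still configured to bypass the proxy for any host.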

If you're interested in Tor's weaknesses, or even in how easy it is to manipulate network traffic, then be sure to read the white paper.


A note from Mark Minasi: I wanted to pass along some information about a show that I'm not speaking at but that looks like a good deal. It's a $129, one-day interoperability road show from Penton, the folks who put out this newsletter.

If you're like most folks, "interop" isn't just a buzzword, it's a daily headache. If we all used the same operating system, directory service, and database engines, then life would be a lot easier, but most of us can't. Worse yet, interop info can be hard to come by, because no vendor's all that excited about helping you use any products but theirs.

In response to that, Penton's put together a show with four tracks, each geared to a solution. One features Dustin Puryear talking about making Windows, Linux, and Unix work together. The second offers a day of Active Directory expert Gil Kirkpatrick on integrating AD with other LDAP directory services. At the same time, database techie Randy Dyess explains how to solve data interoperability problems by making different databases replicate amongst one another and produce integrated reports, as well as how to integrate dissimilar relational database engines. Last but not least, popular Windows IT Pro veteran author Mike Otey tackles what may be the single best new IT technology of the past few years--virtualization.

Tech X World is coming to Chicago, Dallas, and San Francisco in the next week, and you can find out more at

=== SPONSOR: Symantec


Making the Case for E-mail Archiving and Litigation Readiness

Are your messages easily accessible, yet secure, in the case of an e-discovery request? With phenomenal email volume growth and increasing costs when companies fail to comply, you can't afford to lose an email. Download this free white paper and implement a strong email retention and management system today!



Microsoft Releases WPA2 Support, Modifies Wi-Fi Client Behavior

Microsoft announced the release of a security update for Windows XP SP2 that introduces support for WPA2 and changes the behavior of wireless clients to be more secure.

Zero-Day Vulnerability in PowerPoint

A zero-day vulnerability has been discovered in Microsoft PowerPoint. According to available information, the vulnerability can potentially be exploited to execute arbitrary code on an affected system if a user opens an infected PowerPoint file. Proof-of-concept code has been published to demonstrate the problem. Microsoft is aware of the problem and is investigating the matter; however, no patch is available at this time.

Microsoft Re-releases Security Bulletin for Windows 2000

Late last week, Microsoft re-released Security Bulletin MS06-061 (Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution) to correct a problem with the previous update, which didn't correctly set the kill bit for Microsoft XML Parser 2.6.

McAfee Acquires Onigma, Introduces Data Loss Prevention Solution

McAfee announced that it acquired data protection solutions provider Onigma. The acquisition brings McAfee the ability to offer solutions to monitor and report on confidential data as well as to prevent its loss.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Thawte


The Starter PKI Program

Securing multiple domains or host names? Learn how the Starter PKI program can save time and reduce costs, and provide you with a multiple digital certificate account.



SECURITY MATTERS Blog: Bitter News for VM Users, There's a Rootkit Made Just for You

by Mark Joseph Edwards,

With every innovation comes a setback, sometimes vitriolic in nature. Virtual machine (VM) technology is a good case in point. Read this blog article to discover how intruders are bound to invade VMs, by hook or crook.

FAQ: Command Lists All Members of an AD Group

by John Savill,

Q: How can I use a command to list all the members of an Active Directory (AD) group?

Find the answer at

FROM THE FORUM: Making the C Drive Invisible Yet Readable

A forum participant wants to know how to make the C drive invisible yet still readable. He wants the drive hidden from users but wants them to be able to access all the programs on the system. Join the discussion at:


Share your security-related tips, comments, or solutions in 1000 words or fewer, and you could be one of 13 lucky winners of a Zune media player. Tell us how you do patch management, share a security script, or write about a security article you've read or a Webcast you've viewed. Submit your entry between now and December 13. We'll select the 13 best entries, and the winners will receive a Zune media player--plus, we'll publish the winning entries in the Windows IT Security newsletter. Email your contributions to [email protected]

Prizes are courtesy of Microsoft Learning Paths for Security:


Nominate yourself or a peer to become an "IT Pro of the Month." Winners will receive over $600 in IT resources and be featured in Windows IT Pro magazine and the TechNet Flash email newsletter. It's easy to enter--accepting October nominations for a limited time! Submit your nomination today:



by Renee Munshi, [email protected]

Comprehensive Protection for Endpoints at Work and at Home

eEye Digital Security released version 2.5 of Blink Professional, its host-based firewall, intrusion prevention, and anti-malware solution, and added portable-storage-device control, application control, and "dynamic" control that allows different policies to be in effect depending on whether the client is physically connected to the network or is outside the network perimeter. A new offering, Blink Personal, which includes most of the functionality of Blink Pro, is available for free to home users, who are invited to participate in a Neighborhood Watch program that sends "attack data" anonymously and automatically from Blink Pro to the eEye Research Lab. The data will help eEye continue to improve its products' attack detection and prevention capabilities. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



For more security-related resources, visit

In an environment where there is no one true OS, users must access a variety of applications across several platforms. Get the tools you need to analyze and improve how you manage access across Windows Terminal Services, UNIX and Linux X, Windows, legacy telnet, and even SSH. TechX World events start October 24--register today!

How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy and security policies to make sure that your organization is compliant. Download the free eBook today!

Did you know that 75% of corporate intellectual property resides in email? With security concerns from viruses and malware, increasing amounts of spam, and ever-stronger performance demands for availability and recovery, email systems have become the most important business application. Join us for this free Web seminar and learn a holistic approach to managing the challenges of security, availability and control. Live Event: Thursday, November 16

How do you manage vulnerabilities? If you depend on vulnerability assessments to determine the state of your IT security systems, you can't miss this Web seminar. Special research from Gartner indicates that deeper penetration is needed to augment your vulnerability management processes. Learn more today!

Take the necessary steps for application management, from conversion of legacy applications to MSI to customizing applications to fit corporate standards. Don't overlook an important component of an OS migration--join us for the free on-demand Web seminar.



Help your small- or medium-sized business protect one of its most valuable assets--business information. Easily store, manage, protect and share information with hardware designed with the needs of your business in mind. Manage IT without the large staff and extensive training--learn how today!

Special Offer: Download any white paper from Windows IT Pro before October 31 and enter to win a Casio Exilim Card Camera! The more you download, the more chances to win! Visit for a full listing of white papers and contest rules.



Invitation for VIP Access

Become a VIP Monthly Pass subscriber and get instant online access to every article published in our network. You'll get full Web access to Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. Sign up now for only $29.95 per month:

Get $40 off on Windows IT Pro

Subscribe to Windows IT Pro today and SAVE up to $40! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
