Security UPDATE--Blacklists Aren't for Everyone--March 8, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

St.Bernard Software

8e6 Technologies


1. In Focus: Blacklists Aren't for Everyone

2. Security News and Features

- Recent Security Vulnerabilities

- Oracle Secures Search with Authorized Results

- RedBrowser Trojan Targets J2ME-based Phones

- Viruses Jump from PCs to Mobile Devices

3. Security Toolkit

- Security Matters Blog


- Share Your Security Tips

4. New and Improved

- Limit User Privileges and Block Unwanted Apps


==== Sponsor: St.Bernard Software ====

The Next Generation in Patch Management

At last, a unique solution that speeds the tedious tasks of system vulnerability management with automated patching and settings configuration features found in no other solution:

- Manage an entire distributed network, including remote and disconnected machines, from a central console

- Assign Roles and Rights for optimum IT staffing and security

- Provide dual system security with integrated security settings management

- Wake on LAN lets you successfully patch machines that are turned off

- Low acquisition and renewal pricing and flexible licensing model

Download your free trial today and find out how easy and cost-effective securing your systems can be. Download Now!


==== 1. In Focus: Blacklists Aren't for Everyone ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about blacklist services (the article is at the URL below), and I received some responses that I'll share with you this week.

One reader wrote to say that, lately, Spam and Open Relay Blocking System (SORBS) "is blocking almost all email from Yahoo, Hotmail, and some other large ISPs." He has quit using SORBS because it caused problems for a few clients.

Another reader also wrote about his problem with SORBS. He said that "one of our main mail servers received a piece of spam with a forged From address that went to one of \[SORBS's\] honeypots. We received an email to a nonexistent \[email address\] and sent a nondelivery response to the forged address at the honeypot. The result of a single email sent last November was that any \[host on the Internet\] using SORBS regarded our email server as a spam sender. The email had originated in Brazil and our email server was just the last link in the chain." He then described his ordeal in trying to get his server removed from SORBS's database.

At the SORBS site (URL below), you'll read that "affected IPs \[of the mail server which sent spam\] will only be delisted when US$50 is donated to a SORBS nominated charity or good cause. The charities and good causes SORBS approves will not have any connection with any member of the SORBS administrators, either past or present." I have no problem with donating to charity, but trying to force that on people is unprofessional and unreasonable. The reader found an alternative way to have his IP address removed from the SORBS database, but SORBS doesn't make the alternative clear on its Web site.

In my tests, the SORBS blacklist service was only marginally better than the service provided by (DNS server:, so I might not continue using SORBS in light of what the two readers have revealed.

A third reader wrote to "strongly disagree with your recommendation to use blacklists, even though they are effective. My opinion is based on the fact that it is very easy to get blacklisted even without reason and very difficult to get out of the blacklist. This can cause long delays with email delivery and sometimes businesses depend on it--even though they shouldn't. I also don't like the attitude of some of the service providers for blacklisting, it is very frustrating to contact them."

What I recommend is that you do what works for your particular networks. If you find that blacklists work and aren't much of a management problem, then use them--they can be very effective. On the other hand, if you experience trouble with an entity such as SORBS, it might be best to drop that service in favor of another.
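One way to check whether a blacklist works for your particular network before you enforce it, shown as an added example that is not part of the original newsletter: score each candidate list against senders you have already classified from your own mail logs. The zone names, IP addresses, and listings below are constructed placeholders, and the resolver is injectable so the comparison runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_resolver(name):
    """Live lookup: an A record means listed, a failed lookup means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolver=dns_resolver):
    answer = resolver(dnsbl_query_name(ip, zone))
    # Listings are answered from 127.0.0.0/8; any other answer (for example a
    # wildcarded or expired zone) is not counted as a listing.
    return answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def evaluate(zone, labelled_senders, resolver=dns_resolver):
    """Return (fraction of spam caught, fraction of legit blocked, blocked legit IPs)."""
    spam = [ip for ip, kind in labelled_senders if kind == "spam"]
    legit = [ip for ip, kind in labelled_senders if kind == "legit"]
    caught = sum(is_listed(ip, zone, resolver) for ip in spam)
    blocked = [ip for ip in legit if is_listed(ip, zone, resolver)]
    return caught / len(spam), len(blocked) / len(legit), blocked

# Constructed sample: sender IPs labelled by hand from a mail log.
SAMPLE = [
    ("192.0.2.10", "spam"), ("192.0.2.11", "spam"),
    ("192.0.2.12", "spam"), ("192.0.2.13", "spam"),
    ("198.51.100.5", "legit"), ("198.51.100.6", "legit"),   # large webmail relays
    ("203.0.113.25", "legit"), ("203.0.113.26", "legit"),   # partner mail servers
]
# Constructed listings for two hypothetical blacklist zones.
LISTINGS = {
    "list-a.example": ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
                       "198.51.100.5", "203.0.113.25"],
    "list-b.example": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
}
FAKE_RECORDS = {dnsbl_query_name(ip, z): "127.0.0.2" for z, ips in LISTINGS.items() for ip in ips}

def fake_resolver(name):
    return FAKE_RECORDS.get(name)

if __name__ == "__main__":
    for zone in LISTINGS:
        print(zone, evaluate(zone, SAMPLE, fake_resolver))
```

In this constructed data the first list catches slightly more spam but blocks half of the legitimate senders, which is the kind of trade-off the readers' reports describe.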

Some readers also offered comments about filtering particular languages. I think that some readers took offense to such filtering. I truly meant no offense. My point is simply that if no one in your organization reads a particular language, then any inbound mail in that language can be dropped. For example, approximately 48 percent of the email received by the mail servers I tested appears to be written in Asian languages--in particular, Japanese, Korean, and Taiwanese. None of the people that those mail servers support read any Asian languages, so we set the filters to drop all Asian language mail. As a result, processing overhead is reduced.


==== Sponsor: 8e6 Technologies ====

Stop Spyware Now - Free White Paper!

Spyware remains a problem for most companies, disrupting productivity, wasting time and money. Now 8e6 Technologies' free White Paper proposes breakthrough solutions to counteract the Spyware problem: recognize potential infections, stop unauthorized programs at the source. Get the Free White Paper:


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Oracle Secures Search with Authorized Results

Oracle announced its new enterprise search engine, Secure Enterprise Search 10g. One difference between Oracle's solution and other search engines is that Oracle's will return only the results that a person is authorized to access.

RedBrowser Trojan Targets J2ME-based Phones

The first malware that intentionally targets mobile phones that use Sun Microsystems' Java 2 Platform, Micro Edition (J2ME) has been discovered. Dubbed RedBrowser, the Trojan horse program tries to send text messages to a high-cost toll number in Russia. According to Kaspersky Lab, the mobile phone owner is charged between $5 and $6 for accessing the toll number.

Viruses Jump from PCs to Mobile Devices

Docking your mobile device to your PC is no longer without considerable risk. The Mobile Antivirus Researchers Association (MARA) reported the first virus that can jump from a PC to a Windows CE or Windows Mobile device. The virus was sent to MARA anonymously.


==== Resources and Events ====

DevConnections Europe Early Bird Special extended through 15 March

Four conferences for the price of one! Don't miss DevConnections Europe--coming to Nice, France, April 24-27, 2006.

Use virtualization technology to leverage your IT assets, address critical business needs, and get the most out of your existing hardware with Windows Server 2003 R2. Live Event: April 4, 12:00 pm EST

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.

Efficiently replicate file changes across WANs without worrying about your remote server backups using the improved Distributed File System in WSS R2. Live Event: March 14, 12:00 pm EST

SPECIAL PODCAST OFFER: Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient.


==== Featured White Paper ====

Manage your data growth, improve reliability, and speed data recovery using continuous data protection.


==== Hot Spot ====

Automate IT security compliance now!

FREE White Paper demonstrates how you can reduce time spent on IT policy compliance by as much as 90%, while improving your security posture. Cambia's agentless software continuously discovers all changes to network assets, intelligently determines which changes pose a risk to security and compliance and works with administrators to fix breaches quickly.


==== 3. Security Toolkit ====

Security Matters Blog: Network Security Toolkit 1.4.0

by Mark Joseph Edwards,

This excellent bootable toolkit has been updated with several useful enhancements, including an updated OS, new Web interfaces, and updates to included applications. Learn more in the blog article.


by John Savill,

Q: How can I delegate permission for a user or group to control certain services?

Find the answer at

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Announcements ====

(from Windows IT Pro and its partners)

Windows IT Pro Magazine Article Library--access available

Sign up for a Monthly Online Pass and get INSTANT access to all articles, tools, and helpful resources published on, including exclusive subscriber-only content. You'll get 24/7 access to the full Windows IT article library (includes more than 9,000 articles) and get the latest digital issue of Windows IT Pro delivered right to your inbox. Sign up now:

Windows IT Pro Magazine--SAVE 58%

Windows IT Pro is a must-have in 2006! Subscribe now and plug into the largest independent Windows IT community in the world. Along with loads of how-to articles, time-saving advice, and expert tips and solutions, you'll gain exclusive access to the entire online Windows IT Pro article library FREE. This is a limited-time offer, so order now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Limit User Privileges and Block Unwanted Apps

Winternals Software announced the release of Protection Manager, which enables granular control of user and application privilege levels and blocks all unauthorized executables. You install Protection Manager on a central console and deploy it to clients throughout the network. Then for each user role, you can specify one of four execution attributes for each application: denied from executing under any circumstances, allowed to execute with administrator privileges when required, allowed to execute in the user's context with limited user privileges, or allowed to execute normally. Protection Manager is licensed by server and workstation and works with Windows Server 2003, Windows XP, and Windows 2000 computers; for more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
