Security UPDATE--Honeywall CD-ROM; Internet Storm Center--August 4, 2004


To make sure that your copy of Security UPDATE isn't mistakenly blocked by antispam software, add [email protected] to your list of allowed senders and contacts.


==== This Issue Sponsored By ====

Free OpenNetwork White Paper

Free Security White Paper from Postini


1. In Focus: Honeywall CD-ROM and Internet Storm Center

2. Special Report: Black Hat USA 2004 Briefings

3. Security News and Features

- Recent Security Vulnerabilities

- News: New MyDoom Worm Variant Affects Search Engines Too

- News: Microsoft Promises IE Patch for Download.Ject Soon

- Feature: A First Look at Windows Firewall

4. Security Matters Blog

- MyDoom Strikes Again

- Windows Server 2003 Security Guide

5. Security Toolkit


6. New and Improved

- HTTP-Based Patch Distribution


==== Sponsor: Free OpenNetwork White Paper ====

Businesses are often overburdened with numerous identity repositories, authentication processes and administration systems. Having a sound identity management strategy eliminates this complexity while automating resource intensive management functions, such as password management, approval processes and the set up and deletion of users as they join and leave the company. In "Understanding the Identity Management Roadmap and Role of Your Microsoft Infrastructure" you will learn how companies are making progress on the road to identity management and how they've leveraged Active Directory to do it. Plus, you'll learn how to make identity management work with your existing infrastructure. Download this free white paper now!


==== 1. In Focus: Honeywall CD-ROM and Internet Storm Center ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

In the May 19 edition of this newsletter, I discussed the new Honeywall CD-ROM available from the Honeynet Project. The Honeywall CD-ROM is based on a trimmed-down version of Linux and is configurable both before and after boot-up. You can add items you might need or make configuration changes to suit your environment. For example, you could add Secure Shell (SSH) keys, set your IP address preferences, and so on, then burn a CD-ROM so that when you boot to the CD-ROM, your system is configured and ready for use.

You can download a copy of the CD-ROM image (about 50MB in size; see the URL below) from the Honeynet Project Web site. On July 20, the Honeynet Project announced a subscription program that lets you support the project and gain some added value at the same time. For an annual contribution of $150 for corporations or $75 for individuals, the project mails you, in March and September, a copy of the most recent Honeywall CD-ROM; a second CD-ROM containing updated whitepapers, tools, and documentation; and a print newsletter covering "all the new work that has occurred in the past six months." The subscription sounds like a great way to give something back to the project in exchange for its hard work in providing great tools and information to help you with your security endeavors.

Using a honeypot or a network of honeypots can help you learn how and why intruders attempt to penetrate your network. One of this month's SANS Institute Webcasts might address the use of honeypots. On August 11, Johannes Ullrich will present "Internet Storm Center: Threat Update," which "discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month." The Webcast might help you more readily recognize the activities trapped by your honeypots or by your other intrusion detection systems (IDSs).

The SANS Internet Storm Center tracks new threats, gathers information about them, and presents its findings to the public on its Web site. Readers often contribute details about the latest threats that might otherwise be hard to obtain, and you'll sometimes find links to other sites with even more detailed information. If you haven't visited the Internet Storm Center Web site, consider doing so to better understand current trends in network attacks.


==== Sponsor: Free Security White Paper from Postini ====

The Silent Killer: How spammers are stealing your email directory

Have you ever had your end users complain about how slow your email system seems to be responding when you have no visible reason for this problem in performance? Are your Microsoft Exchange Server deferral queues constantly full, slowing server performance to a crawl? All of these are signs that spammers are probing your email system in an attempt to identify and "harvest" legitimate email addresses from your organization. This is what is known as the "silent killer" or "directory harvest attack" (DHA). Download this whitepaper now and learn how you can protect your organization against the "silent killer".
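The symptom the white paper describes, a mail server grinding under a stream of RCPT TO attempts for addresses that don't exist, is easy to spot in the gateway's own logs once you look for it. The following is an added example, not code from Postini or from this newsletter: it parses a constructed, simplified one-line-per-recipient log (the format, the sample lines, the client addresses, and the thresholds are all assumptions made for the illustration) and flags any client that racks up many "User unknown" rejections against many distinct recipients inside a short window, while leaving alone a legitimate sender who merely mistypes one address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real server). One record per RCPT TO,
# in an assumed simplified format: timestamp, client IP, recipient, SMTP code.
# 203.0.113.7 walks an alphabetical dictionary of local parts (a harvest);
# 198.51.100.22 is a normal correspondent who typos one address.
SAMPLE_LOG = """\
2004-08-04 09:00:01 client=203.0.113.7 rcpt=aaron@example.com status=550 User unknown
2004-08-04 09:00:02 client=203.0.113.7 rcpt=abby@example.com status=550 User unknown
2004-08-04 09:00:02 client=203.0.113.7 rcpt=adam@example.com status=250 Ok
2004-08-04 09:00:03 client=203.0.113.7 rcpt=adrian@example.com status=550 User unknown
2004-08-04 09:00:03 client=203.0.113.7 rcpt=alan@example.com status=550 User unknown
2004-08-04 09:00:04 client=203.0.113.7 rcpt=albert@example.com status=550 User unknown
2004-08-04 09:00:04 client=203.0.113.7 rcpt=alex@example.com status=550 User unknown
2004-08-04 09:00:05 client=203.0.113.7 rcpt=alice@example.com status=250 Ok
2004-08-04 09:00:05 client=203.0.113.7 rcpt=allen@example.com status=550 User unknown
2004-08-04 09:00:06 client=203.0.113.7 rcpt=amanda@example.com status=550 User unknown
2004-08-04 09:00:06 client=203.0.113.7 rcpt=amy@example.com status=550 User unknown
2004-08-04 09:00:07 client=203.0.113.7 rcpt=andrea@example.com status=550 User unknown
2004-08-04 09:10:00 client=198.51.100.22 rcpt=alice@example.com status=250 Ok
2004-08-04 09:10:30 client=198.51.100.22 rcpt=alcie@example.com status=550 User unknown
2004-08-04 09:11:00 client=198.51.100.22 rcpt=alice@example.com status=250 Ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) client=(?P<ip>[\d.]+) "
    r"rcpt=(?P<rcpt>\S+) status=(?P<code>\d{3})"
)


def parse(log_text):
    """Yield (timestamp, client_ip, recipient, smtp_code) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["rcpt"].lower(), int(m["code"]))


def detect_dha(log_text, window=timedelta(minutes=5), min_rejects=8,
               min_unknown_ratio=0.7, min_distinct_ratio=0.9):
    """Return {client_ip: (rejects, attempts, distinct_recipients)} for clients
    that, within any sliding `window`, produced at least `min_rejects` 550
    rejections, with rejections making up `min_unknown_ratio` of attempts and
    almost every attempt aimed at a different recipient (assumed thresholds).
    A harvester fits that shape; a sender with one typo does not."""
    per_ip = defaultdict(deque)  # ip -> recent (ts, rejected, rcpt) tuples
    flagged = {}
    for ts, ip, rcpt, code in parse(log_text):
        q = per_ip[ip]
        q.append((ts, code == 550, rcpt))
        while q and ts - q[0][0] > window:  # drop records older than the window
            q.popleft()
        attempts = len(q)
        rejects = sum(1 for _, rejected, _ in q if rejected)
        distinct = len({r for _, _, r in q})
        if (rejects >= min_rejects
                and rejects / attempts >= min_unknown_ratio
                and distinct / attempts >= min_distinct_ratio):
            flagged[ip] = (rejects, attempts, distinct)
    return flagged


if __name__ == "__main__":
    for ip, (rej, att, dist) in detect_dha(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: "
              f"{rej} unknown-user rejections in {att} attempts to {dist} recipients")
```

Run as-is it reports only 203.0.113.7. The thresholds are the tuning knobs: too low and a mailing-list host with a stale subscriber list trips the alarm; too high and a slow harvester that spaces its probes out beyond the window slips through. The usual response is to tarpit or temporarily block the flagged client rather than drop mail outright, and a gateway that accepts every RCPT TO and bounces later, or answers valid and invalid recipients identically, denies the harvester the signal it is after in the first place.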


==== 2. Special Report: Black Hat USA 2004 Briefings ====

by Mark Burnett

Black Hat, a computer security conference and training company, held the 8th annual Black Hat Briefings last week in Las Vegas. The conference included presentations by nearly 50 speakers from a variety of backgrounds. Among the key topics were electronic voting, privacy on the Internet, Google hacking techniques, and zero-day exploits.

"We spent more time picking speakers this year," said Jeff Moss, CEO of Black Hat. "We received a record number of submissions and the quality was remarkable." According to Moss, the focus of the talks has shifted to address new and upcoming security threats: "A couple years ago, the interest was in detecting [known] attacks. The new interest is how you defend against unknown attacks." Moss added that the speakers are "turning their focus to the more difficult problems."

One underlying issue addressed in many of the talks is the decreasing amount of time between the announcement of a vulnerability and the deployment of code to exploit it. "Time to attack has gotten so small," said Moss. "It used to be a two-week process that has shifted to one day." According to Stephen Toulouse, a Microsoft security product manager, "The biggest challenge we are dealing with now is people releasing attack code. We're seeing the time to attack shrinking."

Dr. Rebecca Mercuri and Bev Harris presented research and analysis on electronic voting and the possible manipulation of it. Mercuri and Harris spoke about the October 2003 California governor recall election, providing an analysis that dispelled erroneous assertions about the benefits of electronic voting and raised questions about the accuracy of election systems. Black Hat also announced the launch of "The Mezonic Agenda: Hacking the Presidency Contest," hosted by Syngress Publishing. Conference attendees received a copy of a CD-ROM that contains a game with the object of hacking and ultimately controlling the outcome of a mock US presidential election. Contestants must use their hacking skills to make themselves the winning candidate of the simulated election.

Other speakers presented sessions on the topics of Zero-Day Code, Phishing for Organized Crime, First Global Cyber-War, Secure Wireless Network Deployment, Customer Data Protection, and new Web application attacks. Speakers included Halvar Flake, Black Hat's resident reverse engineer, and Greg Hoglund, author of "Exploiting Software."

Black Hat holds five conferences annually in North America, Europe, and Asia. For information about upcoming Briefings, visit

==== 3. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: New MyDoom Worm Variant Affects Search Engines Too

A new MyDoom worm variant, [email protected], was discovered on July 26. Computers affected by the worm are used to perform queries on various search engines to harvest email addresses. According to reports, a significant number of computers were affected by the worm and caused some strain on popular search engines, including Lycos, AltaVista, Yahoo!, and Google.

News: Microsoft Promises IE Patch for Download.Ject Soon

Microsoft will finally issue a critical security patch for its infamously buggy Internet Explorer (IE) Web browser this week (possibly by the time you read this newsletter), out of sync with the company's planned monthly security fixes. The patch will fix the flaw that led to last month's Download.Ject malware attack and will be applicable to IE 6.0, IE 5.5, and IE 5.01. The patch follows an unprecedented configuration change update that the company released to partially fix the Download.Ject problem; security experts quickly denounced the change as ineffective.

Feature: A First Look at Windows Firewall

Paula Sharick notes that after plowing through more than 200 pages of documentation about the extensive changes in Windows XP Service Pack 2 (SP2), she wasn't optimistic about testing the XP SP2 beta. With the introduction of a real firewall; security controls for Distributed COM (DCOM), remote procedure call (RPC), and WWW Distributed Authoring and Versioning (WebDAV) operations; secure wireless networking; the ability to kill pop-ups; and hands-on management of Microsoft Internet Explorer (IE) plug-ins, SP2 has more in common with a new OS than a service pack with bug fixes. The upgrade also changes the open-access paradigm to a limited- or no-access orientation, which in theory can wreak havoc with network connectivity and server-based operations. Read the rest of Paula's first look at XP SP2 Windows Firewall on our Web site.


==== Announcements ====

(from Windows & .NET Magazine and its partners)

Get 2 Free Sample Issues of SQL Server Magazine!

If you're a SQL Server user, SQL Server Magazine is a must-read. Each issue offers a treasury of relevant articles, savvy tips, endless code listings, and expertise that will give you the answers you are looking for. Choose from a library of hot topic discussions relating to reporting services, security, high availability, and much more. Order now:

Finding the Right Antispam Solution When You Need It

In this free Web seminar, learn how to implement a "holistic" approach to email security that eliminates spam, minimizes risk from viruses, saves money, and reduces the administrative burden on IT staff. And, you'll find out the benefits of the "preemptive" email security approach compared with more traditional approaches. Register now!

Extending Microsoft Office with Integrated Fax Messaging

Are you "getting by" using fax machines or relying on a less savvy solution that doesn't offer truly integrated faxing from within user applications? Attend this free Web seminar and learn what questions to ask when selecting an integrated fax solution, discover how an integrated fax solution is more efficient than traditional faxing methods, and learn how to select the fax technology that's right for your organization. Register now!


==== 4. Security Matters Blog ====

by Mark Joseph Edwards,

Check out these recent entries in the Security Matters blog:

MyDoom Strikes Again

If you're looking for more details about the latest MyDoom worm variant, [email protected], you can find some interesting analysis, including links to analysis from several antivirus vendors, in the Handler's Diary for July 26 at the SANS Internet Storm Center Web site.

Windows Server 2003 Security Guide

The default installation of Windows Server 2003 is much more secure than previous Windows versions. Even so, you might consider making some additional adjustments to further tighten security, depending on your needs, by using Microsoft's new Windows Server 2003 security guide.

==== 5. Security Toolkit ====

FAQ: Why Can't I Update the Active Directory (AD) Schema for Microsoft Systems Management Server (SMS)?

by John Savill,

A. I recently had this problem too--I had a lab environment in which I repeatedly tried--and failed--to update the schema for SMS by running the extadsch.exe command. After I ran the command, the log file contained a lot of failure messages. After much investigation, I discovered the reason for the failed schema update: I had many domain controllers (DCs) that weren't running and consequently had replication errors. After I started the DCs and resolved the replication errors by forcing a replication, the schema update worked perfectly. You can review the log's failure messages and the subsequent success messages in the FAQ on our Web site.


==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: )

Free Roadshow in Your City Soon--HP Wireless & Mobility Roadshow 2004

In this free Roadshow, you'll discover trends in the wireless and mobility industry and come away with a better understanding of wireless and mobility solutions. And, talk firsthand about your wireless projects with leaders in the industry. See proven wireless and mobile solutions in action. Register now!


==== 6. New and Improved ====

by Jason Bovberg, [email protected]

HTTP-Based Patch Distribution

Configuresoft announced Security Update Manager (SUM) 2.5, software that lets you safely distribute patches and software updates across firewalls via HTTP. SUM 2.5 is an add-on module for Configuresoft's Enterprise Configuration Manager (ECM). SUM 2.5 reduces the risk and vulnerabilities associated with opening ports on network firewalls to deploy patches on systems within an organization's Demilitarized Zone (DMZ) and machines located outside the network perimeter. Pricing for SUM 2.5 starts at $25 per server and $5 per workstation. Pricing for ECM starts at $995 per server and $30 per workstation. For more information about SUM and ECM, contact Configuresoft at 719-447-4600 or on the Web.

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====


Comparison Paper: The Argent Guardian Easily Beats Out MOM


Free Download--New - Launch NetOp Remote Control from a USB Drive


Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


==== Contact Our Sponsors ====

Primary Sponsor:

OpenNetwork -- -- 1-877-561-9500

Secondary Sponsor:

Postini -- -- 1-888-584-3150


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

View the Windows & .NET Magazine privacy policy at

Windows & .NET Magazine, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
