Security UPDATE--Honeywall CD-ROM--May 19, 2004


==== This Issue Sponsored By ====

Postini Preemptive Email Protection

Sybari Software


1. In Focus: Honeywall CD-ROM: A Honeynet on a Bootable Disk

2. Security News and Features
- Recent Security Vulnerabilities
- News: Serious Vulnerability in 802.11b and 802.11g Networks
- News: You've Been Hacked, Now Rebuild Your System

3. Instant Poll

4. Security Toolkit
- Featured Thread

5. New and Improved
- Extranet, Intranet, and Remote Access Policy Enforcement


==== Sponsor: Postini Preemptive Email Protection ====

Free Whitepaper: Top 10 Reports for Email Admins
This paper will show you the top ten reports every email administrator really shouldn't live without, including dashboard views of inbound email activity, SMTP connection and delivery monitoring, as well as outbound email and content. Assuring comprehensive email security and management for your enterprise requires real-time monitoring and detailed, flexible reporting. Postini provides an award-winning web console "dashboard" that helps email administrators manage their email protection more effectively and efficiently with a host of monitoring and trending reports. Reports show inbound spam by domain and recipient, as well as viruses by name and overall traffic by domain and recipient.


==== 1. In Focus: Honeywall CD-ROM: A Honeynet on a Bootable Disk ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

In the April 28 edition of this newsletter, I mentioned the new version of Network Security Toolkit (NST), which is the creation of Paul Blankenbaker and Ron Henderson. NST is loaded with security tools and is available as a bootable CD-ROM. The toolkit is based on Red Hat Linux 9.0, and you can download it as an International Organization for Standardization (ISO) image and make the CD-ROM yourself.

This week, I learned about another free security-related tool that you might want to try. The Honeynet Project has released a new beta version of Honeywall CD-ROM, which, as you might suspect, lets you create a bootable disk that offers the tools necessary to run a honeypot network.

Honeywall CD-ROM is based on a trimmed-down version of Linux and is configurable both before and after bootup. You can add items you might need or make configuration changes that suit your environment. For example, you could add Secure Shell (SSH) keys, set your IP address preferences, and so on, then burn a CD-ROM so that when you boot to the CD-ROM your system is already configured and ready for use.

To use Honeywall CD-ROM, you need a system with 256MB of RAM or more, an IDE hard drive, at least two network cards, and of course a CD-ROM drive to boot from. A Pentium III processor (or equivalent) is also recommended. The Honeywall CD-ROM ISO image is a little over 50MB, and you can download a copy by visiting the Honeynet Project's Honeywall CD-ROM Web site.

If you're wondering what honeypots and honeynets are all about, we've published numerous articles about them--most recently, "Honeypots for Windows" by Roger Grimes in March. Grimes explains some basics about honeypots and offers an inside peek into four commercial products that let you build honeypots on Windows platforms.

We have many other articles related to honeypots available online, including news and commentary. You can locate them quickly by using our search engine. I've included a couple of shortcuts below that list the most recent articles first.


==== Sponsor: Sybari Software ====

Get on the Road to Secure Computing with Sybari and you could find yourself in the driver's seat of a new 2004 MINI Cooper!
Get your key to enter our giveaway by looking inside your TechEd attendee bag, or visit Sybari booth #417 and register to win! Not attending TechEd? Enter to win a MINI Cooper remote control car. Click here to enter:


==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: Serious Vulnerability in 802.11b and 802.11g Networks
The Australian Computer Emergency Response Team (AusCERT) released an advisory about a newly discovered Denial of Service (DoS) vulnerability in 802.11 wireless networks. As you know, Access Points (APs) broadcast on a given channel and frequency. An attacker can exploit the Clear Channel Assessment (CCA) procedure used by 802.11 equipment, making the channel appear to be busy. Under such conditions, all APs and client stations defer their transmissions while they wait for the channel to become idle. However, an idle condition won't ensue until the DoS attack ceases.

News: You've Been Hacked, Now Rebuild Your System
Microsoft Security Program Manager Jesper Johansson has published another article, "Help: I Got Hacked. Now What Do I Do?" The article raises that question, outlines more than half a dozen things that you can't do to correct the problem, and concludes that you must rebuild your system.


==== Announcements ====
(from Windows & .NET Magazine and its partners)

Windows Connections October 24-27, Orlando, Florida.
Save these dates for the Fall 2004 Windows Connections conference, which will run concurrently with Microsoft Exchange Connections. Register early and receive admission to both conferences for one low price. Learn firsthand from Microsoft product architects and the best third-party experts. Go online or call 800-505-1201 for more information.

New Web Seminar: Preemptive Email Security Works for Chick-fil-A--It Can Work for You
Become the company hero! Save your company time and money by preventing unwanted and lost email. In this free Web seminar, hear from an email expert--and learn from a real-world Chick-fil-A case study--about how you can reduce spam and viruses and improve email security and employee productivity. Register now!

Windows & .NET Magazine Announces Best of Show Finalists
Windows & .NET Magazine and SQL Server Magazine announced the finalists for the Best of TechEd 2004 Awards. The field included more than 260 entries in 10 categories. Winners will be announced at a private awards ceremony on Wednesday, May 26. The winners will also be announced at TechEd on Thursday, May 27 at 12:30 p.m. at the Windows & .NET Magazine booth #625. Click here to find out this year's finalists:


==== Hot Release: Access the expert's white paper library ====

Get expert advice on Active Directory and Exchange from Quest, now including the people and products of Aelita Software. Quest's library of white papers details topics that simplify, automate, and secure your Microsoft infrastructure. The authoritative leader on Active Directory and Exchange, Quest Software is your single source for Windows management solutions and expert industry information. Access the white paper library today.


==== 3. Instant Poll ====

Results of Previous Poll
The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Has your company become infected by the Sasser or Gaobot worm?" Here are the results from the 138 votes.
- 31% Yes
- 57% No
- 12% I'm not sure

New Instant Poll
The next Instant Poll question is, "Which wireless intrusion prevention system do you use?" Go to the Security Web page and submit your vote for
- AirDefense products
- AirMagnet products
- Red-M products
- Aruba Wireless Networks products
- Other products

==== 4. Security Toolkit ====

FAQ: What's acctinfo.dll?
by John Savill

A. Acctinfo.dll is a DLL that extends the functionality of the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Acctinfo.dll is included in the Windows Server 2003 Resource Kit tools. Installing acctinfo.dll adds the Additional Account Info tab to the user object's Properties page. This tab contains a variety of information, including
* the last time the password was set
* domain password policies
* password expiration date
* lockout status
* last good and bad logons

To install acctinfo.dll, run the command:

regsvr32 acctinfo.dll

If the command doesn't work (i.e., if Regsvr32 can't locate acctinfo.dll), specify the full path to acctinfo.dll in the command. Acctinfo.dll is typically located in C:\program files\windows resource kits\tools.

Featured Thread: Risk Assessment--Lack of Physical Protection Over Client Machines
(Two messages in this thread)
Paul writes that his server rooms have a high level of physical protection; however, client machines could easily be accessed by a member of the public. He can't do anything about the exposure because of the nature of his organization. He's trying to assess the risks to files stored locally and to overall network security. He's made some relevant observations about how people might gain control over a machine if they have physical access and he's come up with some solutions to help guard client machines, but he wonders if anyone has any other recommendations about how to protect machines against physical access. Lend a hand or read the responses:


==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine)

The Exchange Server Seminar Series--Coming to Your City Soon!
Simplify your life and others' lives with Windows Server 2003 and Exchange Server 2003. Learn the advantages of migrating to an integrated communications environment, consolidating and simplifying implementation of technology, and accelerating worker productivity. Register now for this free event!


==== 5. New and Improved ====
by Jason Bovberg

Extranet, Intranet, and Remote Access Policy Enforcement
NetScreen Technologies announced the next-generation release of its Secure Access product family, built on the new Neoteris Instant Virtual Extranet (IVE) 4.0 platform, which includes sophisticated enterprise-class access-management capabilities. NetScreen Secure Access appliances running on the IVE 4.0 platform address the advanced security needs of customers deploying partner extranets and intranets with dynamic access privilege management, rich user self-service, granular role-based delegation, and centralized management. Available IVE 4.0 functionality and feature sets vary based on purchase and deployment options. For more information about IVE 4.0, contact NetScreen Technologies at 800-638-8296 or on the Web.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====

Comparison Paper: The Argent Guardian Easily Beats Out MOM

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts


==== Contact Our Sponsors ====

Primary Sponsor:
Postini -- 1-888-584-3150

Secondary Sponsor:
Sybari Software -- 1-631-630-8500

Hot Release Sponsor:
Quest Software -- 1-949-754-8000


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Windows & .NET Magazine, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
