Security UPDATE, October 8, 2003


==== This Issue Sponsored By ====

TNT Software

Shavlik HFNetChkPro Patch Management


1. In Focus: The Dangers of Uncontrolled Software Use

2. Announcements
   - New White Paper on Exchange 2003 Deployment
   - Check Out Our 2 New Web Seminars!

3. Security News and Features
   - Recent Security Vulnerabilities
   - News: Microsoft Preps Major Security Strategy Shift
   - News: XP Security Rollup Package in Beta
   - News: Microsoft Faces Security Class-Action Suit
   - Feature: How to Build a Snort Server

4. Security Toolkit
   - Virus Center
   - Virus Alert: Trj/Hatoy.A
   - FAQ: How do I prevent administrators from successfully using L0phtCrack?
   - Featured Thread: How to Stop Viruses from Spreading

5. Event
   - The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!

6. New and Improved
   - Control USB and FireWire Devices
   - Secure All Data
   - Tell Us About a Hot Product and Get a T-Shirt

7. Contact Us
   See this section for a list of ways to contact us.

==== Sponsor: TNT Software ====
FREE Download: Automate Event Log Monitoring
Automate event log monitoring, provide real-time intrusion detection, and satisfy mandated auditing requirements all with TNT Software's ELM Log Manager. Preferred by small businesses because of its ease of use and Fortune 500 companies because of its reliability, ELM 3.1 is the affordable solution with the scalability to consolidate MILLIONs of events and Syslog messages a day, display them in custom views, launch critical alerts, and schedule reports. Download your FREE 30-day fully functional evaluation software NOW and start experiencing the benefits of automated log monitoring.


==== 1. In Focus: The Dangers of Uncontrolled Software Use ====
by Mark Joseph Edwards, News Editor, [email protected]

Surely, most of you know about various peer-to-peer (P2P) software packages, such as KaZaA and the soon-to-be-revived Napster. Millions of people use P2P software to trade files, sometimes in violation of copyright laws.

Businesses should be aware of such software and control its use on their networks. One reason for doing so is that P2P software can consume huge amounts of bandwidth. Another reason is that employees might use P2P software to break the law while using company resources. Yet another reason is that employees should be spending their time working and not trading files on company time.

A new reason surfaced last week. I read an interesting post on a security mailing list regarding the P2P software and network called Earth Station 5 (ES5). The makers of ES5 claim to provide stealth activity and cloaking to protect users' privacy. They also claim to provide protection against viruses and other erroneous files, along with a variety of Web services.

What was so interesting about the post I read regarding ES5 is that the product has a serious security hole that lets any ES5 user delete files on another user's computer. The person who discovered the hole is convinced that due to the nature of the problem he found, the creators must have intentionally built in the ability to delete files on users' computers as some sort of back door.

That's a strong accusation to make, and although the product definitely has the security hole, I don't yet know whether the makers of ES5 actually put a back door in on purpose. The makers later issued a statement that said the ability to delete files was part of an automated upgrade process. Whether the back door was intentional or not, the matter points out the seriousness of not controlling what types of traffic are allowed to traverse your network and what sort of software users can install on their machines, if any. In the case of ES5, a remote user could wipe out critical files on your systems, leading to all sorts of problems.

Chances are that your company frowns on P2P use, but does it try to prevent it? You might recall that I mentioned a new hybrid technology, Passive Vulnerability Scanners (PVSs), last week. A PVS would be a great way to find out immediately whether someone had installed unwanted software (such as a P2P client) on your company's computer, as opposed to finding out later through some sort of periodic audit. But you don't necessarily have to use a PVS to detect the use of unwanted software in real time.

If you have a flexible Intrusion Detection System (IDS) in place, you might be able to create IDS rules that can detect traffic from unwanted software the instant it moves traffic across your network. As you know, one very popular IDS tool, Snort, allows users plenty of flexibility to create custom rules. So you could develop a Snort rule that detects traffic from various types of software.
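A rule of the kind described above, with a small matcher that shows how its header and options are evaluated. This is an added example, not part of the original newsletter: the rule text, the X-Kazaa-Username header as a KaZaA marker, the HOME_NET range and the sample packets are assumptions constructed for illustration, and the matcher is a simplification, not Snort itself.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
# Constructed rule in Snort syntax. The header name is an assumed marker of a
# KaZaA (FastTrack) transfer; confirm it against your own packet captures.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"POLICY P2P KaZaA transfer from internal host"; '
        'flow:to_server,established; content:"X-Kazaa-Username|3A|"; nocase; '
        'classtype:policy-violation; sid:1000001; rev:1;)')

def decode_content(value):
    """Convert Snort content text, including |hex| runs, to raw bytes."""
    parts = value.strip('"').split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(parts))

def parse_options(rule):
    """Return the rule body as an ordered list of (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    items = [s.strip() for s in body.split(";") if s.strip()]
    return [tuple(x.strip() for x in s.partition(":")[::2]) for s in items]

def evaluate(rule, pkt):
    """Return (sid, msg) if pkt triggers the rule, else None."""
    opts = parse_options(rule)
    # Header and flow, simplified: established client traffic leaving HOME_NET.
    src, dst = (ipaddress.ip_address(pkt[k]) for k in ("src", "dst"))
    if not (src in HOME_NET and dst not in HOME_NET and pkt["established"]):
        return None
    for i, (key, value) in enumerate(opts):
        if key == "content":
            needle, hay = decode_content(value), pkt["payload"]
            # nocase modifies the content option that precedes it
            if opts[i + 1:i + 2] == [("nocase", "")]:
                needle, hay = needle.lower(), hay.lower()
            if needle not in hay:
                return None
    return int(dict(opts)["sid"]), dict(opts)["msg"].strip('"')

# Constructed sample traffic (RFC 1918 and RFC 5737 addresses).
SAMPLES = [
    {"src": "10.1.2.3", "dst": "203.0.113.9", "established": True,
     "payload": b"GET /song.mp3 HTTP/1.1\r\nx-kazaa-username: alice\r\n\r\n"},
    {"src": "10.1.2.4", "dst": "198.51.100.7", "established": True,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]

if __name__ == "__main__":
    print([evaluate(RULE, p) for p in SAMPLES])
```

The first sample raises the policy alert; the second, ordinary Web browsing from the same network, does not.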

Martin Roesch (creator of Snort) and Hugh Njemanze (founder of ArcSight) gave a Webcast last week that was sponsored by The SysAdmin, Audit, Network, Security (SANS) Institute. Roesch discussed "the use of passive network discovery, behavioral profiling and vulnerability analysis techniques" along with "intrusion detection, reducing false positives and negatives as well as opportunities for evasion." Njemanze discussed "how the context and robust correlation techniques of centralized security management take maximum advantage of the alarms and alerts produced not only by IDSs but also all the other security-relevant sources of information that are available."

The Webcast is archived at SANS, so you can check it out after registering. You can find the synopsis and links to it at the SANS Web site. Be sure to check out the list of upcoming Webcasts too--at the second URL below.


==== Sponsor: Shavlik HFNetChkPro Patch Management ====
Get Patched Now with Shavlik HFNetChkPro
Immediately deploy critical patches, including MS03-040, with Shavlik HFNetChkPro patch management software and make a powerful impact on your enterprise security. HFNetChkPro is a must-have for any busy network administrator in charge of security updates. Its easy-to-use interface makes patch management a breeze. Create machine groups or patch groups for quick scanning and deployment and produce management reports in minutes. Download the free version of HFNetChkPro with no time-outs at


==== 2. Announcements ====
(from Windows & .NET Magazine and its partners)

New White Paper on Exchange 2003 Deployment
In this timely white paper, Microsoft Exchange expert Kieran McCorry, from HP's Exchange consulting group, outlines the best options for organizations migrating to Exchange Server 2003. The paper outlines inter- and intra-organizational migration issues and the benefits of server consolidation during deployment. Get your copy today!

Check Out Our 2 New Web Seminars!
"Plan, Migrate, Manage: Shifting Seamlessly from NT4 to Windows 2003" will help you discover tips and tricks to maximize planning, administration, and performance. "The Secret Costs of Spam ... What You Don't Know Can Hurt You" will show you how to quantify costs and find antispam solutions. Register today!


==== Virus Update from Panda Software ====
Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control.

Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today!


==== 3. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: Microsoft Preps Major Security Strategy Shift
Under attack from various quarters because of the perceived lack of security in its products, Microsoft is close to announcing a strategy shift in its Trustworthy Computing initiative. According to executives from the software giant, Microsoft's short-term strategy will shift from patch management to what the company calls "securing the perimeter."

News: XP Security Rollup Package in Beta
Microsoft hasn't officially made any announcements yet; however, according to, Microsoft has released a beta version of its forthcoming Security Rollup Package 1 (SRP1) for Windows XP.

News: Microsoft Faces Security Class-Action Suit
A consumer in California filed a class-action lawsuit on behalf of potentially millions of additional plaintiffs against Microsoft this week, claiming that the software giant's dominant Windows platform is vulnerable to dangerous virus attacks that could trigger "massive" and "cascading" failures of the world's networks. Given Microsoft's unbelievable security problems this year and public admissions by the company's executives that the worst was yet to come, it's likely that this lawsuit and others like it were inevitable.

Feature: How to Build a Snort Server
Intrusion Detection Systems (IDSs) are an important part of any network. One free, open-source tool for implementing an IDS on networks is Snort. (If you're unfamiliar with IDSs, see "Protect Your Network from Intrusion" at the first URL below and "Deploy Your Network IDS Effectively" at the second URL below.) To build a Snort server in a Windows 2000 environment, you need to install and secure Win2K Server, install Snort and its companion files, and test Snort's various modes. Read Morris Lewis's article (at the third URL below) for details.


==== Hot Release: Free Trial SSL Certificate from Thawte ====
Take your first step towards giving your online business a competitive advantage. Test-drive a Thawte SSL certificate – our easy online guide will show you how. Click here to get started:


==== 4. Security Toolkit ====

Virus Center
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

Virus Alert: Trj/Hatoy.A
Panda Software reports that a new Trojan horse, Hatoy.A, is spreading via Web browsers. Hatoy.A affects users of Microsoft Internet Explorer (IE) by exploiting a known vulnerability in the browser for which no patch is currently available. The Trojan horse manipulates users' systems to change DNS entries so that users are redirected to a site different from the one whose URL they entered. For more information about Hatoy.A, see Panda's report:

FAQ: How do I prevent administrators from successfully using L0phtCrack?
contributed by John Savill,

A: In Windows 2000, thanks to automatic activation of the Syskey utility, @stake's L0phtCrack is useless against password hashes in the SAM or Active Directory (AD) unless the user has Administrator access. You can't stop administrators who use L0phtCrack from cracking passwords; you can only slow them down. To do so, begin by adding the NoLmHash registry value described in the Microsoft article "How to Prevent Windows from Storing a LAN Manager Hash of Your Password in Active Directory and Local SAM Databases" (at the URL below).

However, keep in mind that even after you set the new registry key, an administrator can use L0phtCrack to crack passwords. Syskey encrypts password hashes stored on disk in the SAM or in AD on domain controllers (DCs). However, an administrator can use L0phtCrack to dump password hashes from OS memory because password hashes in memory aren't encrypted.

When you enable NoLmHash, Win2K doesn't automatically delete the LAN Manager hash for users. To get rid of the hash, you must reset each user's password. Even after you reset passwords, however, administrators can use L0phtCrack because Win2K stores two hashes for each account: the old, weak LAN Manager hash and a stronger Windows NT hash. L0phtCrack can use either hash but takes longer to crack accounts when only the NT hash is present.
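One way to confirm which accounts still carry a LAN Manager hash after NoLmHash is enabled and passwords are reset. This is an added example, not from the original FAQ or from Microsoft; it assumes an export of your own accounts in pwdump format (user:RID:LM:NT:::), and the function names and sample data are constructed for illustration.

```python
import re

# LM hash of the empty string; a pwdump-style export shows it (or a
# "NO PASSWORD***" filler) when no LAN Manager hash is stored for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
LINE = re.compile(r"^([^:]+):(\d+):([^:]*):([^:]*):")

def audit(dump_text):
    """Classify each account by whether a LAN Manager hash is still stored."""
    status = {}
    for line in dump_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        user, lm = m.group(1), m.group(3).lower()
        if lm in ("", EMPTY_LM) or lm.startswith("no password"):
            status[user] = "lm-cleared"
        elif lm[16:] == EMPTY_LM[:16]:
            # Second 7-character half is empty: password is 7 characters or fewer.
            status[user] = "lm-present-short"
        else:
            status[user] = "lm-present"
    return status

def needs_reset(dump_text):
    """Accounts whose passwords must still be reset to purge the LM hash."""
    return sorted(u for u, s in audit(dump_text).items() if s != "lm-cleared")

# Constructed export in pwdump format (user:RID:LM:NT:::); the hash fields are
# placeholder hex, not real hashes, apart from the well-known empty-LM value.
SAMPLE = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
bob:1002:1111111111111111aad3b435b51404ee:00000000000000000000000000000002:::
carol:1003:22222222222222223333333333333333:00000000000000000000000000000003:::
dave:1004:NO PASSWORD*********************:00000000000000000000000000000004:::
"""

if __name__ == "__main__":
    for user, state in audit(SAMPLE).items():
        print(f"{user:8} {state}")
    print("reset required:", needs_reset(SAMPLE))
```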

Featured Thread: How to Stop Viruses from Spreading
(Five messages in this thread)
A user writes that he's an administrator for 200 computers. He wants to know whether he should put a firewall on every workstation on his network to stop viruses from spreading or use some other approach. Lend a hand or read the responses:

==== 5. Event ====

The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!
Learn more about the wireless and mobility solutions that are available today, plus discover how going wireless can offer low risk, proven performance, and compatibility with existing and emerging industry standards. Register now for this free, 12-city event!

==== 6. New and Improved ====
by Jason Bovberg, [email protected]

Control USB and FireWire Devices
SmartLine released DeviceLock 5.5, a security solution that lets you restrict access to USB and FireWire (IEEE 1394) devices on Windows 2003/XP/2000/NT 4.0 machines. Standard Windows access-control solutions don't permit the assignment of permissions for USB and FireWire ports. DeviceLock gives you control over which users can access these ports and certain devices (e.g., floppy-disk drives, CD-ROM drives, tape devices) on a local computer. DeviceLock costs $35 for a single-user license. A free, fully functional demonstration version is available for download from SmartLine's Web site. For more information about DeviceLock, contact SmartLine on the Web.

Secure All Data
Cypherix announced Cryptainer LE, 128-bit data-encryption software. Cryptainer LE stores all sensitive information in encrypted 5MB ghost drives that appear and disappear at your convenience. Only the user who owns a specific passkey can view, access, browse, or modify files inside a ghost drive. You can install and run programs inside this encrypted drive. Cryptainer LE runs on Windows XP/2000/Me/9x and conforms to international standards. It runs as a special Windows device driver operating on a 128-bit implementation of the Blowfish algorithm in Cipher Block Chaining (CBC) mode, with a block size of 64 bytes. Cryptainer LE is a free, fully functional product that you can download from Cypherix's Web site. For more information about Cryptainer LE, contact Cypherix on the Web.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====

CrossTec
Free Download - NEW NetOp 7.6 - faster, more secure, remote support

Microsoft
Attend a Microsoft(R) Office System Launch Event -- Get a FREE Eval Kit


==== 7. Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today.

__________________________________________________________ Copyright 2003, Penton Media, Inc.
