Security UPDATE--Security Through Obscurity--June 1, 2005

1. In Focus: Security Through Obscurity

2. Security News and Features

- Recent Security Vulnerabilities

- How Hotmail Filters Junk Mail

- Netcraft's New Anti-Phishing Tools

- IIS 6.0 Enhancements in Windows 2003 SP1

3. Security Toolkit

- Security Matters Blog

- FAQ

- Security Forum

4. New and Improved

- Detect and Stop Network Intrusions

==== Sponsor: Oracle ====

Converting a Microsoft Access Application to Oracle HTML DB

Get the most efficient, scaleable and secure approach to managing information using an Oracle Database with a Web application as the user interface. In this free white paper learn how you can use an Oracle HTML Database to convert a Microsoft Access application into a Web application that can be used by multiple users concurrently. You'll learn how to improve the original application by adding hit highlighting and an authorization scheme to provide access control to different types of users. Download this free white paper now!

http://www.windowsitpro.com/whitepapers/oracle/htmlaccess/index.cfm?code=sectop_601

==== 1. In Focus: Security Through Obscurity ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Suddenly, I realized that if there's no such thing as security through obscurity (as some people claim), then maybe there's no such thing as strong security at all. This thought was brought on by reading an entry by George Ou in his blog at ZDNet. Ou writes about what he considers to be "the six dumbest ways to secure a wireless LAN." Although I agree with Ou that the items he lists don't offer much in the way of security, I think he's wrong that using the cited methods is dumb.

http://blogs.zdnet.com/Ou/index.php?p=43

First on Ou's list of dumb wireless security measures is MAC address filtering. His reasoning is that anybody with a sniffer can grab MAC addresses, therefore filtering connectivity to a wireless Access Point (AP) based on MAC addresses is useless. Second on the list is hiding Service Set Identifiers (SSIDs). Ou states that there are five ways that SSIDs are transmitted, only one of which can be shut off through simple configuration settings. The other ways can't be shut off, thus there's no such thing as hiding an SSID. Third on the list is Lightweight Extensible Authentication Protocol (LEAP) authentication. Ou thinks that LEAP is useless because it requires the use of strong passwords to be effective and it's impossible for humans to manage strong passwords. Also, LEAP is a proprietary Cisco Systems protocol.

Next on the list is disabling DHCP. Ou's idea here is that anybody with a sniffer can determine what addresses are in use and manually assign themselves an address from the same network block. Fifth on the list is antenna placement. Some people recommend placing antennas in the center of a building and running APs at minimum power to limit their wireless network's reach. This doesn't work because hackers use strong antennas. Last on the list is the use of 802.11a or Bluetooth, neither of which actually offers added security.

A basic tenet of information security is that no security mechanism is 100 percent effective. Another alleged tenet is that there is no security through obscurity. The first tenet might be true, but the second must be false because it seems to me that all forms of security are forms of obscurity with varying degrees of effectiveness. Here's a proof: Any form of strong encryption is extremely hard to crack, but somebody with enough time and computing power can eventually break even the strongest encryption. Strong encryption provides a barrier that significantly narrows the field of potential intruders but doesn't eliminate all possible intrusion. Therefore, strong encryption is a form of obscurity, and it certainly provides a good measure of security.

By obscuring a wireless network as much as possible, you can prevent a significant number of intrusions because some potential intruders will lack the resources needed to get past the obstacles. So even the most trivial measures, such as not broadcasting SSIDs, will in fact prevent some intruders from gaining access to a wireless network.

That said, I want to mention something about strong passwords, particularly since Ou claims they are impossible for humans to manage. It can be difficult at first to memorize a strong password, but it's certainly not impossible. One creative technique for forming a difficult-to-crack password is to assemble a passphrase that includes words from different languages. Why not pick one or more words in other languages that use the same character set (even if you don't speak the language), memorize those words, and use them in some way to create strong passwords and passphrases? After all, how many intruders will guess that your strong passwords comprise a dozen different words from a dozen different languages? And how many will collect dozens of dictionaries in an effort to attempt to crack your passwords and passphrases?

==== Sponsor: Postini ====

Anti-Spam product not working? What more companies are switching to... and why.

Many email administrators are experiencing increased frustration with their legacy anti-spam products as they battle new and more dangerous email threats. In-house software, appliances and even some services may no longer work effectively, require too much IT staff time to update and maintain, or satisfy the email security needs of different users. In this free white paper learn why many companies are switching to a managed service solution. You'll find out how to get better accuracy and effectiveness, lower overhead and administrative costs, get more flexible end user controls, improve service and support and more. Download your free copy now!

http://www.windowsitpro.com/whitepapers/postini/managedservice/index.cfm?code=sechot_601

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

How Hotmail Filters Junk Mail

Microsoft launched a new MSN Postmaster Web site at which the company released details about how it filters junk email messages destined for Hotmail accounts. The company also launched a Web site to let companies view how much junk mail destined for Hotmail inboxes originates from their networks.

http://www.windowsitpro.com/Article/ArticleID/46532

Netcraft's New Anti-Phishing Tools

The Netcraft Toolbar helps prevent you from accidentally accessing phishing Web sites. The toolbar has been available for Microsoft Internet Explorer for quite some time and now is available for Mozilla Firefox.

http://www.windowsitpro.com/Article/ArticleID/46527

IIS 6.0 Enhancements in Windows 2003 SP1

Although most of the major Windows Server 2003 Service Pack 1 (SP1) changes are in the core OS, SP1 doesn't neglect Microsoft IIS. The service pack contains several significant IIS enhancements, including Secure Sockets Layer (SSL) support in kernel mode. Michael Otey outlines those changes in this article on our Web site.

http://www.windowsitpro.com/Article/ArticleID/46381

==== Resources and Events ====

Find Out What's New in SQL Server Analysis Services 2005

In this free Web seminar, gain an in-depth understanding of the many new features and capabilities Microsoft has introduced in SQL Server 2005 Analysis Services. You'll learn about data source views, user-defined hierarchies, measure groups, KPIs and more! Plus--get all you need to know about integration with Integration Services and Reporting Services and the new deployment and synchronization capabilities in SQL Server 2005 Analysis Services.

http://www.windowsitpro.com/seminars/SQLServerAnalysisServices/index.cfm?code=0601emailannc

Show Us How You've Used Windows Technology in Innovative Ways

If you've used Windows technology in creative ways to devise specific, beneficial solutions to problems your business has faced, we want you! Now's your chance to get the recognition you deserve. Enter the 2005 Windows IT Pro Innovators Contest now! You could win a complimentary conference pass to Exchange Connections and Windows Connections in San Diego in late October 2005.

http://www.windowsitpro.com/AWARDS/innovators_2005.cfm

PCII 2005 - Monday 6th June 2005, QEII Conference Centre, London

Keynote: The Rt. Hon the Lord Heseltine CH. Information Security Issues for Management (not just IT). With the ever-increasing risk of Electronic attack it pays to be up to date on the latest threats and solutions. Attend PCII and ensure your business is protected for the future! Relevant to Public and Private Sectors--Register now.

http://www.pcii-initiative.co.uk

True High Availability – Going Beyond Backup and Data Replication

In this free Web seminar discover the various categories of high availability and disaster recovery solutions available and the pros and cons of each. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a non-disruptive, automatic switchover to a secondary server. Register Now!

http://www.windowsitpro.com/seminars/truehighavailability/index.cfm?code=0601emailannc

Get Ready for SQL Server 2005 Roadshow in Europe

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

http://www.windowsitpro.com/roadshows/sqlservereurope/index.cfm?code=0601emailannc

==== Featured White Paper ====

Is Your Office Truly Fax Integrated?

Discover how to make your business more productive with easier ways for users to communicate and carry out mission-critical business processes. In this free white paper, learn how to integrate fax technology with Microsoft Office and Exchange Server and Outlook applications. Get usage examples of Office-to-Fax integration, learn the benefits, learn how fax works with Office, and more. Download your copy now!

http://www.windowsitpro.com/whitepapers/faxback/officefax/index.cfm?code=0601emailannc

==== Hot Release ====

Avoiding Availability Pitfalls in Microsoft Exchange Environments

When Microsoft Exchange is down, many businesses are down. Although many solutions are targeted at making Exchange email environments more reliable, a wide range of potential difficulties still lurk, waiting to interrupt service and, ultimately, your business. In this free white paper, discover the more common pitfalls that can lessen Exchange availability and the recommendations for what you can do to avoid the problem and better plan your Microsoft Exchange messaging environment.

http://www.windowsitpro.com/whitepapers/messageone/availabilitypitfalls/index.cfm?code=sechot_601

==== 3. Security Toolkit ====

Security Matters Blog: .NET Security Toolkit

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Foundstone released its new .NET Security Toolkit, which can help developers create applications that are more secure. The free toolkit includes three tools: Validator.NET, .NETMon, and SecureUML.

http://www.windowsitpro.com/Article/ArticleID/46508

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: From which servers can you restore databases into Recovery Storage Groups?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/46474

Security Forum: Instant Messaging Security

An administrator for a network with 70 users writes that the network experiences a lot of virus attacks and worms through Instant Messaging (IM) clients. He doesn't want to prevent the use of IM, but he does want to secure messages, block messages that have certain keywords, block files with certain extensions, and so on. Offer a suggestion at

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=41541&enterthread=y

==== Announcements ====

(from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?

There are three good reasons to order our latest Windows IT Pro Master CD. One, because it's a lightning-fast, portable tool that lets you search for solutions by topic, author, or issue. Two, because it includes our Top 100 Windows IT Pro Tips. Three, because you'll also receive exclusive, subscriber-only access to our entire online article database. Click here to discover even more reasons:

http://www.windowsitpro.com/rd.cfm?code=cdeu2255up

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools and solutions you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now!

http://www.exchangeadmin.com/rd.cfm?code=fsep2355up

==== 4. New and Improved ====

by Renee Munshi, [email protected]

Detect and Stop Network Intrusions

EdgeForce Intrusion Prevention Service (IPS) software from ServGate Technologies detects and manages inappropriate data on the network and complements ServGate's firewall policies. EdgeForce IPS compares current network activity with a list of signatures known to represent malicious activity and employs other detection methods such as protocol analysis and heuristics to alert the administrator to unauthorized network activity. EdgeForce IPS can detect buffer overflows, stealth port scans, Common Gateway Interface (CGI) attacks, NetBIOS queries, HTTP-based attacks, and other network intrusions. For more information, visit

http://www.servgate.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Sponsored Links ====

Symantec and Gartner Present Client Resilience

Symantec Webcasts: Ensure devices are available and compliant.

http://ad.doubleclick.net/clk;16531258;8214395;k?http://sea.symantec.com/GWCWIPSL530

Optimizing Disk-Based Backups for SMBs and Distributed Enterprises

Combine disk-based backup with automated backup technology. Download now!

http://www.windowsitpro.com/whitepapers/emcdantz/diskbasedbackup/index.cfm?code=nlsplink

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]