Security UPDATE--Proactive Honeypots--August 17, 2005

Consolidate Your SQL Server Infrastructure


1. In Focus: Proactive Honeypots

2. Security News and Features

- Recent Security Vulnerabilities

- Recent Microsoft Security Bulletins: Exploits Already on the Loose

- Identity Theft Ring Used a Powerful Keyboard Logger

3. Instant Poll

4. Security Toolkit

- Security Matters Blog


5. New and Improved

- Filter Web and Email Content


==== Sponsor: PolyServe ====

Consolidate Your SQL Server Infrastructure

Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. In this free white paper learn how shared data clustering technology can reduce capital expenditures by at least 50 percent, improve management efficiency, reduce operational expense, ensure high availability across all SQL Server instances and more! Find out how you can reduce the overall Total Cost of Ownership (TCO) for SQL Server cluster deployments by as much as 60 percent over three years! Download your free copy now.


==== 1. In Focus: Proactive Honeypots ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Honeypots sit on a server and wait for intrusion attempts. When one occurs, they can perform a variety of actions. But what if a honeypot did the inverse--headed out on the Web to look for intruders? Microsoft has developed a new tool, Strider HoneyMonkey Exploit Detection System, that runs as a Web client by using "monkeys" to surf the Web for malicious Web-based content.

HoneyMonkey's monkeys are programs that automate Web surfing and exploit detection. Instead of relying on databases of known exploits and malware, the monkeys launch a browser, connect to a site via its URL, and then wait for something to happen. The programs also monitor all file and registry access. Because the monkeys aren't designed to click links or dialog boxes on sites, it can be reasonably assumed that any executable file downloads or registry changes during monkey Web sessions might be hostile in one way or another.

Microsoft says that HoneyMonkey also works in conjunction with Strider GhostBuster and Strider Gatekeeper to detect hidden processes and hooks that might use autostart features of the OS. HoneyMonkey runs inside a virtual machine (VM), which makes cleaning up after any potential exploit or infection much easier. When exploits are detected, HoneyMonkey alerts a controller, which destroys the VM, launches a new, fully patched VM, and passes the URL to another monkey. If an exploit is still detected, HoneyMonkey concludes that it's found a new (or zero-day, if you prefer) exploit and passes it on to Microsoft's Security Response Center for further research.

HoneyMonkey works sort of like a search engine spider. It follows links and redirects at a detected exploit site to find more suspect sites. According to Microsoft, such sites often link to each other; if one site's exploit doesn't work, another site's might.
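As an added illustration (not Microsoft's code), the following Python simulation models the detection rule and escalation pipeline described above: a no-click browser session is judged hostile if it drops an executable or touches an autostart registry key, a hit on the unpatched VM is retried on a fully patched VM to separate known exploits from zero-days, and the crawler only spiders outward from URLs that exploited the unpatched VM. The monitor observations, URLs, paths and keys are constructed placeholders.

```python
from collections import deque
# Constructed observations standing in for the in-VM file/registry monitor;
# the URLs, paths and keys are placeholders, not data from the HoneyMonkey report.
SAMPLE_WEB = {
    "http://site-a.example": {
        "redirects": ["http://site-b.example", "http://site-c.example"],
        "unpatched": {"files": ["C:\\WINDOWS\\Temp\\dl.exe"],
                      "reg": ["HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dl"]},
        "patched": {"files": ["C:\\Temp\\page.html"], "reg": []},  # cache write only
    },
    "http://site-b.example": {
        "redirects": [],
        "unpatched": {"files": ["C:\\WINDOWS\\system32\\x.dll"], "reg": []},
        "patched": {"files": ["C:\\WINDOWS\\system32\\x.dll"], "reg": []},  # survives patching
    },
}
NO_WRITES = {"files": [], "reg": []}
EXEC_SUFFIXES = (".exe", ".dll", ".scr")
AUTOSTART_PREFIXES = ("hklm\\software\\microsoft\\windows\\currentversion\\run",
                      "hkcu\\software\\microsoft\\windows\\currentversion\\run")

def visit(url, patch_level):
    """Simulated monkey session: load the URL, click nothing, report what was written."""
    site = SAMPLE_WEB.get(url, {"redirects": []})
    return site.get(patch_level, NO_WRITES), site["redirects"]

def is_exploit(observed):
    """Nothing was clicked, so an executable drop or an autostart key is treated as hostile."""
    dropped = any(p.lower().endswith(EXEC_SUFFIXES) for p in observed["files"])
    autostart = any(k.lower().startswith(AUTOSTART_PREFIXES) for k in observed["reg"])
    return dropped or autostart

def classify(url):
    """Escalation: unpatched VM first; on a hit, a fresh fully patched VM decides zero-day."""
    if not is_exploit(visit(url, "unpatched")[0]):
        return "clean"
    # the controller destroys the infected VM and hands the URL to a monkey on a patched VM
    return "zero-day" if is_exploit(visit(url, "patched")[0]) else "known-exploit"

def crawl(seeds, max_urls=100):
    """Spider outward only from URLs that exploited the unpatched VM, as the article describes."""
    verdicts, queue, seen = {}, deque(seeds), set(seeds)
    while queue and len(verdicts) < max_urls:
        url = queue.popleft()
        verdicts[url] = classify(url)
        if verdicts[url] != "clean":
            for nxt in visit(url, "unpatched")[1]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return verdicts
```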

Microsoft said that after a month of use, HoneyMonkey discovered 752 URLs at 287 sites that can infiltrate an unpatched system running Windows XP. Of that lot, 204 URLs at 115 sites can infiltrate a system running XP with Service Pack 2 (SP2) and no additional patches. Microsoft said that the first new exploit was detected in July. It used known vulnerabilities in javaprxy.dll, for which no patch was available. Microsoft then created a patch, which was released in conjunction with Microsoft Security Bulletin MS05-037, "Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)."

Here's some interesting information: Of those 752 URLs, 102 of them were available via search results at Google and 100 of them were available at Yahoo!. As of June 1, 49 of them were available at MSN Search, but by June 10, Microsoft had removed all 49. The company didn't say whether it shared its information with other search engine operators so that they could remove the URLs from their respective engines.

If you're interested in learning more about HoneyMonkey, visit the Microsoft Research Web site and click the link "Full research technical report on Strider HoneyMonkey" for a paper that contains a lot more detail.

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Recent Microsoft Security Bulletins: Exploits Already on the Loose

Just 48 hours after Microsoft issued its monthly security bulletins last week, three proof-of-concept exploits were released that take advantage of critical problems. On August 9, Microsoft issued six bulletins that explain numerous problems in Microsoft Internet Explorer (IE) and Windows Plug and Play and several other problems--many of these problems are considered critical. Are worms built on these exploits only a matter of time?

Identity Theft Ring Used a Powerful Keyboard Logger

Last week, we reported that Sunbelt Software uncovered an identity theft ring. This week, we learned how that ring managed to gather so much sensitive information: by using a powerful keystroke logger. Learn all about it in this news item on our Web site.


==== Resources and Events ====

Reduce Downtime with Continuous Data Protection

Continuous or real-time backup systems help avoid the danger of losing data if your system fails after the point of backup by providing real-time protection. In this free Web seminar, learn how to integrate them with your existing backup infrastructure, how to apply continuous protection technologies to your Windows-based servers, and more. Sign up today and learn how you can quickly roll back data not just to the last snapshot or backup, but to any point in time!

Identify the Key Security Considerations for Wireless Mobility

Wireless and mobile technologies are enabling enterprises to gain competitive advantage through accelerated responsiveness and increased productivity. In this free Web seminar, you'll receive a checklist of risks to factor in when considering your wireless mobility technology evaluations and design. Sign up today and learn all you need to know about Firewall security, Transmission security, OTA management, management of third-party security applications and more!

Deadline Extended--2005 Windows IT Pro Innovators Contest!

If you've used Windows technology in creative ways to devise specific, beneficial solutions to problems your business has faced, we want you! Now's your chance to get the recognition you deserve. Enter the 2005 Windows IT Pro Innovators Contest now! You could win a complimentary conference pass to Exchange Connections and Windows Connections in San Diego in late October 2005.

SQL Server 2005 Roadshow is Coming to a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

Avoid the 5 Major Compliance Pitfalls

Based on real-world examples, this Web seminar will help C-level executives, as well as IT directors and managers, avoid common mistakes and give their organization a head start in ensuring a successful compliance implementation. Register today and find out how you can avoid the mistakes of others, improve IT security, and reduce the cost of continually maintaining and demonstrating compliance.


==== 3. Instant Poll ====

Results of Previous Poll: Do you regularly scan your external network IP addresses for open ports on your network and compare the results against a known good baseline?

The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 14 votes.

- 7% Yes, I regularly scan my network and compare against a baseline.

- 14% Yes, I periodically scan but merely review the results.

- 64% No, I don't scan, but I think I should.

- 14% No, I don't think scanning is useful.

New Instant Poll: Does your company use an encryption product to protect files and folders on Windows systems?

Go to the Security Hot Topic and submit your vote for

- Yes, we use Microsoft Windows Encrypting File System (EFS).

- Yes, we use a third-party product.

- We haven't used encryption in the past, but we're considering it now.

- No, we don't see any need to encrypt data.


==== Featured White Paper ====

Sort Through Sarbanes-Oxley, HIPAA, GLBA and Basel II Legislation Quicker and Easier!

In this free white paper, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost effective solutions today!


==== 4. Security Toolkit ====

Security Matters Blog: Lawyer's Perspective on Cisco, ISS, and Mike Lynn at Black Hat

by Mark Joseph Edwards,

Controversy ensued at the recent Black Hat USA 2005 conference in Las Vegas. Internet Security Systems (ISS) researcher Mike Lynn was slated to give a presentation at the show to discuss vulnerabilities in Cisco Systems routers. Cisco tried to prevent the presentation, but the show went on. Read the blog entry to learn more.


by John Savill,

Q: How can I use Group Policy to control the new Windows Firewall that's included with Windows Server 2003 Service Pack 1 (SP1) and Windows XP SP2?

Find the answer at


==== Announcements ====

(from Windows IT Pro and its partners)

Try a Sample Issue of the Windows IT Security Newsletter!

Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire online security article database! Sign up to try a sample issue today:

Windows IT Pro Gives IT Professionals What They Need

The August issue is a must have! Subscribe now and find out the best ways to plan for Longhorn, what you need to know about VBScripts, and how to make sense of SQL Server. If you order today, you'll also gain exclusive access to the entire Windows IT Pro online article database (over 9000 articles) and save 44% off the cover price!


==== 5. New and Improved ====

by Renee Munshi, [email protected]

Filter Web and Email Content

Aladdin Knowledge Systems offers eSafe 5.0, a gateway that checks Web content for spyware and blocks any malicious content. eSafe prevents downloads that use HTML vulnerability exploits or social engineering, as well as downloads from known spyware sites; it uses signature and heuristic detection to identify and block spyware; and it prevents installed spyware from transmitting to its vendors and helps administrators identify infected PCs. eSafe also offers spam tagging, spam blocking, remote quarantine, and user-managed quarantine and reports, and its spam database is updated eight times a day. You can purchase eSafe pre-installed on a variety of hardware. For more information, visit

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Professional and secure remote control from all major platforms

Argent Versus MOM 2005

Experts Pick the Best Windows Monitoring Solution

Tech jobs at Dice

Search 65K+ new IT jobs daily--Tech expert jobs at top companies!


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
