
Security UPDATE--Proactive Honeypots, Part 2--August 24, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Symantec LiveState Patch Manager

Get Rapid and Reliable Data and System Recovery


1. In Focus: Proactive Honeypots, Part 2

2. Security News and Features

- Recent Security Vulnerabilities

- Symantec to Acquire Sygate

- 180solutions Sues Seven Former Distributors

- Microsoft Ships Windows 2000 Worm Removal Tool

3. Security Toolkit

- Security Matters Blog


4. New and Improved

- Fight Phishing Attacks


==== Sponsor: Symantec ====

Symantec LiveState Patch Manager

Symantec LiveState Patch Manager allows you to reliably protect your infrastructure from vulnerabilities. Its intuitive interface allows organizations to scan, identify and install missing patches on hundreds of clients and servers in minutes. Flexible grouping capabilities allow the targeting of patches to specific groups of users. Provides detailed patch status reports. Persistent delivery assures patches are successfully delivered and applied, helping ensure clients are secure and protected. LiveState Patch Manager is a member of a family of modular solutions that work on their own - with tools you may already have - and can be assembled into a broader suite if desired, leveraging a common look-and-feel, management database and agent deployment infrastructure. To learn more, visit us at:


==== 1. In Focus: Proactive Honeypots, Part 2 ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about Microsoft's Strider HoneyMonkey Exploit Detection System, which is software that tries to find new exploits by surfing the Web and waiting for something to infiltrate the system. I don't know of many other such tools, but I have heard of two other client-based honeypot projects.

One is being developed by Bing Yuan at the Laboratory for Dependable Distributed Systems. Yuan is pursuing the technology as his diploma project at the laboratory, and so far, no working code seems to be available to the public. His project is Windows-based, will integrate with Microsoft Internet Explorer (IE), and will work with other software such as the Honeywall CD-ROM. I'm not sure how far along Yuan is in the development process or whether the tool will eventually be released to the public. You can, however, read more about it at the lab's Web site.

The second tool I know about is called Honeyclient. The tool is being developed by Kathy Wang, who gave a related presentation at the recent REcon 2005 conference (see the first URL below) in Montreal. You can see the slides from the presentation at the second URL below. Honeyclient is written in Perl and is designed to run on Windows systems. It surfs the Web by using IE and tries to detect any file or registry changes. As it stands now, the tool is made up of two Perl scripts: one is a proxy and the other uses IE to drive a Web-surfing session.

Wang's project isn't extensively documented, but the two Perl scripts that make up Honeyclient contain a few comments that help you better understand what it actually does. Of course, if you can read Perl code, then you'll get an even better understanding. Honeyclient isn't nearly as functional as HoneyMonkey, but it's similar and a good start. You can learn more about Honeyclient and download the latest version at Wang's Honeyclient Development Project Web site.

If you want to test Honeyclient, the readme file contains the basic installation and usage instructions. One thing I learned when testing the software (which isn't stated in the readme file) is that the directories in the checklist.txt file (which you need to create) are completely parsed, including any subdirectories. Another thing I noticed is that Honeyclient has a lengthy startup time because it also parses the registry HKEY_CLASSES_ROOT tree into a hash so that it can later detect any modifications. A word of caution is in order too: Be sure to use an isolated test machine or an OS running in a virtual machine when testing the tool.
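The detection approach described above, a baseline of the file system (walked recursively) and of the HKEY_CLASSES_ROOT tree taken before a browsing session and diffed against a second snapshot afterwards, is easy to sketch in code. The following is an added example written for this newsletter, not Honeyclient's own Perl scripts. It assumes a temporary directory and a nested Python dict standing in for the registry hive (so it runs on any OS; a real Windows build would walk HKEY_CLASSES_ROOT with the winreg module), and the simulated changes, file names and the GUID placeholder are all constructed for the demonstration.

```python
"""Client-honeypot style integrity check (added example, not Honeyclient's code):
snapshot a directory tree and a registry-like tree, surf, snapshot again, diff.
The registry is simulated with a nested dict so the script runs on any OS."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def snapshot_tree(root: str) -> Dict[str, str]:
    """Walk root recursively (subdirectories included, as the newsletter notes
    Honeyclient does for checklist.txt entries) and map relative path -> SHA-256."""
    snap: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")  # OS-neutral keys
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[rel] = digest.hexdigest()
    return snap


def snapshot_registry(key: dict, path: str = "HKEY_CLASSES_ROOT") -> Dict[str, str]:
    """Flatten a nested dict that stands in for a hive into 'key\\value' -> data.
    Sub-dicts are subkeys; anything else is a value ('' is the default value)."""
    flat: Dict[str, str] = {}
    for name, data in key.items():
        if isinstance(data, dict):
            flat.update(snapshot_registry(data, path + "\\" + name))
        else:
            flat[path + "\\" + (name or "(Default)")] = str(data)
    return flat


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what a browsing session added, removed or modified."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed scenario: baseline, then simulate a silent install that drops a
    file, edits an existing one, re-points a file handler and registers a COM server."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "sub", "readme.txt"), "w") as f:
            f.write("ok\n")
        hive = {  # constructed stand-in for part of HKEY_CLASSES_ROOT
            "htmlfile": {"shell": {"open": {"command": {"": "iexplore.exe %1"}}}},
            ".txt": {"": "txtfile"},
        }
        fs_before, reg_before = snapshot_tree(root), snapshot_registry(hive)

        # --- the "surfing session" happens here; these edits simulate its side effects ---
        with open(os.path.join(root, "hosts"), "a") as f:
            f.write("10.0.0.1 www.example.com\n")
        with open(os.path.join(root, "sub", "dropped.dll"), "wb") as f:
            f.write(b"MZ")
        hive["htmlfile"]["shell"]["open"]["command"][""] = "unknown.exe %1"
        hive["CLSID"] = {"{PLACEHOLDER-GUID}": {"InprocServer32": {"": "dropped.dll"}}}

        fs_after, reg_after = snapshot_tree(root), snapshot_registry(hive)
    return diff_snapshots(fs_before, fs_after), diff_snapshots(reg_before, reg_after)


if __name__ == "__main__":
    fs_changes, reg_changes = demo()
    for label, changes in (("files", fs_changes), ("registry", reg_changes)):
        for kind, items in changes.items():
            for item in items:
                print(f"{label:8} {kind:8} {item}")
```

Hashing every file and flattening the whole hive is exactly why the real tool has the long startup time the column mentions; the trade-off is that the diff afterwards is cheap and unambiguous. As with Honeyclient itself, run anything like this only on an isolated test machine or a virtual machine you can roll back.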

If you know of any other tools similar to these, send me an email message with a link or details.


==== Sponsor: Symantec ====

Get Rapid and Reliable Data and System Recovery

Even under the best circumstances, performing a bare metal recovery from tape is tedious and unreliable. In this free white paper, learn how you can achieve unprecedented speed and reliability in recovering systems and data.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Symantec to Acquire Sygate

Symantec announced a deal to acquire Sygate Technologies, maker of policy compliance solutions. The deal will close shortly after the companies receive regulatory approval. Terms of the pending acquisition weren't disclosed.

180solutions Sues Seven Former Distributors

180solutions filed suit against seven former distributors of its search software for allegedly causing the software to be installed on people's computers without proper notice and consent. 180solutions claims the distributors used botnets to facilitate the software installations.

Microsoft Ships Windows 2000 Worm Removal Tool

In response to widespread Windows 2000-based worm attacks last week, Microsoft updated its Malicious Software Removal Tool (MSRT) to remove the worms and updated its statement about the attacks.


==== Resources and Events ====

SQL Server 2005 Roadshow Is Coming to a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

Microsoft Exchange Connections Conference

October 31 - November 3, 2005, Manchester Grand Hyatt, San Diego. Microsoft and Exchange experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Register by September 12 to save $100 off your conference registration and attend sessions at Windows Connections free!

Avoid the 5 Major Compliance Pitfalls

Based on real-world examples, this Web seminar will help C-level executives, as well as IT directors and managers, avoid common mistakes and give their organization a head start in ensuring a successful compliance implementation. Register today and find out how you can avoid the mistakes of others, improve IT security, and reduce the cost of continually maintaining and demonstrating compliance.

Roll Back Data to Any Point in Time: Not Just the Last Snapshot or Backup

Have you lost data because it was saved right after your last backup? Most of us have been in this situation. Continuous, or real-time, backup systems provide real-time protection, but are they right for you? In this free Web seminar, you'll learn about the design principles that underlie continuous data protection solutions, how to integrate them with your existing backup infrastructure, and how to best apply continuous protection technologies to your Windows-based servers.

High Risk Internet Access: Are You in Control?

Defending against Internet criminals, spyware, phishing and addressing the points of risk that Internet-enabled applications expose your organization to can seem like an epic battle with Medusa. So how do you take control of these valuable resources? In this free Web seminar, you'll get the tools you need to help you analyze the impact Internet-based threats have on your organization, and tools to aid you in the construction of Acceptable-Use Policies (AUPs).


==== Featured White Paper ====

Consolidate Your SQL Server Infrastructure

Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. In this free white paper, learn how shared data clustering technology can reduce capital expenditures by at least 50 percent, improve management efficiency, reduce operational expense, ensure high availability across all SQL Server instances and more! Download your free copy now.


==== 3. Security Toolkit ====

Security Matters Blog: Mac OS X Security Update Fixes Dozens of Vulnerabilities

by Mark Joseph Edwards,

Apple released a major security update for Mac OS X. Security Update 2005-007 fixes dozens of vulnerabilities, including problems in Apache, Kerberos, MySQL, OpenSSL, and many other system components. Apple pulled the update to correct problems it caused with 64-bit applications on the Tiger OS, then reissued it as Security Update 2005-007 v1.1. If you loaded the initial release on Tiger, be sure to load v1.1.


by John Savill,

Q: How can I determine which groups I'm a member of for my current logon session?

Find the answer at


==== Announcements ====

(from Windows IT Pro and its partners)

Try a Sample Issue of the Windows IT Security Newsletter!

Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire online security article database! Sign up to try a sample issue today:

Windows IT Pro Gives IT Professionals What They Need

The August issue is a must have! Subscribe now and find out the best ways to plan for Longhorn, what you need to know about VBScripts, and how to make sense of SQL Server. If you order today, you'll also gain exclusive access to the entire Windows IT Pro online article database (over 9000 articles) and save 44% off the cover price!


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Fight Phishing Attacks

CollectiveTrust has released ScamAlarm, a Windows application that protects users from phishing, identity theft, and fraud. ScamAlarm protects against all types of phishing attacks that try to collect personal information by pretending to be the Web site of a legitimate bank or investment firm. ScamAlarm uses a combination of contextual analysis, a robust set of rules, and a continuously updated list of dangerous sites. With ScamAlarm, users are notified immediately if the site that they're trying to visit is on the list of suspicious sites or if the Web site fails the program's security checks. ScamAlarm runs on Windows 98/2000/XP/2003, currently supports Microsoft Internet Explorer (IE) 5.5 or later, and costs $29.95 for a single-user license (volume discounts are available). You can purchase ScamAlarm securely online or download a free 30-day trial version at

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Professional and secure remote control from all major platforms

Argent Versus MOM 2005

Experts Pick the Best Windows Monitoring Solution

Tech jobs at Dice

Search 65K+ new IT jobs daily--Tech expert jobs at top companies!


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
