Security UPDATE--Hamachi Cross-Platform VPN--January 31, 2007


Why Juggle Multiple Systems? Combine & Save

Email Discovery and Compliance

The Essential Guide to Infrastructure Consolidation



IN FOCUS: Hamachi Cross-Platform VPN


- Abuse Policy Takes SecLists.Org Offline

- Researchers Find Fault with Extended Validation Certificates

- Recent Security Vulnerabilities


- Security Matters Blog: Want to Test-Drive Vista?

- FAQ: Get a Command Prompt During a Vista or Longhorn Install

- Share Your Security Tips


- Extend Group Policy Control over Passwords

- Wanted: Your Reviews of Products




=== SPONSOR: NetSuite


Why Juggle Multiple Systems? Combine & Save

Free trial. NetSuite's one system solution combines accounting, CRM & ecommerce in a single, powerful application. Learn more during a trial run.

=== IN FOCUS: Hamachi Cross-Platform VPN


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I discussed Microsoft's Secure Socket Tunneling Protocol (SSTP) VPN technology, which will debut as part of Windows Vista Service Pack 1 (SP1) and Longhorn Server Beta 3. The VPN will work over standard Web ports and ease client-to-server connectivity. If you missed that editorial, you can read it at

This week, I learned about another VPN technology that I hadn't heard of before. LogMeIn Hamachi is a relatively simple tool that lets you connect systems together to build a VPN where such connectivity might not otherwise be possible.

A couple really great features of Hamachi make it a very useful tool. The first is that it runs on Windows 2000, Windows XP, Windows Server 2003, Linux, and Mac OS X. The second interesting feature is that it's a UDP-based VPN technology, where most other VPNs are TCP-based. Because it's UDP-based, it can work in networks where other VPNs might not because it can traverse some overly restrictive policies and can operate behind networks that use Network Address Translation (NAT).

The real "magic" of Hamachi is that it takes advantage of UDP operational characteristics. As you know, in order for TCP connections to take place, ports need to be open on firewalls, and when NAT is in use (with or without a firewall), the NAT router needs to forward traffic to the proper endpoint. In contrast, a NAT device (and sometimes a firewall) can be coaxed into accepting UDP traffic even when specific rules don't exist to allow that traffic.

To get an idea of how Hamachi works under the hood, we can take a look at the Skype VoIP technology because Skype also uses UDP to traverse NAT networks and firewalls. If you head over to the heise Security Web site, you'll find a very interesting article, "The hole trick," (at the URL below) that explains what's happening under the hood of a Skype client. If you read the article, you'll come away with an understanding that applies to Hamachi.

I've heard that Hamachi is especially useful for Windows administrators who need to use Microsoft Remote Desktop connectivity but can't due to restrictions on the network on which they happen to be at the moment, whether that network is at a hotel, conference center, library, coffee shop, or elsewhere. Hamachi can establish a VPN between two endpoints, and then Remote Desktop can be used over the Hamachi VPN. The same principle undoubtedly applies to many other tools that are useless without a VPN.

There is at least one downside to Hamachi, though: It doesn't work when a system is behind a proxy server. Nevertheless, it looks like an incredibly useful tool and I intend to give it a try soon. You can learn more about it and download a copy at the URL below.

If you're interested in more technical, nitty-gritty details about how tools like Hamachi and Skype work, then take a look at RFC3489, "Simple Traversal of User Datagram Protocol Through Network Address Translators" at the URL below. The document explains the technique in considerable detail.



Email Discovery and Compliance

You know you need to manage your email data; how do you do it? What steps are you taking? What additional measures should you enact? What shouldn't you do? Get answers to these questions and get control of your vital messaging data. Download the free eBook today!


======================= Abuse Policy Takes SecLists.Org Offline

SecLists.Org, a popular site that archives the messages from numerous popular security mailing lists, was temporarily shut down by after complaints by MySpace.

Researchers Find Fault with Extended Validation Certificates

Researchers from Stanford University and Microsoft Research have concluded that extended validation (high assurance) certificates used in conjunction with Microsoft Internet Explorer (IE) 7.0 don't necessarily improve a user's ability to detect phishing attacks.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Hewlett-Packard


The Essential Guide to Infrastructure Consolidation

Learn the essentials about how consolidation and selected technology updates build an infrastructure that can handle change effectively.



SECURITY MATTERS BLOG: Want to Test-Drive Vista?

by Mark Joseph Edwards,

Want to test Windows Vista without having to install it? Now you can, to some extent anyway. Read this blog article to learn how.

FAQ: Get a Command Prompt During a Vista or Longhorn Install

by John Savill,

Q: How can I open a command prompt during Windows Vista or Longhorn Server installation?

Find the answer at


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Extend Group Policy Control over Passwords

Special Operations Software announced the release of Specops Password Policy 2.0, which works with Group Policy in Active Directory (AD). Specops Password Policy lets you configure password policies in any number of group policies and not just at the domain level of Group Policy. Some of the new features in version 2.0 are the ability to disallow words from specified dictionaries in passwords, to disallow incremental passwords (e.g., changing from password1 to password2), and to send an email notification when a password is about to expire. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



For more security-related resources, visit

How at risk is your business? Attend this free Web seminar and learn how to

- differentiate alternative high-availability and disaster-recovery solutions

- ensure seamless recovery of your key systems and data

- keep your users continuously connected - benefit from real-time high availability and disaster recovery

Live Event February 22, 2007, at 12:00 pm EST

Did you know that 75% of corporate intellectual property resides in email? The challenges facing this vital business application range from spam to the costly impact of downtime and the need for effective, centralized email storage systems. Join us for a free Web seminar and learn the key features of a holistic approach to email security, availability, and control. Download this on-demand seminar now!

Microsoft System Center Data Protection Manager (DPM) is now shipping! Get a solid introduction to DPM: Download this eBook today to learn how to use DPM to augment your tape-based backups.



Learn to differentiate between computer records and business records. Learn the subjective meaning of business records and how to best manage regulatory requirements for email backup and retention. Download this special eGuide today!



Make Your Mark on the IT Community!

Nominate yourself or a peer to become "IT Pro of the Month." This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting February nominations now, but only for a limited time! Submit your nomination today:

Ring in the New Year with Windows IT Pro

Don't miss Windows IT Pro in 2007! As a subscriber, you'll get full access to must-have coverage relating to Windows Vista deployment, virtualization, disaster recovery, Active Directory, the Office 2007 launch, SharePoint fundamentals, and much more. Order now and save 58% off the cover price.


Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.