[ISN] Security UPDATE, November 6, 2002

From: InfoSec News (isnat_private)
Date: Thu Nov 07 2002 - 02:51:03 PST

    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    November 6, 2002--In this issue:
    
    1. IN FOCUS
         - Antispam Honeypots Give Spammers Headaches
    
    2. ANNOUNCEMENTS
         - Attend Our Free Tips & Tricks Web Summit
         - The Storage Solutions You've Been Searching for!
    
    3. SECURITY ROUNDUP
         - News: Wi-Fi Alliance Announces WEP Replacement
         - News: Win2K Passes Security Test
    
    4. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Stop Windows from Caching a .dll File After I
           Close the Program That Was Accessing It?
     
    5. NEW AND IMPROVED
         - Email and File Encryption Program for Windows
         - Provide Secure Transmission over the Internet
         - Submit Top Product Ideas
    
    6. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: How Can I Remove or Disable the View Menu
               Item?
         - HowTo Mailing List
             - Featured Thread: Server Losing Permissions in Domain
     
    7. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * ANTISPAM HONEYPOTS GIVE SPAMMERS HEADACHES
    
    Filtering spam is a good idea, but keeping filtering rules up-to-date
    without eliminating legitimate email traffic takes skill and effort.
    In addition to using mail filter software, you can fight spam in other
    ways, such as by using an antispam honeypot.
     
    As you know, honeypots are traps or decoys that deliberately lure
    intruders to help prevent unwanted activity against network sources.
    Honeypots also gather forensic evidence, thereby helping us better
    understand intruder methodologies. Other Windows & .NET Magazine
    authors and I have written about various types of honeypots in use
    today. You can find links to honeypot-related articles at the URLs
    below:
       http://www.secadministrator.com/articles/index.cfm?articleid=26114
       http://www.secadministrator.com/articles/index.cfm?articleid=25679
       http://www.secadministrator.com/articles/index.cfm?articleid=22911
       http://search.winnetmag.com/query.html?col=secadmin&qt=honeypot
    
    Last week, Security UPDATE reader Brad Spencer brought antispam
    honeypots to my attention. Antispam honeypots are services that pose
    as legitimate mail servers to thwart spammers. Spencer, who runs an
    antispam honeypot (see the first URL below), described to me what
    antispam honeypots do, how they operate, and where you can get one or
    find out how to build one. According to Spencer, the real heroes of
    this technology are Michael Tokarev, who operated an antispam honeypot
    in Russia (see the second URL below) and Jack Cleaver, whose program
    you'll read more about in a moment.
       http://fightrelayspam.homestead.com
       http://www.corpit.ru/cgi-bin/h0n5yp0t
    
    An antispam honeypot operation first detects potential spammers, then
    thwarts their efforts to send spam through the mail server. Spammers
    often use mail systems that allow open mail relaying to deliver spam.
    An open relay lets anyone use the mail server to deliver email
    messages to anyone else, which is a spammer's dream. In the past,
    people offered open relays as a courtesy to Internet users to help
    facilitate easy email delivery. Now, operating an open relay will
    eventually land your mail server on a blacklist that might prevent
    legitimate email from arriving at your system. For more information
    about blacklists, visit the Mail Abuse Prevention System (MAPS) Web
    site at the URL below.
       http://west1.mail-abuse.org
    
    Typically, spammers test a mail server for open relaying by simply
    sending themselves an email message. If the spammer receives the email
    message, the mail server obviously allows open relaying. Honeypot
    operators, however, can use the relay test to thwart spammers. The
    honeypot catches the relay test email message, returns the test email
    message, and subsequently blocks all other email messages from that
    spammer. Spammers continue to use the antispam honeypot for spamming,
    but the spam is never delivered. Meanwhile, the honeypot operator can
    notify spammers' ISPs and have their Internet accounts canceled. If
    honeypot operators detect spammers who use open-proxy servers, they
    can also notify the proxy server operator to lock down the server to
    prevent further misuse.
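
    The relay-test handling described above, sketched as decision logic
    (an added example, not code from Sendmail, Jackpot, or Spencer's
    configuration). The probe heuristics, the class and function names,
    and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_PROBE_RCPTS = 1      # assumption: a relay test goes to one mailbox
MAX_PROBE_BYTES = 2048   # assumption: relay tests are short messages
PROBES_PER_SOURCE = 1    # relay at most this many tests per client IP


@dataclass
class Envelope:
    client_ip: str
    mail_from: str
    rcpt_to: list
    size: int


@dataclass
class Honeypot:
    relayed: dict = field(default_factory=lambda: defaultdict(int))
    evidence: dict = field(default_factory=lambda: defaultdict(list))

    def handle(self, env: Envelope) -> str:
        """Return 'relay' or 'sink'. Either way the client is told 250 OK,
        so the SMTP dialogue does not reveal which one happened."""
        self.evidence[env.client_ip].append(env)  # keep all for the abuse report
        looks_like_probe = (len(env.rcpt_to) <= MAX_PROBE_RCPTS
                            and env.size <= MAX_PROBE_BYTES)
        # The per-source cap keeps the honeypot from becoming a working relay.
        if looks_like_probe and self.relayed[env.client_ip] < PROBES_PER_SOURCE:
            self.relayed[env.client_ip] += 1
            return "relay"
        return "sink"

    def abuse_report(self, client_ip: str) -> dict:
        """Summarize what one source tried to push through the honeypot."""
        msgs = self.evidence[client_ip]
        return {
            "source": client_ip,
            "messages": len(msgs),
            "recipients_targeted": sum(len(m.rcpt_to) for m in msgs),
            "relayed": self.relayed[client_ip],
        }


# Constructed sample traffic: one relay test, a bulk run, then a repeat test.
SAMPLE = [
    Envelope("192.0.2.10", "t@example.net", ["tester@example.org"], 400),
    Envelope("192.0.2.10", "x@example.net", [f"u{i}@example.com" for i in range(50)], 9000),
    Envelope("192.0.2.10", "t@example.net", ["tester@example.org"], 400),
]

def run_sample():
    hp = Honeypot()
    return [hp.handle(e) for e in SAMPLE], hp.abuse_report("192.0.2.10")
```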
    
    If enough users take time to operate antispam honeypots and contact
    ISPs and open-proxy server operators, they'll systematically make
    spamming more difficult. Spencer believes that eventually spammers
    will find it so hard to distinguish honeypots from actual open relays
    that at least some of them might quit such activities altogether.
    
    Two tools that can help you set up and run an antispam honeypot are a
    Windows-based version of Sendmail (see the first URL below)
    specifically configured as a honeypot and Cleaver's Jackpot
    Mailswerver program (see the second URL below). Jackpot is written in
    Java and runs on any system that supports the Java platform.
       http://www.sendmail.com
       http://jackpot.uk.net
    
    Spencer uses a UNIX-based version of Sendmail to operate his antispam
    honeypot. (I haven't used the Windows version recently but assume that
    it's still a direct port that works well.) Spencer details his
    configuration methods for using Sendmail on his related Web page.
    Spencer also describes what happens when you operate Sendmail as he
    does and what to do when Sendmail traps a potential spammer's message.
    
    Jackpot is an SMTP mail server that prevents spam delivery and saves
    mail traffic information for evidence and research. Jackpot also
    creates Web-based reports that simplify analysis and tracking. Cleaver
    writes, "Jackpot saves full details of all spam mail submitted to it
    as a collection of web-pages. The information is organized into lists,
    with messages sent from a given host grouped on a page. Jackpot tries
    to gather some information about the host that sent the spam ... [it
    also checks to see] if the source [of potential spam] is a known
    open-proxy or a [known spam operation and uses sources such as]
    abuse.net to see whether there's a registered [mail] abuse address for
    the host."
    
    Spencer mentions two additional resources that can help thwart spam:
    SpamNet and Distributed Checksum Clearinghouse (DCC). According to its
    Web site, Vipul's Razor, commonly known as SpamNet (see the first URL
    below), "establishes a distributed and constantly updating catalogue
    of spam in propagation. Clients use this catalogue to filter out known
    spam." According to the DCC Web page (see the second URL below), DCC
    resembles SpamNet in that it's "a system of many clients and more than
    90 servers that collects and counts checksums related to several
    million mail messages per day, [mostly] as seen by Internet Service
    Providers." SMTP servers and mail user agents can use the counts to
    "detect and reject or filter spam or unsolicited bulk mail."
       http://razor.sourceforge.net/
       http://www.rhyolite.com/antispam/dcc/
    
    To help prevent spam, explore the resources I've mentioned in this
    article and consider using them on your networks. Thanks to Brad
    Spencer for his help in bringing this information to Security UPDATE
    readers.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * ATTEND OUR FREE TIPS & TRICKS WEB SUMMIT
       Join us on December 19th for our Tips & Tricks Web Summit featuring
    three eye-opening events: Disaster Recovery Tips & Tricks, Intrusion
    Detection: Win2K Security Log Secrets, and Merging Exchange Systems:
    Tips for Managing 5 Key Challenges. There is no charge for this event,
    but space is limited so register today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eOLO0CJgSH0CBw05nz0Av
    
    * THE STORAGE SOLUTIONS YOU'VE BEEN SEARCHING FOR!
       Our popular IT Buyers' Directories (ITBDs) are online catalogs of
    the hottest vendor solutions around. Our latest ITBD highlights the
    solutions and services that will help you effectively manage your
    enterprises' storage. Download your copy today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eOLO0CJgSH0CBw05zm0Au
    
    3. ==== SECURITY ROUNDUP ====
    
    * NEWS: WI-FI ALLIANCE ANNOUNCES WEP REPLACEMENT
       The Wireless Ethernet Compatibility Alliance (WECA), which
    certifies IEEE 802.11 wireless networking products with the Wi-Fi (the
    802.11b wireless standard) marketing label, announced that it has
    ratified a new standard for wireless security. Dubbed Wi-Fi Protected
    Access (WPA), the technology will replace the compromised Wired
    Equivalent Privacy (WEP) security technology found in most existing
    Wi-Fi products today.
       http://www.secadministrator.com/articles/index.cfm?articleid=27160
    
    * NEWS: WIN2K PASSES SECURITY TEST
       Microsoft announced that Windows 2000 has received the highest
    level of security certification of any commercial OS. The
    International Organization for Standardization (ISO) awarded Win2K
    with the Common Criteria (CC) certification.
       http://www.secadministrator.com/articles/index.cfm?articleid=27149
    
    4. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I STOP WINDOWS FROM CACHING A .DLL FILE AFTER I CLOSE
    THE PROGRAM THAT WAS ACCESSING IT?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. Windows caches .dll files to speed disk I/O. However, even after
    you close the calling program, the .dll file remains cached. To stop
    Windows from caching .dll files after you've closed the calling
    program, perform the following steps:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    registry subkey.
       3. From the Edit menu, select New, DWORD Value.
       4. Enter the name AlwaysUnloadDLL, then press Enter.
       5. Double-click the new value, set it to 1, then click OK.
       6. Close the registry editor, then reboot the machine for the
    change to take effect.
    
    5. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * EMAIL AND FILE-ENCRYPTION PROGRAM FOR WINDOWS
       TAN$TAAFL Software released Top Secret Crypto Gold 2.00, an email
    and file-encryption program for Windows XP, Windows 2000, Windows NT,
    Windows Me, and Windows 9x. Use Top Secret Crypto Gold to protect your
    sensitive personal, company, and corporate data as you transmit it
    across town, across the country, and around the world. Top Secret
    Crypto Gold will protect all of your email and files transmitted over
    the Internet. Top Secret Crypto Gold uses the RSA Public Key
    Encryption System with three powerful conventional encryption
    algorithms. Top Secret Crypto Gold costs $34.95 for a single-user
    license and $999.95 for an unlimited license. Contact TAN$TAAFL at
    mkpat_private or the Web site.
       http://www.topsecretcrypto.com
    
    * PROVIDE SECURE TRANSMISSION OVER THE INTERNET
       ZyXEL Communications announced Prestige 652, an ADSL modem/router
    with robust firewall and VPN capabilities. The product requires no
    additional firewall devices on the network or VPN software on the
    workstations to act as an ADSL firewall. Because it integrates
    firewall and VPN capabilities, customers can expect to save money and
    increase network efficiency. The Prestige 652's IP Security (IPSec)
    VPN uses data encryption to provide transparent and secure
    transmission over the Internet and between two or more sites. Prestige
    652 costs $499. Contact ZyXEL at 714-632-0882 or visit the Web site.
       http://www.zyxel.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    6. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: How Can I Remove or Disable the View Menu Item?
       (Three messages in this thread)
    
    A user writes that he needs to remove the View, Explorer Bar, Folders
    option from a Windows XP system in a Windows 2000 domain. If he can't
    do that, he wants to remove the View option altogether. He says that
    he's looked through some policies and tried some registry changes, but
    he can't seem to remove the menu option. Read the responses or lend a
    hand:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=48770
    
    * HOWTO MAILING LIST
       http://63.88.172.96/listserv/page_listserv.asp?a0=howto
    
    Featured Thread: Server Losing Permissions in Domain
       (Three messages in this thread)
    
    A user writes that two servers on his network have suddenly lost
    permission to access the related domain. He says it's almost as if
    someone has removed them from the domain and added another server of
    the same name with a different SID, but that's not the case. He can
    address the problem by removing, deleting the servers from the SAM
    database, resynching the domain, then adding the servers back to the
    domain. However, although the issue is simple to fix, he wonders why
    it occurs. Read the responses or lend a hand at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?A2=IND0210E&L=HOWTO&P=601
    
    7. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    