[ISN] Security UPDATE -- Proactive Honeypots, Part 2 -- August 24, 2005
InfoSec News
isn at c4i.org
Thu Aug 25 06:42:38 EDT 2005
====================
1. In Focus: Proactive Honeypots, Part 2
2. Security News and Features
- Recent Security Vulnerabilities
- Symantec to Acquire Sygate
- 180solutions Sues Seven Former Distributors
- Microsoft Ships Windows 2000 Worm Removal Tool
3. Security Toolkit
- Security Matters Blog
- FAQ
4. New and Improved
- Fight Phishing Attacks
====================
==== 1. In Focus: Proactive Honeypots, Part 2 ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Last week, I wrote about Microsoft's Strider HoneyMonkey Exploit
Detection System, which is software that tries to find new exploits by
surfing the Web and waiting for something to infiltrate the system. I
don't know of many other such tools, but I have heard of two other
client-based honeypot projects.
One is being developed by Bing Yuan at the Laboratory for Dependable
Distributed Systems. Yuan is pursuing the technology as his diploma
project at the laboratory, and so far, no working code seems to be
available to the public. His project is Windows-based, will integrate
with Microsoft Internet Explorer (IE), and will work with other
software such as the Honeywall CD-ROM. I'm not sure how far along Yuan
is in the development process or whether the tool will eventually be
released to the public. You can, however, read more about it at the lab's
Web site.
http://list.windowsitpro.com/t?ctl=11B7B:4FB69
The second tool I know about is called Honeyclient. The tool is being
developed by Kathy Wang, who gave a related presentation at the recent
REcon 2005 conference (see the first URL below) in Montreal. You can
see the slides from the presentation at the second URL below.
Honeyclient is written in Perl and is designed to run on Windows
systems. It surfs the Web by using IE and tries to detect any file or
registry changes. As it stands now, the tool is made up of two Perl
scripts: one is a proxy and the other uses IE to drive a Web-surfing
session.
http://list.windowsitpro.com/t?ctl=11B89:4FB69
http://list.windowsitpro.com/t?ctl=11B77:4FB69
Wang's project isn't extensively documented, but the two Perl scripts
that make up Honeyclient contain a few comments that help you better
understand what it actually does. Of course, if you can read Perl code,
then you'll get an even better understanding. Honeyclient isn't nearly
as functional as HoneyMonkey, but it's similar and a good start. You
can learn more about Honeyclient and download the latest version at
Wang's Honeyclient Development Project Web site.
http://list.windowsitpro.com/t?ctl=11B84:4FB69
If you want to test Honeyclient, the readme file contains the basic
installation and usage instructions. One thing I learned when testing
the software (which isn't stated in the readme file) is that the
directories in the checklist.txt file (which you need to create) are
completely parsed, including any subdirectories. Another thing I
noticed is that Honeyclient has a lengthy startup time because it also
parses the registry HKEY_CLASSES_ROOT tree into a hash so that it can
later detect any modifications. A word of caution is in order too: Be
sure to use an isolated test machine or an OS running in a virtual
machine when testing the tool.
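
The file-side check described above (baseline every directory named in checklist.txt, subdirectories included, then compare after the browsing session), as an added example in Python; it is not Honeyclient's Perl code. The one-directory-per-line checklist format, the function names, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def read_checklist(path):
    """One directory per line (assumed format); blank lines are skipped."""
    return [ln.strip() for ln in Path(path).read_text().splitlines() if ln.strip()]

def snapshot(directories):
    """Hash every file under each directory, subdirectories included."""
    state = {}
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                full = os.path.join(root, name)
                try:
                    state[full] = hashlib.sha256(Path(full).read_bytes()).hexdigest()
                except OSError:
                    state[full] = "<unreadable>"  # locked or removed mid-scan
    return state

def diff(before, after):
    """Return (added, removed, modified) as sorted lists of paths."""
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, modified

def demo():
    """Constructed scenario: baseline, simulate session side effects, re-scan."""
    with tempfile.TemporaryDirectory() as box:
        profile = Path(box, "profile")
        (profile / "Startup").mkdir(parents=True)
        (profile / "settings.ini").write_text("homepage=about:blank\n")
        checklist = Path(box, "checklist.txt")
        checklist.write_text(f"{profile}\n")
        dirs = read_checklist(checklist)
        before = snapshot(dirs)
        # Stand-ins for changes a browsing session might leave behind.
        (profile / "Startup" / "new.exe").write_bytes(b"constructed sample")
        (profile / "settings.ini").write_text("homepage=http://changed.example\n")
        added, removed, modified = diff(before, snapshot(dirs))
        rel = lambda paths: [os.path.relpath(p, box) for p in paths]
        return rel(added), rel(removed), rel(modified)
```

The same snapshot-and-diff applies to a registry tree such as HKEY_CLASSES_ROOT by mapping key and value paths to their data instead of file paths to hashes.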
If you know of any other tools similar to these, send me an email
message with a link or details.
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=11B76:4FB69
Symantec to Acquire Sygate
Symantec announced a deal to acquire Sygate Technologies, maker of
policy compliance solutions. The deal will close shortly after the
companies receive regulatory approval. Terms of the pending acquisition
weren't disclosed.
http://list.windowsitpro.com/t?ctl=11B7E:4FB69
180solutions Sues Seven Former Distributors
180solutions filed suit against seven former distributors of its
search software for allegedly causing the software to be installed on
people's computers without proper notice and consent. 180solutions
claims the distributors used botnets to facilitate the software
installations.
http://list.windowsitpro.com/t?ctl=11B7D:4FB69
Microsoft Ships Windows 2000 Worm Removal Tool
In response to widespread Windows 2000-based worm attacks last week,
Microsoft updated its Malicious Software Removal Tool (MSRT) to remove
the worms and updated its statement about the attacks.
http://list.windowsitpro.com/t?ctl=11B7F:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog: Mac OS X Security Update Fixes Dozens of
Vulnerabilities
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=11B83:4FB69
Apple released a major security update for Mac OS X. Security Update
2005-007 fixes dozens of vulnerabilities, including problems in Apache,
Kerberos, MySQL, OpenSSL, and many other system components. Apple
pulled the update to correct problems it caused with 64-bit
applications on the Tiger OS, then reissued it as Security Update
2005-007 v1.1. If you loaded the initial release on Tiger, be sure to load
v1.1.
http://list.windowsitpro.com/t?ctl=11B78:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=11B82:4FB69
Q: How can I determine which groups I'm a member of for my current
logon session?
Find the answer at
http://list.windowsitpro.com/t?ctl=11B80:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Fight Phishing Attacks
CollectiveTrust has released ScamAlarm, a Windows application that
protects users from phishing, identity theft, and fraud. ScamAlarm
protects against all types of phishing attacks that try to collect
personal information by pretending to be the Web site of a legitimate
bank or investment firm. ScamAlarm uses a combination of contextual
analysis, a robust set of rules, and a continuously updated list of
dangerous sites. With ScamAlarm, users are notified immediately if the
site that they're trying to visit is on the list of suspicious sites or
if the Web site fails the program's security checks. ScamAlarm runs on
Windows 98/2000/XP/2003, currently supports Microsoft Internet Explorer
(IE) 5.5 or later, and costs $29.95 for a single-user license (volume
discounts are available). You can purchase ScamAlarm securely online or
download a free 30-day trial version at
http://list.windowsitpro.com/t?ctl=11B87:4FB69
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=11B85:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=11B7A:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.