Information Security News mailing list archives

Security UPDATE, November 6, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 7 Nov 2002 04:51:03 -0600 (CST)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

November 6, 2002--In this issue:

1. IN FOCUS
     - Antispam Honeypots Give Spammers Headaches

2. ANNOUNCEMENTS
     - Attend Our Free Tips & Tricks Web Summit
     - The Storage Solutions You've Been Searching for!

3. SECURITY ROUNDUP
     - News: Wi-Fi Alliance Announces WEP Replacement
     - News: Win2K Passes Security Test

4. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Stop Windows from Caching a .dll File After I
       Close the Program That Was Accessing It?
 
5. NEW AND IMPROVED
     - Email and File Encryption Program for Windows
     - Provide Secure Transmission over the Internet
     - Submit Top Product Ideas

6. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: How Can I Remove or Disable the View Menu
           Item?
     - HowTo Mailing List
         - Featured Thread: Server Losing Permissions in Domain
 
7. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* ANTISPAM HONEYPOTS GIVE SPAMMERS HEADACHES

Filtering spam is a good idea, but keeping filtering rules up-to-date
without eliminating legitimate email traffic takes skill and effort.
In addition to using mail filter software, you can fight spam in other
ways, such as by using an antispam honeypot.
 
As you know, honeypots are traps or decoys that deliberately lure
intruders to help prevent unwanted activity against network sources.
Honeypots also gather forensic evidence, thereby helping us better
understand intruder methodologies. Other Windows & .NET Magazine
authors and I have written about various types of honeypots in use
today. You can find links to honeypot-related articles at the URLs
below:
   http://www.secadministrator.com/articles/index.cfm?articleid=26114
   http://www.secadministrator.com/articles/index.cfm?articleid=25679
   http://www.secadministrator.com/articles/index.cfm?articleid=22911
   http://search.winnetmag.com/query.html?col=secadmin&qt=honeypot

Last week, Security UPDATE reader Brad Spencer brought antispam
honeypots to my attention. Antispam honeypots are services that pose
as legitimate mail servers to thwart spammers. Spencer, who runs an
antispam honeypot (see the first URL below), described to me what
antispam honeypots do, how they operate, and where you can get one or
find out how to build one. According to Spencer, the real heroes of
this technology are Michael Tokarev, who operated an antispam honeypot
in Russia (see the second URL below) and Jack Cleaver, whose program
you'll read more about in a moment.
   http://fightrelayspam.homestead.com
   http://www.corpit.ru/cgi-bin/h0n5yp0t

An antispam honeypot operation first detects potential spammers, then
thwarts their efforts to send spam through the mail server. Spammers
often use mail systems that allow open mail relaying to deliver spam.
An open relay lets anyone use the mail server to deliver email
messages to anyone else, which is a spammer's dream. In the past,
people offered open relays as a courtesy to Internet users to help
facilitate easy email delivery. Now, operating an open relay will
eventually land your mail server on a blacklist that might prevent
legitimate email from arriving at your system. For more information
about blacklists, visit the Mail Abuse Prevention System (MAPS) Web
site at the URL below.
   http://west1.mail-abuse.org

Typically, spammers test a mail server for open relaying by simply
sending themselves an email message. If the spammer receives the email
message, the mail server obviously allows open relaying. Honeypot
operators, however, can use the relay test to thwart spammers. The
honeypot catches the relay test email message, returns the test email
message, and subsequently blocks all other email messages from that
spammer. Spammers continue to use the antispam honeypot for spamming,
but the spam is never delivered. Meanwhile, the honeypot operator can
notify spammers' ISPs and have their Internet accounts canceled. If
honeypot operators detect spammers who use open-proxy servers, they
can also notify the proxy server operator to lock down the server to
prevent further misuse.
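
The relay-test handling described above, sketched as an added example (not code from Sendmail, Jackpot, or Spencer's configuration). The class and function names, the size and recipient thresholds, and the sample envelopes are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_TEST_SIZE = 4096   # assumption: a relay probe is a short message
MAX_TEST_RCPTS = 1     # assumption: a probe goes to one mailbox

@dataclass
class Envelope:
    client_ip: str
    mail_from: str
    rcpt_to: list
    size: int

@dataclass
class HoneypotRelay:
    seen: set = field(default_factory=set)
    held: dict = field(default_factory=lambda: defaultdict(list))

    def handle(self, env):
        """Return 'deliver' or 'hold'; the client sees SMTP 250 either way."""
        first_contact = env.client_ip not in self.seen
        self.seen.add(env.client_ip)
        probe_like = (len(env.rcpt_to) <= MAX_TEST_RCPTS
                      and env.size <= MAX_TEST_SIZE)
        if first_contact and probe_like:
            return "deliver"                    # let the relay test succeed
        self.held[env.client_ip].append(env)    # keep as evidence, never relay
        return "hold"

    def abuse_report(self):
        """Per-source totals to send to the ISP or proxy operator."""
        return {ip: {"messages": len(msgs),
                     "recipients": sum(len(m.rcpt_to) for m in msgs)}
                for ip, msgs in self.held.items()}

def demo():
    hp = HoneypotRelay()
    bulk = lambda n: [f"user{i}@example.com" for i in range(n)]
    session = [  # constructed envelopes, documentation address ranges
        Envelope("192.0.2.10", "a@example.net", ["probe@example.org"], 600),
        Envelope("192.0.2.10", "a@example.net", bulk(50), 9000),
        Envelope("192.0.2.10", "a@example.net", ["one@example.com"], 700),
        Envelope("198.51.100.7", "b@example.net", bulk(20), 8000),
        Envelope("198.51.100.7", "b@example.net", ["probe@example.org"], 500),
    ]
    return [hp.handle(e) for e in session], hp.abuse_report()

if __name__ == "__main__":
    print(demo())
```

A source whose first message is already bulk never gets a probe delivered, so the honeypot relays at most one short message per client address.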

If enough users take time to operate antispam honeypots and contact
ISPs and open-proxy server operators, they'll systematically make
spamming more difficult. Spencer believes that eventually spammers
will find it so hard to distinguish honeypots from actual open relays
that at least some of them might quit such activities altogether.

Two tools that can help you set up and run an antispam honeypot are a
Windows-based version of Sendmail (see the first URL below)
specifically configured as a honeypot and Cleaver's Jackpot
Mailswerver program (see the second URL below). Jackpot is written in
Java and runs on any system that supports the Java platform.
   http://www.sendmail.com
   http://jackpot.uk.net

Spencer uses a UNIX-based version of Sendmail to operate his antispam
honeypot. (I haven't used the Windows version recently but assume that
it's still a direct port that works well.) Spencer details his
configuration methods for using Sendmail on his related Web page.
Spencer also describes what happens when you operate Sendmail as he
does and what to do when Sendmail traps a potential spammer's message.

Jackpot is an SMTP mail server that prevents spam delivery and saves
mail traffic information for evidence and research. Jackpot also
creates Web-based reports that simplify analysis and tracking. Cleaver
writes, "Jackpot saves full details of all spam mail submitted to it
as a collection of web-pages. The information is organized into lists,
with messages sent from a given host grouped on a page. Jackpot tries
to gather some information about the host that sent the spam ... [it
also checks to see] if the source [of potential spam] is a known
open-proxy or a [known spam operation and uses sources such as]
abuse.net to see whether there's a registered [mail] abuse address for
the host."

Spencer mentions two additional resources that can help thwart spam:
SpamNet and Distributed Checksum Clearinghouse (DCC). According to its
Web site, Vipul's Razor, commonly known as SpamNet (see the first URL
below), "establishes a distributed and constantly updating catalogue
of spam in propagation. Clients use this catalogue to filter out known
spam." According to the DCC Web page (see the second URL below), DCC
resembles SpamNet in that it's "a system of many clients and more than
90 servers that collects and counts checksums related to several
million mail messages per day, [mostly] as seen by Internet Service
Providers." SMTP servers and mail user agents can use the counts to
"detect and reject or filter spam or unsolicited bulk mail."
   http://razor.sourceforge.net/
   http://www.rhyolite.com/antispam/dcc/

To help prevent spam, explore the resources I've mentioned in this
article and consider using them on your networks. Thanks to Brad
Spencer for his help in bringing this information to Security UPDATE
readers.

~~~~~~~~~~~~~~~~~~~~

2. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* ATTEND OUR FREE TIPS & TRICKS WEB SUMMIT
   Join us on December 19th for our Tips & Tricks Web Summit featuring
three eye-opening events: Disaster Recovery Tips & Tricks, Intrusion
Detection: Win2K Security Log Secrets, and Merging Exchange Systems:
Tips for Managing 5 Key Challenges. There is no charge for this event,
but space is limited so register today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eOLO0CJgSH0CBw05nz0Av

* THE STORAGE SOLUTIONS YOU'VE BEEN SEARCHING FOR!
   Our popular IT Buyers' Directories (ITBDs) are online catalogs of
the hottest vendor solutions around. Our latest ITBD highlights the
solutions and services that will help you effectively manage your
enterprises' storage. Download your copy today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eOLO0CJgSH0CBw05zm0Au

3. ==== SECURITY ROUNDUP ====

* NEWS: WI-FI ALLIANCE ANNOUNCES WEP REPLACEMENT
   The Wireless Ethernet Compatibility Alliance (WECA), which
certifies IEEE 802.11 wireless networking products with the Wi-Fi (the
802.11b wireless standard) marketing label, announced that it has
ratified a new standard for wireless security. Dubbed Wi-Fi Protected
Access (WPA), the technology will replace the compromised Wired
Equivalent Privacy (WEP) security technology found in most existing
Wi-Fi products today.
   http://www.secadministrator.com/articles/index.cfm?articleid=27160

* NEWS: WIN2K PASSES SECURITY TEST
   Microsoft announced that Windows 2000 has received the highest
level of security certification of any commercial OS. The
International Organization for Standardization (ISO) awarded Win2K
with the Common Criteria (CC) certification.
   http://www.secadministrator.com/articles/index.cfm?articleid=27149

4. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I STOP WINDOWS FROM CACHING A .DLL FILE AFTER I CLOSE
THE PROGRAM THAT WAS ACCESSING IT?
   (contributed by John Savill, http://www.windows2000faq.com)

A. Windows caches .dll files to speed disk I/O. However, even after
you close the calling program, the .dll file remains cached. To stop
Windows from caching .dll files after you've closed the calling
program, perform the following steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
registry subkey.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter the name AlwaysUnloadDLL, then press Enter.
   5. Double-click the new value, set it to 1, then click OK.
   6. Close the registry editor, then reboot the machine for the
change to take effect.

5. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* EMAIL AND FILE-ENCRYPTION PROGRAM FOR WINDOWS
   TAN$TAAFL Software released Top Secret Crypto Gold 2.00, an email
and file-encryption program for Windows XP, Windows 2000, Windows NT,
Windows Me, and Windows 9x. Use Top Secret Crypto Gold to protect your
sensitive personal, company, and corporate data as you transmit it
across town, across the country, and around the world. Top Secret
Crypto Gold will protect all of your email and files transmitted over
the Internet. Top Secret Crypto Gold uses the RSA Public Key
Encryption System with three powerful conventional encryption
algorithms. Top Secret Crypto Gold costs $34.95 for a single-user
license and $999.95 for an unlimited license. Contact TAN$TAAFL at
mkp () topsecretcrypto com or the Web site.
   http://www.topsecretcrypto.com

* PROVIDE SECURE TRANSMISSION OVER THE INTERNET
   ZyXEL Communications announced Prestige 652, an ADSL modem/router
with robust firewall and VPN capabilities. The product requires no
additional firewall devices on the network or VPN software on the
workstations to act as an ADSL firewall. Because it integrates
firewall and VPN capabilities, customers can expect to save money and
increase network efficiency. The Prestige 652's IP Security (IPSec)
VPN uses data encryption to provide transparent and secure
transmission over the Internet and between two or more sites. Prestige
652 costs $499. Contact ZyXEL at 714-632-0882 or visit the Web site.
   http://www.zyxel.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

6. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: How Can I Remove or Disable the View Menu Item?
   (Three messages in this thread)

A user writes that he needs to remove the View, Explorer Bar, Folders
option from a Windows XP system in a Windows 2000 domain. If he can't
do that, he wants to remove the View option altogether. He says that
he's looked through some policies and tried some registry changes, but
he can't seem to remove the menu option. Read the responses or lend a
hand:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=48770

* HOWTO MAILING LIST
   http://63.88.172.96/listserv/page_listserv.asp?a0=howto

Featured Thread: Server Losing Permissions in Domain
   (Three messages in this thread)

A user writes that two servers on his network have suddenly lost
permission to access the related domain. He says it's almost as if
someone has removed them from the domain and added another server of
the same name with a different SID, but that's not the case. He can
address the problem by removing, deleting the servers from the SAM
database, resynching the domain, then adding the servers back to the
domain. However, although the issue is simple to fix, he wonders why
it occurs. Read the responses or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?A2=IND0210E&L=HOWTO&P=601

7. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

