Security UPDATE--Security Blog and Googling for Vulnerabilities--July 28, 2004

==== This Issue Sponsored By ====

Featured Download: Patch Management Software

http://www.stbernard.com/src/ue_landing.asp?utm_campaign=ue&utm_source=winnetsu_072804&utm_medium=sponsorship

Security Administrator

http://www.secadministrator.com/rd.cfm?code=fsep254xup

1. In Focus: Security Blog and Googling for Vulnerabilities

2. Security News and Features

- Recent Security Vulnerabilities

- Book Review: PDA Security: Incorporating Handhelds into the Enterprise

3. Security Matters Blog

- It Had to Happen Sooner or Later

- Stopping Malware That Travels Through SSL Connections

- XML-Based Security Information Feeds

4. Instant Poll

5. Security Toolkit

- FAQ

6. New and Improved

- Know Your Enemy

==== Sponsor: Featured Download: Patch Management Software ====

As a busy IT professional, do you really have time to inventory, research, test, validate and report on each patch? Let UpdateEXPERT Patch Management work for you. All the steps are automated and our scalable architecture works on large and small enterprises alike. Find out why UpdateEXPERT was named a TechTarget 2004 Product of the Year. Download a Free 15-day Live Trial Today!

http://www.stbernard.com/src/ue_landing.asp?utm_campaign=ue&utm_source=winnetsu_072804&utm_medium=sponsorship

==== 1. In Focus: Security Blog and Googling for Vulnerabilities ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

First, I want to let you know that we've added a new section to our Web site and this newsletter. If you visit the Web site regularly and subscribe to our security-related Really Simple Syndication (RSS) feed, then you know we recently launched a new blog: Security Matters. Each week in this newsletter, you'll find a summary of the most recent blog postings.

You can visit the Security Matters blog to add your comments to a given posting. If you have a tip, tidbit of information, resource, commentary, or other content that you think might be of interest to others, then certainly send me an email (mark at ntsecurity / net) with that content and I'll consider posting it to the blog.

Last week, I mentioned the Information Security Writers Web site, which publishes security papers written by many authors. In the past week, the site has published a few new papers, one of which is "Demystifying Google Hacks," by Debasis Mohanty.

http://www.infosecwriters.com/texts.php?op=display&id=191

The paper outlines several ways in which someone can use a particular search syntax in Google to query for sites that might have known vulnerabilities. For example, Google supports query syntax that includes the commands intitle:, inurl:, allinurl:, filetype:, intext:, and more. Google isn't the only search engine that provides the use of this sort of query syntax. MSN Search, AlltheWeb, Yahoo!, and others support a similar syntax to varying degrees.

If intruders are using search engines, you should try the same techniques to check your own Web sites for vulnerabilities. Repeating the searches when new Web-related vulnerabilities are published might also be wise. Think of it as another method for scanning your systems. You can also build false URLs into a honeypot that supports Web services, then add the honeypot URLs to various search engines.

A drawback of using search engines to search for vulnerabilities on your Web sites is that typing or pasting in query after query can become tedious work. One obvious solution is to use scripts to store queries and automate the actual querying and result gathering process. Foundstone released a free tool in May that automates the process of using Google to scan for vulnerabilities in a given site. I've used SiteDigger a few times, and it works really well.

http://www.foundstone.com/resources/proddesc/sitedigger.htm

Site Digger has a list of more than 100 predefined queries (vulnerability signatures) in which you simply enter a Web site address and click a button to start the Google query process. After the query is complete, you can easily export a report to HTML format.

The signatures are stored in XML format, so you can add more or customize the current rules if you need to. If you do, be aware that the tool also has an update feature that lets you download new queries from the Foundstone Web site when they're available. I'm not sure whether the update process totally overwrites the signature file or not; you might want to save a copy of your custom signatures in case it does.

Our Instant Poll this week asks, "Do you use search engines to look for vulnerabilities in the Web sites you manage?" Visit http://www.winnetmag.com/windowssecurity and give us your answer.

==== Sponsor: Security Administrator ====

Try a Sample Issue of Security Administrator!

Security Administrator is the monthly newsletter from Windows & .NET Magazine that shows you how to protect your network from external intruders and control access for internal users. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here!

http://www.secadministrator.com/rd.cfm?code=fsep254xup

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.winnetmag.com/departments/departmentid/752/752.html

Book Review: PDA Security: Incorporating Handhelds into the Enterprise

According to information published on the companion Web site to the book "PDA Security: Incorporating Handhelds into the Enterprise," "PDAs have moved into the workplace. More than 25 million of them will soon be accessing company networks." Such a proliferation of PDAs represents another challenge for systems administrators who are already struggling to ensure that their company's information isn't violated in any way or by any means. Reviewer Tony Stevenson says the book will be useful to administrators tasked with developing a practical "handheld computing" strategy for their company or organization. Most important, the book provides the framework for assessing, and then addressing, the risks that PDAs present. Read the entire book review on our Web site.

http://www.windowsitlibrary.com/bookreviews/bookreview.cfm?bookreviewid=80

==== Announcements ====

(from Windows & .NET Magazine and its partners)

Get Your Free Small Business Servers Toolkit--Includes an eBook Plus 3 Web Seminars!

Don't miss your opportunity to evaluate your server options and discover which Windows version is right for your needs to lower licensing and operating costs. You'll learn how to create a centralized server environment and develop an IT infrastructure plan to get the most out of your systems while minimizing the costs involved. Get your Small Business Servers Toolkit now!

http://www.winnetmag.com/techxtraining/smbusinessservers/index.cfm?code=0726emailannc

Do You Find Monitoring Windows Servers a Daunting Task?

In this free eBook, we'll examine four main types of monitoring crucial to any network: performance, capacity, availability, and security. For each area, you'll find out the most important events and conditions to monitor to maximize performance, manage capacity, ensure availability, and stay on top of security. Download this free eBook today!

http://www.WindowsITlibrary.com/ebooks/monitoringwindowsservers/index.cfm?code=0726emailannc

==== Hot Release ====

SSL123 - New from thawte

The full 128-bit capable digital certificate issued within minutes for US$159.00. Free reissues and experienced 24/5 multi-lingual support included for the life of the certificate. Click here to read more:

http://ad.doubleclick.net/clk;9179262;9642913;v

==== 3. Security Matters Blog ====

by Mark Joseph Edwards, http://www.winnetmag.com/securitymatters

Check out these recent entries in the Security Matters blog:

It Had to Happen Sooner or Later

- It was inevitable that somebody somewhere would produce a virus that affects Windows CE devices, and it happened this week.

Stopping Malware That Travels Through SSL Connections

- Inspecting Secure Sockets Layer (SSL) traffic isn't possible through standard methods. However, it is possible with a third-party solution.

XML-Based Security Information Feeds

- Really Simple Syndication (RSS) feeds are a great way to quickly gather security-related information, including information about all the latest vulnerabilities.

==== 4. Instant Poll ====

Results of Previous Poll

The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Do you now use or do you plan to use 802.11i on your wireless LANs?" Here are the results from the 47 votes.

- 13% Yes, we use 802.11i now

- 4% Yes, we plan to use 802.11i in the next 3 months

- 9% Yes, we plan to use 802.11i in the next 6 months

- 17% Yes, we plan to use 802.11i in the next year

- 57% No, we don't plan to use 802.11i

New Instant Poll

The next Instant Poll question is, "Do you use search engines to look for vulnerabilities in the Web sites you manage?" Go to the Security Web page and submit your vote for

- Yes, I do so regularly

- Yes, but only when I become aware of new Web vulnerabilities

- No, but I plan to start

- No, and I don't plan to start

http://www.winnetmag.com/windowssecurity

==== 5. Security Toolkit ====

FAQ: Q. What Are the Relative Identifiers (RIDs) of a Domain's Built-in Accounts?

by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Every object in a domain has a SID, which consists of the domain's SID and a RID. For built-in objects, such as built-in accounts, RIDs are hard-coded. A table at the URL below lists the built-in objects, their RID, and their object type. The fact that RIDs are hard-coded explains why merely renaming, say, the Domain Administrator object doesn't often thwart an intruder, who can simply locate the account by using the RID 500. However, you can create a honeypot by renaming the real Domain Administrator account and creating a new account called Domain Administrator that has no permissions. You can use the bogus Domain Administrator account to fool hackers into attacking it, then log the attacks and delay any real damage to the bona fide Domain Administrator account.

http://www.winnetmag.com/articles/misc/table071904.htm

==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

We're Bringing the Experts Directly to You with 2 New IT Pro Workshop Series on Security and Exchange

Don't miss 2 intense workshops designed to give you simple and free tools to better secure your networks and Exchange servers. Discover how to prevent intruders from attacking your network and how to perform a security checkup on your Exchange deployment. Get a free 12-month subscription to Windows & .NET Magazine and enter to win an Xbox! Register now!

http://www.winnetmag.com/workshops/securingwindowsandexchange/index.cfm?tc=0726emailannc

====6. New and Improved ====

by Jason Bovberg, products@winnetmag.com

Know Your Enemy

O'Reilly Media released "Security Warrior" by Cyrus Peikari and Anton Chuvakin. Based on the principle that the best way to defend your systems is to understand your attacker in depth, "Security Warrior" covers everything from reverse engineering to SQL attacks and includes such topics as social engineering, antiforensics, and advanced attacks against UNIX and Windows systems. The book discusses a combination of formal science and real-life information-security experiences, multiple platforms, and attacks and defenses. The book costs $44.95. For more information, contact O'Reilly at 707-827-7000 or 800-998-9938 or on the Web.

http://www.oreilly.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.

==== Sponsored Links ====

Argent

Comparison Paper: The Argent Guardian Easily Beats Out MOM

http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

CrossTec

Free Download--New - Launch NetOp Remote Control from a USB Drive

http://ad.doubleclick.net/clk;9571671;8214395;t?http://www.crossteccorp.com/html_ad/winnetmag.htm

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- letters@winnetmag.com

About technical questions -- http://www.winnetmag.com/forums

About product news -- products@winnetmag.com

About your subscription -- securityupdate@winnetmag.com

About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

==== Contact Our Sponsors ====

Primary Sponsor:

St. Bernard Software -- http://www.stbernard.com

Hot Release Sponsor:

thawte -- http://www.thawte.com -- 1-650-426-7400