Friday, September 12, 2003

New Worm Headed Our Way?
Administrators and security specialists hoping for a breather now that Blaster has faded and SoBig.F has expired may be in for a long weekend.

The nature of the new vulnerabilities revealed yesterday in the RPC DCOM implementation in Windows is so similar to the one that Blaster exploits that security experts believe it's only a matter of days, if not hours, before someone releases a worm to attack the new weaknesses. Even though it infected close to a million machines, experts say the Blaster worm was poorly coded and as a result did not do nearly the damage that a more efficient worm could have done. Blaster easily could be modified to work much better, and because the source code for the worm is readily available online, it's likely that someone is already at work on that task.

"It all adds up to a situation where we'll probably see a worm in the next 24 hours or so," said Jerry Brady, chief technology officer at managed security provider Guardent Inc., based in Waltham, Mass. "This could be worse. It wouldn't take very much—just some very minor changes to the way the RPC connections work or the duration of the connections."

Like the vulnerability that Blaster exploits, two of the three new flaws reported in the RPC DCOM implementation in Windows are buffer overruns that could enable an attacker to run arbitrary code on a vulnerable machine. The flaws affect Windows NT 4.0, 2000, XP and Windows Server 2003.

Although the vulnerability itself isn't found in other operating systems, Brady said that some of Guardent's customers had Blaster-related problems on non-Windows systems. Some of the customers' problems stemmed from the fact that Unix-based management systems have a hard time handling the volume of RPC requests that were being generated by infected PCs.

"Some of these systems were seeing 15 to 22 times the normal number of connection attempts, which doesn't sound like that much but it's still out of bounds for these workstations," Brady said.
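The surge Brady describes (15 to 22 times the normal number of connection attempts) is the sort of signal a defender can alert on without any worm signature at all. Below is an added example, not code from the article or from Guardent, that counts connection attempts to TCP/135 (the RPC endpoint mapper) per source host in a baseline window and in a current window and flags any host whose ratio crosses the threshold the article reports. The log format (timestamp, source, destination, destination port, action) and all log lines are constructed for this example, and a host that never appeared in the baseline is given a floor of one attempt so it can still be scored rather than silently divided by zero.

```python
"""Added example (not from the article): flag hosts whose TCP/135 (RPC)
connection attempts jump far above their own baseline, the kind of surge
the article attributes to Blaster-infected PCs hammering RPC endpoints.

The firewall-style line format and every log line here are constructed
for this example; they are not any real product's output.
"""
import re
from collections import Counter

RPC_PORT = 135
SPIKE_RATIO = 15.0   # article reports 15-22x normal volume on affected systems
MIN_BASELINE = 1     # floor so a host unseen in the baseline still gets a ratio

# Assumed line shape: "<ts> <src-ip> <dst-ip> <dport> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def count_rpc_attempts(log_text):
    """Return a Counter of connection attempts to TCP/135, keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("dport")) != RPC_PORT:
            continue  # malformed line or not an RPC endpoint-mapper attempt
        counts[m.group("src")] += 1
    return counts


def find_spikes(baseline_text, window_text, ratio=SPIKE_RATIO):
    """Map source IP -> (observed, expected, ratio) for hosts at or above `ratio`."""
    base = count_rpc_attempts(baseline_text)
    now = count_rpc_attempts(window_text)
    spikes = {}
    for src, observed in now.items():
        expected = max(base.get(src, 0), MIN_BASELINE)
        r = observed / expected
        if r >= ratio:
            spikes[src] = (observed, expected, round(r, 1))
    return spikes


def _lines(src, dport, n, ts="2003-09-12T09:00:00"):
    """Build n constructed log lines from `src`, spread across destinations."""
    return "\n".join(
        f"{ts} {src} 10.0.2.{1 + i % 250} {dport} ACCEPT" for i in range(n)
    )


# Constructed baseline (a normal day) and observation window.
BASELINE_LOG = "\n".join([
    _lines("10.0.1.15", 135, 2),
    _lines("10.0.1.20", 135, 1),
    _lines("10.0.1.20", 80, 5),
])
WINDOW_LOG = "\n".join([
    _lines("10.0.1.15", 135, 40),   # 20x its baseline -> flagged
    _lines("10.0.1.20", 135, 3),    # 3x its baseline  -> below threshold
    _lines("10.0.1.99", 135, 30),   # never seen before -> scored against floor of 1
    _lines("10.0.1.99", 80, 2),
])

if __name__ == "__main__":
    for src, (observed, expected, r) in find_spikes(BASELINE_LOG, WINDOW_LOG).items():
        print(f"{src}: {observed} RPC attempts vs baseline {expected} ({r}x)")
```

The per-host baseline matters: a management station that legitimately polls hundreds of machines over RPC has a high normal count and should not trip on absolute volume alone, while a workstation that normally makes one or two endpoint-mapper connections a day stands out immediately at forty.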

Another issue causing concern in the security community is the fact that many of the control systems for utilities such as water plants and nuclear power plants use RPC to link their supervisory control and data acquisition (SCADA) systems to their Internet-connected networks. SCADA systems comprise central controllers and sensors and are used to remotely control complex systems such as power grids and water treatment facilities.

There have been some reports that Blaster played some role in causing the large blackout last month that affected much of the Northeast United States and parts of the Midwest. Brady said he fears that an improved RPC worm could produce far worse results.

Three New Critical RPC Flaws Found
http://www.eweek.com/article2/0,4149,1261390,00.asp

http://www.eweek.com/article2/0,4149,1264676,00.asp

Thursday, September 11, 2003

Product Security Notification
To subscribe to the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

This is a free e-mail notification service that Microsoft uses to send information to subscribers about the security of Microsoft products.

The goal of this service is to provide accurate information to our customers that they can use to inform and protect themselves from malicious attacks. Our security team investigates issues reported directly to Microsoft, as well as issues discussed in certain popular security newsgroups. When we publish bulletins, they'll contain information on what the issue is, what products (if any) it affects, how to protect yourself against it, what we plan to do to fix the problem, and links to other sources of information on the issue.

This service supplements our existing security reporting procedures. You can continue to read security bulletins and other information about Microsoft product security on http://www.microsoft.com/technet/security.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
Microsoft Security Bulletin MS03-039
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
Originally posted: September 10, 2003

Summary
Who should read this bulletin: Users running Microsoft® Windows®

Impact of vulnerability: Three new vulnerabilities, the most serious of which could enable an attacker to run arbitrary code on a user’s system.

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the security patch immediately

End User Bulletin:
An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-039.asp.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-039.asp
PC Client Helps Those Desperately Seeking WiFi
WiNc works with almost all WiFi hardware and provides a simple way to find, save, link up to, and manage personal WiFi connections. Even better, Cirond has developed a smaller version for PocketPC, so mobile users can enjoy WiNc's capabilities as well.

How It Works

The interface looks roughly the same on both platforms. It provides three tabs to help you locate, select, and connect to wireless networks. The Connection Management tab is where you identify and select wireless networks. By default, the software scans for new networks every 10 seconds, but you can reduce the frequency to every 2 minutes. The software sorts networks by signal strength initially, but you can sort by SSID, channel, WEP-key status (locked or unlocked), and more.

This window also helps you select the best network. For example, the software uses a closed padlock symbol to mark networks secured by WEP keys. You can even use WiNc to bypass potential areas of congestion. Typically, your system connects to the most powerful WiFi signal. But if two or more access points are operating on the same channel—say 6—you can select an AP using 11 instead, even if the signal strength is lower. You'll likely get a better connection than from the AP with the best signal, because you'll avoid interference. You can mark a network you like as preferred, and when that network is available, your system will automatically connect to it.

Once you connect, the General tab gives you details on the connection—how fast the link is, total packets sent and received, and more. This is also where you can enter the WEP key for a network.

Another really nice WiNc feature automates the often frustrating process of setting up an ad hoc network—a peer-to-peer connection between two WiFi computers. You do this for quick file transfers or head-to-head gaming.

The IP Properties tab is a bit geeky, but longtime wireless users will appreciate both the information and the capabilities it gives. Here you can track exactly what Internet address parameters have been granted to your computer through DHCP, the automatic network configuration protocol used by most networks today. Many WiFi connection problems result from faulty or old IP configurations. Even if you don't know what all the stuff on this screen means, you can easily ask the network's server to reconfigure you, making obtaining a new IP address easy.

http://www.pcmag.com/print_article/0,3048,a=59192,00.asp

Wednesday, September 10, 2003

The Blaster School of Hard Knocks
Blaster is teaching Microsoft how to better communicate. But there are other lessons Redmond could stand to learn.

Microsoft learned a lot from the Blaster worm that blasted onto the scene last month. But it could have learned more.
Thanks to Blaster, the Redmond software giant has come to realize:
It needed to make its emergency communications with its customers simpler and quicker. The recently rolled-out 1-2-3 Protect Your PC campaign shows Microsoft learned this lesson quite well — and quickly, to boot.

Security is a customer-satisfaction issue. Microsoft understands its current and future users might be less-than-thrilled to be approached if their Blaster pain isn't thoroughly acknowledged. The company has cautioned its sales force and partners to lead with an acknowledgement that Blaster has wreaked havoc on customers' businesses before pitching them on new business.

There's nothing wrong with saying you are sorry (even if you don't really believe something is your fault). Right after the Blaster attack, Redmond held a series of conference calls with key customers. (It even published the transcript of one of them.) The key message: We are sorry that Blaster blasted you. And we are pulling out all the stops to make sure this doesn't happen again.

Making Windows and other key infrastructure software more secure is Priority No. 1. No exceptions. It matters more to users than getting their hands on a Longhorn beta, receiving a sneak peek of a Motorola Smartphone, or being granted another round of Software Assurance licensing concessions. Accordingly, Redmond seems to be accelerating its schedule for patching its software-patching mechanisms as a key first step.

But school's not out for Microsoft on Blaster. There are a few lessons that Redmond seemingly hasn't taken to heart.…

http://www.microsoft.com/security/protect/default.asp

http://www.microsoft-watch.com/article2/0,4248,1237609,00.asp
SoBig Not Gone Yet
Like Ben and J. Lo, the SoBig.F virus long ago overstayed its welcome and seems to be intent on hanging around to annoy as many people as possible. But, unlike Bennifer, the virus mercifully is set to expire on Wednesday, providing worm-weary administrators and users with a bit of relief.

The original SoBig virus appeared in early January, welcoming workers back from the holidays with a raft of infected messages from big@boss.com. In the intervening eight months, five more variants have been set loose, with varying degrees of success.

But none of the previous versions even remotely approached the infection rates that SoBig.F has achieved.

The latest iteration of the virus hit the Internet on Aug. 18 and spawned more than a million copies of itself in the first 24 hours of its existence. At its peak later that week, one in every 17 pieces of e-mail inspected by e-mail security provider MessageLabs Inc. was infected with SoBig.F. Since then, the infection rate has slowed, but MessageLabs continues to stop as many as 600,000 copies of the virus each day.

The respite from SoBig may be short-lived however, as many anti-virus experts expect another variant to be released soon after this one expires. There is some debate in the community on this point, as well as the question of whether all of the previous versions of SoBig have been created by one person. But if history is any guide, it won't be long before another variant is flooding inboxes with maddening levels of junk.…

http://www.eweek.com/article2/0,4149,1252887,00.asp

Tuesday, September 09, 2003

Using nested positioned DIVs to automatically adjust to variable sized DIVs using CSS positioning.
An explanation of their use in the Adaptive Path redesign by Doug Bowman

http://www.stopdesign.com/log/2003/09/03/absolute.html
Listamatic
Can you take a simple list and use different Cascading Style Sheets to create radically different list options? The Listamatic shows the power of CSS when applied to one simple list using samples from Eric Meyer, ProjectSeven, SimpleBits, Jeffrey Zeldman and others.

http://www.maxdesign.com.au/presentation/listamatic/

Monday, September 08, 2003

Get ready for the latest Microsoft products and technologies:
Microsoft Windows Server™ 2003, Microsoft Exchange Server 2003, and Microsoft Visual Studio® .NET. Receive a free analysis of your current skills; a personalized learning plan to improve your skills, including Microsoft Official Curriculum courses, Microsoft Press books, and Microsoft TechNet resources; and a comparison of your skills to those of others, with high scores posted daily.

http://www.microsoft.com/traincert/assessment/

Sunday, September 07, 2003

A Hearty Buffet of Look-Up Databases
Need to look up an address, postal code, place name or similar information? Forget search engines -- this one-stop source provides free access to lookup databases.

The Lookup Directory from Melissa Data provides a first-rate collection of 18 look-up databases, accessible from a single page. All of these tools are available for free!

Specialized databases like these can save you large amounts of time versus using a general web engine to search, and search, and search and hope to find an answer.

http://www.melissadata.com/Lookups/index.htm

http://searchenginewatch.com/searchday/article.php/2245831