Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

“This article contains information about the Microsoft Baseline Security Analyzer tool (MBSA). This tool centrally scans Windows-based computers for common security misconfigurations and generates individual security reports for each computer that it scans. MBSA runs on computers that run Windows Server 2003, Windows 2000, and Windows XP. MBSA can scan for security vulnerabilities on computers that run Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. MBSA scans for common security misconfigurations in Windows, Internet Information Services (IIS), SQL Server, Internet Explorer, and Microsoft Office. MBSA also scans for missing security updates in Windows, IIS, SQL Server, Internet Explorer, Windows Media Player, Exchange Server, Microsoft Data Access Components (MDAC), Microsoft XML (MSXML), Microsoft virtual machine (VM), Content Management Server, Commerce Server, BizTalk Server, Host Integration Server, and Office (local scans only). A graphical user interface (GUI) and command-line interface are available in version 1.2.1.

MBSA version 1.1 replaced the stand-alone HFNetChk tool and fully exposes all HFNetChk switches in the MBSA command-line interface (Mbsacli.exe). For additional information about MBSA, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Download Information

English, French, German, and Japanese versions of MBSA are available from the Microsoft Download Center. Visit the following the MBSA Web page for direct links to download these versions:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx#XSLTsection124121120120

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. ”
‘’…
http://support.microsoft.com/default.aspx?scid=kb;en-us;320454

Back up, Edit, and Restore the Registry in Windows XP

“SUMMARY

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

NoteThe registry in 64-bit versions of Windows XP and Windows Server 2003 is divided into 32-bit and 64-bit subkeys. Many of the 32-bit subkeys have the same names as their 64-bit counterparts, and vice versa. The default 64-bit version of Registry Editor that is included with 64-bit versions of Windows XP and Windows Server 2003 displays the 32-bit subkeys in the following registry subkey, or "hive":

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node

For additional information about how to view the registry on 64-bit versions of Windows, click the following article number to view the article in the Microsoft Knowledge Base:

305097 How to view the system registry by using 64-bit versions of Windows

REFERENCES

314837 How to manage remote access to the registry

310595 Description of HKEY_CURRENT_USER registry subkeys

310593 Description of the RunOnceEx registry key

307545 How to recover from a corrupted registry that prevents Windows XP from starting

286422 How to back up and restore a Windows Server 2003 cluster

104169 Files that are automatically skipped by the backup program (NTBackup.exe) during the backup and restore processes

310426 How to use the Windows XP and Windows Server 2003 Registry Editor features ”

For a Microsoft Windows 2000 version of this article, see 322755.
For a Microsoft Windows NT 4.0 version of this article, see 323170.

For a Microsoft Windows 95, 98, and Millennium Edition version of this article, see 322754.

http://support.microsoft.com/kb/322756

The six dumbest ways to secure a wireless LAN

by ZDNet's George Ou

“ For the last three years, I've been meaning to put to rest once and for all the urban legends and myths on wireless LAN security. Every time I write an article or blog on wireless LAN security, someone has to come along and regurgitate one of these myths. If that weren't bad enough, many "so called" security experts propagated these myths through speaking engagements and publications and many continue to this day. Many wireless LAN equipment makers continue to recommend many of these schemes to this day. One would think that the fact that none of these schemes made it in to the official IEEE 802.11i security standard would give a clue to their effectiveness, but time and time again ...”

http://blogs.zdnet.com/Ou/index.php?p=43

Mozilla fixes risky Firefox flaw

By Robert Lemos, CNET News.com

“The Mozilla Foundation issued a patch for a major security flaw in its Firefox browser on Wednesday and advised people to update their software.

The problem is caused by a buffer overflow in legacy Netscape code still included in the browser for animating GIF images, Chris Hofmann, director of engineering for Mozilla, said. Similar memory problems have affected Mozilla's browsers and Microsoft's Internet Explorer in the past. A malicious attacker could exploit them by creating carefully crafted image files that, when viewed by a victim in a browser, execute a program and compromise the system.

The flaw was discovered by Internet Security Systems, a network protection company, and patched before the public learned of the issue, Hofmann said.

"We are staying ahead and being proactive in fixing the code," he said. "The deciding factor, in this case, was the potential for this: It's a little easier for hackers to turn it into an exploit that could be dangerous."

The Mozilla Foundation released version 1.02 of Firefox on Wednesday to fix the problem and asked that all users to download and apply the patch.

Recently published data has prompted questions about the security of Firefox. Security technology provider Symantec said in this week's Internet Threat Report that during the second half of last year, 21 vulnerabilities affected Mozilla browsers and 13 flaws affected Internet Explorer.

However, only seven of the flaws in Firefox were considered "highly severe," compared with nine in Internet Explorer.”

http://news.zdnet.com/2100-1009_22-5632148.html?tag=nl.e589

Father of Word and Excel shoots for three-peat with Intentional Software

by ZDNet's David Berlind
“ Father of Word and Excel shoots for three-peat with Intentional Software

-- Like the blockbuster movie producer or director who works behind the scenes but whose celebrity is often confined to Hollywood insiders, Dr. Charles Simonyi is a giant among giants here at PC Forum in Scottsdale, Ariz. If you strike up a conversation with the easily approachable, mild-mannered, Hungarian-born software legend and passers-by such as Jeff Bezos (founder of Amazon.com) or Tim O'Reilly detect that Simonyi is even slightly engaged, they'll stop and tune-in.After leaving Xerox PARC, Simonyi joined Microsoft in 1981 and fathered two of the three biggest franchises in Microsoft's history -- Word and Excel. After a storied 21-year tenure with the Redmond, Wash.-based company, Simonyi is looking for a three-peat. But this time, it's not with Microsoft....
Trackback URL for this post: http://blogs.zdnet.com/BTL/wp-trackback.php/1190 ”

http://blogs.zdnet.com/BTL/index.php?p=1190&tag=nl.e539

“Description of the undiscovered tips about Excel

•	Join text in multiple columns
•	Set the print area
•	Exclude duplicate items in a list
•	Multiply text values by 1 to change text to numbers
•	Use the Text Import Wizard to change text to numbers
•	Sort decimal numbers in an outline
•	Use a data form to add records to a list
•	Enter the current date or time
•	View the arguments in a formula
•	Enter the same text or formula in a range of cells
•	Link a text box to data in a cell
•	Link a picture to a cell range
•	Troubleshoot a long formula
•	View a graphical map of a defined name
•	Fill blank cells in a column with contents from a previous cell
•	Switch from a relative reference to an absolute reference
•	Use the OFFSET function to modify data in cells that are inserted
•	Use the Advanced Filter command
•	Use conditional sums to total data
•	Use conditional sums to count data
•	Use the INDEX function and the MATCH function to look up data
•	Drag the fill handle to create a number series
•	Automatically fill data
•	Use the VLOOKUP function with unsorted data
•	Return every third number
•	Round to the nearest penny
•	Install and use Microsoft Excel Help
•	Do not open and save directly from a floppy disk
•	Use one keystroke to create a new chart or worksheet
•	Set up multiple print areas on the same worksheet”

http://support.microsoft.com/default.aspx?scid=kb;en-us;843504

They should call it "Boys Wreck Ignition"

By Alfred Ingram

Remember when ‘touch tone terror’ first entered our lives?

In all innocence we called a bank, or a pharmacy, or, most likely, the dtmf (dual tone multi frequency)-ing phone company itself, got a menu of choices too long to remember, started over and became even more confused the second time around.

Remember finally giving up in total frustration, perhaps even paying a charge we just knew was wrong?

Well they've fouled it up beyond all “wreck ignition,” again.

SBC has managed to do the barely possible, crossbreed help desk hell with touch tone hell, add a not ready for public technical capability, and give birth to voice recognition that has a hard time recognizing standard english.

Anyway, that's what I discovered when I had both a dead router and a bad DSL line and had to contact SBCYahoo for service at my State Representative's office.

Of course, now that I, along with the rest of the industrializedworld, am used to punching the keypad for menu selections, I wasn't able to do so.

The first day a total waste because SBC couldn't identify the state representative as a DSL customer. I'd say the number of the phone I was calling from (whatever happened to caller id?) and the machine consistently read back a number I'd never given it, finally driving me to hang up to try again the next day.

On day two I decided to call on from the half of the line (DSL splits a standard line) that wasn't hooked to the router and wound up talking to someone with an Indian accent who “insisted” that his name was “Matt.” That's when I discovered that I had a bad router, a bad line, and a help desk on another continent. After checking the line “Matt” told me they'd known of the problem for a week, but, apparently, doing anything about it called for someone on this side of the planet.

“Matt” arranged for SBC to call the next day at eleven, (so somone here in the United States could analyse the problem) so of course no one called. When I called to find out why, they claimed to be waiting for my call. “Matt” from India was not available to verify or deny either side of this foul up.…

more coming soon…

The Failure of Two-Factor Authentication

Schneier on Security

“Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.

The problem with passwords is that they're too easy to lose control of. People give them to other people. People write them down, and other people read them. People send them in e-mail, and that e-mail is intercepted. People use them to log into remote servers, and their communications are eavesdropped on. They're also easy to guess. And once any of that happens, the password no longer works as an authentication token because you can't be sure who is typing that password in.

Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess. Sure, someone can always give his password and token to his secretary, but no solution is foolproof.

These tokens have been around for at least two decades, but it's only recently that they have gotten mass-market attention. AOL is rolling them out. Some banks are issuing them to customers, and even more are talking about doing it. It seems that corporations are finally waking up to the fact that passwords don't provide adequate security, and are hoping that two-factor authentication will fix their problems.

Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses.…”

http://www.schneier.com/blog/archives/
2005/03/the_failure_of.html

Adobe Pushes DNG Image Format

By Kathy White

“Many photographers work in RAW-format files from their
digital cameras and are frustrated by the many versions out
there—varying not just from manufacturer to manufacturer but also from
camera to camera. But Adobe is trying to solve that problem with its
Digital Negative Specification.

Adobe Systems Inc. in September 2004 introduced DNG, a public format
for RAW digital camera files, along with a free software tool, Adobe
DNG Converter, which translates many of the RAW photo formats (images
before any in-camera processing) used today into the new DNG file
format.

Adobe is also letting any manufacturer that wants to use the format in
its cameras, printers and software applications do that for free
without any limitations in the hopes of encouraging them to accept it
as the standard.

Shooting RAW images means photographers can avoid dealing with the
compression and loss of image quality involved with shooting JPEGs.
But with that change comes the problem that Adobe has addressed: Each
manufacturer uses a proprietary format that is specific to its cameras
and might not be compatible with Adobe's Photoshop or other editing
software.

The Digital Negative Specification, Adobe hopes, will become the
single format, allowing users to store information from a diverse
range of cameras.…”

http://www.publish.com/article2/0,1759,1776862,00.asp

Alternative Browsers and Java Lead Spyware to IE

By Michael Myser

“Windows and Microsoft products are going to be the first targets because they're so ubiquitous. Other applications will become targets as they become more popular.”

According Christopher Boyd, the Vitalsecurity.org researcher, versions of alternative browsers including Firefox, Mozilla, Netscape and Avant all allow the execution of code within IE.…

“A malicious batch of adware and spyware has appeared that can use Firefox and other alternative browsers to infect Microsoft's IE.

According to a researcher at Vitalsecurity.org in the United Kingdom, if a user visits a site hosting the malicious code and agrees to install the applications despite security warnings, Internet Explorer will automatically run and deluge the computer with pop-up ads and offers, regardless of IE security settings.

While the security and infection threat is relatively low—in addition to the security warnings, the code only affects users of Sun's JRE (Java Runtime Environment), and so far is only found at a Neil Diamond lyrics site—it illustrates the continued expansion of malicious code targeting alternative browsers, as well as a unique cross-browser capability.…

"Firefox will retain an edge in security for some time, but the notion that you'll be impervious to threats due to using Firefox is an illusion," said Jim Slaby, a senior analyst with the Yankee Group.

"The criminal element has decided that it's profitable enough to write malware that targets it."

This code, however, doesn't work only through Firefox to get at IE.…”

http://www.eweek.com/article2/0,1759,1776347,00.asp

How to Record a Podcast

by Glenn Fleishman
“Podcasting involves two distinct tasks. First you have to record the audio and prepare it for listening. Then you need to syndicate it via RSS so others can subscribe to your programs. In this tutorial, Glenn Fleishman shows you some nifty tricks for recording your audio, especially if you want to capture phone interviews for syndication.”

http://www.macdevcenter.com/pub/a/mac/2005/01/25/podcast.html

Frequently asked questions about the automated portion of the Microsoft Protect Your PC Web site

“This article contains a list of answers to frequently asked questions (FAQ) about the automated portion of the Microsoft Protect Your PC Web site.”

•	Q1: What is the automated portion of the Protect Web site?
•	Q2: How do I access the automated portion of the Protect Your PC Web site?
•	Q3: What versions of Windows does the automated portion of the Protect Your PC Web site Support?
•	Q4: Who should use the automated portion of the Protect Your PC Web site?
•	Q5: What credentials must my account have to use the automated portion of the Protect Your PC Web site?
•	Q6: How does the automated portion of the Protect Your PC Web site work?
•	Q7: What does each step of the automated portion of the Protect Your PC Web site Do?
•	Q8: After I turn on ICF/WF, some of my games and other programs do not work correctly. How can I work around this?
•	Q9: Where can I find more information about the automated portion of the Protect Your PC Web site?

http://support.microsoft.com/default.aspx?scid=kb;en-us;828931

Has Your Address Been Spoofed?

Deb Shinder, Editor WinXPnews
“Are you getting e-mail messages from administrators of other mail domains, notifying you that the messages you sent were undeliverable? When you open these, do you find that you never sent a message to the supposed recipient? Sometimes these messages indicate that you have a virus sending e-mail from your account without your knowledge. Other times, though, the mail didn't come from your account at all - instead, somebody spoofed your e-mail address and used it as their return address.

Either way, it's more than just an anomaly or an annoyance. If your address is used to send spam, it may be reported to various "spam cop" organizations, resulting in your address - or even your entire domain - being added to various public blacklists of known spammers. And that means the legitimate e-mail you send won't get through to a lot of recipients. Not a good situation. You can read more about how e-mail spoofing is done in my article at http://www.winxpnews.com/rd/rd.cfm?id=050308ED-Spoofing.

What can you do about it? The federal CAN SPAM Act makes it illegal to send unsolicited commercial e-mail with false or misleading headers (return addresses). Unfortunately, you can't prosecute someone for this or any other crime unless you know who the perpetrator is.

Okay, what if your name ends up on a black list? Is there anything you can do about that? The answer is: sometimes. There are many different black lists, so the first challenge is to find out which list(s) are identifying you as a spammer. There is a list of some black lists at http://www.winxpnews.com/rd/rd.cfm?id=050308ED-Black_Lists. In some cases, you can write to those who maintain the lists and explain what happened and ask to have your address removed. Here is an article that contains info on how to get off of specific blacklists: http://www.winxpnews.com/rd/rd.cfm?id=050308S1-Off_Blacklists. Have you been blacklisted? If others are telling you that your e-mails don't reach them, it might be because you're on a blacklist. Many ISPs use blacklists to block spam at the server level.”

http://www.winxpnews.com/?id=166

Understanding E-mail Spoofing

Deb Shinder
“Spam and e-mail-laden viruses can take a lot of the fun and utility out of electronic communications, but at least you can trust e-mail that comes from people you know – except when you can’t. A favorite technique of spammers and other “bad guys” is to “spoof” their return e-mail addresses, making it look as if the mail came from someone else. In effect, this is a form of identity theft, as the sender pretends to be someone else in order to persuade the recipient to do something (from simply opening the message to sending money or revealing personal information). In this article, we look at how e-mail spoofing works and what can be done about it, examining such solutions as the Sender Policy Framework (SPF) and Microsoft’s Sender ID, which is based on it.

If you receive a snail mail letter, you look to the return address in the top left corner as an indicator of where it originated. However, the sender could write any name and address there; you have no assurance that the letter really is from that person and address. E-mail messages contain return addresses, too – but they can likewise be deliberately misleading, or “spoofed.” Senders do this for various reasons, including:

• The e-mail is spam and the sender doesn’t want to be subjected to anti-spam laws
• The e-mail constitutes a violation of some other law (for example, it is threatening or harassing)
• The e-mail contains a virus or Trojan and the sender believes you are more likely to open it if it appears to be from someone you know
• The e-mail requests information that you might be willing to give to the person the sender is pretending to be (for example, a sender might pose as your company’s system administrator and ask for your network password), as part of a “social engineering” attack
• The sender is attempting to cause trouble for someone by pretending to be that person (for example, to make it look as though a political rival or personal enemy said something he/she didn’t in an e-mail message)

Note:
“Phishing” – the practice of attempting to obtain users’ credit card or online banking information, often incorporates e-mail spoofing. For example, a “phisher” may send e-mail that looks as if it comes from the bank’s or credit card’s administrative department, asking the user to log onto a Web page (which purports to be the bank’s or credit card company’s site but really is set up by the “phisher”) and enter passwords, account numbers, and other personal information.

Whatever the motivation, the objective of spoofed mail is to hide the real identity of the sender. This can be done because the Simple Mail Transfer Protocol (SMTP) does not require authentication (unlike some other, more secure protocols). A sender can use a fictitious return address or a valid address that belongs to someone else.

Receiving mail from spoofed addresses ranges from annoying to dangerous (if you’re taken in by a “phisher”). Having your own address spoofed can be even worse. If a spammer uses your address as the return address, you may suddenly find yourself inundated with angry complaints from recipients or even have your address added to “spammer” lists that results in your mail being banned from many servers.…”

http://www.windowsecurity.com/articles/Email-Spoofing.html

Finding Free Content in the Creative Commons

By Chris Sherman, Associate Editor Searchday
“Looking for photos, music, text, books and other content that's free to share or modify for your own purposes? The Creative Commons search engine can help you find tons of (legally) free stuff on the web.

The Creative Commons was founded in 2001 to introduce a new form of copyright that's less restrictive than the "all rights reserved" approach generally in practice today. The goal was to restore "balance, compromise, and moderation—once the driving forces of a copyright system that valued innovation and protection equally."

By using a Creative Commons license, content creators adopt a "some rights reserved" form of copyright that encourages sharing and modifying content by others.

Today, the Creative Commons organization estimates that more than 5 million web sites link to its license. That's a lot of content, most of which is available for free or nominal charge.

The Creative Commons search engine (powered by Nutch, which we've previously covered) makes it easy to find this content. You can search for Creative Commons audio, images, text, video, and other formats that are free to share online.

You can also limit your search to works that you are free to modify, adapt, or build upon, or even use for commercial purposes.…”

http://searchenginewatch.com/searchday/article.php/3487206

4 steps to take if you've responded to a phishing scam

“What to do if you've responded to a phishing scam

You can do your best to prevent having your identity stolen by a phishing scam, but no method or system can guarantee total safety and security.

If you suspect that you've already responded to a phishing scam with personal or financial information or entered this information into a fake Web site, there may be ways you can minimize any damage.”

http://www.microsoft.com/athome/security/email/phishingrespond.mspx

5 don'ts and 3 do's for handling spam e-mail

“Despite your best efforts, you no doubt have received e-mail and instant messages you didn't ask for. Here's what you can do about all that junk.…

Beware of fake e-mail

Thieves use a method known as phishing to send e-mail or instant message spam that meticulously imitates messages from reputable, well-known companies, including Microsoft and others. The forged message capitalizes on your trust of the respected brand by enticing you to click a link on a Web page or in a pop-up window. Clicking it could download a virus or lead you to reveal confidential information such as account and Social Security numbers. Get more details from our video on phishing. ”

http://www.microsoft.com/athome/security/email/options.mspx

Using Microsoft Windows AntiSpyware (Beta)

“Microsoft Windows AntiSpyware (Beta) is a new security technology that helps to protect your computer from spyware and other unwanted software. You can manually scan your computer for spyware or schedule the program to perform a scan automatically on a regular basis at any time.

How to install and set up Windows AntiSpyware (Beta)
How to scan your computer for spyware
How to help remove spyware from your computer
How to set up a scheduled spyware scan
Understanding real-time protection”


http://www.microsoft.com/athome/security/spyware/software/howto/default.mspx

Microsoft Patches Windows 98, ME Flaws

By Ryan Naraine
“Microsoft Corp. on Tuesday updated two previously released bulletins to add critical security fixes for customers running Windows 98, 98SE and ME.

Patches for Windows 98 and ME are a "bonus" because of the critical nature of the vulnerabilities being addressed, a Microsoft spokeswoman said. "Those products are out of lifecycle, but we made a commitment to provide critical updates, and that's what you're seeing."

She said priority was given to rolling out patches for supported products. "After further testing on the out-of-lifecycle platforms, we updated the advisories." The patches cover two remote code execution vulnerabilities.

First, MS05-002, fixes a hole in the cursor and icon format handling feature that could open the door for an attacker to take complete control of an affected system.

Microsoft also added patches to MS05-015 to protect users against a remote code execution vulnerability in the Hyperlink Object Library.”

http://www.eweek.com/article2/0,1759,1774106,00.asp?kc=ewnws030905dtx1k0000599

Shooting Web video: How to put your readers at the scene

By Regina McCombs

Freelance writers, bloggers and independent journalists yearning to use video on the Internet, grab your PDAs. Use these tips to help you begin shooting and editing your own Web video stories.

“As anyone who’s ever watched a great documentary knows, stories told in video can be amazingly powerful. And as anyone who has sat through home movies knows, they can be mind-numbingly boring as well. If you’re a freelance writer, a blogger or an independent journalist with a story to tell in video, there are steps you can take to make sure your story tilts more toward the powerful than the sleep-inducing. (See Sonya Doctorian's video essays for RockyMountainNews.com.)

The story

First, it’s about content. One of the great things about the Web is that there are so many tools at our fingertips. We can use text, animated graphics, photos, audio or video to tell a story. But that means we need to be thoughtful about which we choose. Video is experiential, immersive, emotional – it puts you at the scene, gives flavor and personality, and of course, shows motion.

Video isn’t cheap in terms of time or equipment. Shooting, editing and posting video all demand more effort and gear than text. So first you need to decide why you want to tell a video story, and then you can gather what you will need to get video on the Web.

If you’re just interested in posting video from your Webcam, this article is not for you. Check out audioblog.com or Vlog it! from seriousmagic.com. Here, we’re going to talk about taking your camera out into the world and shooting video.

A common storytelling exercise is to state your story in one sentence, using an active verb. Who is doing what? “Neighborhood garbage burner” is not a story. On the other hand, “Neighbors hate the smelly garbage burner” has real potential.

Refining your story into a sentence helps focus your idea and keeps you from shooting everything that might have only a tangential relationship to the main idea. If it’s your first time out, start small. Really small. Simple, interesting stories deserve to be told, and they won’t make you insane while you deal with the steep video learning curve.

Cameras should be DV with firewire. If not, you’ll need additional hardware to capture video to your computer. There are plenty of good microphones available for under $100. A tripod is important because keeping shots steady is critical for Web encoded video. Every change in pixels makes the encoder work harder and makes your picture fuzzier.

A list of audio and video equipment options at several price points is available here on Visual Edge's site.…”

http://www.jr.org/ojr/stories/050303mccombs/