Wednesday, August 15, 2007

BotHunter: Another Useful Linux Tool

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Ensuring Protection and Availability for Microsoft Exchange

http://list.windowsitpro.com/t?ctl=624B9:4160B336D0B60CB16CC6EEF27401E7B2

Eliminate the Achilles Heel of the Desktop - Admin Rights

http://list.windowsitpro.com/t?ctl=624B8:4160B336D0B60CB16CC6EEF27401E7B2

Gain Control of Software Usage and Reduce Audit Risks

http://list.windowsitpro.com/t?ctl=624B7:4160B336D0B60CB16CC6EEF27401E7B2


=== CONTENTS ===================================================

IN FOCUS: BotHunter: Another Useful Linux Tool

NEWS AND FEATURES
- RSA Expands Security Offerings with Tablus Acquisition
- Symantec's New Evidence Collection and Transfer Tools
- Oracle Expands Its Middleware with More Security
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Cisco and Google Both Inflict DoS Upon
Themselves
- FAQ: How to List a User's SMTP Email Addresses
- From the Forum: Object Access Logging
- Share Your Security Tips

PRODUCTS
- Zip and Encrypt Outlook Email Attachments
- Product Evaluations from the Real World

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: Double-Take Software ==============================

Ensuring Protection and Availability for Microsoft Exchange
Microsoft Exchange is integral to an organization's day-to-day
operation. For many companies, an hour of Exchange downtime can cost
hundreds of thousands of dollars in lost productivity. This paper
discusses new ways to maintain Exchange uptime by using data
protection, failover, and application availability. When recoverability
matters, depend on Double-Take Software to protect and recover business
critical data and applications.

http://list.windowsitpro.com/t?ctl=624B9:4160B336D0B60CB16CC6EEF27401E7B2


=== IN FOCUS: BotHunter: Another Useful Linux Tool =============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

BotHunter is a passive network traffic monitoring system that locates bot
activity on your network. It runs only on Linux, but because it watches
traffic rather than endpoints, it protects a Windows-based network against
bot infiltration just as well.

The tool, which was recently released to the public, was developed by
the Cyber-Threat Analytics (Cyber-TA) Project. Extensive details about
BotHunter were presented at the 16th annual USENIX Security Symposium,
which took place August 6-10. The white paper prepared for the
symposium is available online and describes the technology used by the
tool.

According to the white paper, BotHunter tracks communication between
internal hosts and systems outside the local network and compares the
observed exchanges against a state-based model of the bot infection life
cycle. The model recognizes five dialog events: inbound scanning (E1),
an inbound exploit (E2), the victim's download of the bot binary, or
"egg" (E3), outbound command-and-control traffic (E4), and outbound
scanning by the newly infected host (E5). A host is declared infected
when the correlator sees the inbound exploit plus at least one of the
outbound events, or at least two distinct outbound events, within its
evidence window. Because the model matches a sequence of events rather
than any single signature, it identifies both the victim and the source
of the attack.
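The dialog-correlation idea is easier to see in code. The following is an added illustration written for this article, not BotHunter's own Java correlator: it parses a handful of constructed alert lines (the "timestamp event src -> dst" format is assumed, not BotHunter's real output), keeps per-host evidence, and applies the declaration condition described above (E2 plus an outbound event, or two distinct outbound events). The 30-minute evidence window is an assumption chosen for the sample data.

```python
"""Simplified BotHunter-style infection dialog correlator (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dialog events from the BotHunter infection model:
# E1 inbound scan, E2 inbound exploit, E3 egg download,
# E4 command-and-control traffic, E5 outbound scan.
INBOUND = {"E1", "E2"}      # the internal host is the destination
OUTBOUND = {"E3", "E4", "E5"}  # the internal host is the source

# Constructed alert lines in an assumed "timestamp event src -> dst"
# format; this is not BotHunter's real alert output.
SAMPLE_ALERTS = """\
2007-03-14 10:00:01 E1 203.0.113.9 -> 192.168.1.20
2007-03-14 10:00:05 E2 203.0.113.9 -> 192.168.1.20
2007-03-14 10:00:40 E3 192.168.1.20 -> 198.51.100.7
2007-03-14 10:01:10 E4 192.168.1.20 -> 198.51.100.44
2007-03-14 10:30:00 E1 203.0.113.9 -> 192.168.1.21
2007-03-14 11:45:00 E4 192.168.1.22 -> 198.51.100.44
2007-03-14 11:46:00 E5 192.168.1.22 -> 192.168.2.0
"""

LINE = re.compile(r"(\S+ \S+) (E[1-5]) (\S+) -> (\S+)")


def parse_alerts(text):
    """Return a list of (timestamp, event, src, dst) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def correlate(events, window=timedelta(minutes=30)):
    """Map each internal host that meets the bot declaration condition to the
    evidence behind the verdict. The window (assumed) bounds how far apart
    the correlated events may be; each host is evaluated over a sliding window
    starting at every event it accumulated."""
    evidence = defaultdict(list)  # internal host -> [(ts, event, peer)]
    for ts, ev, src, dst in events:
        host, peer = (dst, src) if ev in INBOUND else (src, dst)
        evidence[host].append((ts, ev, peer))

    infected = {}
    for host, items in evidence.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            win = [x for x in items[i:] if x[0] - start <= window]
            seen = {ev for _, ev, _ in win}
            outbound = seen & OUTBOUND
            # Declaration condition: inbound exploit plus any outbound
            # evidence, or at least two distinct kinds of outbound evidence.
            declared = ("E2" in seen and bool(outbound)) or len(outbound) >= 2
            if declared:
                infected[host] = {
                    "events": sorted(seen),
                    # The E2 peer is the attack source; None if no exploit was seen.
                    "attacker": next((p for _, e, p in win if e == "E2"), None),
                    "first": start,
                }
                break
    return infected


if __name__ == "__main__":
    for host, info in correlate(parse_alerts(SAMPLE_ALERTS)).items():
        print(host, info["events"], "attacker:", info["attacker"])
```

On the sample data, 192.168.1.20 is declared infected with 203.0.113.9 as the attack source, 192.168.1.22 is declared on outbound evidence alone (C&C plus outbound scanning, no exploit observed), and 192.168.1.21, which only received a scan, is not flagged. That last case is the point of the model: a single inbound scan is noise, while the sequence is a conviction.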

Under the hood, BotHunter uses Snort along with custom malware-focused
rule sets. Added to Snort are two custom plug-ins, SLADE (Statistical
payLoad Anomaly Detection Engine) and SCADE (Statistical sCan Anomaly
Detection Engine), that were developed especially for BotHunter. SLADE
performs statistical payload-anomaly analysis of inbound traffic, and
SCADE detects port scans in both inbound and outbound traffic.

It might sound somewhat simple on the surface, but it's actually
complex and quite effective. The BotHunter developers, Phillip Porras
of SRI International and Wenke Lee of Georgia Institute of Technology,
established a honeynet that uses BotHunter. The developers wrote that
"Over a 3-week period between March and April 2007, we analyzed a total
of 2,019 successful Windows XP and Windows 2000 remote-exploit bot or
worm infections." BotHunter detected 1,920 of those 2,019 infections,
which is roughly a 95 percent success rate. Not bad, especially for a
free tool!

A really slick feature of BotHunter is its integrated support for
"large-scale privacy-preserving data sharing." The feature lets
BotHunter operators send bot profiles to a central repository operated
by Cyber-TA; the collected data is then made available to everyone who
contributes BotHunter data and to other researchers. Reports are sent by
using Transport Layer Security (TLS) over the Tor (The Onion Router)
anonymity network to keep the origin of a report reasonably anonymous,
and operators can selectively obfuscate IP addresses and other sensitive
information before they share their data.
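One way an operator can do that obfuscation before submitting a profile, shown as an added example rather than BotHunter's own sharing code: replace internal addresses with a keyed pseudonym so the repository can still see that the same victim appears in several events, while the real address cannot be recovered without the operator's key, and leave the external attacker, egg-server and C&C addresses intact because those are the values other defenders need. The profile text format, the key, and the choice of HMAC-SHA256 are assumptions for the illustration.

```python
"""Keyed pseudonymization of internal addresses in a bot profile (added example)."""
import hashlib
import hmac
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Only RFC 1918 space counts as internal here. (Python's ip_address.is_private
# also covers the documentation ranges used below as "external", so it is
# deliberately not used.)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed profile text; the layout is assumed, not BotHunter's real report.
SAMPLE_PROFILE = """\
victim=192.168.1.20 attacker=203.0.113.9 egg=198.51.100.7/bot.exe
cnc=198.51.100.44:6667 victim=192.168.1.20 propagation=192.168.1.21
"""


def is_internal(ip):
    """True for RFC 1918 addresses, False for anything else or for non-addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def pseudonymize(text, key, keep_external=True):
    """Replace every internal IPv4 address in `text` with a stable keyed token.

    The same key maps the same address to the same token, so correlation
    across one operator's reports survives, while a different key (or no
    key) yields unrelated tokens. Returns the rewritten text and the
    address -> token mapping, which the operator keeps private.
    """
    mapping = {}

    def repl(m):
        ip = m.group(0)
        if keep_external and not is_internal(ip):
            return ip
        if ip not in mapping:
            tag = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]
            mapping[ip] = "int-" + tag
        return mapping[ip]

    return IPV4.sub(repl, text), mapping


if __name__ == "__main__":
    # The key is an assumed operator secret; it must never be shared with the repository.
    shared, private_map = pseudonymize(SAMPLE_PROFILE, b"operator-secret")
    print(shared)
```

A plain hash without a key would not be enough: the IPv4 space is small enough that a recipient could hash every private address and reverse the mapping. The HMAC key is what makes the pseudonym one-way for anyone but the operator.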

As with many excellent security tools, BotHunter runs on Linux. If
you're not familiar with Linux, know that it's not so hard to use, so
consider building a system and learning the ins and outs. You'll find
that the OS comes in very handy.

BotHunter requires Fedora, Debian, or SUSE Linux plus a Sun Microsystems
Java Runtime Environment (J2SE 1.4.2 or later); the Java component reads
the alert stream from Snort and performs the correlation. You'll also
need a capable system to run the platform, since Snort must keep up with
your traffic and the correlator holds per-host evidence in memory, so be
sure to use a system with a fast CPU, fast disks, and plenty of RAM. You
might also need other tools, such as VMware, depending on how you plan
to implement a test platform.

You can download the BotHunter source code at the Cyber-TA Web site at
the first URL below, and you can read the extensive white paper about
BotHunter at the second URL below. The white paper explains exactly how
the platform works and details the hardware that's running the honeynet
that the development team is currently using to test BotHunter.

http://list.windowsitpro.com/t?ctl=624C4:4160B336D0B60CB16CC6EEF27401E7B2

http://list.windowsitpro.com/t?ctl=624BF:4160B336D0B60CB16CC6EEF27401E7B2


=== SPONSOR: BeyondTrust =======================================

Eliminate the Achilles Heel of the Desktop - Admin Rights
BeyondTrust enables users without administrative privileges to run
all required applications, processes and ActiveX controls. By removing
the need to grant end users administrative rights, IT departments can
eliminate what is otherwise the Achilles heel of the desktop - end
users with administrative power that can be exploited by malware and
malicious users to change security settings, disable other security
solutions such as anti-virus and more. Free Download!

http://list.windowsitpro.com/t?ctl=624B8:4160B336D0B60CB16CC6EEF27401E7B2


=== SECURITY NEWS AND FEATURES =================================

RSA Expands Security Offerings with Tablus Acquisition
RSA said the acquisition will allow it to add data discovery and
classification, monitoring, and data loss prevention capabilities to
its existing portfolio of solutions.

http://list.windowsitpro.com/t?ctl=624C5:4160B336D0B60CB16CC6EEF27401E7B2

Symantec's New Evidence Collection and Transfer Tools
Symantec announced the release of new connectors for its Enterprise
Vault platform that help automate the collection and transfer of
electronic evidence.

http://list.windowsitpro.com/t?ctl=624C6:4160B336D0B60CB16CC6EEF27401E7B2

Oracle Expands Its Middleware with More Security
Oracle recently launched a beta preview of its Oracle Authentication
Services for Operating Systems, a new component of its Identity
Management offering, which is part of Oracle Fusion Middleware.

http://list.windowsitpro.com/t?ctl=624C7:4160B336D0B60CB16CC6EEF27401E7B2

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at

http://list.windowsitpro.com/t?ctl=624BD:4160B336D0B60CB16CC6EEF27401E7B2


=== SPONSOR: Macrovision =======================================

Gain Control of Software Usage and Reduce Audit Risks
Most organizations face serious challenges, including understanding
vendor licensing models, cost overruns, missed deadlines, business
opportunities, and lost user productivity. Learn to address these
challenges, and prepare for audits. Register for the free Web seminar,
available now!

http://list.windowsitpro.com/t?ctl=624B7:4160B336D0B60CB16CC6EEF27401E7B2


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Cisco and Google Both Inflict DoS Upon
Themselves
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=624CC:4160B336D0B60CB16CC6EEF27401E7B2

In what must be embarrassing moments for Cisco and Google, both
companies managed to inflict Denial of Service (DoS) upon themselves
last week. You can read about those incidents and about how hackers
have cracked AT&T's lock on the new iPhone. Check out the Security
Matters blog on our Web site.

http://list.windowsitpro.com/t?ctl=624BA:4160B336D0B60CB16CC6EEF27401E7B2

FAQ: How to List a User's SMTP Email Addresses
by John Savill, http://list.windowsitpro.com/t?ctl=624CA:4160B336D0B60CB16CC6EEF27401E7B2


Q: How can I generate a list of all the SMTP mail addresses a user has?

Find the answer at

http://list.windowsitpro.com/t?ctl=624C8:4160B336D0B60CB16CC6EEF27401E7B2

FROM THE FORUM: Object Access Logging
A forum participant wants to know if there's any value in having
auditing turned on for failures for Audit Object Access if there's
nothing turned on at the folder level.

http://list.windowsitpro.com/t?ctl=624B6:4160B336D0B60CB16CC6EEF27401E7B2

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

Zip and Encrypt Outlook Email Attachments
WinZip Computing, a Corel Company, announced the public beta of
WinZip E-Mail Companion 2.0, which lets you compress outgoing email
attachments and, if desired, use advanced AES encryption to protect
them. WinZip E-Mail Companion 2.0 Beta is the follow-up to WinZip
Companion for Outlook 1.0, adding support for Microsoft Outlook
Express, Microsoft Windows Mail (Windows Vista), and Outlook 2007 to
existing support for Outlook 2002 and 2003. WinZip E-Mail Companion 2.0
also includes new compression options, the ability to zip and encrypt
from within Microsoft Office applications, and improved file naming.
For more information or to download the beta, go to

http://list.windowsitpro.com/t?ctl=624CF:4160B336D0B60CB16CC6EEF27401E7B2

PRODUCT EVALUATIONS FROM THE REAL WORLD
Share your product experience with your peers. Have you discovered a
great product that saves you time and money? Do you use something you
wouldn't wish on anyone? Tell the world! If we publish your opinion,
we'll send you a Best Buy gift card! Send information about a product
you use and whether it helps or hinders you to
whatshot@windowsitpro.com.


=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit

http://list.windowsitpro.com/t?ctl=624C9:4160B336D0B60CB16CC6EEF27401E7B2

Getting the Most from DFS
This Web seminar covers DFS: what it is, how it works, the server
and client OS versions that support it, how to configure it, its
limitations, using DFS-N and DFS-R, and how to manage DFS. Learn the
basics and get a quick "how-to" on implementing DFS-N and DFS-R in your
Windows Server 2003 environment. Don't miss this Web seminar.

http://list.windowsitpro.com/t?ctl=624BC:4160B336D0B60CB16CC6EEF27401E7B2

Don't miss Fall Connections 2007, the premier event for Microsoft
developers and DBAs, November 5-8, 2007, in Las Vegas. It will impact
how you build solutions, increase your productivity, and enhance your
development skills to give your company the competitive edge!

http://list.windowsitpro.com/t?ctl=624CD:4160B336D0B60CB16CC6EEF27401E7B2

File fragmentation is a serious problem. As a disk becomes fragmented,
the workload on the OS and hardware increases, making it more difficult
for applications to read and write data. File corruption becomes a
distinct possibility, the computer's performance degrades, and its
reliability is endangered. This white paper looks at the effect of disk
defragmentation on your users.

http://list.windowsitpro.com/t?ctl=624BB:4160B336D0B60CB16CC6EEF27401E7B2


=== FEATURED WHITE PAPER =======================================

KVM over IP in Distributed IT Environments
Keyboard/video/mouse (KVM) switches are a valuable management tool,
but they have weaknesses in distributed environments. This white paper
presents the complexities of managing the distributed data center and
highlights the advantages of using a KVM-over-IP solution for flexible,
scalable, affordable CAT5-based remote access.

http://list.windowsitpro.com/t?ctl=624BE:4160B336D0B60CB16CC6EEF27401E7B2


=== ANNOUNCEMENTS ==============================================

Search Thousands of SQL Articles Online and on CD
A SQL Server Magazine Master CD subscription buys you portable,
lightning-fast access to the entire SQL Server article database on CD,
plus exclusive, up-to-the-minute access to the new articles we publish
on SQLMag.com every day. Order your subscription now!

http://list.windowsitpro.com/t?ctl=624C1:4160B336D0B60CB16CC6EEF27401E7B2

Save 1/2 Off Security Pro VIP
Security Pro VIP is an online resource that delivers new articles
every week to help you defend your network. Subscribers also receive
tips, cautionary advice, direct access to our editors for technical
Q&As, and a host of other benefits! Order now, and save up to 50
percent!

http://list.windowsitpro.com/t?ctl=624C0:4160B336D0B60CB16CC6EEF27401E7B2


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://list.windowsitpro.com/t?ctl=624CB:4160B336D0B60CB16CC6EEF27401E7B2

http://list.windowsitpro.com/t?ctl=624D0:4160B336D0B60CB16CC6EEF27401E7B2

Subscribe to Security UPDATE at

http://list.windowsitpro.com/t?ctl=624C3:4160B336D0B60CB16CC6EEF27401E7B2

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=4160B336D0B60CB16CC6EEF27401E7B2

Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=624CE:4160B336D0B60CB16CC6EEF27401E7B2

About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://list.windowsitpro.com/t?ctl=624C2:4160B336D0B60CB16CC6EEF27401E7B2

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
