Friday, March 2, 2007

How to Enable Processor Based Security

At last PCs running Windows have a security level similar to that used by high performance servers. This technology, known under names that vary from manufacturer to manufacturer, such as NX (No eXecute), EVP (Enhanced Virus Protection), XD (eXecute Disable), or DEP (Data Execution Protection), allows the processor itself to detect when malicious code (such as a virus or a Trojan horse) is attempting to run and automatically blocks it, "drowning" the virus. In this short tutorial we will teach you how to enable this feature.

This technology works by creating separate areas in the computer's RAM for program execution and for data storage. If code in the area set aside for data storage tries to run, the processor treats that as suspicious and prevents the code from executing.

(How to Enable Processor-Based Security - Hardware Secrets)
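To show what this separation looks like from the defender's side, here is an added example (not from the original tutorial or from Hardware Secrets) that audits a process memory map for regions that are both writable and executable, the combination NX/DEP is meant to rule out. It assumes the Linux /proc/<pid>/maps text format and a constructed sample map; on Windows the same audit would walk VirtualQuery results instead.

```python
"""W^X audit of a process memory map (added example, not from the original post).

NX/DEP keeps data pages writable but not executable and code pages executable
but not writable. A region that is both writable and executable (rwx) defeats
that separation, which is why security tooling flags such regions. The parser
below reads the Linux /proc/<pid>/maps format; the Windows equivalent would
iterate VirtualQuery results (assumption: the post itself is about Windows).
"""
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def executable(self) -> bool:
        return "x" in self.perms


def parse_maps(text: str) -> list[Region]:
    """Parse the text of a maps file into Region records; rejects unknown lines."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def find_wx_regions(regions: list[Region]) -> list[Region]:
    """Return every region that violates W^X (writable and executable at once)."""
    return [r for r in regions if r.writable and r.executable]


def audit_self():
    """Audit the running interpreter; returns None where /proc is unavailable."""
    try:
        with open("/proc/self/maps") as f:
            return find_wx_regions(parse_maps(f.read()))
    except OSError:
        return None


# Constructed sample (not a real capture): a normal layout plus one rwx
# anonymous region of the kind injected code or a JIT would create.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234 /usr/bin/example
00401000-00402000 r-xp 00001000 08:01 1234 /usr/bin/example
00402000-00403000 rw-p 00002000 08:01 1234 /usr/bin/example
01000000-01021000 rw-p 00000000 00:00 0 [heap]
7f0000000000-7f0000010000 rwxp 00000000 00:00 0
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for r in find_wx_regions(parse_maps(SAMPLE_MAPS)):
        print(f"W+X region {r.start:#x}-{r.end:#x} ({r.size} bytes) "
              f"{r.path or '<anonymous>'}")
```

Running the script on the sample reports the single anonymous rwx region; audit_self() applies the same check to the live process.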

Delete Hiberfil.sys in Windows XP before defragmenting

If you use Windows XP's Hibernation feature on your laptop, you may want to delete the Hiberfil.sys file from the hard disk before defragmenting. When you put your computer in hibernation, Windows XP writes all memory content to the Hiberfil.sys file before shutting down the system. Then, when you turn your computer back on, the OS uses the Hiberfil.sys file to put everything back into memory, and the computer resumes where it left off. However, Windows XP leaves the Hiberfil.sys file on the hard disk, even though it's no longer needed.

The Hiberfil.sys file, which can be very large, is a special system file that Disk Defragmenter cannot defragment. Therefore, the presence of the Hiberfil.sys file will prevent Disk Defragmenter from performing a thorough defragmenting operation.

Follow these steps to remove the Hiberfil.sys file from the hard disk:

  1. Access the Control Panel and double-click Power Options.
  2. Select the Hibernate tab in the Power Options Properties dialog box.
  3. Clear the Enable Hibernation check box and click OK.

As soon as you clear the check box, Windows XP automatically deletes the Hiberfil.sys file from the hard disk. Once you complete the defrag operation, you can re-enable the Hibernation feature.

Examining a Blue Screen of Death error with the Watchdog Event Log

Troubleshooting Blue Screen of Death (BSoD) errors, or as Microsoft calls them, Stop messages, can be extremely frustrating due to the fact that, by default, Windows XP automatically restarts the computer as soon as a BSoD error occurs. There's not enough time for you to analyze, let alone read, the error code before the message disappears.
You could disable the Automatically Restart option in the Startup And Recovery dialog box, but doing so might lock your system into an unrecoverable error situation. As such, that's not an advisable solution.
Fortunately, Windows XP keeps a special log of all BSoD errors, called a Watchdog Event Log. Unlike a memory dump, whose creation is the result of a BSoD error, a Watchdog Event Log is a straight text file that is easier to read and understand.

Here's how you access a Watchdog Event Log:

  1. Use Windows Explorer to access the C:\Windows\LogFiles\Watchdog folder.
  2. Locate and right-click the most recently dated .WDL file.
  3. Select the Open command from the context menu.
  4. In the Windows dialog box, choose the Select The Program From A List option and click OK.
  5. When you see the Open With dialog box, select Notepad and click OK.

Launch Windows Explorer with administrative privileges on Windows XP Pro

When you're working on a user's computer and need to perform an administrative task from within her Windows XP Pro limited user account, you can use the Run As command to launch certain utilities with administrative account privileges.

However, if you try to use Run As to launch Windows Explorer with administrative privileges, nothing happens. This is because Explorer.exe is already running and only one instance of Explorer can run at a time. More specifically, when you launch Explorer.exe, the first thing it does is check to see if it is already running. When the second instance of Explorer.exe sees that the first instance of Explorer.exe is already running, the second instance of Explorer.exe closes without any outward notification. Here's how you can work around it.

Internet Explorer 6
Internet Explorer 6 will work with Run As and will allow you to tap into Windows Explorer. Here's how:
1. Right-click the Internet Explorer icon in the Quick Launch toolbar and choose Run As. (Keep in mind that you cannot access Run As from the Internet Explorer icon that appears on the desktop or on the Start menu.)
2. Fill in the appropriate administrative account credentials in the Run As dialog box.
3. When Internet Explorer launches, type C:\ in the Address bar.
After you follow these steps, Windows Explorer will appear in the same window, and it will be running with administrative privileges.

Internet Explorer 7
If you're using Internet Explorer 7, the steps for Internet Explorer 6 won't work because, as part of the new security features in version 7, Internet Explorer is no longer integrated with Windows Explorer. You must use the standard method for launching Windows Explorer with administrative privileges. Here's how:
1. Log on to the computer with the Administrator account.
2. Access the Control Panel and launch Folder Options.
3. When you see the Folder Options dialog box, select the View tab.
4. Scroll down the Advanced Settings list and select the Launch Folder Windows In A Separate Process check box, click OK, and then log off.

The next time you work on that user's computer and need to perform an administrative task from within her limited user account, you can use Run As to launch Windows Explorer with administrative privileges.
Note: This tip only applies to Windows XP Professional.

Monday, February 26, 2007

Don't be misled by these Windows Vista myths

1. You’ll have to buy a new, high-end PC to run Vista

Many in the mainstream media are claiming that to run Vista, you’ll almost certainly have to buy a new computer. This myth is undoubtedly being encouraged by hardware vendors, but it’s not true. I was able to install Vista on my existing Dell Dimension mid-priced system with no problems, and the existing video card, an ATI x600, runs Aero Glass.

If your computer is older or a low-end machine, you can still probably install and use Vista but you may not get the Aero Glass interface. Although Glass adds a lot of “wow” factor, it’s not something that’s essential to getting work done. You'll still benefit from Vista’s security enhancements, search functionality, and added features. If you do want the Glass look, you still may not need to buy a new system. Instead, you can add RAM to bring your system up to the 1 GB recommended for Glass and install a new video card that supports it.

Another myth I’ve heard is that only PCI Express (PCIe) video cards support Aero Glass, so if your computer doesn’t have a PCIe slot, you’re out of luck. That’s not true either. Video card vendors have regular PCI cards that will run Glass. I’m running it on a system with a relatively inexpensive GeForce 5200 card with 256 MB of memory in a regular PCI slot.
If you do choose to buy a new PC, you don't need a high-end one that costs thousands of dollars to run Vista. Just a couple of days after the launch, retailers began offering machines preloaded with Vista Home Premium, complete with LCD monitors, for as low as $600.

2. Vista will solve all your security problems

Microsoft is touting Vista’s improved security, but no operating system is perfectly secure (and no OS ever will be). Running Vista doesn’t mean you don’t still need perimeter firewalls, antivirus protection, and other third-party security mechanisms.

Because much of operating system, including its networking technologies, has been redesigned and new code written, Vista is likely to present some vulnerabilities that weren’t in older versions of the OS even as it fixes many that were. This is true of any new software and Vista, despite its focus on security and Microsoft’s best efforts, is no exception.

In fact, Microsoft shipped the first critical security update for Vista over a year ago, when it was still in the beta testing stage. It will be just as important with Vista as with any other operating system to ensure that updates are installed regularly. The danger is that novice users, hearing that Vista is more secure, may let their guard down and fail to take the protective measures necessary to prevent attacks, virus infestations, etc.

3. Vista is no more secure than XP SP2

On the other hand, some of Vista’s detractors have been claiming that the new operating system offers no security advantage at all. I’ve heard computer “experts” on the radio say that Vista is no more secure than Windows XP with Service Pack 2, and an eWeek article last summer went so far as to report that Symantec security researchers were contending that Vista “could harbor a range of vulnerabilities that will make it less secure than previous iterations of Windows.”

It’s true that, properly updated, Windows XP is a pretty secure OS. But Vista includes a number of new security enhancements that XP doesn’t have. For example, User Account Control (UAC) in Vista protects against attacks that rely on elevation of privileges. Internet Explorer 7, when running on Vista, leverages UAC to run in Protected Mode, which keeps Web applications from writing to system folders. IE7 doesn’t run in Protected Mode on XP.

BitLocker drive encryption, available in Vista Enterprise and Ultimate versions, provides a way to keep unauthorized persons from accessing sensitive data on a stolen or lost laptop. The Windows Firewall in Vista allows you to block outgoing traffic as well as incoming. Windows service hardening reduces the potential for damage if one of Windows’ services is compromised. Vista includes the Network Access Protection client, which allows administrators to keep computers that aren’t properly updated or don’t have antivirus, anti-spyware, or a firewall from connecting to company networks.
Those are just a few of the new security improvements included in Vista.

4. You can’t dual boot Vista with another operating system

One of the strangest and most inaccurate statements I heard was that “With Vista, you can’t run two operating systems on the same computer like you could in the past.” That’s news to me, as I’m currently running two computers that dual boot Vista and XP. As with previous versions, a boot menu is displayed when the computer starts, and you can choose either Vista or Previous version of Windows.

5. Most old applications and peripherals won’t work with Vista

Circulating amongst the FUD (fear, uncertainty, and doubt) being spread about Vista is the idea that upgrading will subject you to all kinds of application incompatibilities. Some programs made for XP, especially those that hook into the kernel, like antivirus programs and some system utilities, won’t work with Vista. However, the majority of applications that run on XP will also run on Vista.
In some cases, you may need to install or run older programs in Compatibility mode (right-click the program file, select Properties, and click the Compatibility tab to select compatibility options) and/or run the program as an administrator for it to work properly.
You don’t have to figure out most compatibility issues for yourself. Vista comes with the Program Compatibility Assistant, which can detect what changes need to be made to run a program and resolve conflicts with UAC that may be preventing a program from running correctly. It runs automatically when it detects an older program that has compatibility issues. You can also use the Program Compatibility Wizard, a tool that you run manually from the Control Panel Programs and Features section (in native view).

There have also been many reports about hardware peripherals, especially printers and scanners, that don’t work with Vista. It’s true that some hardware vendors were slow to provide Vista drivers during the Vista beta testing period. By the time Vista launched to the consumer market, though, many hardware drivers were included on the installation DVD and many more will be made available in the next few months.

My older HP OfficeJet G55 had no problems working with Vista, and if you peruse the list of supported printers (Control Panel > Printers > Add A Printer Wizard), you’ll see that Vista supports a large number of printers from HP, IBM, Brother, Canon, Citizen, Dell, Epson, Fujitsu, Konica, Kyocera Mita, Lexmark, Minolta, NEC, Oki, Panasonic, Ricoh, Samsung, Sharp, Sony, Xerox, and other major printer vendors.

6. You have to buy a Premium version of Vista if you have a dual core machine

There was initially some confusion over the specification that Vista Home Editions support only a single processor. Some folks took this to mean that that version of Vista wouldn’t run on dual core machines.
Dual core CPUs do contain two processors—but they’re combined on one chip or die. This is called chip-level multiprocessing and it’s different from having two separate physical processors installed on the same machine. Even though a dual core machine will show the activity of two processors in Windows performance monitoring tools, Microsoft’s definition of “processor” refers to the number of physical CPUs, not the number of cores.

7. You won’t be able to play ripped music in Vista

Have you heard about the horrors of Vista’s DRM (Digital Rights Management)? Some people have implied that it will prevent you from playing any music or movie files unless you download and pay for them online. Others are speculating that even the media you do buy may be blocked.

Interestingly, the people who are spreading this one all seem to be folks who have never used Vista (and, according to many of them, never will). The real story: I have no problem playing music files that were ripped from CDs in Windows Media Player 10 or in Vista’s Windows Media Center application. Yes, I legally own the CDs, but Vista has no way of knowing that. All of the media that I imported from my XP Windows Media Center computer, including recorded TV programs, played without a problem.

Pharming Attack Slams 65 Financial Targets

An Internet based attack aimed at about 65 financial targets in the United States, Europe and Australia was shut down after a two and a half day run. Hackers launched the "pharming" attack on Monday, Feb. 19 and authorities shut it down on Wednesday. (...Read more)

Microsoft starts feeding antipiracy tool to users in 21 countries

Microsoft Corp. has updated its antipiracy software for Windows XP for English speakers, and begun rolling out the optional tools to users in 21 additional countries, including some the company has tagged as centers of counterfeiting. (...Read more)

Wednesday, February 21, 2007

Firefox 3 To Support Offline Apps

An interesting tidbit came out of the recent Foo Camp New Zealand (which unfortunately I wasn’t able to attend). Robert O’Callahan from Mozilla, who is based in NZ but drives the rendering engine of Mozilla/FireFox, spoke about how Firefox 3 will deliver support for offline applications. This is significant because you’ll be able to use your web apps - like Gmail, Google Docs&Spreadsheets, Google Calendar, etc - in the browser even when offline. I deliberately mentioned all Google web apps there, because of course this plays right into Google’s hands.

Although Mozilla is an open source organization, some of its top workers are employed by Google, so it’s a very cozy relationship. We’ve discussed before how Firefox 3 as information broker suits Google very nicely, because the Mountain View company has a number of best of breed web apps - and if it’s not building them, it’s acquiring them.

(Firefox 3 To Support Offline Apps)

Windows Genuine Advantage (WGA) to be upgraded

Microsoft's controversial anti-piracy application, Windows Genuine Advantage (WGA), is to be upgraded next week. The WGA Notifications tool allows Microsoft to see whether or not your copy of Windows and other Microsoft software programs were purchased and installed legally when your PC is connected to the internet.

The WGA programme has caused a storm in some quarters, with many claiming that it is an invasion of privacy.

(Anti-piracy tool to be upgraded - Web User News)

Shockwave Trojan Information and Removal

What is the Shockwave Trojan Virus?

Remember all those warnings you hear about never opening an .exe attachment? This virus is why those warnings exist. Discovered on November 30, 2000, this virus arrives in an e-mail with the subject "A great Shockwave flash movie" and the attachment "CREATIVE.EXE". Using Outlook, the trojan sends itself as an attachment to every address listed in the infected user's address book. This Trojan also renames all JPG and ZIP files and moves them to the C:\ root directory. Because Shockwave is a standard format for animation, most people will just think it's a "cute" file and open it... then the trouble starts.

How to Clean/Delete the Shockwave Trojan?

Delete the Creative.exe file from the Windows Startup folder and restart the computer. Then use the file C:\MESSAGEFORU.TXT to manually move and rename the JPG and ZIP files that the virus changed. The virus appends the text "change atleast now to LINUX" to each filename; for example, "XXXX.ZIP" becomes "XXXX.ZIPchange atleast now to LINUX". C:\MESSAGEFORU.TXT logs the original location of every moved file, so it can be used to restore them.

When viewed, the file C:\MESSAGEFORU.TXT contains the following text:
Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin

Sunday, February 18, 2007

How to Remove BlazeFind (BlazeFind Removal)

BlazeFind is spyware implemented as an Internet Explorer Browser Helper Object. This program redirects browser search requests to its controlling server and displays popup advertisements on your computer. It may also slow down the performance of Internet Explorer.

Follow these removal steps to remove this spyware from your computer:

1. Reboot the computer to Safe Mode (Press F8 when Windows starts).
2. Open a DOS command prompt window (Start > Run, type 'cmd' on Windows NT/2000/XP or 'command' on Windows 95/98/Me) and enter the following commands,...

(Remove BlazeFind - Adware & Spyware Removal Instructions)

Firefox Flaw Could Let Attackers Change Cookies

A bug was recently uncovered in Firefox that could allow a malicious Web site to appear authentic. The bug affects the way Firefox handles writing to the "location.hostname" DOM property, according to a posting by security researcher Michal Zalewski on the security mailing list Full Disclosure. The vulnerability could potentially allow a malicious Web site to manipulate the authentication cookies for a third-party Web site.

By bypassing same-origin policy, attackers can possibly tamper with the way these sites are displayed or how they work. For users, this means the bug could allow for the browser to appear as if the user were connecting to a bank, when in fact the user would instead be receiving data from an attacker.

(Firefox Flaw Could Let Attackers Change Cookies)

Monday, February 12, 2007

Storm Worm DDoS Attack

A number of antispam websites came under a distributed denial of service attack on January 12, 2007. The trojan responsible for the attack was one of several dropped onto systems infected by a seeding of the email virus which later came to be called "Storm Worm", also known as W32/Small.DAM and Trojan.Peacomm. Researching further back in time, we find that variants of the same malware family were released in similar fashion in November, December and early January. Many AV companies labeled the previous variant "Win32/Nuwar".

When Storm Worm runs, it attempts to link up with other infected hosts via peer-to-peer networking. Through this conduit it gets a URL which points to a second-stage executable, which in turn downloads additional stages onto the infected system.

(Storm Worm DDoS Attack - Research - SecureWorks)
Linked by shanmuga Saturday, 10th February 2007 9:41AM

Saturday, February 10, 2007

10 tips for troubleshooting slowdowns in small business networks

Network congestion and slowdowns--whether caused by faulty hardware, negligent users, viruses or spyware applications gone wild, or other factors--lead to serious headaches for network administrators and support personnel. By keeping a wary eye tuned for the following 10 items, IT professionals can help prevent the most common causes of network slowdowns.

#1: Bad NICs
Intermittent network errors, particularly those isolated to a specific workstation or server, can often be traced to a failing network interface card. When you believe a network adapter may be failing, visually inspect the card's LED link lights.
A solid green (or amber) LED indicates the NIC has a good active physical connection with another network device, such as a network switch or router (blinking LEDs typically indicate the NIC possesses an active connection and is processing network traffic). If the LED is not lit green, it's likely the network adapter is disabled within Windows or doesn't have an active connection to the network. It's also possible the cable plugged into the NIC is connected to a nonfunctioning wall-jack or faulty network port.
If you can rule out nonfunctioning wall-jacks and faulty network ports (the easiest method of doing so is to connect the same network connection to a laptop known to have a properly functioning network adapter), and if the network adapter is properly enabled and configured in Windows, it's likely the NIC is bad and requires replacement.

#2: Failing switches/routers
Many network slowdowns are foreshadowed by strange occurrences. For example, regular Web traffic may work properly, but e-mail may stop functioning. Or, regular Web traffic may work properly but attempts to connect to any secure (HTTPS) sites may fail. In other cases, Internet access simply ceases across the board.
Often the best remedy for inconsistent network outages and/or slowdowns is to reboot or power cycle the network's routers/switches. If local network connectivity exists (if users can view and access network shares) but they are not receiving e-mail from external users or cannot access the Internet, rebooting or power cycling the WAN modem can often return the network to proper operation.
If you're having to reboot or power cycle a piece of network equipment consistently, make sure that it's connected to a quality uninterruptible power supply. Power fluctuations often result in confused switches and routers. If a network device is connected to a good UPS and still frequently experiences trouble, it may be necessary to replace the failing switch, router, or modem.

#3: Daisy chaining
As organizations grow, particularly small businesses, outside IT contractors often implement simple solutions. Many consultants choose to simply add a five-port router to an existing four-port router/firewall. Small businesses everywhere boast just such a setup.
However, as switches are added to a network, data packets must navigate additional hops to reach their destination. Each hop complicates network routing. Depending upon the amount of traffic a network must support--and even a small dentist's or doctor's office can easily stress 10/100 Mbps systems due to X-ray imagery, patient file information, and other data--the addition of an extra hop or two can spell the difference between a smooth running network and one that frequently slows employee productivity to unacceptable levels.
Resist the urge to daisy chain multiple network switches and routers. Instead, plan for capacity. Or if unforeseen growth has resulted in successive connected switches, eliminate as many devices as possible through consolidation to a more potent and scalable unit.

#4: NetBIOS conflicts
NetBIOS, still in use on many Windows NT 4.0 networks in particular, contains many built-in processes to catch and manage conflicts. Occasionally, however, those processes don't handle conflicts properly. The result can be inaccessible file shares, increased network congestion, and even outages.
Guard against NetBIOS conflicts by ensuring older Windows systems all receive the most recent service packs. In some cases, Windows NT 4.0 systems having different service packs will generate telltale NetBT (ID 4320) errors.
Strange network behavior can also occur when two systems are given the same computer name or when two systems both believe they serve the master browser role. Sometimes the error will log itself as Event ID 8003 in a server's system log. Disabling WINS/NetBT name resolution (only if it's not required) can eliminate such issues.
If disabling NetBT is not an option, such errors can often be eliminated by identifying the second system that has the same computer name within the same domain and giving it a new name or by restarting the Netlogon Service on the domain controller. Yet another option for eliminating legacy NetBT issues is to search a system's LMHOSTS file for inaccurate or outdated entries. Some IT professionals claim they've solved similar errors by disabling and re-enabling the NIC on the offending system.

#5: IP conflicts
Windows typically prevents two devices with the same IP address from logging on to the same network (when using DHCP). But occasionally, two systems with the same address wind up on the same network. For example, one system could receive an address automatically, while another computer logs on using a static address specified by a user. When such conflicts occur, network slowdowns result (and the systems sharing the same address frequently experience outages).
Troubleshoot IP address conflicts by ensuring you don't have a rogue DHCP server on the network. Confirm, too, that configured DHCP scopes don't contain overlapping or duplicate entries and that any systems (such as servers and routers) that have been assigned static IP addresses have been excluded from the DHCP pools.
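As an added example (not part of the original article), here is a script that encodes the two checks from this tip: that DHCP scope lease pools do not overlap, and that statically addressed hosts fall outside the pools or inside an exclusion range. The scope and host inventory is constructed for the example and its layout is an assumption, not any DHCP server's export format.

```python
"""DHCP scope sanity check (added example, not from the original article).

Two of the causes of IP conflicts named in tip #5 are overlapping DHCP scopes
and static addresses that were never excluded from a pool. The functions below
test an inventory for both. The Scope record layout is an assumption made for
this example; real data would come from the DHCP server's own export.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Scope:
    """One DHCP scope: the subnet it serves, its lease pool and exclusion ranges."""
    name: str
    network: IPv4Network
    pool_start: IPv4Address
    pool_end: IPv4Address
    exclusions: list[tuple[IPv4Address, IPv4Address]] = field(default_factory=list)

    def leases(self, addr: IPv4Address) -> bool:
        """True if the server could hand out addr from this scope."""
        if not self.pool_start <= addr <= self.pool_end:
            return False
        return not any(lo <= addr <= hi for lo, hi in self.exclusions)


def overlapping_scopes(scopes: list[Scope]) -> list[tuple[str, str]]:
    """Pairs of scope names whose lease pools share at least one address."""
    found = []
    for i, a in enumerate(scopes):
        for b in scopes[i + 1:]:
            if a.pool_start <= b.pool_end and b.pool_start <= a.pool_end:
                found.append((a.name, b.name))
    return found


def pools_outside_network(scopes: list[Scope]) -> list[str]:
    """Scopes whose pool boundaries are not inside the subnet they serve."""
    return [s.name for s in scopes
            if s.pool_start not in s.network or s.pool_end not in s.network]


def unexcluded_statics(scopes: list[Scope], static_hosts: dict) -> list[tuple[str, str]]:
    """(host, scope) pairs where a static address could also be leased by DHCP."""
    found = []
    for host, addr in static_hosts.items():
        for s in scopes:
            if s.leases(addr):
                found.append((host, s.name))
    return found


# Constructed inventory for the example (not real network data).
SCOPES = [
    Scope("Office", ip_network("192.168.10.0/24"),
          ip_address("192.168.10.50"), ip_address("192.168.10.200"),
          exclusions=[(ip_address("192.168.10.100"), ip_address("192.168.10.110"))]),
    # A second scope on the same subnet whose pool overlaps the first one.
    Scope("Lab", ip_network("192.168.10.0/24"),
          ip_address("192.168.10.150"), ip_address("192.168.10.250")),
    Scope("Voice", ip_network("192.168.20.0/24"),
          ip_address("192.168.20.20"), ip_address("192.168.20.254")),
]
STATIC_HOSTS = {
    "fileserver": ip_address("192.168.10.10"),     # below every pool: fine
    "printer": ip_address("192.168.10.105"),       # inside Office pool but excluded: fine
    "router-voice": ip_address("192.168.20.254"),  # inside Voice pool, not excluded
}


def report(scopes=SCOPES, static_hosts=STATIC_HOSTS) -> list[str]:
    """Human-readable findings, one per problem."""
    lines = []
    for a, b in overlapping_scopes(scopes):
        lines.append(f"overlap: scope {a} and scope {b} share addresses")
    for name in pools_outside_network(scopes):
        lines.append(f"misconfigured: pool of scope {name} leaves its subnet")
    for host, scope in unexcluded_statics(scopes, static_hosts):
        lines.append(f"conflict risk: static host {host} is inside pool of scope {scope}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no problems found")
```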

#6: Excessive network-based applications
Occasionally, networks are overrun by the applications they power. For example, a physician's office that uses a Web-based patient and practice application will commonly have every workstation logged on to the program during business hours. Retrieving data from the patient database and consistent monitoring of appointment and scheduling information alone can place stress on even a well-architected network.
Add in the fact that each workstation is likely tuned to e-mail (and many offices are turning to VoIP) and it's easy to see how introducing a few streaming audio/video files to the mix (either in the form of online music services, news videos, or instructional medical presentations and Webinars) can unacceptably slow a 10/100 Mbps network's performance.
Implement policies--and if necessary, hardware-based Web filtering tools--to prevent applications from overwhelming available network bandwidth. Make sure employees understand they're not to stream unnecessary audio and video files. Further, when working with VoIP, be sure adequate data pipes are in place to manage both voice and data traffic.

#7: Spyware infestation
Spyware, the scourge of the last few years, finally appears to be meeting its match in business environments. The development of potent anti-spyware tools, combined with effective end user policies, is reducing the impact of spyware in many organizations. Windows Vista includes Defender, a decent anti-spyware application powered by the popular Giant engine.
However, infestations still occur, particularly on older systems that haven't been properly safeguarded. Implement strong user policies and either gateway-based protection or individual client applications to prevent spyware programs from consuming precious network bandwidth.

#8: Virus infestation
Just as spyware is proving containable within business environments, so too are viruses. That said, despite an administrator's best efforts--including firewall deployment, routine and consistent Windows patching, and the use of regularly updated antivirus programs--viruses do get through. The result can bring a network to a standstill.
For example, many viruses place Trojan programs on Windows systems, where they can wreak havoc. In addition to leveraging a system's ability to send e-mail to forward hundreds (if not thousands) of spam messages an hour, viruses can corrupt network configuration.
Defend against virus threats to network performance by ensuring firewalls, Windows updates, and antivirus programs are properly configured and maintained.

#9: Insufficient bandwidth
Sometimes, a network just doesn't have the throughput it requires. As with #6--excessive network-based applications--some environments demand more bandwidth than others.
When a network does bog down, several options typically exist for increasing capacity. Besides boosting up- and downstream speeds, some offices may require additional dedicated connections. From multiple T1s to DS3s to even optical carrier-grade connectivity, many potential solutions exist.
Further, some organizations may need to upgrade existing 10/100 Mbps networks to gigabit speeds. By upgrading NICs, cabling, and devices to 10/100/1000 Mbps equipment--and replacing any remaining hubs with switches--many firms can realize significant capacity gains. In other cases, it may be necessary to subnet networks to localize particularly intense traffic to specific network segments.

#10: DNS errors
DNS configuration errors can lead to numerous network failures and generalized slow performance. When no DNS server is available on a local LAN, local systems may have trouble finding one another or accessing local resources because they'll have trouble finding service locator records that assist Windows systems in communicating with Active Directory. Worse, systems with no local DNS server or those workstations having DNS servers several hops away may experience delays or flat outages in accessing Web sites and extranets.
Try placing DNS servers as close to network systems as possible. Although adding DNS services to existing servers places greater demand on those boxes, properly configured machines can remain secure and noticeably enhance response times to external resources.
Also, always check to ensure systems are configured to use the proper DNS servers. Network architectures change over time, yet older workstations (particularly those set to use static addressing) occasionally are forgotten and continue operating using outdated DNS settings. As your organization and ISP update DNS systems, be sure workstations and other routing equipment actually receive the updates.

Thursday, February 8, 2007

The frustration of bot fighters

This last week I was among those at the "secretive conference" of security folks, ISPs and law enforcement agents to discuss bots. Much like at last year's VB conference, there was much discussion about the need for more cooperation and information sharing between bot fighters. Not just within the three groups but within each of the individual disciplines. People within all of the three groups were clear that none of us have all the pieces of the puzzle, and that in order for us to truly make a dent in the growth of bots and botnets, we need to share more of our information with each other. There has been much made of turf wars within the bot herder community, but the more notable thing in terms of fighting these bots is actually how much they’re cooperating. We know they’ve been pooling resources to code their bots, but apparently they’re also sharing botnet resources quite widely (for instance, to take down a particularly robust website that they wish to attack).

(Computer Security Research - McAfee Avert Labs Blog)

Storm Worm Hits Computers Around the World

Computer virus writers started to use raging European storms on Friday to attack thousands of computers in an unusual real-time assault, the head of research at Finnish data security firm F-Secure told Reuters. The virus, which the company named "Storm Worm," is sent to hundreds of thousands of email addresses globally, with the email's subject line saying "230 dead as storm batters Europe." The attached file contains the so-called malware that can infiltrate computer systems. Storm Worm Hits Computers Around the World - News and Analysis by PC Magazine

Saturday, February 3, 2007

Myth #6: A wireless IDS is unnecessary if other rogue AP

While exposing the myth about the prevention of rogue APs could be a blow to wireless IDS vendors, there is another common Wi-Fi myth that has been having the opposite effect. Many networking professionals are under the mistaken impression that a wireless IDS is unnecessary if other rogue AP prevention measures are in place.

It’s easy to understand why the average network administrator might be hesitant to get behind a wireless IDS. They are very expensive and there’s not a whole heck of a lot of folks out there who actually understand everything that a wireless IDS is doing. Even most of the folks who have invested in a wireless IDS only did so because they need to prevent rogue access points.

The reality is that there’s a whole other area of troubleshooting and Wi-Fi optimization features that make wireless IDS products a valuable addition to most networks. Some of today’s wireless IDS offerings do location tracking, remote packet captures, and analysis of RF interference levels.

When you think about it, these other wireless IDS features are much more likely to make a networking person’s job easier than the ability to neutralize rogue APs. Instead of having to send field technicians out to every location that has a problem, a wireless IDS allows the experts that own your network to troubleshoot the wireless medium from a centralized location.

One more thing to think about is the fact that so many Wi-Fi users are new to the technology. New users are often reluctant to report problems or call the support team. A wireless IDS may be the best way to find out if some area of a facility is likely to be unsuitable for time-sensitive applications like VOIP or video conferencing.

This myth about the ways to use a wireless IDS really has more to do with the performance of the network than the security of the network. Let’s look at three more myths that really touch on the performance of Wi-Fi networks.

Friday, February 2, 2007

Myth #5: You need a wireless IDS to prevent rogue access

The previous Wi-Fi myth was a chance to examine a well-known relationship of safety and security: The more secure something gets, the less accessible it becomes to the folks who need to use it. There is another, more fascinating dichotomy as it pertains to technological advances in safety and security: As any entity becomes safer or more secure, the advance of technology will continue to create new ways to push the limits of this new security.

Take the security of automobiles. With airbags, crumple zones, and enhanced braking technology, cars and trucks are safer than ever. But as these safety enhancements have been introduced, more and more cars are capable of faster and more dangerous speeds due to ever-improving engine, cooling, and suspension technology.

In the world of Wi-Fi, things are no different. As Wi-Fi security has evolved from WEP to WPA and WPA2, people have become more and more comfortable buying Wi-Fi access points and station devices. With this boom in the number of wireless devices, network administrators have been forced to deal with the ever-increasing threat of rogue devices being attached to the network.

While the number of potential rogue access points has surely risen, the potential for intrusion has long been present. Many companies have introduced wireless intrusion detection systems (wireless IDS) as a way to counteract such intrusions. A wireless IDS can identify, locate, and even contain rogue access points. Over the last several years, many wireless IDS vendors have touted their products as essential tools for counteracting the threat of rogues.

There’s little question that a wireless IDS will help prevent rogue access points, but the question has to be asked: Is a wireless IDS the best tool for preventing rogue access points? The answer is a clear, “No.”

A wise man once said, “To thwart thy enemy, one must first know thy enemy.” (Actually, we’re not sure if anyone said that, but it sounds great, though.) Knowing rogue access points means knowing exactly what type of threat they pose to a network. A rogue access point is a threat because it could allow unauthorized users to gain access to network resources through a wireless link. Since a rogue AP is not managed by the network administrator, the authentication and encryption quality being used on a rogue AP cannot be verified. Without the guarantee of strong authentication and encryption, an intruder could use any number of means to gain network access from outside the walls of the organization.

In understanding the nature of rogue access points, two important principles come to light: they must be identified separately from any authorized APs in the area, and they must be blocked from network access.

A wireless IDS does a superb job of identifying 802.11a/b/g rogue APs. If an ACL is configured on the wireless IDS, the network administrator will receive an alarm every time an unauthorized device is nearby.

Unfortunately, a wireless IDS does a much less impressive job of identifying non-802.11a/b/g rogue APs. If someone plugs in a legacy AP that was based on 900 MHz and/or FHSS technology, that device will remain undetected. The same applies for certain newer non-802.11a/b/g APs like those based on Bluetooth and MIMO technology. Some newer wireless IDS vendors now offer products that can identify some of these non-standard APs, but comprehensive AP identification is virtually impossible.

A wireless IDS also does a less-than-superb job of blocking rogue APs from gaining network access. Almost every wireless IDS vendor offers some method of rogue AP suppression. Some vendors send a wireless DoS to the rogue AP and its associated stations. This technique is weak because a Wi-Fi adapter can have its drivers manipulated to ignore the de-authentication or disassociation frames that are used to cause the DoS. Other vendors shut down the wired port that the rogue AP is plugged in to. The weakness of this technique is that a rogue AP configured with encryption and authentication (yes, even WEP) will not allow the wireless IDS to send the message onto the wired side of the network so that the correct port can be identified.

Really, the problem with using a wireless IDS to prevent rogue APs begins and ends with the nature of the system itself. A wireless IDS is designed to be an overlay to a network. Heck, that’s part of its allure. You know: Installing the wireless IDS where Wi-Fi is not allowed. The best way to stop rogue APs is going to be something that is integrated with the network. It has to be something that allows a network manager to block access on every network port. Wired 802.1X authentication is the perfect solution for blocking access on every network port.

When wired 802.1X is enabled, network access is denied until a device authenticates as an 802.1X supplicant. This is even more effective than using MAC address authentication for a couple of reasons. First of all, if you’re using 802.1X for your wireless users then you can use the same infrastructure that may already be in place. Secondly, 802.1X authentications generally include the negotiation of an encryption key. When encryption is used, MAC address spoofing becomes impossible because the intruder will not have the correct encryption key.

The myth that a wireless IDS is the best way to prevent rogue access points has benefited wireless IDS vendors for quite some time. Numerous students who attend our classes enter class with the idea that they need a wireless IDS to stop rogue APs, but by the end of the week, they usually see that wired 802.1X and wired MAC authentication are both more comprehensive methods.

Wednesday, January 31, 2007

Myth #4: Disabling the SSID broadcast will hide your

We’ve made it through a darn good portion of this paper without relying on analogies. As anyone who’s taken our classes knows, though, we love them. They tend to lighten up class a bit, and they let us talk about topics that we really know something about: movies and sports cars. We know you’re not exactly in a class right now, but let’s tackle our fourth myth by starting with an analogy of a really good Western movie.

Imagine your local bank. Imagine that Butch Cassidy and The Sundance Kid live nearby. Your bank clearly needs security, but it also needs to stay open to customers. Let’s now imagine that instead of installing a safe, some locks, and thick steel bars between the tellers and customers, you decide to simply take down the sign advertising the name of your bank. Your bank has now performed the financial equivalent of disabling the SSID broadcast.

Disabling the SSID broadcast has been touted by a number of network security professionals because the SSID will stay hidden from Wi-Fi client software. When users want to connect, they must manually configure the SSID (and accompanying security settings). Since hackers and wardrivers won’t know the SSID, they won’t be able to connect, right? Not exactly.

Forcing users to configure the SSID offers minimal security to a wireless network. As in our Wild West banking analogy, network intruders can see that a Wi-Fi network is there. Just as Butch and Sundance would have been able to identify the bank by watching the clientele that entered, wardrivers can identify the SSID by capturing frames with applications like Wildpackets Omnipeek when authorized users connect.

When stations are connected to the network, they are constantly looking for other APs with the same SSID. They must do that to enable roaming. When APs respond to these probing stations, the SSID is sent as clear, viewable text whether encryption is being used or not.

Now, it should be pointed out that your SSID will stay hidden as long as the network remains unused. For an AP to respond with the SSID in clear text, a station must probe the AP using the correct SSID. But think about it: how often is your network in use? If your network is like most enterprise Wi-Fi networks, it’s in use darn near all day. That means attackers have the ability to uncover your hidden SSID in a matter of seconds whenever they darn well please.
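The two points made in this post and in Myth #5 above can be seen in working code. The following is an added example, not code from the original posts or from any wireless IDS vendor: a minimal Python parser for 802.11 management frames run over constructed sample frames. It shows that an AP with SSID broadcast disabled still reveals its name in probe requests and probe responses, and how an authorized-BSSID list (the wireless IDS "ACL" from Myth #5) turns the same beacons into rogue-AP alarms. The MAC addresses, SSIDs and frame contents are constructed test values; only the SSID element (ID 0) is parsed.

```python
BEACON, PROBE_REQ, PROBE_RESP = 0x80, 0x40, 0x50  # subtype in frame-control byte 0
HDR_LEN = 24    # frame control(2) + duration(2) + addr1/addr2/addr3(18) + seq ctl(2)
FIXED_LEN = 12  # beacon/probe response only: timestamp(8) + interval(2) + capability(2)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (subtype, bssid, ssid) for a management frame, or None.
    ssid is None when the SSID element is absent or zero-length (hidden SSID)."""
    if len(frame) < HDR_LEN or frame[0] & 0x0C:   # type bits must be 00 = management
        return None
    subtype = frame[0] & 0xF0
    bssid = mac(frame[16:22])                     # addr3 carries the BSSID
    off = HDR_LEN + (FIXED_LEN if subtype in (BEACON, PROBE_RESP) else 0)
    ssid = None
    while off + 2 <= len(frame):                  # walk the tagged parameters
        tag, ln = frame[off], frame[off + 1]
        if off + 2 + ln > len(frame):
            break                                 # truncated element: stop rather than over-read
        if tag == 0 and ln:                       # element ID 0 = SSID
            ssid = frame[off + 2:off + 2 + ln].decode("utf-8", "replace")
        off += 2 + ln
    return subtype, bssid, ssid

def build(subtype, src, bssid, ssid):
    """Constructed test frame (not a real capture) carrying only an SSID element."""
    hdr = bytes([subtype, 0, 0, 0]) + b"\xff" * 6 + src + bssid + b"\x00\x00"
    fixed = b"\x00" * FIXED_LEN if subtype in (BEACON, PROBE_RESP) else b""
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()

def audit(frames, authorized):
    """Map each AP BSSID to the SSID learned from any of its frames and list
    BSSIDs missing from the authorized set (the wireless IDS ACL)."""
    seen = {}
    for f in frames:
        p = parse_mgmt(f)
        if p and p[0] in (BEACON, PROBE_RESP):
            seen[p[1]] = p[2] or seen.get(p[1])
    return seen, sorted(b for b in seen if b not in authorized)

# Constructed sample: two authorized APs, one station, one unknown AP.
AP_A, AP_B = bytes.fromhex("001122aabb01"), bytes.fromhex("001122aabb02")
ROGUE, STA = bytes.fromhex("deadbeef0001"), bytes.fromhex("0a0b0c0d0e0f")
AUTHORIZED = {mac(AP_A), mac(AP_B)}
FRAMES = [
    build(BEACON, AP_A, AP_A, ""),                  # SSID broadcast disabled: empty element
    build(PROBE_REQ, STA, b"\xff" * 6, "CorpNet"),  # station probing for the hidden network
    build(PROBE_RESP, AP_A, AP_A, "CorpNet"),       # AP answers: the SSID is now in the clear
    build(BEACON, AP_B, AP_B, "CorpNet"),
    build(BEACON, ROGUE, ROGUE, "linksys"),         # not on the ACL: should raise an alarm
]
```

Calling audit(FRAMES, AUTHORIZED) resolves 00:11:22:aa:bb:01 to CorpNet even though its beacon carried no name, and reports de:ad:be:ef:00:01 as unauthorized.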

In the end, what you’ve got is a security method that gives you no real protection against malicious intruders, but causes your novice Wi-Fi users to have a tougher time getting connected. Why put your users (and the support team) through all of that? Once you consider the good and bad of leaving the SSID broadcast enabled, you’ll probably find that it’s summarized best by paraphrasing Butch Cassidy’s thoughts from the first scene in the movie: “It’s a small price to pay for manageability.”