Category: Product

With the recent leaps in cryptanalysis tools that can even crack enterprise grade wireless LANs that use dynamically rotating WEP keys, the encryption bar has been raised to a minimum of TKIP or preferably AES. In order to run these newer encryption algorithms, hardware and software must be certified to a minimum of WPA or the newest WPA2 standard. Unfortunately, performing the upgrade is easier said than done especially if firmwares, drivers, and configuration changes have to be replicated across hundreds or even thousands of clients. While it doesn’t address all of these issues, Windows 2003 Service Pack 1 at least makes the last piece (configuration changes) relatively simple and is a huge step forward for any business grade wireless LAN.

While the original version of Windows 2003 Server already made substantial strides in easing the pain of a large secure wireless LAN deployment, its major weakness was that it couldn’t deal with WPA capable networks. SP1 addresses these weaknesses and really makes it easy to deploy a large secure a wireless LAN. The following summarizes the original feature set of Windows 2003 server and the enhancements of SP1.

Windows 2003 added PEAP authentication capability to its IAS (Internet Authentication Service) RADIUS component. This meant that client side certificates were no longer needed for TLS encrypted authentication which makes it possible to only use a server side Digital Certificate to support thousands of clients who don’t have Digital Certificates. By using the TLS tunnel to secure the password exchange, dictionary attacks on the popular LEAP authentication protocol could be avoided altogether.

The built-in Windows XP WZC (Wireless Zero Configuration) client could now be centrally managed via Windows 2003 Server using Active Directory Group Policy configuration. This meant that every single client computer on a corporate network could be centrally configured to connect to a secure wireless LAN in minutes. Since WPA was only starting to appear at the time Windows 2003 was being released, the policy configuration could only work for 802.1x/PEAP dynamic WEP based wireless LANs. WPA using TKIP or AES encryption was not supported and had to be manually configured from the client side which made it very difficult to deploy.

Fast reconnect for EAP authentication support was added to IAS. Note that this can cause problems with some Access Point manufacturers that don’t deal well with fast reconnect.

Active Directory Group Policy can now configure WPA TKIP or AES encryption settings. Any Windows XP SP1 (with WPA patch) or Windows XP SP2 client machine could now be centrally configured to connect to a TKIP or AES encrypted wireless LAN.

Clients (Windows XP SP2 only) can now also be locked down to a narrow set of administrator approved Digital Certificates and Certificate Signing Authorities. In the past, there was a potential for unsuspecting users to fall victim to man-in-the-middle attacks if an attacker could coax a user into trusting a rogue Access Point which used a fake RADIUS Authentication Server with an alternate Digital Certificate and Signing Authority. The importance of central management cannot be overstressed. This isn’t just a convenience issue but a security issue as well.

http://blogs.zdnet.com/Ou/index.php?p=47

Called protexIP/OnDemand, the Internet-based service helps developers more quickly deal with compliance requirements related to intellectual property, which typically stem from things such as customer procurement, outsourced project validations, and internal compliance programs.

“Increasingly, businesses are being required to provide evidence that they are managing the origins of their software intellectual property. Consequently, development teams are being called on for in-depth compliance validations in support of specific business transactions,” said Doug Levin, Black Duck’s CEO.

The company has had approximately a dozen beta testers of the product over the past few months, including Kayak.com, which is in the business of providing objective travel information through its simultaneous search of almost 100 travel sites.

“Open source software has gained a strong foothold in the lower levels of the software stack and is likely to have a greater impact higher up in the software stack in the future. Organizations would be wise to gain a better understanding of open source license and intellectual property to comply with various licensing obligations,” said Dan Kusnetzky, program vice president at IDC’s System Software, Enterprise Computing Group.

Typically, developers are asked to manually analyze code line by line to validate its origins, with management and legal counsel often working in concert with them to evaluate those results and assure compliance.

An online service such as protexIP/On Demand, however, serves to automate that review process, thereby producing more accurate results, company officials contend.

The product uses Black Duck’s Code Print technology and open source Knowledgebase to identify thousands of open source programs that might have been inserted into the source code. After it identifies the code, the service can identify the license associated with the inserted code by polling its database of hundreds of different license types.

http://www.itworldcanada.com/Pages/Docbase/ViewArticle.aspx?id=idgml-4de06927-3389-4cde

The first product from the Aeon project, which is being tested with a handful of clients in the financial industry, was expected to be released in April but has been pushed back until June, one industry executive said. With Aeon, Cisco is expected to compete with a number of smaller companies already in the field that build devices designed to speed up XML or process Web services security protocols.

http://www.zdnet.com.au/news/business/0,39023166,39186268,00.htm

The new Monitored and Managed IPS Service includes support for an extensive list of network-based IPS technologies available, including ISS, Juniper Networks, Tipping Point, McAfee, and Cisco, as well as its own Symantec Network Security 7100 Series appliances. This new offering reinforces Symantec’s commitment to providing customers with vendor choice and flexibility for their network environment.

Current Perspective: Positive on Symantec’s expansion of its MSS services, because the company continues to embrace its vendor agnostic approach to managed security services, while also addressing clients’ need for flexibility. Additionally, the enhanced offering resonates with a stronger sales message that can be pitched to a broader audience.

Vendor Importance: Moderate to Symantec, because the company expands its support for additional IPS technologies, providing some differentiation in the market compared to competitors that are slow in expanding support for Symantec’s IPS product.

Market Impact: Moderate on the managed security market, as the announcement will primarily impact competitors such as ISS, which offer their own IPS products and are not seen as vendor-agnostic.

In addition to providing added flexibility for clients and the ability for clients to upgrade to preventative (proactive) offerings from intrusion detection services (IDS) vendors (reactive), the announcement offers proof of Symantec’s commitment to delivering vendor-neutral offerings with its managed security solutions. The enhancements will primarily impact those competitors with their own branded offerings and are often cited with promoting their own brand of products over competitor’s offerings such as ISS, which may be better suited for a specific enterprises needs and budgets.

The impact on competitors in the managed security market will be moderate, as many have taken steps to move to a vendor-neutral platform themselves, recognizing the benefit of offering clients a wider array of technologies.

Symantec is not the only managed security provider that touts vendor-agnostic support for multiple technologies, as competitors such as IBM, VeriSign, Counterpane, and RedSiren (Getronics) have marketed a similar messages to attract a larger enterprise audience.

http://www.csoonline.com/analyst/report3455.html

RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don’t attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!

The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer’s scan by using its executable name. We’ve therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version’s behavior.

The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.

There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits are ones associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits, for example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. W

Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures.

It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer’s reads of Registry hive data or file system data and changing the contents of the data such that the rootkit’s Registry data or files are not present. The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.

There are also antivirus products, such as Kaspersky Antivirus, that use rootkit techniques to hide data they store in NTFS alternate data streams. RootkitRevealer should never report this discrepancy since it uses mechanisms that allow it to access any file, directory, or registry key on a system.

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

IBM announced the release of FairUCE, or “Fair use of Unsolicited Commercial Email” for the company’s alphaWorks advanced technology program, citing a newly released IBM survey that found spam is 76 percent of all e-mail and may cost U.S. companies US$17 billion to fight this year.

The technology uses identity management features to link inbound e-mail back to its original IP (Internet Protocol) address, establishing a connection between an e-mail message, the Internet domain and the computer from which the e-mail was sent, IBM said.

AlphaWorks is a program that distributes technological innovations to developers around the world who sign on as “early adopters” of technology developed by IBM’s global research labs.

FairUCE will allow alphaWorks software developers and third party vendors to build more effective spam filtering technology, IBM said. IBM researchers acknowledge that FairUCE is not a fully-blown antispam product, only an early version of technology that could one day be used in the marketplace. “We’d like to see whether early adopters consider the technology an innovative approach to handling a massive problem,” said Mark Goubert, manager of alphaWorks. “We want to find out how innovators and early adopters would use it in their environments and get their feedback.”

The solution allows IBM to spot messages from compromised, or “zombie” computers, as well as legitimate e-mail servers, IBM said. Other logic built into the technology allows FairUCE to weed out good and bad IP addresses from large Internet service providers like Yahoo Inc., so that not all mail from those domains is blocked. [Editors note: Similar to Symantec Appliance solution.]

Recent data from e-mail security company CipherTrust Inc. suggests that e-mail “bad senders” frequently use new IP addresses, which may not be listed in databases of known spammers. The company’s Security Intelligence Services found that one of every 1.3 e-mail messages was spam, and that one of every 46 e-mail messages carried a virus, Trojan horse program or other malicious content, the company said.

Lost productivity from workers who must sort through the reams of spam e-mail, inconveniences caused by legitimate mail that is incorrectly labeled as spam and blocked and calls to corporate help desks are major sources of spam related expenses, IBM said.

http://www.itworldcanada.com/Pages/Docbase/ViewArticle.aspx?id=idgml-122926e1-050e-43f4