AOH :: ISN-3186.HTM

The Onion Router Downside

The Onion Router Downside
The Onion Router Downside


Security Measurement is Vital to Program Success 

Making the Case for E-mail Archiving and Litigation Readiness 

The Starter PKI Program 

=== CONTENTS ==================================================
IN FOCUS: The Onion Router Downside

   - Microsoft Releases WPA2 Support, Modifies Wi-Fi Client Behavior
   - Zero-Day Vulnerability in PowerPoint
   - Microsoft Re-releases Security Bulletin for Windows 2000
   - McAfee Acquires Onigma, Introduces Data Loss Prevention Solution
   - Recent Security Vulnerabilities

   - Security Matters Blog: Bitter News for VM Users, There's a Rootkit 
Made Just for You
   - FAQ: Command Lists All Members of an AD Group 
   - From the Forum: Making the C Drive Invisible Yet Readable
   - Know Your IT Security Contest
   - Make Your Mark on the IT Community!

   - Comprehensive Protection for Endpoints at Work and at Home
   - Wanted: Your Reviews of Products 




=== SPONSOR: Solutionary ======================================
Security Measurement is Vital to Program Success
   Security managers face challenges technically and organizationally 
in gaining program support and focus. Effective security measurement 
can help ingrain the issue into the performance management process and 
culture of the organization. Read this white paper. 

=== IN FOCUS: The Onion Router Downside =======================   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Two weeks ago, I wrote about a portable Web browser, Torpark, that's 
designed to keep you relatively anonymous as you browse. Torpark is 
based on the Mozilla Firefox source code, and you might recall that one 
of the big advantages of using Torpark is that it comes with The Onion 
Router (Tor) built in. So you don't need to install and configure that 
separately. If you missed that editorial, you can read it at the URL 

Tor is a client and server SOCKS-based proxy that's designed to route 
traffic through a series of anonymous servers, the number of which 
varies depending on how you configure the Tor client. Anyone can run a 
Tor client or server without having to reveal anything to the outside 
world except an IP address, and that address is made known only to the 
first Tor server your traffic passes through.

Traffic is encrypted by Tor along the route, and Tor routers know only 
about the hops of the routers immediately before and after them. Tor 
handles its own traffic encryption, so in theory, Tor server operators 
shouldn't be able to snoop on the contents of your network traffic. 

The exception is the Tor server operator of the exit router--the last 
hop along your traffic's route through Tor servers. Other servers on 
the Internet don't understand Tor encryption, so obviously they can't 
receive and process traffic that originates from a Tor network. 
Therefore the traffic must be decrypted before being passed on to its 
final destination. And therein resides Tor's inherent weakness. You 
must trust an unknown Tor server operator to not snoop on your traffic 
as it exits the Tor network. Inevitably, some Tor server operators do 
snoop on traffic. That's why I said that Tor provides "relative" 
anonymity. It protects your actual IP address but not the nature of 
what you're doing on the Internet. 

Anyone that can see your Internet traffic can also manipulate it. This 
certainly holds true for Tor exit server operators. This presents 
another danger of using Tor. In one of many possible scenarios, someone 
could monitor for traffic destined for port 80, typically used for Web 
traffic, and then manipulate Web pages, cookies, headers, and so on in 
just about any way you can image. Now someone has proven just how easy 
it is to use this weakness to discover your real IP address, which in 
effect destroys your anonymity and thus defeats the purpose of using 

"Practical Onion Hacking, Finding the real address of Tor clients" (at 
the URL below), is a white paper produced by the FortConsult Security 
Research Team and published on the Packet Storm Security Web site. The 
paper shows, step by step, how the researchers were able to use readily 
available scripts and software packages to inject a "Web bug" into Web 
traffic. The Web bug is a typical cookie designed and used in 
conjunction with browsers that have JavaScript or Adobe Flash enabled. 
When Tor is used directly (i.e., without a go-between, which I'll 
explain in a moment), either of those two technologies will reveal the 
cookie and thus the real IP address of the user. 

JavaScript code can be written to collect a system's IP address, and 
the address can be placed in a cookie that can be read by a Web server. 
Flash doesn't understand the SOCKS protocol at all, so if a Flash 
object requires network connectivity for whatever reason, it completely 
bypasses the Tor network.

As I suggested earlier, there is a way to eliminate both of these 
weaknesses--by using a standard proxy server as a go-between between 
client applications and the Tor client. One such proxy server is 
Privoxy, which can strip out JavaScript, cookies, and other unwanted 
content. Privoxy understands the SOCKS protocol, so it can be 
configured to send traffic through Tor. With Privoxy as a go-between, 
even Flash would run its connectivity needs through Tor. 

If you're interested in Tor's weaknesses, or even in how easy it is to 
manipulate network traffic, then be sure to read the white paper. 

A note from Mark Minasi: I wanted to pass along some information about 
a show that I'm not speaking at but that looks like a good deal. It's a 
$129, one-day interoperability road show from Penton, the folks who put 
out this newsletter.
   If you're like most folks, "interop" isn't just a buzzword, it's a 
daily headache. If we all used the same operating system, directory 
service, and database engines, then life would be a lot easier, but 
most of us can't. Worse yet, interop info can be hard to come by, 
because no vendor's all that excited about helping you use any products 
but theirs.
   In response to that, Penton's put together a show with four tracks, 
each geared to a solution. One features Dustin Puryear talking about 
making Windows, Linux, and Unix work together. The second offers a day 
of Active Directory expert Gil Kirkpatrick on integrating AD with other 
LDAP directory services. At the same time, database techie Randy Dyess 
explains how to solve data interoperability problems by making 
different databases replicate amongst one another and produce 
integrated reports, as well as how to integrate dissimilar relational 
database engines. Last but not least, popular Windows IT Pro veteran 
author Mike Otey tackles what may be the single best new IT technology 
of the past few years--virtualization. 
   Tech X World is coming to Chicago, Dallas, and San Francisco in the 
next week, and you can find out more at 

=== SPONSOR: Symantec =========================================
Making the Case for E-mail Archiving and Litigation Readiness
   Are your messages easily accessible, yet secure, in the case of an 
e-discovery request? With the phenomenal email volume growth, and 
increasing costs when companies fail to comply, you can't afford to 
lose an email. Download this free whitepaper today and implement a 
strong email retention and management system today! 

=== SECURITY NEWS AND FEATURES ================================
Microsoft Releases WPA2 Support, Modifies Wi-Fi Client Behavior
   Microsoft announced the release of a security update for Windows XP 
SP2 that introduces support for WPA2 and changes the behavior of 
wireless clients to be more secure. 

Zero-Day Vulnerability in PowerPoint
   A zero-day vulnerability has been discovered in Microsoft 
PowerPoint. According to available information, the vulnerability can 
potentially be exploited to execute arbitrary code on an affected 
system if a user opens an infected PowerPoint file. Proof-of-concept 
code has been published to demonstrate the problem. Microsoft is aware 
of the problem and is investigating the matter, however no patch is 
available at this time. 

Microsoft Re-releases Security Bulletin for Windows 2000
   Late last week, Microsoft re-released Security Bulletin MS06-061 
(Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code 
Execution) to correct a problem with the previous update, which didn't 
correctly set the kill bit for Microsoft XML Parser 2.6. 

McAfee Acquires Onigma, Introduces Data Loss Prevention Solution
   McAfee announced that it acquired data protection solutions provider 
Onigma. The acquisition brings McAfee the ability to offer solutions to 
monitor and report on confidential data as well as to prevent its loss. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: Thawte ===========================================
The Starter PKI Program
   Securing multiple domains or host names? Learn how the Starter PKI 
program can save time and reduce costs, and provide you with a multiple 
digital certificate account. 

=== GIVE AND TAKE =============================================
SECURITY MATTERS Blog: Bitter News for VM Users, There's a Rootkit Made 
Just for You
by Mark Joseph Edwards, 

With every innovation comes a setback, sometimes vitriolic in nature. 
Virtual machine (VM) technology is a good case in point. Read this blog 
article to discover how intruders are bound to invade VMs, by hook or 

FAQ: Command Lists All Members of an AD Group
by John Savill, 

Q: How can I use a command to list all the members of an Active 
Directory (AD) group? 

Find the answer at 

FROM THE FORUM: Making the C Drive Invisible Yet Readable
   A forum participant wants to know how to make the C drive invisible 
yet still readable. He wants the drive hidden from users but wants them 
to be able to access all the programs on the system. Join the 
discussion at: 

   Share your security-related tips, comments, or solutions in 1000 
words or less, and you could be one of 13 lucky winners of a Zune media 
player. Tell us how you do patch management, share a security script, 
or write about a security article you've read or a Webcast you've 
viewed. Submit your entry between now and December 13. We'll select the 
13 best entries, and the winners will receive a Zune media player--
plus, we'll publish the winning entries in the Windows IT Security 
newsletter. Email your contributions to 
   Prizes are courtesy of Microsoft Learning Paths for Security: 

   Nominate yourself or a peer to become an "IT Pro of the Month." 
Winners will receive over $600 in IT resources and be featured in 
Windows IT Pro magazine and the TechNet Flash email newsletter. It's 
easy to enter--accepting October nominations for a limited time! Submit 
your nomination today: 

=== PRODUCTS ================================================== by Renee Munshi, 

Comprehensive Protection for Endpoints at Work and at Home
   eEye Digital Security released version 2.5 of Blink Professional, 
its host-based firewall, intrusion prevention, and anti-malware 
solution, and added portable-storage?device control, application 
control, and "dynamic" control that allows different policies to be in 
effect depending on whether the client is physically connected to the 
network or is outside the network perimeter. A new offering, Blink 
Personal, which includes most of the functionality of Blink Pro, is 
available for free to home users, who are invited to participate in a 
Neighborhood Watch program that sends "attack data" anonymously and 
automatically from Blink Pro to the eEye Research Lab. The data will 
help eEye continue to improve its products' attack detection and 
prevention capabilities. For more information, go to 

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to and get a Best Buy gift certificate. 

=== RESOURCES AND EVENTS ======================================   For more security-related resources, visit 

In an environment where there is no one true OS, users must access a 
variety of applications across several platforms. Get the tools you 
need to analyze and improve how you manage access across Windows 
Terminal Services, UNIX and Linux X, Windows, legacy telnet, and even 
SSH. TechX World events start October 24--register today! 

How will compliance regulations affect your IT infrastructure? Help 
design your retention and retrieval, privacy and security policies to 
make sure that your organization is compliant. Download the free eBook 

Did you know that 75% of corporate intellectual property resides in 
email? With security concerns from viruses and malware, increasing 
amounts of spam, and ever-stronger performance demands for availability 
and recovery, email systems have become the most important business 
application. Join us for this free Web seminar and learn a holistic 
approach to managing the challenges of security, availability and 
control. Live Event: Thursday, November 16 

How do you manage vulnerabilities? If you depend on vulnerability 
assessments to determine the state of your IT security systems, you 
can't miss this Web seminar. Special research from Gartner indicates 
that deeper penetration is needed to augment your vulnerability 
management processes. Learn more today! 

Take the necessary steps for application management, from conversion of 
legacy applications to MSI to customizing applications to fit corporate 
standards. Don't overlook an important component of an OS migration--
join us for the free on-demand Web seminar. 

=== FEATURED WHITE PAPER ======================================
Help your small- or medium-sized business protect one of its most 
valuable assets--business information. Easily store, manage, protect 
and share information with hardware designed with the needs of your 
business in mind. Manage IT without the large staff and extensive 
training--learn how today! 

Special Offer: Download any white paper from Windows IT Pro before 
October 31 and enter to win a Casio Exilim Card Camera! The more you 
download, the more chances to win! Visit for a full listing of white 
papers and contest rules.

=== ANNOUNCEMENTS =============================================
Invitation for VIP Access  
   Become a VIP Monthly Pass subscriber and get instant online access 
to every article published in our network. You'll get full Web access 
to Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook 
Administrator, Windows Scripting Solutions, and Windows IT Security 
newsletters--that's more than 26,000 articles at your fingertips. Sign 
up now for only $29.95 per month:

Get $40 off on Windows IT Pro  
   Subscribe to Windows IT Pro today and SAVE up to $40! Along with 
your 12 issues, you'll get FREE access to the entire Windows IT Pro 
online article archive, which houses more than 9,000 helpful IT 
articles. This is a limited-time offer, so order now:

Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and the Windows IT Security newsletter 
(subscribe at the second URL below).

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods