<Date> Wed Oct 13 09:08:04 PDT 2004
AdamCarheden <Q>Good Morning everyone. Please welcome Alan Sugano.
alansugano <A>Thank you for having me. Anyone have any questions?
<Date> Wed Oct 13 09:16:05 PDT 2004
jsmith <Q>Alan, what's your favorite anti-spyware software?
alansugano <A>I don't know if I have a favorite. We use Spyware Exterminator sometimes and the new NAV Corporate 9.0 includes some anti-spyware features. Although I'm a strong believer in Spyware tools, I still feel it's important to know how to remove Spyware manually. I don't know if you read my last article (The Blended Threat), but a client had a server that was infected with Spyware. When I installed the Spyware software and tried to download the latest "patterns" the server froze. When I rebooted the server it did not boot. I ended up having to clean the spyware manually by checking the run keys and deleting the programs off of the hard drive. I don't think the anti-Spyware software was the cause of the problem
<Date> Wed Oct 13 09:17:50 PDT 2004
grodcay <Q>Hi Alan, Liked your hacking article—lots of good info. I just updated my home machine to XP SP2 with Windows Firewall. I also run Norton Firewall and Antivirus. I've heard that they might conflict with each other. Should I disable Norton?
alansugano <A>Yes, I suggest disabling one or the other. From most of the reviews I read, the Norton firewall is probably a little better than Windows Firewall in XP SP2. But, Windows Firewall is "free" and Norton is not. If you already have Norton, I'd probably use it instead of Windows Firewall.
<Date> Wed Oct 13 09:21:51 PDT 2004
grendel <Q>Alan - what is the most common hacking vulnerabilities in Active Directory (AD)?
alansugano <A>Wow, that's a loaded question! It's not so much vulerabilities with AD, but with Windows itself. Once a Windows machine is compromised, AD is potentially wide open. If a machine gets hacked one common task a hacker will perform is to add a rogue user into AD with Administrator rights. I suggest entering a description for each user in AD. Usually a hacker will not enter in a description for the rogue user. If you suspect a hack, just sort your users in AD by description. All of the users without a description will appear at the top of the AD user list. This is a quick and dirty way to help you identify rogue users in AD.
<Date> Wed Oct 13 09:25:33 PDT 2004
woodymj <Q>Alan - do you have any recommendations for IDS?
alansugano <A>What's your environment and budget? - Number of users, servers, OS, locations etc. IDS can get quite expensive.
<Date> Wed Oct 13 09:32:20 PDT 2004
woodymj <Q>50-60 users, Windows 2000, 2003, XP; one location; 10 servers
alansugano <A>That's a tough one. We like the Cisco products, but for a company your size it's difficult to cost justify. The current problem with IDS is most of the products are for the Enterprise (200+ users with multiple locations). Maybe I should write an article on IDS for the small to midrange network?
<Date> Wed Oct 13 09:45:00 PDT 2004
woodymj <Q>That would be great, got a lot out of your last article.
alansugano <A>I'll submit the article proposal. Thank you for the question.
<Date> Wed Oct 13 09:29:44 PDT 2004
DRussell <Q>Hi Alan. Ever since I upgraded my Windows XP Home OS to SP2, I've been having problems accessing my work account through Webmail (my work account is a Lotus Notes account). I seem to be able to log in to Webmail OK, but my Inbox page won't load, and the machine hangs at the Inbox. I have to use Task Manager to close down the program. Could XP SP2 be causing this problem?
alansugano <A>Do you have the Windows Firewall Active? If so, try temporarily disabling the firewall and reconnect. There may be a patch available from Lotus to address the problem.
<Date> Wed Oct 13 09:53:44 PDT 2004
DRussell <Q>Yes, I'm using Windows Firewall. I'll try your suggestion. Thanks!
alansugano <A>Let us know if it works!
<Date> Wed Oct 13 09:35:22 PDT 2004
Mike_F <Q>You mention that not all AV scanners will find hacking programs on a machine. Are there other tools available that do a better job - like spyware scanners perhaps?
alansugano <A>Sometimes spyware scanners will help. The problem is that a lot of the hacking programs are "legitimate" programs and will not be picked up with any type of anti-virus software or anti-spyware. That's why it's important to have the skills to recognize these program by inspecting the Registry runs keys and other methods. After a computer's been hacked the only way to ensure the machine is clean is to format the drives and reload the OS from scratch.
<Date> Wed Oct 13 09:37:39 PDT 2004
jsmith <Q>In the article, you mention that some hacking tools can block Netstat from displaying open ports. How is that possible?
alansugano <A>The easiest way is to loading a hacking program that intercepts the Netstat program calls. The conservative answer is to always scan the computer using an port scanner from a different computer. That method is more reliable than using Netstat.
<Date> Wed Oct 13 09:38:45 PDT 2004
jsmith <Q>You recommend NetStumber for wireless scanning. Last time I tried it on Windows, it only showed me APs that broadcast the SSID, something I could also do with the software built into XP. Am I using NetStumbler wrong?
alansugano <A>Make sure you have a the latest version of NetStumbler. Also make sure that the wireless card you have is supported by NetStumbler.
<Date> Wed Oct 13 09:42:44 PDT 2004
jfeuerbacher <Q>Alan, I have a question about XP firewall. My home network has a router that has a firewall. I also use an Apple AirPort as my wireless hub. It, too, has a firewall. I have XP firewall turned off. I don't need to enable it, do I? I feel like I'm already pretty protected. Thanks!
alansugano <A>Wow excellent question! The conservative answer is to leave it turned on. Basically Windows firewall will reject any communication unless they are client initiated. Let's assume you get a virus on one of your computers. If you have the Windows firewall active on the XP machine (assuming that's not the one infected) there's a good chance that the Windows firewall will prevent the XP machine from getting infected.
<Date> Wed Oct 13 09:44:12 PDT 2004
Bill_Gates <Q>Do you have a recommended password generation program for a large scale deployment (500+ users). We don't want to use a single default upon installation.
alansugano <A>Probably a random number/word generator is best. If you want to be really secure, make the passwords 15 characters long.
<Date> Wed Oct 13 09:49:50 PDT 2004
Janet_R <Q>Alan, will you explain the difference between IDSs and vulnerability scanner products? Is it a good strategy to use both?
alansugano <A>Great question! IDS basically tells you "you're infected." It looks for unusual activity and traffic on the network and sends out alerts when it finds something. Scanner products typically run port scans on perimeter firewalls to find out if there are open ports that should be closed. Port scanners identify potential weaknesses on your firewall. IDS identifies the hack after its occurred. And, yes it's a good idea to use both, because they really serve two different functions.
<Date> Wed Oct 13 09:53:17 PDT 2004
tray <Q>Alan: Would you suggest using IPSEC policies to sort of allow / block traffic on the servers facing the internet so that only the ports you have open stay open and others stay closed?
alansugano <A>Hmm. I'm not sure I understand the question. IPSec is typically used to establish VPN tunnels. As long as the port on a firewall is closed it should remain closed. Open ports on the firewall may have a timeout period, but they should reopen when another open request is issued.
<Date> Wed Oct 13 10:01:13 PDT 2004
tray <Q>With IPSEC you can have policies configured so that certain subnets are allowed to communicate to certain ports on a server. MS is coming out with the server config wizard that does that. Say I was running a mail server and I have port 25 open. I close all other ports to the internet. If the mail server has a buffer overrun and someone gets control of the server, he/she can't open any ports on the server unless they figure out how to modify the IPSEC policy.
alansugano <A>Thanks for the clarification. You could do it, but the on-going maintenance could be very time consuming. If you require that much security, you could establish a VPN tunnel to selected locations and just let 25 traffic pass.
<Date> Wed Oct 13 10:07:54 PDT 2004
tray <Q>I figured that it would be one more line of defense. I have been at clients where, after the machine was hacked, hackers used it as a storage for porn and or pirated software, and with IPSEC you could at least cut that down.
alansugano <A>Yes, of course you want to block these addresses on the firewall from communicating to your network. The problems is that a lot of these addresses are spoofed so it's relatively easy for a hacker to use a different IP address. As you know, you want to address the vulnerability that allowed the hacker to get in the first place.
<Date> Wed Oct 13 10:26:36 PDT 2004
tray <Q>that's true
alansugano <A>Thank you for the excellent question!
<Date> Wed Oct 13 09:56:07 PDT 2004
BillStewart <Q>Hi Alan, what are some options for password auditing on a Windows Server 2003 AD domain?
alansugano <A>Probably the best is l0phtcrack. It's amazing how fast this program can crack weak passwords.
<Date> Wed Oct 13 10:02:24 PDT 2004
BillStewart <Q>Lophtcrack is rather expensive...do you know of any other options?
alansugano <A>Check out Rainbox crack. http://www.antsight.com/zsl/rainbowcrack/
<Date> Wed Oct 13 10:10:26 PDT 2004
alansugano <A>No problem. By the way that should be Rainbow crack, not Rainbox.
<Date> Wed Oct 13 10:23:47 PDT 2004
pyzr <Q>What is the best tool for IP tracing? Lets say I want to relate an IP address to a particular part of the country, or the world?
alansugano <A>Check out http://www.iana.org/ipaddress/ip-addresses.htm. You can search for any IP address in the world, and find the general location of the address.
<Date> Wed Oct 13 10:38:45 PDT 2004
AdamCarheden It looks like we're about out of time. Thank you everyone for participating. We will post the transcript of the chat later today.