Arm yourself with security alerts |
It seems that every week brings us a new security threat to our Windows PCs and networks. Many of these are covered in the Bugs and Fixes section of the Help Screen, but there are plenty of other resources that can help to keep you informed about threats before they affect your PC or your network. One of the best sources of information from Microsoft is its Security Notification Service. This free e-mail bulletin is sent to subscribers whenever Microsoft determines that an issue affects any Microsoft products. It is especially worthwhile for Windows NT administrators and serious users of Microsoft Office. Microsoft maintains an archive of current and previous security bulletins going back almost three years. Its "Security Advisor" page is one of the first places where Microsoft releases its comments on threats like the Melissa virus and the ExploreZip worm. For a list of recent advisories, go to www.microsoft.com/security. Click "Security Bulletins," then "Current" or "Archive" to go back through the list. To subscribe to the Security Notification Service, go to www.microsoft.com/security/services/bulletin.asp. The alerts that Microsoft posts on these pages often provide software patches to close security holes. For example, a recent bulletin recommends a patch to cure Word 97's bad habit of running macros (without any warning) from templates ù even when the template is on a malicious Web site. Microsoft's security bulletins, of course, aren't the last word on high-tech threats. The alerts reflect only Microsoft's point of view. In the article, "What Customers Should Know About BackOrifice 2000", for instance, Microsoft says BackOrifice is similar to the Melissa virus in that "neither exploited any security vulnerabilities in Microsoft products". The programmers who released BackOrifice ù a program that allows an intruder to access your network from the Internet with the same privileges you have ù might disagree. Still, Microsoft's notification service is a valuable improvement over simply denying that any problems exist at all. The security bulletins that Microsoft publishes on its Web pages raise the question: should this information be shouted about or kept quiet? After all, many of the security holes described on the Microsoft site are said to have never been used by hackers in real life. Won't talking about these flaws make them more likely to be taken advantage of? This question seems to have been decided squarely in favour of full disclosure. The Microsoft site, for example, describes in detail the L0phtCrack tool, a program that decrypts network passwords, sometimes in minutes. The Microsoft page even includes a convenient link so readers can download the utility for themselves: www.l0pht.com. (The first two characters of the domain name are lower-case "L" and zero.) Although L0phtCrack can be misused in the wrong hands, it can also be a good friend to a network administrator who needs to test a network for weak user passwords. (An earlier version of the product won a Golden Guardian award last year from InfoWorld security columnists Stuart McClure and Joel Scambray). The Web site of L0phtCrack's parent, L0pht Heavy Industries of Boston, is itself a great security-alert service. Its archive of warnings includes a withering criticism of security flaws in Microsoft's original Point to Point Tunneling Protocol (PPTP). Many of these problems are corrected, the site says, in Microsoft's Dial-Up Networking 1.3 upgrade for Windows 95/98 and Windows NT. Another invaluable alert service is provided by the CERT Coordination Center, an outgrowth of the old Computer Emergency Response Team created by the US Government in 1988. CERT/CC, housed at Carnegie Mellon University, sends e-mail advisories whenever a virus threat or newly discovered security hole unnerves the Internet community. Go to www.cert.org, then click "Subscribe to our mailing list" for more information. Perhaps equally important, the centre helps to debunk virus hoaxes ù some of which are hilarious ù that run rampant on the Net. See the "Hoax" section of www.cert.org/other_sources/viruses.html. - Brian Livingston |
Category:Windows Manager Issue: October 1999 |
These Web pages are produced by Australian PC World © 1999 IDG Communications