To secure your PC, arm yourself with security alerts from vendors and industry groups

HOME/ SITEMAP
SUBJECT INDEXES

	App Development

	Broadband

	Business Intell.

	Business News

	Business Strategies

	Careers & Mgmt

	Collab. Software

	Content Mgmt

	CRM

	Database

	E-Business

	End-User Apps

	End-User Hardware

	Enterprise Apps

	Ethics

	Government

	Licensing

	Middleware

	Mobile Computing

	Networking

	Online Community

	Operating Systems

	Processors

	Security

	Servers

	Storage

	Telecomm.

	Web Services

	Web Technologies

	Wireless

	XSPs

NEWS

CTO ZONE

TEST CENTER

FEATURES

COMMUNITY

OPINIONS

RESEARCH

EVENT

WEBCASTS

ABOUT InfoWorld

ABOUT US
	About InfoWorld

	Services

	Advertise

	Contact us

	Employment

WHITE PAPERS

	Learn to secure your PCs from new and unknown hacker attacks.


	Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

		Window Manager Brian Livingston

To secure your PC, arm yourself with security alerts from vendors and industry groups

IT SEEMS THAT EVERY week brings us a new security threat to our Windows PCs and networks. The latest one, which became an issue just last week, involves a "digitally signed" Java program that affects Compaq computers and possibly others. The applet is intended to allow Compaq to update software over the Internet, but it can be directed by a rogue Web page to execute other instructions instead.

This problem, and others like it, are well covered in the news pages of InfoWorld, so that is not the focus of this column. Instead, I want to share with you some resources that can keep you informed about threats before they affect your PC or your network.

One of the best sources of information from Microsoft is its Security Notification Service. This free e-mail bulletin is sent to subscribers whenever Microsoft determines that an issue affects any Microsoft products. It is especially worthwhile for Windows NT administrators and serious users of Microsoft Office.

Microsoft maintains an archive of current and previous security bulletins going back almost three years. Its "Security Advisor" page is one of the first places where Microsoft releases its comments on threats like the Melissa virus and the ExploreZip worm.

For a list of recent advisories, go to www.microsoft.com/security. Click "Security Bulletins," then "Current" or "Archive" to go back through the list. To subscribe to the Security Notification Service, go to www.microsoft.com/security/services/bulletin.asp.

The alerts that Microsoft posts on these pages often provide software patches to close security holes.

For example, a recent bulletin recommends a patch to cure Word 97's bad habit of running macros (without any warning) from templates -- even when the template is on a malicious Web site.

Microsoft's security bulletins, of course, aren't the last word on high-tech threats. The alerts reflect only Microsoft's point of view. In the article, "What Customers Should Know About BackOrifice 2000," for instance, Microsoft says BackOrifice is similar to the Melissa virus in that "neither exploited any security vulnerabilities in Microsoft products."

The programmers who released BackOrifice -- a program that allows an intruder to access your network from the Internet with the same privileges you have -- might disagree. Still, Microsoft's notification service is a valuable improvement over simply denying that any problems exist at all.

The security bulletins that Microsoft publishes on its Web pages raise the question: Should this information be shouted about or kept quiet?

After all, many of the security holes described on the Microsoft site are said to have never been used by hackers in real life. Won't talking about these flaws make them more likely to be taken advantage of?

This question seems to have been decided squarely in favor of full disclosure. The Microsoft site, for example, describes in detail the L0phtCrack tool, a program that decrypts network passwords, sometimes in minutes. The Microsoft page even includes a convenient link so readers can download the utility for themselves: www.l0pht.com. (The first two characters of the domain name are lower-case "L" and zero.)

Although L0phtCrack can be misused in the wrong hands, it can also be a good friend to a network administrator who needs to test a network for weak user passwords. An earlier version of the product won a Golden Guardian award last year from InfoWorld security columnists Stuart McClure and Joel Scambray. (See Security Watch, www.infoworld.com/printlinks.)

The Web site of L0phtCrack's parent, L0pht Heavy Industries of Boston, is itself a great security-alert service. Its archive of warnings includes a withering criticism of security flaws in Microsoft's original Point to Point Tunneling Protocol (PPTP). Many of these problems are corrected, the site says, in Microsoft's Dial-Up Networking 1.3 upgrade for Windows 95/98 and Windows NT.

Another invaluable alert service is provided by the CERT Coordination Center, an outgrowth of the old Computer Emergency Response Team created by the U.S. government in 1988. CERT/CC, housed at Carnegie Mellon University, sends e-mail advisories whenever a virus threat or newly discovered security hole unnerves the Internet community. Go to www.cert.org, then click "Subscribe to our mailing list" for more information.

Perhaps equally important, the center helps to debunk virus hoaxes -- some of which are hilarious -- that run rampant on the Net. See the "Hoax" section of www.cert.org/other _sources/viruses.html.

These are a fraction of the Windows security alerts available. Send me your favorites. Use "alerts" as the subject of your e-mail.

Brian Livingston 's latest book is Windows 98 Secrets (IDG Books). Send tips to brian_livingston@infoworld.com. He regrets that he cannot answer individual questions.

RELATED SUBJECTS

Security

MORE >

SUBSCRIBE TO:�

� �

// Article

	ADVERTISEMENT
	SPONSORED LINKS FREE Storage Policy Management paper from BMC Software! Download the J.D. Edwards CRM white paper. Visit jdedwards.com/crmpaper Introducing Primus Quick Resolve. Click to download a fact sheet. Download the J.D. Edwards CRM white paper. Visit jdedwards.com/crmpaper Gateway: Your Reliable IT Provider of Business Technology Solutions

	<A HREF="http://ad.doubleclick.net/jump/idg.us.ifw.community/opinions;abr=!ie;pkey=security;pos=bot;sz=468x60;tile=4;ord=172515250902?"><IMG SRC="../../../../../../ad/house/verisign_cpc/open_24_guide_468x60_8_by.gif" BORDER="0" HEIGHT="60" WIDTH="468"></A>

ABOUT INFOWORLD | SITE MAP | EMPLOYMENT | PRIVACY | CONTACT US