Category Archives: General Stuff
Now hiring?
We interrupt our regular security discussions to bring you this news bulletin: America’s health insurance situation sucks. While I can’t reform it on my own, I can ask you loyal readers to help find a full-time job for a smart, experienced programmer who just happens to need insurance for his ill son. Brad Choate, legendary MT plugin guy, is even offering a reward: a free Xbox, PS2, or Gamecube. Details here, or Brad’s original post here.
Filed under General Stuff, Musings
Physical security on my mind
I’ve been thinking about physical security a lot, mostly because I happen to be revising chapter 5. Take a minute right now to look around and see whether your physical security procedures are adequate. Could someone easily walk off with a server? (If someone can steal a DC, they can 0wn you totally, basically forever.) Do you have adequate environmental protections: power conditioning? heating/cooling? fire warning & suppression? I could write on and on about this, but I bet that if you spend a few minutes thinking about your environment you’ll see what you need to do to improve it, probably at very low cost. The US Army’s Field Manual 3-19.30 has some interesting thoughts that may help you.
Filed under General Stuff, Musings
MS launches “trial size” Outlook Web Access
This is really cool: as part of the Exchange Server 2003 RTM, Microsoft is passing out 7-day trial OWA accounts. This is a great idea for two reasons: it gives MS a chance to further dogfood OWA in xSP-scale deployments, and it gives those who don’t have immediate plans to migrate to Exchange 2003 a taste of what the new OWA looks like. Sign up here.
Filed under General Stuff, Musings
Exchange 2003 RTMs
RTM for Exchange Server 2003 is today, June 30th. That means that the product will be available very, very soon for most customers, depending on your license plan:
- Availability for Select licensing customers is August 1st
- Availability for Open licensing customers is also August 1st.
- Retail availability depends on the availability of Outlook Standard 2003. That means for English versions, you should see the CD in stores mid-September; other languages will follow, although I don’t have exact dates.
Evaluation versions will be available for download or purchase on CD after noon Pacific time today.
Filed under General Stuff, Musings
The great spam-off, part 4: more SurfControl
So, SurfControl has been in place for the last five days. It has a fairly sophisticated set of tools, but with a much more approachable interface than Praetor. I’ve been using three rules: one screens out malformed MIME messages, one blocks messages with high dictionary scores (according to the spam dictionary that ships with the product), and one blocks messages that are on the collaborative filtering list that SurfControl maintains.
So far, the combination is working reasonably. There are still too many uncaught spams slipping through, largely of the variety that consist only of images (I added a rule for “Please wait while this email loads”; I bet that’ll catch a bunch of them). More troubling is the rules service’s tendency to abruptly stop processing inbound messages– so far, I’ve gotten three or four messages from Microsoft that have choked the rules service. I have a call in to SurfControl tech support, so we’ll see how competent they are at diagnosing and fixing the problem.
Update: the problem that caused SurfControl to choke on inbound messages was quickly identified. They fixed it in a patch, and their tech support was very helpful in answering some questions I had about the way the product worked. (Originally I’d typed “MailMarshal” in the above; to clarify, I haven’t had to call MailMarshal support so far.)
Filed under General Stuff, Musings
The great spam-off, part 5: MailMarshal
SurfControl finally bit the dust; its eval period expired, so I knew it was time to try something else. SurfControl is a decent product; my big complaint was that its “Anti-Spam Agent” (a collaborative filtering tool that requires you to download updates from SurfControl) wasn’t catching much. Turns out that was due to SurfControl’s failure to allow eval customers to get the updates.
As I type this, MailMarshal SMTP is installing. It has a good reputation, so I’m eager to see how it stacks up against the others I’ve been testing. In the meantime, I have inbound SMTP queueing up for filtering, so MailMarshal should have a fertile set of messages to start with.
Update: Wow. MailMarshal has caught something like 99.2% of the inbound spam so far. I’m very impressed.
Update again: over a five-day test period, MailMarshal flagged 362 messages as spam. 49 (13.6%) of those were actually legitimate messages, most of which should have been allowed through by the “friendly listserver” and “friendly senders” features. None of these messages were critical, and frankly, many of them should probably be considered as spam. During the same time period, I only got *two* real spams. A number of legitimate messages (including some from our customers at MS and from the ntbugtraq mailing list) were flagged because they triggered the double-extension filter (like “document-1.0.5-pk.doc”) or because they contained JavaScript. I appreciate the protection, but it’s been a bit of a hassle.
I’m impressed with MailMarshal’s efficacy, but its reporting tools don’t seem to be as good as the ones in SurfControl (which tells you at a glance how long it’s been up, how many messages were flagged as spam, and how many passed through.)
Update: Carrie Ward of NetIQ was kind enough to send me pricing info on MailMarshal:
NetIQ MailMarshal 5.5 SMTP is priced by the number of users in an organization and is available as a small business server license for up to 75 users for $1,295 or as an Enterprise version including a four-server license for $2,000 plus $750 per 100 users.
Filed under General Stuff, Musings
Did they do it?
Here’s an interesting article: Foundstone is accused of piracy, being buttheads, and probably mopery on the high seas. Interestingly, the article also claims that Microsoft dropped Foundstone as a vendor shortly after the problems came to light.
Filed under General Stuff, Musings
MBSA 1.1.1 released
Version 1.1.1 of the Microsoft Baseline Security Analyzer has been released. Why do you care? Because this version adds scanning support for Windows 2003 Server, that’s why. Go get it.
Filed under General Stuff
MSDN developer security center
MSDN now has a new security center. It’s billed as “a one-stop source to help developers write secure code”. Check it out. (hat tip: Michael Howard.)
Filed under General Stuff
New denial-of-service attacks
This is fascinating. Two folks at Rice’s computer science department have written a paper about algorithmic complexity attacks. The basic idea is that an attacker who knows how a program processes input can overwhelm it by choosing patterns of data, or data with specific contents– not the typical DoS caused by flooding. Here’s the abstract:
We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications’ data structures. Frequently used data structures have “average-case” expected running time that’s far more efficient than the worst case. For example, both binary trees and hash tables can degenerate to linked lists with carefully chosen input. We show how an attacker can effectively compute such input, and we demonstrate attacks against the hash table implementations in two versions of Perl, the Squid web proxy, and the Bro intrusion detection system. Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.
Filed under General Stuff, Musings
Three things you should read
A hat tip to an (unnamed) pal at Microsoft, who sent me (working) links for three useful documents:
- The Windows Server 2003 Security Guide describes best practices for securing Windows Server 2003 member servers, DCs, file servers, and IIS boxes. Well worth reading, if only to get an appreciation for what’s new in 2003.
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP describes almost all of the group policy settings that apply to WS2003 and XP; for each, it explains what the setting does, what side effects it may cause, and what vulnerabilities it protects against.
- The Windows 2000 Hardening Guide explains how to harden your W2K servers, depending on their roles.
Filed under General Stuff
TechEd 2003 right around the corner
TechEd 2003 is right around the corner. In addition to my session, there are a number of other useful sessions that security-minded folks should consider:
- Mortimore, SEC301, Best Practices for Security and Patch Management (Arena, Monday, 1330-1445)
- Attwell, MSG328, Reducing Spam with Exchange Server 2003 and Outlook 2003 (Ballroom C1/2, Tuesday, 1045-1200)
- Riley, SEC304, Enhancing Exchange, OWA, and IIS Security with ISA Server Feature Pack 1 (Arena, Tuesday, 1045-1200)
- Morris, MSG329, Controlling Viruses with Exchange Server and Outlook (D171/D173, Thursday, 1700-1815)
- Riley, SEC499, IPSec Internals and Implementation Examples (Arena, Friday, 1300-1415)
- Batthish, MSG345, Deploying OWA and FE/BE Topologies for Client Access (Ballroom C1/2, Thursday, 1330-1445)
- Riley, MSG308, Secure Access to Exchange From the Internet (Ballroom C1/2, Wednesday, 1700-1815)
I won’t be able to attend all of these, but I always make it a point to hit Steve Riley’s presentations, and if you’re interested in baseline security and patch management, Mark Mortimore’s session is a must-attend too.
Filed under General Stuff, Musings
Free client-side anti-spam plugin
Steve Bass sent out an email alerting me to the fact that Amazon is giving away an anti-spam plugin for Outlook. I haven’t used it myself, but Steve’s endorsement is good enough for me to recommend it, especially since the $19.99 product carries a $20 mail-in rebate. Check it out and let me know what you think.
Update: Sunbelt was described as a spammer by John Levine, among others; it looks like the world-famous rhyolist spam list contains several entries related to Sunbelt or Stu Sjouwerman, the owner. Stu is also a Scientologist.
Filed under General Stuff
TechEd’s just around the corner…
TechEd is just around the corner, and I’ve been invited to give a security session.
SEC306 Secure Messaging and Communications with Exchange Server
This session delivers the critical information that Exchange administrators, security architects, and messaging designers need to understand to protect their Exchange systems. Protecting your organization from malicious content, and misuse of messaging communications is becoming ever more critical as we depend on our messaging systems to provide anytime, anywhere access from a wide variety of devices. If you are serious about secure messaging and communications, you must attend this session. This session will focus on security updates in Exchange 2003 including relay restrictions, OWA security improvements, authenticated and restricted DLs, improved AV & Anti-spam features, and RPC-over-HTTP. Key security concepts for Exchange 2000 and Exchange 5.5 will also be summarized. Come in, sit down, and hold on tight for this fast-paced and demo-packed presentation.
Filed under General Stuff, Musings
