Petkov said that MET is the culmination of months of study centered around the Google API . The tool can do things like locate VPN configuration files, download the cached files of an entire Web site, download all the images from a site, download individual Web pages, gather statistics, and of course mine URL strings that might lead to known vulnerabilities. MET also supports “Johnny’s Google Hacking Database ” (GHDB) XML format.

It’s yet another item to add to your toolkit. Check it out over at the GNUCITIZEN Web site. While you’re Web surfing you can download a copy of the book, The Google Hacker’s Guide, at the GHDB site.

Since Labor weekend is upon us and you’re already sitting there with your Web browser open you might as well check out Emeril’s recipe for Watermelon Margaritas and Bobby Flay’s recipe for Tandoori Spiced Chicken Breast with Grilled Tomato Jam and Herbed Yogurt Sauce. Oh man, I can hardly wait to fire up the grill !

http://www.windowsitpro.com/Article/ArticleID/47456

http://www.windowsitpro.com/Article/ArticleID/47508

Because honeypots present an attack point for potential intruders, they’re useful in determining what sort of intrusion attempts are being launched against your network. In some cases, they can detect intrusion methods that are completely unknown to even the most up-to-date Intrusion Detection Systems (IDSs).

I recently learned about two new honeypots. The first is mwcollect (at the URL below), which was released in April 2005 and is partially funded by The Honeynet Project. Mwcollect is designed specifically to collect malware–thus the “mw” prefix in the mwcollect name. The tool runs on Linux and OpenBSD and can also run on Cygwin, a Linux environment that runs on Windows platforms.

http://www.mwcollect.org

Mwcollect is a little different from typical honeypots because it was originally designed to collect bot software, but the current version collects worms and other forms of malware that take advantage of vulnerabilities that mwcollect exposes. According to the mwcollect Web site, systems that run the tool can’t be infected with malware due to the way mwcollect operates internally. It binds to specified ports, waits for an exploit attempt, scans for shell code, and tries to download any related malware. Captured malware can then be added to a database at the mwcollect Web site.

The next version of mwcollect will allow three levels of network interactivity. The first level is the same as I describe above. The second level will passively analyze network traffic (like a sniffer in promiscuous mode would) and will try to download any related malware. The third or lowest level of interactivity will also passively analyze network traffic but won’t try to download related malware. You can learn a little more about the tool at the Web site, and join in an Internet Relay Chat (IRC) for further discussion.

The second new honeypot, Nepenthes, was released earlier this month and is similar to mwcollect. It too presents known vulnerabilities to the network and waits for intrusion attempts. Current modules for Nepenthes allow it to emulate problems with DCOM, Local Security Authority Service (LSASS), WINS, ASN1, NetBIOS, SQL Server, and a lot more Microsoft services. Because Nepenthes runs on Linux systems, none of those services would actually be available, which means exploits against them would have little or no effect on the underlying OS.

Just like mwcollect, when Nepenthes detects intrusion attempts, it tries to download any related malware through a variety of methods including FTP, Trivial FTP (TFTP), and HTTP. Captured malware is then sent to a center server hosted by the developers of the tool.

http://nepenthes.sourceforge.net

Documentation for Nepenthes doesn’t explain what goes on under the hood. But as best I can determine (I haven’t actually installed the tool yet), it captures shell-code exploits; looks for instructions that try to download code from the Internet (which many types of malware have); and if it finds such instructions, proceeds to try to download the malware in accordance with the intruder’s intent–for example, if the captured code indicates that the system should use FTP to download a file, Nepenthes will try to do that. I suspect that mwcollect works in a similar fashion. Nepenthes doesn’t appear to run on Windows platforms using Cygwin, so you’ll probably need a Linux-based system to put it to use on your networks.

If you use honeypots as do so many administrators these days, be sure to take a closer look at mwcollect and Nepenthes.

As a result of the free offer the site is busy, but it is still responding.

I’ve been testing the upcoming Opera 8.1 (Preview 2 release for Windows) over the last three weeks and I can safely say that I am very impressed. It’s faster than Firefox, has a built-in BitTorrent client, mail client, contact manager, note taking system, and RSS feed reader, and has a highly customizeable user interface. During my tests I’ve been able to configure the interface to mirror the uncluttered layout I use in my Firefox browser so I feel right at home using Opera now.

Opera also has lots of great security features and a lot of bells and whistles, such as the ability to read Web pages out loud, the ability to quickly enable or disable Javascript, Java, plugins, pop-up windows, and much more. All of that in a relatively small download of only 3.7MB — which by the way is smaller than Firefox! OK, the voice capabilities are an extra 10MB download, but the rest of the features are included in the base package.

If you think Firefox is a great browser then you might want to have a close look at Opera, particular Opera 8.1 Preview 2.

French security research organization FrSIRT issued a bulletin stating that the problem relates to processing of malformed HTML which can lead to memory corruption that might allow a remote intruder to run arbitrary commands on an affected system.

With widespread use of Windows XP the problem could potentially affect millions of computers. However no patch is available at this time and no workaround information is known at this time. Ferris said he notified Microsoft of his findings and the company is researching his report. Ferris won’t disclose any more information about the flaw until Microsoft releases a patch.

Igor Franchuk discovered  the problem, which was made public in a bulletin posted by Secunia. The end result is that intruder and propagators of spyware could use the tool vulnerabilities to help hide malware on a system. A complicating factor is that all keys that reside under a long key might also remain invisible even if those subkeys are shorter than 254 characters.

SANS made light of the discovery last week and readers shared insights of their own research of the problem. Current versions of tools such as Spybot Search and Destroy, HiJackThis, Sysinternals Autorun, Regedt32, and others can read the excessively long keys. Other popular tools, such as Microsoft Antispyware beta reportedly cannot read long keys. You can learn more about readers’ discoveries in the SANS Handler’s Diary entries dated August 24, August 25 , and August 26.

The bottom line is that to ensure nothing has been slipped into the registry you should check the registry using a tool that is known to be able to handle long keys.

Aluria Software also makes a spam filtering solution, a desktop Web caching solution,  and pop-up blocking software. The company also offers an enterprise spyware solution, Paladin, which is based on Spyware Eliminator and used by over 35 million people worldwide.

Earthlink said that Aluria’s assets will become part of a new division. The company already offers a TotalAccess security solution to its customers, which includes products that overlap with those of Aluria Software. At least part of Earthlink’s current security offerings are part of a partnership with Symantec where customers pay a monthly subscription fee to as opposed to a yearly renewal fee typical of Symantec’s sales program. Earthlink hasn’t disclosed whether it will continue its partnership with Symantec.

Last week Symantec announced a deal to acquire policy compliance solution maker Sygate. Symantec intends to integrate Sygate solutions with its own offerings.

CyberGuard’s offerings including firewall and VPN solutions as well as a content management suite that protects against spam, viruses, and malicious Web content, and also protects instant messaging clients. The company also offers a centralized security management system for policy enforcement. The products compliment Secure Computing offerings, which include the well-known Sidewinder firewall and VPN appliances, Web content filtering, and hardware-based authentication solutions that integrate with Active Directory and are meant to replace traditional access passwords for popular services such as Outlook Web Access, Citrix Metaframe, VPNs, and more.

“This transaction meets important strategic priorities and better positions Secure Computing in two of the fastest growing markets of the security industry,” said John McNulty, president and CEO at Secure Computing. “By combining the companies, Secure Computing will be the leader in the [unified threat management] market, the fastest growing segment of the IT security market according to IDC. It will also accelerate our ability to further penetrate the [secure content management] market, and clearly positions Secure Computing as the number two player in web filtering with approximately 21.0 million licensed seats.”