Security UPDATE--Hamachi Cross-Platform VPN--January 31, 2007

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Why Juggle Multiple Systems? Combine & Save

http://findtechinfo.com/penton/nl/117

Email Discovery and Compliance

http://www.windowsitpro.com/go/ebooks/ilumin/discovery/?code=SECMid0131

The Essential Guide to Infrastructure Consolidation

http://www.windowsitpro.com/go/essential/hp/infrastructure/?code=SECHot0131

CONTENTS

===========================================

IN FOCUS: Hamachi Cross-Platform VPN NEWS AND FEATURES - GoDaddy.com Abuse Policy Takes SecLists.Org Offline - Researchers Find Fault with Extended Validation Certificates - Recent Security Vulnerabilities GIVE AND TAKE - Security Matters Blog: Want to Test-Drive Vista? - FAQ: Get a Command Prompt During a Vista or Longhorn Install - Share Your Security Tips PRODUCTS - Extend Group Policy Control over Passwords - Wanted: Your Reviews of Products RESOURCES AND EVENTS FEATURED WHITE PAPER ANNOUNCEMENTS === SPONSOR: NetSuite

================================

Why Juggle Multiple Systems? Combine & Save Free trial. NetSuite's one system solution combines accounting, CRM & ecommerce in a single, powerful application. Learn more during a trial run. http://findtechinfo.com/penton/nl/117 === IN FOCUS: Hamachi Cross-Platform VPN

=============

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I discussed Microsoft's Secure Socket Tunneling Protocol (SSTP) VPN technology, which will debut as part of Windows Vista Service Pack 1 (SP1) and Longhorn Server Beta 3. The VPN will work over standard Web ports and ease client-to-server connectivity. If you missed that editorial, you can read it at http://www.windowsitpro.com/Article/ArticleID/94977 This week, I learned about another VPN technology that I hadn't heard of before. LogMeIn Hamachi is a relatively simple tool that lets you connect systems together to build a VPN where such connectivity might not otherwise be possible. A couple really great features of Hamachi make it a very useful tool. The first is that it runs on Windows 2000, Windows XP, Windows Server 2003, Linux, and Mac OS X. The second interesting feature is that it's a UDP-based VPN technology, where most other VPNs are TCP-based. Because it's UDP-based, it can work in networks where other VPNs might not because it can traverse some overly restrictive policies and can operate behind networks that use Network Address Translation (NAT). The real "magic" of Hamachi is that it takes advantage of UDP operational characteristics. As you know, in order for TCP connections to take place, ports need to be open on firewalls, and when NAT is in use (with or without a firewall), the NAT router needs to forward traffic to the proper endpoint. In contrast, a NAT device (and sometimes a firewall) can be coaxed into accepting UDP traffic even when specific rules don't exist to allow that traffic. To get an idea of how Hamachi works under the hood, we can take a look at the Skype VoIP technology because Skype also uses UDP to traverse NAT networks and firewalls. If you head over to the heise Security Web site, you'll find a very interesting article, "The hole trick," (at the URL below) that explains what's happening under the hood of a Skype client. If you read the article, you'll come away with an understanding that applies to Hamachi. http://www.heise-security.co.uk/articles/82481 I've heard that Hamachi is especially useful for Windows administrators who need to use Microsoft Remote Desktop connectivity but can't due to restrictions on the network on which they happen to be at the moment, whether that network is at a hotel, conference center, library, coffee shop, or elsewhere. Hamachi can establish a VPN between two endpoints, and then Remote Desktop can be used over the Hamachi VPN. The same principle undoubtedly applies to many other tools that are useless without a VPN. There is at least one downside to Hamachi, though: It doesn't work when a system is behind a proxy server. Nevertheless, it looks like an incredibly useful tool and I intend to give it a try soon. You can learn more about it and download a copy at the URL below. http://hamachi.cc If you're interested in more technical, nitty-gritty details about how tools like Hamachi and Skype work, then take a look at RFC3489, "Simple Traversal of User Datagram Protocol Through Network Address Translators" at the URL below. The document explains the technique in considerable detail. http://tools.ietf.org/html/rfc3489 === SPONSOR: CA

======================================

Email Discovery and Compliance You know you need to manage your email data; how do you do it? What steps are you taking? What additional measures should you enact? What shouldn't you do? Get answers to these questions and get control of your vital messaging data. Download the free eBook today! http://www.windowsitpro.com/go/ebooks/ilumin/discovery/?code=SECMid0131 === SECURITY NEWS AND FEATURES

=======================

GoDaddy.com Abuse Policy Takes SecLists.Org Offline SecLists.Org, a popular site that archives the messages from numerous popular security mailing lists, was temporarily shut down by GoDaddy.com after complaints by MySpace. http://www.windowsitpro.com/Article/ArticleID/95001 Researchers Find Fault with Extended Validation Certificates Researchers from Stanford University and Microsoft Research have concluded that extended validation (high assurance) certificates used in conjunction with Microsoft Internet Explorer (IE) 7.0 don't necessarily improve a user's ability to detect phishing attacks. http://www.windowsitpro.com/Article/ArticleID/95002 Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html === SPONSOR: Hewlett-Packard

=========================

The Essential Guide to Infrastructure Consolidation Learn the essentials about how consolidation and selected technology updates build an infrastructure that can handle change effectively. http://www.windowsitpro.com/go/essential/hp/infrastructure/?code=SECHot0131 === GIVE AND TAKE

====================================

SECURITY MATTERS BLOG: Want to Test-Drive Vista? by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters Want to test Windows Vista without having to install it? Now you can, to some extent anyway. Read this blog article to learn how. http://www.windowsitpro.com/Article/ArticleID/94923 FAQ: Get a Command Prompt During a Vista or Longhorn Install by John Savill, http://www.windowsitpro.com/windowsnt20002003faq Q: How can I open a command prompt during Windows Vista or Longhorn Server installation? Find the answer at http://www.windowsitpro.com/Article/ArticleID/94962 SHARE YOUR SECURITY TIPS AND GET $100 Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. === PRODUCTS

=========================================

by Renee Munshi, [email protected] Extend Group Policy Control over Passwords Special Operations Software announced the release of Specops Password Policy 2.0, which works with Group Policy in Active Directory (AD). Specops Password Policy lets you configure password policies in any number of group policies and not just at the domain level of Group Policy. Some of the new features in version 2.0 are the ability to disallow words from specified dictionaries in passwords, to disallow incremental passwords (e.g., changing from password1 to password2), and to send an email notification when a password is about to expire. For more information, go to http://www.specopssoft.com WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate. === RESOURCES AND EVENTS

=============================

For more security-related resources, visit http://www.windowsitpro.com/go/securityresources How at risk is your business? Attend this free Web seminar and learn how to - differentiate alternative high-availability and disaster-recovery solutions - ensure seamless recovery of your key systems and data - keep your users continuously connected - benefit from real-time high availability and disaster recovery Live Event February 22, 2007, at 12:00 pm EST http://www.windowsitpro.com/go/seminars/neverfail/managingrisk/?partnerref=0131sec Did you know that 75% of corporate intellectual property resides in email? The challenges facing this vital business application range from spam to the costly impact of downtime and the need for effective, centralized email storage systems. Join us for a free Web seminar and learn the key features of a holistic approach to email security, availability, and control. Download this on-demand seminar now! http://www.windowsitpro.com/go/seminars/symantec/messagingsecurity/?partnerref=0131sec Microsoft System Center Data Protection Manager (DPM) is now shipping! Get a solid introduction to DPM: Download this eBook today to learn how to use DPM to augment your tape-based backups. http://www.windowsitpro.com/go/ebooks/microsoft/dpm/?code=0131sec === FEATURED WHITE PAPER

=============================

Learn to differentiate between computer records and business records. Learn the subjective meaning of business records and how to best manage regulatory requirements for email backup and retention. Download this special eGuide today! http://www.windowsitpro.com/go/guide/messageone/regrequirements/?code=0130secfeatwp === ANNOUNCEMENTS

====================================

Make Your Mark on the IT Community! Nominate yourself or a peer to become "IT Pro of the Month." This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting February nominations now, but only for a limited time! Submit your nomination today: http://www.windowsitpro.com/go/itpromonth Ring in the New Year with Windows IT Pro Don't miss Windows IT Pro in 2007! As a subscriber, you'll get full access to must-have coverage relating to Windows Vista deployment, virtualization, disaster recovery, Active Directory, the Office 2007 launch, SharePoint fundamentals, and much more. Order now and save 58% off the cover price. https://store.pentontech.com/index.cfm?s=1&promocode=eu2071uw

===========================================================

Security UDPATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

http://www.windowsitpro.com/windowssecurity

http://www.securityprovip.com

Subscribe to Security UPDATE at

http://www.windowsitpro.com/Email/Index.cfm?action=archive

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.