Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Virus
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

FW: Fw: zotob

from [jay.tomas@infosecguru.com] Network Security [Permanent Link]
Subject: FW: Fw: zotob
Date: Tue, 16 Aug 2005 15:03:25 -0400 
Just an observation ... by renaming admin accounts you'll thwart the simpliest 
of script kiddies.
Anyone with an 'ounce' of skill will enumerate your box and look at the sid of 
the user ids.

e.g. 

Username                 SID
WishICouldFoolYou       S-1-5-21-329067152-789339058-725245543-500      

500 is your admin.

Using a tool like DUMPSEC will give you this info as well as other info on 
inconspicuous admins on
box. I'm not saying it's completely worthless to do against a scripted attempt, 
but if you have a
live body, or a dead one juiced up on caffeine they will enumerate and continue 
their attack.

my2c                                                                            
                                                                                
                                
Jay

"John D. Patota" <jpatota@ccs.neu.edu>
08/16/2005 12:26 PM
 
        To:     Nick Wells <nick@clandestineresearch.com>
        cc:     focus-virus@securityfocus.com
        Subject:        Re: zotob


The first two points are really for securing the administrator account 
on a server or other secure machine. The admin which doesnt belong to 
any group has no access to the system. If a hacker of virus were trying 
to break into the Administrator, it would be nothing more than a decoy.

Blending the real administrator account is also a trick to hide its true 
identity. If you have a naming scheme like lastn.f, rename the admin 
account to match. That way when someone is enumerating your machine they 
wont know the first place to look.

This is a real great guide for locking down admin accounts but might be 
better suited for some sort of security list

http://www.microsoft.com/downloads/details.aspx?FamilyID=04d81d4f-3b02-4486-b37a-c3469048c662&Displa
yLang=en


The first and last chapters are fluff but the rest is good

Nick Wells wrote:

The first to points are interesting, but it would be easier to just 

rename

the admin account /me thinks.

Nick Wells
Windows Administrator
I-2000, Inc

-----Original Message-----
From: John D. Patota [mailto:jpatota@ccs.neu.edu] 
Sent: Monday, August 15, 2005 14:13
To: focus-virus@securityfocus.com
Subject: zotob

Its my estimate it will only be a few days until this hits windows XP.

Some useful information is at 

http://www.f-secure.com/v-descs/zotob_a.shtml


The biggest thing I can think of is to have users assign strong 
passwords to their Administrator accounts. If you want to do things 
right, take the following steps:

- Disable the Admin account entirely and take it out of every group
- Create a separate account with administrator permissions whose 
username is inconspicuous
- Primarily use an account with minimal permissions, when installing 
programs and doing other various administrative duties you can right 
click on the program and select "run as"

This is the type of mentality UNIX and subsequently macs use that most 
windows users haven't caught on to yet. I just hope when vista comes out 



Microsoft will smarten up and tighten administrator access.










-----------------------------------------
This communication is for informational purposes only. It is not intended
as an offer or solicitation for the purchase or sale of any financial
instrument or as an official confirmation of any transaction. All market
prices, data and other information are notwa rranted as to completeness or
accuracy and are subject to change without notice. Any comments or
statements made herein do not necessarily reflect those of J.P. Morgan
Chase & Co., its subsidiaries and affiliates.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: zotob, Brady McClenon
    • Re: zotob, John D. Patota
    • FW: Fw: zotob, jay.tomas@infosecguru.com <=
Previous by Date:  wintbp.exe, Schlegel, Justin
Next by Date:  Re: wintbp.exe, William O'Malley
Previous by Thread:  Re: zotob, John D. Patota
Next by Thread:  ms05-039, hc0d3
Indexes:  [Date] [Thread] [Top] [All Lists]