Security Watch
Ill News for Illwill
Microsoft arms itself and users against hackers.
- By Roberta Bragg
- 11/22/2004
Last week William Genovese, a.k.a. "illwill," was arrested and charged
with selling Windows 2000 and Windows NT 4.0 source code. The source code was
purportedly stolen from the drives of a computer owned by longtime Microsoft
partner Mainsoft Corp. The arrest resulted from the work of an online security
investigator hired by Microsoft, the U.S. Attorney's office and the FBI. Genovese
has a previous conviction, in March of 2003, for eavesdropping when he wrote
a virus used to hack into computers.
Genovese, 27, of Meriden, Connecticut, faces a maximum sentence of 10 years
in prison and a fine of $250,000 if convicted.
The arrest is good, and welcome, news. It's been disheartening of late to witness
the criminal activity concerning computers and computer information. In spite
of all we know, in spite of all we do, it seems we're deluged daily with, or
beaten down with, the news of new vulnerabilities, new malware, new incidents
of data theft, denial of service attacks and increasing evidence of criminal
and malicious intent behind them.
Just when I was ready to succumb to my paranoia and retire to my fortress,
two good things happened. First, the arrest shows that organizations are working
together to "do something" about it. A single arrest won't stop the
attempts or successful attacks on our information systems, but it does indicate
progress.
Second, you, the readers, continue to write me with not just questions, but
information on how you're engaged in the battle. Keep those letters coming.
I answer as many questions as I can, and I like hearing about your successes
in keeping the boogey man at bay.
Meanwhile, Microsoft has a slew of tools that may help in your efforts. These
tools, all part of the ALTools package, focus on Netlogon and the Windows event
log. They can be downloaded here.
Included in the package:
- LockoutStatus.exe. Displays information about
a locked-out account.
- ALockout.dll. Helps determine the program or process
sending the incorrect credentials in a lockout scenario.
- AcctInfo.dll. Isolates and troubleshoots account
lockouts.
- ALoInfo.exe. Displays user account names and their
password age.
- EnableKerbLog.vbs. Startup script that enables
Kerberos logging.
- EventCombMT.exe. Gathers events from event logs
at many locations into a centralized view.
- NLParse.exe. Extracts and displays desired entries
from Netlogon files.
But before you rush out and start using the tools, read the disclaimers. For
example, Microsoft warns that you shouldn't run ALockout.dll on servers that
host network programs such as Exchange, because the tool may make it impossible
for those programs to start.
Also check out the Microsoft document "Account
Passwords and Policies," which fully describes the tools, points to
more information on running them, and sternly warns against their frivolous
use. (The tools can be used with Windows Server 2003, Win2K and, in some cases,
NT 4.0.) As usual, before running any new tool, you should back up a copy of
the operating system and your valuable data.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP, is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.