Security Watch

Ill News for Illwill

Microsoft arms itself and users against hackers.

Last week William Genovese, a.k.a. "illwill," was arrested and charged with selling Windows 2000 and Windows NT 4.0 source code. The source code was purportedly stolen from the drives of a computer owned by longtime Microsoft partner Mainsoft Corp. The arrest was the result of the work of an online security investigator hired by Microsoft, the U.S. Attorney's office and the FBI. Genovese has a previous conviction, in March of 2003, for eavesdropping when he wrote a virus used to hack into computers.

Genovese, 27, of Meriden, Connecticut, faces a maximum sentence of 10 years in prison and a fine of $250,000 if convicted.

The arrest is good, and welcome, news. It's been disheartening of late to witness the criminal activity concerning computers and computer information. In spite of all we know, in spite of all we do, it seems we're deluged daily with, or beaten down with, the news of new vulnerabilities, new malware, new incidents of data theft, denial of service attacks and increasing evidence of criminal and malicious intent behind them.

Just when I was ready to succumb to my paranoia and retire to my fortress, two good things happened. First, the arrest shows that organizations are working together to "do something" about it. A single arrest won't stop the attempts or successful attacks on our information systems, but it does indicate progress.

Second, you, the readers, continue to write me with not just questions, but information on how you're engaged in the battle. Keep those letters coming. I answer as many questions as I can, and I like hearing about your successes in keeping the boogey man at bay.

Meanwhile, Microsoft has a slew of tools that may help in your efforts. These tools, all part of the ALTools package, focus on Netlogon and the Windows event log. They can be downloaded here.

Included in the package:

  • LockoutStatus.exe. Displays information about a locked-out account.
  • ALockout.dll. Helps determine the program or process sending the incorrect credentials in an account lockout scenario.
  • AcctInfo.dll. Isolates and troubleshoots account lockouts.
  • ALoInfo.exe. Displays user account names and their password age.
  • EnableKerbLog.vbs. Startup script that enables Kerberos logging.
  • EventCombMT.exe. Gathers events from event logs at many locations for a centralized view.
  • NLParse.exe. Extracts and displays desired entries from Netlogon files.

But before you rush out and start using the tools, read the disclaimers. For example, Microsoft warns that you shouldn't run ALockout.dll on servers that host network programs such as Exchange, because the tool may make it impossible for those programs to start.

Also check out the Microsoft document "Account Passwords and Policies," which fully describes the tools, points to more information on running them, and sternly warns against their frivolous use. (The tools can be used with Windows Server 2003, Win2K and, in some cases, NT 4.0.) As usual, before running any new tool, you should back up a copy of the operating system and your valuable data.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP, is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
