Security Incidents mailing list archives

SecurityFocus.com Microsoft Newsletter #23


From: Stephen Entwisle <se () SECURITYFOCUS COM>
Date: Mon, 26 Feb 2001 10:26:21 -0700

SecurityFocus.com Microsoft Newsletter #23
------------------------------------------
I. FRONT AND CENTER
     1. The Field Guide for Investigating Computer Crime, Part 7: Information
        Discovery - Basics and Planning
     2. Studying Normal Traffic, Part Two: Studying FTP Traffic
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft Windows NT PPTP DoS Vulnerability
     2. Microsoft Windows 2000 Domain Controller DoS Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Details on a hacked NT server (possible kit?)   (Thread)
     2. TO WHOM IT MAY CONSERN Registry entrys regarding Denial of...(Thread)
     3. OT: P*rn Site Urls   (Thread)
     4. Outlook Text Preview option   (Thread)
     5. NT 4 with IIS 4 install checklist   (Thread)
     6. pcAnywhere   (Thread)
     7. iis unicode bug...   (Thread)
     8. Possible FTP Site DDoS   (Thread)
     9. P*rn Site Urls   (Thread)
     10. Laptop Security   (Thread)
     11. Troubleshooting disk permission schemes ...   (Thread)
     12. Win2K Terminal Service as Web Server Admin Tool   (Thread)
     13. FW: Outlook Text Preview option   (Thread)
     14. NT/w2k kiosk or hardening software?   (Thread)
     15. NT: Restrict Users from Installing Software?   (Thread)
     16. Win2k Telnet Service   (Thread)
     17. VNCViewer   (Thread)
     18. MS Security Issue   (Thread)
     19. Is my IIS proxying for people?   (Thread)
     20. SecurityFocus.com Microsoft Newsletter #22   (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. Ethenticator MS 3000
     2. EGTSOFT System Locker
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. DoorWatch
     2. Random Number Generator
     3. Advanced Password Generator 2.74
     4. WebClicker 2.0
     5. aTrans
VI. SUBSCRIBE/UNSUBSCRIBE INFORMATION

I. FRONT AND CENTER
-------------------
1. The Field Guide for Investigating Computer Crime, Part 7: Information
   Discovery Basics and Planning
by Timothy E. Wright

This is the seventh installment in SecurityFocus.com's Field Guide for
Investigating Computer Crime. The previous installment in this series,
"Search and Seizure, Evidence Retrieval and Processing", concluded the
overview of search and seizure with a discussion of the retrieval and
processing of computer crime scene evidence. In this installment, we will
begin our discussion of information discovery, the process of viewing log
files, databases, and other data sources on unseized equipment, in order
to find and analyze information that may be of importance to a computer
crime investigation.

http://www.securityfocus.com/focus/ih/articles/crimeguide7.html

2. Studying Normal Traffic, Part Two: Studying FTP Traffic
by Karen Frederick

This is the second article in a three-part series devoted to studying
normal traffic. Many intrusion detection analysts concentrate on
identifying the characteristics of suspicious packets. However, it is also
important to be familiar with what normal traffic looks like. A great way
to do this is to generate some normal traffic, capture the packets and
examine them. The first article in this series explained how to capture
packets using WinDump and reviewed some simple examples of normal TCP/IP
traffic. In this article, we will be examining FTP traffic, which, from a
traffic flow standpoint, is more complicated than many other protocols.

http://www.securityfocus.com/focus/ids/articles/normaltraf2.html

II. BUGTRAQ SUMMARY
-------------------

1. Microsoft Windows NT PPTP DoS Vulnerability
BugTraq ID: 2368
Remote: Yes
Date Published: 2001-02-13
Relevant URL:
http://www.securityfocus.com/bid/2368
Summary:

Point to Point Tunneling Protocol (PPTP) is a protocol which enables
remote users to connect to a network through a secure connection.

Due to a memory leak in the implementation of PPTP it is possible for a
remote user to cause a denial of service condition on a server running
Windows NT with PPTP enabled.

An attacker could exploit this vulnerability by submitting multiple
malformed packets to the PPTP services on the target server. Each
malicious packet could consume system memory until all available system
resources were exhausted.

A restart of the server is required to restore normal functionality.

Successful exploitation of this vulnerability could assist in further
attacks against the victim.

2. Microsoft Windows 2000 Domain Controller DoS Vulnerability
BugTraq ID: 2394
Remote: Yes
Date Published: 2001-02-20
Relevant URL:
http://www.securityfocus.com/bid/2394
Summary:

Domain controllers in a Windows 2000 network handle user authentication
and various other required tasks.

Microsoft Windows 2000 domain controllers are subject to a denial of
service condition.

Unfortunately, Windows 2000 domain controllers do not properly validate a
user request before attempting to process it. Submitting numerous
specially crafted invalid requests to a domain controller causes the
domain controller to attempt to carry out each request. This continual
processing will eventually exhaust nearly all available system resources,
preventing the domain controller from handling its mandatory tasks.

A restart of the server is required to restore normal functionality.

Successful exploitation of this vulnerability could assist in further
attacks against the victim host.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------

1. Details on a hacked NT server (possible kit?)   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3dF221C7Mzx6ClF6OuyyF0000955e
 () hotmail com


2. TO WHOM IT MAY CONSERN Registry entrys regarding Denial of Service Attacks   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d001601c09e58$df026280$8401a8c0@tricompc


3. OT: P*rn Site Urls   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d006001c09dde$d634f7f0$b6079818@ndr113


4. Outlook Text Preview option   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d006201c09de3$78b579b0$37866a3f@ssternw2kw


5. NT 4 with IIS 4 install checklist   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3dGLEFJOAAJFENFGKOJPBGIELLCDAA.patrick
 () whitefrog com


6. pcAnywhere   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3dDAEIJNEKMPIGLADFMEICMEAODBAA.smoulec
 () cuisinesolutions com


7. iis unicode bug...   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d3A96CCA5.1E9B0197
 () moquijo com


8. Possible FTP Site DDoS   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d200102232145.f1NLjFA54681
 () robin cts com


9. P*rn Site Urls   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3dNDBBJLMHNCGAJNMCLPHFIEMIEDAA.karl
 () lovink net


10. Laptop Security   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3dPine.LNX.4.10.10102221221490.11153-100000
 () KWAN ca


11. Troubleshooting disk permission schemes ...   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d01F1E3781779D411B63B00D0B7B0E0D03824EE
 () atv-ga4b-213 rasserver net


12. Win2K Terminal Service as Web Server Admin Tool   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d31ACC2D3E8B4D411BC4A00306E0061EF016207@IGHMSG01


13. FW: Outlook Text Preview option   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d49EFF2B5759ED2118F0F00805FE67FE0039F2F03
 () dasmttayz026 army pentagon mil


14. NT/w2k kiosk or hardening software?   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3dDJEGKFFMGLMAKALIEECAOENOCDAA.judy
 () colorado edu


15. NT: Restrict Users from Installing Software?   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d3A936B60.F4CFC954
 () ifi uib no


16. Win2k Telnet Service   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d00b901c09bd1$69578f30$af05a8c0
 () anchorsign com


17. VNCViewer   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d000b01c09bab$5415c680$1fef0b18
 () truckee1 ca home com


18. MS Security Issue   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d4.3.2.7.2.20010220122932.00faa890
 () pop qut edu au


19. Is my IIS proxying for people?   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3d603D8EA4BB33D31197600006290532CE06AEEC03
 () Server1b office isaserver be


20. SecurityFocus.com Microsoft Newsletter #22   (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-02-26%26thread%3dPine.GSO.4.30.0102191038510.13831-100000@mail


IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------

1. Ethenticator MS 3000
by Ethentica
Platforms: Windows NT
Relevant URL: http://www.securityfocus.com/products/1385
Summary:

The Ethenticator's unique ability to grant access to networks and
protected websites without having to remember or type passwords makes it a
lifesaver while you're on the road with a thousand other things on your
mind. Its secure access features put your mind at ease, too, with reliable
protection from unauthorized use and data theft. The Ethenticator MS 3000
also eliminates the need to remember passwords and lets you instantly
access any web site on the Internet that requires your password, any
application or other text-based information secured by a password or user
name / password combination on your mobile computer.

2. EGTSOFT System Locker
by EGTSOFT
Platforms: Windows 95/98
Relevant URL: http://www.securityfocus.com/products/1384
Summary:

System Locker is a handy utility that locks your keyboard and mouse, thus
allowing you to protect your personal computer from unauthorized access.
System Locker is a highly configurable utility and can be tuned to fully
satisfy customers' needs.


V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------

1. DoorWatch
Platforms: Windows 2000
by corea2k
Relevant URL: http://www.securityfocus.com/tools/1936
Summary:

IP/PORT/NetBios/Trojan Scanning
Whois
Ping Test
Ping Attack
NetStatus
NSLookup
Finger


2. Random Number Generator
Platforms: Windows 95/98
by Segobit
Relevant URL: http://www.securityfocus.com/tools/671
Summary:

Random Number Generator is a Windows 95 based application designed to
generate random numbers of any length.

Random Number Generator v.1.1 allows users to choose among the random
number generators built into this application: a linear congruential
generator and a bit-shift generator. This feature is used to generate an
extremely random seed value. The random number generators are written in a
low-level language, and some of the generators built into this application
are impossible to write in a high-level language (Basic, Pascal, C++ and
others). Random Number Generator will generate up to 200 numbers.

3. Advanced Password Generator 2.74
Platforms: Windows 2000, Windows 95/98 and Windows NT
by Segobit Software
Relevant URL: http://www.securityfocus.com/tools/1907

Advanced Password Generator is an application designed to generate
passwords of any length and character content. Advanced Password Generator
allows users to choose among the random number generators built into this
application. This feature is used to generate an extremely random seed
value. The random number generators are written in a low-level language,
and some of the generators built into this application are impossible to
write in a high-level language (Basic, Pascal, C++ and others). After
registration, the user can obtain the application with their own additional
random number generator. Advanced Password Generator will create
alphabetic, numeric, alphanumeric or all-keyboard-character passwords of
user-defined lengths. Passwords can be generated in lowercase or mixed
case. All passwords can be printed.


4. WebClicker 2.0
Platforms: Windows 2000, Windows 95/98 and Windows NT
by Moritz Bartl
Relevant URL: http://www.securityfocus.com/tools/1859

Uses public proxies to create artificial banner ad clicks. Emulates
complete browser HTTP transfer and can be used for banner/link exchanges
and toplists as well.

5. aTrans
Platforms: Windows 2000, Windows 95/98 and Windows NT
by DataRescue Inc
Relevant URL: http://www.securityfocus.com/tools/1942

Easy to move, easy to use, P2P secure file transfer and chat on the
Win32 platform. AES encryption / RSA authentication / Diffie-Hellman
EKE, on-the-fly compression, secure migration in a 400 kb self-extracting
encrypted package.

VI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------

1.  How do I subscribe?

Send an e-mail message to LISTSERV () SECURITYFOCUS COM with a message body
of:

  SUBSCRIBE FOCUS-MS Lastname, Firstname

You will receive a confirmation request message to which you will have
to answer.

2.  How do I unsubscribe?

Send an e-mail message to LISTSERV () SECURITYFOCUS COM from the subscribed
address with a message body of:

  UNSUBSCRIBE FOCUS-MS

If your email address has changed, email aleph1 () securityfocus com and I
will manually remove you.

3.  How do I disable mail delivery temporarily?

If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:

  SET FOCUS-MS NOMAIL

To turn back on e-mail delivery use the command:

  SET FOCUS-MS MAIL

4.  Is the list available in a digest format?

Yes. The digest is generated once a day.

5.  How do I subscribe to the digest?

To subscribe to the digest, join the list normally (see section 0.2.1)
and then send a message to LISTSERV () SECURITYFOCUS COM with a message
body of:

  SET FOCUS-MS DIGEST

6. How do I unsubscribe from the digest?

To turn the digest off send a message to LISTSERV with a message body
of:

  SET FOCUS-MS NODIGEST

If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.

7. I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send email from the
appropriate address or email the moderator to be unsubscribed manually.
