Information Security News mailing list archives

Security UPDATE, August 8, 2001


From: InfoSec News <isn () c4i org>
Date: Thu, 9 Aug 2001 06:35:02 -0500 (CDT)

********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com
********************


~~~~ THIS ISSUE SPONSORED BY ~~~~

IBM Infrastructure
   http://go.win2000mag.net/UM/T.asp?A2153.23115.1296.1.532985

~~~~~~~~~~~~~~~~~~~~

~~~~ IBM INFRASTRUCTURE ~~~~
   Not worried about hackers? You should be. Because they can put your
e-business out of business. If your customers don't feel comfortable
dealing with you online, they'll work with someone else. With IBM
infrastructure, you'll have the security your company needs to operate
effectively and to keep your clients comfortable. Your networks and
servers are the backbone of your company. It's time you treated them
that way. In today's ever-changing e-environment, keeping network
security tight is something that can't be ignored. So is keeping your
clients happy. Find out more from our latest security white paper
today.
   http://go.win2000mag.net/UM/T.asp?A2153.23115.1296.1.532985

********************

August 8, 2001--In this issue:

1. COMMENTARY
     - Surprise: Code Red II 

2. SECURITY RISKS
     - Command History Vulnerability in Windows 2000 and Windows NT

3. ANNOUNCEMENTS
     - Get 25 Percent Off Windows 2000 Magazine!
     - Tired of the Same Old Sales Pitch?

4. SECURITY ROUNDUP
     - News: Code Red II Worm on the Loose
     - News: Orbit Secures DirecPC Satellite Internet Service
     - News: Government Mulls Requesting Court to Block Windows XP

5. SECURITY TOOLKIT
     - Book Highlight: Counter Hack: A Step-By-Step Guide to Computer
Attacks and Effective Defenses
     - Virus Center 
         - Virus Alert: W32/MSInit.A
     - FAQ: Do I Have to Call Microsoft If I've Lost My Windows 2000
Server Terminal Services License Tokens?
     - Windows 2000 Security: Code Red and Proactive Security

6. NEW AND IMPROVED
     - Detect Trojan Horses
     - Learn About ISA Server

7. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Unlocking Security Policy
     - HowTo Mailing List 
         - Featured Thread: How to Disable HTTP and SMTP Banner Version
Information

8. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,
   You've probably read the news by now: A new version of the Code Red
worm, dubbed Code Red II, is spreading rapidly across the Internet. Is
that news any surprise? The new Code Red worm is far more dangerous than
previous versions--it spreads more effectively and also installs a
Trojan horse that creates back doors within Microsoft IIS.
   On Monday, we posted a survey on our Windows 2000 Magazine Security
Channel home page that asks whether any version of the Code Red worm has
infected your systems. (See the list of resources at the end of this
column for all related URLs.) As of today, 9 people have admitted that
the worm has infected their systems. If you ask me, that's 9 too many.
If you haven't patched your IIS systems to protect against the Code Red
worm, this is the time to do so. You'll find a link to the Microsoft
security bulletin MS01-033 and patch in the related news item in the
Security Roundup section of this newsletter. Also, be sure to read Randy
Franklin Smith's article, "Code Red and Proactive Security" on the
Security Channel Web page--it's good advice. (See the first paragraph of
his article and the URL to the Web site in the Security Toolkit section
of this newsletter.)
   Speaking of patches, I've read several recent posts on the Bugtraq
mailing list that indicate a problem might exist with the Microsoft
patch listed in Microsoft Bulletin MS01-033. A few people have reported
that after they installed the patch, their systems remain immune to Code
Red infection. However, when an infected system attempts to connect to
their system to infect it, several IIS services (e.g., FTP, the default
Web site, the administrative Web site, and the proxy service) stop
processing.
   In addition, users on our Win2KSecAdvice mailing list report that
Code Red worm variants are affecting Cisco 600 series routers because
the routers use a Web service on port 80. Users report that even when
their systems run Cisco's latest firmware revision (which is generally
CBOS 2.4.2, depending on the router) and they have disabled the Web
interface, the routers stop passing traffic when the worm confronts the
routers. Some readers have suggested workarounds that help deter the
effects of the Code Red worm.
   If you're interested in a detailed analysis of how the new Code Red
II operates, read eEye Digital Security's Code Red II report, which we
published on our Win2KsecAdvice mailing list last weekend. In addition,
the Computer Emergency Response Team (CERT) has published a good
overview of how the Code Red worm works. Until next time, have a great
week.

Resources:
  Security: Poll
  http://www.WindowsITsecurity.com

  Microsoft Bulletin MS01-033
  http://www.securityfocus.com/templates/archive.pike?list=1

  Win2KSecAdvice--Code Red II workarounds
  http://63.88.172.96/go/win2ks-l.asp?a1=ind0108a&l=win2ksecadvice

  eEye Digital Code Red II Report
  http://63.88.172.96/go/win2ks-l.asp?a2=ind0108a&l=win2ksecadvice&p=1173

  CERT Incident Note
  http://www.cert.org/incident_notes/IN-2001-09.html

Sincerely,

Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () win2000mag com)

* COMMAND HISTORY VULNERABILITY IN WINDOWS 2000 AND WINDOWS NT
   Siffredi Dani reported that a vulnerability exists in Windows 2000
and Windows NT that lets a user crash the system by opening a command
prompt, running certain commands (e.g., ping, dir), and pressing F7
repeatedly during the command's execution. Depending on the system's
configuration, Win2K or NT will either reboot or display the blue screen
common to system crashes. Microsoft is aware of the vulnerability but
hasn't released a fix or workaround for this problem.
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22037

3. ==== ANNOUNCEMENTS ====

* GET 25 PERCENT OFF WINDOWS 2000 MAGAZINE!
   Every issue of Windows 2000 Magazine is packed with superb coverage
of security, Active Directory (AD), disaster recovery, Exchange (and
more!) and helps you navigate the rough waters of your job with ease.
Subscribe now (at 25 percent off the regular rate) and find out why your
peers think we're simply the best independent resource for Windows 2000
and Windows NT professionals.
   http://www.win2000mag.com/sub.cfm?code=diee201gup

* TIRED OF THE SAME OLD SALES PITCH?
   Now there's a better way to find the perfect IT vendor or
solution--absolutely free! The IT Buyer's Network (ITBN) lets you search
through thousands of vendor solutions. You'll love the ITBN's one-stop
shopping approach for hardware, network and systems software, IT
services, and much more. Visit the ITBN today.
   http://www.itbuynet.com

4. ==== SECURITY ROUNDUP ====

* NEWS: CODE RED II WORM ON THE LOOSE
   A new worm, dubbed Code Red II, is attacking Web servers and carries
an entirely different payload from the original Code Red worm. eEye
Digital Security performed a detailed analysis of the Code Red II worm
after the SecurityFocus ARIS Project came forward with information about
the new threat. Once inside a system, Code Red II creates files in the
MSADC and SCRIPTS IIS-related directories. In addition, the worm creates
a Trojan horse on the system by injecting binary code into the
explorer.exe file, which runs the Win2K desktop.
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22054

* NEWS: ORBIT SECURES DIRECPC SATELLITE INTERNET SERVICE
   Orbit Communications has released its new Orbitnet software, which
uses a two-way satellite to connect a network of computers to the
Internet through DirecPC's satellite Internet service. Targeted at small
office/home office (SOHO) users, Orbitnet is a server-based application
that's compatible with all Windows platforms. Orbitnet's server software
runs on an Intel-based computer and provides network address translation
(NAT), a firewall, a proxy server, and virus scanners. Orbit based the
firewall on stateful packet-inspection technology that uses fine-grain
control over a user's Internet access privileges.
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22042

* NEWS: GOVERNMENT MULLS REQUESTING COURT TO BLOCK WINDOWS XP
   Quoting sources close to state and federal prosecutors, a report this
weekend in The Washington Post said that the government is seriously
considering asking the courts to block Windows XP's release or at least
require Microsoft to modify the OS before releasing it. According to the
report, lawyers from the offices of the New York, Wisconsin, and
California attorneys general are conducting XP research. None of the
parties involved will speak publicly about the government's legal
strategy.
   http://www.wininformant.com/articles/index.cfm?articleID=22050

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: COUNTER HACK: A STEP-BY-STEP GUIDE TO COMPUTER ATTACKS
AND EFFECTIVE DEFENSES
   By Edward Skoudis
   List Price: $49.99
   Fatbrain Online Price: $39.99
   Softcover; 500 pages
   Published by Prentice Hall PTR, July 2001
   ISBN 0130332739

For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0130332739
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
   http://www.WindowsITsecurity.com/panda

Virus Alert: W32/MSInit.A
   W32/MSInit.A is a worm that uses a TCP/IP connection to access other
systems. The worm searches for IP addresses at random. When the worm
finds an IP address for a remote system that allows access to a disk
where Windows is installed, the worm creates a copy of itself in the
Windows\System directory of that remote system. The copy of the worm
resides in a file named Wininit.exe.
   http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusID=798

* FAQ: DO I HAVE TO CALL MICROSOFT IF I'VE LOST MY WINDOWS 2000 SERVER
TERMINAL SERVICES LICENSE TOKENS?
   (contributed by John Savill, http://www.windows2000faq.com)

A. With Windows 2000 Server Terminal Services licenses, you must contact
Microsoft to enable Client Access Tokens on the server. If you rebuild a
Terminal Services license server, you typically must contact Microsoft
to re-enable the licenses. However, Microsoft has released a hotfix at
its Web site (see the first URL below) that lets you recover any future
Client Access Licenses (CALs) that you apply. You must be running Win2K
Service Pack 1 (SP1) or Win2K Service Pack 2 (SP2) to apply this fix. Be
aware, however, that you'll still need to contact Microsoft to recover
any CALs that you install before applying the hotfix if you have no
backup of the license database. Microsoft has published a related news
bulletin at the second URL below:

http://support.microsoft.com/support/kb/articles/Q287/6/87.asp
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/tslichotfix.asp

* WINDOWS 2000 SECURITY: CODE RED AND PROACTIVE SECURITY
   By now, you've probably read about the Code Red Web server worm and
have loaded the fix on your Internet-connected Microsoft IIS servers.
Unlike a typical desktop worm, such as Melissa, the Code Red worm
spreads from one Web server to another. After infecting a Web server,
Code Red temporarily defaces the home page before creating 99 threads
that look for other Web servers to infect. However, because Code Red
uses an exploit for which a patch has been available for some time, your
systems might be safe. If you've practiced proactive security (e.g.,
reading Microsoft security bulletins and loading recommended hotfixes on
your Windows 2000 IIS servers), you were probably already protected from
Code Red before its release. Read the rest of Randy Franklin Smith's
article at the following URL:
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21967

6. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () win2000mag com)

* DETECT TROJAN HORSES
   Greatis Software released RegRun II software to manage the Windows
startup processes. RegRun II consists of eight subsystems for
controlling programs that load from the registry or Windows system
files. You can track and manage all startup processes to detect hidden
Trojan horses, viruses, or other unauthorized programs. RegRun II runs
on Windows 2000, Windows NT, Windows Me, and Windows 9x systems and
costs $19.95 for a single-user license. Contact Greatis Software at
a-team () greatis com.
   http://www.greatis.com

* LEARN ABOUT ISA SERVER
   Microsoft Press released "MCSE Training Kit: Microsoft Internet
Security and Acceleration Server 2000," a book that teaches you how to
set up and support Microsoft Internet Security and Acceleration (ISA)
Server 2000 to optimize network performance and security. Topics include
installing ISA Server, configuring and troubleshooting ISA Server
services, managing and troubleshooting policies and rules, configuring
the client PC, and monitoring and managing ISA Server use. The 656-page
book includes one CD-ROM and costs $59.99. Contact Microsoft Press at
800-677-7377.
   http://mspress.microsoft.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: Unlocking Security Policy
   (Three messages in this thread)

A user needs to change the user rights in Windows 2000 Professional, but
when he opens the Local Security Policy, all of the subheadings have a
lock next to them. He already has administrator rights and is not on a
domain. Also, he needs to know how to recover or retrieve his forgotten
password in Win2K Pro. Read more about the problem and the responses, or
lend a hand at the following URL:
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=73704

* HOWTO MAILING LIST
   http://www.WindowsITsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: How to Disable HTTP and SMTP Banner Version Info
   (Four messages in this thread)

As you know, versioning information recovered from service banners can
help an intruder determine a more effective way of penetrating a system.
In most cases, it's wise to mask this information from prying eyes. A
user on the HowTo mailing list wants to know how to remove Microsoft
version information from the banners presented during typical HTTP and
SMTP mail sessions. With Windows releases prior to Windows 2000, you
could use a hexadecimal editor to edit the text strings within the
binary file used to provide a service. However, with Microsoft system
file protection technology in Win2K, it's more difficult to replace the
text strings because the system file protection will notice those
changes and revert to an original copy of the edited file. Can you help
figure out how to effectively mask such banners? Read the responses or
lend a hand at the following URL:
   http://63.88.172.96/go/page_listserv.asp?A2=ind0108A&L=howto&p=82
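The thread above is about making sure a server no longer advertises its product and version. The following audit script is an added example, not code from the thread or from Microsoft: it takes a raw HTTP response and an SMTP greeting (constructed samples here, not captures from any real host) and reports every product/version string still present, so an administrator can confirm a masking change actually took effect.

```python
import re
from typing import Dict, List, Optional

# Constructed sample banners in the shape an unmasked Win2K-era IIS and
# SMTP service would present (illustrative values, not real captures).
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Wed, 08 Aug 2001 12:00:00 GMT\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_SMTP_GREETING = (
    "220 mail.example.test Microsoft ESMTP MAIL Service, "
    "Version: 5.0.2195.1600 ready at Wed, 8 Aug 2001 12:00:00 -0500\r\n"
)

# A vendor/product keyword followed (on the same line) by a dotted version
# number is exactly the disclosure the thread wants removed.
VERSION_PATTERN = re.compile(
    r"(?i)\b(?:Microsoft|IIS|ESMTP|Apache|Exchange)[^\r\n]*?\d+(?:\.\d+)+"
)


def http_server_header(response: str) -> Optional[str]:
    """Return the Server header value of a raw HTTP response, or None."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def disclosed_versions(banner: str) -> List[str]:
    """Every product/version string found in a banner or header value."""
    return [m.group(0) for m in VERSION_PATTERN.finditer(banner)]


def audit(http_response: str, smtp_greeting: str) -> Dict[str, List[str]]:
    """Map each service to the version strings it still discloses.
    The 'http' key is present only when a Server header exists at all."""
    findings: Dict[str, List[str]] = {}
    server = http_server_header(http_response)
    if server is not None:
        findings["http"] = disclosed_versions(server)
    findings["smtp"] = disclosed_versions(smtp_greeting)
    return findings


if __name__ == "__main__":
    for service, leaks in audit(SAMPLE_HTTP_RESPONSE, SAMPLE_SMTP_GREETING).items():
        print(service, "discloses:" if leaks else "is masked", leaks)
```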

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () win2000mag com

********************

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE () list win2000mag net.

If you have questions or problems with your UPDATE subscription, please
contact securityupdate () win2000mag com. 
___________________________________________________________
Copyright 2001, Penton Media, Inc.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

