Information Security News mailing list archives

Security UPDATE, August 7, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 8 Aug 2002 03:05:34 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

CipherTrust IronMail
   http://list.winnetmag.com/cgi-bin3/flo?y=eMxj0CJgSH0CBw03q30Au 

Real-World Strategies for Infrastructure Success
   http://www.ibm.com/e-business/playtowin/n161 
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: CIPHERTRUST IRONMAIL ~~~~
   Secure the Email Gateway **FREE Email Security White Paper
   IronMail secures email traffic entering and leaving enterprise
email systems.
   *Stop SPAM from consuming resources and annoying end-users
   *Prevent HACKERS and INTRUDERS from penetrating or taking down
email systems
   *Block VIRUSES, WORMS and TROJAN HORSES before they reach mail
servers and users
   *Protect WEB MAIL systems including OWA and iNotes
   *Secure your email systems with APPLICATION-SPECIFIC gateway
protection for Exchange, Notes, GroupWise, Sendmail and other mail.
   IronMail integrates defenses against these threats in a secure,
hardened gateway appliance.
   FREE white paper on email security risks:
   http://list.winnetmag.com/cgi-bin3/flo?y=eMxj0CJgSH0CBw03q30Au 

~~~~~~~~~~~~~~~~~~~~

August 7, 2002--In this issue:

1. IN FOCUS
     - Warchalking Wireless Networks

2. SECURITY RISKS
     - Buffer-Overrun Vulnerability in MDAC 2.7, 2.6, and 2.5

3. ANNOUNCEMENTS
     - The Backup and Recovery Solutions You've Been Searching For!
     - Get a Free Digital or Print Sample Issue Today!

4. SECURITY ROUNDUP
     - Feature: Protect Your IM Use
     - Feature: Security Holes Pop Up in Unexpected Places

5. INSTANT POLL
     - Results of Previous Poll: Security Budget
     - New Instant Poll: Wireless Security

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Configure Microsoft's Secure Desktop Restriction
       Setting in Win2K SP1 and Later?

7. NEW AND IMPROVED
     - ITsecurity.com Launches Security Clinic Compendium
     - Upgrades to Existing Security Software
     - Submit Top Product Ideas

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
        - Featured Thread: Can You Audit Removable Media Drives for
          Access?

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* WARCHALKING WIRELESS NETWORKS

About 20 years ago, attackers used "war dialers" to find computer
systems to crack. War-dialer software calls phone numbers looking for
answering modems. With the advent of wireless technology, the term
"war dialers" morphed into "war drivers," which I discussed in last
week's Security UPDATE in conjunction with Science Applications
International Corporation's (SAIC's) new wireless honeypot network.
The network is designed to trap war drivers--people who drive around
with wireless connectivity devices looking for unprotected wireless
networks. Intruders then use those unprotected networks to gain free
Internet access for various online activities.
   http://www.secadministrator.com/articles/index.cfm?articleid=26113

This week, I encountered the relatively new trend called
"warchalking," which is related to war driving. War drivers use chalk
to identify buildings that run wireless networks. According to what
I've read, four men sitting at a pizza parlor in London developed
warchalking, after at least one of them saw UK Architectural
Association students design an office floor plan on the pavement. One
of the men mentioned that hobos had once used symbols (see the URL
below) to pass along useful information, such as identifying houses at
which they could get meals. The four men then decided that they could
use a similar technique to identify unprotected wireless networks.
   http://www.worldpath.net/~minstrel/hobosign.htm

Soon thereafter, a Web site appeared where users can log ideas and
share information (see the first URL below), and the idea has taken
off like a Colorado wildfire. As far as I know, three basic symbols
are in use, and you can download a PDF file of the symbols (see the
second URL below). The first symbol, two halves of a circle joined back
to back at the curved edges, represents completely open wireless
nodes. The second symbol, a circle, represents a closed node. The
third symbol, a circle with the letter "W" in the center, represents a
Wired Equivalent Privacy (WEP) node that probably won't allow easy
public access. In addition, each symbol might have a Service Set
Identifier (SSID) indicated above it, which tells people how to access
that particular wireless node. To obtain SSIDs, intruders use sniffer
software that can crack wireless LAN codes.
   http://www.warchalking.us
   http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf

Using chalk to identify available wireless connectivity points might
seem somewhat useless at first: Someone can rub off the chalk and it
washes away in the rain. But chalk is less intrusive and less damaging
than other media such as spray paint. In addition, any given wireless
network might change its configuration over time--and warchalkers can
easily adjust symbols accordingly.

Some wireless network operators have complained in online public forums
about having warchalkers mark their networks. However, because the
symbols are visible, network operators know that others have
identified their premises as having wireless networks. Those operators
can decide whether and how they want to react to the situation. If
operators don't want unknown persons connecting to their network, they
can apply various forms of security to prevent such access. Some
operators think warchalking is a good idea and plan to print the
relevant symbol on paper and put it in their building windows. Others
propose adding symbols to identify networks that are voluntarily open
to the public as a means to share unused bandwidth.

All in all, warchalking is a relative invasion of privacy that
heightens the security risks and liabilities involved with maintaining
a network. However, as wireless nodes become more commonplace,
warchalking will probably disappear.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: REAL-WORLD STRATEGIES FOR INFRASTRUCTURE SUCCESS ~~~~
   Learn how your company can tackle the challenge of continually
integrating to remain competitive as e-business technologies evolve.
The IBM white paper, "Managing e-business integration challenges," can
help you understand how to identify key integration components. So
even as today's systems become tomorrow's legacy systems, you'll be
able to support ever-changing business goals. Also included is a
discussion of how to assess your integration requirements for whatever
state of e-business adoption your infrastructure has reached. Visit us
online to get your complimentary copy today at
   http://www.ibm.com/e-business/playtowin/n161 

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* BUFFER-OVERRUN VULNERABILITY IN MDAC 2.7, 2.6, AND 2.5
   David Litchfield of Next Generation Security Software discovered a
buffer-overflow vulnerability in Microsoft Data Access Components
(MDAC) that could result in the SQL service failing or executing
arbitrary code from a potential attacker. This vulnerability results
from an unchecked buffer in the MDAC functions that handle the
OpenRowSet command. Microsoft has released Security Bulletin MS02-040
(Unchecked Buffer in MDAC Function Could Enable SQL Server Compromise)
to address this vulnerability and recommends that affected users apply
the appropriate patch mentioned in the security bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26126

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* THE BACKUP AND RECOVERY SOLUTIONS YOU'VE BEEN SEARCHING FOR!
   Our popular Interactive Product Guides (IPGs) are online catalogs
of the hottest vendor solutions around. Our latest IPG highlights the
backup and recovery solutions and services that will help you recover
your data and your network when disaster strikes. Download the IPG for
free at:
   http://list.winnetmag.com/cgi-bin3/flo?y=eMxj0CJgSH0CBw03lL0AG

* GET A FREE DIGITAL OR PRINT SAMPLE ISSUE TODAY!
   SQL Server Magazine is the premier independent resource for
Microsoft SQL Server database solutions--packed with hands-on, how-to
articles to keep your database running at peak performance. This
technical handbook is now available in two convenient formats. Select
your free digital or print sample issue at:
   http://list.winnetmag.com/cgi-bin3/flo?y=eMxj0CJgSH0CBw03oc0Ag

4. ==== SECURITY ROUNDUP ====

* FEATURE: PROTECT YOUR IM USE
   Unfortunately, Instant Messaging (IM) provides new avenues for
electronic assault. Intruders constantly use IM to achieve their
mischievous or malicious purposes. Some IM networks are so overrun by
malicious users that no one else participates. No signs accurately
warn users about the IM risks and how to reduce those risks. Roger A.
Grimes introduces you to the different IM models, discusses how four
popular IM networks operate, and describes how you can protect
yourself from malicious attacks.
   http://www.secadministrator.com/articles/index.cfm?articleid=25669

* FEATURE: SECURITY HOLES POP UP IN UNEXPECTED PLACES
   With so many obvious security holes that systems administrators
have to watch out for, keeping up with all the potential problem areas
that the Windows OSs present is tough. It's even worse when the
security problems occur in a little-used but ubiquitous application
such as the Windows Media Player (WMP).
   http://www.secadministrator.com/articles/index.cfm?articleid=25840

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: SECURITY BUDGET
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Is
your current level of network security a function of budget
constraints?" Here are the results (+/- 2 percent) from the 162 votes:
   -  9% Yes--We need more security staff
   - 26% Yes--We need additional security tools
   - 49% Yes--We need additional staff and tools
   - 10% No--We budget for adequate network security
   -  6% No--We "spare no expense" for network security

* NEW INSTANT POLL: WIRELESS SECURITY
   The next Instant Poll question is, "Does your company use some form
of security to prevent unauthorized access to its wireless network?"
Go to the Security Administrator Channel home page and submit your
vote for a) Yes, b) No, c) No--We leave the wireless network
unprotected to offer open access.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I CONFIGURE MICROSOFT'S SECURE DESKTOP RESTRICTION
SETTING IN WIN2K SP1 AND LATER?
   (contributed by John Savill, http://www.windows2000faq.com)

A. Users who interactively log on to a computer running Windows 2000
or later can perform tasks that might be security risks, such as
gaining access to display and input devices that a computer process
with wider-reaching privileges owns. These users then can create a
process to capture passwords or sensitive data. For more information
about the problem, see Microsoft Security Bulletin MS00-200 (Patch
Available for 'Desktop Separation' Vulnerability).
   Win2K SP1 corrected this vulnerability by adding a Secure Desktop
Restriction setting, but the new locked-down functionality might
adversely affect certain applications. If your application vendor
advises you to disable this security setting, perform the following
steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter a name of SecureDesktop.
   5. Double-click the new value, set it to 0 to disable the setting
(you can set the value to 1 to reenable the default configuration),
then click OK.
   6. Restart the machine for the change to take effect.
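
The registry change in the steps above, as an added PowerShell example (not
part of the original FAQ and not Microsoft's code). The key path and the
SecureDesktop value name come from the FAQ; the function names are
hypothetical, reading a missing value as the default is an assumption drawn
from the FAQ's steps, and PowerShell 3.0 or later is assumed, so it applies
to later Windows versions rather than Win2K itself.

```powershell
# Added example: audit or change the SecureDesktop value from the FAQ steps.
# Key path and value name are from the FAQ; function names are hypothetical.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ValueName = 'SecureDesktop'

function Get-SecureDesktopState {
    # Read the value without throwing when it has never been created.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Assumption: an absent value means the default (restriction enabled),
        # because the FAQ has you create the value by hand to turn it off.
        $raw = $null
        $state = 'Enabled (value absent, default)'
    } else {
        $raw = $item.$ValueName
        $state = switch ($raw) {
            0       { 'DISABLED' }
            1       { 'Enabled' }
            default { "Unknown ($raw)" }
        }
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Value       = $raw
        Restriction = $state
    }
}

function Set-SecureDesktopState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1)]
        [int]$Value   # 0 = disable the restriction, 1 = default configuration
    )
    # Writing under HKLM needs an elevated session.
    $before = Get-SecureDesktopState
    # -Force creates the DWORD if it is missing and overwrites it if present.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    $after = Get-SecureDesktopState
    # Return both states so the change can be logged; step 6 still applies.
    [pscustomobject]@{
        Before         = $before.Restriction
        After          = $after.Restriction
        RestartNeeded  = $true
    }
}

# Audit only: report the current state without changing anything.
Get-SecureDesktopState
```

Calling Set-SecureDesktopState -Value 1 restores the default configuration on
a machine where the audit reports DISABLED without a vendor requirement.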

7. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* ITSECURITY.COM LAUNCHES SECURITY CLINIC COMPENDIUM
   ITsecurity.com has produced the first volume of Security Clinic
Compendium, a compilation of real-life security problems and the
experts' answers to them. The Security Clinic Compendium contains
about 400 information security problems and solutions in one fully
searchable application. The experts provide their help and advice
completely free of charge. The Security Clinic Compendium costs $75
for a single workstation license. Send orders to sales () ITsecurity com.
Site and educational discounts are available.
   http://www.itsecurity.com/asktecs/volumeone.htm

* UPGRADES TO EXISTING SECURITY SOFTWARE
   SecureWave released SecureEXE 2.5 and SecureNT 2.5, upgrades to
SecureEXE and SecureNT, respectively. SecureEXE 2.5 is an Application
Execution Control security solution that lets an organization define
which applications users can execute. No other applications will
execute, including viruses and Trojan horses. SecureNT 2.5 gives
businesses the ability to control and manage end-user access to I/O
devices such as the floppy disk drive, memory-sticks, PDAs, USB
external storage, CD-ROMs, serial and parallel ports, and Plug and
Play (PnP) devices. Version 2.5 introduces Device White List Driver
(WLD), an optional component that filters out all devices that don't
fall into one of the device classes that SecureNT manages. Both
releases run on Windows XP, Windows 2000, and Windows NT. For pricing,
contact SecureWave at the Web site or email marco () securewave com.
   http://www.securewave.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Can You Audit Removable Media Drives for Access?
   (Two messages in this thread)

Rod wants to know if he can audit access to removable media drives,
such as Zip drives, floppy disk drives, and CD-ROMs. Read the
responses or lend a hand at:
   http://www.secadministrator.com/forums/thread.cfm?thread_id=110095

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

