Information Security News mailing list archives

Security UPDATE, May 8, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 9 May 2002 02:10:10 -0500 (CDT)

******************** 
Windows & .NET Magazine Security UPDATE--brought to you by Security 
Administrator, a print newsletter bringing you practical, how-to 
articles about securing your Windows .NET Server, Windows 2000, and 
Windows NT systems. 
   http://www.secadministrator.com 
******************** 

~~~~ THIS ISSUE SPONSORED BY ~~~~

Reliable Patch Management 
   http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0rf10Ao

Connected Home Magazine Virtual Tour
   http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0LTe0Ak
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: RELIABLE PATCH MANAGEMENT ~~~~ 
   IT Managers scanning systems for security hotfixes and patches are 
left wondering whether the systems they thought were safely patched are 
actually vulnerable. UpdateEXPERT(tm) solves this patch management and 
deployment dilemma. It is the only remediation tool that uses a 
research database from third party test results and analytical 
information to make deployment reliable. Research available fixes, scan 
workstations and servers, deploy updates without remote agents and 
validate the job, all in a single tool.
   FREE Live Trial:
   http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0rf10Ao

~~~~~~~~~~~~~~~~~~~~ 

May 8, 2002--In this issue: 

1. IN FOCUS
     - Intrusion Cleanup: What's the Cost? 

2. SECURITY RISKS
     - Multiple Vulnerabilities in BEA WebLogic
     - DoS in ISS's RealSecure Network Sensor

3. ANNOUNCEMENTS
     - Cast Your Vote for Our Readers' Choice Awards!
     - Mobile and Wireless Solutions--An Online Resource for a New Era

4. SECURITY ROUNDUP
     - News: ISS Teams with Network Associates
     - News: Gartner Says Most Attacks Will Exploit Known Flaws
     - News: Word Patch Fixes Outlook Email Vulnerability
     - Feature: Security Bug Fixes

5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: What Is Windows Update Corporate Edition?

6. NEW AND IMPROVED
     - Defend Against Intruders and Malicious Code
     - Secure Enterprise Servers with Free Beta

7. HOT THREADS 
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Screen Saver Passwords
     - HowTo Mailing List
         - Featured Thread: Security Policy Disciplinary Measures

8. CONTACT US 
   See this section for a list of ways to contact us. 

~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor, 
mark () ntsecurity net) 

* INTRUSION CLEANUP: WHAT'S THE COST? 

Has your network ever suffered intrusion or misuse? If not, you're 
among the fortunate few. If so, the cause might have been a virus, 
worm, or Trojan horse; a workstation, server, or router breach; or an 
employee misusing company services and bandwidth. In any case, have you 
ever calculated the cost to clean up such messes and return everything 
to its prior state? Although you might find calculating such losses 
tedious, you can find ways to reach a fairly accurate figure. 

Dave Dittrich's online FAQ "Estimating the cost of damages due to a 
security incident" (see the first URL below) can help you think of the 
factors to consider and the costs to associate with each factor in the 
clean-up process. Dittrich notes that proposed Senate Bill S.2448, "The 
Internet Integrity and Critical Infrastructure Protection Act of 2000" 
(introduced in the 106th Congress, see the second URL below), defines 
how organizations can calculate loss. According to Senate Bill S.2448, 
"The term 'loss' means any reasonable cost to any victim, including the 
cost of responding to an offense, conducting a damage assessment, and 
restoring the data, program, system, or information to its condition 
prior to the offense, and any revenue lost, cost incurred, or other 
consequential damages incurred because of interruption of service." 
   http://staff.washington.edu/dittrich/misc/faqs/incidentcosts.faq
   http://www.senate.gov/search/index.html

According to Dittrich's interpretation of the bill's definition, 
tallied costs should include all staff time spent cleaning up damage; 
lost productivity time, including that of users (who lacked working 
systems) and business partners (who were denied service during this 
period); lost time in terms of e-commerce revenue; and the price of 
replacing hardware, software, and other damaged or stolen property. The 
loss calculation shouldn't include precautionary measures put in place 
to prevent similar attacks in the future. You should consider such 
measures part of ordinary systems administration.

Dittrich also cites the Incident Cost Analysis & Modeling Project 
(ICAMP--see the URL below) that the Committee on Institutional 
Cooperation (CIC) and the University of Chicago conducted. ICAMP 
figures the basic monetary loss relative to affected users by 
calculating an hourly wage (dividing an annual salary by 52 weeks, then 
by 40 hours) and multiplying that wage by hours of work lost. As you'll 
see, the ICAMP materials calculate additional costs as well.
   http://www.cic.uiuc.edu/groups/cic/listicampreports.shtml

Dittrich's FAQ is short, to the point, and a good place to start to 
learn how to calculate security-related losses. The FAQ includes a 
sample Microsoft Excel spreadsheet that you can use as a model to 
help build a loss-calculation tool for your enterprise. 

For more information, read CIO Magazine's February 15, 2002, article 
"Finally, A Real Return on Security Spending" (see the first URL 
below), which discusses an approach to calculating Return on Investment 
(ROI) for Intrusion Detection Systems (IDSs). The February 15 article 
references another article's sidebar, "Calculating Return on Security 
Investment" (see the second URL below). The sidebar presents a 
relatively simple formula for the ROI calculation: (R - E) + T = ALE, 
in which R is the cost per year to recover from intrusions, E is the 
dollar savings gained by preventing intrusions, and T is the cost of an 
intrusion-detection tool. The result is your Annual Loss Expectancy 
(ALE). To calculate Return on Security Investment (ROSI), subtract your 
ALE from the annual cost of intrusion.
   http://www.cio.com/archive/021502/security.html
   http://www.cio.com/archive/021502/security_sidebar_content.html
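As an added illustration (not code from the newsletter, from Dittrich's FAQ, or from the CIO sidebar), the Python script below tallies an incident's loss the way the column describes it: ICAMP-style hourly wages times hours lost, plus lost revenue and replacement costs, with precautionary spending recorded but left out, and then applies the sidebar's ALE and ROSI formulas. All salaries and dollar figures are constructed.

```python
from dataclasses import dataclass

# ICAMP hourly wage: annual salary / 52 weeks / 40 hours
HOURS_PER_YEAR = 52 * 40


@dataclass
class StaffTime:
    """Hours a group spent on cleanup or lost because systems were down."""
    who: str
    annual_salary: float
    hours: float
    headcount: int = 1

    def cost(self) -> float:
        return self.annual_salary / HOURS_PER_YEAR * self.hours * self.headcount


@dataclass
class Incident:
    staff: list                  # responders, idle users, denied partners
    revenue_lost: float = 0.0    # e-commerce revenue lost during the outage
    replacement: float = 0.0     # damaged or stolen hardware and software
    precautionary: float = 0.0   # new controls: recorded but NOT counted

    def loss(self) -> float:
        """Loss as S.2448 defines it, read the way Dittrich reads it."""
        return (sum(s.cost() for s in self.staff)
                + self.revenue_lost + self.replacement)


def annual_loss_expectancy(r: float, e: float, t: float) -> float:
    """CIO sidebar: ALE = (R - E) + T."""
    return (r - e) + t


def rosi(r: float, e: float, t: float) -> float:
    """ROSI = annual cost of intrusion (R) minus ALE."""
    return r - annual_loss_expectancy(r, e, t)


# Constructed sample: one admin rebuilds for a week, 20 users idle for a day.
SAMPLE = Incident(
    staff=[
        StaffTime("sysadmin cleanup", annual_salary=62_400, hours=40),
        StaffTime("idle users", annual_salary=41_600, hours=8, headcount=20),
    ],
    revenue_lost=5_000,
    replacement=1_500,
    precautionary=8_000,
)

if __name__ == "__main__":
    print(f"incident loss: ${SAMPLE.loss():>10,.2f}")
    print(f"ALE:           ${annual_loss_expectancy(43_600, 30_000, 12_000):>10,.2f}")
    print(f"ROSI:          ${rosi(43_600, 30_000, 12_000):>10,.2f}")
```

Because ROSI = R - ((R - E) + T), it reduces to E - T: the savings from prevented intrusions less the cost of the tool.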

Many of you have trouble getting your managers to approve budgets for 
security-related tools. You need clear ways to demonstrate the value of 
security-related measures and tools. You'll find calculating actual 
losses from intrusion or misuse a great way to justify a more adequate 
security budget, especially for preventive measures. 

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: CONNECTED HOME MAGAZINE VIRTUAL TOUR ~~~~ 
   THE CONNECTED HOME VIRTUAL TOUR IS BACK AND BETTER THAN EVER!
   If you think you've already seen the Connected Home Magazine Virtual 
Tour, think again. Browse through the latest home entertainment, home 
networking, and home automation options and check out our special 
feature on wiring your home. Sign up for our prize drawings, too, and 
you might win a free cinema card courtesy of VisionTek and NVIDIA. Take 
the tour today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0LTe0Ak
   
~~~~~~~~~~~~~~~~~~~~ 

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* MULTIPLE VULNERABILITIES IN BEA WEBLOGIC
   Multiple vulnerabilities exist in BEA Systems' BEA WebLogic 6.1 for 
Windows 2000 Service Pack 2 (SP2). A problem with the URL parser in BEA
WebLogic could let an attacker reveal the physical path to the Web 
root, cause a Denial of Service (DoS) attack, or reveal the source code 
of .jsp files. 
   By appending %00.jsp to a normal HTML request, an attacker can in 
some cases generate a compiler error that prints out the path to the 
physical Web root. 
   By requesting a DOS device and appending .jsp to the request, an 
attacker can exhaust working threads, which will cause the Web service 
to stop parsing HTTP and HTTP over Secure Sockets Layer (HTTPS) 
requests. 
   An attacker can use several methods to manipulate the URL in a way 
that will let the attacker read the contents of a .jsp file. For 
example, a malicious user can append %00x or "+." (quotation marks 
excluded) to a request for a .jsp file and read the contents of the 
.jsp file. BEA has released a patch that resolves these 
vulnerabilities.
   http://www.secadministrator.com/articles/index.cfm?articleid=25069
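As an added defender's example (not code from the newsletter or from BEA), the Python below scans constructed Web-server access-log lines for the three request patterns the item describes and labels which problem class each one matches. The log format (Common Log Format) and the list of reserved DOS device names are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Reserved DOS device names; Windows refuses them as ordinary file names.
DOS_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
               | {f"COM{i}" for i in range(1, 10)}
               | {f"LPT{i}" for i in range(1, 10)})

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2002:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [08/May/2002:10:01:03 -0500] "GET /index.html%00.jsp HTTP/1.0" 500 210
10.0.0.9 - - [08/May/2002:10:01:04 -0500] "GET /con.jsp HTTP/1.0" 500 0
10.0.0.9 - - [08/May/2002:10:01:05 -0500] "GET /login.jsp%00x HTTP/1.0" 200 3401
10.0.0.9 - - [08/May/2002:10:01:06 -0500] "GET /login.jsp+. HTTP/1.0" 200 3401
10.0.0.7 - - [08/May/2002:10:01:07 -0500] "GET /login.jsp HTTP/1.0" 200 1200
"""

# client, identd, user, [timestamp], "METHOD path ..."
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def classify(path: str) -> Optional[str]:
    """Name the WebLogic 6.1 URL-parser pattern a request path matches, or None."""
    lower = path.lower()
    if lower.endswith("%00.jsp"):
        return "path-disclosure (%00.jsp appended)"
    if ".jsp%00" in lower or lower.endswith(".jsp+."):
        return "source-disclosure (.jsp followed by %00x or +.)"
    name = lower.rsplit("/", 1)[-1]
    if name.endswith(".jsp") and name[:-4].upper() in DOS_DEVICES:
        return "thread-exhaustion (DOS device name + .jsp)"
    return None


def scan(log: str) -> List[Tuple[str, str, str]]:
    """Return (client, path, pattern) for every request that matches a pattern."""
    hits = []
    for line in log.splitlines():
        m = REQ_RE.match(line)
        if m is None:
            continue
        label = classify(m["path"])
        if label is not None:
            hits.append((m["ip"], m["path"], label))
    return hits


if __name__ == "__main__":
    for ip, path, label in scan(SAMPLE_LOG):
        print(f"{ip}  {path:<22} {label}")
```

A burst of such requests from one client, as in the sample, is the signal to check that the BEA patch is applied and to review what the server returned.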

* DoS IN ISS'S REALSECURE NETWORK SENSOR
   A Denial of Service (DoS) condition exists in Internet Security 
Systems' (ISS's) RealSecure Network Sensor. Specifically, a 
vulnerability in the three informational signatures associated with 
DHCP can result in a segmentation fault or exception error. An attacker
can exploit this vulnerability by sending specially crafted DHCP 
traffic, causing the sensor to malfunction or crash. ISS has issued 
X-Press Update 4.3, which contains a fix for this vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=25070

3. ==== ANNOUNCEMENTS ====

* CAST YOUR VOTE FOR OUR READERS' CHOICE AWARDS!
   Which companies and products do you think are the best on the 
market? Nominate your favorites in four different categories for our 
annual Windows & .NET Magazine Readers' Choice Awards. You could win a 
T-shirt or a free Windows & .NET Magazine Super CD, just for submitting 
your ballot. Click here!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0zMs0Ad

* MOBILE AND WIRELESS SOLUTIONS--AN ONLINE RESOURCE FOR A NEW ERA
   Our mobile and wireless computing site has it all--articles, product 
reviews, and other resources to help you support a wireless network and 
mobile users. Check it out today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLqv0CJgSH0CBw0qsD0AL

4. ==== SECURITY ROUNDUP ====

* NEWS: ISS TEAMS WITH NETWORK ASSOCIATES
   Internet Security Systems (ISS) and Network Associates have 
announced an alliance to deliver integrated security products and 
services. Network Associates will combine its fault isolation and 
performance management software, Sniffer Technologies, with ISS's 
intrusion-detection software, RealSecure. ISS said it will combine 
Network Associates' McAfee antivirus software with RealSecure and also 
offer customers managed security services.  
   http://www.secadministrator.com/articles/index.cfm?articleid=25088

* NEWS: GARTNER SAYS MOST ATTACKS WILL EXPLOIT KNOWN FLAWS
   Speaking at the Gartner Symposium/ITxpo in San Diego, Gartner 
analysts predicted that by 2005, up to 90 percent of attacks will 
exploit known security vulnerabilities for which patches and 
workarounds are available but not applied. Gartner said that 
enterprises don't do enough to prepare for network intrusion.
   http://www.secadministrator.com/articles/index.cfm?articleid=25089

* NEWS: WORD PATCH FIXES OUTLOOK EMAIL VULNERABILITY
   Microsoft recommends that Outlook users who use Microsoft Word as 
their email editor--a configuration known as WordMail--install a new 
patch for Word. The update fixes a vulnerability that could let harmful 
scripts run if the user replies to or forwards an HTML message. 
Microsoft Office XP Service Pack 1 (SP1) or Office 2000 Service Release 
1/1a (SR1/1a) is a prerequisite.
   http://www.microsoft.com/technet/security/bulletin/ms02-021.asp

* FEATURE: SECURITY BUG FIXES
   The security subsystem correctly records account lockout events when 
a user reaches the bad password threshold while logging on with a 
domain account; however, a bug in the audit code prevents the system 
from recording the account lockout when a user reaches the bad password 
threshold while logging on with a local workstation or server account. 
   The Windows 2000 Post-Service Pack 2 (SP2) file system driver has a 
bug that might cause ntfs.sys to crash with a stop code of 0x00000003. 
The blue screen occurs when the file system driver attempts to release 
the same resource twice. 
   When a system has a bad print driver, you might see several 
different error messages when you try to print a file or document. To 
recover from this error, you need to delete the printer, delete the 
print-driver file, and clean up printing subsystem registry entries. 
Learn more about these problems in Paula Sharick's article on our Web 
site.
   http://www.secadministrator.com/articles/index.cfm?articleid=25033

5. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: WHAT IS WINDOWS UPDATE CORPORATE EDITION?
   (contributed by John Savill, http://www.windows2000faq.com)

A. Windows Update Corporate Edition, which Microsoft plans to release 
in second quarter 2002, will let administrators host their own version 
of the Windows Update Web site on a local intranet. Windows Update 
Corporate Edition will, at scheduled intervals, pull the latest fixes 
from the public Windows Update Web site. A client component will let 
administrators check the intranet-based Windows Update site and use 
Group Policy settings to automatically download updates to clients. 
   The Windows Update Corporate Edition will help companies preserve 
bandwidth that they now use to repeatedly download the same fixes and 
will offer greater control over which updates users can install. For 
more information, visit the Microsoft Web site.
   http://www.microsoft.com/technet/ittasks/support/corpwu.asp

6. ==== NEW AND IMPROVED ==== 
   (contributed by Judy Drennen, products () winnetmag com) 

* DEFEND AGAINST INTRUDERS AND MALICIOUS CODE
   Network Associates released McAfee Desktop Firewall 7.5, software 
that inspects inbound and outbound traffic and allows or blocks 
connections, stops malicious code, detects unauthorized intrusions and 
application connections, records the event, and alerts the 
administrator. Desktop Firewall 7.5 also protects remote and broadband 
users. Desktop Firewall 7.5 runs on Windows XP, Windows 2000, Windows 
NT, Windows Me, and Windows 9x. For pricing, contact Network Associates 
at 972-308-9960 or 888-847-8766.
   http://www.mcafeeb2b.com/products/desktop-protection.asp

* SECURE ENTERPRISE SERVERS WITH FREE BETA 
   Turillion Software Technologies released the eServer Secure Manager 
beta, software designed to help the enterprise manage 100 or more 
eServer Secure-protected servers from a single console. Turillion's 
eServer Secure Manager beta software is available now for free to 
qualified beta testers from Turillion's private beta Web site at 
http://www.turillion.com/beta. For more information, contact Turillion 
at 800-604-3228.
   http://www.turillion.com

7. ==== HOT THREADS ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.net/forums

Featured Thread: Screen Saver Passwords
   (Three messages in this thread)

Claus wants to know how he can ensure that all network users (on 
systems including Windows 2000, Windows NT, and Windows 98) use 
password-protected screen savers.
   
http://www.secadministrator.com/forums/thread.cfm?cfapp=64&thread_id=103120#message268910

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Security Policy Disciplinary Measures
   (One message in this thread)

Paul is developing a security policy and wants to include information 
about disciplinary measures that will apply to users who violate 
policies (the measures taken would depend upon the associated impact). 
He's looking for documentation or Web sites that offer generic 
information about such disciplinary measures. Can you help? Read the 
responses or lend a hand at the following URL:
   
http://63.88.172.96/listserv/page_listserv.asp?A2=ind0205a&l=howto&p=1230

8. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 

* PRODUCT NEWS -- products () winnetmag com 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdate () winnetmag com 

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com 

******************** 

   This email newsletter is brought to you by Security Administrator, 
the print newsletter with independent, impartial advice for IT 
administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.net/email 


|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE. 

You are subscribed as isn () c4i org.

MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email 
newsletter account on our Web site. Simply log on and you can change 
your email address, update your profile information, and subscribe or 
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.net/email

SUBSCRIBE
To quickly subscribe, send a blank email to mailto:Security-UPDATE_Sub () list winnetmag com.

UNSUBSCRIBE
To quickly unsubscribe, send a blank email to 
mailto:Security-UPDATE_Unsub () list winnetmag com.

Thank you!



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
