Information Security News mailing list archives

Security UPDATE, February 19, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 20 Feb 2003 02:33:20 -0600 (CST)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows Server 2003, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

February 19, 2003--In this issue:

1. IN FOCUS
     - Security Reconnaissance with Honeyd and HoneyWeb

2. SECURITY RISKS
     - Multiple Vulnerabilities in Opera Web Browser
     - Brute-Force Vulnerability in Aprelium's Abyss Web Server
     - Buffer-Overrun Vulnerability in Celestial Software's Absolute
       Telnet

3. ANNOUNCEMENTS
     - Pharma-IT Summit: Real-World Solutions for Today's Pharma-IT
       Challenges, March 31, 2003
     - Try Windows & .NET Magazine!

4. SECURITY ROUNDUP
     - News: Sanctum Announces AppScan Developer Edition
     - News: Microsoft Offers Less-Technical Security Information
     - News: KeyLabs Says Sygate Outperforms Symantec
     - News: Peace of Mind While Shopping Online

5. INSTANT POLL
     - Results of Previous Poll: Slammer/Sapphire Worm
     - New Instant Poll: Early Warning Network

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Prevent Users from Importing or Exporting Their
       Microsoft Internet Explorer (IE) Favorites?

7. NEW AND IMPROVED
     - Block User-Installed Wireless Networks
     - Secure Servers Attached to KVM Switches
     - Submit Top Product Ideas

8. HOT THREAD
     - Windows & .NET Magazine Online Forums
         - Featured Thread: ISA Feature Pack 1 and SSL Certificates

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* SECURITY RECONNAISSANCE WITH HONEYD AND HONEYWEB

Do you have layered security in place? If so, do your layers include
features that help you determine which kinds of attacks are targeting
your networks? Many of you probably have probing and attack-detection
tools in place, such as an Intrusion Detection System (IDS), but you
can take that sort of attack-detection technology further by adding a
honeypot to your network.

I've written about various honeypot technologies in the past,
including information about various network, system, and service
emulators. For example, some honeypot technologies can mimic
particular system architecture, and others can emulate services such
as SMTP mail servers to help thwart spammers. You can find several
articles about honeypots through the search URL below.
   http://search.winnetmag.com/query.html?qt=honeypot&site=security

On Lance Spitzner's Tracking Hackers Web site (see the first URL
below), he defines a honeypot as "a security resource [whose] value
lies in being probed, attacked, or compromised." If you're interested
in honeypot technology, know that a new version of Honeyd (see the
second URL below) was released over the weekend, along with a new
challenge for people to contribute to the project.
   http://www.tracking-hackers.com
   http://www.citi.umich.edu/u/provos/honeyd/

Niels Provos, who developed Honeyd, explains that "Honeyd is a virtual
honeypot running as a small daemon to create virtual hosts on a
network. The hosts can be configured to run arbitrary services, and
their personality can be adapted so that they appear to be running
certain operating systems." Honeyd monitors unused IP addresses on a
network to develop a virtual network of honeypots to help detect
probing and intrusion.

Honeyd listens for TCP, UDP, and some types of Internet Control
Message Protocol (ICMP) traffic to help detect activity directed at
your network's unused IP addresses, to which no one should be sending
traffic in the first place. If you want to establish bogus services to
interact with potential intruders, you can use Honeyd to do that as
well. One of Honeyd's slick features is its ability to spoof a given
system type at the kernel level to help thwart tools such as Xprobe
and Nmap, which are designed to detect exact OS types, such as Windows
or a Cisco Systems router OS.

Along with the release of Honeyd 0.5, Provos has issued an invitation
to contribute to the Honeyd project by developing useful feature
additions and improvements. Potential contributors can work on
developments such as additional service emulators and forensics tools
for analysis and visualization of Honeyd log files and a GUI. You can
read more about the challenge at the Honeyd Web site, hosted at the
University of Michigan.
   http://www.citi.umich.edu/u/provos/honeyd/challenge.html

Other useful honeypot tools work in conjunction with Honeyd, or you
can run them standalone. One such tool is HoneyWeb, written by Kevin
Timm and available at the URL below. HoneyWeb is a new tool that can
emulate various Web server platforms, including Apache, Netscape, and
Microsoft IIS. HoneyWeb deceives intruders by emulating HTTP headers
and delivering Web pages.
   http://www.var-log.com/files

For example, HoneyWeb looks at incoming URL requests, determines which
platform they suit, and returns headers and Web pages that emulate
that platform. As I interpret the somewhat sparse documentation, the
tool can also track URL requests persistently. So if the same user
makes a UNIX-style request and then a Microsoft-style request (in a
configurable time frame), the system can return a 404 error to
maintain consistency with the type of Web platform being emulated.
HoneyWeb can spoof other kinds of content, and it can return bogus
directory listings for a given root path URL or a bogus rendition of
an .htaccess file.
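
The consistency behaviour described above, sketched in Python as an added example. It is not HoneyWeb's code: the URL signatures, banner strings, the names `classify` and `ConsistencyTracker`, and the 300-second default window are all assumptions made for illustration.

```python
import re
import time

# Assumed URL signatures and banners; illustrative, not taken from HoneyWeb.
SIGNATURES = {
    "microsoft": re.compile(r"\.(asp|aspx|ida|idq|dll)\b|/scripts/|/_vti_bin/", re.I),
    "unix": re.compile(r"/cgi-bin/|\.(php|pl|cgi)\b|\.htaccess|/~\w+", re.I),
}
BANNERS = {"microsoft": "Microsoft-IIS/5.0", "unix": "Apache/1.3.27 (Unix)"}
DEFAULT_PLATFORM = "unix"  # persona shown when the first request is neutral


def classify(path):
    """Return the platform family a request path suits, or None if neutral."""
    for platform, pattern in SIGNATURES.items():
        if pattern.search(path):
            return platform
    return None


class ConsistencyTracker:
    """Remembers which platform each client was shown, for `window` seconds."""

    def __init__(self, window=300, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self.seen = {}  # client address -> (platform, time of last request)

    def respond(self, client, path):
        """Return (status, headers) for one request, keeping the persona stable."""
        now = self.clock()
        wanted = classify(path)
        entry = self.seen.get(client)
        if entry and now - entry[1] > self.window:
            entry = None  # persona expired; the client may be shown another one
        shown = entry[0] if entry else (wanted or DEFAULT_PLATFORM)
        self.seen[client] = (shown, now)  # each request refreshes the window
        # A request that suits the other platform gets a 404 from the current one.
        status = 404 if wanted and wanted != shown else 200
        return status, {"Server": BANNERS[shown]}
```

Logging each 404 produced by a platform mismatch gives a simple record of clients that are probing for more than one server type.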

Timm developed HoneyWeb in the Python programming language. To learn
more about HoneyWeb, visit the first URL below and also read the
readme text in the program archive file. If you want to try HoneyWeb,
you need to obtain a copy of Python for your platform at the second
URL below. HoneyWeb also supports Secure Sockets Layer (SSL) by using
Stunnel as an add-on. You can obtain Stunnel at the third URL below.
   http://www.var-log.com/files/HoneyWeb.txt
   http://www.python.org
   http://www.stunnel.org

If you don't use a honeypot on your network, why not consider
installing one? It might pick up on subtle forms of probing and
identify attacks that your IDS might not be able to detect. Using a
honeypot can increase your awareness of the type of attacks your
network faces and help you keep your network more secure.

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* MULTIPLE VULNERABILITIES IN OPERA WEB BROWSER
   Opera Software's Opera Web Browser 7.0 and earlier contains five
newly discovered vulnerabilities. Three of these vulnerabilities
permit full read access to the user's file system and let an intruder
list contents of directories, read files, and access email messages on
the vulnerable system. The other two vulnerabilities expose sensitive
private information about the user by permitting Web access to URLs
that the user has recently visited. Opera Software has released Opera
Web Browser 7.01, which isn't vulnerable to these conditions.
   http://www.secadministrator.com/articles/index.cfm?articleid=38021

* BRUTE-FORCE VULNERABILITY IN APRELIUM'S ABYSS WEB SERVER
   A vulnerability in Aprelium Technologies' Abyss Web Server 1.1.2
and earlier lets an attacker gain administrative access to the Web
server. An attacker can connect to the remote Web management interface
at http://abyss_server:9999 and use a brute-force method to access the
server. An attacker can use an indefinite number of attempts to enter
a valid username and password; the software uses no delay to penalize
wrong attempts. Abyss has no logging for port 9999 (unlike the
access.log file for port 80). Aprelium has been notified and will
release a patch or new version that isn't vulnerable to these
conditions.
   http://www.secadministrator.com/articles/index.cfm?articleid=38022

* BUFFER-OVERRUN VULNERABILITY IN CELESTIAL SOFTWARE'S ABSOLUTE TELNET
   A vulnerability in Celestial Software's Absolute Telnet 2.11 and
Absolute Telnet 2.00 can lead to arbitrary execution of code on the
vulnerable system. This vulnerability is a result of insufficient
bounds checking in the code that sets the program's title bar.
Celestial Software has released Absolute Telnet 2.12 Release Candidate
10 (RC10), which isn't vulnerable to this condition.
   http://www.secadministrator.com/articles/index.cfm?articleid=37999

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* PHARMA-IT SUMMIT: REAL-WORLD SOLUTIONS FOR TODAY'S PHARMA-IT
CHALLENGES, MARCH 31, 2003
   Annual executive conference highlights the increased focus on IT
security in global pharmaceutical enterprises. Networking, case
studies, intensive workshops, and forums help CIOs, CTOs, CFOs, VPs, and
other top decision makers leverage pharmaceutical IT solutions
successfully. Keynote presentations by executives from Aventis,
Novartis, Astrazeneca, Hoffman-Laroche and Pfizer, plus US Dept. of
Health & Human Services.
   http://list.winnetmag.com/cgi-bin3/flo/y/ePen0CJgSH0CBw07QH0Ab

* TRY WINDOWS & .NET MAGAZINE!
  Every issue of Windows & .NET Magazine includes intelligent,
impartial, and independent coverage of security, Active Directory,
Microsoft Exchange Server, and more. Our expert authors deliver how-to
content you simply can't find anywhere else. Try a sample issue today,
and find out what more than 100,000 readers know that you don't!
   http://list.winnetmag.com/cgi-bin3/flo/y/ePen0CJgSH0CBw07q40An

4. ==== SECURITY ROUNDUP ====

* NEWS: SANCTUM ANNOUNCES APPSCAN DEVELOPER EDITION
   Sanctum announced AppScan Developer Edition (DE) 1.5, which helps
create secure Web applications. AppScan DE is integrated seamlessly
into Microsoft Visual Studio .NET for support using the C#, C++, and
J# programming languages. The product helps developers create unit
tests and validation processes, provides defect analysis, and offers
recommendations for code improvement.
   http://www.secadministrator.com/articles/index.cfm?articleid=38007

* NEWS: MICROSOFT OFFERS LESS-TECHNICAL SECURITY INFORMATION
   Microsoft now offers news about product security problems to
less-technical users, such as home users and corporate executives who
don't need exact details. Users can subscribe to the new security
alerting service at the Microsoft Security Update Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=38011

* NEWS: KEYLABS SAYS SYGATE OUTPERFORMS SYMANTEC
   Sygate Technologies announced that independent testing laboratory
KeyLabs conducted a comparison test that showed that the company's
Sygate Secure Enterprise 3.0 outperformed Symantec's Client Security
2.0.
   http://www.secadministrator.com/articles/index.cfm?articleid=38006

* NEWS: PEACE OF MIND WHILE SHOPPING ONLINE
   ScanAlert is helping e-commerce sites increase sales while offering
online shoppers a little more peace of mind. The company's HACKER SAFE
service helps consumers determine whether a given e-commerce site is
secure enough to trust with handling sensitive information, such as
credit card numbers.
   http://www.secadministrator.com/articles/index.cfm?articleid=38018

5. ==== INSTANT POLL ====
 
* RESULTS OF PREVIOUS POLL: SLAMMER/SAPPHIRE WORM
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Did the Slammer/Sapphire worm directly affect your network,
connectivity, or computerized activities directly?" Here are the
results from the 250 votes. (Deviations from 100 percent are due to
rounding errors.)
   - 24% Yes
   - 76% No
 
* NEW INSTANT POLL: EARLY WARNING NETWORK
   The next Instant Poll question is, "Do you participate in an 'early
warning' network that gathers forensic information from firewall and
Intrusion Detection System (IDS) logs?" Go to the Security
Administrator Channel home page and submit your vote for a)
Yes--DShield.org, b) Yes--Symantec DeepSight Analyzer, c) Both of the
above, d) Other, or e) No.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT USERS FROM IMPORTING OR EXPORTING THEIR
MICROSOFT INTERNET EXPLORER (IE) FAVORITES?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. By default, users can use the File, Import and Export menu option
in IE to import and export their IE Favorites. You can disable this
functionality by performing the following steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the HKEY_CURRENT_USER\Software\Policies\Microsoft
registry subkey.
   3. If the Internet Explorer subkey doesn't exist, create it (from
the Edit menu, select New, Key and type "Internet Explorer" without
the quotes), then navigate to that subkey.
   4. From the Edit menu, select New, DWORD Value.
   5. Enter the name DisableImportExportFavorites, then press Enter.
   6. Double-click the new value, set it to 1, then click OK.

The change takes effect immediately. Users will still be able to run
the Import and Export Wizard, but when they click Finish, the wizard
will inform them that it has been disabled.

7. ==== NEW AND IMPROVED ====
   (contributed by Sue Cooper, products () winnetmag com)

* BLOCK USER-INSTALLED WIRELESS NETWORKS
   SecureWave released WaveLock, a free utility that blocks access to
the wireless network adapters and wireless LAN (WLAN) cards that
Windows XP and Windows 2000 support. WaveLock detects attempts to
install wireless network adapters and prevents their drivers from
loading, rendering the adapters inoperative and ensuring that users
who know about these preinstalled drivers don't compromise your
networks. For more information or to download WaveLock, visit the
following URLs:
   http://securewave.com/products/free_utilities/wavelock.html
   http://securewave.com

* SECURE SERVERS ATTACHED TO KVM SWITCHES
   Belkin introduced the OmniView SE Plus Series Keyboard/Video/Mouse
(KVM) Switch, which gives you control over multiple-platform servers
from a single console. Product security has been enhanced to prevent
unintended information exchange between secure and nonsecure servers
connected to the Switch. The new KVM switch supports PS/2-style and
USB servers in two-port or four-port models. For pricing or more
information, contact Belkin at 800-223-5546 or through its Web site.
   http://www.belkin.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREAD ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: ISA Feature Pack 1 and SSL Certificates
   (Three messages in this thread)

A user in the Netherlands writes that he believes that since the
release of Microsoft Internet Security and Acceleration (ISA) Server
Feature Pack 1, it's no longer necessary to configure a demilitarized
zone (DMZ) to secure his network when he wants only to securely expose
his Microsoft Exchange Server to his employees through the Internet.
Is this correct? He believes that he'll have to use a Secure Sockets
Layer (SSL) certificate, and he has questions about the best approach
to do so. Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=54270

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

__________________________________________________________
Copyright 2003, Penton Media, Inc.