Information Security News mailing list archives

Windows & .NET Magazine Security UPDATE--October 1, 2003

From: InfoSec News <isn () c4i org>
Date: Thu, 2 Oct 2003 04:41:34 -0500 (CDT)


==== This Issue Sponsored By ====

Sybari Software



1. In Focus: Passive Vulnerability Scanning

2. Security Risks
     - Denial of Service in SpeakFreely for Windows
     - Denial of Service in wzdftpd FTP Server for Windows
     - Mondosoft's MondoSearch File-Creation Vulnerability

3. Announcements
     - Attend Windows & .NET Magazine Connections, Win a Free Vacation
     - Check Out Our 2 New Web Seminars!

4. Security Roundup
     - News: Report: Microsoft Monoculture Is a National Security Risk
     - News: Sophos Acquires ActiveState
     - News: California Cracks Down Hard on Spammers

5. Instant Poll
     - Results of Previous Poll: DRM Use
     - New Instant Poll: Firewall and IDS Use

6. Security Toolkit
     - Virus Center
     - FAQ: How Can I Use Microsoft Internet Explorer (IE) to Pass a
       Username and Password to an FTP Site?
     - Featured Thread: Auditing Software for Windows 2000?

7. Event
     - The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!

8. New and Improved
     - Authenticate Using Steel-Belted Appliance
     - Secure Your Web Portal
     - Tell Us About a Hot Product and Get a T-Shirt

9. Contact Us
   See this section for a list of ways to contact us.


==== 1. In Focus: Passive Vulnerability Scanning ====
   by Mark Joseph Edwards, News Editor, mark () ntsecurity net

Last week, I wrote about Intrusion Detection Systems (IDSs) and about
a couple of reports that evaluate some (but not all) of the more
popular IDSs. IDSs are valuable tools for your network, as are
firewalls, vulnerability scanners, packet sniffers and analyzers, port
scanners, network mapping tools, and so on.

I recently learned about a new tool called a Passive Vulnerability
Scanner (PVS). A PVS is a hybrid tool that combines the sniffing
capabilities of a packet sniffer and analyzer with the capabilities of
an active vulnerability scanner and an IDS.

As you know, a packet analyzer and sniffer promiscuously captures
packets from the network so that you can analyze them; an active
vulnerability scanner probes systems and devices to detect known
vulnerabilities; and an IDS detects possible intrusion attempts as
traffic moves over your network. A PVS can do all of those things,
with a slight twist in the way it works. But a PVS isn't a replacement
for those types of tools--instead, it's complementary.

You place a PVS on the network in a position in which it can monitor
the traffic coming from various network segments, just like a network
sniffer. The PVS then sniffs the traffic in real time and analyzes it
by comparing it with a set of rules, like a vulnerability scanner
does. Broken rules trip triggers that alert the PVS administrator to
possible security problems on the network.

For example, you might have an environment in which none of the
network systems should be running FTP servers and only certain systems
should be running Web servers. If anyone from inside or outside your
network initiates inbound FTP access to one of your systems, the PVS
will alert you. Likewise, if the PVS detects Web traffic to a system
that shouldn't be running Web services, the PVS will alert you. These
sorts of detections are typical of IDSs, but the PVS can take the
analysis further.

When detecting Web traffic in this example, the PVS can analyze the
packets to try to determine what type of Web server software is in
use. If it's an outdated version of Microsoft IIS or Apache, the PVS
will alert the administrator that the system is running a vulnerable
software package. The administrator becomes aware of the problem
immediately without having to run a periodic vulnerability scan on
individual systems to detect problems.

In one more example, someone could place a server in your
demilitarized zone (DMZ) without your approval or knowledge. With a
PVS in place, you might become aware of that action sooner than you
would have otherwise because the PVS monitors traffic and doesn't
depend on network device audits or on vulnerability scans or agent
software running on individual systems. PVSs are independently
deployed, centrally manageable, and scan for problems by looking at
network traffic.
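
The three checks described above (a service that policy forbids, an outdated Web server banner, and an unexpected host answering in the DMZ) can be sketched as follows. This is an added example, not part of the original newsletter and not NeVO's code or rule format; the addresses, policy tables, and version floors are assumptions constructed for illustration.

```python
# Passive checks over traffic a sensor has already captured (added example).
# Hosts, banners and version floors are constructed for illustration.
import re
from ipaddress import ip_address, ip_network

# Assumed policy: no FTP servers anywhere; only listed hosts may serve HTTP.
ALLOWED_SERVERS = {21: set(), 80: {"192.0.2.10"}}
DMZ = ip_network("192.0.2.0/24")
KNOWN_DMZ_HOSTS = {"192.0.2.10", "192.0.2.20"}
# Oldest acceptable version per product (placeholder floors, not vendor guidance).
MIN_VERSION = {"Microsoft-IIS": (5, 0), "Apache": (1, 3, 28)}
BANNER_RE = re.compile(r"^Server:\s*([A-Za-z-]+)/(\d+(?:\.\d+)*)", re.I | re.M)

def parse_banner(payload):
    """Return (product, version tuple) from an HTTP Server header, or None."""
    m = BANNER_RE.search(payload)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def analyze(observations):
    """Check server-side replies seen on the wire against the policy above."""
    alerts = []
    for o in observations:
        host, port = o["server_ip"], o["server_port"]
        if ip_address(host) in DMZ and host not in KNOWN_DMZ_HOSTS:
            alerts.append((host, "unknown host answering in DMZ"))
        allowed = ALLOWED_SERVERS.get(port)
        if allowed is not None and host not in allowed:
            alerts.append((host, f"unauthorized service on port {port}"))
        banner = parse_banner(o.get("payload", ""))
        if banner and banner[0] in MIN_VERSION and banner[1] < MIN_VERSION[banner[0]]:
            shown = ".".join(map(str, banner[1]))
            alerts.append((host, f"outdated {banner[0]} {shown}"))
    return alerts

# Constructed sample: replies reassembled from sniffed traffic.
SAMPLE = [
    {"server_ip": "192.0.2.10", "server_port": 80,
     "payload": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n"},
    {"server_ip": "192.0.2.20", "server_port": 21, "payload": "220 FTP ready\r\n"},
    {"server_ip": "192.0.2.77", "server_port": 80,
     "payload": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.29\r\n\r\n"},
]

if __name__ == "__main__":
    for host, msg in analyze(SAMPLE):
        print(host, msg)
```

Banner-based version checks only see what the server chooses to announce, so a host that hides or rewrites its Server header passes the version check while still tripping the policy checks.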

I only know of one PVS system available at the moment: Tenable Network
Security's NeVO, which runs on the Red Hat Linux and FreeBSD UNIX
platforms. Although NeVO doesn't run on Windows platforms, it's
compatible with Windows networks. It can detect anomalies on Windows
and UNIX networks, and because its logs are generated in a
Nessus-style format, you can use any Nessus client, such as the
Windows-based Nessus client, to access them. (Nessus is an active
vulnerability scanner.)

You can learn more about NeVO at the first URL below. You'll also find
a more detailed explanation of the PVS and NeVO, "Passive
Vulnerability Scanning, Introduction to NeVO," in PDF format at the
second URL below.

Tenable offers a 30-day demo of the product. If you try a copy on your
network, send me an email message to let me know what you think of the
PVS concept and how well it works for you in your environment.


==== 2. Security Risks ====
   contributed by Ken Pfeil, ken () winnetmag com

Denial of Service in SpeakFreely for Windows
   Luigi Auriemma discovered that a vulnerability in Speak Freely for
Windows can result in a Denial of Service (DoS) condition. Sending
multiple spoofed packets (more than 160 packets of 2 bytes or more
each) results in the termination of the program, with an error message
such as, "Cannot create transmit socket for host (x.x.x.x), error
10055. No buffer space is available." SpeakFreely's developer has been

Denial of Service in wzdftpd FTP Server for Windows
   Moran Zavdi discovered that a vulnerability in wzdftpd FTP server
for Windows can result in a Denial of Service (DoS) condition. Sending
a CRLF sequence at logon causes an unhandled exception at the server.
The wzdftpd developer has released a patch for this vulnerability.

Mondosoft's MondoSearch File-Creation Vulnerability
   Jens H. Christensen discovered that a vulnerability in Mondosoft's
MondoSearch can result in the execution of arbitrary code on the
vulnerable computer. One of the default installation files,
msmsetup.exe, contains a vulnerability that lets malicious users
create files with user-specified content on the Web server or anywhere
that the executing user (typically IUSR_xxx) has write access. For
details about this vulnerability, see the discoverer's Web site.
Mondosoft has released a patch for this vulnerability.


==== 3. Announcements ====
   (from Windows & .NET Magazine and its partners)

Attend Windows & .NET Magazine Connections, Win a Free Vacation
   How secure is your network? Are Windows Server 2003's improved
security features worth the migration effort? Want to stop spam? Learn
the answers to these questions and more at Windows & .NET Magazine
Connections. Register today and receive access to concurrently running
Exchange Connections.

Check Out Our 2 New Web Seminars!
   "Plan, Migrate, Manage: Shifting Seamlessly from NT4 to Windows
2003" will help you discover tips and tricks to maximize planning,
administration, and performance. "The Secret Costs of Spam ... What
You Don't Know Can Hurt You" will show you how to quantify costs and
find antispam solutions. Register today!

==== 4. Security Roundup ====

News: Report: Microsoft Monoculture Is a National Security Risk
   A damning report written by security experts and sponsored by
Microsoft's competitors concludes that the "monoculture" created by
the software giant's dominance is a national security risk. The report
was released at a meeting of the Computer & Communications Industry
Association (CCIA).

News: Sophos Acquires ActiveState
   Antivirus software maker Sophos announced that it has acquired
ActiveState, a Canadian-based maker of spam-filtering and development
tools. Sophos will acquire ActiveState and all of the company's stock
for $23 million.

News: California Cracks Down Hard on Spammers
   California Governor Gray Davis signed legislation that prohibits
advertisers from sending unsolicited email and said the law contains
no loopholes that can be used to thwart it.


==== 5. Instant Poll ====

Results of Previous Poll: DRM Use
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Is
your company using or planning to use Digital Rights Management
(DRM)?" Here are the results from the 88 votes.
   - 2% We have a DRM application in production
   - 5% We're experimenting with DRM
   - 18% We see some possible applications for DRM but aren't working
with it yet
   - 75% We aren't interested in DRM

New Instant Poll: Firewall and IDS Use
   The next Instant Poll question is, "Does your company use firewalls
and Intrusion Detection Systems (IDSs) to protect the infrastructure?"
Go to the Security Administrator Channel home page and submit your
vote for
   - Yes, we use both firewalls and IDSs
   - No, we only use firewalls
   - Not sure

==== 6. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.

FAQ: How Can I Use Microsoft Internet Explorer (IE) to Pass a Username
and Password to an FTP Site?
   contributed by John Savill
   If you access an FTP site that doesn't allow anonymous access, you
must provide a username and password. To access an FTP site
anonymously from IE, use the syntax


To pass a username and password, the syntax is


For example, to access the Internet Software Consortium (ISC) FTP site
with a username and password, you might type

   ftp://john:john () ibm

where "john" is the username and "john () ibm com" is the password.

Similarly, to pass just a username, you can use the syntax


Featured Thread: Auditing Software for Windows 2000?
   (3 messages in this thread)
   Brycea writes that he has a small network of 25 users with five
servers and Windows 2000 Server running Active Directory (AD) in
native mode. He has one server available to the outside world that
runs Microsoft IIS for FTP and the Web. The FTP server has been on the
internal network with openings on the firewall for ports 21 and 80,
but Brycea recently upgraded to a firewall that has an optional
demilitarized zone (DMZ) port and he'd like to move the FTP server
onto a DMZ. He'd like to know the best practices for using a DMZ for
an AD network on its own subnet. Lend a hand or read the responses:

==== 7. Event ====

The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!
   Learn more about the wireless and mobility solutions that are
available today, plus discover how going wireless can offer low risk,
proven performance, and compatibility with existing and emerging
industry standards. Register now for this free, 12-city event!

==== 8. New and Improved ====
   by Sue Cooper, products () winnetmag com

Authenticate Using Steel-Belted Appliance
   Network Engines introduced Steel-Belted Radius Enterprise Edition
Appliance 2.0 to deploy remote and wireless LAN (WLAN) access control
and security on a network. The appliance combines Network Engines'
rack-mountable hardware with Funk Software's Steel-Belted Radius
Enterprise Edition 4.5 and an embedded, hardened version of Windows
2000 Professional. The appliance now supports two-factor
authentication products, which ensures that only authorized users have
access to your network. Steel-Belted Radius Enterprise Edition
Appliance 2.0 is available from TidalWire, a Network Engines company.
For more information, contact TidalWire at 877-638-8277 or
sales () tidalwire com.

Secure Your Web Portal
   Entrust announced Entrust TruePass 7.0, a Web security solution
that delivers bidirectional, end-to-end security for your
organization's online information. Users can submit sensitive
information as encrypted and digitally signed XML or HTML data, or as
secure file attachments. The Web server can return secured real-time
updates, approvals, and instructions to the users, eliminating the
need for paper-based processes. The application provides centralized,
role-based password policies, digital ID management in cross-certified
environments, certificate revocation list (CRL) checking on
third-party certificates, and diagnostic tools. Contact Entrust at
888-690-2424 or entrust () entrust com.

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot () winnetmag com.


==== 9. Contact Us ====

About the newsletter -- letters () winnetmag com
About technical questions --
About product news -- products () winnetmag com
About your subscription -- securityupdate () winnetmag com
About sponsoring Security UPDATE -- emedia_opps () winnetmag com

This email newsletter is brought to you by Security Administrator, the
print newsletter with independent, impartial advice for IT
administrators securing Windows and related technologies. Subscribe

Thank you for reading Security UPDATE!
Copyright 2003, Penton Media, Inc.
