Information Security News mailing list archives

Security UPDATE, August 1, 2001


From: InfoSec News <isn () c4i org>
Date: Mon, 6 Aug 2001 03:17:20 -0500 (CDT)

********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com
********************

August 1, 2001--In this issue:

1. IN FOCUS
     - Tighten Your System Security Now!

2. SECURITY RISKS
     - Unchecked Buffer in Windows Media Player 
     - DoS in Microsoft's Remote Procedure Call 
     - DoS Condition in Windows Terminal Services 
     - DoS Condition in Microsoft Services for UNIX 2.0

3. ANNOUNCEMENTS
     - Weaving a Tangled Web?
     - Free Research Delivered to Your Email Inbox

4. SECURITY ROUNDUP
     - News: Windows Product Activation: The Enemy Within
     - News: Microsoft Unleashes a .NET Hailstorm
     - Review: Disk-Imaging Solutions

5. SECURITY TOOLKIT
     - Book Highlight: Incident Response: Investigating Computer Crime
     - Virus Center: 
         - Virus Alert: W32/Prolin.A
     - Tip: Changing Passwords in Untrusted Domains
     - Windows 2000 Security: Don't Shoot Yourself in the Foot with
Group Policy Security Settings, Part 2
     - SOHO Security: Encryption Basics

6. NEW AND IMPROVED
     - Prevent Vulnerable Password Selection
     - USB Security Key

7. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Blank Audit Events in Security Event Log
     - HowTo Mailing List 
         - Featured Thread: How to Log On to an NT DC over Secure
Remote

8. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

Last week, I mentioned that I had received no fewer than two dozen
copies of the Sircam worm in email. This week the count has risen to
more than eight dozen, and copies of the worm are arriving in my inbox
even as I write this editorial. If you haven't checked into the Sircam
worm at our online Virus Center, be sure to do so--or at least take my
email address out of your Outlook address book!
   http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusID=1104

Also last week, I discussed the Code Red worm, which affects unpatched
Microsoft IIS Web servers. Two variants of the virus have been
discovered, and many entities (e.g., Microsoft, National Infrastructure
Protection Center--NIPC, Computer Emergency Response Team--CERT) think
someone might launch the two Code Red worm variants July 31. Code Red is
a date-driven worm that deactivates itself after day 27 of a given
month. However, because CERT has received reports of Code Red attacks
from July 28 through 30, CERT suspects that Code Red has infected many
IIS Web servers with incorrectly set system dates. The assumption is
that if the dates were set correctly, the worm should be
inactive--apparently, it's not. Therefore, CERT and others think the
worm is likely to flare up either through nondormant copies of Code Red
or because someone releases one of the two known variants onto the
Internet. 

Getting rid of the Code Red worm is easy because it's a memory-resident
worm--it's not stored in a disk file. To rid your systems of Code Red,
simply reboot your system and be sure to apply the Microsoft patch for
IIS that the company released 6 weeks ago:
Windows 2000:
   http://www.microsoft.com/downloads/release.asp?releaseID=30800
Windows NT 4.0:
   http://www.microsoft.com/downloads/release.asp?releaseID=30833
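Because a reboot clears the memory-resident copy but an unpatched server is reinfected within minutes, the useful check after rebooting is whether probes are still arriving and whether they are reaching the .ida handler. The following scanner is an added example, not code from the newsletter or from Microsoft: it reads IIS W3C extended log lines and flags Code Red probe requests. The newsletter names only the vulnerable product (IIS); the request shape matched here (a GET for /default.ida whose query opens with a long run of 'N' padding followed by %u-encoded bytes) comes from public analyses of the worm, and the log lines below are constructed samples.

```python
import re
from collections import Counter

# Signature of a Code Red probe as recorded by IIS: a GET for /default.ida
# whose query string opens with a long run of 'N' padding and carries
# %u-encoded bytes. This request shape is from public analyses of the worm;
# the newsletter itself names only the vulnerable product (IIS).
STEM_RE = re.compile(r"^/default\.ida$", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"^N{50,}.*%u[0-9a-f]{4}", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (not a real log). The #Fields
# directive defines the column order, so the parser reads it instead of
# assuming a fixed layout.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-31 00:01:12
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-31 00:01:12 10.1.2.3 GET /index.htm - 200
2001-07-31 00:02:40 192.0.2.44 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 200
2001-07-31 00:03:05 192.0.2.44 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 200
2001-07-31 00:05:17 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 404
2001-07-31 00:06:00 10.1.2.9 GET /default.ida - 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than guess at columns
        yield dict(zip(fields, values))


def is_code_red_probe(rec):
    """True when the record matches the probe signature above."""
    return (rec.get("cs-method", "").upper() == "GET"
            and STEM_RE.match(rec.get("cs-uri-stem", "")) is not None
            and PAYLOAD_RE.match(rec.get("cs-uri-query", "")) is not None)


def scan_iis_log(text):
    """Count probes per source and list sources whose probe got a 200.

    A 200 means the request reached the .ida ISAPI extension; a 404 means
    the .ida mapping is gone and the request was never handled by it.
    """
    hits = [r for r in parse_w3c(text) if is_code_red_probe(r)]
    by_source = Counter(r["c-ip"] for r in hits)
    reached_isapi = sorted({r["c-ip"] for r in hits if r["sc-status"] == "200"})
    return {"probes": len(hits), "by_source": by_source,
            "reached_isapi": reached_isapi}


if __name__ == "__main__":
    result = scan_iis_log(SAMPLE_LOG)
    print(f"{result['probes']} probe(s) from {len(result['by_source'])} source(s)")
    for ip, n in result["by_source"].most_common():
        print(f"  {ip}: {n}")
    print("sources whose probe reached the .ida handler (status 200):",
          ", ".join(result["reached_isapi"]) or "none")
```

The log cannot tell you whether a 200 response led to a compromise: that depends on whether the IIS patch above was applied before the probe arrived. Treat any 200 on such a request from a server that was unpatched at the time as a host to reboot and patch, and treat a steady stream of probes after patching as confirmation that the worm is still active on the network around you.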

Speaking of IIS, Microsoft has a utility available, called IISLock, that
helps you better secure your IIS systems. Microsoft released the tool in
March 2000, and it's available on Microsoft's Web site (see first URL at
the end of this paragraph). If you follow the NTBugtraq mailing list,
you're probably aware that the list moderator, Russ Cooper, has released
a Visual Basic (VB) script that also helps secure an IIS system.
According to Cooper, the script implements many of the recommended
configuration settings found in Microsoft IIS 4.0 Security Checklist
(see second URL), plus a few additional settings that Cooper thinks are
prudent. You can download the SecuredIIS.vbs script from the NTBugtraq
Web site (see third URL).
http://www.microsoft.com/downloads/release.asp?releaseID=19889
http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp
http://ntbugtraq.ntadvice.com/download/securedIIS.zip

Finally, this week I learned about a new book, "The Unofficial Guide to
Ethical Hacking," that will be available soon. Although several great
security-related books are currently on the market, this book is unique
because its author, Ankit Fadia, was 14 years old when he wrote it,
making him India's youngest author ever published. Fadia, now 16,
recently drew the interest of Macmillan India, who agreed to publish the
book. 

Although I haven't been able to locate a full table of contents for the
book, I did find that Fadia has a Web site with three sample sections of
the book (see the URL at the end of this paragraph). I looked at the
samples and found them informative. One section covers Windows-related
tips and tricks, the second explains viruses in detail, and the third
explains how to crack the Windows screen saver password without software
assistance--a good lesson in basic cryptographic analysis. If nothing
else, check out the tips and tricks section, where you might learn a few
interesting registry tweaks. Until next time, have a great week.
   http://hackingtruths.box.sk/book.htm

Sincerely,
Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken () win2000mag com)

* UNCHECKED BUFFER IN WINDOWS MEDIA PLAYER
   An unchecked buffer exists in one of the functions that processes
Microsoft Windows Media Station (.nsc) files for certain Windows Media
Player (WMP) versions. An attacker can use this overflow condition to
execute malicious code on the user's system. This code can then take any
action on the system that a legitimate user can take. Microsoft has
released security bulletin MS01-042 to address this vulnerability and
recommends that users apply the patch that's relevant for their system.
For more details, see the following URL:
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21964

* DOS IN MICROSOFT'S REMOTE PROCEDURE CALL 
   Several of the remote procedure call (RPC) servers associated with
the services of certain Microsoft Exchange Server, SQL Server, Windows
2000, and Windows NT systems might not validate input information
properly. In some cases, these systems might accept invalid input
information that can disrupt normal processing of legitimate requests.
Specific values of invalid input vary among RPC servers. A malicious
attacker can exploit this vulnerability by repeatedly sending these
invalid RPC requests and cause a Denial of Service (DoS) condition.
Microsoft has released security bulletin MS01-041 to address this
vulnerability and recommends that users apply any of the patches that
are relevant to their system. For more details, see the following URL:
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21965

* DOS CONDITION IN WINDOWS TERMINAL SERVICES
   A memory leak exists in one of the functions used to process TCP
checksums on incoming RDP information using port 3389 of Windows 2000
Server and Windows NT Server 4.0 Terminal Services Edition. Every time a
user sends an RDP packet to the server using a specially crafted
malformed format, the process depletes the server's memory by a small
amount. By repeatedly sending these packets, an attacker can cause the
server to stop responding, resulting in a Denial of Service (DoS)
condition. Microsoft has released security bulletin MS01-040 to address
this vulnerability and recommends that users apply one of the patches
that's relevant to their system. For more details, see the following
URL:
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21948

* DOS CONDITION IN MICROSOFT SERVICES FOR UNIX 2.0
   A vulnerability exists in both the Telnet and NFS service components
of Microsoft Services for UNIX 2.0. An attacker can exploit the
vulnerability to trigger memory leaks in both services. By using
repeated requests, a potential attacker can cause the depletion of
resources on the server, resulting in a Denial of Service (DoS)
condition. The vendor, Microsoft, has released security bulletin
MS01-039 to address this vulnerability and recommends that users apply
one of the patches that's relevant to their system. For more details,
see the following URL:
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21928

3. ==== ANNOUNCEMENTS ====

* WEAVING A TANGLED WEB?
   Our newly launched Web site, WebSpherePro.com, can help you unravel
the Web with practical, how-to information about developing and
deploying Web and enterprise applications for IBM's WebSphere
Application Server. Check out the new Web site, and sign up to receive
our FREE WebSphereWire and WebSpherePro email newsletters. You can also
sign up to get a free premiere issue of WebSphere Professional
magazine!
   http://www.webspherepro.com

* FREE RESEARCH DELIVERED TO YOUR EMAIL INBOX
   Make informed choices about new technology with a free subscription
to Research UPDATE. This HTML-based, biweekly newsletter delivers
analysis and forecasting on the hottest topics and trends in the IT
industry. Subscribe today! 
   http://www.win2000mag.net/email/index.cfm?id=18

4. ==== SECURITY ROUNDUP ====

* NEWS: WINDOWS PRODUCT ACTIVATION: THE ENEMY WITHIN
   It started with the international versions of Microsoft Office 2000
and crept into Office XP. Michael Otey first wrote about it in his
editorial, "Where the Real Monopoly Is," Windows 2000 Magazine, June
2001. Since then, Otey has learned more about what he calls "forced
registration," and it has spread beyond Office. Microsoft plans to
include this antipiracy technology in Windows XP, where it's known as
Microsoft Product Activation or Windows Product Activation (WPA). For
more details, see the following URL:
   http://www.win2000mag.com/articles/index.cfm?articleID=21579

* NEWS: MICROSOFT UNLEASHES A .NET HAILSTORM
   Microsoft recently rolled out concrete plans for its .NET strategy,
code-named Hailstorm, which will let the software giant make the
transition from a maker of shrinkwrapped software to a company that
provides software services over the Internet. Hailstorm will include
base services such as email, instant messaging, alerts and
notifications, calendar and address book functions, and file storage, as
well as premium services that the company has yet to identify. For more
details, see the following URL:
   http://www.win2000mag.com/articles/index.cfm?articleID=21511

* REVIEW: DISK-IMAGING SOLUTIONS
   Disk-imaging programs have been a boon to administrators tasked with
deploying PCs in their organization. You configure a system the way you
want it, then copy the hard disk's contents (i.e., the image) to another
system's hard disk so that the second system is configured the same as
the first. Although the basics haven't changed since cloning software's
inception, the mechanisms for copying and deploying images have become
sophisticated. Some imaging software vendors even incorporate backup,
restore, and application-deployment facilities into their products.
These new features promise to help administrators deploy images faster
and make computer maintenance easier than previously possible. Ed Roth
tested Altiris eXpress 5, PowerQuest Drive Image Pro 4.0, SoftStorage
Solutions (formerly IT Infusion) ImageCast, and Symantec Ghost 6.5.1 to
see how they handle a variety of cloning tasks. Be sure to read the
review on our Web site!
   http://www.win2000mag.com/articles/index.cfm?articleID=20876

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: INCIDENT RESPONSE: INVESTIGATING COMPUTER CRIME
   By Chris Prosise, Kevin Mandia
   List Price: $39.99
   Fatbrain Online Price: $31.99
   Softcover; 512 pages
   Published by McGraw-Hill Professional Book Group, July 2001
   ISBN 0072131829

For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0072131829
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
   http://www.WindowsITsecurity.com/panda

Virus Alert: W32/Prolin.A
   W32/Prolin.A is a worm that uses email to spread to other systems.
The worm sends itself to all the entries in the infected user's
Microsoft Outlook address book. In addition, the worm renames the
extensions of all .jpg, .mp3, and .zip files found on the affected
system. If the email recipient has a yahoo.com address, the messages
have varied characteristics. For more details, see the following URL:
   http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusID=809

* TIP: CHANGING PASSWORDS IN UNTRUSTED DOMAINS
   (contributed by James Turner, jamesdturner () hotmail com)

Q. My company has put a freeze on creating trusts in our Windows NT
Server 4.0 environment, but users in our domain need access to files and
applications in another domain. Setting up local accounts, passwords,
shares, and permissions in the other domain isn't a problem. However,
users need to be able to change their passwords in the untrusted
domain.

A. A simple solution exists that also works for changing passwords in
trusted domains. Log on to your local domain, and press Ctrl+Alt+Del. In
the resulting window, click Change Password, and in the User name text
box, input the account ID of the user's account in the untrusted domain
(e.g., userID1). In the Domain text box, input the PDC's name (e.g.,
pdcmydomain). In the Old Password text box, enter the current password
for the untrusted domain, then enter the new password in the New
Password text box. Re-enter the new password in the Confirm New Password
text box, and click OK. For this solution to work, you must enable
DNS.
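The Change Password dialog described above calls the NetUserChangePassword API in netapi32.dll, which takes a DC or domain name plus the old and new passwords and needs no trust relationship because the old password itself authenticates the request. The script below is an added example, not part of the tip: it performs the same change from the command line so it can be scripted or handed to users. The PDC name and user ID are the hypothetical values from the tip, and the same name-resolution requirement applies.

```powershell
# Change a password on an account in an untrusted NT/Windows 2000 domain while
# logged on to a different domain. Added example, not from the newsletter: it
# calls NetUserChangePassword in netapi32.dll, the same operation the
# Ctrl+Alt+Del / Change Password dialog performs. The PDC name must resolve
# from this workstation, as the tip notes.
param(
    [Parameter(Mandatory)] [string] $Pdc,       # e.g. 'pdcmydomain' (hypothetical name from the tip)
    [Parameter(Mandatory)] [string] $UserName   # e.g. 'userID1'
)

$signature = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetUserChangePassword(
    string domainname, string username, string oldpassword, string newpassword);
'@
$NetApi = Add-Type -MemberDefinition $signature -Name 'NetApi32' -Namespace 'Win32' -PassThru

# Return codes worth translating for the user (NET_API_STATUS / Win32 values).
$status = @{
    0    = 'Password changed.'
    5    = 'Access denied: the DC refused the change (policy, lockout, or disabled account).'
    53   = 'Network path not found: the PDC name did not resolve or is unreachable.'
    86   = 'The old password is wrong.'
    2245 = 'The new password does not meet the domain length or complexity policy.'
}

function Convert-ToPlain([securestring] $Secure) {
    # Unwrap a SecureString only for the duration of the API call.
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

$old  = Read-Host -Prompt 'Old password'         -AsSecureString
$new1 = Read-Host -Prompt 'New password'         -AsSecureString
$new2 = Read-Host -Prompt 'Confirm new password' -AsSecureString
if ((Convert-ToPlain $new1) -cne (Convert-ToPlain $new2)) {
    throw 'New passwords do not match.'
}

# First argument is the DC (or domain) name, not a UNC path.
$rc = $NetApi::NetUserChangePassword($Pdc, $UserName,
                                     (Convert-ToPlain $old), (Convert-ToPlain $new1))

if ($status.ContainsKey($rc)) { $msg = $status[$rc] } else { $msg = "NetUserChangePassword returned $rc" }
if ($rc -ne 0) { Write-Error $msg } else { Write-Host $msg }
```

Run it as `.\Change-UntrustedPassword.ps1 -Pdc pdcmydomain -UserName userID1`. A return of 53 is the symptom of the name-resolution requirement in the tip; 86 and 2245 distinguish a mistyped old password from a policy rejection, which the dialog reports less precisely.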

* WINDOWS 2000 SECURITY: DON'T SHOOT YOURSELF IN THE FOOT WITH GROUP
POLICY SECURITY SETTINGS, PART 2
   Nowhere is change control more important than in Active Directory
(AD) and Group Policy: A directory service (i.e., AD) and a centralized
configuration solution (i.e., Group Policy) are fundamental to your IT
infrastructure. However, many systems administrators make the mistake of
implementing changes in production without a review-and-release cycle
that includes peer review and advance maintenance announcements. Change
control has always been strong in the mainframe world, but it's never
fully matured in the Windows world. Unfortunately, as the opening
example illustrated in Part 1 of Randy Smith's article, Windows 2000 can
make a potentially devastating and wide-ranging change appear to be
simple and harmless. Learn how to avoid the pitfalls in Part 2 of this
series.
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21834

* SOHO SECURITY: ENCRYPTION BASICS
   In previous small office/home office (SOHO) columns, Jonathan Hassell
discussed encryption as it relates to pretty good privacy (PGP) and
secure email. Many readers have asked for further details describing
exactly how encryption works. Although doing justice to such a complex
topic is difficult, you can use this SOHO security column as a primer on
using encryption to secure your data. Learn some of the basics of
encryption in the SOHO column on our Web site.
   http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21953

6. ========== NEW AND IMPROVED ==========
   (contributed by Scott Firestone, IV, products () win2000mag com)

* PREVENT VULNERABLE PASSWORD SELECTION
   MDD released Password Bouncer Standard Edition, a centralized
management console that prevents users from selecting vulnerable
passwords that intruders can easily guess and crack. The console screens
and validates passwords against a 300,000-word English wordlist and a
4000-word proper noun wordlist. Password Bouncer Standard runs on
Windows 2000 and Windows NT systems and is licensed on an annual,
nonperpetual subscription at $995. Contact MDD at 925-831-4746.
   http://www.mddinc.com

* USB SECURITY KEY
   PlayApp is offering its PlayApp Key as a USB device that consumers
can use to generate and remember all their personal passwords,
encryption codes, and pretty good privacy (PGP) passphrases. The PlayApp
key requires the PlayApp Player software, which lets you download
digital books, music, videos, business applications, and streaming
channels from the PlayApp Web page. The PlayApp key supports Windows
2000, Windows Me, and Windows 9x systems and costs $44. Contact PlayApp
at 214-704-3397.
   http://www.playapp.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: Blank Audit Events in Security Event Log
   (Three messages in this thread)

A user has noticed a strange event in the security event logs. The log
has recorded some successful logons, but the username, domain, and
workstation name fields are blank in the event's description field. Read
more about the problem and the responses, or lend a hand at the
following URL:
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=73849

* HOWTO MAILING LIST
   http://www.WindowsITsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: How to Log On to an NT Domain Controller Over Secure
Remote
   (Four messages in this thread)

This user needs to perform administrative tasks against a remote SQL
Server installation using Secure Remote. However, the SQL Server
requires NT LAN Manager (NTLM) authentication, which relies on a domain
controller (DC)-based database of user accounts. The user wants to know
how to log on to the domain remotely using Secure Remote so that his
attempt to connect to the SQL Server is not rejected because of a
failure to authenticate with the domain. Can you help? Read the
responses or lend a hand at the following URL:
   http://63.88.172.96/go/page_listserv.asp?A2=IND0107D&L=HOWTO&P=703

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () win2000mag com

********************

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE () list win2000mag net.

If you have questions or problems with your UPDATE subscription, please
contact securityupdate () win2000mag com. 
___________________________________________________________
Copyright 2001, Penton Media, Inc.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

