Information Security News mailing list archives

Security UPDATE, July 25, 2001


From: InfoSec News <isn () c4i org>
Date: Sun, 29 Jul 2001 04:52:54 -0500 (CDT)

********************

Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

IBM Infrastructure
   http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.1.532985

CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP
   http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.3.532985
   (below SECURITY RISKS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: IBM INFRASTRUCTURE ~~~~
   Not worried about hackers? You should be. Because they can put your
e-business out of business. If your customers don't feel comfortable
dealing with you online, they'll work with someone else. With IBM
infrastructure, you'll have the security your company needs to operate
effectively and to keep your clients comfortable. Your networks and
servers are the backbone of your company. It's time you treated them
that way. In today's ever-changing e-environment, keeping network
security tight is something that can't be ignored. So is keeping your
clients happy. Find out more from our latest security white paper
today.
   Download at:
http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.1.532985

********************

July 25, 2001--In this issue:

1. IN FOCUS
     - As Two Worms Multiply, CERT Releases Security Tips for
Home-Computer Users

2. SECURITY RISKS
     - Denial of Service Condition in IBM DB2 Universal Database
Server
     - Denial of Service Condition in Cisco IOS PPTP 
     - Unsafe Functionality Exposure in Microsoft Outlook

3. ANNOUNCEMENTS
     - Now Is the Time, Now Is the Time . . .
     - Where Do You Go Before You Take Your MCSE Exams?

4. SECURITY ROUNDUP
     - News: Code Red Worm Readily Penetrates Unpatched Web Servers
     - News: Factor a 576-Bit Number and Earn $10,000
     - Feature: The 7 Habits of Highly Available Exchange Servers
     - Feature: Network Troubleshooting with a Pocket PC

5. SECURITY TOOLKIT
     - Book Highlight: Hack Attacks Revealed: A Complete Reference with
Custom Security Hacking Toolkit
     - Virus Center: 
     - Virus Alert: W32/Sircam
     - FAQ: Does Windows 2000 Include an Update of the Chkdsk
Application?

6. NEW AND IMPROVED
     - Monitor Your Web Server
     - Secure Exchange 2000 Server

7. HOT THREADS
     - Windows 2000 Magazine Online Forums
     - Featured Thread: API Call to LogonUser Across Firewall
     - HowTo Mailing List
     - Featured Thread: Turning Down a Backup Domain Controller (BDC)

8. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,
   Last week, I mentioned that I didn't know about any cracks to Windows
XP license activation so far. Since then, I quickly learned that cracks
do exist, so I suppose that fact is quite a statement considering
Microsoft's stance that mandatory license activation will thwart
piracy.
   On another note, did the Code Red worm hit your Web network last
week? I've received many emails requesting details about the Code Red
worm and how to stop it or recover from its infection. The irony is that
more than a month ago (June 18), Microsoft released a patch for a
security bug that's related to IIS-based .idq and .ida file
mappings--the same bug that the Code Red worm exploits. Be sure to read
the related news story in the Security Roundup section of this
newsletter.
   Because the Code Red worm has affected so many sites already
(including Microsoft's Windows Update site and many sites operated by
the US Department of Defense--DOD), it's apparent that many online
entities still don't keep their systems as up-to-date as possible, so
they suffer the consequences of lackadaisical systems administration. If
nothing else, the Code Red worm serves as one more example of why we
need to consider acquiring and installing software patches and updates
as top priorities in our daily routines. 
   As I mentioned, the Code Red worm takes advantage of a bug related to
the .ida and .idq files. Nelson Bunker, vice president of security at
Critical Watch, notified me last week that his company has released a
utility that quickly removes any .ida and .idq file mappings from an IIS
server. Users can run the utility from a remote workstation against an
IIS server. Users can also download the utility as freeware at the
company's Web site (along with complete source code). See the first URL
at the end of this editorial.
   I hope you don't think workstations or home computers running IIS and
the related indexing services are immune from such a worm, because they
aren't. A home computer is just another system connected to the
Internet. To help small offices/home offices (SOHOs) with problems such
as the Code Red worm, the Computer Emergency Response Team (CERT)
released a document titled "Home Network Security." Users can access
this document online at CERT's Web site (CERT updated it June 26). See
the second URL at the end of this editorial.
   I took a quick look at "Home Network Security" and found that the
document covers a broad range of security concerns, including basic
material that explains computer security, TCP/IP networking, firewalls,
and antivirus software; various types of risks, including
hardware-related problems such as disk failure and theft; and a series
of actions that home-based users can take to protect their systems. Be
sure to check it out--it's good material.
   On that note, are you aware that in addition to this newsletter and
numerous others, we offer our Connected Home EXPRESS email newsletter?
The biweekly newsletter offers how-to advice, tips, and news that cover
a broad range of technology-related topics: home automation, home
networks, home theater, and a variety of gadgets-on-the-go. Visit the
related Connected Home Magazine Web site (
http://www.connectedhomemag.com ), and be sure to take a look at this
newsletter.
   Before I sign off, I want to remind you that another worm is
spreading fast, but this one affects Outlook email clients. The
W32/Sircam worm spreads by sending copies of itself to every person
listed in an affected user's Outlook address book (see the related item
in this newsletter's Security Tools section under Virus Center). Since
Friday, I've received at least two dozen copies of the worm in email
from people that have my email address in their address books. The worm
is still spreading, so be sure to review the technical details regarding
the W32/Sircam worm at our online Virus Center, and download the latest
antivirus signature updates from the software vendor of your choice. 
   Until next time, have a great week.

Sincerely,

Mark Joseph Edwards, News Editor, mark () ntsecurity net

   http://www.criticalwatch.com/downloads/IDA_ScriptRemoval_Util.zip
   http://www.cert.org/tech_tips/home_networks.html

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken () win2000mag com)

* DENIAL OF SERVICE CONDITION IN IBM DB2 UNIVERSAL DATABASE SERVER
   Gilles Lami reported that a Denial of Service (DoS) vulnerability
exists in IBM's DB2 Universal Database server. An attacker can crash the
server by establishing a Telnet connection to the ports that the
services db2ccs.exe and db2jds.exe are running on (typically ports 6790
and 6789) and sending 1 byte of information. IBM has acknowledged this
vulnerability and will release a patch for version 7 and later
versions.
   http://www.windowsitsecurity.com/articles/index.cfm?articleID=21820

* DENIAL OF SERVICE CONDITION IN CISCO IOS PPTP
   Cisco Systems reported that a Denial of Service (DoS) vulnerability
exists in its IOS that can let a potential attacker crash the router by
sending a malformed or crafted PPTP packet to port 1723. Although the
router will crash after receiving just one packet, the attacker can
cause the DoS attack by repeatedly sending packets. A workaround is to
disable PPTP on the router because the vulnerability doesn't affect
routers with PPTP disabled. The company recommends that users obtain a
firmware upgrade through the Software Center on Cisco's Web site or
through Cisco's distribution channels.
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21821

* UNSAFE FUNCTIONALITY EXPOSURE IN MICROSOFT OUTLOOK
   Georgi Guninski reported that a vulnerability exists in Microsoft
Outlook that might let a malicious attacker manipulate Outlook data.
This vulnerability stems from the Outlook View Control ActiveX control,
which lets users view Outlook mail folders from Web pages. This ActiveX
control exposes a function that might let the Web page manipulate
Outlook data, and thereby let an attacker delete mail, change calendar
information, or take other actions through Outlook, including running
arbitrary code on the user's machine. Microsoft has released security
bulletin MS01-038 for this vulnerability. A patch will be available in
the near future, but as a workaround, Microsoft recommends applying the
Outlook 2000 Service Release 1 (SR1) security update and temporarily
disabling ActiveX controls in Internet Explorer's (IE's) Internet
security zone.
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21822

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: LIEBERMAN AND ASSOCIATES ~~~~ 
   CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP
   Did you ever consider that the same local administrator account and
password is stored on every NT/2000/XP workstation in your organization?
If this account were to become compromised, or one of your
administrators were to leave, how would you change this backdoor account
on all of your workstations? User Manager Pro for Windows NT/2000/XP
makes mass changes to the local security of your workstations in
minutes.
   FREE TRIAL:
http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.3.532985

~~~~~~~~~~~~~~~~~~~~

3. ==== ANNOUNCEMENTS ====

* NOW IS THE TIME, NOW IS THE TIME . . .
   It's Windows 2000 Magazine LIVE! Hear and talk with the writers
you've come to trust. Minasi, Daily, Mar-Elia, and Russinovich join a
host of world-renowned gurus to help you be more successful. The seven
dedicated tracks include Active Directory (AD), .NET Servers, Security,
plus a bonus SMS track sponsored by Altiris. Attend concurrently run XML
and Web Services Connections for FREE! Now is the time to reserve your
spot!
   http://www.winconnections.com

* WHERE DO YOU GO BEFORE YOU TAKE YOUR MCSE EXAMS?
   2000Tutor.com is the Web site where you need to be. We help you
prepare for MCSE certifications as quickly and painlessly as possible.
Take practice exams, study for certification, join your peers in our
discussion forums, and get free tips and advice from the experts. Visit
today!
   http://www.2000tutor.com

4. ==== SECURITY ROUNDUP ====

* NEWS: CODE RED WORM READILY PENETRATES UNPATCHED WEB SERVERS
   A new worm, Code Red, is making the rounds on the Internet. Code Red
plays on an existing security-related bug in Microsoft IIS-based Web
servers. Microsoft made a patch available for the bug on June 18, yet
countless Web servers apparently remain unpatched--including Microsoft's
own Windows Update Web site. An alert reader informed Windows 2000
Magazine yesterday that the worm had, in fact, penetrated the Windows
Update site. The worm changes the home page of sites that it attacks to
read, "Welcome to http://www.worm.com !, Hacked By Chinese!"
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21884
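The editorial and the news item above both point at the IIS .ida/.idq script mappings that Code Red abuses. As an added example (not code from the newsletter and not the Critical Watch utility), the following Python script parses an IIS W3C extended log and flags every request for an .ida or .idq resource, which a server that has removed those mappings should never be serving; the log lines are constructed, and the field names follow the IIS 5.0 `#Fields:` directive.

```python
"""Flag IIS requests for .ida/.idq resources in a W3C extended log."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log in IIS 5.0 W3C extended format; these are not
# real log lines and the client addresses are documentation ranges.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-07-19 10:01:02 192.0.2.10 GET /index.html - 200\n"
    "2001-07-19 10:01:05 198.51.100.7 GET /default.ida " + "N" * 40 + " 200\n"
    "2001-07-19 10:01:09 192.0.2.11 GET /images/logo.gif - 200\n"
    "2001-07-19 10:02:14 203.0.113.3 GET /search.idq CiRestriction=report 404\n"
    "2001-07-19 10:02:20 198.51.100.7 GET /DEFAULT.IDA " + "N" * 40 + " 200\n"
)

# Extensions handled by the Index Server ISAPI extension (idq.dll).
INDEX_SERVER_EXT = re.compile(r"\.(ida|idq)$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the most
    recent '#Fields:' directive (IIS may emit it more than once)."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_index_server_requests(text):
    """Return (findings, per-client counts) for every request whose URI
    stem targets an .ida or .idq resource, regardless of status code."""
    findings = []
    for rec in parse_w3c(text):
        stem = unquote(rec.get("cs-uri-stem", ""))
        if not INDEX_SERVER_EXT.search(stem):
            continue
        query = rec.get("cs-uri-query", "-")  # IIS logs '-' for no query
        findings.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec.get("c-ip"),
            "uri": stem,
            "status": rec.get("sc-status"),
            # An unusually long query is the footprint of an overflow attempt.
            "query_len": 0 if query == "-" else len(query),
        })
    return findings, Counter(f["client"] for f in findings)
```

Even a 404 on such a request is worth recording, since it shows a host probing for the mapping after it has been removed.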

* NEWS: FACTOR A 576-BIT NUMBER AND EARN $10,000
   RSA Labs launched a challenge designed to reveal the factors of
particular types of large integers. RSA launched a similar Factoring
Challenge in 1999, and this latest challenge will reward successful
participants with cash prizes up to $200,000 for factoring a 2048-bit
number. RSA will reward participants with lesser amounts for
successfully factoring numbers with bit lengths that range from 576 bits
to 1536 bits. 
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21923

* FEATURE: THE 7 HABITS OF HIGHLY AVAILABLE EXCHANGE SERVERS
   Consulting about Microsoft Exchange Server availability is like
watching the Looney Tunes' Wile E. Coyote: Watch for a while, and you can
begin to predict the mistakes that lead to the falls. You also learn
that the falls aren't as deadly as the pounding that follows close
behind. After years of working with Exchange Server organizations, Evan
Morris identified the factors that can lead to falls from high
availability and the disaster recovery mistakes that can make these
falls catastrophic. Inspired by Stephen R. Covey's bestseller The Seven
Habits of Highly Effective People (Simon & Schuster, 1999), Evan has
identified seven factors that help organizations prevent Exchange Server
system failures and maintain high availability.
   http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21519

* FEATURE: NETWORK TROUBLESHOOTING WITH A POCKET PC
   Portable computers can be valuable network troubleshooting tools.
Joshua Orrison recently tested the practicality of using his Compaq iPAQ
Pocket PC as a troubleshooting tool. Using an Ethernet adapter that
plugs into the device's optional expansion pack, Joshua easily connected
to a hub in our network's demilitarized zone (DMZ). He then used Ruksun
Software Technologies' Telnet Force and Net Force programs (for Windows
CE-based mobile computing devices) to perform several network
troubleshooting tasks. Read all about it in Joshua's article on our Web
site.
   http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21515

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: HACK ATTACKS REVEALED: A COMPLETE REFERENCE WITH
CUSTOM SECURITY HACKING TOOLKIT
   By John Chirillo
   List Price: $59.99
   Fatbrain Online Price: $47.99
   Softcover; 944 pages
   Published by John Wiley & Sons, May 2001
   ISBN 047141624X

For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=047141624X
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
   http://www.windowsitsecurity.com/panda

Virus Alert: W32/Sircam
   W32/Sircam is a worm that propagates through email by sending itself
to all the addresses found in the infected user's Outlook Address Book.
After the worm infects a system, it modifies the Windows Registry to
ensure its execution every time a user runs an .exe file. One of every
10 times, the worm deletes some data from the computer's hard disk.
   http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1104

* FAQ: DOES WINDOWS 2000 INCLUDE AN UPDATE OF THE CHKDSK APPLICATION?
   (contributed by Bob Chronister, http://www.windows2000faq.com)

A. Win2K, Windows NT 4.0 Service Pack 5 (SP5), and NT 4.0 SP6 introduced
several new NTFS switches for Chkdsk. The /i switch performs a moderate
check of index entries, and the /c switch stops checking cycles within
the directory structure. I don't recommend using either switch because
they circumvent important file checks. The /x switch, which Win2K
introduced, dismounts a drive, then runs Chkdsk /f on the drive.
However, the /x switch doesn't work with the boot volume, and you can't
lock the volume (although the switch dismounts it).

6. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () win2000mag com)

* MONITOR YOUR WEB SERVER
   Cimcor released CimTrak Web Security Edition, a security system that
provides Web-server monitoring against intruders and features automated
countermeasures for immediate recovery. The system consists of the
WebMonitor, which resides on the Web server, and a CimTrak server. The
software program creates a unique digital signature of the Web server
files to store on the CimTrak server with a master repository of all
crucial files. The monitor compares the digital signatures of the Web
server and the CimTrak repository and notifies the administrator if the
two signatures differ. CimTrak Web Security Edition supports Microsoft
IIS for Windows 2000 and Windows NT and costs $2000 for the basic
package. Contact Cimcor at 219-736-4400 or 877-424-6267.
   http://www.cimcor.com

* SECURE EXCHANGE 2000 SERVER
   GROUP Software released securiQ Suite, a server-based security
application for Microsoft Exchange 2000 Server that features five
modules: (1) Watchdog protects against malicious attacks on email and
databases and disarms viruses at their core file structure. (2) Wall
scans and checks email content to protect against confidentiality
breaches and features spam and junk mail detection and prevention. (3)
Trailer adds a legal disclaimer to outgoing email messages to maintain
legal security. (4) Safe copies all email traffic and archives the
messages for legal protection and quality control. (5) Crypt provides
centralized, server-based email encryption with pretty good privacy
(PGP). For pricing, contact GROUP Software at 508-473-9940 or
877-476-8755.
   http://www.group-software.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: API Call to LogonUser Across Firewall
   (Five messages in this thread)

William saw something unusual in the logs today. He noticed that someone
tried to log on to the network using AdvAPI, which Microsoft says is an
API call to LogonUser. The authentication attempt came against the email
and Web server, which leads him to believe that the logon attempt came
in through one of the pinholes in the firewall, exposing 25, 80, 443 to
that one server. Read more about the problem and the responses, or lend
a hand at the following URL:
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=73116

* HOWTO MAILING LIST
   http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: Turning Down a BDC
   (Eleven messages in this thread)

This user is in the process of closing down remote offices that have
server gear. Due to special circumstances, the user will auction off
server gear when its data has been completely pulled and migrated. One
of the servers is a BDC, and instead of shutting down the BDC and
shipping it off to the auctioneers, the user wants to ensure the system
has no recoverable information. However, the user doesn't have physical
access to the systems at the remote office and would like to be able to
wipe the system's sensitive information remotely. Can you help? Read the
responses or lend a hand at the following URL:
http://63.88.172.96/go/page_listserv.asp?A2=IND0107C&L=HOWTO&P=869

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () win2000mag com

********************

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE () list win2000mag net.

If you have questions or problems with your UPDATE subscription, please
contact securityupdate () win2000mag com. 
___________________________________________________________
Copyright 2001, Penton Media, Inc.
-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.