Information Security News mailing list archives

Security UPDATE, September 26, 2001


From: InfoSec News <isn () c4i org>
Date: Thu, 27 Sep 2001 04:05:05 -0500 (CDT)

********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com
********************

September 26, 2001--In this issue:

1. IN FOCUS
     - Nimda Opens Potential for Subsequent Back Doors

2. SECURITY RISKS
     - Relative Path Vulnerability in PI-Soft SpoonFTP
     - Cisco ICDN SSL Vulnerability

3. ANNOUNCEMENTS
     - Check Out the New WebSphere Professional Site! 
     - MCP TechMentor--November 20 Through 22, 2001, London 

4. INSTANT POLL
     - Results of Previous Poll: Code Red Worms
     - Instant Poll: Nimda Worm

5. SECURITY ROUNDUP
     - News: Microsoft Offers Advice on Nimda Worm
     - Review: Netpulse 2000
     - Review: Desktop Firewalls

6. HOT RELEASE (ADVERTISEMENT)
     - Sponsored by VeriSign - The Internet Trust Company 

7. SECURITY TOOLKIT
     - Book Highlight: Know Your Enemy: Revealing the Security Tools, 
Tactics, and Motives of the Black-Hat Community
     - Virus Center
          - Virus Alert: W32/Vote
          - Virus Alert: W32/Nimda
     - FAQ: What Is the Internet Explorer 6.0 Unsafe-File List?

8. NEW AND IMPROVED
     - Firewall and VPN Appliance
     - Prevent Unauthorized Intrusion

9. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: FTP Blank Folder Name
     - HowTo Mailing List:
         - Featured Thread: Tools for Trust Relationships

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== COMMENTARY ====

Hello everyone,

Have you recovered from the Nimda worm yet? As you know, the worm 
spread rapidly, and computer users felt its effects far more heavily 
across the Internet than they felt the Code Red worm and its subsequent 
variations. To add insult to injury, Nimda leaves an infected system 
wide open to anyone who wants to connect--it maps shares and enables 
the Guest account and makes the account a member of the Administrators 
group.

Just about every security-related company has released advice, tools, 
and updates that help remove and prevent the Nimda infection. But as 
Greg Francis pointed out on our Win2KsecAdvice mailing list on Monday 
(see URL below), the Computer Emergency Response Team (CERT) is one of 
the few entities recommending that users perform a clean install of the 
OS to recover from infection. 
   http://63.88.172.96/listserv/win2ks-l.asp?a2=ind0109d&l=win2ksecadvice&P=94 

CERT's recommendation stems from the fact that infected systems make 
their IP addresses known by trying to infect other systems, and wily 
intruders know this. So during the time when Nimda infected a system, 
anyone could have connected to that system and inserted back doors or 
obtained proprietary data from the network. If you don't have detailed 
system-auditing in place that tracks all changes so that you can 
reverse them, you might be wise to completely reinstall the OS to be 
certain you've reinstated some level of network integrity. You might 
also want to consider changing usernames and passwords. 
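
The account and share changes described above (Guest enabled, Guest added to Administrators, shares opened) can be checked on a current Windows system with the added example below. It is not part of the original newsletter or of any tool it mentions; it assumes an elevated Windows PowerShell 5.1 or later session on a non-domain-controller host, and the function name Get-WormAccountFindings is hypothetical.

```powershell
# Added example; Get-WormAccountFindings is a hypothetical name.
# Run from an elevated Windows PowerShell 5.1+ session.
function Get-WormAccountFindings {
    $findings = @()

    # The built-in Guest account always has RID 501, so this survives a rename.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($guest -and $guest.Enabled) {
        $findings += "Guest account '$($guest.Name)' is enabled"
    }

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value })
    if ($guest -and ($adminSids -contains $guest.SID.Value)) {
        $findings += "Guest account '$($guest.Name)' is a member of Administrators"
    }

    # Resolve Everyone (S-1-1-0) to its local display name, then report every
    # share that grants access to Everyone or to the Guest account.
    $everyone = ([Security.Principal.SecurityIdentifier]'S-1-1-0').Translate(
        [Security.Principal.NTAccount]).Value
    $openTo = @($everyone)
    if ($guest) { $openTo += "$env:COMPUTERNAME\$($guest.Name)" }

    foreach ($share in Get-SmbShare) {
        $grants = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and $openTo -contains $_.AccountName
            }
        foreach ($g in $grants) {
            $findings += "Share '$($share.Name)' ($($share.Path)) grants " +
                "$($g.AccessRight) to $($g.AccountName)"
        }
    }
    return $findings
}

Get-WormAccountFindings
```

An empty result covers only these three changes; it says nothing about back doors placed while the system was exposed, which is the reason for the reinstall recommendation above.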

Reinstalling OSs and reassigning resources can be a difficult job, 
especially if the system is a domain controller (DC) or Active 
Directory (AD) server. It's far easier and cheaper to perform regular 
system maintenance and stay on top of the latest patches and 
configuration recommendations so that worms such as Nimda don't infect 
your systems. 

Microsoft has a great Web page (see URL below) full of tools, 
checklists, and updates that help you make your systems more secure. 
The Web page contains six checklists, three security updates, and nine 
tools. The checklists cover Windows NT, Microsoft IIS, and DC 
configurations; the security updates are for Microsoft Office and 
Outlook. The tools on the Web site are incredibly useful. I won't 
describe each one because you can learn about them at the Web page, but 
here are the available tools: IIS Lockdown, Microsoft Personal Security 
Advisory, Cleaner for Code Red II, Improved Cipher Security Tool, 
Qchain, Security Screen Savers, Windows 2000 Internet Server Security 
Tool, Security Planning Tool for IIS, and HFNetChk. Be sure to take a 
look at these resources.
   http://www.microsoft.com/technet/security/tools/tools.asp

As I mentioned last week, Microsoft announced that it has a beta 
version of HFNetChk 3.2 available for those who want to try the tool 
before Microsoft releases it (very soon). HFNetChk lets you inspect 
which hotfixes and patches are installed on any system. The tool works 
with an XML-based database that Microsoft provides and maintains. You 
can learn about the current version of HFNetChk in Paula Sharick's 
review on our Web site (see first URL below), and you can try the beta 
(see second URL below). Log on with the username HFNetChk and a 
password of FooBar. But be aware that if Microsoft releases HFNetChk 
3.2 this week, the beta will become unavailable. In that event, use the 
third URL below to obtain the release version.
   http://www.secadministrator.com/articles/index.cfm?articleid=22369
   http://www.betaplace.com
   http://www.microsoft.com/technet/security/tools/hfnetchk.asp

Because HFNetChk inspects system files based on an XML database, you 
can create XML databases to use with HFNetChk that perform other types 
of system checks (e.g., checking for the current strain of Nimda 
infection). Russ Cooper, operator of the NTBugTraq Web site and mailing 
list, has made an XML file available for HFNetChk that checks a system 
for Nimda infection. You can learn about Cooper's tool at the URL 
below. If you already have a copy of HFNetChk, use Cooper's XML 
database right away by using the following command: 
   HFNETCHK -x
   http://www.ntbugtraq.com/nimdachk.asp

Because Nimda leaves a system wide open, an attacker can use HFNetChk 
to determine what other security vulnerabilities an infected system 
might have. Be sure to apply all crucial system updates. You can find a 
list of updates for Windows 2000 systems at the first URL below and the 
Microsoft Post-Service Pack 6a (SP6a) Security Rollup Package for 
Windows NT at the second URL below.
   http://www.microsoft.com/windows2000/downloads/critical/default.asp
   http://support.microsoft.com/support/kb/articles/Q299/4/44.asp

Many sites that are immune to Nimda infection are experiencing network 
problems from the worm because of the large amount of traffic that 
infected sites generate. Worms such as Code Red and Nimda show us that 
lax security on one network quickly becomes the detriment of another 
network. These worms also show us that users remain unaware of the 
extreme need to stay on top of security matters daily.

Microsoft has a solution for IIS users who overlook security hotfixes. 
As you probably learned when you read Tim Huckaby's commentary from the 
September 25 issue of IIS Administrator UPDATE, the upcoming Microsoft 
Internet Information Services (IIS) 6.0 is a complete paradigm shift; 
it provides an infrastructure that installs security hotfixes by 
default. IIS 6.0 also lets you download hotfixes and apply them 
automatically as they become available. You can also find the article 
on our Security Administrator Web site (see URL below). Until next 
time, have a great week.
   http://www.secadministrator.com/articles/index.cfm?articleid=22673

Sincerely,

Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () win2000mag com)

* RELATIVE PATH VULNERABILITY IN PI-SOFT SPOONFTP
   Joe Testa reported that a vulnerability in Pi-Soft SpoonFTP 
1.1 lets an attacker use relative paths to break out of an FTP 
root directory. The vendor, Pi-Soft Consulting, has released version 
1.1.0.1 to fix this problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=22549

* CISCO ICDN SSL VULNERABILITY
   Cisco Systems reported that a vulnerability in its Internet
Content Distribution Network (ICDN) can result in unauthorized access 
over Secure Sockets Layer (SSL) through cached credentials. The company 
has issued a notice regarding this vulnerability and recommends that 
users of ICDN 2.0 upgrade to 2.0.1 through usual support channels. 
Versions of ICDN prior to 2.0 are not affected because these releases 
don't use the vulnerable RSA BSAFE SSL-J library.
   http://www.secadministrator.com/articles/index.cfm?articleid=22550

3. ==== ANNOUNCEMENTS ====

* CHECK OUT THE NEW WEBSPHERE PROFESSIONAL SITE!
   Look to this great new site for invaluable resources, such as our V4 
Portal, which brings you fast, in-depth information about V4, the 
WebSphere Road Map that will help you get started, DocFinder for help 
finding IBM WebSphere reference materials, and forums for your 
questions and comments. While there, sign up for FREE email newsletters 
with news you can use!
   http://www.webspherepro.com

* MCP TECHMENTOR--NOVEMBER 20 THROUGH 22, 2001, LONDON
   MCP TechMentor provides network and certification training for 
Windows professionals with technical workshops, preparation sessions, 
and professional development advice specifically designed to make the 
most of your Windows 2000 education experience. Visit the Web site at 
http://www.techmentor.co.uk for more details, or call +44 (0) 1483 
469088.

4. ==== INSTANT POLL ==== 

* RESULTS OF PREVIOUS POLL: CODE RED WORMS 
   The voting has closed in Windows 2000 Magazine's Security 
Administrator Channel nonscientific Instant Poll for the question, "Has 
your system become infected by the Code Red Worms?" Here are the 
results (+/-2 percent) from the 1900 votes:
   - 23% Yes 
   - 72% No 
   -  5% Not sure 

* INSTANT POLL: NIMDA WORM
   The current Instant Poll question is, "How has the Nimda worm 
affected your organization?" Go to the Security Administrator Channel 
home page and submit your vote for a) Significantly--we've lost days 
disinfecting systems, b) Somewhat, c) Hardly at all, or d) Not at all.
http://www.secadministrator.com

5. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT OFFERS ADVICE ON NIMDA WORM
   Microsoft has posted specific information regarding the Nimda worm 
that details several actions users should take against infected 
systems. The document includes a list of patches and procedures that 
users should apply to prevent similar problems in the future.
   http://www.microsoft.com/technet/security/topics/nimda.asp

* REVIEW: NETPULSE 2000
   Labcal Technologies' NetPulse 2000 is a management tool that helps 
you assess the fundamental security of your systems and apply 
prepackaged or custom security solutions. The product, which operates 
in Windows 2000 and Windows NT 4.0 environments, targets well-
documented security problems. Although this functionality isn't 
groundbreaking, Labcal's approach is unique. By designing NetPulse so 
administrators with basic knowledge can secure their systems with 
minimal effort, the company has geared NetPulse directly toward small 
and midsized organizations. However, NetPulse can also operate in large 
environments. Learn all about it in Sean Porter's review on our Web 
site!
   http://www.secadministrator.com/articles/index.cfm?articleid=21863

* REVIEW: DESKTOP FIREWALLS
   Desktop firewalls serve a purpose similar to that of a safe in your 
home. Your home's doors have locks, which are your primary means of 
intrusion prevention. However, you might also install a safe within 
your home because locked doors aren't foolproof deterrents. For the 
most part, you'll spend less money to install and maintain desktop 
firewalls than you'll spend to recover from an intrusion. The October 
2001 issue of Windows 2000 Magazine features a Buyer's Guide that 
provides an overview of available desktop firewall solutions. You can 
also find the guide in a PDF file on our Web site. Be sure to check it 
out!
   http://www.secadministrator.com/articles/index.cfm?articleid=22241

6. ==== HOT RELEASE (ADVERTISEMENT) ====

* SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY
   Secure your servers with 128-bit SSL encryption! Grab your copy of 
VeriSign's FREE Guide, "Securing Your Web site for Business," and 
you'll learn everything you need to know about using 128-bit SSL to 
encrypt your e-commerce transactions, secure your corporate intranets 
and authenticate your Web sites. 128-bit SSL is serious security for 
your online business. Get it now!
   http://www.verisign.com/cgi-bin/go.cgi?a=n094449760013000 

7. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: KNOW YOUR ENEMY: REVEALING THE SECURITY TOOLS, 
TACTICS, AND MOTIVES OF THE BLACK-HAT COMMUNITY
   By Lance Spitzner, Honeynet Project
   List Price: $39.99
   Fatbrain Online Price: $31.99
   Softcover; 368 pages
   Published by Addison Wesley Longman, September 2001
   ISBN 0201746131

For more information or to purchase this book, go to 
http://lists.win2000mag.net/cgi-bin3/flo?y=eHmp0CJgSH0BVg0LBe0AH 
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

Virus Alert: W32/Vote
   A new virus, W32/Vote, is circulating on the Internet. The virus 
comes in the form of an email with the message subject of "FW: Peace 
Between America and Islam!" The body of the message reads, "Is it a war 
against America or Islam? Let's vote to live in peace!" The message 
also contains a file attachment named wtc.exe, which installs a copy of 
the virus on the system when the user runs the file. The file then 
modifies the registry to run the virus each time the user boots the 
system. 
   http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusid=1111

Virus Alert: W32/Nimda
   Nimda is a worm that affects Outlook, Internet Explorer (IE), and 
Microsoft IIS. The worm leaves an infected system wide open to attack 
and can spread in four ways: Web servers, Web clients, email clients, 
and disk files. 
   http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusid=1110

* FAQ: WHAT IS THE INTERNET EXPLORER 6.0 UNSAFE-FILE LIST?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. Internet Explorer (IE) 6.0 contains a hard-coded list of unsafe file 
types in the shdocvw.dll file. IE 6.0 uses the unsafe-file list to 
prevent you from accidentally opening a file type that might cause 
problems on your computer. The complete list of file types is available 
on our Web site at the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=22493

8. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () win2000mag com)

* FIREWALL AND VPN APPLIANCE
   Symantec released a new version of its VelociRaptor firewall and VPN 
appliance, which comes in three models. You'll find the 500 model 
suitable for protecting networks that have as many as 50 nodes. The 700 
model features an unlimited node license and can protect networks with 
speeds as fast as a T3. The 1000 model also features an unlimited node 
license that users can employ for securing Ethernet-speed networks. For 
pricing, contact Symantec at 408-517-8000 or 800-745-6054.
   http://www.symantec.com

* PREVENT UNAUTHORIZED INTRUSION
   Smith Micro Systems released CheckIt Firewall, a PC firewall that 
prevents unauthorized Internet intrusion while controlling outbound 
communication of personal or sensitive data. You can customize the 
firewall for specific applications and trusted IP addresses, ports, or 
protocols. Also, you can specify different security rules for different 
times. The CheckIt Firewall runs on Windows 2000, Windows NT, Windows 
Me, and Windows 9x systems and costs $39.95. Contact Smith Micro 
Systems at 949-362-5800.
   http://www.smithmicro.com

9. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: FTP Blank Folder Name
   (Three messages in this thread)

Robert has a blank folder that someone created in his public FTP site. 
He can't delete this folder from a command prompt or Internet Explorer 
(IE), and the Recovery Console won't let him access the folder. Read 
more about the question and the responses or lend a hand at the 
following URL: 
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=78747

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Tools for Trust Relationships
   (Four messages in this thread)

This user is looking for a tool to help him monitor trust relationships 
between domains. Do you know of a tool that can help? Read the responses 
or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0109c&l=howto&p=483

10. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () win2000mag com

********************

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|



-
ISN is currently hosted by Attrition.org
