Information Security News mailing list archives

Security UPDATE, September 5, 2001


From: InfoSec News <isn () c4i org>
Date: Thu, 6 Sep 2001 01:09:36 -0500 (CDT)

********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY...15 MIN. LATER HE WAS IN THE PRINCIPAL'S 
OFFICE! ~~~~

http://lists.win2000mag.net/cgi-bin3/flo?y=eHMn0CJgSH0BVg0Kjq0AY 

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: ...15 MIN. LATER HE WAS IN THE PRINCIPAL'S OFFICE! ~~~~
   A high school network administrator installed Event Log 
Monitor on classroom servers to evaluate system performance. The 
next day, ELM alerted him that a student was trying to break 
into the system. Within 15 minutes, the would-be hacker was in 
the Principal's office waiting for his parents to arrive. Use 
Event Log Monitor to keep tabs on your security perimeter. 
Because these aren't the only computers teenagers like to hack 
into.
   For more information, visit
   http://lists.win2000mag.net/cgi-bin3/flo?y=eHMn0CJgSH0BVg0Kjq0AY 
********************

September 5, 2001--In this issue:

1. IN FOCUS
     - Parasitic Computing

2. SECURITY RISK
     - Multiple Vulnerabilities in Mozilla Bugzilla

3. ANNOUNCEMENTS
     - New!! Get on the Fast Track with T-SQL Solutions!
     - Sound Off About Your Technical Training Needs!

4. SECURITY ROUNDUP
     - News: Grand Jury Indicts Russian Company and Programmer
     - News: New Worm Masquerades as Email from Microsoft Technical 
       Support
     - News: Microsoft Confirms Tagging Beta XP CDs
     - News: Microsoft Releases IE 6 to Web
     - News: Microsoft Releases New IIS Lockdown Tool
     - Feature: Create Home Directories and Set NTFS Permissions with a 
Web Script
     - Review: bv-Control for Internet Security 3.0

5. HOT RELEASE (ADVERTISEMENT)
     - Sponsored by Verisign - The Internet Trust Company

6. SECURITY TOOLKIT
     - Book Highlight: Malicious Mobile Code: Virus Protection for 
Windows
     - Virus Center
          - Virus Alert: X97M/Laroux.DO
     - Tip: Resetting Lost Passwords

7. NEW AND IMPROVED
     - Extend Policy-Based Security to Remote Users
     - Fix Security Vulnerabilities and Stability Problems

8. HOT THREAD
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Restricted Desktops
     
9. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

Is there an end to the ways in which attackers can exploit a networked 
computer system? Probably not. I read an interesting story in the 
current issue of "Nature" magazine (see URL below) entitled "Parasitic 
Computing" that reveals yet another way intruders can attack networked 
systems. The article, written by three men from the University of Notre 
Dame, discusses a method of exploiting nuances of the TCP/IP protocol 
family to cause systems to unwittingly participate in a distributed 
computing effort (e.g., solving mathematical problems). Exploits of this 
type work by treating whether a packet's TCP checksum verifies as the 
indicator of whether the packet's contents satisfy a given formula.
   http://www.nature.com

In summary, attackers construct packets that contain a candidate answer 
for a given math problem, then send the packets to remote systems that 
test the potential answer during normal packet checksum analysis. 
Because the attackers specifically construct the packets in a particular 
manner, when a target system receives that packet, the packet's checksum 
should succeed only when it contains the correct response to the 
mathematical problem. In this way, a system made to perform such 
computations responds back to the rogue client only when it actually has 
a correct answer to the problem. 

As an example, the story points out that the HTTP protocol is required 
to respond to all requests received. But in the case of this type of 
parasitic computing, the HTTP service won't understand a valid packet's 
message, so it will simply respond to the client that it didn't 
understand the request. The client can then interpret that response as
an acknowledgement that the packet contained the answer to the 
mathematical problem. And it's unlikely that the HTTP service would log 
anything because the attacker didn't make a valid request, and the 
system never established a valid session. 

Interesting, don't you think? But don't worry about stolen CPU cycles 
too much just yet. The proof-of-concept the story presents--by the 
authors' own admission--isn't efficient enough to be useful for a 
practical exploit. Nevertheless, the authors point out that any 
impracticality is a function of the limitations in their proof-of-
concept and not necessarily reflective of limitations of the overall 
concept of parasitic computing. It's entirely possible to develop a 
program that more efficiently exploits checksum analysis, and guarding 
against that type of unauthorized CPU usage is difficult. Read the story 
and let me know what you think. 
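As an added example (not from the newsletter or from the "Nature" paper it summarizes), the following Python shows the arithmetic behind the column's description: the RFC 1071 Internet checksum that TCP uses, the accept-or-drop test a receiving stack applies, and why holding the checksum field at a fixed value turns that test into a free evaluation of a yes/no predicate on the payload. The header layout, port numbers and fixed checksum value are constructed for illustration, and the IP pseudo-header that a real TCP checksum covers is left out for clarity (it only shifts the constant in the sum). Nothing here touches a network.

```python
"""Why a TCP receiver's checksum check is an unwitting predicate evaluator.

Added example; constructed data throughout, no packets are sent anywhere.
"""
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of big-endian 16-bit
    words, carries folded back in, result complemented. Odd length is padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f">{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def receiver_accepts(segment: bytes) -> bool:
    """What a receiving stack does: re-sum the whole segment with the checksum
    field still in place. A good segment sums to all ones, i.e. complements to
    zero; anything else is dropped silently, before any application sees it."""
    return internet_checksum(segment) == 0


# Constructed TCP-style header (src port, dst port, seq, ack, data offset,
# flags=SYN, window). The IP pseudo-header is omitted for clarity.
HEADER_PREFIX = struct.pack(">HHIIBBH", 12345, 80, 1, 0, 5 << 4, 0x02, 8192)


def build_segment(checksum_field: int, payload: bytes) -> bytes:
    """Header prefix + checksum field + urgent pointer (0) + payload."""
    return HEADER_PREFIX + struct.pack(">HH", checksum_field, 0) + payload


def legitimate_segment(payload: bytes) -> bytes:
    """A normal sender: compute the checksum with the field zeroed, then fill it."""
    csum = internet_checksum(build_segment(0, payload))
    return build_segment(csum, payload)


def flip_bit(segment: bytes, byte_index: int) -> bytes:
    """Corrupt one bit so the receiver's check fails."""
    out = bytearray(segment)
    out[byte_index] ^= 0x01
    return bytes(out)


def oracle_answers(fixed_checksum: int, candidates) -> list:
    """The parasitic-computing view: keep the checksum field at a chosen value
    and vary the payload. The receiver 'answers' (check passes, garbage reaches
    the HTTP service, which replies that it did not understand) only for payload
    words that complete the one's-complement sum to all ones. Its reply-or-
    silence is therefore a free evaluation of that arithmetic predicate."""
    return [c for c in candidates
            if receiver_accepts(build_segment(fixed_checksum, struct.pack(">H", c)))]
```

The last function is the whole point of the column: the receiving host never decides to compute anything, it simply does what every stack does. Because the rejected probes are discarded inside the stack, application and session logs see nothing, exactly as the article notes; the only place such traffic leaves a trace is packet-level telemetry (on Linux, the Tcp line of /proc/net/snmp carries an InCsumErrors counter), so a sudden rise in checksum failures from one source is the signal a defender would watch for.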

On another note, in the August 15 Security UPDATE, I reported that 
Microsoft had released its new Post-Service Pack 6a (SP6a) Security 
Rollup Package (SRP). Since that time, I've received numerous email 
messages about a serious problem with the SRP. In some cases, when you 
uninstall the SRP, the system no longer boots properly. This problem 
occurs on systems that have SYSKEY installed to protect the SAM 
database. The NTBugTraq mailing list recently posted a workaround for 
this problem. A list member reports that to successfully uninstall the 
SRP, you must first edit the associated uninst.inf file (located in the 
\%SYSTEMROOT%\$NtUninstallQ299444$ directory) to remove the entries for 
the lsasrv.dll and samsrv.dll files, which are located in the section 
labeled [systemroot\system32.restore.nodely.files]. After you remove the 
entries, you can safely uninstall the SRP without causing the system to 
hang during its boot phase. 
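The edit to uninst.inf described above is easy to get wrong by hand on a file with several similarly named sections, so here is an added Python helper (not from the newsletter, NTBugTraq or Microsoft) that removes only the lsasrv.dll and samsrv.dll entries, only from the [systemroot\system32.restore.nodely.files] section, and reports what it removed so the change can be reviewed before the uninstall. The sample INF text is constructed; it assumes each entry in that section starts with the file name (the real Q299444 file may carry extra comma-separated fields, which the matcher tolerates by looking at the first field only). Run it against a copy of the file; the original is backed up before being rewritten.

```python
"""Remove specific file entries from one section of an INF-style file.

Added example with constructed sample data; not the Security Rollup Package's
actual uninst.inf.
"""
from pathlib import Path

TARGET_SECTION = r"[systemroot\system32.restore.nodely.files]"
ENTRIES_TO_DROP = frozenset({"lsasrv.dll", "samsrv.dll"})

# Constructed sample. A second section deliberately lists lsasrv.dll too, to
# show that entries outside the target section are left alone.
SAMPLE_INF = r"""[Version]
Signature="$Windows NT$"

[systemroot\system32.restore.nodely.files]
; files restored on uninstall
lsasrv.dll
samsrv.dll
ntoskrnl.exe

[systemroot\system32.restore.delay.files]
lsasrv.dll
"""


def strip_entries(inf_text: str, section: str = TARGET_SECTION,
                  drop: frozenset = ENTRIES_TO_DROP):
    """Return (new_text, removed_lines). Entries whose first comma-separated
    field matches `drop` are removed from `section` only; section-name
    comparison is case-insensitive, as INF section names are on Windows."""
    out, removed = [], []
    in_target = False
    for line in inf_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_target = stripped.lower() == section.lower()
        elif in_target and stripped and not stripped.startswith(";"):
            name = stripped.split(",")[0].strip().strip('"').lower()
            if name in drop:
                removed.append(stripped)
                continue
        out.append(line)
    return "".join(out), removed


def patch_inf_file(path: Path) -> list:
    """Back up `path` as <name>.orig, rewrite it without the entries, and return
    the removed lines. Bytes are decoded/encoded as latin-1 so that nothing
    outside the removed lines changes."""
    original = path.read_bytes()
    path.with_suffix(path.suffix + ".orig").write_bytes(original)
    new_text, removed = strip_entries(original.decode("latin-1"))
    path.write_bytes(new_text.encode("latin-1"))
    return removed


if __name__ == "__main__":
    text, gone = strip_entries(SAMPLE_INF)
    print("removed:", gone)
    print(text)
```

On the sample, the two entries disappear from the target section while ntoskrnl.exe and the lsasrv.dll line in the other section remain. Reviewing the returned list before running the uninstall is the check that matters: if it lists anything other than the two DLLs the workaround names, stop and look at the file.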

Before I sign off this week, I want to ask if you've seen our monthly 
Security Administrator print newsletter? If you haven't, you're missing 
some really good content! In the current issue (September 2001), you'll 
find articles about manipulating services with scripts; securing Windows 
2000 certificate services; removing C-2 compliant settings; securing 
private key storage, remote procedure call (RPC), and firewall 
configuration; properly applying security settings in Group Policy 
Objects (GPOs); tips on using IP Security (IPSec); and much more. Stop 
by our home page (see the URL below), and sign up for a free sample 
issue. It's a great resource! Until next time, have a great week.
   http://www.secadministrator.com

Sincerely,

Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISK ====
   (contributed by Ken Pfeil, ken () win2000mag com)

* MULTIPLE VULNERABILITIES IN MOZILLA BUGZILLA
   Multiple vulnerabilities exist in the Bugzilla Web-based bug-tracking 
system available from Mozilla.org, some of which include unauthorized 
access to confidential information and passwords being stored in plain 
text. Mozilla.org has released version 2.14, which fixes the 
vulnerabilities.
   http://www.secadministrator.com/articles/index.cfm?articleid=22374

3. ==== ANNOUNCEMENTS ====

* NEW!! GET ON THE FAST TRACK WITH T-SQL SOLUTIONS!
   T-SQL Solutions, a monthly print newsletter from SQL Server Magazine, 
provides practical advice and multilevel code examples geared to SQL 
Server developers and administrators. T-SQL Solutions features exclusive 
content, how-to articles, tips, tricks, and programming techniques 
offered by SQL Server experts. Reserve your FREE sample issue today.
   http://www.sqlmag.com/sub.cfm?code=ftei311htw

* SOUND OFF ABOUT YOUR TECHNICAL TRAINING NEEDS!
   Windows 2000 Magazine is conducting a short survey designed to 
measure your technical training experiences and requirements. Don't miss 
this opportunity to weigh in with your peers. Tell us what you think 
today!
   http://www.zoomerang.com/survey.zgi?Y14DPBV26XRDTSK8FB9E8EV0

4. ==== SECURITY ROUNDUP ====

* NEWS: GRAND JURY INDICTS RUSSIAN COMPANY AND PROGRAMMER 
   On August 27, a US grand jury handed down a five-count indictment 
that charges Russian company Elcomsoft and one of its programmers, 
Dmitry Sklyarov, with trafficking and conspiracy to traffic devices that 
circumvent copyright protections. Go to the following URL to learn more.
   http://www.secadministrator.com/articles/index.cfm?articleid=22334

* NEWS: NEW WORM MASQUERADES AS EMAIL FROM MICROSOFT TECHNICAL SUPPORT 
   Antivirus software-maker Central Command issued a warning on August 
30 about a newly discovered worm that masquerades as an email from 
Microsoft Technical Support. See the URL below for more details.
   http://www.secadministrator.com/articles/index.cfm?articleid=22335

* NEWS: MICROSOFT CONFIRMS TAGGING BETA XP CDS 
   In a message to security expert Steve Gibson, Microsoft admitted on 
August 28 that it had secretly tagged the Windows XP downloads for 
technical beta testers to catch the software pirates who had been giving 
out builds of the product for the past year.
   http://www.secadministrator.com/articles/index.cfm?articleid=22311

* NEWS: MICROSOFT RELEASES IE 6 TO WEB 
   Microsoft has released a version of Internet Explorer (IE) that users 
can download free from the Web. IE 6 arrives with a little controversy--
the browser lacks support for the older Netscape-compatible plug-ins.
   http://www.secadministrator.com/articles/index.cfm?articleid=22292

* NEWS: MICROSOFT RELEASES NEW IIS LOCKDOWN TOOL 
   Microsoft released a new security tool called IIS Lockdown that lets 
users quickly secure a Microsoft Internet Information Services (IIS) 5.0 
or Internet Information Server (IIS) 4.0 system.
   http://www.secadministrator.com/articles/index.cfm?articleid=22304

* FEATURE: CREATE HOME DIRECTORIES AND SET NTFS PERMISSIONS WITH A WEB 
SCRIPT 
   In his feature for our Win32 Scripting Newsletter, Ethan Wilansky 
offers a Web script that displays a Web form that Help desk operators 
can use to create home directories and set NTFS permissions. The script 
uses a variety of scripting technologies, including Windows Management 
Instrumentation (WMI).
   http://www.secadministrator.com/articles/index.cfm?articleid=22048

* REVIEW: BV-CONTROL FOR INTERNET SECURITY 3.0
   BindView's bv-Control for Internet Security 3.0 is a high-end 
security-management product designed to be a small to midsized network's 
first line of defense against security breaches. BindView has built bv-
Control for Internet Security on the battle-proven architecture of its 
bv-Control network-management suite. Learn all about it in Jonathan 
Chau's review on our Web site!
   http://www.secadministrator.com/articles/index.cfm?articleid=21860

5. ==== HOT RELEASE (ADVERTISEMENT) ====

* SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY
   Which security solution is right for your Web site? Get your 
FREE guide, "Securing Your Web Site For Business," to learn the 
facts. In the guide, find solutions for:
   * Encrypting online transactions 
   * Securing corporate intranets
   http://lists.win2000mag.net/cgi-bin3/flo?y=eHMn0CJgSH0BVg0Kjr0AZ 

6. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: MALICIOUS MOBILE CODE: VIRUS PROTECTION FOR WINDOWS
   By Roger A. Grimes
   Fatbrain Online Price: $27.96
   Softcover; 400 pages
   Published by O'Reilly & Associates, August 2001
   ISBN 156592682X

For more information or to purchase this book, go to the link at the end 
of this book highlight and enter WIN2000MAG as the discount code when you 
order the book.
   http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=156592682X 

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

Virus Alert: X97M/Laroux.DO
   X97M/Laroux.DO is a macro virus that infects Microsoft Excel 97 
spreadsheets. The virus creates a file called vera.xls in the Excel 97 
Startup directory. When a user runs Excel, vera.xls automatically loads 
and infects any other Excel files used from that point on.
   http://63.88.172.96/panda/Index.cfm?fuseaction=virus&virusid=883

* TIP: RESETTING LOST PASSWORDS
   (contributed by Wu Wen Long, wuwenlong () singapore com)

One of our readers, Wu Wen Long, sent the following tip regarding a way 
to reset lost passwords. "I discovered a method for using the Spooler 
service to work around lost passwords on a Windows NT 4.0 Service Pack 5 
(SP5) system. By default, the Spooler service starts automatically under 
the system account. When a user loses a password, log on to the system 
(you can log on with an account that doesn't have Administrator 
permissions) and rename spoolss.exe as spoolss.bak and usrmgr.exe as 
spoolss.exe. Restart the system. User Manager will appear under the 
system account, so you can modify the user's account, including 
resetting the username and password."

7. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () win2000mag com)

* EXTEND POLICY-BASED SECURITY TO REMOTE USERS
   InfoExpress released CyberArmor 2.0, a centrally managed firewall 
suite that includes CyberArmor client, Policy Manager, CyberServer, and 
CyberConsole to let you extend policy-based security to remote users who 
access corporate networks. CyberArmor client protects the end-user's PC 
and notifies users and CyberServer of attacks. Policy Manager creates 
and manages policies, run-time settings, and automatic updates. 
CyberServer logs user events and threats into a database. CyberConsole 
lets you view remote user systems and manage incidents through the 
database. For pricing, contact InfoExpress at 650-623-0260.
   http://www.infoexpress.com

* FIX SECURITY VULNERABILITIES AND STABILITY PROBLEMS
   St. Bernard Software released UpdateEXPERT 5.1, automated research, 
inventory, deployment, and validation software that lets you fix 
security vulnerabilities and stability problems. The software 
inventories networked machines and identifies installed OS and 
application updates. You can research and select updates for 
applications, and the software remotely deploys and validates the 
selected updates. For pricing, contact St. Bernard Software at 858-676-
2277 or 800-782-3762.
   http://www.stbernard.com

8. ==== HOT THREAD ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: Restricted Desktops
   (Four messages in this thread)

Clint wants to know where he can find good articles on how to manage and 
restrict Windows 98 user desktops used with a Windows 2000 server. Read 
more about the question and the responses, or lend a hand at the 
following URL:
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=76502

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () win2000mag com

********************

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

