Security UPDATE, April 24, 2002

[InfoSec News <isn () c4i org>]

******************** 
Windows & .NET Magazine Security UPDATE--brought to you by Security 
Administrator, a print newsletter bringing you practical, how-to 
articles about securing your Windows .NET Server, Windows 2000, and 
Windows NT systems. 
   http://www.secadministrator.com 
******************** 

~~~~ THIS ISSUE SPONSORED BY ~~~~

FREE--SANS Top Trends in Security Management
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0rCF0Al

SPI Dynamics Web Application Security White Paper
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zPL0AE
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: FREE--SANS TOP TRENDS IN SECURITY MANAGEMENT ~~~~ 
   What's the hottest trend shaping security this year? Read the FREE 
SANS report sponsored by NetIQ to find out. Learn what the top industry 
authorities had to say about security management in 2002. You'll gain 
valuable insights and expert advice on crucial topics including new 
threats, automated patching and continuous monitoring. Don't get left 
behind--discover the top 8 security trends for 2002 now. Download the 
must-have report today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0rCF0Al

~~~~~~~~~~~~~~~~~~~~ 

April 24, 2002--In this issue: 

1. IN FOCUS
     - Security Checklists and Handy Tools 
 
2. SECURITY RISKS
     - Buffer Overflow in talentsoft's Web+ 5.0 and Web+ 4.6 Affects 
Microsoft IIS
     - Cross-Site Scripting Vulnerability in Microsoft IE

3. ANNOUNCEMENTS
     - Learn from (or Try to Stump) Top Windows Security Pros
     - Cast Your Vote for Our Reader's Choice Awards!

4. SECURITY ROUNDUP
     - News: Microsoft Article Q320751: DoS Workarounds
     - News: New Variant of Klez Worm Spreading 
     - News: eEye Digital Security and St. Bernard Software Bundle 
Software
     - News: WebEyeAlert and Amcest Partner for Video Surveillance

5. INSTANT POLL
     - Results of Previous Poll: Hotfix Availability Notification
     - New Instant Poll: Antivirus Defense Location

6. SECURITY TOOLKIT
     - Virus Center
          - Virus Alert: W32/Klez.I
     - FAQ: How Can I Disable IPSec on a VPN Connection That Uses L2TP?

7. NEW AND IMPROVED
     - Secure Your Company with Cameras
     - Protect Your Hardware from Theft

8. HOT THREADS 
     - Windows & .NET Magazine Online Forums
         - Featured Thread: View All Permissions and Shares
     - HowTo Mailing List
         - Featured Thread: Exceeding the 512-Character Limit of the 
           Legal Logon Notice

9. CONTACT US 
   See this section for a list of ways to contact us. 

~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor, 
mark () ntsecurity net) 

* SECURITY CHECKLISTS AND HANDY TOOLS 

When you perform a new software installation, do you use a checklist to 
make sure you've adjusted the configuration for better security? 
Numerous helpful checklists are available for various systems, many of 
them online. Windows & .NET Magazine published a new guide in February 
2002, which is available for free: "Secure Your Operating System--
Guidelines for Hardening Windows 2000." 

Jan De Clercq, who writes the NT Gatekeeper column for the Security 
Administrator print newsletter, developed the checklist, which covers a 
variety of system-configuration settings. The guide covers topics such 
as authentication, access control, system-related hardening features, 
Group Policy settings, and using Microsoft's Security Configuration 
Tool Set. The guide also includes references to many security tools and 
resources available for free. You can download a copy of the guide in 
PDF format at the IT Buyer's Network Web site.
   http://www.itbuynet.com/pdf/0202-security.pdf

I also recommend a set of free checklists from Australian-based company 
InterSect Alliance. You'll find valuable checklists for five products 
that many of you use: Win2K, Windows NT, Microsoft IIS, Apache Web 
server, and Linux. 

The checklists cover several aspects of the products, and, as you might 
expect, each checklist begins with suggestions about how to perform 
installation. The checklists also discuss network services and network 
access controls, object access controls, subsystems that particular 
products contain, and, of course, auditing. Even if you have checklists 
you already use, stop by the Web site and examine these lists as well--
you might find additional items for consideration that you've 
overlooked.
   http://www.intersectalliance.com/projects/index.html

Arne Vidstrom, Swedish security aficionado, recently released a new 
security tool--PromisDetect--which is available for free. The tool runs 
on Windows XP, Win2K, and NT. The tool checks systems to determine 
whether their network adapters are running in promiscuous mode. Systems 
whose network adapter cards run in promiscuous mode probably run 
software that acts as a traffic sniffer, and you don't want just 
anybody running a sniffer on your network. As you know, network packets 
often contain sensitive information, including authentication data and 
proprietary company information, so letting sniffers run unchecked on 
the network weakens overall security. PromisDetect is a good way to 
identify rogue sniffers. However, as Vidstrom notes, because someone 
running a sniffer might also be intercepting traffic from software 
designed to detect sniffers, PromisDetect and similar sniffer detectors 
aren't foolproof. You can download a copy of PromisDetect, as well as 
several other useful security-related tools, at Vidstrom's Web site.
   http://www.ntsecurity.nu/toolbox

As I read our "HowTo for Security" mailing list last week (you can 
subscribe at the URL below), I noticed that subscribers were asking how 
to map listening ports back to their respective system services. As you 
know, using a command such as the "netstat –a" command or the "netstat 
–an" command can produce a list of ports, port service names, and IP 
addresses. However, the lists don't include a map to the actual system 
service that opened the port in the first place. Although you can see 
which port is listening, which computer system is connected to it, and 
which service the port is typically used for, you're still in the dark 
about which application on your system actually opened the port.
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 

Fortunately, tools are available that support further discovery. 
Foundstone's Fport tool maps listening ports to the software on your 
system that opened the port. When you run the Fport tool, you see a 
list of open ports matched to a list of the applications that opened 
the ports. The list includes full pathnames so that you can more easily 
identify the exact programs referenced. You can download a copy of 
Fport and several other useful security tools at the Foundstone Web 
site.
   http://www.foundstone.com/knowledge/proddesc/fport.html

Finally, are you keeping up with Microsoft security bulletins and 
related hotfixes? Even if you are, keep in mind that occasionally 
Microsoft publishes workarounds for security problems without releasing 
a related bulletin to alert you to the need for system-configuration 
adjustments. For example, Microsoft recently released the article, 
"Denial of Service Attack on Port 445 May Cause Excessive CPU Use" 
( http://support.microsoft.com/default.aspx?scid=kb;en-us;q320751 ). 
The article discusses registry settings that can help prevent 
particular Denial of Service (DoS) attacks. You can read about the 
matter in the related news story in this issue of Security UPDATE.
   http://www.secadministrator.com/articles/index.cfm?articleid=24948

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: SPI DYNAMICS WEB APPLICATION SECURITY WHITE PAPER ~~~~ 
   ALERT! Web applications are the new area of attack for hackers!
   By taking advantage of your website and using it to exploit your 
applications, a hacker can gain access to your backend data. All 
undetectable by today's methods of Internet security! Download this 
*FREE* white paper from SPI Dynamics that provides a complete guide of 
vulnerabilities and steps for protection!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zPL0AE
   
~~~~~~~~~~~~~~~~~~~~ 

2. ==== SECURITY RISKS ====

* BUFFER OVERFLOW IN TALENTSOFT'S WEB+ 5.0 AND WEB+ 4.6 AFFECTS 
MICROSOFT IIS
   A buffer-overflow condition in talentsoft's Web+ 5.0 and Web+ 4.6 
could result in the execution of code on the vulnerable system under 
the system security context. Requesting a Wireless Markup Language 
(WML) file from a Web server and supplying an overly long cookie can 
cause the internal buffer to overflow, overwriting a saved return 
address on the stack. The vendor, talentsoft, has created a patch for 
this vulnerability. For a link to the patch, visit the URL below. 
   http://www.secadministrator.com/articles/index.cfm?articleid=24929

* CROSS-SITE SCRIPTING VULNERABILITY IN MICROSOFT IE
   Thor Larholm discovered a universal cross-site scripting 
vulnerability in Microsoft's WebBrowser control for Microsoft Internet 
Explorer (IE) that could result in elevated privileges and session-
hijacking of the MSN Messenger client. This vulnerability stems from an 
error in the validation code in the dialogArguments property. Detailed 
information is available on the discoverer's Web site (see the URL 
below). Microsoft hasn't released a hotfix or workaround for this 
problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=24928

3. ==== ANNOUNCEMENTS ====

* LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
   The Windows & .NET Magazine LIVE! event brings together industry 
gurus who take security seriously. Topic coverage includes Microsoft 
IIS security, deploying public key infrastructure (PKI), designing 
Group Policies to enhance security, tips for securing Windows 2000 
networks, security pitfalls (and solutions) for your mobile workforce, 
and more. Register today before this event sells out!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0qQl0Ac  

* CAST YOUR VOTE FOR OUR READER'S CHOICE AWARDS!
   Which companies and products do you think are the best on the 
market? Nominate your favorites in four different categories for our 
annual Windows & .NET Magazine Reader's Choice Awards. You could win a 
T-shirt or a free Windows & .NET Magazine Super CD, just for submitting 
your ballot. Click here!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zMs0Ao

4. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT ARTICLE Q320751: DoS WORKAROUNDS
   Peter Grundl, a researcher at KPMG in Denmark, discovered a Denial 
of Service (DoS) condition in Windows 2000 that could potentially cause 
systems to crash. Microsoft issued the article, "Denial of Service 
Attack on Port 445 May Cause Excessive CPU Use," 
(http://support.microsoft.com/default.aspx?scid=kb;en-us;q320751 ) 
regarding the matter. The article describes two methods to work around 
the vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=24948

* NEWS: NEW VARIANT OF KLEZ WORM SPREADING 
   Antivirus software maker Panda Software has issued a warning about a 
dangerous new worm variant, W32/Klez.I, which is spreading across 
Europe and Asia. Panda Software expects the virus to spread to the 
United States beginning this week.
   http://www.secadministrator.com/articles/index.cfm?articleid=24867

* NEWS: eEYE DIGITAL SECURITY AND ST. BERNARD SOFTWARE BUNDLE SOFTWARE
   eEye Digital Security and St. Bernard Software have announced a 
strategic partnership to bundle eEye's Retina Network Security Scanner 
software with St. Bernard's UpdateEXPERT software. The software bundle 
lets administrators use Retina Network Security Scanner to scan for 
security vulnerabilities and use UpdateEXPERT to help correct a problem 
by guiding the administrator through the process of installing patches 
and making configuration adjustments.
   http://www.secadministrator.com/articles/index.cfm?articleid=24925

* NEWS: WebEyeAlert AND AMCEST PARTNER FOR VIDEO SURVEILLANCE
   WebEyeAlert, which develops WebEyeAlert video security surveillance 
technology, announced a strategic partnership with Amcest, a nationwide 
monitoring service. Under the terms of the partnership, Amcest will 
offer its dealers the WebEyeAlert solution to promote free video 
monitoring services to its customers.
   http://www.secadministrator.com/articles/index.cfm?articleid=24924

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: HOTFIX AVAILABILITY NOTIFICATION
   The voting has closed in Windows & .NET Magazine's Security 
Administrator Channel nonscientific Instant Poll for the question, "If 
someone makes information about a security vulnerability public before 
the company whose product is involved has developed a fix, should that 
company notify customers about an estimated time when a fix will be 
available?" Here are the results (+/- 2 percent) from the 473 votes:
   - 90% Yes
   -  6% No
   -  4% Not sure

* NEW INSTANT POLL: ANTIVIRUS DEFENSE LOCATION
   The next Instant Poll question is, "Where have you placed your 
organization's antivirus defenses?" Go to the Security Administrator 
Channel home page and submit your vote for a) on desktops, b) on email 
servers, c) on file servers, d) at the Internet border, or e) at two or 
more of the above locations.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

- Virus Alert: W32/Klez.I
   W32/Klez.I is a worm that's designed to spread through email. The 
messages the worm sends have different subjects, which include 

   A new website 
   Introduction on ADSL
   Fw:virus,japanese lass' sexy pictures
   A very new game
   NOSHADE CLASS

The body of the message the worm sends might contain any of the 
following text: 

   This is a new website. I wish you would like it. 
   This game is my first work.
   You're the first player.
   I hope you would enjoy it

Files attached to messages the worm sends have random names. Once run, 
the worm creates a file in the Windows directory and a file in the 
Program Files folder. 
   http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1154

* FAQ: HOW CAN I DISABLE IPSEC ON A VPN CONNECTION THAT USES L2TP?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. Windows automatically creates an IP Security (IPSec) policy for 
Layer Two Tunneling Protocol (L2TP) connections because L2TP doesn't 
encrypt data. However, you might want to test a VPN L2TP connection 
without IPSec (e.g., when you're troubleshooting). Although you must 
disable IPSec on both the client and server in this situation, make 
sure you reenable the security policy after you resolve any problems; 
otherwise, your systems are vulnerable to attack. To disable IPSec, 
perform the following steps on both client and server: 

   1. Start a registry editor (e.g., regedit.exe). 
   2. Navigate to the 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters 
subkey. 
   3. From the Edit menu, select New, DWORD Value. 
   4. Enter a name of ProhibitIpSec and click Enter. 
   5. Double-click the new value, set it to 1, and click OK. 
   6. Restart the machine. 

   For more information, see the Microsoft article "How to Configure a 
L2TP/IPSec Connection Using Pre-shared Key Authentication." 
   http://support.microsoft.com/default.aspx?scid=kb;en-us;q240262

7. ==== NEW AND IMPROVED ==== 
   (contributed by Judy Drennen, products () winnetmag com) 

* SECURE YOUR COMPANY WITH CAMERAS 
   CamDevTeam released CamSurveillance, shareware capable of monitoring 
up to 50 IP-addressable network cameras to secure your company. You can 
use the cameras within your company's LAN or select your favorite 
WebCams from the Internet. CamSurveillance runs on Windows XP, Windows 
2000, Windows NT, Windows Me, and Windows 9x systems and costs $49.95. 
Contact CamDevTeam at webmaster () camsurveillance com for a trial 
download.
    http://www.camsurveillance.com

* PROTECT YOUR HARDWARE FROM THEFT
   Brigadoon Software announced PC PhoneHome Enterprise, software that 
gives enterprise-level users a security tool to protect computer 
hardware and intellectual property against theft. PC PhoneHome 
Enterprise works by sending periodic signals to a centralized command 
center the licensee chooses with the exact coordinates of the 
registrant's computer. If the computer is lost or stolen, the signals 
can pinpoint the computer's whereabouts. PC PhoneHome Enterprise runs 
on all Windows and Macintosh systems. For pricing, contact Brigadoon at 
the Web site. 
   http://www.brigadoonsoftware.com

8. ==== HOT THREADS ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.net/forums

Featured Thread: View All Permissions and Shares
   (Two messages in this thread)

Tom wants to know how he can view a list of all permissions and shares 
on a given system. Can you help? 
   http://www.secadministrator.com/forums/thread.cfm?thread_id=102362

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Exceeding the 512-Character Limit of the Legal Logon 
Notice
   (One message in this thread)

Windows 2000 Group Policy restricts the length of the logon sequence 
legal notice text to 512 characters. This length is probably sufficient 
in most cases. However, some countries have a legal requirement to 
display such notices in more than one language, which can cause the 
total text displayed to exceed the 512-character limit. Are there any 
known workarounds to the 512-character restriction? Can you help? Read 
the responses or lend a hand at the following URL.
   http://63.88.172.96/listserv/page_listserv.asp?A2=ind0204c&l=howto&p=659 

9. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 

* PRODUCT NEWS -- products () winnetmag com 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdate () winnetmag com 

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com 

******************** 

   This email newsletter is brought to you by Security Administrator, 
the print newsletter with independent, impartial advice for IT 
administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.net/email 

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.


SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Sub () list winnetmag com.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.