Information Security News mailing list archives

Security UPDATE, July 24, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 25 Jul 2002 05:41:04 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Got security challenges? Come see solutions.
   http://list.winnetmag.com/cgi-bin3/flo?y=eMmj0CJgSH0CBw03Rz0AP

Free White Paper: Content Filtering Strategies
   http://list.winnetmag.com/cgi-bin3/flo?y=eMmj0CJgSH0CBw03R10AC
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: GOT SECURITY CHALLENGES? COME SEE SOLUTIONS.~~~~
   What is Microsoft really doing to improve the security in their
products? What are your responsibilities vs. Microsoft's for security?
How can you quickly locate and eliminate security vulnerabilities? Why
were some companies protected from Nimda and Code Red when others were
not? How can you become proactive, rather than reactive with security
issues? Find out the answers to these and other questions at one of
more than 15 free, half-day seminars co-sponsored by Microsoft and
BindView Corporation, "Proactive Security Management for the Microsoft
Enterprise." To find a location near you and to register, go to
   http://list.winnetmag.com/cgi-bin3/flo?y=eMmj0CJgSH0CBw03Rz0AP

~~~~~~~~~~~~~~~~~~~~

July 24, 2002--In this issue:

1. IN FOCUS
     - Security Statistics Abound: What Do They Tell Us?

2. SECURITY RISKS
     - Remote PGP Outlook Encryption Plug-in Vulnerability
     - Buffer Overrun in Symantec Norton Personal Security Firewall

3. ANNOUNCEMENTS
     - Energize Your Enterprise at MEC 2002, October 8 Through 11,
       Anaheim, CA
     - Real-World Tips and Solutions Here for You

4. SECURITY ROUNDUP
     - News: New Win2K Pro Security Benchmarks
     - News: Internet Security Threat Report, Volume II
     - Feature: * #@$&% SECURITY
     - Feature: WMP EULA and DRM System Security

5. INSTANT POLL
     - Results of Previous Poll: Credit Card Information Theft
     - New Instant Poll: Security Budget

6. SECURITY TOOLKIT
     - Virus Center
        - Virus Alert: W32/Dadinu
        - Virus Alert: W32/Calil
        - Virus Alert: W32/Frethem.K
     - FAQ: How Can I Remove the Link Between Outlook 2002 and MSN
       Messenger?

7. NEW AND IMPROVED
     - Learn about Web Security, Privacy, and Commerce
     - Restrict File and Folder Access
     - Submit Top Product Ideas

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Can DHCP Authenticate a Workstation Before
           Issuing an IP Address?
     - HowTo Mailing List
         - Featured Thread: Event ID 1000 and Event ID 1202 in Win2K DCs

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* SECURITY STATISTICS ABOUND: WHAT DO THEY TELL US?

Are you ready for more security statistics? Newly published
information indicates that Linux systems suffered an increasing number
of attacks in the first half of 2002, compared with 2001. According to
London company mi2g, Linux systems have suffered 7630 attacks so far
in 2002, not including viruses and worms. During all of 2001, Linux
systems suffered only 5736 attacks. The company said the attacks are
largely because of third-party applications with vulnerabilities that
administrators don't patch quickly enough.

On the other hand, attacks against Microsoft IIS systems have
diminished. According to mi2g, attackers launched 9404 attacks against
IIS systems in the first half of 2002, compared with 11,828 attacks in
the first half of 2001.

Overall, however, the number of attacks against all systems rose 27
percent over last year. In the first half of 2001, organizations
reported 16,007 attacks; so far this year, organizations have reported
20,371 attacks.

Government online systems are experiencing fewer attacks. Fifty-four
US government systems reported attacks so far this year, compared with
204 such attacks in the first half of 2001. In the UK, only 12
government systems reported attacks this year, compared with 38
attacks in the first half of 2001. According to mi2g, the US Cyber
Security Enhancement Act (CSEA) has probably helped reduce the number
of attacks against government systems because the act permits much
stiffer penalties for cybercrime.
   http://www.mi2g.com/cgi/mi2g/press/110702.php

The recently published Computer Emergency Response Team (CERT)
statistics reflect an increase in the number of vulnerabilities
reported this year. According to CERT, organizations have reported
2148 vulnerabilities so far this year, compared with 2437 reported
vulnerabilities in 2001 and 1090 reported in 2000.
   http://www.cert.org/stats/cert_stats.html

The Computer Security Institute (CSI) released statistics in April
2002 that CSI gathered in conjunction with the Federal Bureau of
Investigation (FBI). CSI polled 503 security practitioners; 80 percent
of those polled reported financial losses because of system breaches.
Forty-four percent (223 entities) were willing to quantify their
losses, which totaled about $455,848,000.
   http://www.gocsi.com/press/20020407.html

Riptech, a Virginia-based security services firm, recently released an
interesting set of statistics. Riptech gathered log information from
400 companies in more than 30 countries and confirmed that more than
180,000 attacks took place in the first half of 2002. The report shows
that 80 percent of all attacks originate from 10 countries, including
the United States, Germany, South Korea, China, France, Canada, Italy,
Taiwan, the UK, and Japan. You can read more about Riptech's report in
the related news story in the Security Roundup section of this
newsletter.
   http://www.secadministrator.com/articles/index.cfm?articleid=25897

With the exception of a few bright spots, the unsurprising news is
that attacks are increasing. Some of the increase might be a function
of a trend feeding on itself. For example, more organizations and
individuals are discovering vulnerabilities and reporting them in
some detail. Then, unscrupulous individuals use the details to perpetrate
additional attacks. Also, each reported vulnerability--if left
unpatched for too long--lets intruders attack an increasing number of
systems. Because intruders use search-engine tactics to identify many
vulnerable Web servers, the numbers can soar higher.

Given the current climate, patch your systems quickly. And take a
moment to answer today's Instant Poll question about the security
resources you need to keep your organization from becoming a negative
security statistic.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: FREE WHITE PAPER: CONTENT FILTERING STRATEGIES ~~~~
   Defeat cyber-threats. Avoid false alarms. Filter out the most
dangerous file extensions. Block undesirable material from entering
your company. Check out Panda Software's new white paper and discover
how to protect your company against a whole range of threats - from
rampant malware to email-transmitted viruses. All of this crucial
information is offered to you completely FREE of charge. CLICK the
following URL to DOWNLOAD now:
   http://list.winnetmag.com/cgi-bin3/flo?y=eMmj0CJgSH0CBw03R10AC

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* REMOTE PGP OUTLOOK ENCRYPTION PLUG-IN VULNERABILITY
   Marc Maiffret and Riley Hassell of eEye Digital Security discovered
a vulnerability in Network Associates' (NAI's) Pretty Good Privacy
(PGP) Outlook Encryption plugin. The vulnerability can result in
remote compromise of the vulnerable system. By sending a specially
crafted email to a vulnerable system, an attacker can execute code
remotely on that system. Read eEye Digital Security's advisory for a
detailed explanation of this vulnerability. NAI has released a patch
for the latest version of the PGP Outlook plugin to address this
vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=25875

* BUFFER OVERRUN IN SYMANTEC NORTON PERSONAL SECURITY FIREWALL
   Ollie Whitehouse of @stake discovered a buffer-overflow
vulnerability in Symantec's Norton Personal Firewall that an attacker
can exploit to execute code on the vulnerable system. An intruder can
exploit this vulnerability even if the requesting application isn't
configured in the firewall permission settings to make outgoing
requests. See the @stake advisory for a detailed technical
explanation. The vendor, Symantec, has released an advisory regarding
this vulnerability and recommends that affected users download the
patch from the advisory URL when the patch becomes available.
   http://www.secadministrator.com/articles/index.cfm?articleid=25895

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* ENERGIZE YOUR ENTERPRISE AT MEC 2002, OCTOBER 8 THROUGH 11, ANAHEIM,
CA
   Don't miss the essential Microsoft infrastructure conference where
you'll connect with a world of expert information, technical training
sessions, best practices, and hands-on labs. Be among the first 1000
to register and receive a free MEC 2002 DVD valued at $695--plus save
$300!
   http://list.winnetmag.com/cgi-bin3/flo?y=eMmj0CJgSH0CBw02lL0A3

* REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU
   Windows & .NET Magazine LIVE!'s full-conference schedule is now
online. Don't miss this chance to network with the finest gathering of
Windows gurus on the planet. This conference is chock full of "been
there, done that" knowledge from people who use Microsoft products in
the real world. Register now and access concurrently run XML Web
Services Connections for FREE.
   http://list.winnetmag.com/cgi-bin3/flo?y=eMmj0CJgSH0CBw026q0Al

4. ==== SECURITY ROUNDUP ====

* NEWS: NEW WIN2K PRO SECURITY BENCHMARKS
   On July 17, the Center for Internet Security (CIS) released new
security benchmarking tools for Windows 2000 Professional. The new
benchmarking set consists of a scoring tool along with security
templates that you can use to analyze and adjust system security
settings.
   http://www.secadministrator.com/articles/index.cfm?articleid=25949

* NEWS: INTERNET SECURITY THREAT REPORT, VOLUME II
   Riptech released Volume II of its Internet Security Threat Report,
which shows that Internet attacks grew at an annualized rate of 64
percent during the period between January 2002 and June 2002. The
report is based on data mining and analysis of more than 11 billion
firewall logs and Intrusion Detection System (IDS) alerts from more
than 400 companies in more than 30 countries around the world.
   http://www.secadministrator.com/articles/index.cfm?articleid=25897

* FEATURE: *#@$&% SECURITY
   As you know, securing your networks requires vigilance and a lot of
work. However, you ignore security at your peril, risking your job and
possibly your company's entire future. But when you adopt the right
mind-set, security tasks aren't so bad. What's important is to address
security problems before it's too late.
   http://www.secadministrator.com/articles/index.cfm?articleid=25928

* FEATURE: WMP EULA AND DRM SYSTEM SECURITY
   On June 27, 2002, Microsoft posted a security update to the Windows
Media Player (WMP). That update included an End User Licensing
Agreement (EULA) covering, among other things, the Digital Rights
Management (DRM) system.
   http://www.secadministrator.com/articles/index.cfm?articleid=25910

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: CREDIT CARD INFORMATION THEFT
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Have you or has your company experienced credit card information
theft through the Internet?" Here are the results (+/- 2 percent) from
the 197 votes:
   - 23% I have experienced Internet credit card information theft
   -  5% My company has experienced Internet credit card information
         theft
   -  1% Both have experienced Internet credit card information theft
   - 71% Neither has experienced Internet credit card information
         theft

* NEW INSTANT POLL: SECURITY BUDGET
   The next Instant Poll question is, "Is your current level of
network security a function of budget constraints?" Go to the Security
Administrator Channel home page and submit your vote for a) Yes--We
need more security staff, b) Yes--We need additional security tools,
c) Yes--We need additional staff and tools, d) No--We budget for
adequate network security, or e) No--We "spare no expense" for network
security.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* VIRUS ALERT: W32/DADINU
   W32/Dadinu is a worm that spreads by sending itself to every
address in the Microsoft Messenger Address Book. The worm creates a
large number of files on infected computers. The files are copies of
the worm.
   http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1183

* VIRUS ALERT: W32/CALIL
   W32/Calil emails itself to every address in the Microsoft Outlook
Address Book. The message containing the worm has a subject field that
reads "FW:FW: LILAC project video attach."
   http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1185

* VIRUS ALERT: W32/FRETHEM.K
   W32/Frethem.K is a worm that spreads through email with a subject
that reads "Re: Your password!." This message contains a file
attachment called "decrypt-password.exe." The worm exploits a
vulnerability in Microsoft Internet Explorer (IE) 5.5 and IE 5.01 that
lets files attached to an email message run automatically simply by
viewing the message.
   http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1187

* FAQ: HOW CAN I REMOVE THE LINK BETWEEN OUTLOOK 2002 AND MSN
MESSENGER?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. By default, Microsoft Outlook 2002 and MSN Messenger are linked. If
both applications are running and you attempt to close MSN Messenger,
the following error appears on the screen:

"There are other applications currently using features provided by
Windows Messenger. You must close these other applications before you
can exit Windows Messenger. These applications may include Outlook,
Outlook Express, MSN Explorer, and Internet Explorer."

To remove the link between Outlook 2002 and MSN Messenger, perform the
following steps:
   1. Start Outlook.
   2. From the Tools menu, select Options.
   3. Select the Other tab.
   4. Clear the "Enable Instant Messaging in Microsoft Outlook" check
box in the Instant Messaging section, then click OK.
   5. Close and restart Outlook for the change to take effect.

7. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* LEARN ABOUT WEB SECURITY, PRIVACY, AND COMMERCE
   O'Reilly & Associates released "Web Security, Privacy & Commerce,"
a book by Simson Garfinkel and Gene Spafford that provides a reference
on Web security risks and the techniques and technologies that you can
use to protect yourself against these risks. Topics include
cryptography, passwords, digital signatures, biometrics, cookies, log
files, spam, Web logs, the Secure Sockets Layer (SSL), digital
payments, client-side signatures, pornography filtering, intellectual
property, and legal issues. The 756-page book costs $44.95. Contact
O'Reilly at 800-998-9938.
   http://www.oreilly.com

* RESTRICT FILE AND FOLDER ACCESS
   CenturionSoft and SoftClan released SoftClan Security Suite, a
security and auditing program that can provide Windows Me and Windows
9x systems with protection levels similar to Windows NT on NTFS. You
can administer the software by using a transparent monitoring process
that doesn't affect system performance. The software restricts file
and folder access to protect a system from intruders, accidents, and
viruses. The software controls and audits PC use for each user, which
is important for PCs that have multiple users. SoftClan Security Suite
costs $39.95. Contact CenturionSoft or SoftClan at 202-293-5151.
   http://www.centurionsoft.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Can DHCP Authenticate a Workstation Before Issuing an
IP Address?
   (One message in this thread)

Rich writes that he'll be migrating to a Windows 2000 DHCP server
soon. He has a requirement that nonauthorized machines not be allowed
on the network. Right now, Rich registers valid media access control
(MAC) addresses through DHCP to prevent nonauthorized machines on the
network, but performing this task is an administrative nightmare. Rich
wants to know whether DHCP performs some other type of machine/user
authentication before it issues an IP address so that if the
authentication fails, the machine doesn't receive an address on the
network. Do you know of any other solution to keep nonauthorized
machines off a network? Read the responses or lend a hand:
   http://www.secadministrator.com/forums/thread.cfm?thread_id=109634

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Event ID 1000 and Event ID 1202 in Win2K DCs
   (One message in this thread)

Eric recently had to take down the root server in his domain forest to
reinstall the OS. Because he was running a second domain controller
(DC) in the domain, the second controller took over as the root of the
forest. He repaired the original domain root and put it back on the
network as a DC. However, Eric now keeps receiving Event ID 1000 and
Event ID 1202 error messages in the Application log every 5 minutes.
He has reapplied the group policy link for the Domain Controller OU,
but the error messages still appear. How can he resolve this problem?
Read the responses or lend a hand at the following URL:
  http://63.88.172.96/listserv/page_listserv.asp?a2=ind0207c&l=howto&p=738

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.


MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

