Information Security News mailing list archives

Security UPDATE, March 27, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 28 Mar 2002 01:06:19 -0600 (CST)

******************** 
Windows & .NET Magazine Security UPDATE--brought to you by Security 
Administrator, a print newsletter bringing you practical, how-to 
articles about securing your Windows .NET Server, Windows 2000, and 
Windows NT systems. 
   http://www.secadministrator.com 
******************** 


March 27, 2002--In this issue: 

1. IN FOCUS 
     - Tin Cans and Wireless LANs

2. ANNOUNCEMENTS
     - Learn from (or Try to Stump) Top Windows Security Pros
     - Protect Your Data. Protect Your Company. 

3. SECURITY ROUNDUP 
     - News: Security Review Delays Crucial .NET Passport Update
     - Feature: Securing Your OS
     - Feature: WS-License Associates Security Credentials with SOAP 
       Messages

4. INSTANT POLL
     - Results of Previous Poll: Latest Viruses and Prevention 
       Techniques
     - New Instant Poll: Written and Enforced Password Policy

5. SECURITY TOOLKIT
     - Virus Center 
     - FAQ: Do Third-Party Products Based on the Microsoft Virus 
       Scanning API (VS API) Scan Email at the Gateway Level?

6. NEW AND IMPROVED
     - Protect Proprietary Information
     - Manage Patches Across Multiple Servers
 
7. HOT THREAD 
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Security Templates for Win2K

8. CONTACT US 
   See this section for a list of ways to contact us. 

~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, mark () ntsecurity net) 

* TIN CANS AND WIRELESS LANS

Did you read the recent British Broadcasting Corporation (BBC) news 
story about "war-driving"? War-driving is the act of driving around 
with an antenna trying to detect unprotected wireless networks, and a 
lot of people have been doing just that ever since wireless LAN (WLAN) 
equipment made its debut. (See "Hacking with a Pringles tube" at the 
URL below.)
   http://news.bbc.co.uk/hi/english/sci/tech/newsid_1860000/1860241.stm

The story seems to be an attempt to sensationalize the fact that people 
can make their own antennas with readily available parts, such as 
standard antenna cable connectors and potato-chip cans, and that those 
antennas are more sensitive than run-of-the-mill commercial wireless 
antennas. Because the homemade antennas are more sensitive, they're 
more capable of finding insecure WLANs that have weaker signals leaking 
from their various origin points. In addition, you can orient some 
homemade antennas directionally. The antennas not only pick up signals 
from and possibly connect to unprotected wireless devices but also help 
pinpoint where those unsecured LAN devices are relative to the 
antennas' position. Clearly, intruders might use such antennas to 
identify and attack companies that don't practice adequate wireless 
security. 

About a month ago, Gregory Rehm updated his Web site with the latest 
"802.11b Homebrew Antenna Shootout" data. When you visit the Web site 
(see the URL below), you'll find that reviewers rated several homemade 
antennas and one commercial antenna during tests. As it turns out, a 
waveguide antenna got the best reception. The particular waveguide 
antenna was made from a small piece of copper wire, a standard antenna 
cable connector, and a metal can that once held Nalley Big Chunk Beef 
Stew. No, I'm not kidding. That combination is all you need to make a 
powerful wireless antenna. Constructed from those basic parts, the 
waveguide antenna demonstrated a tremendous signal gain over off-the-
shelf commercial antennas.
   http://www.turnpoint.net/wireless/has.html

So what does this information mean to security administrators? You can 
use an inexpensive homemade antenna to test the signal leakage 
parameters of your WLAN and perform leakage tests for others against 
their WLANs. In addition, if you have LAN-connectivity problems that 
require wireless equipment to span a distance (e.g., between two 
buildings), you can build your own antennas and save money. Check out 
Rehm's Web site, which provides links to information about a half-dozen 
homemade wireless antennas (including plans) and to Web-based 
calculators that help you design your own antennas from items such as 
empty coffee cans from the company break room. 

For background information about WLAN security, be sure to read my 
commentary "802.11 Wireless Networks: Is Yours Really Safe?"
   http://www.secadministrator.com/articles/index.cfm?articleid=22147

Until next time, have a great week.

Sincerely, 
Mark Joseph Edwards, News Editor 
mark () ntsecurity net 

~~~~~~~~~~~~~~~~~~~~ 


2. ==== ANNOUNCEMENTS ==== 

* LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
   The Windows & .NET Magazine LIVE! event brings together industry 
gurus who take security seriously. Topic coverage includes Microsoft 
IIS security, deploying public key infrastructure (PKI), designing 
Group Policies to enhance security, tips for securing Windows 2000 
networks, security pitfalls (and solutions) for your mobile workforce, 
and more. Early bird discount expires soon, so register now!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rFx0Az

* PROTECT YOUR DATA. PROTECT YOUR COMPANY.
   Find out how by attending SECURITY MATTERS at Internet World Spring 
2002, April 24 through 26 at the Los Angeles Convention Center, where 
it's a matter of YOUR security. Internet World is the largest and 
longest-running event for Internet Business technology! Register for 
discounted conference packages or FREE exhibit hall admission at (use 
priority code T26):
   
http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rzX0AL

3. ==== SECURITY ROUNDUP ==== 

* NEWS: SECURITY REVIEW DELAYS CRUCIAL .NET PASSPORT UPDATE
   Microsoft has delayed until early 2003 an updated Microsoft .NET 
Passport version that the company originally envisioned as the first 
public step toward its .NET vision. Originally expected in late 2001 
but delayed several times since then, .NET Passport 3.0 will include 
the industry-standard Kerberos security protocol, possibly paving the 
way for competing products to integrate with Microsoft's online 
authentication system.
   http://www.secadministrator.com/articles/index.cfm?articleid=24534

* FEATURE: SECURING YOUR OS
   You probably would agree that transforming an OS into a secure 
platform isn't a straightforward task. And this task certainly hasn't 
been easy for Microsoft because of its "ease of use" end-user-oriented 
OS background. For a while, Microsoft seemed to be searching for the 
secure OS Holy Grail. The release of Windows 2000 demonstrated 
Microsoft's significant progress in its security journey. In this 
article, Jan De Clercq explores how you can make Win2K even more secure 
by using the OS's built-in hardening features. He also looks at 
Microsoft and third-party security tools. You can apply most of the 
tips and tools mentioned in this article to both Win2K servers and 
workstations.
   http://www.itbuynet.com/pdf/0202-security.pdf

* FEATURE: WS-LICENSE ASSOCIATES SECURITY CREDENTIALS WITH SOAP 
MESSAGES
   In the March 7, 2002, edition of .NET UPDATE, Christa Anderson 
discussed how Web Services Security Language (WS-Security) can make 
Simple Object Access Protocol (SOAP) communications more secure. One 
aspect of security lies in associating credentials with messages so 
that a recipient can identify a message's original sender and determine 
what type of key the recipient needs to decrypt the message. WS-
Security defines the credentials header, which is a framework for 
including a license with a SOAP message, but doesn't describe the 
structure of the license information that the header might contain. The 
license structure is the bailiwick of Web Services License Language 
(WS-License).
   http://www.secadministrator.com/articles/index.cfm?articleid=24533

4. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: LATEST VIRUSES AND PREVENTION TECHNIQUES
   The voting has closed in Windows & .NET Magazine's Security 
Administrator Channel nonscientific Instant Poll for the question, "Is 
your company proactive in notifying employees about the latest viruses 
and prevention techniques?" Here are the results (+/- 2 percent) from 
the 302 votes:
   - 34% Yes
   - 24% Most of the time
   - 20% Sometimes
   - 22% No

* NEW INSTANT POLL: WRITTEN AND ENFORCED PASSWORD POLICY
   The next Instant Poll question is, "Does your organization have a 
written and enforced password policy?" Go to the Security Administrator 
Channel home page and submit your vote for a) We have a written password 
policy, and we enforce it, b) We have a written password policy, but we 
don't enforce it, or c) We don't have a written password policy.
   http://www.secadministrator.com

5. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda 

* FAQ: DO THIRD-PARTY PRODUCTS BASED ON THE MICROSOFT VIRUS-SCANNING 
API (VS API) SCAN EMAIL AT THE GATEWAY LEVEL?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. No. Antivirus products that use VS API don't scan mail at the 
perimeter of your network. These products scan only the Information 
Store (IS). If you want to establish gateway-level scanning, you must 
invest in a gateway antivirus product.

6. ==== NEW AND IMPROVED ==== 
   (contributed by Carolyn Mascarenas, products () winnetmag com) 

* PROTECT PROPRIETARY INFORMATION
   Griffin Technologies released SecuriKey, a security system that 
protects your company's proprietary information through two-factor 
authentication. You plug the SecuriKey USB token into the PC's USB 
port, and the system will log you on only if you have the right 
password and SecuriKey token. When you remove the key, the accompanying 
software senses its absence and automatically locks the computer. 
SecuriKey runs on Windows XP and Windows 2000 and costs $50 per seat. 
Contact Griffin Technologies at 785-832-1623 or 800-986-6578. 
   http://www.griftech.com

* MANAGE PATCHES ACROSS MULTIPLE SERVERS
   Shavlik Technologies announced Shavlik EnterpriseInspector and 
Shavlik HFNetChkPRO AdminSuite, software that helps you scan for 
network vulnerabilities and keep software patch updates current. 
Shavlik EnterpriseInspector remotely inspects for vulnerabilities in 
Microsoft IIS; SQL Server; Windows NT Server 4.0, Terminal Server 
Edition (WTS); Outlook; Internet Explorer (IE); and domain controllers 
(DCs). Shavlik HFNetChkPRO AdminSuite lets you scan the network so that 
you can learn which systems aren't properly protected. Shavlik 
EnterpriseInspector costs $3123.75 for up to 50 PCs. Shavlik 
HFNetChkPRO AdminSuite costs $1123.75 for up to 50 PCs. Both products 
support Windows XP, Windows 2000, NT, SQL Server 2000 and SQL Server 
7.0, IIS, and Outlook. Contact Shavlik Technologies at 651-426-6624 or 
800-690-6911. 
   http://www.shavlik.com

7. ==== HOT THREAD ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.net/forums 

Featured Thread: Security Templates for Win2K
   (Four messages in this thread)

A user wants to know where he can find security-related templates for 
Windows 2000 that help define items such as which services to disable 
and which user rights and permissions to set. In particular, he wonders 
whether there is a template to build and secure a Microsoft IIS server 
on Win2K. Can you help? 
   http://www.secadministrator.com/forums/thread.cfm?thread_id=98670

8. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 

* PRODUCT NEWS -- products () winnetmag com 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdate () winnetmag com 

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com 

******************** 

   This email newsletter is brought to you by Security Administrator, 
the print newsletter with independent, impartial advice for IT 
administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.net/email 

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.

