Information Security News mailing list archives

Security UPDATE, March 13, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 14 Mar 2002 01:40:12 -0600 (CST)

******************** 
Windows & .NET Magazine Security UPDATE--brought to you by Security 
Administrator, a print newsletter bringing you practical, how-to 
articles about securing your Windows .NET Server, Windows 2000, and 
Windows NT systems. 
   http://www.secadministrator.com 
******************** 

~~~~ THIS ISSUE SPONSORED BY ~~~~

Punching Holes in Your Network: What Hackers Know
   http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rfz0AZ 

Scan and Patch Security Holes with UpdateEXPERT
   http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rf10AM
   (below IN FOCUS) 

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: PUNCHING HOLES IN YOUR NETWORK: WHAT HACKERS KNOW ~~~~ 
   Join security expert Scott Blake in a free BindView Webinar 
"Punching Holes In Your Network: What Hackers Know And You Don't" on 
April 10 at 11 a.m. CST when he will share an insider look at the 
secretive computer underground. Drawing from his own extensive 
experience, as well as both public and private sources, Scott takes a 
look at the latest trends in hacker activities, revealing the dark side 
and how it impacts you. Additionally, he will expose the tricks and 
techniques hackers use to exploit the holes in your systems, your 
firewalls, and your people. Register at
   http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rfz0AZ and log on!

~~~~~~~~~~~~~~~~~~~~ 

March 13, 2002--In this issue: 

1. IN FOCUS 
     - Keeping Up with the Black Hats

2. SECURITY RISKS 
     - Unchecked Buffer in Microsoft Windows Shell 
     - Information Disclosure Vulnerability in Microsoft Virtual 
Machine

3. ANNOUNCEMENTS 
     - .NET Developers--Early Bird Discount Expires Soon!
     - Attend Our Free Webinar: Understanding PKI
     - On the Go?

4. SECURITY ROUNDUP 
     - News: Center for Internet Security to the Rescue
     - Review: Network Vulnerability Scanners

5. INSTANT POLL
     - Results of Previous Poll: Security Testing Tools
     - Instant Poll: Latest Viruses and Prevention Techniques

6. HOT RELEASE
      - Sponsored by VeriSign--The Value of Trust

7. SECURITY TOOLKIT 
     - Virus Center 
     - New Tools: Pluto and AuthentProtect
     - FAQ: What's the Recommended Way to Scan for Viruses with 
Microsoft Exchange 2000 Server?

8. NEW AND IMPROVED 
     - Integrated Security Appliance
     - Repair Web Sites That Attackers Have Broken Into

9. HOT THREADS 
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Decrypting Hashes Encrypted with Syskey
     - HowTo Mailing List
         - Featured Thread: Win2K/NT User Activity Monitoring

10. CONTACT US 
   See this section for a list of ways to contact us. 
~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ==== 

* KEEPING UP WITH THE BLACK HATS

Most certifications demonstrate only that you knew a product or an OS 
when you passed the exams. However, as new technology emerges and 
software vendors release updates and new versions, exams can become 
outdated quickly. My MCSE certification will be 8 years old in June. I 
had to renew the certification in 1996 and 1997 after Microsoft 
released Windows NT 4.0, but I didn't start the Windows 2000 renewal 
process until 2000. I still have one exam to go. By the time I'm 
finished, almost 5 years will have passed since I earned my NT 4.0 
certifications. I need to stay on top of new technology to do my job 
well, but Microsoft doesn't require me to show that I update my 
knowledge. In fact, very few certifications demonstrate that you've 
kept up with changes that have occurred since you passed the tests. 

The Global Information Assurance Certification (GIAC) program's stance 
is that because the black hats are always trying to find new ways into 
your systems, you don't have the luxury of resting on your laurels. 
Each GIAC security certification has an expiration period that depends 
on GIAC's estimation of how quickly the subject area changes, not on 
the release of new versions of a product. 

The mandatory renewal period for most GIAC certifications is 2 years. 
You have no option to postpone the renewal, and because the renewal 
requires that you pass new exams, you'll probably start preparing 3 to 
6 months before the deadline. This means that GIAC-certified 
professionals have only about 18 months to admire their GIAC 
certificates before they must begin to prove themselves again. 

The renewal process is straightforward and relatively inexpensive. GIAC 
charges $120 to take the renewal exam, but that fee also buys you 
access to the online courseware so that you can learn about what's new 
and prepare for the exam. And if you're renewing multiple 
certifications in the same year, you have to pay that fee only once. 
The GIAC has a "use it or lose it" attitude toward its certifications, 
but it doesn't make the renewal process so burdensome as to discourage 
you from maintaining your certifications.

I like the idea of forcing people to prove that they've kept their 
skills current. The renewal process makes especially good sense for 
security certifications, but the idea has validity for Microsoft and 
Cisco Systems certifications too. Both Microsoft and Cisco release 
patches and service packs regularly, and both companies regularly 
include additional functionality with service packs. Just a few rounds 
of service packs and patches can create a significant divide between 
what you studied for your exams and the current technology. 

GIAC appears to have learned a few lessons from Microsoft's mistakes. 
The process is demanding enough that only dedicated individuals will 
attempt it; the topics are relevant to the current state of the 
technology, which should result in direct improvements in the quality 
of security management; and the maintenance requirements are sufficient 
to weed out those who are inclined to let their skills slip. I believe 
we have a new standard in the certification business.

Morris Lewis, Guest UPDATE Editor, morris () holistech com

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: SCAN AND PATCH SECURITY HOLES WITH UPDATEEXPERT ~~~~ 
   Do you have a reliable tool to secure your network with the latest 
updates? UpdateEXPERT is a software patch vulnerability assessment tool 
that scans your network for missing hotfixes, and FIXES discovered 
weaknesses for increased network protection. Supporting Windows 
NT/2000/XP, SQL Server, IE and other mission critical applications, 
UpdateEXPERT helps enforce software security policies, enables you to 
scan for patches, validates your installations for peace of mind, and 
installs updates to all networked machines without an agent.
   FREE Live Trial:
   http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rf10AM

~~~~~~~~~~~~~~~~~~~~ 

2. ==== SECURITY RISKS ==== 
   (contributed by Ken Pfeil, ken () winnetmag com) 

* UNCHECKED BUFFER IN MICROSOFT WINDOWS SHELL 
   eEye Digital Security discovered a vulnerability in Windows Shell 
that lets an attacker execute arbitrary code under the authorized 
user's security context. An unchecked buffer exists in one of the 
functions that help locate incompletely removed applications on the 
system. As a result, an attacker can mount a buffer-overrun attack that 
can cause Windows Shell to crash, or the attacker can execute code 
under the user's security context. Microsoft has released Security 
Bulletin MS02-014 to address this vulnerability and recommends that 
affected users immediately apply the appropriate patch as listed in 
Security Bulletin MS02-014.
   http://www.secadministrator.com/articles/index.cfm?articleid=24407

* INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT VIRTUAL MACHINE
   Harmen van der Wal discovered a vulnerability in Microsoft Virtual 
Machine (VM) build 3802 and earlier that can result in unauthorized 
information disclosure. As a result of a VM problem, an attacker can 
use a malicious Java applet to redirect Web traffic, once the Java 
applet has a proxy server, to a destination of the attacker's choice. 
An intruder can use this vulnerability to send a user's Internet 
session to a system under the intruder's control without the user's 
knowledge. Microsoft has released Security Bulletin MS02-013, which 
addresses this vulnerability, and recommends that affected users 
immediately upgrade to build 3805 or later.
   http://www.secadministrator.com/articles/index.cfm?articleid=24393

3. ==== ANNOUNCEMENTS ==== 

* .NET DEVELOPERS--EARLY BIRD DISCOUNT EXPIRES SOON!
   Microsoft ASP.NET Connections, VB Connections, and Win-Dev are 
co-locating their events to deliver the largest independent .NET 
developer-focused event in 2002. You get three events for the price of 
one, with more than 145 sessions covering Web development, XML and data 
management, .NET basics, .NET Web security, Visual Basic (VB) 6.0, C++, 
C#, and more. Register right now and save $$! 
   http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rIA0A8 

* ATTEND OUR FREE WEBINAR: UNDERSTANDING PKI
   Implementing public key infrastructure (PKI) successfully requires 
an understanding of the technology with all its implications. Attend 
the latest Webinar from Windows & .NET Magazine and develop the 
knowledge you need to address this challenging technology and make 
informed purchasing decisions. We'll also look closely at three 
possible content-encryption solutions, including PKI. Register for FREE 
today! 
   http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rcc0A8

* ON THE GO?
   Introducing Windows & .NET Magazine Network Mobile Edition! Now you 
can get the latest news from WinInfo Daily UPDATE, commentary from 
respected sources such as Windows & .NET Magazine UPDATE, and important 
security discoveries and alerts from Security UPDATE--delivered right 
to your handheld device. Sign up today!
   http://www.winnetmag.com/mobile 

4. ==== SECURITY ROUNDUP ==== 

* NEWS: CENTER FOR INTERNET SECURITY TO THE RESCUE
   The Center for Internet Security (CIS) is offering free benchmarking 
tools designed to help users better secure their Windows 2000 systems, 
Cisco Systems routers, and Sun Microsystems' Solaris systems--the three 
common points intruders attack. According to CIS, "A key element 
currently missing in Internet security is useful and widely accepted, 
non-proprietary, security-enhancing benchmarks specifying in greater 
detail how systems should be configured and operated." 
   http://www.secadministrator.com/articles/index.cfm?articleid=24398

* REVIEW: NETWORK VULNERABILITY SCANNERS
   From a fairly crowded field of competitors, Tom Iwanski looked at 
three security-scanner products for scanning heterogeneous networks. 
The three products are Internet Security Systems' (ISS's) Internet 
Scanner 6.2, Network Associates' Distributed CyberCop Scanner 2.0 (a 
new release based on the earlier CyberCop Scanner 5.5), and Symantec's 
NetRecon 3.5.
   http://www.secadministrator.com/articles/index.cfm?articleid=23849

5. ==== INSTANT POLL ==== 

* RESULTS OF PREVIOUS POLL: SECURITY TESTING TOOLS 
   The voting has closed in Windows & .NET Magazine's Security 
Administrator Channel nonscientific Instant Poll for the question, 
"Microsoft has shown increased interest in the security testing-tools 
market. If Microsoft entered this market, would you rely on its tools to 
test the security of your systems and network?" Here are the results 
(+/- 2 percent) from the 665 votes:
  11% 1) Yes. 
  41% 2) Yes, but I'd also use another testing tool. 
  48% 3) No.

* INSTANT POLL: LATEST VIRUSES AND PREVENTION TECHNIQUES
   The current Instant Poll question is, "Is your company proactive in 
notifying employees about the latest viruses and prevention 
techniques?" The choices are 1) Yes, 2) Most of the time, 3) Sometimes, 
or 4) No. Go to the Security Administrator Channel home page and submit 
your vote.
   http://www.secadministrator.com

6. ==== HOT RELEASE (ADVERTISEMENT) ====

* SPONSORED BY VERISIGN--THE VALUE OF TRUST
   Get the strongest server security--128-bit SSL encryption! Download 
VeriSign's FREE guide, "Securing Your Web Site for Business," and learn 
everything you need to know about using SSL to encrypt your e-commerce 
transactions for serious online security. Click here!
   http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rYZ0Ao

7. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER 
   Panda Software and the Windows & .NET Magazine Network have teamed 
to bring you the Center for Virus Control. Visit the site often to 
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda 

* NEW TOOLS: PLUTO AND AUTHENTPROTECT 
   You might want to try out two new, free security tools. The first is 
Astral Security Research's Pluto 1.3.1, a vulnerability scanner that 
runs on Windows XP, Windows 2000, and Windows NT. Pluto scans a system 
to determine which ports are open, looks into open ports to see what 
sort of banner (if any) exists, and audits a variety of services for 
vulnerabilities. Audited services include FTP, SMTP, Web, Microsoft 
SQL Server, and NetBIOS. The software also performs brute-force, 
password-strength testing. Pluto has an interesting UI, runs fast, and 
is small--a 470Kbps download--but doesn't provide much user help (I had 
some difficulty with the auditing features). I noticed that the product 
has a few bugs, but it's a good start. Check it out.
   http://www.astralclinic.com/tools.asp
 
The second free tool is called AuthentProtect 0.7 beta and is an 
Internet Server API (ISAPI) filter for Microsoft IIS Web servers that 
prevents authentication against specific, configurable user accounts. 
The filter prevents outside users from attempting to brute-force access 
to nonremovable user accounts. By default, AuthentProtect guards the 
Administrator account, but you can use a text file to configure the 
software to help protect any accounts you choose. The author makes the 
filter available with complete source code--a bonus for developers. You 
can find AuthentProtect at the URL below.
   http://bob.firstcodings.com/programs/authentprotect

* FAQ: WHAT'S THE RECOMMENDED WAY TO SCAN FOR VIRUSES WITH MICROSOFT 
EXCHANGE 2000 SERVER?
   (contributed by John Savill, http://www.windows2000faq.com) 

A. I recommend that you use a product that supports Exchange 2000's new 
virus API. Microsoft specifically designed this new API to integrate 
with third-party antivirus products, including GFI's Mail Security, 
Panda Software's Panda Antivirus for Exchange 2000, and Trend Micro's 
ScanMail.

8. ==== NEW AND IMPROVED ==== 
   (contributed by Scott Firestone, IV, products () winnetmag com) 

* INTEGRATED SECURITY APPLIANCE
   Symantec announced Symantec Gateway Security, an integrated security 
appliance that combines firewall, gateway-level antivirus, intrusion 
detection, content filtering, and VPN capabilities in one appliance. 
Symantec offers the appliance in three different models: The 5110 
provides a maximum throughput of as much as 40Mbps and a 50-node 
license; the 5200 provides a maximum throughput of as much as 80Mbps 
and a 250-node license; and the 5300 provides a maximum throughput of 
as much as 80Mbps and an unlimited-node license. For pricing, contact 
Symantec at 408-517-8000.
   http://www.symantec.com

* REPAIR WEB SITES THAT ATTACKERS HAVE BROKEN INTO
   Lockstep Systems released WebAgain 2.5, software that automatically 
repairs Web sites that attackers have broken into and restores the 
original content without your intervention. The software detects 
unauthorized file additions and destroys them and prevents intruders 
from illegally hosting and sharing files through your Web site. 
WebAgain 2.5 costs $995 per monitored Web site. Contact Lockstep 
Systems at 480-596-9432 or 877-932-3497.
   http://www.lockstep.com

9. ==== HOT THREADS ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.net/forums 

Featured Thread: Decrypting Hashes Encrypted with Syskey
   (One message in this thread)

This user wonders whether a program exists that can decrypt the Windows 
2000 password hashes that have been encrypted with Syskey. He wants to 
extract those hashes from the SAM file and decrypt them. Can you help? 
Read more about the problem at the following URL. 
   http://www.secadministrator.com/forums/thread.cfm?thread_id=97289

* HOWTO MAILING LIST 
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 

Featured Thread: Win2K/NT User Activity Monitoring
   (One message in this thread)

This user wants to know how to monitor the programs a given user might 
be running or the documents a user might have opened, without installing 
additional software on client systems. Read the responses or lend a hand 
at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0202c&l=howto&p=2812

10. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- morris () holistech com 

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () winnetmag com (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 

* PRODUCT NEWS -- products () winnetmag com 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdate () winnetmag com 

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com 

******************** 

   This email newsletter is brought to you by Security Administrator, 
the print newsletter with independent, impartial advice for IT 
administrators securing a Windows 2000/NT enterprise. Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.net/email 

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Sub () list winnetmag com.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

