Information Security News mailing list archives

Security UPDATE, May 22, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 23 May 2002 04:52:19 -0500 (CDT)

******************** 
Windows & .NET Magazine Security UPDATE--brought to you by Security 
Administrator, a print newsletter bringing you practical, how-to 
articles about securing your Windows .NET Server, Windows 2000, and 
Windows NT systems. 
   http://www.secadministrator.com 
******************** 

~~~~ THIS ISSUE SPONSORED BY ~~~~

Plan for Infrastructure Security
   http://www.ibm.com/e-business/playtowin/n20 

VeriSign--The Value of Trust
   http://list.winnetmag.com/cgi-bin3/flo?y=eL4Z0CJgSH0CBw014e0AI 
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: PLAN FOR INFRASTRUCTURE SECURITY ~~~~
   A flexible, reliable infrastructure is a fully integrated 
infrastructure. With your copy of "e-business Infrastructure 
Integration: Practical Approaches," you'll learn how properly 
constructed e-business infrastructure solutions can work for you across 
business units and across operations to make your organization faster, 
more flexible, immediately responsive, and highly competitive. IBM has 
the knowledge, experience, and global resources to help you implement a 
solution tailored to your company's needs. Let us help you get started 
building a seamlessly integrated infrastructure for your organization 
by signing up today to receive your complimentary white paper at
   http://www.ibm.com/e-business/playtowin/n20 

~~~~~~~~~~~~~~~~~~~~ 

May 22, 2002--In this issue: 

1. IN FOCUS
     - Biometric Security: Fingerprints Don't Always Suffice

2. SECURITY RISKS
     - Multiple Problems with IE
     - Authorization Problem in nCipher's MSCAPI CSP Install Wizard 
       5.50

3. ANNOUNCEMENTS
     - Meeting IT Security Benchmarks Through Effective IT Audits, 
       August 8-9, 2002, Washington, DC
     - Attend Black Hat Briefings & Training, July 29 - August 1, 2002, 
       Las Vegas
 
4. SECURITY ROUNDUP
     - News: Online Personal Privacy Act Closer to Becoming Law 
     - News: Microsoft Remedy Hearings: Security by Obscurity, Parts I 
       and II
     - Feature: Secure Messaging and Exchange

5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Restrict User Access to the Control Panel 
       Internet Options or Internet Tools Applet Without Using 
       Policies?

6. NEW AND IMPROVED
     - Realtime Protection Against Security Breaches
     - Updated Security Suite

7. HOT THREADS 
     - Windows & .NET Magazine Online Forums
         - Featured Thread: The Difference Between Required Encryption 
           and Maximum Strength Encryption
     - HowTo Mailing List
         - Featured Thread: IIS 5.0 Banner Query 

8. CONTACT US 
   See this section for a list of ways to contact us. 

~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor, 
mark () ntsecurity net) 

* BIOMETRIC SECURITY: FINGERPRINTS DON'T ALWAYS SUFFICE

Does your company use fingerprint-scanning authentication technology? 
If so, that technology might not be enough to guard the authentication 
process for your particular network environment because, as you know, 
the finger doesn't have to be attached to the body. For that matter, 
the finger doesn't even need to be a real finger. A recent news story 
from The Register (see the URL below) is a good case in point. In the 
story "Gummi bears defeat fingerprint sensors," reporter John Leyden 
describes how Japanese mathematician Tsutomu Matsumoto used gelatin and 
a plastic mold to reproduce a portion of a finger, including its 
fingerprint, and defeated 11 different fingerprint-authentication 
systems in four of five attempts. Taking the process further, Matsumoto 
lifted a fingerprint from a glass, transferred the print to a rigid 
flat surface, and used a mold to create a fake gelatin finger. 
According to the report, the finger fooled scanners about 80 percent of 
the time. 
   http://www.theregister.co.uk/content/55/25300.html

To receive a copy of a paper Matsumoto wrote detailing the preceding 
endeavors, send him an email message to tsutomu () mlab jks ynu ac jp and 
request a copy. Although that paper isn't available on the Web site, 
you'll find a presentation in which Matsumoto discusses biometrics and 
shows some photographs of the process of creating a fake finger. You 
can download a copy of the PDF file (about 1.2MB) at the URL below.
   http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf

Bruce Schneier, founder and chief technology officer (CTO) of Counterpane 
Internet Security, publishes the newsletter Crypto-Gram. In the May 15 
edition (see the URL below), Schneier offers more detail and commentary 
about Matsumoto's process. According to Schneier, "There's both a 
specific and a general moral to take away from this result. Matsumoto 
is not a professional fake-finger scientist; he's a mathematician. He 
didn't use expensive equipment or a specialized laboratory. He used $10 
of ingredients you could buy, and whipped up his gummy fingers in the 
equivalent of a home kitchen. And he defeated eleven different 
commercial fingerprint readers, with both optical and capacitive 
sensors, and some with 'live finger detection' features." Schneier 
urges us to consider how much more dedicated attackers could do. 
Schneier warns, "All the fingerprint companies have claimed for years 
that this kind of thing is impossible. When they read Matsumoto's 
results, they're going to claim that [Matsumoto's methods] don't really 
work, or that they don't apply to them, or that they've fixed the 
problem. Think twice before believing them."
   http://www.counterpane.com/crypto-gram-0205.html#5

Following the fake finger story, Crypto-Gram offered a link to a news 
report about paying for merchandise with nothing more than a 
fingerprint. According to an April 27 article in the Seattle Post-
Intelligencer (see the URL below), the West Seattle Thriftway store 
offers customers a fingerprint-only payment system. The system ties 
customers' fingerprints directly to their credit cards, checking 
accounts, and benefit cards and lets them pay for merchandise by simply 
placing their index finger on a scanner during checkout.
   http://seattlepi.nwsource.com/local/68217_thumb27.shtml

Someone could theoretically use Matsumoto's technique to create a thin 
"skin" with someone else's fingerprint, lay it over his or her index 
finger, and go on a shopping spree at someone else's expense. The 
article about the fingerprint checkout system could mislead uneducated 
consumers. According to the store owner, the new payment system is 
foolproof: "People no longer have to worry that their cards will be 
lost or stolen and then used to run up hefty charges. Stores and credit 
card issuers will likewise avoid the losses associated with identity 
theft." Yeah, right. If nothing else, the Matsumoto experiments should 
keep us all from being lulled into a false sense of security.

The West Seattle Thriftway might have used something a bit more secure 
for its biometric payment system. Several other options (e.g., facial-
recognition units) offer more security. Visionics (see the URL below) 
makes a facial-recognition unit that you can use for network 
authentication. The company's FaceIt product works as a single sign-on 
(SSO) tool and as a continuous authentication system. Users are 
authenticated initially, then reauthenticated as they continue to use 
the system. This approach helps prevent anyone but the authenticated 
user from using the authenticated resources. FaceIt uses any video 
camera that supports Microsoft Video for Windows. The product runs on 
Windows platforms, Linux, Sun OS, and SGI Irix systems, and the company 
offers software development kits (SDKs) for custom application 
development.
   http://www.visionics.com/faceit

BioID makes a facial-recognition product also called BioID. The product 
uses a combination of facial features, voice patterns, and lip movement 
to identify a person. BioID uses a standard USB-based video camera and 
microphone to perform its authentication process. You can learn more 
about the product at the company's Web site (see the URL below). 
   http://www.bioid.com

If you're interested in other types of biometric security, such as 
hand-geometry, iris, retina, voice, and signature scanners, a great 
place to start is the International Biometric Group Web site (see the 
first URL below). The site offers information about most types of 
biometric security available today and links to many vendor sites. The 
following quick reference by security type (see the second through 
eighth URLs below) will get you started.  
   http://www.biometricgroup.com
   http://www.finger-scan.com/finger-scan_vendors.htm
   http://www.facial-scan.com/facial-scan_vendors_and_links.htm
   http://www.iris-scan.com/iris_recognition_vendors.htm
   http://www.retina-scan.com/retina_scan_vendors_and_products.htm
   http://www.hand-scan.com/hand_scan_vendors.htm
   http://www.voice-scan.com/vendors.htm
   http://www.signature-scan.com/signature_scan_vendors.htm

In last week's Security UPDATE commentary, I discussed Instant 
Messaging (IM) software. A different article in The Register, "EDS bans 
IM" (see the URL below), discusses how the computer arm of the British 
government has banned IM because of its inherent security risks, 
particularly the way IM products let network traffic bypass certain 
security systems designed to protect networks. For example, IM software 
can deliver email and transfer files that bypass virus-scanning 
software and infect your network. The article offers further evidence 
that you should weigh the risks of IM before you allow its use in your 
environment.
   http://www.theregister.co.uk/content/55/25185.html

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
   Get the strongest server security--128-bit SSL encryption! 
   Download VeriSign's FREE guide, "Securing Your Web Site for 
Business" and learn everything you need to know about using SSL to 
encrypt your e-commerce transactions for serious online security. Click 
here!
   http://list.winnetmag.com/cgi-bin3/flo?y=eL4Z0CJgSH0CBw014e0AI 
 
~~~~~~~~~~~~~~~~~~~~ 

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* MULTIPLE PROBLEMS WITH IE
   Microsoft reported six vulnerabilities in Microsoft Internet 
Explorer (IE). The first is a cross-site scripting problem, the second 
and third relate to information disclosure, the fourth is a zone-
spoofing problem, and the last two relate to malformed headers in 
downloadable files. Microsoft has released a cumulative patch to 
correct the problems. For complete details about these problems and a 
link to the patch, please visit the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=25246

* AUTHORIZATION VULNERABILITY IN NCIPHER'S MSCAPI CSP INSTALL WIZARD 
5.50
   When a user creates an Operator Card Set with nCipher's MSCAPI CSP 
Install Wizard 5.50, the nCipher CSP key generation behaves as the user 
requests. When the user selects Cardset Protect from the Install Wizard 
but doesn't create a new Operator Card Set, the wizard incorrectly sets 
up the nCipher CSPs to use module protection for all keys that the user 
subsequently creates. Then, rather than a combination of the Operator 
Card Set and module, the module alone protects application keys that 
the nCipher CSP generates. An attacker who gains control of any nCipher 
module that the user has programmed into the key's security world can 
gain unauthorized access to this key because the nCipher module doesn't 
require any further smart card authorization. nCipher has released an 
advisory that recommends the corrective action a user should take. 
   http://www.secadministrator.com/articles/index.cfm?articleid=25245

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* MEETING IT SECURITY BENCHMARKS THROUGH EFFECTIVE IT AUDITS, AUGUST 8-
9, 2002, WASHINGTON, DC
   Have your IT security solutions kept pace with evolving threats? 
Unless you conduct a thorough IT security audit, you won't know until 
after a breach has occurred. To help you achieve the most Return on 
Investment (ROI) on your security investment, ITRA is proud to present 
a step-by-step practical guide to auditing your enterprise's IT 
security. For more information, call 800-280-8440 or visit:
   http://list.winnetmag.com/cgi-bin3/flo?y=eL4Z0CJgSH0CBw014f0AJ

* ATTEND BLACK HAT BRIEFINGS & TRAINING, JULY 29-AUGUST 1, 2002, LAS 
VEGAS
   Black Hat Briefings is the world's premier technical security event, 
featuring 8 tracks and 12 training sessions, with lots of Windows 
topics coverage, full support by Microsoft, and a keynote by Richard 
Clarke. See for yourself what the buzz is all about. Register today! 
   http://list.winnetmag.com/cgi-bin3/flo?y=eL4Z0CJgSH0CBw0pHV0AQ

4. ==== SECURITY ROUNDUP ====

* NEWS: ONLINE PERSONAL PRIVACY ACT CLOSER TO BECOMING LAW
   The Senate Commerce Committee approved a bill (S.2201), the "Online 
Personal Privacy Act," which would require online entities to stop 
collecting personal information from users unless the users 
specifically agree to such information collection either before or 
during the collection process. After users agree to the information 
collection, the agreement would remain in effect until the users change 
their consent.
   http://www.secadministrator.com/articles/index.cfm?articleid=25247

* NEWS: MICROSOFT REMEDY HEARINGS: SECURITY BY OBSCURITY, PARTS I AND 
II
   If you didn't read Paul Thurrott's WinInfo Daily UPDATE Short Takes 
on May 10, you missed some interesting information. As Microsoft Group 
Vice President Jim Allchin responded to a question about the security 
exception in the proposed settlement with the US Department of Justice 
(DOJ), he essentially said that the company must be permitted to 
withhold information that would compromise Windows security (you know, 
like interoperability information). "The more creators of viruses know 
about how antivirus mechanisms in Windows operating systems work, the 
easier it will be to create viruses to disable or destroy those 
mechanisms," Allchin said. 
   Samba developers had been looking forward to a mid-2002 Microsoft 
code release that would give them the information they need to work 
with the company's latest networking protocol, the Common Internet File 
System (CIFS). However, Microsoft forbids using the code in any 
projects covered by the GNU General Public License (GPL), which is 
exactly what Samba uses.
   http://www.secadministrator.com/articles/index.cfm?articleid=25172

* FEATURE: SECURE MESSAGING AND EXCHANGE
   Microsoft Exchange Server implements secure messaging through the 
Advanced Security subsystem. This subsystem supports two key functions: 
signing (i.e., digital signatures for message nonrepudiation) and 
encryption/decryption. In fact, Exchange's infrastructure and services 
play a supporting role in secure messaging; the Exchange client (e.g., 
Microsoft Outlook, Outlook Express) plays the main role. For secure 
messaging to work, you need a supporting infrastructure, Exchange 
services, and client extensions that implement support for digital 
signing and encryption.
   http://www.secadministrator.com/articles/index.cfm?articleid=25165

5. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I RESTRICT USER ACCESS TO THE CONTROL PANEL INTERNET 
OPTIONS OR INTERNET TOOLS APPLET WITHOUT USING POLICIES?
   (contributed by John Savill, http://www.windows2000faq.com)

A. If you use NTFS, you can use the file system's built-in permissions 
to restrict access to the Control Panel Internet Options or Internet 
Tools applet by performing the following steps: 
   1. Open Windows Explorer. 
   2. Navigate to %systemroot%\system32 (e.g., C:\winnt\system32 or 
C:\windows\system32). 
   3. Right-click inetcpl.cpl and select Properties from the context 
menu. 
   4. Select the Security tab. 
   5. Adjust the user and group permissions as appropriate, and ensure 
that the SYSTEM group has Full Control. 

You can also use the standard command-line permission utility cacls.exe 
to set these permissions. However, be aware that when you use either 
method to restrict access, another administrator will have a difficult 
time determining the permissions you've set. Therefore, using policies 
is the preferred method for restricting access.
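The same restriction done from the command line, as an added example that 
is not part of John Savill's FAQ: it applies the file-system deny with 
Set-Acl (the modern equivalent of the cacls.exe route the FAQ mentions), 
keeps SYSTEM on Full Control as step 5 requires, and then writes the 
resulting ACL to a log so the change is not invisible to the next 
administrator, which is the drawback the FAQ warns about. It assumes a 
local group named "Restricted Users" (hypothetical) exists, the shell is 
elevated, and the account has permission to change the file's ACL (true 
for Administrators on Windows 2000/XP; on later Windows the file is owned 
by TrustedInstaller and ownership must be taken first).

```powershell
# Added example; not code from the FAQ or from Windows & .NET Magazine.
# Equivalent cacls.exe commands from the FAQ's era, for reference:
#   cacls "%SystemRoot%\system32\inetcpl.cpl" /E /D "Restricted Users"   (deny)
#   cacls "%SystemRoot%\system32\inetcpl.cpl"                            (list)
param(
    [string]$Applet    = (Join-Path $env:SystemRoot 'system32\inetcpl.cpl'),
    [string]$DenyGroup = 'Restricted Users',   # hypothetical local group
    [string]$LogPath   = (Join-Path $env:ProgramData 'inetcpl-acl-change.log')
)

if (-not (Test-Path -Path $Applet)) {
    throw "Applet not found: $Applet"
}

$acl = Get-Acl -Path $Applet

# Step 5 of the FAQ: SYSTEM must keep Full Control. Adding the rule is
# harmless if an identical allow entry is already present.
$system  = New-Object System.Security.Principal.NTAccount -ArgumentList 'NT AUTHORITY', 'SYSTEM'
$sysRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $system, 'FullControl', 'Allow'
$acl.AddAccessRule($sysRule)

# Explicit deny of Read & Execute: an explicit deny is evaluated before any
# inherited allow entry, so members of the group can no longer launch the
# Internet Options applet even if they are also in a group that is allowed.
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $DenyGroup, 'ReadAndExecute', 'Deny'
$acl.AddAccessRule($denyRule)

Set-Acl -Path $Applet -AclObject $acl

# Record the resulting ACL in a readable form. The FAQ's objection to the
# file-permission approach is that another administrator cannot easily see
# what was changed; a timestamped log entry gives them somewhere to look.
$report = (Get-Acl -Path $Applet).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize | Out-String
$entry = "[{0}] ACL for {1}:`n{2}" -f (Get-Date -Format o), $Applet, $report
Add-Content -Path $LogPath -Value $entry
Write-Output $entry
```

Running the script again is safe: AddAccessRule merges duplicate entries rather than stacking them, and each run appends a fresh snapshot of the ACL to the log.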

6. ==== NEW AND IMPROVED ==== 
   (contributed by Judy Drennen, products () winnetmag com)

* REALTIME PROTECTION AGAINST SECURITY BREACHES
   GFI's LANguard Security Event Log Monitor (S.E.L.M.) is a realtime 
product that protects against internal and external security breaches. 
The product monitors Security logs for Windows 2000 and Windows NT 
servers and workstations, then consolidates them into a central log for 
analysis. LANguard S.E.L.M. costs $495. Contact GFI at 888-243-4329 or 
sales () gfiusa com.
   http://www.gfi.com

* UPDATED SECURITY SUITE
   Greatis Software released RegRun Security Suite 3.1, an updated 
utility that maintains and controls PC stability while protecting 
against dangerous viruses and Trojan horses. RegRun Security Suite 3.1 
runs on Windows XP, Windows 2000, Windows NT, and Windows 9x, and costs 
from $19.95 to $49.95 for a single-user license. Contact 
Greatis at 206-202-4216 or support () greatis com.
   http://www.greatis.com
  
7. ==== HOT THREADS ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.com/forums

Featured Thread: The Difference Between Required Encryption and Maximum 
Strength Encryption
   (Twenty-one messages in this thread)

Robert writes that when you set up a VPN client in Windows XP, in the 
Properties section you see a tab labeled Security. If you select 
Advanced (Custom Setting) on this tab, you enable the Setting button. 
If you click Setting, the process displays another window. At the top 
of this window, you see a section labeled Data Encryption, with a drop-
down menu, in which you find four settings--including Required 
Encryption and Maximum Strength Encryption. Robert wants to know the 
difference between Required Encryption and Maximum Strength Encryption. 
Read the responses or lend a hand at the following URL.
   http://www.secadministrator.com/forums/thread.cfm?thread_id=104764

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: IIS 5.0 Banner Query 
   (Five messages in this thread) 

A reader wants to know how to change the banner in Microsoft Internet 
Information Services (IIS) 5.0 so that the server no longer reports 
itself to users as an IIS 5.0 server. Is there an easy way to make such 
a change without using hexadecimal editors to edit associated .dll 
files? Read the responses or lend a hand at the following URL.
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205c&l=howto&p=971

8. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums 

* PRODUCT NEWS -- products () winnetmag com 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdate () winnetmag com 

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com 

******************** 

   This email newsletter is brought to you by Security Administrator, 
the print newsletter with independent, impartial advice for IT 
administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.com/email 

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE. 


MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email 
newsletter account on our Web site. Simply log on and you can change 
your email address, update your profile information, and subscribe or 
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

SUBSCRIBE
   To quickly subscribe, send a blank email to 
mailto:Security-UPDATE_Sub () list winnetmag com.

UNSUBSCRIBE
   To quickly unsubscribe, send a blank email to 
mailto:Security-UPDATE_Unsub () list winnetmag com.

Thank you!



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

