Security UPDATE, October 2, 2002

[InfoSec News <isn () c4i org>]

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Free Security Seminar
   http://list.winnetmag.com/cgi-bin3/flo?y=eNmZ0CJgSH0CBw05CO0AE

Networking UPDATE Email Newsletter
   http://list.winnetmag.com/cgi-bin3/flo?y=eNmZ0CJgSH0CBw0rvS0AA
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: FREE SECURITY SEMINAR ~~~~
   How can you quickly locate and eliminate security vulnerabilities?
Why were some companies protected from Nimda and Code Red when others
were not? How can you become proactive, rather than reactive with
security issues? Find out the answers to these and other questions at
one of 12 free, half-day seminars co-sponsored by Microsoft and
BindView Corporation, "Proactive Security Management for the Microsoft
Enterprise." To find a location near you and to register, go to
   http://list.winnetmag.com/cgi-bin3/flo?y=eNmZ0CJgSH0CBw05CO0AE

~~~~~~~~~~~~~~~~~~~~

October 2, 2002--In this issue:

1. IN FOCUS
     - Infrastructure for Resilient Internet Systems

2. SECURITY RISKS
     - Buffer Overrun and DoS in Microsoft Front Page Server
       Extensions

3. ANNOUNCEMENTS
     - Mark Minasi and Paul Thurrott Are Bringing Their Security
       Expertise to You!
     - Get Connected at Microsoft IT Forum 2002!

4. SECURITY ROUNDUP
     - Feature: Win.NET Server Kerberos
     - Feature: Two Backup Windows

5. HOT RELEASE (ADVERTISEMENT)
     - FREE Security Assessment Tool

6. INSTANT POLL
     - Results of Previous Poll: A Year of Security
     - New Instant Poll: Using Snort

7. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Prevent Microsoft Word in Microsoft Office XP
       from Loading HTTP-linked Images?

8. NEW AND IMPROVED
     - Out-of-the-Box Protection at Multiple Entry Points
     - New Firewall Appliances for SOHO
     - Submit Top Product Ideas
 
9. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Win2K Server and Security Issues
     - HowTo Mailing List
         - Featured Thread: Logon Attempts to IIS 5.0

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
   mark () ntsecurity net)

* INFRASTRUCTURE FOR RESILIENT INTERNET SYSTEMS

Are you tired of Denial of Service (DoS) attacks, viruses, worms, and
assorted causes of network downtime? A new solution might be on the
(distant) horizon: The National Science Foundation (NSF) has selected
five university computer science departments to create a new secure
decentralized network infrastructure that would be resilient against
failure and attack. The NSF awarded $12 million to launch development
of the new project, called the Infrastructure for Resilient Internet
Systems (IRIS). The selected universities are the Massachusetts
Institute of Technology (MIT), the University of California at
Berkeley, the International Computer Science Institute, New York
University, and Rice University.
   http://iris.lcs.mit.edu

The group of universities will work to develop a new network
infrastructure based on distributed hash table (DHT) technology, which
will act as the cornerstone to "securely orchestrate data retrieval
and computation on open-ended large-scale networks such as the
Internet, even when the individual nodes on the network are insecure
or unreliable."

Whereas DNS typically involves systems accessed in hierarchical order,
DHT would, in contrast, involve a range of systems accessed based on a
data object that an application requires. Developers could use DHT to
create a network infrastructure similar to peer-to-peer (P2P)
file-sharing networks, such as Gnutella or KaZaA, but with significant
replication and security improvements--potentially a viable new
computing infrastructure for the business world.

According to the basic operational theory of the new infrastructure,
an object stored on the network would be digitally signed and
replicated to numerous other file servers on the network. In the event
of network degradation or failure (e.g., DoS attack, system crash,
system overload, virus or worm infection), the object would be
available elsewhere transparently to users. A file-system API would
ride on top of DHT and automatically move data back and forth to files
based on information DHT provides to the API.

This new type of network would be self-configuring and would
automatically incorporate new network nodes without manual
intervention. Systems (e.g., file servers) could join or drop off the
network without significantly affecting overall network operation. If
a malicious user or file server were to participate in the network,
that user's activities could be minimized to prevent security problems
(though computer scientists are still considering how to minimize
those activities).

According to a proposal that discusses the new technology (see the URL
below), "In general, DHTs will be used to organize complex structures
consisting of related objects. Thus a key concern is the ability to
provide verifiable inter-object references, perhaps analogous to
secure links between web pages. A simple example involves naming an
object using a cryptographic hash of its content, an idea that fits
well with DHTs. More difficult challenges include mutable objects;
objects that more than one user can change; verifying that the
freshest version of an object has been obtained; and verifying that a
particular set of objects consists of consistent versions. Initial
work by the [program interfaces] in these areas include
self-certifying pathnames for mutable data and techniques to ensure
consistent and correct mutable file systems in the face of malicious
file servers."
   http://iris.lcs.mit.edu/proposal.html

DHT isn't a new concept, but it hasn't been brought into mainstream
business use. In the past, MIT computer scientists have outlined and
discussed some of the security risks involved with P2P digital hash
tables. According to Emil Sit and Robert Morris (see the URL below),
the risks include incorrect routing lookups, incorrect routing
updates, new network nodes being cross connected to a malicious
parallel network, storage and retrieval attacks, inconsistent node
behavior, unsolicited network traffic, and more.
   http://www.cs.rice.edu/Conferences/IPTPS02/173.pdf

The IRIS project must address these problems and many others before a
new infrastructure can perform as promised. But the proposed system
could act as a secure storage system for the Internet and could help
users (e.g., businesses, government) mitigate the many nuisances we
experience today. For more information about this new infrastructure
design, visit the IRIS Web site (see the first URL below). The IRIS
Web site also lists similar and related projects, including a
Microsoft research project called Farsite (see the second URL below).
   http://iris.lcs.mit.edu/projects.html
   http://www.research.microsoft.com/sn/farsite

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: NETWORKING UPDATE EMAIL NEWSLETTER ~~~~
   NEW! NEWS, TIPS, AND MORE TO KEEP YOUR NETWORK HUMMING
   Networking UPDATE brings you the how-to tips and news you need to
implement and maintain a rock-solid networking infrastructure. We'll
explore interoperability solutions, hardware (including servers,
routers, and switches), network architecture, network management,
network security, installation technology, network training, and WAN
disaster recovery. Subscribe (at no cost!) at:
   http://list.winnetmag.com/cgi-bin3/flo?y=eNmZ0CJgSH0CBw0rvS0AA

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* BUFFER OVERRUN AND DoS IN MICROSOFT FRONT PAGE SERVER EXTENSIONS
   A buffer-overrun vulnerability exists in the SmartHTML Interpreter
(shtml.dll), which ships as part of the Microsoft FrontPage Server
Extensions (FPSE) package. The vulnerability affects the two versions,
FPSE 2002 and FPSE 2000, differently. Microsoft has released Security
Bulletin MS02-053 (Buffer Overrun in SmartHTML Interpreter Could Allow
Code Execution) to address these vulnerabilities. Be sure to read the
bulletin (linked from the page listed below), and consider applying
the appropriate patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26819

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE
TO YOU!
   Windows & .NET Magazine Network Road Show 2002 is coming this
October to New York, Chicago, Denver, and San Francisco! Industry
experts Mark Minasi and Paul Thurrott will show you how to shore up
your system's security and what desktop security features are planned
for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and
Trend Micro. Registration is free, but space is limited so sign up
now!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNmZ0CJgSH0CBw03lK0An

* GET CONNECTED AT MICROSOFT IT FORUM 2002!
   Microsoft's premier European conference for planning, deploying,
and managing a connected infrastructure. Learn how to fully optimize
the Microsoft Server Platform, including Windows .NET Servers, Active
Directory, ISA, SharePoint Portal Server, SMS, and MOM. Topics include
administration, management, planning, deployment, messaging, security,
integration, and much more. Register now and save 300 euros!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNmZ0CJgSH0CBw04a70AJ

4. ==== SECURITY ROUNDUP ====

* FEATURE: WIN.NET SERVER KERBEROS
   The new Kerberos delegation features that Microsoft has embedded in
Windows .NET Server (Win.NET Server) 2003 make Kerberos an even better
choice for user authentication in a Windows environment. (A basic
understanding of the Kerberos authentication protocol will help as you
read about Win.NET Server's Kerberos implementation.)
   http://www.secadministrator.com/articles/index.cfm?articleid=26450

* FEATURE: TWO BACKUP WINDOWS
   Closing backup windows is one of the most difficult and overlooked
challenges you face as a database administrator. On one hand, the
window of time you have to perform a backup is shrinking. Databases
are growing larger even as availability demands increase, leaving you
with precious few minutes to back up your critical data. On the other
hand, you need to make sure that your backup is secure, closing all
inappropriate access paths. Read Michael Otey's article about Backup
Windows on our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=26436

5. ==== HOT RELEASE (ADVERTISEMENT)====

* FREE SECURITY ASSESSMENT TOOL
   Aelita InTrust(tm) closes the gap between policy and IT
infrastructure, simplifying your regulatory compliance efforts. HIPAA?
Gramm-Leach-Bliley? BS7799/ISO17799? Let Aelita provide your
compliance solution. Start with our FREE security assessment tool:
Aelita InTrust Audit Advisor!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNmZ0CJgSH0CBw05CP0AF

6. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: A YEAR OF SECURITY
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Do
you think that your organization's network is more secure or less
secure than it was a year ago?" Here are the results (+/- 2 percent)
from the 215 votes:
   -  78% More secure
   -  18% Less secure
   -  10% Not sure

* NEW INSTANT POLL: USING SNORT
   The next Instant Poll question is, "Do you use Snort to implement
an Intrusion Detection System (IDS) on your network?" Go to the
Security Administrator Channel home page and submit your vote for a)
Yes, or b) No.
   http://www.secadministrator.com

7. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT MICROSOFT WORD IN MICROSOFT OFFICE XP FROM
LOADING HTTP-LINKED IMAGES?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. Office XP can display HTTP images, which might let the hosting site
track the image download. Authors have been known to place hidden HTTP
images in a document to let them track the reading of a document. To
disable the loading of HTTP-linked images in Word, perform the
following steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common registry
 subkey.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter the name BlockHTTPImages, then press Enter.
   5. Double-click the new value, set it to 1 to block HTTP-linked
images, then click OK.
   6. Restart Word.

To reenable HTTP-linked images, either delete the BlockHTTPImages
registry value or set it to 0. To test whether you can view
HTTP-linked images, download the testhttpimage.doc from the link
below. If you can see the ntfaq.com link image in that .doc file, then
you can download HTTP images.
   http://www.windows2000faq.com/articles/download/testhttpimage.doc

8. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* OUT-OF-THE-BOX PROTECTION AT MULTIPLE ENTRY POINTS
   Symantec released Norton AntiVirus 2003, antivirus software that
removes most malicious code automatically, protects email messages and
Instant Messaging (IM) attachments, and keeps virus definitions
up-to-date without requiring user intervention. Norton AntiVirus 2003
runs on Windows XP, Windows 2000, Windows Me, and Windows 98 and costs
$49.95 ($69.95 for the Professional Edition). Contact Symantec at the
Web site.
   http://www.symantec.com

* NEW FIREWALL APPLIANCES FOR SOHO
   WatchGuard announced Firebox SOHO 6, Firebox SOHO 6tc, and Firebox
SOHO 6tc (50-User version) firewall appliances. These new small
office/home office (SOHO) models integrate WatchGuard's proven SOHO
security features with a new custom-built high-performance hardware
platform that delivers 75Mbps firewall and 20Mbps VPN throughputs. The
list price for the Firebox SOHO 6 is $469; the list price for the
Firebox SOHO 6tc is $629; and the list price for the SOHO 6tc 50-User
version is $899. The products will be available by year-end. Contact
WatchGuard at 800-734-9905 or information () watchguard com.
   http://www.watchguard.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

9. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Win2K Server and Security Issues
   (Two messages in this thread)

One user's company recently upgraded a server to Windows 2000 Advanced
Server. During the process, staff members created a new domain
controller (DC), which he calls DC101.com for the purposes of this
explanation. This server is the only DC running Active Directory (AD),
and it connects to the Internet. He discovered that someone had
already registered a DC101.com domain.
   By accident, he pinged a machine in his company, which is in New
York City, and it resolved to an unknown IP address. He found that the
unknown Address was in London (the network of the already registered
DC101.com domain).
   Upon further investigation, he noticed that the London server was
attempting to access the TCP ports on his server. Can he solve the
problems this scenario contains? What are the implications if he
doesn't change his internal domain name? Read the responses or lend a
hand:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=46958

* HOWTO MAILING LIST

Featured Thread: Logon Attempts to IIS 5.0
   (Three messages in this thread)

A user recently found a lot of audit failure events on her Web Server,
which runs Windows 2000 Service Pack 3 (SP3) with Microsoft Internet
Information Services (IIS) 5.0 and all the most recent security
patches. Based on the event log, she can see that an intruder tried to
log on with some of the organization's local user accounts. She
wonders how the intruder might have discovered the local user account
names. Read the responses or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?A2=IND0209D&L=HOWTO&P=253

10. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://list.winnetmag.com/cgi-bin3/flo?y=eNmZ0CJgSH0CBw0rvS0AA

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.