Information Security News mailing list archives

Security UPDATE, October 16, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 17 Oct 2002 01:47:56 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

UltraBac Offers the Most Backup & Restore Options
   http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V10AF

Real Time Monitoring Is a Security Requirement
   http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02Jr0A4
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: ULTRABAC OFFERS THE MOST BACKUP & RESTORE OPTIONS ~~~~
   UltraBac Software announces UltraBac v7.0.2 with the ability to use
any FTP server or IBM's Tivoli Storage Manager (TSM) as storage
devices for backup and restore operations. The FTP Device allows
administrators to perform backup & restore operations to any FTP
server connected to the Internet by simply entering the server's
address as the backup path. By including FTP and TSM devices as backup
paths, UltraBac now sets a new industry standard by offering more
backup and restore options than any other application. Backup options
include writing data to any type of local or remote media, including
disk, tape, CD-RW and optical. Download a free live trial
   http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V10AF

~~~~~~~~~~~~~~~~~~~~

October 16, 2002--In this issue:

1. IN FOCUS
     - Microsoft .NET Passport Must Set Security Bar Higher

2. SECURITY RISKS
     - DoS in Oracle 9i Application Server for Windows
     - Multiple Vulnerabilities in Microsoft Services for UNIX 3.0
     - BearShare File-Sharing Directory Traversal Vulnerability
     - Multiple Vulnerabilities in Microsoft SQL Server, MSDE 2000,
       and MSDE 1.0

3. ANNOUNCEMENTS
     - The Exchange Solutions You've Been Searching For!
     - Planning on Getting Certified? Make Sure to Pick Up Our New
       eBook!

4. SECURITY ROUNDUP
    - News: RSA Security and iRevolution Give Passport Two-Factor
      Authentication
    - Feature: Vendor-Specific Security Settings
    - Feature: Palladium's Glacial Approach

5. HOT RELEASES (ADVERTISEMENTS)
     - Spectracom's Netclock, for Secure Network Time
     - Protect Your Infrastructure

6. INSTANT POLL
     - Results of Previous Poll: Using Snort
     - New Instant Poll: Microsoft .NET Passport

7. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Configure the Grace Period That Windows Uses for
       Password-Protected Screen Savers?

8. NEW AND IMPROVED
     - Integrated Security Solution for USB Keys and SSL Acceleration
     - Tips for Troubleshooting and Preventing Internet-Based Computer
       Intrusions
     - Submit Top Product Ideas
 
9. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Port Mappings

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* MICROSOFT .NET PASSPORT MUST SET SECURITY BAR HIGHER

Although in the past Microsoft lambasted open-source projects as
inherently insecure, the company has chosen to embrace an open
protocol, Kerberos, again. (Kerberos is an open IETF standard, and
MIT's reference implementation is open source.) According to
vnunet.com (see the URL below), Microsoft will marry its technology
with Kerberos to make its next generation of .NET Passport more secure
and somewhat more open.
   http://www.vnunet.com/news/1125551

The last time Microsoft adopted Kerberos, with Windows 2000, critics
screamed because Microsoft used the protocol's authorization-data
field to carry Windows-specific group information (the Privilege
Attribute Certificate, or PAC) and at first didn't document the
format. Extending an open protocol with undocumented, proprietary
changes is a definite no-no. Now, however, Microsoft is turning to
Kerberos to improve .NET Passport security in response to the Federal
Trade Commission (FTC) scrutiny that resulted in specific charges.
   http://www.microsoft.com/netservices/passport

Microsoft described its .NET Passport, launched in 1999, as "a suite
of Web-based services that makes using the Internet and purchasing
online easier and faster. .NET Passport provides users with single
sign-in (SSI) and fast purchasing capability at a growing number of
participating sites, reducing the amount of information users must
remember or retype." Many popular shopping sites, including eBay
(which recently acquired PayPal), offer .NET Passport as a means to
conduct business through their portals.
   http://www.microsoft.com/netservices/passport/overview.asp

Because SSI is the core feature of .NET Passport, Kerberos, which was
designed for exactly that job, is an obvious choice for the core
authentication mechanism. To learn more about Microsoft's Kerberos
implementation, read Jan De Clercq's article "Win.NET Server Kerberos"
on our Web site (see the URL below). De Clercq discusses the new
Kerberos delegation features that Microsoft has embedded in Windows
.NET Server (Win.NET Server) 2003.
   http://www.secadministrator.com/articles/index.cfm?articleid=26450

According to the FTC, Microsoft made false claims about .NET
Passport's security and privacy. Microsoft recently came to an
agreement with the commission (see the URL below) by which the company
will work to mend the problems. Under the agreement, Microsoft will
change the way the company communicates with consumers about the
security and privacy of the .NET Passport service and change the way
Kids Passport works to some extent, as you'll see below.
   http://www.ftc.gov/opa/2002/08/microsoft.htm

As Microsoft Senior Vice President and General Counsel Brad Smith
noted, "The FTC's complaint asserts that we should have taken
additional security steps earlier in the operation of the Passport
service." Smith went on to say: "Even though we know of no instance
where a Passport user's information has ever been compromised, in
hindsight we wish we had held ourselves to an even higher bar."

The FTC's complaints were certainly justified, however. You might
recall that in November 2001, I wrote about one researcher who
required just 30 minutes to discover that when Hotmail and .NET
Passport were combined, an intruder could quickly empty a user's
"wallet." On Microsoft's behalf, Smith acknowledged .NET Passport's
shortcomings and promised change: "Consistent with our heightened
security obligations, we accept responsibility for the past and will
focus on living up to this high level of responsibility in the
future."
   http://www.secadministrator.com/articles/index.cfm?articleid=23161

Toward that goal, according to Microsoft Corporate Vice President
Brian Arbogast, the company will "document the comprehensive
information security program that protects the security,
confidentiality, and integrity of the personal information collected
from our customers. We will also ensure that a third-party
professional firm reviews, advises us, and ultimately certifies that
our information-security program is designed and operates with
sufficient effectiveness to provide reasonable assurances that the
security, confidentiality, and integrity of every Passport user's
information is protected. We will also ensure that all of the
statements we make about the service are accurate and clear. Finally,
we will strengthen training for all the managers involved with
Passport, to ensure that they understand and comply fully with this
order."

The FTC also raised concerns about Kids Passport, particularly noting
that children could bypass the controls their parents placed on the
technology. Microsoft said that it has taken steps to remedy that
situation by making Kids Passport more "kid-proof."

The new agreement with the FTC will be in force for 20 years. To read
more about Microsoft's perspective on the agreement, visit the Web
site at the URL below. In related news, Microsoft has licensed
security technology from RSA Security that will strengthen the
authentication mechanisms .NET Passport uses. Be sure to read about
that licensing agreement in the related news item in this newsletter.
   http://www.microsoft.com/presspass/features/2002/aug02/08-08passport.asp

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: REAL TIME MONITORING IS A SECURITY REQUIREMENT ~~~~
   A proactive IT Manager installed ELM Enterprise Manager 3.0 on his
critical servers to assess the benefits of real time monitoring. A
week later, EEM 3.0 paged him as a disgruntled employee was attempting
to access confidential personal files. Within minutes, the hacker was
escorted off company property. Use ELM Enterprise Manager 3.0 to
monitor the health and status of your systems, protect your
intellectual property, and prevent avoidable downtime. Download your
FREE 30-day evaluation copy at:
   http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02Jr0A4

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* DoS IN ORACLE 9I APPLICATION SERVER FOR WINDOWS
   @stake discovered a Denial of Service (DoS) condition in Oracle 9i
Application Server's Web Cache Manager Tool. An attacker who sends a
specially formatted HTTP GET request to the port on which the Web
Cache Administration process is listening can crash the administration
process. The vendor, Oracle, has released Oracle Security Alert #43 to
address this vulnerability but hasn't released a patch. The company
will include a fix for this vulnerability in Oracle 9i Application
Server 9.02.
   http://www.secadministrator.com/articles/index.cfm?articleid=26941

* MULTIPLE VULNERABILITIES IN MICROSOFT SERVICES FOR UNIX 3.0
   Three new vulnerabilities exist in the Interix SDK that ships with
Microsoft Services for UNIX (SFU) 3.0, one of which could let an
attacker execute arbitrary code on the vulnerable system. The
vulnerabilities consist of an integer overflow in the External Data
Representation (XDR) library, a buffer overrun in the Sun remote
procedure call (RPC) implementation, and an RPC implementation error.
Only systems on which the Interix SDK component is installed are
affected. The vendor, Microsoft, has released Security Bulletin
MS02-057 (Flaw in Services for Unix 3.0 Interix SDK Could Allow Code
Execution) to address these vulnerabilities and recommends that
affected users immediately apply the patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26889

* BEARSHARE FILE-SHARING DIRECTORY TRAVERSAL VULNERABILITY
   A directory traversal vulnerability exists in the file-sharing
program BearShare. This vulnerability stems from a flaw in the
personal Web server portion of BearShare that could let an attacker
view any file on the vulnerable system by issuing a specially crafted
HTTP request. The vendor, Free Peers, has released version 4.0.6 to
address the traversal issue described above, but the software is still
vulnerable if an attacker uses certain HTTP requests, which the
article lists. Free Peers hasn't yet addressed this second variant of
the same problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=26890
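The two BearShare advisories illustrate a general rule: a traversal fix
that pattern-matches the request string for "../" is bypassed by any
equivalent spelling the file system will still resolve, so the check
has to come after canonicalization, not before. The PowerShell below is
an added illustration, not BearShare's code and not the request forms
the article lists. Test-NaiveTraversalFilter is an assumed shape of an
incomplete fix, Resolve-SharePath is the corrected check, and the share
root and request strings are constructed for the demo (run it on
Windows, where the path APIs behave as commented).

```powershell
# Added illustration (not BearShare code): canonicalize, then check, for a
# personal web server that maps request paths onto files under a share root.

function Test-NaiveTraversalFilter {
    param([string]$RequestPath)
    # Assumed shape of an incomplete fix: rejects only the literal "../" sequence.
    # Returns $true when the request would be allowed through.
    return ($RequestPath -notmatch '\.\./')
}

function Resolve-SharePath {
    param(
        [Parameter(Mandatory)][string]$ShareRoot,
        [Parameter(Mandatory)][string]$RequestPath
    )
    # 1. Decode percent-encoding twice, so "..%2f" and "..%252f" both become "../".
    $decoded = [Uri]::UnescapeDataString([Uri]::UnescapeDataString($RequestPath))
    # 2. Windows file APIs accept backslash as a separator, so normalize it too.
    $decoded = $decoded -replace '\\', '/'
    # 3. Canonical root with a trailing separator, so "C:\Shared2" cannot pass as "C:\Shared".
    $rootFull = [IO.Path]::GetFullPath($ShareRoot).TrimEnd('\', '/') + [IO.Path]::DirectorySeparatorChar
    # 4. Resolve the request against the root; GetFullPath collapses "." and "..".
    $candidate = [IO.Path]::GetFullPath([IO.Path]::Combine($rootFull, $decoded.TrimStart('/')))
    # 5. Serve only what is still inside the root after canonicalization.
    if ($candidate.StartsWith($rootFull, [StringComparison]::OrdinalIgnoreCase)) {
        return $candidate
    }
    return $null
}

# Constructed sample requests for the demo (not from the advisory).
$root = 'C:\Shared'
$requests = @(
    '/music/song.mp3',             # legitimate request
    '/../../Windows/win.ini',      # classic traversal: both checks reject it
    '/..%2f..%2fWindows/win.ini',  # encoded slash: passes the naive filter
    '/..\..\Windows/win.ini'       # backslash variant: passes the naive filter
)
foreach ($r in $requests) {
    $naive = Test-NaiveTraversalFilter -RequestPath $r
    $safe  = Resolve-SharePath -ShareRoot $root -RequestPath $r
    '{0,-30} naive-filter-allows: {1,-5} canonical: {2}' -f $r, $naive,
        $(if ($safe) { $safe } else { 'REJECTED' })
}
```

The last two requests show the failure mode the article describes: the
literal-string filter lets them through, while the canonical check
resolves them to C:\Windows\win.ini and rejects them. When auditing any
file-serving code, look for the order of operations: decode and
normalize first, compare against the root last.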

* MULTIPLE VULNERABILITIES IN MICROSOFT SQL SERVER, MSDE 2000, AND
MSDE 1.0
   Three new vulnerabilities exist in Microsoft SQL Server, Microsoft
SQL Server Desktop Engine (MSDE) 2000, and Microsoft Data Engine
(MSDE) 1.0, the most serious of which could let an attacker execute
arbitrary code on the vulnerable system. The vulnerabilities are a
buffer overrun in a section of code in SQL Server 2000 and MSDE 2000
associated with user authentication, a buffer-overrun vulnerability
that occurs in one of the Database Console Commands shipped as part of
SQL Server 2000 and SQL Server 7.0, and a vulnerability associated
with SQL Server 2000 and SQL Server 7.0 scheduled jobs. The vendor,
Microsoft, has released Security Bulletin MS02-056 (Cumulative Patch
for SQL Server) to address these vulnerabilities and recommends that
affected users immediately apply the appropriate patch mentioned in
the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26888

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* THE EXCHANGE SOLUTIONS YOU'VE BEEN SEARCHING FOR!
   Our popular IT Buyers' Directories (ITBDs) are online catalogs of
the hottest vendor solutions around. Our latest ITBD highlights the
solutions and services that will help you protect, migrate, and
administer your Exchange server. Download your copy today at
   http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05Ji0Ax

* PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!
   "The Insider's Guide to IT Certification" eBook is hot off the
presses and contains everything you need to know to help you save time
and money while preparing for certification exams from Microsoft,
Cisco Systems, and CompTIA and have a successful career in IT. Get
your copy of the Insider's Guide today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw038F0A3

4. ==== SECURITY ROUNDUP ====

* NEWS: RSA SECURITY AND iREVOLUTION GIVE PASSPORT TWO-FACTOR
AUTHENTICATION
   RSA Security and iRevolution announced a strategic relationship to
provide two-factor authentication to Microsoft Passport. The two
companies will create a solution designed to provide Passport users
single sign-on (SSO) capabilities using RSA Mobile software.
   http://www.secadministrator.com/articles/index.cfm?articleid=26976

* FEATURE: VENDOR-SPECIFIC SECURITY SETTINGS
   Ed Roth tells you how to configure Wired Equivalent Privacy (WEP)
encryption settings for a variety of different wireless network gear,
including SMC Networks, Linksys, D-Link Systems, NETGEAR, Siemens, and
SOHOware. Bear in mind that WEP is a baseline, not a guarantee: the
RC4 key-scheduling weakness that Fluhrer, Mantin, and Shamir published
in 2001 lets an attacker recover a WEP key from enough captured
traffic, so layer a VPN or other higher-level encryption over it.
   http://www.secadministrator.com/articles/index.cfm?articleid=26410

* FEATURE: PALLADIUM'S GLACIAL APPROACH
   Palladium is based on the theory that software alone can't
adequately protect users and data in our connected world. According to
Microsoft, Palladium will do almost everything but balance your
checkbook: It will stop viruses, worms, and spam; it will understand
who you are and prevent malicious users from accessing information you
intend to send to certain individuals; it will safeguard your privacy.
Read Paul Thurrott's editorial about Palladium at the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=26375

5. ==== HOT RELEASES (ADVERTISEMENTS)====

* SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME
   Does your network depend on a Time Source that's outside your
Firewall? Doesn't your network need an accurate clock source?
Spectracom's NetClock/NTP (Network Time Provider) or NetClock/TM (Time
Machine) can help you. See how at:
   http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02fF0An
   http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V20AG

* PROTECT YOUR INFRASTRUCTURE
   How do you make sure only the right people access your vital
systems? IBM can help build trust into your e-business relationships.
Get the IBM white paper, "Linking Security Needs to e-business
Evolution" at http://www.ibm.com/e-business/playtowin/n296

6. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: USING SNORT
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Do
you use Snort to implement an Intrusion Detection System (IDS) on your
network?" Here are the results (+/- 2 percent) from the 1220 votes:
   -  91% Yes
   -   9% No

* NEW INSTANT POLL: MICROSOFT .NET PASSPORT
   The next Instant Poll question is, "Do you currently use Microsoft
.NET Passport?" Go to the Security Administrator Channel home page and
submit your vote for a) Yes, or b) No.
   http://www.secadministrator.com

7. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I CONFIGURE THE GRACE PERIOD THAT WINDOWS USES FOR
PASSWORD-PROTECTED SCREEN SAVERS?
   (contributed by John Savill, http://www.windows2000faq.com)

A. By default, when you activate a password-protected screen saver,
Windows provides a brief grace period during which keyboard and mouse
activity will stop the screen saver and let you access the system
without having to enter the password. To modify this grace period,
perform the following steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon registry subkey.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter a name of ScreenSaverGracePeriod, then press Enter.
   5. Double-click the new value, set the "Value data" to the number
of seconds (from 0 to 2,147,483) that you want to use for the grace
period, set the Base type to decimal, then click OK.
   6. Restart the machine for the change to take effect.
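The same change scripted in PowerShell, so it can be applied to many
machines and verified on read-back. This is an added example, not part
of Savill's FAQ; it assumes an elevated session on a Windows NT-family
host (writes under HKLM require administrator rights) and that the
value is either absent or a DWORD, as the FAQ creates it. From a
security standpoint, 0 is the setting to reach for: any non-zero grace
period is a window in which a walked-away console is unlocked.

```powershell
# Added example (not from the FAQ): read, set, and verify ScreenSaverGracePeriod.
# Run from an elevated PowerShell prompt; a reboot is still needed for the change to apply.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'ScreenSaverGracePeriod'

function Get-ScreenSaverGracePeriod {
    # Returns $null when the value is absent (Windows then uses its built-in default).
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Set-ScreenSaverGracePeriod {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 2147483)]   # the range the FAQ gives, in seconds
        [int]$Seconds
    )
    # Set-ItemProperty creates the value if missing and overwrites it if present;
    # -Type DWord matches the FAQ's "DWORD Value" step.
    Set-ItemProperty -Path $key -Name $name -Value $Seconds -Type DWord
    # Read it back rather than trusting the write.
    $actual = Get-ScreenSaverGracePeriod
    if ($actual -ne $Seconds) {
        throw "Write-back check failed: expected $Seconds, read '$actual'"
    }
    Write-Host "ScreenSaverGracePeriod = $actual second(s); restart for the change to take effect."
}

'Before: {0}' -f $(if ($null -eq (Get-ScreenSaverGracePeriod)) { 'not set' } else { Get-ScreenSaverGracePeriod })
Set-ScreenSaverGracePeriod -Seconds 0   # 0 = no grace period: the lock engages as soon as the saver starts
```

To confirm the setting after the reboot, run Get-ScreenSaverGracePeriod
again, or check the value with reg.exe from a remote session; a value
that silently reverts usually means Group Policy or a management agent
is writing the same key, and that policy is where the change belongs.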

8. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* INTEGRATED SECURITY SOLUTIONS FOR USB KEYS AND SSL ACCELERATION
   Rainbow Technologies eSecurity and i-Security Solutions Limited
(i-SSL) announced a partnership to integrate Rainbow's iKey and
CryptoSwift products with i-SSL's i-Secur products. The partnership
will provide one-stop, seamlessly integrated security services and
solutions to customers in the Asian Pacific IT security market. "Our
partnership with Rainbow further enhances our ability to create,
deliver and support world-class security solutions tailored to the
specific needs of Asian and international customers," said Frederick
Chang, CEO of i-SSL. "Rainbow's security solutions complement our
i-Secur suite of products to provide user-friendly e-applications
embedded with strong security measures." Contact Rainbow at
949-450-7377 or go to the Web sites listed below.
   http://www.rainbow.com
   http://www.issl.com.hk

* TIPS FOR TROUBLESHOOTING AND PREVENTING INTERNET-BASED COMPUTER
INTRUSIONS
   Sybex released "Absolute PC Security and Privacy" by Michael
Miller, a solutions-oriented book that shows users how to detect and
seal security holes, how to reduce the chance of attack, and how to
recognize when an attack is underway and stop it in progress. The book
contains solutions for addressing the most common Internet-based
intrusions including viruses, privacy theft, and email spam. Written
for average computer users, Miller's book offers easy-to-follow
instructions and practical advice. The book (ISBN 0-7821-4127) costs
$34.99. Contact Sybex at its Web site for more information.
   http://www.sybex.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

9. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Port Mappings
   (Five messages in this thread)

A reader wants to know about any articles or Web sites that offer a
list of ports and maps those ports to malicious applications such as
Trojan horses or known intruder tools. Such Web pages do exist, as the
responses demonstrate.
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=47344

10. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.
__________________________________________________________
Copyright 2002, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.