Information Security News mailing list archives

Security UPDATE, September 25, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 26 Sep 2002 01:32:15 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

"Tee-Off" at MEC with Sybari Software
  http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041j0AD

Get the Most ROI Out of Your Patch Software
   http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw0rf10AB
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: "TEE-OFF" AT MEC WITH SYBARI SOFTWARE ~~~~
   An out-of-the-box, suite solution for virus protection may not be
the value you bargained for . . . visit Sybari's booth (#300) at MEC
and learn how with Antigen you can deploy up to six of the leading
virus scan engine technologies, as well as advanced file and content
filtering features including subject line, sender, and domain
filtering, delivering the most comprehensive virus scanning on the
market today. At MEC play THE SYBARI OPEN and enter to win one of
three valuable prizes each day. Not going to MEC? Attend an Antigen
web demo by October 31st and get a free Sybari t-shirt. Register at
 http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041j0AD

~~~~~~~~~~~~~~~~~~~~

September 25, 2002--In this issue:

1. IN FOCUS
     - National Cyberspace Security: It's Time to Regulate
       Manufacturers

2. SECURITY RISKS
     - Multiple Vulnerabilities in Microsoft VM
     - Multiple Vulnerabilities in Microsoft RDP

3. ANNOUNCEMENTS
     - Planning on Getting Certified? Make Sure to Pick Up Our New
       eBook!
     - Mark Minasi and Paul Thurrott Are Bringing Their Security
       Expertise to You!

4. SECURITY ROUNDUP
     - Feature: Product of the Year
     - Feature: Best Security Products
     - Feature: A Look at Win.NET Server Security

5. HOT RELEASES (ADVERTISEMENTS)
     - SPI Dynamics
     - FREE Network Security Web Seminars
     - FREE Security Assessment Tool

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Prevent Microsoft Internet Explorer (IE) From
       Caching Secure Sockets Layer (SSL) Pages?

7. NEW AND IMPROVED
     - Software to Catch Hackers
     - Metadata Management for Law Firms
     - Submit Top Product Ideas
 
8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Threat from Within
     - HowTo Mailing List
         - Featured Thread: Failed Trust

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* NATIONAL CYBERSPACE SECURITY: IT'S TIME TO REGULATE MANUFACTURERS

Last week, the US government unveiled a newly drafted strategy to
secure cyberspace. The strategy calls for home-based users to
voluntarily learn more about security and for all computer users
(home, government, business) to do more to secure systems. A 65-page
document outlining the strategy is available at the URL below.
   http://www.whitehouse.gov/pcipb/

According to the President's Critical Infrastructure Protection Board
Web site, the plan was drafted after "town hall meetings were held
around the country, and fifty-three clusters of key questions were
published to spark public debate. Even more input is needed. The
public has 60 days to offer further input."

I've received press releases from several technology companies that
support the strategy. But based on news reports I've read, other
businesses and individuals have complained about the plan. Their
objections include that the plan isn't comprehensive enough, that it
targets government and home users more closely than businesses, and
that it might cost businesses too much to implement when profits are
down in an ailing economy. I want to discuss what the plan
emphasizes--and more importantly--what it doesn't emphasize.

According to "The Washington Post," Bruce Schneier, chief technology
officer (CTO) of Counterpane Internet Security, said, "You really have
to ask why CEOs would bother to follow any of these recommendations,
particularly at a time when most companies' earnings are down 20
percent. The fact is, companies aren't rewarded for altruism; they're
rewarded by the strength of their stock price."
   http://www.washingtonpost.com/wp-dyn/articles/A35812-2002Sep18.html

One notable security industry figure, Alan Paller, research director
of the SysAdmin, Audit, Network, and Security (SANS) Institute, seems
to have forgotten that we live in a democratic society. According to
"The Washington Post" story, "[Paller] believes the 60-day public
comment period will help to show who has worked hardest to weaken the
plan." Paller said, "The whiners will now have a spotlight shone on
them."

So will most businesses respond to the plan, and are all its critics
trying to weaken it? Many of us believe that the problem with security
in cyberspace resides largely in faulty software. You've sent email
messages to me stating that view, and I've written about my own
concerns (see the first URL below). In "eWEEK," Wyatt Starnes, CEO and
cofounder of security vendor Tripwire, echoes that sentiment in his
response to the draft strategy: "I'd like to see them make software
companies take responsibility for the reliability of their products."
   http://www.secadministrator.com/articles/index.cfm?articleid=23161
   http://www.eweek.com/article2/0,3959,547303,00.asp

Perhaps if software companies were liable by law for their products'
lack of security, we wouldn't need such a weighty plan to secure
cyberspace. We know that regulation works reasonably well in other
industries.

Consider that Microsoft currently controls 80 percent of the desktop
market, not to mention the server market space. Doesn't it make sense
that if software vendors, including Microsoft, were legally obligated
to roll out the most secure products possible--or face stiff
consequences--more than 80 percent of the computers on the planet
would be more secure (and less of a risk to any country's national
security)? Why are companies in the computer industry still exempt
from liability?

Although the government is taking an admirable path to better computer
security, it doesn't seem to notice the more obvious problem of an
unregulated and not-liable software industry. Why impose restrictions
on home users, government, and general business users while neglecting
the manufacturers of faulty software? Wouldn't it be equally effective
to consider regulating software manufacturers--or am I missing some
relevant points?

If you agree that we need to regulate software manufacturers, it's
time to contact your government representatives and urge them to
institute strong software regulation. (You can find contact
information for your representatives at the URL below.)
   http://clerk.house.gov/members/index.php

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: GET THE MOST ROI OUT OF YOUR PATCH SOFTWARE ~~~~
   Network security is an invaluable asset. What is the risk to your
company if a hacker exploits an unknown weakness? UpdateEXPERT is a
patch validation and remediation tool that scans networks for missing
hotfixes, and FIXES discovered weaknesses for increased protection.
Supporting Windows NT4/2000/XP, SQL Server, Exchange Server, IE,
Outlook and other critical applications, UpdateEXPERT features an
exclusive patch database that has been tested for deployment
interdependencies. Scan, validate, and install updates remotely
without a required client agent.
   FREE 15-day live trial and Whitepaper!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw0rf10AB

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* MULTIPLE VULNERABILITIES IN MICROSOFT VM
   Three new vulnerabilities exist in Microsoft Virtual Machine (VM),
the most serious of which can give an attacker complete control over
the vulnerable system. The first vulnerability exposes a flaw in the
way the Java Database Connectivity (JDBC) classes evaluate a request
to load and execute a DLL on the user's system. The second
vulnerability also involves the JDBC classes and exposes certain
functions in the classes that don't correctly validate the handles
provided as input. The third vulnerability involves a class that
provides XML support for Java applications. The vendor, Microsoft, has
released Security Bulletin MS02-052 (Flaw in Microsoft VM JDBC Classes
Could Allow Code Execution) to address these vulnerabilities and
recommends that affected users apply the appropriate patch mentioned
in the bulletin. For a detailed explanation of the risks and a link to
the patch, be sure to visit our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=26735

* MULTIPLE VULNERABILITIES IN MICROSOFT RDP
  Two vulnerabilities exist in Microsoft RDP. The first is an
information-disclosure vulnerability that forwards unencrypted
checksums of plaintext data under Windows XP and Windows 2000. An
attacker can use these checksums to conduct a cryptographic attack to
recover session traffic. The second vulnerability is a Denial of
Service (DoS) condition in XP's Remote Desktop service when this
service uses RDP. By sending specially malformed packets to the
service (which by default runs on TCP port 3389), an attacker can
crash the vulnerable system. The vendor, Microsoft, has released
Security Bulletin MS02-051 (Cryptographic Flaw in RDP Protocol can
Lead to Information Disclosure) to address these vulnerabilities and
recommends that affected users apply the appropriate patch mentioned
in the bulletin. For a detailed explanation of the risks and a link to
the patch, be sure to visit our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=26734

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!
   "The Insider's Guide to IT Certification" eBook is hot off the
presses and contains everything you need to know to help you save time
and money while preparing for certification exams from Microsoft,
Cisco Systems, and CompTIA and have a successful career in IT. Get
your copy of the Insider's Guide today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw038F0Ah

* MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE
TO YOU!
   Windows & .NET Magazine Network Road Show 2002 is coming this
October to New York, Chicago, Denver, and San Francisco! Industry
experts Mark Minasi and Paul Thurrott will show you how to shore up
your system's security and what desktop security features are planned
for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and
Trend Micro. Registration is free, but space is limited so sign up
now!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw03lK0Ae

4. ==== SECURITY ROUNDUP ====

* FEATURE: PRODUCT OF THE YEAR
   In a competition in which the winner was determined by write-in
vote only, our Windows & .NET Magazine readers chose BindView's
bv-Control for Windows as the product of the year. BindView's
bv-Control is a proactive security management solution. The company's
flagship product family effectively secures, automates, and lowers the
cost of managing Windows .NET Server (Win.NET Server) 2003, Enterprise
Edition servers and directories, Windows 2000, and Windows NT. To read
more about it, visit our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=26308

* FEATURE: BEST SECURITY PRODUCTS
   We've completed the poll in which readers cast votes for their
favorite security software! Categories of products include antivirus
software for clients, servers, wireless networks, and Microsoft
Exchange; digital encryption/signature signing software; firewalls;
intrusion detection software; password-auditing software; security
scanners; third-party authentication software; application security
software; and security information management software. To see the
results, visit our Web site.
  http://www.secadministrator.com/articles/index.cfm?articleid=26315

* NEWS: A LOOK AT WIN.NET SERVER SECURITY
   As part of a continuing look at the more intriguing new features in
Windows .NET Server (Win.NET Server) 2003, Paul Thurrott examines some
of the OS's security improvements. The timing for such improvements is
crucial: Microsoft has issued 48 security bulletins this year and is
on track to beat last year's record of 60 bulletins. Paul comments,
"What a wonderful accomplishment."
   http://www.secadministrator.com/articles/index.cfm?articleid=26721

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* SPI DYNAMICS
   ALERT! - Cross-Site Scripting Holes in Web Applications
   Cross-site scripting vulnerabilities in web applications allow
hackers to compromise confidential information, steal cookies and
create requests that can be mistaken for those of a valid user!!
Download this *FREE* white paper
   http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041k0AE

* FREE NETWORK SECURITY WEB SEMINARS
   Want to bullet-proof your networks against malicious code? Register
now for one or more web seminars and gain the experience from the
world's leading virus experts. Seating is limited, register today to
ensure your spot!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041l0AF

* FREE SECURITY ASSESSMENT TOOL
   Aelita InTrust(tm) closes the gap between policy and IT
infrastructure, simplifying your regulatory compliance efforts. HIPAA?
Gramm-Leach-Bliley? BS7799/ISO17799? Let Aelita provide your
compliance solution. Start with our FREE security assessment tool:
Aelita InTrust Audit Advisor!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041m0AG

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT MICROSOFT INTERNET EXPLORER (IE) FROM CACHING
SECURE SOCKETS LAYER (SSL) PAGES?
   (contributed by John Savill, http://www.windows2000faq.com)

A. By default, IE caches all pages, regardless of whether the pages
are secure (e.g., HTTP Secure--HTTPS--pages, which use SSL). If you
don't want IE to cache these secure pages, you can perform the
following steps for each user:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings registry subkey.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter a name of DisableCachingOfSSLPages, then press Enter.
   5. Double-click the new value, set it to 1 to disable caching of
SSL pages, then click OK.
   6. Close the registry editor.
   7. Log off and log on for the change to take effect.
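As an added example, not part of the FAQ or the newsletter: a PowerShell script that audits the DisableCachingOfSSLPages value for the current user and applies it, doing the same work as steps 2 through 5 above. It assumes Windows PowerShell with the HKCU: registry drive; the function names are mine.

```powershell
# Added example: audit and apply the per-user IE setting from the FAQ above.
# Assumes Windows PowerShell with the HKCU: registry provider. Because the
# value lives under HKEY_CURRENT_USER it affects only the logged-on user, so
# the script must run in each user's own session, just as the FAQ says.
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'DisableCachingOfSSLPages'

function Get-SslPageCachingState {
    # Returns 'Disabled' when the value is 1, 'Enabled' when it is 0 or absent
    # (IE's default is to cache), and 'Unexpected' for anything else.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled' }
    switch ($item.$ValueName) {
        1       { return 'Disabled' }
        0       { return 'Enabled' }
        default { return 'Unexpected' }
    }
}

function Disable-SslPageCaching {
    if (-not (Test-Path $KeyPath)) {
        # The key normally exists once IE has run; create it for a fresh profile.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value of any type, so a stray REG_SZ left by
    # an earlier manual edit is replaced with the REG_DWORD the setting expects.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-SslPageCachingState
Write-Host "Before: SSL page caching is $before"
if ($before -ne 'Disabled') {
    Disable-SslPageCaching
}
$after = Get-SslPageCachingState
Write-Host "After:  SSL page caching is $after"
if ($after -ne 'Disabled') {
    Write-Warning "Value not applied; check that the current user can write to $KeyPath"
} else {
    Write-Host 'Log off and log on again for the change to take effect.'
}
```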

7. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* SOFTWARE TO CATCH HACKERS
   FutureWare released HackerTracker, software that scans a Web
server's standard World Wide Web Consortium (W3C) Extended Format log
files to identify attacks. You can use the intruder's IP address to
block further access at the server, at a front-end router, or at a
firewall, as well as to contact the intermediate ISPs who handle
the intruder's traffic for their tracking and security efforts.
HackerTracker runs on Windows XP, Windows 2000, Windows NT, and
Windows 9x and costs $59 for a single-user registration. Contact
FutureWare at 714-446-0765.
   http://www.futurewaredc.com/hackertracker

* METADATA MANAGEMENT FOR LAW FIRMS
   SoftWise released Out-of-Sight 2.0, a metadata management utility
enhanced to let law firms reduce risks and avoid potential
embarrassments by managing the metadata in electronically distributed
documents. The utility lets users remove unwanted metadata from
Microsoft Excel XP, Excel 2000, and Excel 97 in addition to Word, and
it lets administrators manage and establish standards using a simple
GUI. Out-of-Sight integrates with Microsoft Outlook XP and
Outlook 2000. A 30-day evaluation copy of Out-of-Sight 2.0 is
available from the Web site, or call 718-876-9776 for a free
evaluation.
   http://www.softwise.net

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Threat from Within
   (Seven messages in this thread)

Dannyboy writes that a member of his staff has been sniffing around
the network by connecting to printers by their IP address, connecting
to other users' machines, and trying to schedule tasks. He wants to
know whether this can be prevented. He thinks that all permissions on
his servers are tight, so the user can't view sensitive information.
He wants to know how other administrators would treat this situation
and deal with the user. Also, is there any security software that can
monitor an employee's actions on a Windows 2000 Professional machine?
Read the responses or lend a hand at:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=45970

* HOWTO MAILING LIST

Featured Thread: Failed Trust
   (One message in this thread)

Dimitry writes that he has a Windows 2000-based domain server. When he
adds a Windows NT 4.0 Workstation to the domain, no one from the
domain can access that PC. When they try to do so, they receive the
message, "The trust between this workstation and the primary domain
failed." Read the responses or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?A2=IND0209C&L=HOWTO&P=305

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

