Information Security News mailing list archives

Security UPDATE, September 18, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 19 Sep 2002 04:44:53 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

September 18, 2002--In this issue:

1. IN FOCUS
     - Is Discovering Security Holes a Catch-22?

2. SECURITY RISKS
     - Certificate Validation Vulnerability in Multiple Microsoft
       Products

3. ANNOUNCEMENTS
     - Mark Minasi and Paul Thurrott Are Bringing Their Security
       Expertise to You!
     - Real-World Tips and Solutions Here for You

4. SECURITY ROUNDUP
     - News: Surprise: Microsoft's Java Implementation Is Full of
       Security Holes
     - News: Privacy Groups Not Done Complaining About Passport
     - News: Windows XP SP1 Already Cracked
     - News: Intel 3GHz Pentium 4 with Hyperthreading in 2002;
       Security in 2003
     - News: Intel and VeriSign Announced Processor-Based
       Authentication

5. INSTANT POLL
     - Results of Previous Poll: Warchalking
     - New Instant Poll: A Year of Security

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: Why Did My FTP Password Stop Working on My Windows 2000
       System After I Installed the Win2K Security Rollup Package 1 
       (SRP1)?

7. NEW AND IMPROVED
     - Protect Your PC from Trojan Horses
     - Security for Web Services and Web-Based Networks
     - Submit Top Product Ideas
 
8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Blocking by Port?

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* IS DISCOVERING SECURITY HOLES A CATCH-22?

In an email message last week, I received a URL to a Web site on which
I saw more than a dozen vulnerabilities in Microsoft products (19 as
of September 16). Patches are either not available or offer
insufficient protection. The most recent vulnerability was reported on
September 9, 2002, and the oldest was reported on June 6, 2000.
   http://www.pivx.com/larholm/unpatched

The vulnerabilities include serious problems, such as exposing local
files, sniffing Secure Sockets Layer (SSL) connections, installation
and execution of arbitrary programs, breaching firewalls, elevation of
privileges, and buffer overflows. Why aren't patches available for
these problems? The answer is probably manifold.

Given that users reported some of the vulnerabilities last week, we
can assume that Microsoft is working on patches to correct them. Other
vulnerabilities do have available patches--but not for all versions of
a product. For example, regarding two Microsoft Internet Explorer (IE)
problems (cssText Local File Reading and DynSrc Local File detection,
which relate to reading data from local files and determining whether
certain files exist, respectively), patches are available for IE 6.0,
but not for IE 5.x.

Microsoft released IE 6.0 some time ago and recently released Service
Pack 1 (SP1) for that version (see the first URL below). However, many
users still have IE 5.x. Recent reports that show IE's presence on
about 94 percent of all desktops also show that 48 percent of those
users still have IE 5.x versions of the browser (see the second URL
below). Why do we lack patches for serious vulnerabilities in IE 5.x?
We could infer that Microsoft wants users to "toe the line" and
upgrade to IE 6.0 SP1.
   http://www.microsoft.com/windows/ie/default.asp
   http://www.upsdell.com/browsernews/stat.htm

According to "InfoWorld," Microsoft Windows Division Senior Vice
President Brian Valentine recently made some rather startling
statements. At the Windows .NET Server (Win.NET Server) 2003 developer
conference, Valentine said, "I'm not proud. We really haven't done
everything we could to protect our customers ... Our products just
aren't engineered for security ... We realized that we couldn't
continue with the way we were building software and expect to deliver
secure products ... It's impossible to solve the problem completely,
as we solve these problems there are hackers who are going to come up
with new ones. There's no end to this."
   http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.xml

Why would Microsoft admit somewhat apologetically that the company
hasn't done all it could do for security? Given the constant barrage
of security problems still being discovered, won't the company make
significant security changes in its code base? Furthermore, won't
Microsoft slow the rush of new products to market faster than we can
adapt to the current products? Unfortunately, the answer is--probably
not, especially given some of the company's latest technology
announcements.

Microsoft recently announced its intention to create a hardware-based
platform for security, code-named Palladium. Palladium will offload
certain aspects of system security--aspects that have resided inside a
user-controlled OS--onto Intel-developed hardware designed to work
with Microsoft-sanctioned security technology.

Clearly, Palladium will, in some instances, relieve Microsoft of the
burden of writing more-secure software. At the same time, the new
security approach will put users in the uncomfortable position of
choosing whether they should upgrade every computer and OS to continue
"following" Microsoft by adopting Palladium. To help foster Palladium
adoption, Microsoft will probably release yet another
resource-intensive OS that couldn't possibly run well on users'
existing hardware. And if the company also continues to forgo
releasing security patches for previous software packages, that will
prod users even harder.
   http://www.secadministrator.com/articles/index.cfm?articleid=26675

I have deep concerns about hardware-based security as the direction of
the future. Bruce Schneier expressed the sentiments of many users
quite clearly in a recent "Crypto-Gram" newsletter (see the URL
below): "There's a lot of good stuff in [Palladium], and a lot I like
about it. There's also a lot I don't like, and am scared of. My fear
is that [Palladium] will lead us down a road where our computers are
no longer our computers, but are instead owned by a variety of
factions and companies all looking for a piece of our wallet. To the
extent that [Palladium] facilitates that reality, it's bad for
society. I don't mind companies selling, renting, or licensing things
to me, but the loss of the power, reach, and flexibility of the
computer is too great a price to pay."
   http://www.counterpane.com/crypto-gram-0208.html#1

Hacking Microsoft products is no longer about the white-hat angle of
coaxing Microsoft to write better code and alerting users to
vulnerabilities or the black-hat angle of attacking Microsoft. Right
now, the more diligently hackers work to find security bugs, the more
they support the eventual adoption of Microsoft Palladium, as well as
other vendorcentric hardware-based security subsystems that will
quickly make their way to market. (For more about Intel and VeriSign's
recently announced processor-based authentication, for example, see
the news story in this edition of the newsletter or use the URL
below.)
   http://www.secadministrator.com/articles/index.cfm?articleid=26671

If more severe security problems are discovered and reported--and we
can assume they will be--that's fuel for the vendorcentric hardware
security platforms of the near future. Conversely, if those security
problems go undiscovered or unreported, users remain unknowingly at
high risk. With the advent of Palladium, Microsoft benefits either
way. But do we? It's a veritable Catch-22.

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* CERTIFICATE VALIDATION VULNERABILITY IN MULTIPLE MICROSOFT PRODUCTS
   Microsoft discovered a vulnerability in its CryptoAPI that can let
an attacker use digital certificates to spoof his or her identity.
This vulnerability stems from a problem in the APIs that construct and
validate certificate chains--they don't check the basic constraints
field. The same type of vulnerability (but unrelated to CryptoAPI)
also occurs in several products for the Macintosh. Microsoft has
released Security Bulletin MS02-050 (Certificate Validation Flaw Could
Enable Identity Spoofing) to address this vulnerability and recommends
that affected users apply the appropriate patch mentioned in the
bulletin. For a detailed explanation of the risks and a link to the
patch, be sure to visit our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=26559
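
The missing check described above, shown as an added example that is not part of the newsletter or of Microsoft's code: a simplified model of chain validation in which HMAC stands in for real signatures and every certificate name and key is constructed. It goes slightly beyond the text by also enforcing pathLenConstraint, the other half of the basic constraints field.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool               # basicConstraints cA flag
    path_len: Optional[int]   # basicConstraints pathLenConstraint, None = no limit
    key: bytes                # stand-in for the key pair (HMAC replaces real signatures)
    sig: bytes = b""

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.is_ca}|{self.path_len}".encode()


def issue(cert: Cert, issuer_key: bytes) -> Cert:
    cert.sig = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return cert


def links_ok(chain: List[Cert], anchor: Cert) -> bool:
    """Name chaining and signatures only. chain is leaf first, trust anchor last."""
    if not chain or chain[-1] != anchor:
        return False
    for child, parent in zip(chain, chain[1:]):
        expected = hmac.new(parent.key, child.tbs(), hashlib.sha256).digest()
        if child.issuer != parent.subject or not hmac.compare_digest(child.sig, expected):
            return False
    return True


def validate_without_basic_constraints(chain, anchor):
    # The flawed behaviour: any certificate that chains up is accepted as an issuer.
    return links_ok(chain, anchor)


def validate_with_basic_constraints(chain, anchor):
    if not links_ok(chain, anchor):
        return False
    for below, issuer in enumerate(chain[1:]):   # below = CA certs between issuer and leaf
        if not issuer.is_ca:
            return False                          # end-entity cert used to sign another cert
        if issuer.path_len is not None and below > issuer.path_len:
            return False                          # more subordinate CAs than permitted
    return True


# Constructed sample chain (all names and keys are made up).
root = issue(Cert("Example Root CA", "Example Root CA", True, None, b"root-key"), b"root-key")
ca = issue(Cert("Example Issuing CA", "Example Root CA", True, 0, b"ca-key"), root.key)
site = issue(Cert("www.customer.example", "Example Issuing CA", False, None, b"site-key"), ca.key)
# A certificate for another name, signed with the end-entity certificate's key.
spoof = issue(Cert("www.bank.example", "www.customer.example", False, None, b"spoof-key"), site.key)

GOOD_CHAIN = [site, ca, root]
SPOOF_CHAIN = [spoof, site, ca, root]
```

Both validators accept GOOD_CHAIN; only the one that reads the basic constraints field rejects SPOOF_CHAIN, because the certificate acting as issuer is not marked as a CA.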

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE
TO YOU!
   Windows & .NET Magazine Network Road Show 2002 is coming this
October to New York, Chicago, Denver, and San Francisco!  Industry
experts Mark Minasi and Paul Thurrott will show you how to shore up
your system's security and what desktop security features are planned
for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and
Trend Micro. Registration is free, but space is limited so sign up
now!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNZH0CJgSH0CBw03lK0AC

* REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU
   Early-bird discount for Windows & .NET Magazine LIVE! expires
September 21st! Register now, and you'll also receive access to
sessions of concurrently run XML Web Services Connections. Choose from
more than 70 sessions and save $1595. Discover why more than half of
our attendees choose to attend only LIVE! events, which are chock-full
of "been there, done that" knowledge from people who use Microsoft
products in the real world. Register now at
   http://list.winnetmag.com/cgi-bin3/flo?y=eNZH0CJgSH0CBw03lH0A8

4. ==== SECURITY ROUNDUP ====

* NEWS: SURPRISE: MICROSOFT'S JAVA IMPLEMENTATION IS FULL OF SECURITY
HOLES
   Jouko Pynnonen of Online Solutions in Finland discovered a series
of severe security vulnerabilities in Microsoft's Java implementation.
Some of the vulnerabilities let attackers run arbitrary code through
Microsoft Internet Explorer (IE) and Microsoft Outlook Express.
According to a message posted to the NTBugTraq mailing list on
September 9, Pynnonen discovered and reported to Microsoft as many as
10 such vulnerabilities during July and August.
   http://www.secadministrator.com/articles/index.cfm?articleid=26623

* NEWS: PRIVACY GROUPS NOT DONE COMPLAINING ABOUT PASSPORT
   Two of the privacy groups that exhorted the Federal Trade
Commission (FTC) to investigate Microsoft for privacy and security
violations in Microsoft .NET Passport are now asking the FTC to
reconsider its early August settlement with the software giant. Citing
concerns that the agreement doesn't do enough to protect consumers,
the Electronic Privacy Information Center (EPIC) and Computer &
Communications Industry Association (CCIA) have separately lobbied the
FTC to come down harder on Microsoft.
   http://www.secadministrator.com/articles/index.cfm?articleid=26617

* NEWS: WINDOWS XP SP1 ALREADY CRACKED
   As Paul Thurrott noted in a Short Take item in the September 13,
2002, edition of WinInfo Daily UPDATE, by the time Microsoft released
Windows XP Service Pack 1 (SP1), intruders had already issued a patch
that lets users with illegally obtained copies of the OS upgrade to
SP1, an ability the service pack was supposed to prevent. Microsoft
says, however, that it intended the feature to prevent casual copying
only, and that the company knew all along that it couldn't prevent the
hacker community from finding a way to upgrade. Users can circumvent
the no-upgrade policy by using a Product Key changer program that lets
users change XP's Windows Product Activation (WPA) key to a new key
that isn't on Microsoft's no-upgrade list.
   http://www.wininformant.com/articles/index.cfm?articleid=26625

* NEWS: INTEL: 3GHZ PENTIUM 4 WITH HYPERTHREADING IN 2002; SECURITY IN
2003
   Intel announced a slew of new products at the annual Intel
Developer Forum in San Jose, California, touching off a year of
massive upgrades that the company says will further distance it from
the competition. Intel plans upgrades and new products in virtually
every product category it covers, including processors for every type
of hardware from PDAs to the most massively scalable server products
in the world.
   http://www.secadministrator.com/articles/index.cfm?articleid=26616

* NEWS: INTEL AND VERISIGN ANNOUNCED PROCESSOR-BASED AUTHENTICATION
   In what might become a significant blow to competitors, Intel and
VeriSign announced that Intel's upcoming line of mobile processors
(code-named Banias) will support VeriSign's digital certificate and
Personal Trust Agent (PTA) technology. VeriSign said that by
integrating the two technologies, a PC is thereby transformed into a
"digital credential that can then be used to perform many e-business
functions in the corporate IT environment, such as single sign-on,
more secure remote access, and trusted peer-to-peer computing."
   http://www.secadministrator.com/articles/index.cfm?articleid=26671

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: WARCHALKING
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Has your wireless network been warchalked?" Here are the results (+/-
2 percent) from the 136 votes:
   -  10% Yes
   -  51% No
   -  38% I'm not sure

* NEW INSTANT POLL: A YEAR OF SECURITY
   The next Instant Poll question is, "Do you think that your
organization's network is more secure or less secure than it was a
year ago?" Go to the Security Administrator Channel home page and
submit your vote for a) More secure, b) Less secure, or c) Not sure.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: WHY DID MY FTP PASSWORD STOP WORKING ON MY WINDOWS 2000 SYSTEM
AFTER I INSTALLED THE WIN2K SECURITY ROLLUP PACKAGE 1 (SRP1)?
   (contributed by John Savill, http://www.windows2000faq.com)

A. After you install the Win2K SRP1, Win2K considers leading
white-space characters (i.e., spaces) in the FTP password to be valid
characters and no longer removes them. As a result, if a stored
password contains spaces, you must include the spaces when you enter
the password. Likewise, if the password doesn't contain spaces, you
must ensure that the password you type has no leading spaces.

7. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* PROTECT YOUR PC FROM TROJAN HORSES
   Anti-Trojan Network released Anti-Trojan 5.5, software to protect
your PC from the threat of Trojan horses. Anti-Trojan 5.5 lets users
protect their computers by scanning all ports on their PCs, checking
for the presence of Trojan horses in the registry, and scanning the
contents of the system's hard drives. The software runs on Windows XP,
Windows 2000, Windows NT, Windows Me, and Windows 9x and costs $22 per
single license. Contact Anti-Trojan Network at the Web site.
   http://www.anti-trojan.net

* SECURITY FOR WEB SERVICES AND WEB-BASED NETWORKS
   Array Networks announced Array SP (Security Proxy), a platform to
help enterprises defend and police Web services and applications with
trusted encryption, authentication, authorization, and accounting.
Array SP's rich set of features, intuitive GUI, and Plug and Play
(PnP) installation ensure painless Web security. Contact Array
Networks at 408-874-2420.
   http://www.arraynetworks.net

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Blocking by Port?
   (Three messages in this thread)

A user writes that he has a Windows NT Server 4.0 Service Pack 6a
(SP6a) environment with Microsoft Proxy Server 2.0. Users on the
network access the Internet through the proxy server. He would like to
block access that originates on the network to any sites that don't
use port 80 for HTTP. How can he configure Proxy Server to do this?
Can he block this sort of access using his Cisco Systems 1605 router?
Read the responses or lend a hand:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=46005

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

