Information Security News mailing list archives

Security UPDATE, April 9, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 10 Apr 2003 02:24:05 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows Server 2003, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

HFNetChkLT-FREE Patch Mgmt on 50 CPUs. No Timeouts!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw076e0AD

Experience the Benefits of Real Time Monitoring
   http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw07mN0Aj
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: HFNetChkLT-FREE PATCH MGMT ON 50 CPUs. NO TIMEOUTS! ~~~~
   Introducing NEW Shavlik HFNetChkLT -- the FREE version of the new
HFNetChkPro 4.0, an automated scanning and remediation solution from
Shavlik, the developers of HFNetChk and MBSA for Microsoft. It
includes loads of new features that save time for busy security
professionals while offering greater enterprise security. HFNetChkPro
4.0 automates patch remediation for Microsoft Office, Windows Server
2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Its
intuitive Drag-n-Drop Patch Management interface allows you to
precisely control which groups will be scanned, by what criteria and
when and how patches are deployed. Visit www.shavlik.com for details!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw076e0AD
~~~~~~~~~~~~~~~~~~~~

April 9, 2003--In this issue:

1. IN FOCUS
     - Test Your Forensic-Analysis Skills

2. SECURITY RISKS
     - DoS in Opera 7 and Netscape 7.02 Browsers
     - Man-in-the-Middle Attack on Microsoft Terminal Services

3. ANNOUNCEMENTS
     - Join the HP & Microsoft Network Storage Solutions Road Show!
     - Windows & .NET Magazine Connections: Learn from the Writers You
       Know and Trust

4. SECURITY ROUNDUP
     - News: Report: Most Users Do Not Trust Microsoft
     - News: Microsoft Releases WPA for XP to Strengthen Wireless
       Security

5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Enable or Disable the User's Ability to Change
       File Associations?

6. NEW AND IMPROVED
     - Lock Down Systems with USB Key
     - Secure Access Through Web Browser
     - Submit Top Product Ideas

7. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Export Certificates to VPN Appliances

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* TEST YOUR FORENSIC-ANALYSIS SKILLS

I've discussed the Honeynet Project in previous Security UPDATE
commentaries. Last week, the project posted another "Scan of the
Month," which makes information gathered from an attacked honeypot
available to the public.

The Honeynet Project posts the scans to let people use their
forensic-analysis skills to analyze the log files the honeypot
gathered. The Azusa Pacific University (APU) Honeynet Project provided
this month's scan challenge. APU deployed a honeypot on an unpatched
Windows 2000 system that had a blank administrator password. Attackers
and worms compromised the system numerous times, and the honeypot
became part of a large "botnet."
   http://www.honeynet.org/scans/scan27

The Honeynet Project tailored the current challenge to beginner and
intermediate skill levels. After analyzing the logs, you can answer
several questions and submit your answers for review. You can use
several tools to help you arrive at answers. The tools the Honeynet
Project recommends include Snort (an Intrusion Detection System--IDS)
and Ethereal, both of which capture and analyze packets. You'll find
links to those tools on the Scan of the Month page, and you can read
more about the rules of the challenge at the URL below.
   http://www.honeynet.org/scans

Taking part in such challenges can help hone your forensic-analysis
skills. If you're already proficient, further practice can help you
keep abreast of current trends--the sorts of activities currently
compromising systems. Because this month's challenge addresses a
compromised Win2K system, many of you might want to consider meeting
the challenge. Submissions to the challenge are due no later than
April 25.

Patching the Patch System
   In last week's Security UPDATE, I discussed a mishap in the
disclosure of a vulnerability in Sendmail. A researcher posted various
details of the vulnerability to the BugTraq mailing list, and
Sendmail.org released a patched version of its application before its
planned release date. I speculated and raised questions about what
might have happened, and--as it turns out--I was wrong. I was missing
a key fact about the situation. Reader Claus Assmann wrote to inform
me about some of the missing details. At his suggestion, I also
contacted Eric Allman at Sendmail.org to obtain a clearer perspective
about what had transpired.

Allman took the time to offer what he knows about events--how and when
they occurred. The following paragraphs present what he told me in
detail.

"What we know is this: Late in the day on Tuesday, 18 March, Michal
Zalewski reported a possible vulnerability to us. He included a sample
case that demonstrated that there was a buffer overflow of some sort,
but he had not created a 'proof of concept' exploit, nor did he
speculate on the nature of the bug.

"We verified the bug that night and shortly thereafter had a first
pass at a fix, which had not yet undergone code review. Code review
was completed later that week.

"We then wanted to send the information to vendors so they could have
a patch available. However, this was delayed due to the problems CERT
was having with someone going by [the name] Hack4Life who seemed to
have pretty direct access to security information going to vendors. It
wasn't (and to the best of my knowledge, still isn't) clear where the
leak actually was, but we had to consider at least the possibility
that it was inside one of the vendors themselves. For this reason, we
delayed release of the information to vendors in the hope that CERT
could find and fix the problem. Our plan had been to go to vendors on
Monday, 31 March ... whether or not they had succeeded.

"However, some time on the night of Friday, 28 March, someone by the
name of 'nag' posted a message to vulndiscuss [a mailing list] and
full-disclosure asking about a 'rumor spreading about new Sendmail
vulnerability.' That message included a patch to the problem we had
been working on. However, the patch that was given was quite different
from the one we had come up with, so we don't believe that the patch
was a leak from ourselves. At this point we have no idea where it did
come from--it could even have been independently found by someone who
never reported it to us.

"We decided to delay for a few hours so we could get some sleep, and
we released on Saturday, 29 March. We knew that this was almost the
worst possible time to release, but we felt that with the patch being
distributed, it was only a matter of time before an exploit was
created, and we had no idea if that would be hours, days, or even
longer. As it turns out, I haven't seen an exploit in the wild today,
almost a week later. Another security group [Internet Security
Systems--ISS] has produced a proof-of-concept exploit, which we have
not seen, but they did tell us that it was substantially harder to
create than it would at first appear. Had we realized that an exploit
was unlikely to have been released over the weekend, we might have
delayed release until Monday, but we didn't know that at the time, and
we felt that going out Saturday was as prudent as we could be. And
that's what we know ..."

So there you have it, another case of an unknown source somehow
gaining access to private communications and leaking details to the
public prematurely. Two weeks ago, I discussed this problem as it
pertains to CERT in my Security UPDATE commentary, "Security Research:
A Double-Edged Sword" (see the URL below). I think most people aren't
sure why someone is intercepting communications and leaking details
about security vulnerabilities. But we can easily see that it places a
lot of networks at risk unnecessarily. Sooner or later, if we can't
plug the information leaks, one of them could have serious
repercussions. The situation is both ironic and challenging: The
process of finding security vulnerabilities and patching them before
they're exploited has itself become compromised--and must now be
patched.
   http://www.secadministrator.com/articles/index.cfm?articleid=38448

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: EXPERIENCE THE BENEFITS OF REAL TIME MONITORING ~~~~
   A proactive Security Administrator installed TNT Software's ELM
Enterprise Manager 3.1 on his servers to assess the benefits of real
time monitoring. Within days, EEM paged him when access to a
confidential file was denied, sent him an instant message when the QoS
of his Exchange Server began to drop, and automatically restarted a
failed service. EEM was promptly purchased. Download your FREE
evaluation copy today and experience how real time monitoring will
benefit YOU.
   http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw07mN0Aj
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* DoS IN OPERA 7 AND NETSCAPE 7.02 BROWSERS
   Marc Schonefeld discovered a vulnerability in Opera 7 and Netscape
7.02 Web browsers that can result in a Denial of Service (DoS)
condition. The vulnerability stems from problems with JavaScript.
Opera and Netscape haven't yet responded publicly to the problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=38590

* MAN-IN-THE-MIDDLE ATTACK ON MICROSOFT TERMINAL SERVICES
   Erik Forsberg discovered that the RDP implementation in Microsoft
Terminal Services doesn't verify the server's identity when it sets up
the encryption keys for the RDP session. This vulnerability exposes
sessions to a potential man-in-the-middle (MITM) attack. Although
Forsberg notified the company about this vulnerability on March 13,
2003, Microsoft hasn't yet responded publicly.
   http://www.secadministrator.com/articles/index.cfm?articleid=38589

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* JOIN THE HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW!
   Now is the time to start thinking of storage as a strategic weapon
in your IT arsenal. Come to our 10-city Network Storage Solutions Road
Show, and learn how existing and future storage solutions can save
your company money--and make your job easier! There is no fee for this
event, but space is limited. Register today!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw07cD0AP

* WINDOWS & .NET MAGAZINE CONNECTIONS: LEARN FROM THE WRITERS YOU KNOW
AND TRUST
   Our event includes in-depth coverage by the world's top gurus on
Windows security. Eye-opening sessions include Keeping Up with Service
Packs and Security Patches, Implementing Security with Group Policy,
Defending Your Networks by Planning Your Own "Hack Attack," Using
Event Logs to Identify Intruder Activity, Securing Wireless LANs,
Managing AD Security with ADSI and WSH, Making IIS a Secure Web
Server, and more. Register today!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw0KXQ0Al

4. ==== SECURITY ROUNDUP ====

* NEWS: REPORT: MOST USERS DO NOT TRUST MICROSOFT
   A recent Forrester Research survey brings an ugly truth to the
forefront: The majority of IT administrators currently working with
Microsoft products don't trust the company or believe it can produce
secure software. According to the survey, 77 percent of respondents
don't trust Microsoft but 90 percent still deploy Microsoft software
in mission-critical applications.
   http://www.secadministrator.com/articles/index.cfm?articleid=38543

* NEWS: MICROSOFT RELEASES WPA FOR XP TO STRENGTHEN WIRELESS SECURITY
   Microsoft announced the release of an update for Windows XP that
introduces the Wi-Fi Protected Access (WPA) for stronger security over
wireless LAN (WLAN) connections.
   http://www.secadministrator.com/articles/index.cfm?articleid=38556

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: How Can I Enable or Disable the User's Ability to Change File
Associations?
   (contributed by John Savill, http://www.windows2000faq.com)

A. You can configure the user's computer to enable or disable the
ability to change file associations by performing the following steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
registry subkey to configure the computer for all users or navigate to
the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
registry subkey to configure the computer for the current user. If
neither subkey exists, open the Edit menu and select New, Key to
create it.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter the name NoFileAssociate.
   5. Set the value to 1 to disable the user's ability to change file
associations (this setting doesn't affect Power Users and
Administrators); a value of 0 or a missing value lets the user change
file associations.
   6. Click OK.
   7. Close the registry editor.
   8. Restart the computer for the changes to take effect.
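The same steps can be scripted for auditing and rollout. The following is an added example, not part of John Savill's FAQ; it assumes the PowerShell Registry provider and uses the subkey paths exactly as step 2 gives them.

```powershell
# Added example (not from the FAQ): audit and set the NoFileAssociate value
# described in steps 1-8 above. Subkey paths are the ones given in step 2.
$Targets = @{
    Machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    User    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
}

function Get-NoFileAssociate {
    # Report the value in both scopes. A missing key or value counts as
    # "not set", which step 5 says behaves like 0 (users may change
    # associations). Power Users and Administrators are exempt regardless.
    foreach ($scope in $Targets.Keys) {
        $path  = $Targets[$scope]
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name NoFileAssociate `
                -ErrorAction SilentlyContinue).NoFileAssociate
        }
        [pscustomobject]@{
            Scope      = $scope
            Path       = $path
            Value      = $value
            Restricted = ($value -eq 1)   # only 1 disables the change
        }
    }
}

function Set-NoFileAssociate {
    param(
        [ValidateSet('Machine', 'User')] [string] $Scope,
        [ValidateSet(0, 1)] [int] $Value
    )
    $path = $Targets[$Scope]
    # Step 2: create the subkey if it does not exist yet.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Steps 3-5: create (or overwrite) the DWORD value.
    New-ItemProperty -Path $path -Name NoFileAssociate -PropertyType DWord `
        -Value $Value -Force | Out-Null
    Write-Host "NoFileAssociate=$Value under $path; restart required (step 8)."
}

# Usage: audit first, then lock down for all users (HKLM needs admin rights).
Get-NoFileAssociate | Format-Table -AutoSize
# Set-NoFileAssociate -Scope Machine -Value 1
```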

6. ==== NEW AND IMPROVED ====
   (contributed by Sue Cooper, products () winnetmag com)

* LOCK DOWN SYSTEMS WITH USB KEY
   imagine LAN announced LockDown Key, software that turns any
standard USB flash drive into a security key, protecting the system
from illegal access and theft. You first establish an administrator
logon ID and password on the target system, then prepare the key with
the LockDown Key security preparation utility, which enables security
parameters and generates the key. All other users and administrators
are then locked out of the system. Creating new keys automatically
invalidates old keys. LockDown Key supports Windows XP/2000, and it's
expected to cost about $29 per device license when it ships this
quarter. Contact imagine LAN at 800-372-9776 or 603-889-3883.
   http://www.imaginelan.com

* SECURE ACCESS THROUGH WEB BROWSER
   Whale Communications released the e-Gap Remote Access Appliance
Advanced Edition (AE), an integrated hardware/software appliance to
protect corporate data that users access from Web browsers at
untrusted locations such as airport kiosks and Internet cafes. The
appliance uses Secure Sockets Layer (SSL) VPN technology, which
doesn't require the client software that an IP Security (IPSec) VPN
requires. Features include an attachment wiper to remove all
information recorded by a browser during a session; nonintrusive user
timeouts; a secure logoff to ensure that credentials aren't cached at
the client machine; and forced periodic reauthentication to ensure
that users reauthenticate regularly. Pricing for the e-Gap Remote
Access Appliance AE starts at $23,000. Contact Whale Communications at
877-659-4253 or 201-947-9177.
   http://www.whalecommunications.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

7. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Export Certificates to VPN Appliances
   (Three messages in this thread)

A user wants to know whether anyone has used Microsoft Certificate
Server to generate certificates for third-party VPN appliances. The
user says he keeps stumbling over the problem that the private keys
can't be exported, so he can't generate Public-Key Cryptography
Standard #12 (PKCS#12) containers. Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=56943

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************
   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.