Information Security News mailing list archives

Security UPDATE, April 30, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 1 May 2003 02:58:51 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows Server 2003, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

HFNetChkLT-FREE Patch Mgmt on 50 CPUs. No Timeouts!
   http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw076e0Ab

HP & Microsoft Network Storage Solutions Road Show
   http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw07cD0An
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: HFNetChkLT-FREE PATCH MGMT ON 50 CPUS. NO TIMEOUTS! ~~~~
   Introducing NEW Shavlik HFNetChkLT -- the FREE version of the new
HFNetChkPro 4.0, an automated scanning and remediation solution from
Shavlik, the developers of HFNetChk and MBSA for Microsoft. It
includes loads of new features that save time for busy security
professionals while offering greater enterprise security. HFNetChkPro
4.0 automates patch remediation for Microsoft Office, Windows Server
2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Its
intuitive Drag-n-Drop Patch Management interface allows you to
precisely control which groups will be scanned, by what criteria and
when and how patches are deployed. Visit www.shavlik.com to download
it!
   http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw076e0Ab
~~~~~~~~~~~~~~~~~~~~

April 30, 2003--In this issue:

1. IN FOCUS
     - The Legal Liability of Information Security

2. SECURITY RISKS
     - Multiple Vulnerabilities in Microsoft IE
     - MHTML Arbitrary Code Execution in Microsoft Outlook Express
     - Buffer Overflow in Cisco ACS for Windows

3. ANNOUNCEMENTS
     - Get Armed with the Same Security Protection Used by the
       Department of Defense!
     - Microsoft TechEd 2003, June 1-6, Dallas, TX

4. SECURITY ROUNDUP
     - News: NetVision Helps Patrol NetWare Servers
     - News: Microsoft Releases Windows Server 2003 Resource Kit Tools
     - News: Microsoft Partners with Storage Industry for Enhanced
       Storage Security
     - Feature: Protect Your Network from Intrusion

5. INSTANT POLL
     - Results of Previous Poll: Windows Server 2003
     - New Instant Poll: Cyber-Insurance

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Audit Users Who Start and Stop Services?

7. NEW AND IMPROVED
     - Protect Back-End Storage
     - Secure Enterprise Applications
     - Submit Top Product Ideas

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: How Do I Establish a Cisco VPN Tunneling
           Solution?
     - HowTo Mailing List
         - Featured Thread: Are MAILTO and POST Safe for Transactions?

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* THE LEGAL LIABILITY OF INFORMATION SECURITY

In last week's Security UPDATE commentary, I discussed the changing
legal landscape regarding security. I have a bit more to say about the
subject. The SysAdmin, Audit, Network, Security (SANS) Institute
recently offered the Webcast "Legal Liability For Information
Security: Ask the Experts." If you didn't tune in, you missed some
interesting perspectives. (For a rebroadcast of the SANS Webcast,
visit the URL below. Register and follow the instructions to access
the show in the archives.)
   http://www.sans.org/webcasts/042303.php

In one segment of the Webcast, attorney Marc Zwillinger offered his
opinions about how torts will soon affect companies based on their
information security practices (or the lack thereof). Without getting
into complicated legal interpretations, a tort is a civil wrong,
committed either willfully or through negligence, that causes damage
or injury to another party.

In the past, to get into trouble in the arena of information security,
you typically had to either break the law or break or violate a
contract. Legal experts now think we'll start to see litigants suing
entities for torts civilly--and perhaps even prosecuting them
criminally, depending on the circumstances.

For example, if your company is aware that it runs an open mail relay,
and a spammer uses your mail system to send email in a way that causes
harm or damage to another entity, your company has effectively
committed a tort and might be found liable in a court of law. In
another example, if you don't properly secure private user or customer
information and that information becomes compromised, you might be
held liable for civil damages.

In the United States, almost anyone can sue someone else for almost
any reason. So staying out of court might become increasingly
difficult in some security-related instances. The legal experts note
several ways you can help prevent litigation regarding your
information security.

One of the key factors in determining liability is whether you've
taken reasonable steps toward keeping your systems and information
secure. Another factor is how you respond to security incidents. These
factors will probably determine whether and how you're found liable in
the event that someone brings a legal action against you or your
company. How you handle those matters--which steps you've taken to
keep information secure and how you respond to security
incidents--might also affect whether you qualify for cyber-insurance.

When asked which were the most important security-related steps to
take, members of the legal panel recommended that you explicitly
assign responsibilities for security matters, put those assignments in
writing, and have the responsible parties sign them physically,
digitally, or both. You should take appropriate action before
something becomes a problem for your business. You must be aware of
the different layers of law under which you operate (local, county,
state, federal, international) and respond to requirements
accordingly. Find a capable lawyer to help ensure you aren't caught
off guard. Finally, be sure you assign access rights and
responsibilities carefully, after assessing people's skill levels and
their need for access relative to their specific tasks and your
business needs. Doing so can help avoid liabilities stemming from
negligence.

Do the insurance and the legal industries seem poised to start
steering the information security industry more directly toward what
it must do and how to do it? Will a day come when people won't be able
to connect to the Internet without a proper license and
cyber-insurance of some sort? I hope such potential changes won't
occur--at least until after the day that computer software and
hardware vendors become legally liable for defective products. I think
many people agree that, like automobiles, software and hardware should
have both better "precautionary devices" and more knowledgeable
"drivers."

In any case, it's clear that your company's security practices must be
stated, assigned, and carried out to keep your company out of court in
case of a mishap. You should know which security elements will come
into play when courts make decisions about liability and take steps to
address those elements--not only to avoid litigation but also to
protect your company, its customers, and you.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW ~~~~
    TIME IS RUNNING OUT TO CATCH OUR STORAGE ROAD SHOW!
    Attend the HP & Microsoft Network Storage Solutions Road Show, and
learn how existing and future storage solutions can save your company
money--and make your job easier! Attendees have lots of chances to win
incredible prizes. There is absolutely no fee for this event, but
space is limited. We've just added Minneapolis to our list of cities,
so register now!
   http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw07cD0An
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* MULTIPLE VULNERABILITIES IN MICROSOFT IE
   Mark Litchfield of Next Generation Security Software (NGSSoftware),
Andreas Sandblad, and Jouko Pynnonen of Oy Online Solutions discovered
that Microsoft Internet Explorer (IE) 6.0, IE 5.5, and IE 5.01 contain
four vulnerabilities, the most serious of which can result in the
execution of arbitrary code on the vulnerable system. Microsoft has
released Security Bulletin MS03-015 (Cumulative Patch for Internet
Explorer) to address these vulnerabilities and recommends that
affected users immediately apply the appropriate patch mentioned in
the bulletin. For more details about these problems as well as links
to the bulletin visit our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=38781

* MHTML ARBITRARY CODE EXECUTION IN MICROSOFT OUTLOOK EXPRESS
   Microsoft reported a vulnerability in Microsoft Outlook Express 6.0
and Outlook Express 5.5 that can result in the execution of arbitrary
code on the vulnerable system. The problem is a flaw in the MIME
Encapsulation of Aggregate HTML (MHTML) URL handler. To exploit it, an
attacker constructs a malicious URL and either hosts it on a Web site
or sends it by email; when a user follows the link, the attacker can
read or launch files already present on the local machine. Because
the MHTML handler is installed with Outlook Express and used by
Internet Explorer, a system is exposed even if nobody on it uses
Outlook Express as a mail client. Microsoft has released Security
Bulletin MS03-014 (Cumulative Patch for Outlook Express) to address
this vulnerability and recommends that affected users immediately
apply the patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=38780

* BUFFER OVERFLOW IN CISCO ACS FOR WINDOWS
   Cisco Secure ACS for Windows contains a buffer-overflow condition
that can permit a Denial of Service (DoS) attack or a full compromise
of the ACS host. The problem lies in the software's handling of logon
sequences to its Web-based administration interface. Cisco Systems
recommends that customers either upgrade to repaired versions of Cisco
Secure ACS or deploy Cisco Secure ACS so that access to the management
interface is denied or restricted: block or filter TCP port 2002 (the
CSAdmin listener) so that only trusted administration hosts can reach
it. Cisco has released a bulletin and free upgrades, which you can
download from the company's Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=38778

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* GET ARMED WITH THE SAME SECURITY PROTECTION USED BY THE DEPARTMENT
OF DEFENSE!
   Computer security is a top priority for organizations and
individuals because you don't want to leave confidential data open to
intrusion. Now, individuals can get the same protection offered for
corporate and government networks. For $69.95 Harris STAT Scanner Home
Edition enables you to accurately identify and eliminate security
deficiencies.
   http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw082R0AF

* MICROSOFT TECHED 2003, JUNE 1-6, DALLAS, TX
   Realize your potential at TechEd 2003, Microsoft's premier
technical conference. Join network administrators, developers,
architects, and messaging/security specialists for sessions on Windows
Server 2003, Visual Studio .NET 2003, and all .NET developer
languages. 350+ technical sessions, hands-on labs, free betas, demos.
Don't miss this opportunity; make sure to register today!
   http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw08vb0Ad

4. ==== SECURITY ROUNDUP ====

* NEWS: NETVISION HELPS PATROL NETWARE SERVERS
   NetVision announced a new product that fills a need for Fortune 500
and Fortune 1000 companies: eDirectory Policy Manager Knowledge Module
for PATROL. The module is an intrusion prevention and remediation
solution that integrates BMC Software's PATROL management platform and
Novell NetWare servers. NetVision will comarket the new knowledge
module with BMC Software.
   http://www.secadministrator.com/articles/index.cfm?articleid=38763

* NEWS: MICROSOFT RELEASES WINDOWS SERVER 2003 RESOURCE KIT TOOLS
   Microsoft released its free set of resource kit tools for Windows
Server 2003. The "Microsoft Windows Server 2003 Resource Kit" includes
utilities that administrators, developers, and power users can use to
manage Active Directory (AD), group policy, TCP/IP networks, the
registry, security, scalability, and many other aspects of the Windows
2003 OS. The resource kit tools run on Windows XP and any member of
the Windows 2003 family of products.
   http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=38747

* NEWS: MICROSOFT PARTNERS WITH STORAGE INDUSTRY FOR ENHANCED STORAGE
SECURITY
   Microsoft has announced plans to help enhance Storage Area Network
(SAN) security. The company is working with the storage industry to
promote the adoption of the Internet Engineering Task Force (IETF)
standard Remote Authentication Dial-In User Service (RADIUS) protocol,
which is part of its Windows Server 2003 and Windows 2000 OS platforms
and integrates with Active Directory (AD). Microsoft's industry
partners for RADIUS include SAN fabric vendors such as Brocade
Communications Systems, McDATA, and QLogic.
   http://www.secadministrator.com/articles/index.cfm?articleid=38753

* FEATURE: PROTECT YOUR NETWORK FROM INTRUSION
   When you think about intrusion detection, consider a modern
paraphrase of an old question: "If an attack occurs on your network
and no one knows about it, did the attack really occur?" Detecting
attacks on your network is crucial, but doing so is also difficult.
That's where intrusion detection comes in. Intrusion detection is
important, especially in a multilayered defense-in-depth strategy. To
learn more about intrusion detection, read Jason Harper's article on
our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=24650

5. ==== INSTANT POLL ====
 
* RESULTS OF PREVIOUS POLL: WINDOWS SERVER 2003
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Will your company upgrade to Windows Server 2003 for better
security?" Here are the results from the 203 votes.
   - 31% Yes--within 1 year
   - 10% Yes--within 2 years
   -  8% Yes--within 3 years
   - 21% Not sure
   - 30% No
 
* NEW INSTANT POLL: CYBER-INSURANCE
   The next Instant Poll question is, "Does your company have
cyber-insurance?" Go to the Security Administrator Channel home page
and submit your vote for a) Yes--We have it, b) No--But we plan to
obtain it, c) No--We won't get it until it's required by law, or d)
No.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I AUDIT USERS WHO START AND STOP SERVICES?
   (contributed by Randy Franklin Smith, rsmith () montereytechgroup com)

A: Like files and folders, services are access-controlled objects, and
every access-controlled object has a security descriptor. Part of a
service's security descriptor is the system ACL (SACL), which you can
use to track access to that object. The Services snap-in doesn't
expose a service's SACL; you view or change it through security
templates.
   To reach the security templates, log on to the server and open the
Microsoft Management Console (MMC) Security Templates snap-in. To
create a new template, right-click the security templates path. Select
New Template, click System Services, then double-click the appropriate
service (e.g., Telnet). Select the "Define this policy setting in the
template" check box, then click Edit Security to open the Security for
Telnet dialog box. This dialog box contains the service's ACL, which
you can use to fine-tune who has start and stop authority. To read the
complete answer to this question and view screen shots of the dialog
boxes, be sure to visit the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=24669
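The same change from the command line, as an added example that is not part of the original FAQ: on Windows XP and Windows Server 2003 the built-in sc.exe reads and writes a service's security descriptor as an SDDL string, SACL included, so you can add a start/stop audit ACE without building a template. The service short name TlntSvr (the Telnet service) and the audited trustee Everyone are assumptions for the illustration; substitute your own.

```powershell
# Added example: audit who starts and stops a service by appending an audit
# ACE to its SACL with sc.exe. Run from an administrative prompt; writing a
# SACL requires the SeSecurityPrivilege ("Manage auditing and security log").
# Note: in PowerShell the bare name "sc" is an alias for Set-Content, so the
# tool must be called as sc.exe.

# Assumption: the Telnet service is installed under its short name TlntSvr.
$svc = 'TlntSvr'

# 1. Read the current security descriptor. sc.exe sdshow prints a blank line
#    followed by the SDDL string, which always begins with "D:" (the DACL).
$sd = sc.exe sdshow $svc | Where-Object { $_ -match '^D:' }
if (-not $sd) { throw "Could not read the security descriptor of $svc" }

# 2. Build one audit ACE:
#      AU    audit ACE type
#      SAFA  log both successful (SA) and failed (FA) use of the rights below
#      RP    SERVICE_START      (0x10)
#      WP    SERVICE_STOP       (0x20)
#      DT    SERVICE_PAUSE_CONTINUE (0x40)
#      WD    Everyone, the trustee whose accesses are audited (assumption)
$ace = '(AU;SAFA;RPWPDT;;;WD)'

# 3. Append the ACE to the existing SACL rather than replacing it, so the
#    default failure-audit ACE that Windows puts on services is kept. If the
#    descriptor has no SACL at all, start one.
if ($sd -match 'S:') {
    $newSd = $sd + $ace
} else {
    $newSd = $sd + 'S:' + $ace
}

# 4. Write it back and confirm.
sc.exe sdset $svc $newSd
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
sc.exe sdshow $svc
```

Two caveats apply whichever way you set the SACL. First, nothing is logged until the "Audit object access" audit policy is enabled (Local Security Policy or the matching Group Policy setting); with it on, each audited start or stop appears in the Security log as event ID 560 (Object Open) with Object Type SERVICE OBJECT and the caller's account on Windows 2000, XP, and Server 2003. Second, if you only need to know who issued a start or stop, the Service Control Manager already records the account in System log event ID 7035 ("...was successfully sent a start/stop control") with no SACL or audit-policy changes at all; the SACL route is what you need to also capture failed attempts and pause/continue.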

7. ==== NEW AND IMPROVED ====
   (contributed by Sue Cooper, products () winnetmag com)

* PROTECT BACK-END STORAGE
   NeoScale Systems released CryptoStor FC, a wire-speed storage
security appliance for data storage access, transport, and privacy.
Fully transparent, the inline storage appliance inspects storage
traffic and applies data access controls and encryption to the data
payload at gigabit rates. CryptoStor FC lets you centrally manage
hundreds of storage data security policies without performance
degradation. CryptoStor FC uses two-factor smart card authentication
to secure remote, roles-based administration. Platform and
application-independent, the appliance can be deployed with the Fibre
Channel fabric, in front of storage subsystems, and behind storage
gateways. CryptoStor FC prices start at $35,000. Contact NeoScale
Systems at 408-586-1300 or info () neoscale com.
   http://www.neoscale.com

* SECURE ENTERPRISE APPLICATIONS
   Entrust announced Entrust Entelligence Security Provider 7.0 to
secure desktop applications that leverage the Windows security
framework, including their files and forms, eforms, email, VPNs, and
wireless LANs (WLANs). With a "footprint" of less than 1MB and a
customizable installation that leverages Windows-installer technology,
Security Provider 7.0 lets your users access their enterprise
applications with a single logon. Security Provider provides strong
authentication between a Web server and an end user, protecting access
to both Web and desktop applications. A simple self-service feature
lets users recover file keys and encrypted messages if they forget
their passwords. Entrust Entelligence Security Provider 7.0 supports
Windows XP/2000/NT systems that support 128-bit encryption. Contact
Entrust at 888-690-2424 or entrust () entrust com.
   http://www.entrust.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: How Do I Establish a Cisco VPN Tunneling Solution?
   (Three messages in this thread)

A user wants to let his five remote users access the company network
from the users' ISP dial-up connections in various states around the
country. The users could then use Microsoft Outlook natively to manage
such functions as correspondence and contacts. His network uses a
Cisco Systems PIX Firewall, and he needs some guidance on how to
implement a VPN tunneling solution on the firewall. He wants to know
whether he can simply install the Cisco VPN client software on the
remote users' machines or whether the firewall will need some special
configuration also. Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=57909

* HOWTO MAILING LIST
   http://63.88.172.96/listserv/page_listserv.asp?s=howto

Featured Thread: Are MAILTO and POST Safe for Transactions?
   (Three messages in this thread)

A user wants to know what the dangers are of someone sending a credit
card number over the Internet using MAILTO and POST links. Read the
responses or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?A2=IND0301E&L=HOWTO&P=281
 
9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************
   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

