Information Security News mailing list archives

Windows & .NET Magazine Security UPDATE--May 21, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 22 May 2003 00:53:04 -0500 (CDT)

====================

==== This Issue Sponsored By ====
RippleTech
   http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAOq0Ak

Research in Motion
   http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAOr0Al
(below IN FOCUS)

====================

1. In Focus: Is Trustworthy Computing Trustworthy Yet?

2. Security Risks
     - Arbitrary Code Execution Vulnerability in Microsoft WMP
     - Multiple Vulnerabilities in Cisco VPN 3000 Series VPN
       Concentrators

3. Announcements
     - How Can You Reclaim 30% to 50% of Windows Server Space?
     - Guide to Securing Your Web Site for Business

4. Security Roundup
     - News: New Technology for the Packet Police
     - News: Virtual Machine Security Melts in the Heat of Attack
     - News: It's a Worm, It's a Trojan Horse, It's a Keystroke 
       Logger. It's Fizzer
     - News: Hotmail and .NET Passport Open to Account Theft?
     - Feature: 5 Techniques for Establishing Highly Secure Systems

5. Security Toolkit
     - Virus Center
     - FAQ: How Can I Track Network Users Who Use the Telnet Service
       to Remotely Log On to My Computer?

6. Event
     - Security 2003 Road Show
 
7. New and Improved
     - Install Turnkey Security Appliance Platform
     - Manage Digital Identities with PKI-Based Security
     - Submit Top Product Ideas

8. Hot Thread
     - Windows & .NET Magazine Online Forums
         - Featured Thread: ISA Server Losing Persistent Route

9. Contact Us
   See this section for a list of ways to contact us.

====================

==== Sponsor: RippleTech  ====

   Protect Your Company Now From the Trusted Intruder with Informant
   How do you find out if employees are abusing their privileges to
access confidential corporate assets?  Most companies don’t find out
until it’s too late.
   Informant is an internal security monitoring, auditing and
reporting solution that tells you exactly what’s happening on your
network . . . from the inside!  Informant’s granular data capture
tracks an employee’s every step and notifies you of suspicious
activity.  Its robust reporting provides instant access to the
critical information needed to minimize security risks.  Plus,
Informant’s sensitive file auditing can detect potential electronic
theft of data.
   Find out now how you can protect your company’s information assets
against internal security threats with Informant today at:
   http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAOq0Ak

====================

==== 1. In Focus: Is Trustworthy Computing Trustworthy Yet? ====
   by Mark Joseph Edwards, News Editor, mark () ntsecurity net

Microsoft recently launched the Windows Server 2003 OS. It's probably
the company's best effort to date at rolling out a secure product. So
far, no one has reported security problems with the new OS, but it's
still early. Attackers haven't yet hammered on Windows 2003 enough to
determine whether its armor has chinks.

However, Microsoft's effort to establish itself as a maker of
trustworthy computing products has encountered some other
difficulties. As you'll learn from the news story "Hotmail and .NET
Passport Open to Account Theft?" in this week's Security UPDATE,
Microsoft Passport has an exploitable vulnerability. The Passport
problem's simplicity shows that developers didn't think broadly enough
about how attackers might try to subvert Passport security. Microsoft
has corrected the problem, which is good--but I'm sure Passport
account holders wonder whether the service contains other problems.

The NTBugtraq mailing list recently brought to light a second
trustworthiness problem--with the Windows Update service. Countless
users rely on the service to obtain patches for their Microsoft
products. On May 12, Bob Terry posted a message to the list stating
that while he was patching systems, Windows Update began reporting
back to his systems that no updates were available. He wondered
whether the service was down.

NTBugtraq Editor Russ Cooper posted a reply stating that many other
users were reporting similar problems. After comparing notes with
other users and checking further, Cooper posted another message to the
list that summarizes his findings. He discovered that many users had
to tweak various aspects of their systems and perform secondary or
tertiary checks to determine whether their systems were up-to-date.
Below you'll find what Cooper had to say, excerpted for brevity (you
can read Cooper's entire post at the URL below):
   http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0305&L=ntbugtraq&F=P&S=&P=4505

"For at least the past several days, Windows Update has been
providing consumers with false information. Windows Update users would
connect [and] initiate the scan. [The scan] would complete and inform
[users that] their system needed no patches. Wonderful, a clean bill
of health, or so the consumer thought.

"In reality, some flaw in the Windows Update process has led it to
conclude that a system in need of critical security patches is instead
clean and good to go on the Internet. In other words, if the security
check fails, tell consumers they're just fine and don't need anything
...

"You wouldn't believe the number of individual [reports about problems
with Windows Update] I've received. No doubt Microsoft receives far
more than I do. I can't believe that huge corporations are having the
problems they are, nor can I believe they haven't received a
reasonable answer from Microsoft as to why the problems exist ...

"If [those at Microsoft were] serious about beginning to tackle the
trustworthiness of Microsoft, they'd have done something a year ago
when I first called Windows Update a dog. See for yourself, look at my
previous musings [see the URLs below], then tell me what's been fixed
or improved. If, like me, you see nothing ... then the Trustworthy
Computing Initiative once again gets an 'F'."
   http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6886
   http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6990

Cooper makes some reasonable observations and valid points. If Windows
Update doesn't behave properly, Microsoft should return a message
stating that the service is experiencing a problem instead of
returning the ambiguous message "no updates available."

The Passport vulnerability and the Windows Update errors seem to
reveal a lack of perspective on Microsoft's part. Granted, software
will continue to have flaws. However, if we're to trust Microsoft's
secure computing initiative as the company undoubtedly wants us to,
then Microsoft's software and services must become more secure--and
that security includes being more informative.

What do you think? Is Trustworthy Computing trustworthy yet? Send me
an email with your thoughts and experiences.

====================

==== Sponsor: Research in Motion  ====

   NEW BLACKBERRY SECURITY WHITE PAPER
   Prevent wireless handhelds from compromising your enterprise
security!  Download the BlackBerry Security White Paper for Microsoft
Exchange and learn how the BlackBerry security architecture addresses
data encryption, corporate firewalls, lost devices, and other critical
security concerns.
   http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAOr0Al

====================

==== 2. Security Risks ====
   contributed by Ken Pfeil, ken () winnetmag com

Arbitrary Code Execution Vulnerability in Microsoft WMP
   Jouko Pynnonen and Jelmer discovered that a vulnerability in
Windows Media Player (WMP) 8.0 and WMP 7.1 can result in the execution
of arbitrary code on the vulnerable system. This vulnerability stems
from a flaw in the way WMP handles the download of skin files. The
flaw could let an attacker force a file (e.g., a malicious executable)
masquerading as a skin file into a certain location on a user's
machine. Microsoft has released Security Bulletin MS03-017 (Flaw in
Windows Media Player Skins Downloading could allow Code Execution) to
address this vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=38993

Multiple Vulnerabilities in Cisco VPN 3000 Series VPN Concentrators
   Multiple vulnerabilities exist in the Cisco VPN 3000 Series
Concentrator, the most serious of which can let an attacker access the
internal hosts on the IP Security (IPSec) over TCP-configured ports.
The other two vulnerabilities can result in a Denial of Service (DoS)
condition on the VPN Concentrator. Cisco Systems has released an
advisory and a fix for affected customers, which you can obtain from
the company's Web site. The company recommends that customers upgrade
to fixed software versions, as detailed in this documentation.
   http://www.secadministrator.com/articles/index.cfm?articleid=38994

==== 3. Announcements ====
   (from Windows & .NET Magazine and its partners)

How Can You Reclaim 30% to 50% of Windows Server Space?
   Attend the newest Web seminar from Windows & .NET Magazine and
discover the secrets from the experts. We'll also advise you on how to
reduce storage growth and backups by 30% and how to reduce storage
administration by 25% or more. There's no charge for this important
Web event, but space is limited so register today!
   http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw06A10AB

Guide to Securing Your Web Site for Business
   Download VeriSign's new whitepaper, "Guide to Securing Your Web
Site For Business," and discover the practical business benefits of
securing your Web site. You'll also learn more about the innovative
processes and technologies VeriSign uses to address Internet security
issues. Download your free copy now!
   http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAMg0AY

==== 4. Security Roundup ====

News: New Technology for the Packet Police
   Cisco Systems has introduced new technology that will let law
enforcement agencies and ISPs police both networks and people.
According to Cisco, one new capability already present in routers but
not yet deployed is the ability to tap both IP telephony calls and
data streams. Another is a new Bandwidth Processing Engine (BPE) for
the company's uBR7246VXR Cable Modem Termination System (CMTS).
   http://www.secadministrator.com/articles/index.cfm?articleid=39020

News: Virtual Machine Security Melts in the Heat of Attack
   Sudhakar Govindavajhala and Andrew W. Appel presented a paper at
the 2003 IEEE Symposium on Security and Privacy that demonstrates a
method of defeating security of virtual machine products such as
Microsoft Virtual Machine (VM) and Sun Microsystems and IBM Java
virtual machines. The men discovered that they could use a heat lamp
to flip bits in memory chips, causing their own untrusted code to run
within the virtual machine.
   http://www.secadministrator.com/articles/index.cfm?articleid=39024

News: It's a Worm, It's a Trojan Horse, It's a Keystroke Logger. It's
Fizzer
   A new worm, dubbed Fizzer, is spreading around the Internet through
email and peer-to-peer (P2P) networks. Fizzer carries quite a hostile
payload compared with past worms.
  http://www.secadministrator.com/articles/index.cfm?articleid=39016

News: Hotmail and .NET Passport Open to Account Theft?
   According to a message posted by Muhammad Faisal Rauf Danka to the
BugTraq mailing list, Microsoft's .NET Passport service is wide open
to attackers who use a Passport user's Hotmail account to reset the
password. Danka claims to have found a certain Passport URL that
anyone can enter into a Web browser and thereby hijack a user's
Passport account. Microsoft removed access to the vulnerable URL that
Danka described.
   http://www.secadministrator.com/articles/index.cfm?articleid=39001

Feature: 5 Techniques for Establishing Highly Secure Systems
   Microsoft has documented five TCP registry modifications you can
implement to reduce a Windows 2000 system's vulnerability to Denial of
Service (DoS) attacks and other common exploits. These techniques are
suitable for Win2K systems connected to a WAN or the Internet and for
sites operating under strict security controls. Read Paula Sharick's
article on our Web site to learn about them.
   http://www.secadministrator.com/articles/index.cfm?articleid=25027


==== 5. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

FAQ: How Can I Track Network Users Who Use the Telnet Service to
Remotely Log On to My Computer?
   contributed by Randy Franklin Smith, rsmith () montereytechgroup com

A. You need to first enable auditing for Audit logon events and Audit
process tracking. Then, look in your event log for an event ID 592 (a
new process has been created) for which the image base filename
is tlntsess.exe. Note the Logon ID, and scan the event log for an
event ID 528 (successful logon) with the same Logon ID. The User Name
in event ID 528 identifies who logged on using the Telnet service.
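
The correlation described in this answer, as an added example that is not
part of the original newsletter. It assumes the Security log has been
exported as (event ID, description text) pairs with one "Field: value" line
per field; the sample records and the function names are constructed for
illustration.

```python
from ntpath import basename  # Windows path rules on any host OS

# Constructed sample records (not from a real log). Only the fields the FAQ
# names are included; the "Field: value" layout is an assumption.
SAMPLE_EVENTS = [
    (592, "Image File Name: C:\\WINNT\\system32\\TLNTSESS.EXE\nLogon ID: (0x0,0x3A9B0)"),
    (528, "User Name: bob\nLogon ID: (0x0,0x3a9b0)"),
    (528, "User Name: alice\nLogon ID: (0x0,0x2C4F1)"),
    (592, "Image File Name: C:\\WINNT\\system32\\notepad.exe\nLogon ID: (0x0,0x2C4F1)"),
    (592, "Image File Name: tlntsess.exe\nLogon ID: (0x0,0x51D22)"),  # no 528 in log
]

def fields(description):
    """Parse 'Field: value' lines into a dict keyed by lower-cased field name."""
    out = {}
    for line in description.splitlines():
        # Split on the first colon only, so "C:\..." values stay intact.
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def norm_logon_id(value):
    """Compare Logon IDs without regard to spacing or hex digit case."""
    return "".join(value.split()).lower()

def telnet_logons(events):
    """Return (logon_id, user_name) for each tlntsess.exe process creation.

    user_name is None when no event 528 with that Logon ID is present,
    for example because the logon event has already rolled out of the log.
    """
    users = {}     # Logon ID -> User Name, from event 528 (successful logon)
    sessions = []  # Logon IDs from event 592 where the image is tlntsess.exe
    for event_id, description in events:
        f = fields(description)
        logon_id = norm_logon_id(f.get("logon id", ""))
        if not logon_id:
            continue
        if event_id == 528:
            users[logon_id] = f.get("user name")
        elif event_id == 592:
            if basename(f.get("image file name", "")).lower() == "tlntsess.exe":
                sessions.append(logon_id)
    # Resolve after the full pass so the result does not depend on event order.
    return [(lid, users.get(lid)) for lid in sessions]

if __name__ == "__main__":
    for logon_id, user in telnet_logons(SAMPLE_EVENTS):
        print(logon_id, user or "<no matching event 528>")
```

An unresolved Logon ID is worth keeping in the output rather than dropping:
it marks a Telnet session whose logon record is missing from the data you
searched.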

==== 6. Event ====

Security 2003 Road Show
   Join Mark Minasi and Paul Thurrott as they deliver sound security
advice at our popular Security 2003 Road Show event.
   http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw07Kz0AZ

==== 7. New and Improved ====
   by Sue Cooper, products () winnetmag com

Install Turnkey Security Appliance Platform
   14 South Networks announced IntraLock, a security appliance
platform that lets you integrate several vendors' security
applications into your servers without affecting the host platform.
IntraLock is a turnkey solution that includes hardware that installs
in a standard PCI slot, software, and centralized management. VPN work
is performed on IntraLock, rather than on the server itself. IntraLock
supports three security mechanisms: inbound, outbound, and data
stream. IntraLock is available from Value Added Resellers (VARs) and
systems integrators. Prices range from $2495 to $4495. Contact 14
South Networks at 866-414-7688, 561-862-5100, or sales () 14south com.
   http://www.14south.com

Manage Digital Identities with PKI-Based Security
   Entrust released Entrust Authority Security Manager 7.0, a public
key infrastructure (PKI)-based solution to manage the life cycles of
certificate-based digital identities--consistently enabling
encryption, digital signatures, and authentication capabilities across
applications and platforms. This new version offers support for
Microsoft smart card logon, additional key pair support for Encrypting
File System (EFS), and improved support for Active Directory (AD).
Enhanced policy control includes flexible storage options for digital
identities, support for legally binding digital signatures, and
flexible certificate lifetime policy. Improved audit and reporting
capabilities now let you monitor status information to immediately
address availability issues and format the reports using XML. Entrust
Authority Security Manager 7.0 supports Windows and UNIX environments.
Contact Entrust at 888-690-2424 or entrust () entrust com.
   http://www.entrust.com

Submit Top Product Ideas
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums
   http://www.winnetmag.com/forums

Featured Thread: ISA Server Losing Persistent Route
   (Two messages in this thread)

A user writes that he has Microsoft Internet Security and Acceleration
(ISA) Server 2000, which he uses as a firewall, proxy, and VPN server.
He had the same setup on Windows NT with Proxy Server 2.0 running. In
that configuration, he never entered a default gateway in the IP
settings of his local NIC. Instead, he entered a persistent route in
the route table using the command shell "route" command. He has set up
a new box with ISA Server and applied the same settings and theory he
used with Proxy Server. However, he loses the persistent route every
few days. When he uses the "route print" command, the route doesn't
show up in the table. If he tries to add the route again using the
"route -p add" command, he receives a response telling him that the
route is already there. He wonders what the problem is. Lend a hand or
read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58577

==== 9. Contact Us ====

About the newsletter -- letters () winnetmag com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products () winnetmag com
About your subscription -- securityupdate () winnetmag com
About sponsoring Security UPDATE -- emedia_opps () winnetmag com

====================
   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing Windows and related technologies. Subscribe
today.
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.


