Information Security News mailing list archives

Windows & .NET Magazine Security UPDATE--October 8, 2003


From: InfoSec News <isn () c4i org>
Date: Wed, 8 Oct 2003 09:49:16 -0500 (CDT)

1. In Focus: The Dangers of Uncontrolled Software Use

2. Announcements
     - New White Paper on Exchange 2003 Deployment
     - Check Out Our 2 New Web Seminars!

3. Security News and Features
     - Recent Security Vulnerabilities
     - News: Microsoft Preps Major Security Strategy Shift
     - News: XP Security Rollup Package in Beta
     - News: Microsoft Faces Security Class-Action Suit
     - Feature: How to Build a Snort Server

4. Security Toolkit
     - Virus Center
         - Virus Alert: Trj/Hatoy.A
     - FAQ: How do I prevent administrators from successfully using
       L0phtCrack?
     - Featured Thread: How to Stop Viruses from Spreading

5. Event
     - The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!

6. New and Improved
     - Control USB and FireWire Devices
     - Secure All Data
     - Tell Us About a Hot Product and Get a T-Shirt

7. Contact Us
   See this section for a list of ways to contact us.

==== 1. In Focus: The Dangers of Uncontrolled Software Use ====
   by Mark Joseph Edwards, News Editor, mark () ntsecurity net

Surely, most of you know about various peer-to-peer (P2P) software
packages, such as KaZaA and the soon-to-be-revived Napster. Millions
of people use P2P software to trade files, sometimes in violation of
copyright laws.

Businesses should be aware of such software and control its use on
their networks. One reason for doing so is that P2P software can
consume huge amounts of bandwidth. Another reason is that employees
might use P2P software to break the law while using company resources.
Yet another reason is that employees should be spending their time
working and not trading files on company time.

A new reason surfaced last week. I read an interesting post on a
security mailing list regarding the P2P software and network called
Earth Station 5 (ES5). The makers of ES5 claim to provide stealth
activity and cloaking to protect users' privacy. They also claim to
provide protection against viruses and other erroneous files, along
with a variety of Web services.
   http://www.earthstation5.com

What was so interesting about the post I read regarding ES5 is that
the product has a serious security hole that lets any ES5 user delete
files on another user's computer. The person who discovered the hole
is convinced that due to the nature of the problem he found, the
creators must have intentionally built in the ability to delete files
on users' computers as some sort of back door.

That's a strong accusation to make, and although the product
definitely has the security hole, I don't yet know whether the makers
of ES5 actually put a back door in on purpose. Whether they did or
didn't, the matter points out the seriousness of not controlling what
types of traffic are allowed to traverse your network and what sort of
software users can install on their machines, if any. In the case of
ES5, a remote user could wipe out critical files on your systems,
leading to all sorts of problems.

Chances are that your company frowns on P2P use, but does it try to
prevent it? You might recall that I mentioned a new hybrid technology,
Passive Vulnerability Scanners (PVSs), last week. A PVS would be a
great way to find out immediately whether someone had installed
unwanted software (such as a P2P client) on your company's computers,
as opposed to finding out later through some sort of periodic audit.
But you don't necessarily have to use a PVS to detect the use of
unwanted software in real time.

If you have a flexible Intrusion Detection System (IDS) in place, you
might be able to create IDS rules that can detect traffic from
unwanted software the instant it moves traffic across your network. As
you know, one very popular IDS tool, Snort, allows users plenty of
flexibility to create custom rules. So you could develop a Snort rule
that detects traffic from various types of software.

Martin Roesch (creator of Snort) and Hugh Njemanze (founder of
ArcSight) gave a Webcast last week that was sponsored by The SysAdmin,
Audit, Network, Security (SANS) Institute. Roesch discussed "the use
of passive network discovery, behavioral profiling and vulnerability
analysis techniques" along with "intrusion detection, reducing false
positives and negatives as well as opportunities for evasion."
Njemanze discussed "how the context and robust correlation techniques
of centralized security management take maximum advantage of the
alarms and alerts produced not only by IDSs but also all the other
security-relevant sources of information that are available."

The Webcast is archived at SANS, so you can check it out after
registering. You can find the synopsis and links to it at the SANS Web
site. Be sure to check out the list of upcoming Webcasts too--at the
second URL below.
   http://www.sans.org/webcasts/show.php?webcastid=90419
   http://www.sans.org/webcasts

====================

==== 2. Announcements ====
   (from Windows & .NET Magazine and its partners)

New White Paper on Exchange 2003 Deployment
   In this timely white paper, Microsoft Exchange expert Kieran
McCorry, from HP's Exchange consulting group, outlines the best
options for organizations migrating to Exchange Server 2003. The paper
outlines inter- and intra-organizational migration issues and the
benefits of server consolidation during deployment. Get your copy
today!
   http://list.winnetmag.com/cgi-bin3/DM/y/ec5S0CJgSH0CBw0BC130A5

Check Out Our 2 New Web Seminars!
   "Plan, Migrate, Manage: Shifting Seamlessly from NT4 to Windows
2003" will help you discover tips and tricks to maximize planning,
administration, and performance. "The Secret Costs of Spam ... What
You Don't Know Can Hurt You" will show you how to quantify costs and
find antispam solutions. Register today!
   http://list.winnetmag.com/cgi-bin3/DM/y/ec5S0CJgSH0CBw02lB0Av

====================

==== 3. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries
at
   http://www.secadministrator.com/articles/index.cfm?departmentid=752

News: Microsoft Preps Major Security Strategy Shift
   Under attack from various quarters because of the perceived lack of
security in its products, Microsoft is close to announcing a strategy
shift in its Trustworthy Computing initiative. According to executives
from the software giant, Microsoft's short-term strategy will shift
from patch management to what the company calls "securing the
perimeter."
   http://secadministrator.com/articles/index.cfm?articleid=40423

News: XP Security Rollup Package in Beta
   Microsoft hasn't officially made any announcements yet; however,
according to Neowin.net, Microsoft has released a beta version of its
forthcoming Security Rollup Package 1 (SRP1) for Windows XP.
   http://secadministrator.com/articles/index.cfm?articleid=40403

News: Microsoft Faces Security Class-Action Suit
   A consumer in California filed a class-action lawsuit on behalf of
potentially millions of additional plaintiffs against Microsoft this
week, claiming that the software giant's dominant Windows platform is
vulnerable to dangerous virus attacks that could trigger "massive" and
"cascading" failures of the world's networks. Given Microsoft's
unbelievable security problems this year and public admissions by the
company's executives that the worst was yet to come, it's likely that
this lawsuit and others like it were inevitable.
   http://secadministrator.com/articles/index.cfm?articleid=40437

Feature: How to Build a Snort Server
   Intrusion Detection Systems (IDSs) are an important part of any
network. One free, open-source tool for implementing an IDS on
networks is Snort. (If you're unfamiliar with IDSs, see "Protect Your
Network from Intrusion" at the first URL below and "Deploy Your
Network IDS Effectively" at the second URL below.) To build a Snort
server in a Windows 2000 environment, you need to install and secure
Win2K Server, install Snort and its companion files, and test Snort's
various modes. Read Morris Lewis's article (at the third URL below)
for details.
   http://secadministrator.com/articles/index.cfm?articleid=24650
   http://secadministrator.com/articles/index.cfm?articleid=25013
   http://secadministrator.com/articles/index.cfm?articleid=26449

====================

==== 4. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

Virus Alert: Trj/Hatoy.A
   Panda Software reports that a new Trojan horse, Hatoy.A, is
spreading via Web browsers. Hatoy.A affects users of Microsoft
Internet Explorer (IE) by exploiting a known vulnerability in the
browser for which no patch is currently available. The Trojan horse
manipulates users' systems to change DNS entries so that users are
redirected to a site different from the one whose URL they entered.
For more information about Hatoy.A, see Panda's report:
   http://www.pandasoftware.com/about/press/viewnews.aspx?noticia=4211

FAQ: How do I prevent administrators from successfully using
L0phtCrack?
   contributed by John Savill, http://www.windows2000faq.com

A: In Windows 2000, thanks to automatic activation of the Syskey
utility, @stake's L0phtCrack is useless against password hashes in the
SAM or Active Directory (AD) unless the user has Administrator access.
You can't stop administrators who use L0phtCrack from cracking
passwords; you can only slow them down. To do so, begin by adding the
NoLmHash registry value described in the Microsoft article "How to
Prevent Windows from Storing a LAN Manager Hash of Your Password in
Active Directory and Local SAM Databases" (at the URL below). However,
keep in mind that even after you set the new registry key, an
administrator can use L0phtCrack to crack passwords.
   Syskey encrypts password hashes stored on disk in the SAM or in AD
on domain controllers (DCs). However, an administrator can use
L0phtCrack to dump password hashes from OS memory because password
hashes in memory aren't encrypted. When you enable NoLmHash, Win2K
doesn't automatically delete the LAN Manager hash for users. To get
rid of the hash, you must reset each user's password.
   Even after you reset passwords, however, administrators can use
L0phtCrack because Win2K stores two hashes for each account: the old,
weak LAN Manager hash and a stronger Windows NT hash. L0phtCrack can
use either hash but takes longer to crack accounts when only the NT
hash is present.
   http://support.microsoft.com/?kbid=299656
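
The FAQ notes that enabling NoLmHash does not remove LAN Manager hashes that are already stored, so each password must be reset. The following is an added example, not part of the original newsletter or the Microsoft article: a Python audit that reads a hash export and lists the accounts that still carry an LM hash. It assumes a pwdump-style line layout (user:rid:lm:nt:::), and the sample lines are constructed.

```python
import re

# Well-known constants: the LM hash of an empty password, and of one empty
# 7-character half (LM hashes each half of the password separately).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = EMPTY_LM[:16]
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample export (assumed pwdump-style layout), not real accounts.
SAMPLE_DUMP = """\
alice:1001:5d41402abc4b2a76b9719d911017c592:7d793037a0760186574b0282f2f435e7:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:0cc175b9c0f1b6a831c399e269772661:::
carol:1003:NO PASSWORD*********************:900150983cd24fb0d6963f7d28e17f72:::
dave:1004:e4da3b7fbbce2345aad3b435b51404ee:8277e0910d750195b448797616e091ad:::
not a hash line
"""

def classify_lm(lm_field):
    """Return 'absent', 'present' or 'present-short' for one LM field."""
    lm = lm_field.strip().lower()
    # A placeholder string or the empty-password value means no usable LM hash.
    if not HEX32.match(lm) or lm == EMPTY_LM:
        return "absent"
    # An empty second half means the password is 7 characters or fewer.
    if lm.endswith(EMPTY_LM_HALF):
        return "present-short"
    return "present"

def audit(dump_text):
    """Map each account name to the state of its LM hash."""
    findings = {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        # Skip anything that does not look like user:rid:lm:nt.
        if len(parts) < 4 or not HEX32.match(parts[3].strip().lower()):
            continue
        findings[parts[0]] = classify_lm(parts[2])
    return findings

def needs_reset(dump_text):
    """Accounts whose password must be reset to drop the stored LM hash."""
    return sorted(u for u, s in audit(dump_text).items() if s != "absent")

if __name__ == "__main__":
    for user, state in audit(SAMPLE_DUMP).items():
        print(f"{user}: LM hash {state}")
    print("reset required:", ", ".join(needs_reset(SAMPLE_DUMP)))
```

Run it again after the password resets; an empty list from needs_reset means only NT hashes remain.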

Featured Thread: How to Stop Viruses from Spreading
   (Five messages in this thread)
A user writes that he's an administrator for 200 computers. He wants
to know whether he should put a firewall on every workstation on his
network to stop viruses from spreading or use some other approach.
Lend a hand or read the responses:
   http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=63446

==== 5. Event ====

The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!
   Learn more about the wireless and mobility solutions that are
available today, plus discover how going wireless can offer low risk,
proven performance, and compatibility with existing and emerging
industry standards. Register now for this free, 12-city event!
   http://list.winnetmag.com/cgi-bin3/DM/y/ec5S0CJgSH0CBw0BA8Y0An

==== 6. New and Improved ====
   by Jason Bovberg, products () winnetmag com

Control USB and FireWire Devices
   SmartLine released DeviceLock 5.5, a security solution that lets
you restrict access to USB and FireWire (IEEE 1394) devices on Windows
2003/XP/2000/NT 4.0 machines. Standard Windows access-control
solutions don't permit the assignment of permissions for USB and
FireWire ports. DeviceLock gives you control over which users can
access these ports and certain devices (e.g., floppy-disk drives,
CD-ROM drives, tape devices) on a local computer. DeviceLock costs $35
for a single-user license. A free, fully functional demonstration
version is available for download from SmartLine's Web site. For more
information about DeviceLock, contact SmartLine on the Web.
   http://www.devicelock.com

Secure All Data
   Cypherix announced Cryptainer LE, 128-bit data-encryption software.
Cryptainer LE stores all sensitive information in encrypted 5MB ghost
drives that appear and disappear at your convenience. Only the user
who owns a specific passkey can view, access, browse, or modify files
inside a ghost drive. You can install and run programs inside this
encrypted drive. Cryptainer LE runs on Windows XP/2000/Me/9x and
conforms to international standards. It runs as a special Windows
device driver operating on a 128-bit implementation of the Blowfish
algorithm in Cipher Block Chaining (CBC) mode, with a block size of 64
bytes. Cryptainer LE is a free, fully functional product that you can
download from Cypherix's Web site. For more information about
Cryptainer LE, contact Cypherix on the Web.
   http://www.cypherix.co.uk/cryptainerle/index.htm

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot () winnetmag com.

===================

==== 7. Contact Us ====

About the newsletter -- letters () winnetmag com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products () winnetmag com
About your subscription -- securityupdate () winnetmag com
About sponsoring Security UPDATE -- emedia_opps () winnetmag com

This email newsletter is brought to you by Security Administrator, the
print newsletter with independent, impartial advice for IT
administrators securing Windows and related technologies. Subscribe
today.
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

To make other changes to your email account such as change your email
address, update your profile, and subscribe or unsubscribe to any of
our email newsletters, simply log on to our Email Preference Center.
   http://www.winnetmag.com/email

__________________________________________________________
Copyright 2003, Penton Media, Inc.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

