[ISN] Security UPDATE, April 25, 2001

From: InfoSec News (isnat_private)
Date: Wed Apr 25 2001 - 16:02:00 PDT

    ********************
    Windows 2000 Magazine Security UPDATE
    **Watching the Watchers**
    The weekly Windows 2000 and Windows NT security update newsletter from
    the Windows 2000 Magazine Network
    http://www.win2000mag.net/Channels/Security
    ********************
    
    This week's issue sponsored by
    
    McAfee ePolicy Orchestrator
    http://www.win2000mag.com/jump.cfm?ID=129
    
    |-+-|-+-|-+-|-+-|-+-|-+-|
    April 25, 2001 - In this issue:
    
    1. IN FOCUS
         - SMBRelay: Another Good Reason to Protect Your Internal Network
    
    2. SECURITY RISKS
         - Implementation Flaw with Microsoft WebDAV
         - Denial of Service Condition in Microsoft ISA Server
    
    3. ANNOUNCEMENTS
         - New Seminars Series--Don't Be Left Out!
         - There Is Such a Thing as a Free Lunch!
    
    4. SECURITY ROUNDUP
         - News: Fortress Strengthens Wired Equivalent Privacy
         - Feature: Exchange Server Antivirus Scanners
         - Review: WinWhatWhere Investigator 3.0
    
    5. NEW AND IMPROVED
         - Advanced Security Software for Palm OS
         - Personal Firewall Protects PCs Before Windows Launches
         - Internet Content Security Solution
    
    6. SECURITY TOOLKIT
         - Book Highlight: PKI: Implementing and Managing E-security
         - Virus Alert: W32/Matcher
         - FAQ: I've Upgraded to Windows 2000 Server with Service Pack 1
           (SP1) Slipstreamed. Why Doesn't the Registry Show that SP1 Is
           Installed?
    
         - SOHO Security: Using PGP to Secure Your Email
         - New Poll: Which Administrative Scripting Language Do You Use Most
           Often?
    
    7. HOT THREADS
         - Windows 2000 Magazine Online Forums
              Problem Sending Mail from MS-Outlook Express (Client Side)
         - HowTo Mailing List
              Preventing Exchange 5.5 Server from Being Used to Relay Spam
              Reduce Domain Administrators
    
    8. CONTACT US
    See this section for a list of ways to contact us.
    
    ~~~~ SPONSOR: MCAFEE EPOLICY ORCHESTRATOR ~~~~
    Managing anti-virus protection through policy can save any business
    money. A policy gives you a framework that allows you to more
    effectively update your protection - critical in the fight against
    viruses. Up-to-date protection prevents infections. And fewer infections
    means less downtime and less time spent cleaning up. A policy also gives
    you a benchmark against which to measure performance - in terms of both
    protection and infection rates. By establishing and enforcing an
    anti-virus policy, you save money where it counts the most: in the
    ongoing management of anti-virus protection. ePolicy Orchestrator is the
    best anti-virus management tool in independent tests.
    http://www.win2000mag.com/jump.cfm?ID=129
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Want to sponsor Security UPDATE?
    Email emedia_oppsat_private
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    1. ========== IN FOCUS ==========
    
    Hello everyone,
    
    Last week, I discussed 3COM's new Embedded Firewall and the need to
    protect your internal networks. Shortly after I wrote that column, I
    came across some interesting news: A new program--SMBRelay--is available
    that can hijack a user's session to perform a man-in-the-middle attack.
    SMBRelay represents another good reason to protect your internal
    networks.
    
    SMBRelay's author is Sir Dystic, a member of Cult of the Dead Cow (cDc).
    You'll recall that cDc also published Back Orifice and BO2K, remote
    control tools for Windows systems. SMBRelay sits on a Windows system
    waiting for a user to connect. When the user connects, the relay passes
    authentication traffic to its destination in a proxy-like fashion. After
    the system authenticates the session, the relay then disconnects the
    user's system and assumes control of the session. An intruder can use
    the relay system to access network resources under the same authority as
    the user whose session was hijacked. You can learn more about the
    program at the URL below.
    http://pr0n.newhackcity.net/~sd/smbrelay.html
    
    SMBRelay relies on the fact that many networks use the older NT LAN
    Manager (NTLM) authentication instead of the newer NTLMv2. The release
    of the L0phtcrack ( http://www.securitysoftwaretech.com/lc3 )
    password-cracking software showed security vulnerabilities in NTLM, so
    Microsoft released NTLMv2 when it published Windows NT 4.0 Service Pack
    4 (SP4). To learn about NTLMv2, see Randy Franklin Smith's article,
    "Inside SP4 NTLMv2 Security Enhancements," at the following URL.
    http://www.win2000mag.com/Articles/Index.cfm?ArticleID=7072
    
    In addition, Microsoft has several articles online that discuss NTLMv2,
    including "How to Disable LM Authentication on Windows NT," and "How to
    Enable NTLM 2 Authentication for Windows 95/98/2000 and NT." You can add
    NTLMv2 support to Windows 9x by installing the Directory Services Client
    from the Windows 2000 CD-ROM as discussed in the second article. The
    articles are located at the URLs below.
    http://support.microsoft.com/support/kb/articles/Q147/7/06.asp
    http://support.microsoft.com/support/kb/articles/Q239/8/69.asp
    
    NTLMv2 strengthens NTLM-based authentication, but it doesn't eliminate
    all risk. For example, NTLMv2 stops SMBRelay from hijacking user
    sessions, but it might not stop future Server Message Block
    (SMB) relays. To better protect against man-in-the-middle attacks, you
    might want to integrate firewalls at the desktop and server level to
    guard against rogue client connections. Also consider VPN technology to
    protect user sessions and session traffic. Implementing a VPN can be
    tedious--but probably far less tedious than cleaning up after an
    intruder.
    
    Until next time, have a great week.
    
    Sincerely,
    Mark Joseph Edwards, News Editor
    markat_private
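
    Added example, not part of the original newsletter: a small audit
    that flags machines still sending LM or NTLM responses, the
    condition the column says SMBRelay relies on. It assumes the
    LmCompatibilityLevel registry value (a Windows setting not named in
    the newsletter) has been collected from each host with "reg query";
    the host names and outputs below are constructed.

```python
"""Flag hosts whose LmCompatibilityLevel still permits LM or NTLM responses."""
import re

# Documented meanings of LmCompatibilityLevel, a REG_DWORD stored under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa (assumption: not named on the page).
LEVELS = {
    0: "sends LM and NTLM responses",
    1: "sends LM and NTLM; NTLMv2 session security if negotiated",
    2: "sends NTLM response only",
    3: "sends NTLMv2 response only",
    4: "sends NTLMv2 only; as a domain controller refuses LM",
    5: "sends NTLMv2 only; as a domain controller refuses LM and NTLM",
}
NTLMV2_ONLY = 3  # lowest level at which the host sends only NTLMv2 responses

VALUE_RE = re.compile(
    r"^\s*LmCompatibilityLevel\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample: "reg query" output gathered per host (names invented).
SAMPLE = {
    "dc-01": f"\n{LSA_KEY}\n    LmCompatibilityLevel    REG_DWORD    0x5\n",
    "ws-eng-07": f"\n{LSA_KEY}\n    lmcompatibilitylevel    REG_DWORD    0x3\n",
    "ws-lab-03": "ERROR: The system was unable to find the specified "
                 "registry key or value.\n",
    "ws-sales-01": f"\n{LSA_KEY}\n    LmCompatibilityLevel    REG_DWORD    0x0\n",
}


def parse_level(reg_output):
    """Return the level as an int, or None when the value is not present."""
    match = VALUE_RE.search(reg_output)
    return int(match.group(1), 16) if match else None


def audit(collected):
    """Return (host, level, status, detail) tuples sorted by host name."""
    findings = []
    for host in sorted(collected):
        level = parse_level(collected[host])
        if level is None:
            # An absent value is not proof of safety: the OS default applies.
            status, detail = "REVIEW", "value not set; the OS default applies"
        elif level not in LEVELS:
            status, detail = "REVIEW", "unrecognized level"
        elif level < NTLMV2_ONLY:
            status, detail = "WEAK", LEVELS[level]
        else:
            status, detail = "OK", LEVELS[level]
        findings.append((host, level, status, detail))
    return findings


def weak_hosts(collected):
    """Hosts that still send LM or NTLM responses."""
    return [host for host, _, status, _ in audit(collected) if status == "WEAK"]


if __name__ == "__main__":
    for host, level, status, detail in audit(SAMPLE):
        shown = "unset" if level is None else level
        print(f"{host:<12} level={shown!s:<6} {status:<7} {detail}")
```

    "OK" here describes only what the host itself sends; levels 3 and
    below do not make a domain controller refuse LM or NTLM from other
    machines.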
    
    2. ========== SECURITY RISKS =========
    (contributed by Mark Joseph Edwards, markat_private)
    
    * IMPLEMENTATION FLAW WITH MICROSOFT WEBDAV
    Microsoft reported a flaw in its WWW Distributed Authoring and
    Versioning (WebDAV) implementation that runs a script under the user's
    security context. WebDAV should distinguish between a user's request and
    the script that a Web browser runs, but Microsoft WebDAV doesn't
    differentiate the two. An attacker can use this flaw to browse the
    user's intranet or access Web-based email if the attacker knows certain
    variables, such as server names, folder structures, and specific user
    and network information. Microsoft has issued security bulletin MS01-022
    to address this vulnerability and has also released a hotfix that
    changes the WebDAV implementation to correctly process these scripts.
    http://www.windowsitsecurity.com/articles/index.cfm?articleID=20749
    
    * DENIAL OF SERVICE CONDITION IN MICROSOFT ISA SERVER
    SecureXpert Labs discovered that when you use Microsoft Internet
    Security and Acceleration (ISA) Server 2000 Web Publishing to bridge
    HTTP traffic to a Web server, a malicious attacker can use an invalid
    Web request containing a certain malformed argument to cause an access
    violation in the Web proxy service, denying service for legitimate
    traffic. Microsoft disables this service by default. Microsoft has
    issued security bulletin MS01-021 to address this vulnerability and has
    also issued a hotfix that enables ISA Server 2000's Web proxy service to
    correctly treat this request as invalid.
    http://www.windowsitsecurity.com/articles/index.cfm?articleID=20689
    
    3. ========= ANNOUNCEMENTS ==========
    
    * NEW SEMINARS SERIES--DON'T BE LEFT OUT!
    Check out our new 1- and 2-day seminars sponsored by Aelita Software.
    Hear from industry experts Mark Minasi, Kalen Delaney, and Steve Milroy,
    and polish your IT skills in informative sessions about Windows 2000
    Server, SQL Server, and mobile and wireless connectivity. Seminars will
    be held in Los Angeles, Boston, and San Francisco in May and June. Sign
    up today!
    http://www.win2000mag.net/seminars
    
    * THERE IS SUCH A THING AS A FREE LUNCH!
    Do you subscribe to Windows 2000 Magazine? Plan to attend N+I in Las
    Vegas this May? We're seeking readers for a focus group at N+I.
    Participants get $100 and a free lunch. If you're interested, email
    kcollinsat_private. Include your name, job title, and phone
    number.
    
    4. ========== SECURITY ROUNDUP ==========
    
    * NEWS: FORTRESS STRENGTHENS WIRED EQUIVALENT PRIVACY
    To strengthen known weaknesses in the Wired Equivalent Privacy (WEP)
    protocol used in the 802.11b wireless network standard, Fortress
    Technologies has released a new Layer 2 protocol called Wireless Link
    Layer Security (wLLS). The new protocol provides secure frame and packet
    transmissions by automating crucial security operations, including
    encryption, authentication, data integrity-checking, key exchange, and
    data compression. Fortress based wLLS on techniques the company uses in
    its patented Secure Packet Shield (SPS) technology.
    http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20706
    
    * FEATURE: EXCHANGE SERVER ANTIVIRUS SCANNERS
    In the past, maintaining a regular virus-scanning regimen on your
    network was sufficient to prevent, or at least contain, viruses because
    viruses typically spread through disks. Today, however, email is the
    primary communication tool in many work environments. Users create,
    send, and receive countless email messages and attached files every day.
    Because most viruses now spread through email, ensuring that your
    networks remain virus-free is difficult. What is an overworked network
    administrator to do? One solution is to install a server-side virus
    scanner. Read all about it in Jonathan Chau's latest article on our Web
    site.
    http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20394
    
    * REVIEW: WINWHATWHERE INVESTIGATOR 3.0
    Rodney Landrum admits he's looked through Web logs to see which users on
    his company's network visit illicit Web sites and which spend hours
    surfing instead of working. As a network administrator, Rodney has also
    used data-packet-capture tools for troubleshooting. However, some
    administrators might find more detailed user-activity reports desirable,
    especially if they suspect illegal conduct on the business's computer
    systems. WinWhatWhere's WinWhatWhere Investigator 3.0 is more than a Web
    log. The product captures data from Windows 2000, Windows NT, Windows
    Me, and Windows 9x machines. Learn all about the application in Rodney's
    latest review on our Web site.
    http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20390
    
    5. ========== NEW AND IMPROVED ==========
    (contributed by Judy Drennen, productsat_private)
    
    * ADVANCED SECURITY SOFTWARE FOR PALM OS
    Asynchrony released PDABomb, a security application that locks Palm
    OS-based handheld devices and provides powerful, customizable, and
    flexible encryption of personal data. The application disables data
    transfer mechanisms such as HotSync and IrDA so that no one can retrieve
    information without the correct password. After a certain number of
    incorrect password attempts, the user can opt to set off the "bomb,"
    which erases all data and applications from the device. The user can
    then restore the data by syncing the device with a backup maintained on
    the user's computer. Go to http://www.pdabomb.com for more information
    about PDABomb.
    http://www.asynchrony.com
    
    * PERSONAL FIREWALL PROTECTS PCS BEFORE WINDOWS LAUNCHES
    Tiny Software announced Tiny Personal Firewall, a personal firewall
    positioned between the network interface adapter and the OS so that the
    PC is protected in the initial seconds of booting. This setup eliminates
    the possibility of hackers intruding with Trojan horses during this
    crucial and vulnerable stage. Tiny Personal Firewall offers many
    firewall features and is compatible with Windows 2000, Windows NT,
    Windows Me, and Windows 9x. The application is free for personal use,
    and pricing starts at $39 for business use. Bulk license rates are also
    available. For more information, go to the Tiny Software Web site.
    http://www.tinysoftware.com
    
    * INTERNET CONTENT SECURITY SOLUTION
    Aladdin Knowledge Systems released eSafe Gateway 3.01, an Internet
    content security solution that provides simple installation and fast
    content inspection using new NitroInspection Plug & Play (PnP)
    technology. IT managers plug eSafe Gateway 3.01 behind the firewall
    using a crossed network cable, and installation is complete. eSafe
    Gateway 3.01 provides immediate content inspection and verifies
    on-the-fly the content-type of the data transferred via HTTP. The
    application pushes through the graphics/audio/video content that doesn't
    contain malicious code, while inspecting other potentially malicious
    content such as HTML, ActiveX, Java, viruses, and vandals. For more
    information, go to the Aladdin Web site.
    http://www.ealaddin.com
    
    6. ========== SECURITY TOOLKIT ==========
    
    * BOOK HIGHLIGHT: PKI: IMPLEMENTING AND MANAGING E-SECURITY
    By Andrew Nash, Bill Duane, and Derek Brink
    Fatbrain Online Price: $49.99
    Softcover; 513 pages
    Published by McGraw-Hill Professional Book Group, May 2001
    ISBN 0072131233
    Have you installed adequate security to protect your network from
    hackers? Written by RSA Security experts, "PKI: Implementing and
    Managing E-security" provides you with the tools to prevent access to
    your data and to secure any electronic transactions. This book explores
    public key infrastructure (PKI) basics, PKIX model, X509, trust models,
    privilege management, and biometrics.
    
    For more information or to purchase this book, go to the Windows 2000
    Magazine Bookstore and click UPDATE Highlights under Highlighted Titles.
    http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772
    
    Or go to
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0072131233
    and enter WIN2000MAG as the discount code when you order the book.
    
    * VIRUS ALERT: W32/MATCHER
    Panda Software and the Windows 2000 Magazine Network have teamed to
    bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
    http://www.windowsitsecurity.com/panda
    
    W32/Matcher
    W32/Matcher is a worm designed to propagate through email. The worm is
    written in Visual Basic (VB) and is 28KB. W32/Matcher requires the
    Msvbvm60.dll Visual Basic Dynamic Library to work properly. The worm
    reaches systems in the form of an email message with a subject of
    "Matcher" and a message body that reads, "Want to find your love
    mates!!! Try this its cool... Looks and Attitude matching to opposite
    sex." The worm carries a file attachment called Matcher.exe that infects
    the user's system. To learn all about Matcher, be sure to visit our
    Center for Virus Control.
    http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1084
    
    * FAQ: I'VE UPGRADED TO WINDOWS 2000 SERVER WITH SERVICE PACK 1 (SP1)
    SLIPSTREAMED. WHY DOESN'T THE REGISTRY SHOW THAT SP1 IS INSTALLED?
    ( contributed by John Savill, http://www.windows2000faq.com )
    
    Slipstreaming, which lets you integrate a service pack's content into a
    setup area for the OS, is a great addition to Win2K. However, a known
    problem exists: The system doesn't update the registry key that
    indicates that SP1 is installed. This is a minor issue, and you can
    resolve it by performing the following steps:
      1. Start regedit.exe.
      2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
      3. From the Edit menu, select New, String value.
      4. Enter a name of CSDVersion, and press Enter.
      5. Double-click the value and set it to Service Pack 1. Click OK.
      6. Close regedit.
    You can also download and run the servicepack1.reg script, located on
    our Windows NT/2000 FAQ site.
    http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=20686
    
    * SOHO SECURITY: USING PGP TO SECURE YOUR SOHO EMAIL
    Small office/home office (SOHO) users often need to send and receive
    private email. Although SOHOs don't have the resources that are
    available to larger organizations to maintain email security and
    integrity, SOHOs still might need to use cryptography for protection.
    Learn how to use Pretty Good Privacy (PGP) to keep your email
    communication more secure in Jonathan Hassel's latest article on our Web
    site.
    http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20696
    
    * NEW POLL: WHICH ADMINISTRATIVE SCRIPTING LANGUAGE DO YOU USE MOST
    OFTEN?
    Which scripting language do you use most often to perform administrative
    tasks? Visit our Web site and take our latest poll. We'll use your
    answers to learn which types of scripting languages we should cover in
    detail in our publications.
    http://www.windowsitsecurity.com
    
    7. ========== HOT THREADS ==========
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
    
    The following text is from a recent threaded discussion on the Windows
    2000 Magazine online forums.
    http://www.win2000mag.net/forums
    
    April 07, 2001, 07:29 A.M.
    Problem Sending Mail from MS-Outlook Express (Client Side)
    (Five messages in this thread)
    I have MS-Proxy Server 2.0 on my Windows NT 4.0 (SP4) machine. I am
    using Windows 98 and Windows 95 on the client side. I am using
    MS-Outlook Express 5.0 on the client machine. I can receive email, but I
    cannot send mail with Outlook Express. An error generates...
    
    "The message could not be sent because one of the recipients was
    rejected by the server. The rejected e-mail address was
    'aamir_riaz999at_private'. Subject 'Test Mail', Account: 'Aamir',
    Server: 'fsg6.fascom.com', Protocol: SMTP, Server Response: '550 not
    local host yahoo.com, not a gateway', Port: 25, Secure(SSL): No, Server
    Error: 550, Error Number: 0x800CCC79"
    
    I am using MS-Proxy Client on the client machine. If you know how to
    handle this problem, please reply as soon as possible.
    
    Thread continues at
    http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=63879&mc=5
    
    * HOWTO MAILING LIST
    Each week we offer a quick recap of some of the highlights from the
    HowTo for Security mailing list. The following threads are in the
    spotlight this week.
    
    1. Preventing Exchange 5.5 Server from Being Used to Relay Spam
    (Four messages in this thread)
    My service provider has informed me that they suspect someone is using
    my company's Exchange server to relay SPAM. But other than that they
    offered me no advice as to how to prevent this or even how to track it.
    I have routing turned on in the IMS because I need to support a number
    of Sales People who are on the road, and I am providing OWA as well. The
    mail server itself is sitting behind a firewall, but since it needs to
    have ports open for sending and receiving SMTP, POP3, and IMAP traffic,
    I'm not sure how much protection it has from intruders. Does anyone have
    any advice on what I can do to prevent non-company personnel from using
    the Exchange server and still support POP3 for my remote users?
    http://63.88.172.96/go/page_listserv.asp?A2=IND0104C&L=HOWTO&P=919
    
    2. Reduce Domain Administrators
    (Two messages in this thread)
    Our security department is tasked with resolving a common problem in
    many large organizations--how to reduce the number of Domain Admin
    accounts in a cost-effective way. We need a tool or solution that
    enables us to delegate user rights with a moderate-to-high level of
    granularity. We've looked at software solutions ranging from
    UsermanagemeNT to Aelita Enterprise Delegation Manager. None strike an
    acceptable balance between granularity of control and pricing. Can
    anyone offer a "How to" or mention how their organization reduced their
    number of Domain Administrator accounts?
    http://63.88.172.96/go/page_listserv.asp?A2=IND0104C&L=HOWTO&P=296
    
    Follow this link to read all threads for April, Week 3:
    http://63.88.172.96/go/page_listserv.asp?A1=ind0104C&L=howto
    
    8. ============ CONTACT US ============
    Here's how to reach us with your comments and questions.
    
    * COMMENTS ABOUT THE COMMENTARY?
    Email Mark Joseph Edwards at markat_private
    
    * COMMENTS ABOUT THE NEWSLETTER IN GENERAL?
    Email Managing Editor Trish Faubion at tfaubionat_private. Please
    mention the name of the newsletter in the subject line or body.
    
    * TECHNICAL QUESTIONS?
    Please post your technical questions to the discussion area.
    http://www.win2000mag.net/forums
    
    * PRODUCT NEWS?
    Email press releases to productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
    Email Customer Support at securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE?
    Email emedia_oppsat_private
    
    ********************
    This Security UPDATE is brought to you by Windows 2000 Magazine, the
    leading publication for Windows 2000/NT professionals who want to learn
    more and perform better. Subscribe today.
    http://www.win2000mag.com/sub.cfm?code=00inxupb
    
    |-+-|-+-|-+-|-+-|-+-|-+-|
    
    Windows 2000 Magazine Security UPDATE Staff
    News Editor - Mark Joseph Edwards (mjeat_private)
    Editor - Gayle Rodcay (gayleat_private)
    New and Improved - Judy Drennen (productsat_private)
    Copy Editor - Judy Drennen (jdrennenat_private)
    
    |-+-|-+-|-+-|-+-|-+-|-+-|
    
    ========== GET UPDATED! ==========
    Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice, including Win2K Pro, Exchange Server, training
    and certification, SQL Server, IIS administration, .NET development,
    application service provision, .NET, wireless and mobile devices, and
    more. Visit our Web site to subscribe to our other FREE email
    newsletters.
    http://www.win2000mag.com/sub.cfm?code=up00inxwnf
    |-+-|-+-|-+-|-+-|-+-|-+-|-
    
    Thank you for reading Security UPDATE.
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
    


