******************** Windows 2000 Magazine Security UPDATE--brought to you by the Windows 2000 Magazine Network **Watching the Watchers** http://www.win2000mag.net/Channels/Security ******************** >>>> SPONSOR: SURFCONTROL: EMAIL FILTERING SOFTWARE <<<< SECURITY ALERT: This threat comes from inside your company. Confidentiality leaks and "inappropriate" jokes can cost your company millions. It doesn't stop there -- your unmanaged email system is left vulnerable to spam and spoof attacks -- even worse, virus attacks! Improve your email system efficiency, increase security and limit legal liability the easy way. Install SuperScout Email Filter -- Try it FREE for 30-days. DOWNLOAD now at: http://www.surfcontrol.com/offer/W2KSU0502 ~~~~~~~~~~~~~~~~~~~~ May 2, 2001--In this issue: 1. IN FOCUS - One Million Reasons to Hack a System 2. SECURITY RISKS - RobTex Viking Web/Proxy Server Relative Path Vulnerability - Buffer Overflow Condition in IPSwitch IMail 6 3. ANNOUNCEMENTS - There Is Such a Thing as a Free Lunch! - We're Watching Out for You! 4. SECURITY ROUNDUP - News: W3C Releases Working Draft for XML Encryption - News: FunLove Virus Infects Microsoft Hotfixes - News: Polish Hackers Tame PitBull - Review: UserManagemeNT 5.3 Professional and Import 5. SECURITY TOOLKIT - Book Highlight: Intrusion Signatures and Analysis - Virus Center Virus Alert: W32/Stator Virus Alert: W32/Hello - FAQ: How Do I Enter a Shutdown Description from the Command Line? - Windows 2000 Security: Internet Explorer Security Options, Part 3 6. NEW AND IMPROVED - Early Warning System Organized - Web Site to Educate IT Market About Firewalls - Automated Access Control Solution 7. HOT THREADS - Windows 2000 Magazine Online Forums Problems with MS01-015 - Win2KsecAdvice Mailing List ISA Server Update 8. CONTACT US See this section for a list of ways to contact us. >>>> THIS ISSUE SPONSORED BY <<<< Surfcontrol: Email Filtering Software http://www.surfcontrol.com/offer/W2KSU0502 ...15 Min. Later He Was in the Principal's Office! http://www.tntsoftware.com/security (below SECURITY RISKS) ~~~~~~~~~~~~~~~~~~~~ 1. ==== COMMENTARY ==== Hello everyone, Are you ready for another hacking contest? Various organizations have held hacking contests in the past, some with prize incentives and some without. In 1999, Microsoft hosted a contest to break into Windows 2000, and this year, the company launched another contest to hack the new Windows XP OS. Neither contest offered prizes for winners. To counter Microsoft's Win2K contest, the PowerPC Linux Project (LinuxPPC) launched its own hacking contest in 1999; the winner got to keep the LinuxPPC server that hosted the contest. In January 2001, the Honeynet Project hosted a forensic challenge to see who could determine how a hacker broke in to a system by examining the supplied forensics data. The prize for successful detectives was a copy of the great book, "Hacking Exposed." And just last week, Argus Systems launched a challenge to see who could break into its PitBull security product. The company offered $30,000 to the winner, and a group of Polish hackers took the prize quickly. See the related news item in the SECURITY ROUNDUP section below. Thirty thousand dollars is a lot of money, especially when the winners earned it by hacking into one system over the course of a few days. On the other hand, Argus gained incredibly useful insight about how its product and the system it runs on might be vulnerable to attack. So the money is well spent in my opinion. This week, I learned about a new contest that takes prize offerings to an entirely new level. All you have to do is break the security of Saafnet's upcoming AlphaShield 2000 product--and win a cool $1 million cash. AlphaShield 2000 is Saafnet's soon-to-be-released $149 USB add-on that introduces security by virtually disconnecting the system from the Internet while the user isn't actively receiving data. The product targets home users and small-business networks. The technology's premise is that without an active virtual connection, an intruder can't reach the system. Sounds interesting. Each time someone launches a hacking challenge, I never wonder whether someone will win the challenge; I wonder how much time it will take. Information security technologies have never been 100 percent unbreakable for various reasons, so it stands to reason that someone will eventually win any security hacking challenge. And even though Saafnet's technology sounds strong, it's unproven; I tend to think a chink exists in the armor somewhere. We'll have to wait and see. But even if no one wins the million-dollar prize money, we should still err on safety's side and assume that the technology has a chink somewhere. I'm not sure when Saafnet ( http://www.saafnet.com ) will officially launch the challenge, but I'll let you know when I hear about a launch date. Until next time, have a great week. Sincerely, Mark Joseph Edwards, News Editor markat_private 2. ========== SECURITY RISKS ========= (contributed by Mark Joseph Edwards, markat_private) * ROBTEX VIKING WEB/PROXY SERVER RELATIVE PATH VULNERABILITY A vulnerability exists in the RobTex Viking Web/Proxy Server that lets an attacker break out of the Web root by using relative paths. For example, an attacker can gain access to files outside of the Web root directory by connecting to a vulnerable host and issuing the command http://
>/\...\<file outside of Web root>. The vendor, RobTex, has released build 378 that corrects this problem. http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20873 * BUFFER OVERFLOW CONDITION IN IPSWITCH IMAIL 6 eEye Digital Security discovered that a vulnerability exists in the IPSwitch IMail 6.06 mail server that can let a remote attacker gain system-level access to servers running the SMTP daemon. This vulnerability exists because the IMail SMTP daemon doesn't perform proper bounds checking on the input data that passes to the IMail Mailing List handler code. IPSwitch has released a patch to correct this vulnerability. http://www.windowsitsecurity.com/articles/index.cfm?articleID=20851 ******************** >>>> SPONSOR: ...15 MIN. LATER HE WAS IN THE PRINCIPAL'S OFFICE! <<<< A high school network administrator installed Event Log Monitor on classroom servers to evaluate system performance. The next day, ELM alerted him that a student was trying to break into the system. Within 15 minutes, the would-be hacker was in the Principal's office waiting for his parents to arrive. Use Event Log Monitor to keep tabs on your security perimeter. Because these aren't the only computers teenagers like to hack into. For more information, visit http://www.tntsoftware.com/security ~~~~~~~~~~~~~~~~~~~~ 3. ==== ANNOUNCEMENTS ==== * THERE IS SUCH A THING AS A FREE LUNCH! Do you subscribe to Windows 2000 Magazine? Plan to attend N+I in Las Vegas this May? We're seeking readers for a focus group at N+I. Participants get $100 and a free lunch. If you're interested, email kcollinsat_private Include your name, job title, and phone. * WE'RE WATCHING OUT FOR YOU! While you're busy doing your job, someone is out there preparing to unleash a nasty virus. That's why Panda Software and the Windows 2000 Magazine Network have launched the Center for Virus Control. Find out which viruses could threaten your systems when you're not looking. Check it out! http://www.windowsitsecurity.com/Panda/Index.cfm 4. ==== SECURITY ROUNDUP ==== * NEWS: W3C RELEASES WORKING DRAFT FOR XML ENCRYPTION The World Wide Web Consortium (W3C) has released a working draft of a new standard for encrypting XML-based documents. The organization published the document, "XML Encryption Requirements," April 20, 2001. According to the draft, W3C will design encryption methods to protect all or parts of an XML-based document using existing encryption specifications, such as Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES). http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20863 * NEWS: FUNLOVE VIRUS INFECTS MICROSOFT HOTFIXES Microsoft stopped all access to its hotfixes this week when someone discovered that many of the hotfixes contained the FunLove virus, which first appeared in November 1999. The virus infects Windows-based portable executable documents, ActiveX controls (.ocx files), and screen saver files. When FunLove runs on a Windows NT system, the virus grants Administrator rights to any user who logs on. http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20864 * NEWS: POLISH HACKERS TAME PITBULL Argus Systems, makers of the PitBull security software for Solaris, planned to highlight its 5th Argus Hacking Challenge at the Infosecurity Europe conference this week in London. However, a group of Polish hackers broke in to the system, effectively winning the challenge before Argus ever made it to the conference. http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20844 * REVIEW: USERMANAGEMENT 5.3 PROFESSIONAL AND IMPORT Windows 2000 and Windows NT include easy-to-use graphical functions to help you create, modify, and delete user accounts. However, both products lack the flexibility to manage large user numbers. Tools4ever's UserManagemeNT 5.3 product suite includes powerful enterprise-class NT utilities that let you manage user-account and user-resource creation, movement, and deletion from within any configured domain. You can also use the product with Win2K. Learn all about it in Marty Scher's review on our Web site. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20392 5. ==== SECURITY TOOLKIT ==== * BOOK HIGHLIGHT: INTRUSION SIGNATURES AND ANALYSIS By Stephen Northcutt, Mark Cooper, Matt Fearow, and Karen Federick List Price: $39.99 Fatbrain Online Price: $31.99 Softcover, 408 pages Published by New Riders Publishing, January 2001 ISBN 0735710635 For more information or to purchase this book, go to http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0735710635 and enter WIN2000MAG as the discount code when you order the book. * VIRUS CENTER Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.windowsitsecurity.com/panda Virus Alert: W32/Stator W32/Stator is a worm designed to propagate itself when certain programs, such as Notepad, Windows Media Player (WMP), Control Panel, and Windows Help, execute. The worm renames several existing .vxd files and then creates copies of itself using the original file names. http://22.214.171.124/panda/index.cfm?FuseAction=Virus&VirusID=1087 Virus Alert: W32/Hello W32Hello is a worm that propagates through Microsoft's MSN Messenger program. The worm is written in Visual Basic (VB) 5.0. The file that contains the worm is 10KB and has no icon. http://126.96.36.199/panda/index.cfm?FuseAction=Virus&VirusID=1085 * FAQ: HOW DO I ENTER A SHUTDOWN DESCRIPTION FROM THE COMMAND LINE? ( contributed by John Savill, http://www.windows2000faq.com ) In Windows XP, the new version of shutdown.exe (the tool used to shutdown/reboot from the command line) contains support for tracker descriptions via the -d (description/reason code) and -c (comment) attributes. For example, the command shutdown -t 10 -d up:125:1 -c "Testing" shuts down the system in 10 seconds, with a description of user-defined, planned, major reason 125, minor reason 1, and a comment of "Testing." * WINDOWS 2000 SECURUTY: INTERNET EXPLORER SECURITY OPTIONS, PART 3 Because Web browsing provides so many ways for malicious users to attack your workstations and internal network, make sure your users don't expose your systems to risk while they browse the Web. In Part 1 and Part 2, Randy Franklin Smith described security zones and settings in Microsoft Internet Explorer (IE) 5.0. In Part 3, Randy shows you the IE security settings that let you control cookies and file downloads. Be sure to read the article on our Web site. http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20700 7. ==== NEW AND IMPROVED ==== (contributed by Judy Drennen, productsat_private) * EARLY WARNING SYSTEM ORGANIZED Segura Solutions announced that organizations representing more than 1.5 million users have signed on to the Segura Virus Early Warning System (EWS) Network. Segura-based EWS provides information about new threats and potential problems before they are filtered through the virus labs and public relations arms at antivirus companies. Segura Solutions hosts the EWS for the Anti-Virus Information Exchange Network (AVIEN). Membership in the EWS is available for $99 per year for each two participants per organization. Find more information about the Segura EWS at following Web site. http://www.segura.ca/ewsnetwork.htm * WEB SITE TO EDUCATE IT MARKET ABOUT FIREWALLS Network-1 Security Solutions launched a new Web site to promote and educate the IT market about distributed firewalls. "This seemed an ideal time to provide a place on the Web where IT professionals could go for information and technical resources to further their understanding of this important network security topic," said Avi Fogel, president and CEO of Network-1. The site features general editorial content about distributed firewalls, white papers, articles, news releases, and case studies. http://www.DistributedFirewalls.com * AUTOMATED ACCESS CONTROL SOLUTION Camelot announced the launch of Hark!, an automated access control solution. Based on Network Intelligence technology, Hark! defines, manages, and enforces access control in the interconnected e-business world. The Network Intelligence technology uses proprietary algorithms to analyze network events and deduce an organization's functional structure. This analysis lets network and security administrators manage network users, resources and applications, while controlling the flow of the right information to the right people. Hark! runs on Windows NT, Solaris, and Novell, and the company says a Windows 2000 version should be available this spring. For more information, go to the Camelot Web site. http://www.camelot.com 8. ==== HOT THREADS ==== * WINDOWS 2000 MAGAZINE ONLINE FORUMS http://www.win2000mag.net/forums Featured Thread: Problems with MS01-015 (Two messages in this thread) Dave and his coworkers are unable to install patch MS01-015 on their systems, even though these systems should still require the patch. Read more about his setup and perhaps lend a helping hand at the following URL. http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=65787&mc=2 * WIN2KSECADVICE MAILING LIST http://188.8.131.52/go/win2ks-l.asp?A0=WIN2KSECADVICE Featured Thread: Microsoft ISA Server Vulnerability (Three messages in this thread) Microsoft claims that the ISA Server vulnerability won't let an attacker take control of the ISA Server. Read why this user disagrees at the following URL. http://184.108.40.206/go/win2ks-l.asp?A2=IND0104D&L=WIN2KSECADVICE&P=225 8. ==== CONTACT US ==== Here's how to reach us with your comments and questions: * ABOUT THE COMMENTARY -- Mark Joseph Edwards, markat_private * ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please mention the newsletter name in the subject line. * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums * PRODUCT NEWS -- productsat_private * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private * WANT TO SPONSOR Security UPDATE? -- emedia_oppsat_private ******************** This weekly email newsletter is brought to you by Windows 2000 Magazine, the leading publication for Windows 2000/NT professionals who want to learn more and perform better. Subscribe today. http://www.win2000mag.com/sub.cfm?code=ws00inxupb Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters. http://www.win2000mag.com/sub.cfm?code=up00inxwnf |-+-+-+-+-+-+-+-+-+-| Thank you for reading Security UPDATE. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERVat_private with a message body of "SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Thu May 03 2001 - 04:11:30 PDT