[ISN] Security UPDATE, May 16, 2001

From: InfoSec News (isnat_private)
Date: Wed May 16 2001 - 17:42:13 PDT


    ********************
    Windows 2000 Magazine Security UPDATE--brought to you by the Windows
    2000 Magazine Network
       **Watching the Watchers**
       http://www.win2000mag.net/Channels/Security
    ********************
    
    >>>> SPONSOR: BINDVIEW CORPORATION <<<<
       Security is the key issue in today's interconnected world and
    BindView is right on top of it with a new, highly informative eBook, The
    Definitive Guide to Windows 2000 Security. This eBook covers all the
    bases of a comprehensive security methodology for your Microsoft Windows
    2000 environment. It's heavy into the detail of what goes into a great
    IT security system, and is specifically geared for Windows 2000
    platforms. Written by Paul Cooke, an Information Security professional
    with more than 10 years' experience developing and deploying security
    solutions, the tips, tricks, and info packed into this volume are
    priceless! Get it FREE at
       http://www.bindview.com/ebook.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    May 16, 2001--In this issue:
    
    1. IN FOCUS
         - Three Great Security Tools
    
    2. SECURITY RISKS
         - IIS Might Allow Remote Command Execution
         - DoS in Windows 2000 Kerberos Service 
         - DoS in WFTPD FTP Server 
         - Crush FTP Relative Path Vulnerability
    
    3. ANNOUNCEMENTS
         - Microsoft TechEd 2001 Europe, Barcelona, Spain 
         - IIS Administrator Newsletter--Help Is on the Way 
    
    4. SECURITY ROUNDUP
         - News: Fast-Spreading Homepage Worm Directs Readers to View Porn
         - News: Microsoft Sites Suffer Defacement 
         - News: New Worm Causes Solaris to Attack Windows
         - Review: Good Migrations
         - Review: UserManagemeNT 5.3 Professional and Import
    
    5. HOT RELEASES (ADVERTISEMENTS)
         - CyberwallPLUS Firewalls for NT/2000 Servers
         - The Most Important EVENT in Your Network!
    
    6. SECURITY TOOLKIT
         - Book Highlight: Cryptography in C and C++
         - Virus Center Virus Alert: Homepage.A
         - FAQ: Do You Know an Easy Way to Determine Which User is Logged on
    to the Computer and Which Domain Controls the Computer?
         - Windows 2000 Security: Internet Explorer Security Options, Part
    4
    
    7. NEW AND IMPROVED
         - New Management Platform for Large Security Deployments
         - Fight Web Site Attacks
         - Proactive Security Solution
    
    8. HOT THREADS 
         - Windows 2000 Magazine Online Forums
               Changing the System Time
         - HowTo Mailing List
               Legal Notice Text
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    >>>> THIS ISSUE SPONSORED BY <<<<
    
    BindView Corporation
       http://www.bindview.com/ebook
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== COMMENTARY ====
    
    Hello everyone,
    
    Microsoft released another security bulletin (MS01-026) this week about
    serious vulnerabilities in IIS. One problem lets a remote intruder run
    commands on the server; two other problems affect the FTP service where
    intruders can cause Denial of Service (DoS) attacks or find valid user
    accounts across internal and trusted domains. Don't take these problems
    lightly; make sure you load the patch, which is linked in our report
    under Security Risks. This IIS patch is a cumulative patch that contains
    all previous IIS patches, so after you load it you don't have to load
    the previous patches.
    
    I point out this latest bulletin from Microsoft because I know about a
    new IIS add-on that prevents these and other types of problems whether
    or not you've patched your systems. eEye Digital Security developed the
    tool, called SecureIIS, and released it only 4 weeks ago. SecureIIS is
    an application firewall module that filters all inbound and outbound Web
    traffic, looking for traffic patterns that might indicate an attack is
    underway. SecureIIS loads itself into the same memory space as IIS so,
    according to eEye, the product can examine Secure Sockets Layer (SSL)
    traffic without affecting server performance.
    
    When I first heard about SecureIIS, I wondered what it offered for
    detecting and preventing unknown attacks. Soon after, I found out how
    effective the product can be. On May 1, Microsoft released bulletin
    MS01-023 regarding a serious vulnerability (discovered by eEye) in the
    IIS .printer extension that lets remote intruders run code of their
    choice under the security context of the System account by exploiting an
    unchecked buffer. As it turns out, SecureIIS can detect buffer overflow
    exploits and stop them cold. So users of SecureIIS didn't
    experience the problems reported in Microsoft's bulletin. The same holds
    true for the directory traversal and parsing error condition mentioned
    in Microsoft's latest IIS bulletin--SecureIIS users remain unaffected
    because the plug-in generically stops directory traversal attacks,
    parsing attacks, buffer overflow attacks, and more. Be sure to check it
    out.
       http://www.eeye.com/html/Products/SecureIIS/index.html
    
    Are you interested in biometric security? Another slick tool I've used
    for the past month is Identix's BioLogon. BioLogon is a fingerprint
    logon mechanism for Windows 2000, Windows NT, and Windows 9x systems
    that eliminates the need for passwords. The unit I have came as a PC
    card finger scanner, which I slipped into a laptop running Win2K. The
    product integrates into the Windows security subsystem, and you can
    configure it in a variety of ways, including fingerprint-only logons,
    where passwords aren't allowed--no matter how the system is booted, a
    person can't log on without the correct fingerprint. When combined with
    disk encryption, BioLogon offers strong security, especially for mobile
    users who are more susceptible to stolen or lost computer equipment. You
    can use BioLogon as standalone security for one system, or you can
    integrate the tool across a network with Identix's BioServer software.
    If you're looking for fingerprint-based security technology, give
    BioLogon a close look. 
       http://www.identix.com/itsecurity/products/biologonclient.html
    
    The third security product I've been playing with is an
    intrusion-detection system (IDS) called Snort, which is provided free to
    everyone under the GNU General Public License (as published by the
    Free Software Foundation). Snort was originally designed by Martin
    Roesch to run on UNIX systems; however, Michael Davis has graciously
    ported Snort to the Win32 platform so now it runs on Windows.
    
    Like other IDSs, Snort works by comparing network traffic to a
    database of known attack types and traffic patterns. Snort is very
    flexible; users can write their own rules using fairly simple syntax, or
    they can download any of several predefined attack signature databases
    (called rules) for use within the product. The ability to define your
    own attack signatures means that you don't have to wait for your IDS
    vendor to produce them for you; you can protect yourself as soon as you
    discover a new risk by writing your own rules.
    
    No IDS can detect attack types it doesn't know about, so the rules are
    crucial. And because Snort is freeware (and open source at that), the
    tool has a tremendous amount of community support, and as a result, new
    rules are created about as fast as hackers and crackers discover new
    exploits. So in most cases, instead of writing your own rules, you can
    simply go to a site that maintains Snort rules and quickly download any
    new rules. For example, Whitehats.com maintains a list of rules called
    Vision that add to Snort's detection capabilities, so if you use Snort,
    consider loading the Vision rules along with any others you find
    useful.
    
    Developers have created many Snort add-ons that make the tool easier to
    use. Snort is command-line-based, so remembering the command switches is
    cumbersome. Snort users realized this and created Windows-based GUIs for
    Snort. The GUIs help automate command-line switch configurations through
    the use of simple dialogs. Other add-ons include log analyzers that help
    make sense of Snort logs. Logs can be written in Snort's native ASCII
    log format or to a familiar TCPDump-style binary format. In addition,
    Snort can send its output to a POSIX-compliant syslog daemon (which
    typically runs on UNIX systems), to the Win2K/NT Event Log, or to a SQL
    database--all of which help you take advantage of existing technology
    infrastructures.
    
    Setting up Snort takes a little work, but its setup isn't beyond the
    capability of any network administrator who understands basic networking
    concepts. The real work comes from the need to download Snort along with
    other required components that might not be present on your system
    (e.g., WinPcap, which provides the packet driver--DLL file--that the
    Win32 version of Snort uses). 
    
    I installed Snort, a GUI-based configuration tool, and a log
    analyzer/alerter in less than an hour. I installed the software on a
    honey pot I leave running on my network as bait, and in the first 3
    days, it caught crackers' port scans as well as their attempts to break
    into the honey pot's Web service, mail server, and DNS server. I suppose
    it's no coincidence that two of those three crack attempts originated
    from networks in China! (See last week's column, "Cyberwar: Deadly
    Battleground or Hype Beyond Compare?" --
    http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21030 )
    
    Snort is easy to use, good at detecting attacks, runs on a variety of
    OSs, and comes with a plethora of snap-ins and add-ons that further
    extend its abilities. If you thought you couldn't afford a good IDS
    system for your network, Snort is just what you need--and it's free! You
    can thank the open-source community for that fact. You can get Snort and
    the required WinPcap packet driver at the following URLs:
       http://www.snort.org
       http://netgroup-serv.polito.it/winpcap
    
    Until next time, have a great week. 
    
    Sincerely,
    Mark Joseph Edwards, News Editor (markat_private)
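
    As an added illustration of the rule writing the column describes (this
    is example code written for this page, not Snort's own code or eEye's),
    the following Python implements a tiny subset of Snort's rule syntax
    (destination port, content, nocase) and runs three constructed rules
    over constructed request payloads: an IIS Unicode directory traversal,
    a request for the .printer extension, and an FTP CWD with "..". The
    rule subset, the sample rules, and the packets are all assumptions made
    for the example; real Snort rules carry many more options and Snort
    itself reads live traffic through WinPcap or libpcap.

```python
"""Minimal Snort-style rule matcher (an added illustration, not Snort's code).

A rule is one line in a small subset of Snort's syntax:
  action proto src sport -> dst dport (msg:"..."; content:"..."; nocase;)
Only the destination port and the content/nocase options are evaluated.
The rules and packets below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    msg: str = ""
    contents: list = field(default_factory=list)  # [pattern_bytes, nocase] pairs


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raises ValueError if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = Rule(m["action"], m["proto"], m["dport"])
    last = None
    for opt in (o.strip() for o in m["opts"].split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            last = [val.encode("latin-1"), False]
            rule.contents.append(last)
        elif key == "nocase" and last is not None:
            last[1] = True  # modifier applies to the preceding content
    return rule


def matches(rule: Rule, dport: int, payload: bytes) -> bool:
    """True if the port matches and every content pattern occurs in the payload."""
    if rule.dport != "any" and int(rule.dport) != dport:
        return False
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def scan(rules, packets):
    """packets: iterable of (dst_port, payload). Returns [(msg, payload), ...]."""
    return [(r.msg, payload) for dport, payload in packets
            for r in rules if r.action == "alert" and matches(r, dport, payload)]


# Constructed rules in the subset above (not from any published rule set).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-IIS unicode directory traversal"; content:"/..%c0%af../"; nocase;)',
    'alert tcp any any -> any 80 (msg:"WEB-IIS .printer access"; content:".printer"; nocase;)',
    'alert tcp any any -> any 21 (msg:"FTP CWD traversal attempt"; content:"CWD "; nocase; content:"..";)',
]

# Constructed packets: (destination port, payload).
SAMPLE_PACKETS = [
    (80, b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    (80, b"GET /default.printer HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    (80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    (21, b"CWD ../../winnt\r\n"),
    (21, b"CWD pub\r\n"),
]


def demo():
    """Run the sample rules over the sample packets and return the alerts."""
    return scan([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS)


if __name__ == "__main__":
    for msg, payload in demo():
        print(f"[alert] {msg}: {payload[:48]!r}")
```

    The point the example makes is the one in the column: the detection
    logic is generic, and what a rule catches is entirely a function of the
    content patterns you (or the rule maintainers) put in it, so an IDS is
    only as current as its rule set.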
    
    2. ========== SECURITY RISKS =========
       (contributed by Ken Pfeil, kenat_private)
    
    * IIS MIGHT ALLOW REMOTE COMMAND EXECUTION
       Three vulnerabilities were recently discovered in Microsoft's IIS 4.0
    and 5.0 that can lead to a Denial of Service (DoS), remote code
    execution, and information disclosure. The DoS vulnerability is in the
    function that processes wildcard requests in the FTP service. The remote
    code execution vulnerability lets an attacker run commands and scripts
    on the server in the security context of the IUSR_machinename account,
    which by default is a member of the Everyone group. The information
    disclosure vulnerability lets an attacker use the FTP service to
    enumerate Guest accounts in the local domain and in trusted domains.
    Microsoft has acknowledged these vulnerabilities and recommends that
    users immediately apply the cumulative patch referenced in Security
    Bulletin MS01-026.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21101
    
    * DOS IN WINDOWS 2000 KERBEROS SERVICE 
       Defcom Labs discovered that a Denial of Service (DoS) condition in
    the Windows 2000 Kerberos and Kerberos password services can let an
    intruder disrupt those services on a network. Microsoft has released an
    FAQ and a patch to remedy this vulnerability. 
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21043
    
    * DOS IN WFTPD FTP SERVER 
       Joe Testa discovered a Denial of Service (DoS) condition in Texas
    Imperial Software's WFTPD program. If an attacker connects to the FTP
    server and issues a change directory (CWD) command that targets the
    server's 3.5" floppy drive, the server attempts to process the request
    and the FTP service becomes unavailable to other users. The vendor will
    correct the problem in version 3.1. As a workaround, disable the floppy
    drive in the FTP server's BIOS.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21003
    
    * CRUSH FTP RELATIVE PATH VULNERABILITY
       Joe Testa discovered a vulnerability in CrushFTP that lets an
    attacker break out of the configured FTP root. For example, by
    connecting to a vulnerable host and issuing a change directory (CWD)
    command with a relative path, an attacker can reach the directory in
    which the FTP server itself is running, outside the FTP root. An
    attacker can also download files outside the FTP root by using relative
    paths. Version 2.17 is now available and isn't vulnerable to this
    problem.
       http://www.windowsitsecurity.com/articles/index.cfm?articleID=21007
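
    The IIS parsing error and the CrushFTP relative-path bug above are both
    instances of the same general mistake: a server trusts a client-supplied
    path before it has been fully decoded and canonicalized. The following
    Python, added here as an illustration and not code from Microsoft,
    CrushFTP, or either advisory (it does not reproduce the exact flaw in
    either product), contrasts a check made on the raw string with one made
    after decoding and normalization. ROOT and the sample requests are made
    up for the example.

```python
"""Confining a client-supplied path to a server root (added example).

vulnerable_resolve() checks the raw string for ".." and decodes afterwards,
so an encoded "%2e%2e" passes the check and still escapes the root.
safe_resolve() decodes until the string stops changing (catches double
encoding), normalizes separators and dot segments, and only then verifies
that the result still lies under the canonical root.
ROOT and SAMPLE_REQUESTS are constructed for this example.
"""
import posixpath
from urllib.parse import unquote

ROOT = "/srv/ftp"  # hypothetical FTP root


def vulnerable_resolve(root: str, requested: str):
    """Reject a literal '..', then join. Decoding happens only after the
    check, which is the ordering bug this example is about."""
    if ".." in requested:
        return None
    decoded = unquote(requested)
    return posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))


def safe_resolve(root: str, requested: str, max_decodes: int = 3):
    """Decode repeatedly, normalize, then check containment against the
    canonical root. Returns the resolved path or None on any escape."""
    path = requested
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path:
        return None                      # still changing: treat as hostile
    path = path.replace("\\", "/")       # Windows-style separators count too
    root_n = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_n, path.lstrip("/")))
    if full != root_n and not full.startswith(root_n + "/"):
        return None
    return full


SAMPLE_REQUESTS = [
    "pub/file.txt",               # legitimate
    "../etc/passwd",              # plain traversal: both versions catch it
    "%2e%2e/%2e%2e/etc/passwd",   # encoded: the vulnerable version escapes
    "%252e%252e/etc/passwd",      # double encoded
    "pub%5c..%5c..%5cwinnt",      # encoded backslashes
]


def demo() -> dict:
    """Resolve every sample request with both functions: req -> (vuln, safe)."""
    return {req: (vulnerable_resolve(ROOT, req), safe_resolve(ROOT, req))
            for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, (vuln, safe) in demo().items():
        print(f"{req:28} vulnerable={vuln!s:28} safe={safe}")
```

    The check in safe_resolve() compares against the canonical root with a
    trailing separator, so a sibling directory such as /srv/ftp2 is not
    mistaken for a path inside /srv/ftp.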
    
    3. ==== ANNOUNCEMENTS ====
    
    * MICROSOFT TECHED 2001 EUROPE, BARCELONA, SPAIN
       July 3 through 6, join 7000 IT professionals and developers at the
    premier technical education event for solutions built on the Microsoft
    platform. If you're designing and building leading-edge solutions for
    today's business needs, then Microsoft TechEd 2001 Europe is for you.
    Book before May 18 for a EUR 300 discount. For full details and to
    register, visit the following site: 
       http://www.microsoft.com/europe/teched/home.asp
    
    * IIS ADMINISTRATOR NEWSLETTER--HELP IS ON THE WAY
       Do you wish you had a reliable resource to turn to when your Web
    server is down and you're out of answers? Subscribe to IIS
    Administrator, a monthly print newsletter, and start getting the tools,
    solutions, and advice you need to effectively manage your Web site with
    IIS. 
       http://www.iisadministrator.com/sub.cfm?code=niei241e1a
    
    4. ========== SECURITY ROUNDUP ==========
    
    * NEWS: FAST-SPREADING HOMEPAGE WORM DIRECTS READERS TO VIEW PORN
       A new worm, nicknamed Homepage, is spreading fast across the
    Internet. The Homepage worm spreads by sending a copy of itself to all
    addresses in the recipients' Outlook address book. The message subject
    reads "Homepage," and the message body contains the sentence "You've got
    to see this page! It's really cool ;O)". The attachment
    (homepage.html.vbs) is a VBScript file that, when run, opens one of four
    randomly selected pornographic Web sites.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21033
    
    * NEWS: MICROSOFT SITES SUFFER DEFACEMENT
       Microsoft suffered another Web site defacement last week--this time
    at streamer.microsoft.com. A group calling itself Prime Suspectz
    replaced the site's home page with a message that read, "Microsoft
    Owned. Where is the security?" The same group claimed responsibility for
    defacing the Microsoft Mexico, Saudi Arabia, and UK sites 2 weeks ago.
    
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21022
    
    * NEWS: NEW WORM CAUSES SOLARIS TO ATTACK WINDOWS
       The CERT Coordination Center (CERT/CC) issued an advisory today
    detailing a new worm that causes a Sun Microsystems Solaris system to
    attack Windows systems. The worm exploits a vulnerability in Solaris to
    install itself, then seeks out and attacks IIS-based systems. According
    to the advisory, the problem stems from a 2-year-old buffer overflow
    condition in the sadmind program (part of Solstice AdminSuite) and a
    7-month-old directory traversal vulnerability common to unpatched IIS
    4.0 and 5.0 systems.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21023
    
    * REVIEW: GOOD MIGRATIONS
       Computers have personalities, in the form of user-customized network,
    desktop, and application settings. Recreating a computer's personality
    on a new or upgraded machine can be time-consuming, especially when you
    need to repeat the task for multiple computers. The ability to migrate,
    rather than recreate, a computer's personality can save significant time
    and resources. Miramar Systems' Desktop DNA 2.5, Altiris's PC Transplant
    Pro 2.1 beta, and Tranxition's Personality Tranxport Professional (PT
    Pro) 2.0 give you this ability. You can save users' personalized
    settings, set up new computers or upgrade existing computers, then
    reapply the saved settings. The new or upgraded computers look familiar
    to users, who can immediately find printers, mapped network shares, and
    shortcuts. Learn all about these products in Joshua Orrison's Lab
    Comparative on our Web site!
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20393
    
    * REVIEW: USERMANAGEMENT 5.3 PROFESSIONAL AND IMPORT
       Windows 2000 and Windows NT include easy-to-use graphical functions
    to help you create, modify, and delete user accounts. However, both
    products lack the flexibility to manage large numbers of users.
    Tools4ever's UserManagemeNT 5.3 product suite includes powerful
    enterprise-class Win2K/NT utilities that let you manage user-account and
    user-resource creation, movement, and deletion from within any
    configured domain. To learn about UserManagemeNT 5.3, be sure to read
    Marty Scher's Lab Review on our Web site.
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20392
    
    5. ==== HOT RELEASES (ADVERTISEMENTS) =====
    
    * CYBERWALLPLUS FIREWALLS FOR NT/2000 SERVERS
       CyberwallPLUS uses stateful packet inspection and fine-grain network
    access control to bring full feature firewall security to NT/2000
    servers operating in "electronically open" networks - and it includes
    active intrusion detection to further protect servers.
    Free 30-day evaluation.
       http://www.network-1.com/support/download.html
    
    * THE MOST IMPORTANT EVENT IN YOUR NETWORK!
       Aelita EventAdmin gives you control over your Windows NT/2000
    network. It analyzes, reports and alerts on event data collected from
    all your distributed systems.
       Aelita EventAdmin . . .We Analyze, We Report, We Secure.
       http://www.aelita.com/516securityupdate
    
    6. ==== SECURITY TOOLKIT ====
    
    * BOOK HIGHLIGHT: CRYPTOGRAPHY IN C AND C++
       By Michael Welschenbach
       List Price: $49.95   
       Fatbrain Online Price: $39.96
       Softcover; 380 pages plus CD-ROM
       Published by Apress, February 2001
       ISBN 189311595X
    
    For more information or to purchase this book, go to
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=189311595X
    and enter WIN2000MAG as the discount code when you order the book.
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to
    bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
       http://www.windowsitsecurity.com/panda
    
     - VIRUS ALERT: HOMEPAGE.A
       The Homepage.A Internet worm was created using a VBS worm generator
    and is similar to the February 2001 Anna Kournikova worm. It spreads via
    Microsoft Outlook by sending itself as an email attachment to all
    addresses in the infected user's address book. Then the worm tries to
    randomly open one of four pornographic Web sites using the default Web
    browser. For complete technical details about this and other viruses, be
    sure to visit our Center for Virus Control.
       http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1092
    
    * FAQ: DO YOU KNOW AN EASY WAY TO DETERMINE WHICH USER IS LOGGED ON TO
    THE COMPUTER AND WHICH DOMAIN CONTROLS THE COMPUTER?
       ( Bob Chronister, http://www.windows2000faq.com )
    
    In this case it's time to forget Windows NT 4.0's GUI and go to the
    command line. Bob Chronister knows some wonderful and easy commands that
    can solve your problem. Bob prefers the "Net Config Workstation"
    command, which tells you about the workstation's configuration. For
    example, Figure 1 at the URL below shows information about the notebook
    on which Bob wrote this FAQ. Various command-line utilities are
    available to help you find information or set up a network. 
       http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=20758
    
    * WINDOWS 2000 SECURITY: INTERNET EXPLORER SECURITY OPTIONS, PART 4
       In Part 1 and Part 2, Randy Franklin Smith described security zones
    and settings in Microsoft Internet Explorer (IE) 5.0. In Part 3, Randy
    showed you the IE security settings that control cookies and file
    downloads. In Part 4, Randy shows you how to securely set IE's Java
    permissions and describes some of the settings under the Miscellaneous
    group of security settings. Be sure to read the article on our Web
    site.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21026
    
    7. ==== NEW AND IMPROVED ====
    (contributed by Judy Drennen, productsat_private)
    
    * NEW MANAGEMENT PLATFORM FOR LARGE SECURITY DEPLOYMENTS 
       NetScreen Technologies announced NetScreen-Global PRO, a strategy to
    simplify deployment and management of security technology for
    enterprises and service providers. NetScreen-Global PRO is a scalable
    security management platform that lets customers provide and control
    NetScreen's line of security systems and appliances that integrate
    firewall and VPN capabilities. For more information, contact NetScreen
    through its Web site.
       http://www.netscreen.com
    
    * FIGHT WEB SITE ATTACKS
       Tripwire released Tripwire for Web Pages, a solution that detects
    unauthorized modifications to Web site content, prevents the delivery of
    modified pages, and instantly alerts the system administrator. Tripwire
    for Web Pages determines whether an intruder has altered a Web page by
    comparing the date and the digital signature of the current Web page to
    that of the "known good" authorized file saved in the database. Tripwire
    for Web Pages is available immediately for an introductory price of
    $1095 in North America. For more information about Tripwire, go to the
    Web site.
       http://www.tripwire.com
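
    To make the comparison Tripwire for Web Pages describes concrete, here
    is an added Python example (not Tripwire's code) that baselines a
    document root with SHA-256 digests, reports modified, added, and removed
    files, and refuses to serve a page whose digest no longer matches the
    known-good record. The throwaway site it builds in a temporary directory
    is constructed for the example.

```python
"""Web-content integrity check in the style described above (added example).

baseline() records a SHA-256 digest for every file under a document root;
compare() reports files whose digest changed, plus files added or removed;
serve_if_clean() returns a page only while it still matches the baseline.
demo() builds a small throwaway site, takes a baseline, defaces one page,
adds one file, deletes another, and returns the resulting report.
"""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large pages are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(docroot: str) -> dict:
    """Map of relative path -> digest for every regular file under docroot."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            snapshot[rel] = file_digest(full)
    return snapshot


def compare(known_good: dict, current: dict) -> dict:
    """Classify differences between a saved baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in known_good
                           if p in current and current[p] != known_good[p]),
        "added": sorted(p for p in current if p not in known_good),
        "removed": sorted(p for p in known_good if p not in current),
    }


def serve_if_clean(docroot: str, known_good: dict, rel: str):
    """Return the page bytes only if the file still matches the baseline;
    otherwise None (a real deployment would serve a placeholder and alert)."""
    full = os.path.join(docroot, rel)
    if rel not in known_good or not os.path.isfile(full):
        return None
    if file_digest(full) != known_good[rel]:
        return None
    with open(full, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed site: baseline it, tamper with it, report the differences."""
    with tempfile.TemporaryDirectory() as site:
        pages = {"index.html": b"<h1>Welcome</h1>", "about.html": b"<p>About</p>"}
        for rel, body in pages.items():
            with open(os.path.join(site, rel), "wb") as f:
                f.write(body)
        known_good = baseline(site)
        # simulate a defacement, an added file, and a deleted file
        with open(os.path.join(site, "index.html"), "wb") as f:
            f.write(b"<h1>defaced</h1>")
        with open(os.path.join(site, "x.asp"), "wb") as f:
            f.write(b"<% %>")
        os.remove(os.path.join(site, "about.html"))
        report = compare(known_good, baseline(site))
        report["index_served"] = serve_if_clean(site, known_good, "index.html") is not None
        return report


if __name__ == "__main__":
    print(demo())
```

    The baseline only has value if the intruder who can rewrite pages cannot
    also rewrite it, so keep the known-good database off the Web server or
    on read-only media and treat "added" entries as seriously as "modified"
    ones: a new .asp or .exe in the document root is how a defacement turns
    into a foothold.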
    
    * PROACTIVE SECURITY SOLUTION
       OKENA released StormWatch, a security solution that improves network
    uptime by protecting against both file and network attacks that
    originate externally or from inside the security perimeter. At the heart
    of OKENA StormWatch lies the Rules Engine, which lets OKENA security
    experts implement behavioral rules, "out of the box," to enforce
    behavior for IIS Web servers, Microsoft SQL Server databases, Microsoft
    Office desktops, and more. These rules recognize any irregular behavior
    within the network or host and immediately stop that activity and
    prevent further intrusion into the enterprise. OKENA StormWatch starter
    pack costs $8995. For more information, contact OKENA at 781-209-3200.
       http://www.okena.com
    
    8. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: Changing the System Time
       (Seven messages in this thread)
       Andy Clark is having trouble giving users the ability to change the
    time on their systems. Visit the following URL to read other responses
    or lend a hand.
       http://www.win2000mag.net/forums/rd.cfm?app=64&id=66697
    
    * HOWTO MAILING LIST
       http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo
    
    Featured Thread: Legal Notice Text
       (Three messages in this thread)
       This reader is having problems getting a standard DOD warning banner
    to fully display using group policies. The last few words are truncated;
    however, the user can press the down arrow to display the rest of the
    message. Read other responses or lend a hand at the following URL.
       http://63.88.172.96/go/page_listserv.asp?A2=IND0105A&L=HOWTO&P=79
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT THE COMMENTARY -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please
    mention the newsletter name in the subject line.
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
    Support at securityupdateat_private
    
    * WANT TO SPONSOR Security UPDATE? -- Email emedia_oppsat_private
    
    ********************
       This weekly email newsletter is brought to you by Windows 2000
    Magazine, the leading publication for Windows 2000/NT professionals who
    want to learn more and perform better. Subscribe today.
       http://www.win2000mag.com/sub.cfm?code=wswi201x1z
    
       Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice. Subscribe to our other FREE email newsletters.
       http://www.win2000mag.net/email
    
    |-+-+-+-+-+-+-+-+-+-|
    
    Thank you for reading Security UPDATE.
    
    SUBSCRIBE
    To subscribe send a blank email to
    subscribe-Security_UPDATEat_private
    
    If you have questions or problems with your UPDATE subscription, please
    contact securityupdateat_private 
    ___________________________________________________________
    Copyright 2001, Penton Media, Inc.

    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Thu May 17 2001 - 03:35:07 PDT