******************** Windows 2000 Magazine Security UPDATE--brought to you by the Windows 2000 Magazine Network
**Watching the Watchers**
http://www.win2000mag.net/Channels/Security
********************

>>>> THIS ISSUE SPONSORED BY <<<<
WebTrends Firewall Suite -- Download Free Trial!
http://www.webtrends.com/redirect/secupdate-fws1.htm
~~~~~~~~~~~~~~~~~~~~

>>>> SPONSOR: WEBTRENDS FIREWALL SUITE -- DOWNLOAD FREE TRIAL! <<<<
Experienced IT Managers know security requires insight! With WebTrends Firewall Suite, you'll get in-depth analysis of both incoming and outgoing traffic through your network. Monitor bandwidth usage, measure VPN activity, and receive alerts by e-mail or pager whenever critical security events occur. Firewall Suite 3.1 provides support for 35 leading firewall and proxy servers, including Cisco and Check Point. Currently a featured download on Tech Republic. Click here for your FREE trial, download now:
http://www.webtrends.com/redirect/secupdate-fws1.htm
~~~~~~~~~~~~~~~~~~~~

May 30, 2001--In this issue:

1. IN FOCUS
- Insurance Companies: Open Source Is Safer than Windows

2. SECURITY RISKS
- Macros Can Run Without Warning under Microsoft Word
- Buffer Overflow Condition in Windows Media Player
- Multiple Vulnerabilities in eEye SecureIIS

3. ANNOUNCEMENTS
- TechNet Summer Roadshow 2001
- The Black Hat Briefings: The Security Event the Experts Rave About

4. SECURITY ROUNDUP
- News: Managed Security Market to Reach $1.7 Billion
- News: Microsoft, McAfee Bring Security to .NET
- Review: Server Consolidation Software
- Review: SolarWinds 2000 Professional Edition 2.1

5. HOT RELEASE (ADVERTISEMENT)
- ICSA Certified Firewall: Free 120-Day Trial

6. SECURITY TOOLKIT
- Book Highlight: Hack Proofing Your E-commerce Site: The Only Way to Stop a Hacker Is to Think Like One
- Virus Center: Virus Alert: VBS/VBSWG.Z
- FAQ: How Can I Make a Palm Pilot (or Similar Device) Authenticate to My Server?
- Windows 2000 Security: Internet Explorer Security Options, Part 5

7. NEW AND IMPROVED
- Network Traffic Analyzer
- Fight Defacement and Intrusion

8. HOT THREADS
- Windows 2000 Magazine Online Forums
  Setting Password Ages
- HowTo Mailing List
  Remotely Change Computer Name for Windows NT

9. CONTACT US
See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

A little more than a year ago, I wrote a column (linked below) about a new service in the high-tech industry: hacker insurance. The column pointed out that, by and large, crackers (often mistakenly referred to as hackers) control the premiums of such policies because crackers perpetrate the break-ins. I was only partially correct in those statements. As with other types of insurance, premiums for hacker insurance are based on risk factors, including the potential for attacks against your network. However, other factors also play a role in policy premiums--namely, the software you use and your staff's ability to manage that software.

Why Intruders Control Internet Insurance (February 2000)
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=8206

I read an interesting article this week (linked below) that talks about how one insurer, J.S. Wurzler Underwriting Managers, has begun charging clients between 5 and 15 percent extra if those clients use Windows NT with the Internet. The added charge stems from statistical analyses that Wurzler performed.
http://www.zdnet.com/intweek/stories/news/0,4164,2766045,00.html

In the course of business, Wurzler has audited more than 400 networks. What the company found is interesting to say the least: Administrators who work with open-source systems are better trained and stay with a given employer longer than Windows-related administrators. According to Wurzler, administrative turnover rates in companies that run Windows can reach 33 percent per year.
As a result, Wurzler considers open-source-based networks safer than Windows networks (because of better administration).

How does Microsoft respond to these claims? According to the article, Microsoft spokesman Jim Desler said, "There's not enough history or business to draw conclusions about rate-setting practices." In addition, the article says Microsoft predicts that "as the market matures, rates are likely to be based on best practices, rather than on platforms or products."

Microsoft's statements seem to justify Wurzler's insurance rates. After all, who establishes best practices in regard to network administration? Individual companies do. And who performs those best practices? The companies' network administrators. But how will Windows administrators develop better practices if they constantly move from company to company? They won't. So Microsoft's comment seems circular to me; the company points to the problem as if it's the solution.

The problem here is two-fold: companies that don't deliver best practices across their networks and administrators who take class after class and continually change jobs to get better pay, benefits, and perks. It's a Catch-22. How can companies deliver best practices when the employees don't stay long enough to make the practices consistent and effective? Somewhere in the open-source realm resides an answer because apparently companies that use open-source platforms don't suffer these problems to the same degree that Windows-based companies do.

I have a friend whose situation is good justification for Wurzler's policy rates. My friend learned about computers in the military--on very dated technology. After leaving the military, he began earning his MCSE. Since then, I've watched him change jobs more often than I wash my car. He started at an entry-level job, where he made less than $40,000 a year. Now, 5 years later, this man carries the title of vice president at a medium-size company where he's in charge of solution development. His pay is more than $120,000 per year, plus benefits and perks. When I ask why he changes jobs so frequently, his answer is always the same: training and money. He gravitates to companies that will pay for his desired training and pay for the expertise he's gained from the training he's already received.

Even with all his training and experience, where does he go when he needs security advice? He comes to me because he isn't retaining enough knowledge to become a standalone worker (with regard to security). He relies on outsiders to fill in any gaps in his security knowledge. Could this knowledge gap have anything to do with frequent job changes? I think so.

Better pay, benefits, and perks help retain workers, but not for long. Compensation in this industry is like a freeway: No matter how fast you drive, someone will pass you. And likewise, no matter how much a company offers someone, another company will offer more.

Some companies have long used training as an employee-retention tactic. For example, when I worked at EDS, the company offered all kinds of training. However, if I took any of the training, I was bound contractually to work for EDS for a given time period. And if I chose to leave EDS before that time ended, I couldn't use the training at another firm for a specified length of time. This tactic does, in fact, help companies retain employees. It also can help identify who intends to stay with your firm, by virtue of who accepts training contracts and who doesn't.

I've yet to come across any tactic as effective in retaining personnel, other than offering relative creative freedom. The jobs I've stayed with longest are the ones that allowed me considerable creative freedom, both with work and the time involved in that work. For me, these things are priceless, so the related pay becomes tertiary. I think many people have the same perspective, and perhaps this perspective points out how freedom can translate into employee loyalty and retention. This perspective might also help explain why open source is so successful in gaining its vast following: the associated creative freedom, which translates into loyalty. Perhaps the creative freedom of the open-source philosophy carries over directly into the workplace and is revealed partially in Wurzler's audit findings.

How do Wurzler's findings compare to what you've observed in your own company? How does your company entice its employees to stay? Visit our Web site (linked below) and click Comment on this Article. I'd love to hear what you've learned about keeping good employees. Until next time, have a great week.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21260

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

2. ==== SECURITY RISKS ====
(contributed by Mark Joseph Edwards, markat_private)

* MACROS CAN RUN WITHOUT WARNING UNDER MICROSOFT WORD
By embedding a macro in a template and providing another user with a Rich Text Format (RTF) document that links to the template, an attacker can cause macros to run automatically when the user opens the RTF document. Microsoft has released an FAQ and a patch to remedy this vulnerability.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21251

* BUFFER OVERFLOW CONDITION IN WINDOWS MEDIA PLAYER
An unchecked buffer in the code that Windows Media Player (WMP) uses to process Active Stream Redirector (.asx) files can be overflowed. An attacker can use the vulnerability to run code on the vulnerable computer under the user's security context. Microsoft has acknowledged this vulnerability and recommends that WMP 6.4 users immediately apply the patch contained in Security Bulletin MS01-029. For users of WMP 7.0, Microsoft recommends an upgrade to version 7.1.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21252

* MULTIPLE VULNERABILITIES IN EEYE SECUREIIS
Multiple vulnerabilities exist in eEye Digital Security's SecureIIS 1.0.2. The first involves the keyword-checking feature: SecureIIS fails to decode escaped characters in a request's query before checking it, which can lead to information disclosure. The second is a directory traversal problem that lets an attacker break out of the Web root directory. The third is a buffer overrun condition caused by the way SecureIIS processes HTTP headers and large-character requests. The vendor, eEye Digital Security, recommends that users upgrade to version 1.0.5, which addresses these vulnerabilities.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21250

3. ==== ANNOUNCEMENTS ====

* TECHNET SUMMER ROADSHOW 2001
TechNet announces its new Summer Roadshow, taking place from May through July at 10 locations throughout the UK. These events include a new program of technical sessions that highlight Microsoft Office XP and Microsoft .NET Enterprise Servers. For details or to register for the free Roadshow, visit Microsoft's Web site.
http://www.microsoft.com/uk/technet/tn_events

* THE BLACK HAT BRIEFINGS: THE SECURITY EVENT THE EXPERTS RAVE ABOUT
Register now for Black Hat Briefings, the world's premier technical event for IT and network security experts, July 11 and 12 in Las Vegas. New this year is a Tools of the Trade track. Join 1500+ security experts and "underground" security specialists at this truly unique conference with many Windows 2000 sessions.
http://www.blackhat.com

4. ==== SECURITY ROUNDUP ====

* NEWS: MANAGED SECURITY MARKET TO REACH $1.7 BILLION
A new report by the Yankee Group predicts that managed security services revenue will soar to $1.7 billion by 2005. According to the report, the managed security services market earned $400 million in 2000.
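Returning to the SecureIIS item under Security Risks: a keyword filter that never decodes escaped characters and a path check that can be walked out of the Web root are two faces of one defect, validating a request before it has been put into canonical form. The Python below is an added example written for this newsletter, not eEye's code and not how SecureIIS is implemented. The keyword list, the document root /inetpub/wwwroot, the decode-round limit, the request lines and all function names are constructed for illustration. It places the naive check beside a version that decodes and normalizes first, and it handles the double-encoded case as well as the single-encoded one the item describes.

```python
"""Canonicalize-then-validate, shown against a request filter.

Added example for the SecureIIS keyword-check and traversal findings;
everything here (keywords, web root, request samples) is constructed.
"""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed blocklist a request filter might refuse to see in a query.
BLOCKED_KEYWORDS = ("cmd.exe", "xp_cmdshell", "/etc/passwd")
WEB_ROOT = "/inetpub/wwwroot"   # hypothetical document root
MAX_DECODE_ROUNDS = 3           # bounds repeated decoding of nested encodings


def naive_keyword_check(raw_query: str) -> bool:
    """Checks the query exactly as received.  A percent-encoded keyword
    (cmd%2Eexe) passes because nothing is decoded before the comparison.
    Returns True when the query is allowed."""
    lowered = raw_query.lower()
    return not any(k in lowered for k in BLOCKED_KEYWORDS)


def canonical_text(value: str) -> str:
    """Percent-decode until the value stops changing (or the round limit is
    hit), then lowercase, so the check sees what the application will see.
    Lowercasing assumes a case-insensitive (Windows) file system."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def hardened_keyword_check(raw_query: str) -> bool:
    """Same policy as the naive check, applied to the canonical form."""
    canonical = canonical_text(raw_query)
    return not any(k in canonical for k in BLOCKED_KEYWORDS)


def resolve_inside_root(url_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Decode and normalize the path, then confirm it still lies under the
    document root.  Returns the resolved path, or None when the request
    escapes the root (the traversal case in the advisory)."""
    decoded = canonical_text(url_path).replace("\\", "/")
    joined = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if joined == web_root or joined.startswith(web_root + "/"):
        return joined
    return None


def screen_request(request_line: str) -> Tuple[bool, str]:
    """Screen one 'METHOD target HTTP/1.x' line with the hardened checks.
    Returns (allowed, reason) so a caller can log the reason for a refusal."""
    try:
        _, target, _ = request_line.split(" ", 2)
    except ValueError:
        return False, "malformed request line"
    parts = urlsplit(target)
    if resolve_inside_root(parts.path) is None:
        return False, "path escapes web root"
    if not hardened_keyword_check(parts.query):
        return False, "blocked keyword in query"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request lines: one ordinary, one encoded keyword, one traversal.
    for line in ("GET /default.asp?id=42 HTTP/1.0",
                 "GET /index.asp?q=cmd%2Eexe HTTP/1.0",
                 "GET /../../boot.ini HTTP/1.0"):
        print(line, "->", screen_request(line))
```

The point of the bounded decode loop is that the filter and the application must agree on what the bytes mean; decoding once misses double-encoded input, while decoding without a limit makes the filter's behaviour depend on how many layers an attacker chose to add. Logging the refusal reason from screen_request gives the operator the evidence trail the naive check never produced.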
Yankee considers managed security services to include ongoing management of firewalls, VPNs, intrusion detection, virus scanning, Web-site security assessments, monitoring, applet scanning, content inspection, and URL blocking.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21216

* NEWS: MICROSOFT, MCAFEE BRING SECURITY TO .NET
McAfee, the world's leading security application service provider (ASP), has announced a partnership with Microsoft to provide a .NET-based security service to customers over the Web. The new service, dubbed McAfee Security for MSN, touts protection against viruses, hackers, and privacy invasion, and integration with Microsoft's Passport service. The new security service costs about $6 a month, and it follows a November 2000 launch of McAfee's .NET initiative for small and mid-sized businesses, which now has more than 1000 companies registered.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=21210

* REVIEW: SERVER CONSOLIDATION SOFTWARE
Whether consolidating file servers is part of your plan to trim management overhead or part of your strategy to migrate to Windows 2000, you have your work cut out for you. You need to copy data to your new servers, recreate shares on the new servers, and reset permissions on the data. If you also want to move user profiles, you need to update your users' accounts to point to the new profile locations. These tasks are time-consuming, but tools exist to make the job easier. The Windows 2000 Magazine Lab tested four server-consolidation products: Aelita Software's Aelita Server Consolidation Wizard 5.63, FastLane Technologies' DM/Consolidator 2.6.2, NetIQ's Server Consolidator 2.0, and Small Wonders Software's Secure Copy 2.0. Learn all about them in Joshua Orrison's comparative review on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20652

* REVIEW: SOLARWINDS 2000 PROFESSIONAL EDITION 2.1
SolarWinds.Net's SolarWinds 2000 Professional Edition 2.1 is a collection of network utilities for Windows 2000, Windows NT, Windows Me, and Windows 9x systems. The product offers several tools for IP network management and tools for administration of Cisco Systems products; SNMP devices add functional diversity. The tools also offer a flexible variety of exporting options in comma-delimited, plain text, HTML, and Microsoft Excel formats. You can also export data to a Web page for online viewing. Find out what SolarWinds 2000 can do for you in Rob Schenk's lab review on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20719

5. ==== HOT RELEASE (ADVERTISEMENT) ====

* ICSA CERTIFIED FIREWALL: FREE 120-DAY TRIAL
Be Secure with the ICSA Certified, multi-layer enterprise-class firewall that's easy to manage. Microsoft ISA Server provides packet/circuit/application-filtering, integrated intrusion detection, stateful inspection, and granular access control. Simplify management with integration with Windows 2000 VPN and Active Directory.
http://www.win2000mag.com/jump.cfm?ID=161

6. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: HACK PROOFING YOUR E-COMMERCE SITE: THE ONLY WAY TO STOP A HACKER IS TO THINK LIKE ONE
By Ryan Russell and Stace Cunningham
List Price: $49.95
Fatbrain Online Price: $39.96
Softcover; 512 pages
Published by Syngress Publishing, March 2001
ISBN 192899427X
For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=192899427X
and enter WIN2000MAG as the discount code.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.windowsitsecurity.com/panda

Virus Alert: VBS/VBSWG.Z
VBS/VBSWG.Z is an encrypted worm that sends itself to all the entries in the user's Address Book. If the worm fails to create the email message, it displays a message on the user's screen that says, "Please forward this to everyone." Infected emails will have a subject of Mawanella, an attachment named Mawanella.vbs, and a message body that reads, "Mawanella is one of Sri Lanka's Muslim Village." For further details about this virus, be sure to visit our Center for Virus Control.
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1095

* FAQ: HOW CAN I MAKE A PALM PILOT (OR SIMILAR DEVICE) AUTHENTICATE TO MY SERVER?
(contributed by Paul Robichaux, http://www.windows2000faq.com)
Typically, when you log on to a Microsoft Exchange Server, you need just the Windows 2000 or Windows NT account and the associated password. However, when a POP3 client (such as the one built into most Palm devices) wants to connect, the client has to use the mailbox name and the account name and domain. For example, my Exchange is in the remote automation (RA) domain, and my account is paul. I log on using those credentials, but to get to my POP3 mailbox, I have to tack on the mailbox alias for my mailbox, which is paulr. On my Pilot, I specify RA\paul\paulr as the user name, and my NT account password as the password.

* WINDOWS 2000 SECURITY: INTERNET EXPLORER SECURITY OPTIONS, PART 5
In Parts 2 through 4 of this series, Randy Franklin Smith described the settings in Microsoft Internet Explorer (IE) 5.0. In Part 5, Randy describes the remaining IE security settings. The previous parts of this article (parts 1, 2, 3, and 4) are linked on the Web page containing part 5.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21199

7. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, productsat_private)

* NETWORK TRAFFIC ANALYZER
eEye Digital Security released Iris 2.0, an advanced data and network traffic analyzer. Iris, built for Windows 2000 and Windows NT, collects, stores, organizes, and reports all data traffic on your network. With Iris, the network owner or administrator can decode most nonencrypted network protocols, such as HTTP, POP3, and SMTP. Iris 2.0 is available for download at the Web site. Contact eEye at 888-299-4678 for more information.
http://www.eeye.com/iris

* FIGHT DEFACEMENT AND INTRUSION
Tripwire announced Tripwire for Web Pages, a new product designed to secure Web sites from damage caused by defacement and intrusion. Tailored for the Apache Web server platform, this new product immediately detects unauthorized modifications to Web site content, prevents the delivery of modified pages, and instantly alerts the system administrator. Go to the Tripwire Web site for more information and pricing.
http://www.tripwire.com

8. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums
Featured Thread: Setting Password Ages
(Four messages in this thread)
This reader wants to know how to set different password expiration times for different users or groups. Read the responses of others or lend a helping hand at the following URL.
http://www.win2000mag.net/forums/rd.cfm?app=64&id=67076

* HOWTO MAILING LIST
http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo
Featured Thread: Remotely Change Computer Name for Windows NT
(Three messages in this thread)
This reader wants to know how to change a computer name and join a domain remotely with Windows 2000 and Windows NT. Read other responses or lend a hand at the following URL.
http://63.88.172.96/go/page_listserv.asp?A2=IND0105D&L=HOWTO&P=79

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR Security UPDATE? emedia_oppsat_private

********************
This weekly email newsletter is brought to you by Windows 2000 Magazine, the leading publication for Windows 2000/NT professionals who want to learn more and perform better. Subscribe today.
http://www.win2000mag.com/sub.cfm?code=wswi201x1z

Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to subscribe-Security_UPDATEat_private

If you have questions or problems with your UPDATE subscription, please contact securityupdateat_private
___________________________________________________________
Copyright 2001, Penton Media, Inc.

ISN is hosted by SecurityFocus.com
---
To unsubscribe, email isn-unsubscribeat_private
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 02:16:46 PDT