[ISN] Security UPDATE, May 30, 2001 (fwd)

From: InfoSec News (isnat_private)
Date: Thu May 31 2001 - 00:01:56 PDT


    ********************
    
    Windows 2000 Magazine Security UPDATE--brought to you by the Windows
    2000 Magazine Network
       **Watching the Watchers**
       http://www.win2000mag.net/Channels/Security
    
    ********************
    
    >>>> THIS ISSUE SPONSORED BY <<<<
    
    WebTrends Firewall Suite -- Download Free Trial!
       http://www.webtrends.com/redirect/secupdate-fws1.htm 
    
    ~~~~~~~~~~~~~~~~~~~~
    
    >>>> SPONSOR: WEBTRENDS FIREWALL SUITE -- DOWNLOAD FREE TRIAL! <<<<
       Experienced IT Managers know security requires insight! 
    With WebTrends Firewall Suite, you'll get in-depth analysis of both
    incoming and outgoing traffic through your network. Monitor bandwidth
    usage, measure VPN activity, and receive alerts by e-mail or pager
    whenever critical security events occur. Firewall Suite 3.1 provides
    support for 35 leading firewall and proxy servers, including Cisco and
    Check Point. Currently a featured download on Tech Republic.  
       Click here for your FREE trial, download now:
       http://www.webtrends.com/redirect/secupdate-fws1.htm 
    
    ~~~~~~~~~~~~~~~~~~~~
    
    May 30, 2001--In this issue:
    
    1. IN FOCUS
         - Insurance Companies: Open Source Is Safer than Windows
    
    2. SECURITY RISKS
         - Macros Can Run Without Warning under Microsoft Word
         - Buffer Overflow Condition in Windows Media Player
         - Multiple Vulnerabilities in eEye SecureIIS
    
    3. ANNOUNCEMENTS
         - TechNet Summer Roadshow 2001 
         - The Black Hat Briefings: The Security Event the Experts Rave About
    
    4. SECURITY ROUNDUP
         - News: Managed Security Market to Reach $1.7 Billion 
         - News: Microsoft, McAfee Bring Security to .NET
         - Review: Server Consolidation Software
         - Review: SolarWinds 2000 Professional Edition 2.1
    
    5. HOT RELEASE (ADVERTISEMENT)
         - ICSA Certified Firewall: Free 120-Day Trial
    
    6. SECURITY TOOLKIT
         - Book Highlight: Hack Proofing Your E-commerce Site: The Only Way
           to Stop a Hacker Is to Think Like One
         - Virus Center: Virus Alert: VBS/VBSWG.Z
         - FAQ: How Can I Make a Palm Pilot (or Similar Device) Authenticate
           to My Server?
         - Windows 2000 Security: Internet Explorer Security Options, Part 5
    
    7. NEW AND IMPROVED
         - Network Traffic Analyzer
         - Fight Defacement and Intrusion
    
    8. HOT THREADS 
         - Windows 2000 Magazine Online Forums
              Setting Password Ages
         - HowTo Mailing List
              Remotely Change Computer Name for Windows NT
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    1. ==== COMMENTARY ====
    
    Hello everyone,
    
    A little more than a year ago, I wrote a column (linked below) about a
    new service in the high-tech industry: hacker insurance. The column
    pointed out that, by and large, crackers (often mistakenly referred to
    as hackers) control the premiums of such policies because crackers
    perpetrate the break-ins. I was only partially correct in those
    statements. As with other types of insurance, premiums for hacker
    insurance are based on risk factors, including the potential for attacks
    against your network. However, other factors also play a role in policy
    premiums--namely, the software you use and your staff's ability to
    manage that software.
    
    Why Intruders Control Internet Insurance (February 2000)
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=8206
    
    I read an interesting article this week (linked below) that talks about
    how one insurer, J.S. Wurzler Underwriting Managers, has begun charging
    clients between 5 and 15 percent extra if those clients use Windows NT
    with the Internet. The added charge stems from statistical analyses that
    Wurzler performed.
       http://www.zdnet.com/intweek/stories/news/0,4164,2766045,00.html
    
    In the course of business, Wurzler has audited more than 400 networks.
    What the company found is interesting to say the least: Administrators
    who work with open-source systems are better trained and stay with a
    given employer longer than Windows-related administrators. According to
    Wurzler, administrative turnover rates in companies that run Windows can
    reach 33 percent per year. As a result, Wurzler considers
    open-source-based networks safer than Windows networks (because of
    better administration).
    
    How does Microsoft respond to these claims? According to the article,
    Microsoft spokesman Jim Desler said, "There's not enough history or
    business to draw conclusions about rate-setting practices." In addition,
    the article says Microsoft predicts that "as the market matures, rates
    are likely to be based on best practices, rather than on platforms or
    products."
    
    Microsoft's statements seem to justify Wurzler's insurance rates. After
    all, who establishes best practices in regard to network administration?
    Individual companies do. And who performs those best practices? The
    companies' network administrators. But how will Windows administrators
    develop better practices if they constantly move from company to
    company? They won't. So Microsoft's comment seems circular to me; the
    company points to the problem as if it's the solution.
    
    The problem here is two-fold: companies that don't deliver best
    practices across their networks and administrators who take class after
    class and continually change jobs to get better pay, benefits, and
    perks. It's a Catch-22. How can companies deliver best practices when
    the employees don't stay long enough to make the practices consistent
    and effective? Somewhere in the open-source realm resides an answer
    because apparently companies that use open-source platforms don't suffer
    these problems to the same degree that Windows-based companies do.
    
    I have a friend whose situation is good justification for Wurzler's
    policy rates. My friend learned about computers in the military--on very
    dated technology. After leaving the military, he began earning his MCSE.
    Since then, I've watched him change jobs more often than I wash my car.
    He started at an entry-level job, where he made less than $40,000 a
    year. Now, 5 years later, this man carries the title of vice president
    at a medium-size company where he's in charge of solution development.
    His pay is more than $120,000 per year, plus benefits and perks. When I
    ask why he changes jobs so frequently, his answer is always the same:
    training and money. He gravitates to companies that will pay for his
    desired training and pay for the expertise he's gained from the training
    he's already received. 
    
    Even with all his training and experience, where does he go when he
    needs security advice? He comes to me because he isn't retaining enough
    knowledge to become a standalone worker (with regard to security). He
    relies on outsiders to fill in any gaps in his security knowledge. Could
    this knowledge gap have anything to do with frequent job changes? I
    think so.
    
    Better pay, benefits, and perks help retain workers, but not for long.
    Compensation in this industry is like a freeway: No matter how fast you
    drive, someone will pass you. And likewise, no matter how much a company
    offers someone, another company will offer more. Some companies have
    long used training as an employee-retention tactic. For example, when I
    worked at EDS, the company offered all kinds of training. However, if I
    took any of the training, I was bound contractually to work for EDS for
    a given time period. And if I chose to leave EDS before that time ended,
    I couldn't use the training at another firm for a specified length of
    time. 
    
    This tactic does, in fact, help companies retain employees. It also can
    help identify who intends to stay with your firm, by virtue of who
    accepts training contracts and who doesn't. I've yet to come across any
    tactic as effective in retaining personnel, other than offering relative
    creative freedom.
    
    The jobs I've stayed with longest are the ones that allowed me
    considerable creative freedom, both with work and the time involved in
    that work. For me, these things are priceless, so the related pay
    becomes tertiary. I think many people have the same perspective, and
    perhaps this perspective points out how freedom can translate into
    employee loyalty and retention. This perspective might also help explain
    why open source is so successful in gaining its vast following: the
    associated creative freedom, which translates into loyalty. Perhaps the
    creative freedom of the open-source philosophy carries over directly
    into the workplace and is revealed partially in Wurzler's audit
    findings.
    
    How do Wurzler's findings compare to what you've observed in your own
    company? How does your company entice its employees to stay? Visit our
    Web site (linked below) and click Comment on this Article. I'd love to
    hear what you've learned about keeping good employees. Until next time,
    have a great week.
    
    http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21260
    
    Sincerely,
    
    Mark Joseph Edwards, News Editor, markat_private
    
    2. ==== SECURITY RISKS ====
       (contributed by Mark Joseph Edwards, markat_private)
    
    * MACROS CAN RUN WITHOUT WARNING UNDER MICROSOFT WORD
       By embedding a macro in a template and providing another user with a
    Rich Text Format (RTF) document that links to the template, an attacker
    can cause macros to run automatically when the user opens the RTF
    document. Microsoft has released an FAQ and a patch to remedy this
    vulnerability. 
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21251
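The delivery path described above is an RTF document that links to a template carrying the macro. A defender can triage inbound RTF files by extracting the attached-template reference and flagging documents whose template lives off the local machine. The scanner below is an added example, not Microsoft's FAQ or patch; it assumes that the `{\*\template <path>}` destination is where RTF records the attached template (as in Word-produced RTF), and the three sample documents are constructed for the demonstration.

```python
"""Flag RTF documents that attach an external template.

Added example; assumes the RTF {\*\template <path>} destination records the
attached template. Sample documents are constructed.
"""
import re

# RTF writes a literal backslash as "\\", so a UNC path \\srv\share appears
# inside the document as \\\\srv\\share.
TEMPLATE_RE = re.compile(r"\{\\\*\\template\s+([^}]*)\}")


def _unescape(text: str) -> str:
    """Undo RTF escaping of backslashes and braces in a captured path."""
    return (text.replace("\\\\", "\\")
                .replace("\\{", "{")
                .replace("\\}", "}")
                .strip())


def template_paths(rtf: str) -> list:
    """Return every template path the document links to, unescaped."""
    return [_unescape(m) for m in TEMPLATE_RE.findall(rtf)]


def classify_template(path: str) -> str:
    """'remote' for UNC or URL templates, 'local' for everything else."""
    p = path.lower()
    if p.startswith("\\\\") or p.startswith(("http://", "https://", "file://")):
        return "remote"
    return "local"


def assess(rtf: str) -> dict:
    """Triage verdict for one document: no-template, local-template or
    remote-template (the case worth holding for review)."""
    paths = template_paths(rtf)
    if not paths:
        verdict = "no-template"
    elif any(classify_template(p) == "remote" for p in paths):
        verdict = "remote-template"
    else:
        verdict = "local-template"
    return {"templates": paths, "verdict": verdict}


# Constructed samples (not real documents).
PLAIN_RTF = r"{\rtf1\ansi Hello world.\par}"
LOCAL_RTF = r"{\rtf1\ansi{\*\template C:\\Templates\\Normal.dot}Hello.\par}"
REMOTE_RTF = r"{\rtf1\ansi{\*\template \\\\fileserver\\share\\letter.dot}Hello.\par}"

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_RTF), ("local", LOCAL_RTF), ("remote", REMOTE_RTF)):
        print(name, assess(doc))
```

A document with a local template reference is normal for Word output, so only the remote verdict warrants quarantine; the local verdict is still useful as a signal when paired with a sender the mail gateway does not recognize.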
    
    * BUFFER OVERFLOW CONDITION IN WINDOWS MEDIA PLAYER
       An unchecked buffer vulnerability in the process Windows Media Player
    (WMP) uses to process Active Stream Redirector (.asx) files can result
    in a buffer overflow. An attacker can use the vulnerability to run code
    on the vulnerable computer under the user's security context. Microsoft
    has acknowledged this vulnerability and recommends that WMP 6.4 users
    immediately apply the patch contained in Security Bulletin MS01-029. For
    users of WMP 7.0, Microsoft recommends an upgrade to version 7.1. 
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21252
    
    * MULTIPLE VULNERABILITIES IN EEYE SECUREIIS
       Multiple vulnerabilities exist in eEye Digital Security's SecureIIS
    1.0.2. The first vulnerability involves the keyword-checking
    feature--SecureIIS fails to decode escaped characters in a request's
    query, which can lead to information disclosure. The second
    vulnerability involves a directory traversal problem that lets an
    attacker break out of the Web root directory. The third vulnerability
    involves a buffer overrun condition caused by the way that SecureIIS
    processes HTTP header and large-character requests. The vendor, eEye
    Digital Security, recommends that users upgrade to version 1.0.5, which
    addresses these vulnerabilities. 
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21250
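The first two SecureIIS findings share one root cause: the filter inspected the request before the server decoded it, so an escaped byte and its literal form were treated differently. The canonicalize-before-inspect pattern below is an added example, not eEye's code. It assumes a constructed keyword list and web root, and puts a naive pre-decoding filter beside one that percent-decodes (a bounded number of times) and normalizes the path before applying the same checks.

```python
"""Canonicalize before inspecting: decode percent-escapes and normalize the
path, then apply keyword and web-root checks.

Added example; the keyword list, web root and sample requests are constructed.
"""
import posixpath
from urllib.parse import unquote

BLOCKED_KEYWORDS = ("boot.ini", "cmd.exe", "global.asa")  # constructed list
WEB_ROOT = "/inetpub/wwwroot"                              # constructed root
MAX_DECODE_ROUNDS = 3  # bound repeated decoding so %2525... cannot loop


def naive_filter(path: str, query: str) -> str:
    """Pre-decoding check: inspects the raw text the client sent."""
    haystack = (path + "?" + query).lower()
    if any(k in haystack for k in BLOCKED_KEYWORDS):
        return "block"
    if ".." in path:
        return "block"
    return "allow"


def canonicalize(text: str) -> str:
    """Percent-decode until the string stops changing, within a bound, so
    the filter sees the form the server will eventually act on.  A string
    still changing after the bound is treated as hostile, not guessed at."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded
    raise ValueError("excessive percent-encoding")


def hardened_filter(path: str, query: str) -> str:
    """Decode and normalize first, then run the same checks as naive_filter."""
    try:
        path_c = canonicalize(path).replace("\\", "/")
        query_c = canonicalize(query)
    except ValueError:
        return "block"
    # Resolve '.' and '..' and require the result to stay under the web root.
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, path_c.lstrip("/")))
    if not (resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/")):
        return "block"
    haystack = (path_c + "?" + query_c).lower()
    if any(k in haystack for k in BLOCKED_KEYWORDS):
        return "block"
    return "allow"


# Constructed requests: (path, query) pairs as a filter would receive them.
SAMPLES = [
    ("/index.asp", "file=boot.ini"),          # literal keyword
    ("/index.asp", "file=boot%2Eini"),        # single-escaped keyword
    ("/index.asp", "file=boot%252Eini"),      # double-escaped keyword
    ("/%2e%2e/%2e%2e/winnt/win.ini", ""),     # escaped traversal
    ("/products/list.asp", "page=2"),         # benign
]

if __name__ == "__main__":
    for p, q in SAMPLES:
        print(f"{p}?{q:<20} naive={naive_filter(p, q):5} hardened={hardened_filter(p, q)}")
```

The point of the bounded decode loop is that a filter must decide what to do when it cannot reach a fixed point; refusing the request is the conservative answer, and it costs nothing for legitimate clients, which never encode more than once.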
    
    3. ==== ANNOUNCEMENTS ====
    
    * TECHNET SUMMER ROADSHOW 2001 
       TechNet announces its new Summer Roadshow, taking place from May
    through July at 10 locations throughout the UK. These events include a
    new program of technical sessions that highlight Microsoft Office XP and
    Microsoft .NET Enterprise Servers. For details or to register for the
    free Roadshow, visit Microsoft's Web site. 
       http://www.microsoft.com/uk/technet/tn_events
    
    * THE BLACK HAT BRIEFINGS: THE SECURITY EVENT THE EXPERTS RAVE ABOUT 
       Register now for Black Hat Briefings, the world's premier technical
    event for IT and network security experts, July 11 and 12 in Las Vegas.
    New this year is a Tools of the Trade track. Join 1500+ security experts
    and "underground" security specialists at this truly unique conference
    with many Windows 2000 sessions. 
       http://www.blackhat.com
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: MANAGED SECURITY MARKET TO REACH $1.7 BILLION 
       A new report by the Yankee Group predicts that managed security
    services revenue will soar to $1.7 billion by 2005. According to the
    report, the managed security services market earned $400 million in
    2000. Yankee considers managed security services to include ongoing
    management of firewalls, VPNs, intrusion detection, virus scanning,
    Web-site security assessments, monitoring, applet scanning, content
    inspection, and URL blocking.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21216
    
    * NEWS: MICROSOFT, MCAFEE BRING SECURITY TO .NET
       McAfee, the world's leading security application service provider
    (ASP), has announced a partnership with Microsoft to provide a
    .NET-based security service to customers over the Web. The new service,
    dubbed McAfee Security for MSN, touts protection against viruses,
    hackers, and privacy invasion, and integration with Microsoft's Passport
    service. The new security service costs about $6 a month, and it follows
    a November 2000 launch of McAfee's .NET initiative for small and
    mid-sized businesses, which now has more than 1000 companies
    registered.
       http://www.wininformant.com/Articles/Index.cfm?ArticleID=21210
    
    * REVIEW: SERVER CONSOLIDATION SOFTWARE
       Whether consolidating file servers is part of your plan to trim
    management overhead or part of your strategy to migrate to Windows 2000,
    you have your work cut out for you. You need to copy data to your new
    servers, recreate shares on the new servers, and reset permissions on
    the data. If you also want to move user profiles, you need to update
    your users' accounts to point to the new profile locations. These tasks
    are time-consuming, but tools exist to make the job easier. The Windows
    2000 Magazine Lab tested four server-consolidation products: Aelita
    Software's Aelita Server Consolidation Wizard 5.63, FastLane
    Technologies' DM/Consolidator 2.6.2, NetIQ's Server Consolidator 2.0,
    and Small Wonders Software's Secure Copy 2.0. Learn all about them in
    Joshua Orrison's comparative review on our Web site.
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20652
    
    * REVIEW: SOLARWINDS 2000 PROFESSIONAL EDITION 2.1
       SolarWinds.Net's SolarWinds 2000 Professional Edition 2.1 is a
    collection of network utilities for Windows 2000, Windows NT, Windows
    Me, and Windows 9x systems. The product offers several tools for IP
    network management and tools for administration of Cisco Systems
    products; SNMP devices add functional diversity. The tools also offer a
    flexible variety of exporting options in comma-delimited, plain text,
    HTML, and Microsoft Excel formats. You can also export data to a Web
    page for online viewing. Find out what SolarWinds 2000 can do for you in
    Rob Schenk's lab review on our Web site.
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20719
    
    5. ==== HOT RELEASE (ADVERTISEMENT) ====
    
    * ICSA CERTIFIED FIREWALL: FREE 120-DAY TRIAL 
       Be Secure with the ICSA Certified, multi-layer enterprise-class
    firewall that's easy to manage. Microsoft ISA Server provides
    packet/circuit/application-filtering, integrated intrusion detection,
    stateful inspection, and granular access control. Simplify management
    with integration with Windows 2000 VPN and Active Directory.
       http://www.win2000mag.com/jump.cfm?ID=161
    
    6. ==== SECURITY TOOLKIT ====
    
    * BOOK HIGHLIGHT: HACK PROOFING YOUR E-COMMERCE SITE: THE ONLY WAY TO
    STOP A HACKER IS TO THINK LIKE ONE
       By Ryan Russell and Stace Cunningham
       List Price: $49.95    
       Fatbrain Online Price: $39.96
       Softcover; 512 pages
       Published by Syngress Publishing, March 2001
       ISBN 192899427X
    
    For more information or to purchase this book, go to
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=192899427X
    and enter WIN2000MAG as the discount code.
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to
    bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
       http://www.windowsitsecurity.com/panda
    
    Virus Alert: VBS/VBSWG.Z
       VBS/VBSWG.Z is an encrypted worm that sends itself to all the entries
    in the user's Address Book. If the worm fails to create the email
    message, it displays a message on the user's screen that says, "Please
    forward this to everyone." Infected emails will have a subject of
    Mawanella, an attachment named Mawanella.vbs, and a message body that
    reads, "Mawanella is one of Sri Lanka's Muslim Village." For further
    details about this virus, be sure to visit our Center for Virus
    Control.
       http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1095
    
    * FAQ: HOW CAN I MAKE A PALM PILOT (OR SIMILAR DEVICE) AUTHENTICATE TO
    MY SERVER?
       (contributed by Paul Robichaux, http://www.windows2000faq.com)
    
    Typically, when you log on to a Microsoft Exchange Server, you need just
    the Windows 2000 or Windows NT account and the associated password.
    However, when a POP3 client (such as the one built into most Palm
    devices) wants to connect, the client has to use the mailbox name and
    the account name and domain. For example, my Exchange is in the remote
    automation (RA) domain, and my account is paul. I log on using those
    credentials, but to get to my POP3 mailbox, I have to tack on the
    mailbox alias for my mailbox, which is paulr. On my Pilot, I specify
    RA\paul\paulr as the user name, and my NT account password as the
    password.
    
    * WINDOWS 2000 SECURITY: INTERNET EXPLORER SECURITY OPTIONS, PART 5
       In Parts 2 through 4 of this series, Randy Franklin Smith described
    the settings in Microsoft Internet Explorer (IE) 5.0. In Part 5, Randy
    describes the remaining IE security settings. The previous parts of this
    article (parts 1, 2, 3, and 4) are linked on the Web page containing
    part 5.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21199
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * NETWORK TRAFFIC ANALYZER 
       eEye Digital Security released Iris 2.0, an advanced data and network
    traffic analyzer. Iris, built for Windows 2000 and Windows NT, collects,
    stores, organizes, and reports all data traffic on your network. With
    Iris, the network owner or administrator can decode most nonencrypted
    network protocols such as HTTP, POP3, SMTP, and others. Iris 2.0 is
    available for download at the Web site. Contact eEye at 888-299-4678 for
    more information.
       http://www.eeye.com/iris
    
    * FIGHT DEFACEMENT AND INTRUSION
       Tripwire announced Tripwire for Web Pages, a new product designed to
    secure Web sites from damage caused by defacement and intrusion.
    Tailored for the Apache Web server platform, this new product
    immediately detects unauthorized modifications to Web site content,
    prevents the delivery of modified pages, and instantly alerts the system
    administrator. Go to the Tripwire Web site for more information and
    pricing.
       http://www.tripwire.com
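The product described above combines three things: a baseline of what the site's content should look like, a check on every delivery, and an alert when the two disagree. The script below is an added example in that spirit, not Tripwire's code. It builds a SHA-256 manifest of a content directory, seals the manifest with an HMAC so a defacer who can write the content directory cannot simply rewrite the baseline too, and refuses to serve any page whose hash no longer matches. The content directory, key and pages are constructed for the demonstration.

```python
"""File-integrity gate for static web content: hash every file into a sealed
baseline, re-hash on each request, refuse to deliver anything that changed.

Added example, not Tripwire's code.  The site, key and paths are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, key: bytes) -> dict:
    """Hash every file under root and seal the manifest with an HMAC.
    The key must live somewhere the web server's account cannot write."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = _sha256(full)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def baseline_is_sealed(baseline: dict, key: bytes) -> bool:
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def serve(root: str, rel: str, baseline: dict, key: bytes, alerts: list):
    """Return (status, content).  Only 'ok' delivers bytes; every other
    status appends the line an administrator would be alerted with."""
    if not baseline_is_sealed(baseline, key):
        alerts.append("baseline manifest altered; delivery suspended")
        return "baseline-tampered", None
    expected = baseline["files"].get(rel)
    if expected is None:
        alerts.append(f"request for file not in baseline: {rel}")
        return "unknown", None
    full = os.path.join(root, rel)
    if not os.path.isfile(full):
        alerts.append(f"baselined file missing: {rel}")
        return "missing", None
    if not hmac.compare_digest(_sha256(full), expected):
        alerts.append(f"content modified since baseline: {rel}")
        return "tampered", None
    with open(full, "rb") as f:
        return "ok", f.read()


def demo() -> tuple:
    """Constructed site: the page is served, then defaced, then the defacer
    also edits the manifest; returns the three statuses and the alerts."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "w") as f:
            f.write("<h1>Welcome</h1>")
        baseline = build_baseline(root, key)
        alerts = []
        before = serve(root, "index.html", baseline, key, alerts)[0]
        with open(page, "w") as f:
            f.write("<h1>defaced</h1>")
        after = serve(root, "index.html", baseline, key, alerts)[0]
        baseline["files"]["index.html"] = _sha256(page)  # manifest rewritten
        sealed = serve(root, "index.html", baseline, key, alerts)[0]
        return before, after, sealed, alerts


if __name__ == "__main__":
    print(demo())
```

Re-hashing on every request is the simplest way to get the "prevents the delivery of modified pages" property; a production deployment would cache by inode and modification time and re-hash only when those change, but the decision logic stays the same.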
    
    8. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: Setting Password Ages
       (Four messages in this thread)
       This reader wants to know how to set different password expiration
    times for different users or groups. Read the responses of others or
    lend a helping hand at the following URL.
       http://www.win2000mag.net/forums/rd.cfm?app=64&id=67076
    
    * HOWTO MAILING LIST
       http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo
    
    Featured Thread: Remotely Change Computer Name for Windows NT
       (Three messages in this thread)
       This reader wants to know how to change a computer name and join a
    domain remotely with Windows 2000 and Windows NT. Read other responses
    or lend a hand at the following URL.
       http://63.88.172.96/go/page_listserv.asp?A2=IND0105D&L=HOWTO&P=79
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT THE COMMENTARY -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please
    mention the newsletter name in the subject line.
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
    Support at securityupdateat_private
    
    * WANT TO SPONSOR Security UPDATE? emedia_oppsat_private
    
    ********************
       This weekly email newsletter is brought to you by Windows 2000
    Magazine, the leading publication for Windows 2000/NT professionals who
    want to learn more and perform better. Subscribe today.
       http://www.win2000mag.com/sub.cfm?code=wswi201x1z
    
       Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice. Subscribe to our other FREE email newsletters.
       http://www.win2000mag.net/email
    
    |-+-+-+-+-+-+-+-+-+-|
    
    Thank you for reading Security UPDATE.
    
    SUBSCRIBE
    To subscribe send a blank email to
    subscribe-Security_UPDATEat_private
    
    If you have questions or problems with your UPDATE subscription, please
    contact securityupdateat_private 
    ___________________________________________________________
    Copyright 2001, Penton Media, Inc.
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 02:16:46 PDT