[ISN] Security UPDATE, July 11, 2001

From: InfoSec News (isnat_private)
Date: Thu Jul 12 2001 - 02:58:38 PDT


    ********************
    Windows 2000 Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows 2000 and NT systems.
       http://www.secadministrator.com
    
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    UltraBac Version 6.3 Deploys Machines Faster!
       http://go.win2000mag.net/UM/T.asp?A2153.23115.1203.1.532985
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ ULTRABAC VERSION 6.3 DEPLOYS MACHINES FASTER! ~~~~
       UltraBac Software announces new support for Windows NT(R)/2000/XP
    disaster recovery, disk cloning, and ultra-fast rollouts of server and
    workstation installations. The utility runs using a Win9x/DOS bootable
    floppy and can backup/restore only the clusters marked in-use. A system
    administrator can now copy or restore multiple images onto a network
    share (or tape) in significantly less time than other options. The
    program is available without charge for personal use. Visit
    http://go.win2000mag.net/UM/T.asp?A2153.23115.1203.1.532985 to download
    a free live trial of the software.
     
    ********************
    
    July 11, 2001--In this issue:
    
    1. IN FOCUS
         - Updated Windows 2000 Security Tools
    
    2. SECURITY RISKS
         - Back Door in R.I. Soft Systems Screensavers 
         - SMTP Vulnerability in Windows 2000
    
    3. ANNOUNCEMENTS
         - Get 25 Percent Off Windows 2000 Magazine!    
         - Now Is the Time, Now Is the Time . . .
    
    4. SECURITY ROUNDUP
         - News: Linux Community Fights .NET
         - News: Windows XP Pricing, Packaging Revealed
         - Review: Security Analyzer 3.5a
         - Review: NTRama 3.0 
    
    5. SECURITY TOOLKIT
         - Book Highlight: The Handbook of System and Network Security
     - Virus Center
          - Virus Alert: X97M/Barisada.C
         - FAQ: How Can I Add a Boot Option that Starts with the Alternate
    Shell?
         - Windows 2000 Security: Don't Shoot Yourself in the Foot with
    Group Policy Security Settings, Part 1
         - SOHO Security: Zombie Attackers
    
    6. NEW AND IMPROVED
         - Data Encryption and Smart Card Technology
         - Track PC Use 
    
    7. HOT THREADS
         - Windows 2000 Magazine Online Forums
              - Featured Thread: Security Overview
         - How-to Mailing List
              - Featured Thread: Event ID 643
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    1. ==== COMMENTARY ====
    
    Hello everyone,
    
    On June 6, I wrote about the need for adequate exit procedures when an
    employee leaves a company (for whatever reasons). This week, I came
    across an interesting news item at ComputerWorld (see URL below) that
    serves as a great case in point. A company suffered repeated Denial of
    Service (DoS) attacks after firing two key software developers. As it
    turned out, the company failed to change certain passwords after firing
    the two employees, and subsequently, these two former employees used
    those passwords to gain remote access to the company's application
    server and crash it. Be sure to read the details of the story with its
    interesting comments.
    http://www.computerworld.com/itresources/rcstory/0,4167,STO61983.html
    
    You might also recall that on June 20, I mentioned that the National
    Security Agency (NSA) had released a set of documents to help users
    secure Windows 2000 systems. The demand for these documents was
    overwhelming, and the NSA had to take the documents offline because of
    the server load. NSA contracted with Conxion to host these documents,
    which are available again from links at the NSA Web site. In addition,
    NSA has made documents available that help secure Cisco routers. You can
    find both sets of documents at the following URL.
      http://nsa1.www.conxion.com
    
    Speaking of Win2K security, Microsoft has an updated version of the
    cipher.exe tool that it's shipping with Win2K as part of the Encrypting
    File System (EFS). The original cipher.exe version that ships with the
    OS doesn't include a mechanism to wipe data off the hard disk; however,
    the updated version does include such functionality. During typical
    system operation, when you delete a file, the OS doesn't actually erase
    the data associated with that file. Instead, the OS marks the disk
    clusters related to that file as available empty space, and the data
    remains intact within those clusters until another process overwrites
    the clusters with new data. In other words, you can recover deleted
    files from a Win2K system in certain instances.
    
    Clem Colman of Colman Communications realized the problem and suggested
    that Microsoft provide a cluster-wiping mechanism, and now this updated
    cipher.exe version is available to overwrite all unallocated clusters,
    guarding against unwanted data recovery. You can find the updated
    cipher.exe file on Microsoft's TechNet Web site. 
      http://www.microsoft.com/technet/security/cipher.asp
    
    Of course, third-party tools that wipe data off the hard disk are also
    available. A few freeware packages that I am aware of include Parisien
    Encryption Tools from Parisien Research, Without a Trace from Karmadrome
    Software, and BCWipe from Jetico. You can find the packages at their
    respective URLs below. Until next time, have a great week.
    
    Sincerely,
    Mark Joseph Edwards, News Editor, markat_private
    
       http://www.parisien.org/download.htm
       http://www.karmadromesoft.com
       http://www.jetico.sci.fi/bcwipe.htm
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * BACK DOOR IN R.I. SOFT SYSTEMS SCREENSAVERS
       Steve Johns reported a back door in R.I. Soft Systems 4th of July
    Fireworks and Living Waterfalls demo screensavers. By pressing the space
    bar on the keyboard, you can circumvent the screensaver's lock
workstation function. A malicious user can open the default Web browser
with the R.I. Soft Systems Web site by using the security context of the
currently logged-on user. From there, the attacker can run explorer.exe
    in the browser's address window to get the desktop and to run programs
    under this context. A malicious user can also exploit this vulnerability
    remotely through Windows 2000 Terminal Services Advanced Client
    (formerly known as Terminal Services Web Client). The vendor, R.I. Soft
    Systems, is aware of the vulnerabilities but doesn't intend to release a
    fix. To work around this problem, a user can uninstall the demo
    screensaver software.
       http://www.windowsitsecurity.com/articles/index.cfm?articleID=21684
    
    * SMTP VULNERABILITY IN WINDOWS 2000
       Joao Gouveia reported a vulnerability in the default SMTP server that
    is installed with the Windows 2000 Professional, Windows 2000 Server,
    Windows 2000 Advanced Server, and Windows 2000 Datacenter Server
    versions of Win2K. An attacker can use a vulnerability in the SMTP
    authentication process to authenticate to the SMTP service using
    incorrect credentials. An attacker can gain user-level privileges on the
    SMTP service and use the service to perform SMTP mail relaying. This
    vulnerability affects only standalone machines, not domain controllers
    (DCs) or Microsoft Exchange mail servers running Win2K. Microsoft has
    released security bulletin MS01-037 for this vulnerability and
    recommends that Win2K users immediately apply the patch mentioned in the
    bulletin. Patches for Win2K Datacenter are hardware specific and are
    available only through the OEM. As usual, if a service is not needed, a
    user should disable the service.
       http://www.windowsitsecurity.com/articles/index.cfm?articleID=21685
    
    3. ==== ANNOUNCEMENTS ====
    
    * GET 25 PERCENT OFF WINDOWS 2000 MAGAZINE!
       Every issue of Windows 2000 Magazine is packed with superb coverage
    of security, Active Directory (AD), disaster recovery, Exchange (and
    more) and helps you navigate the rough waters of your job with ease.
    Subscribe now (at 25 percent off the regular rate!) and find out why
    your peers think we're simply the best independent resource for Windows
    2000/NT professionals.
       http://www.win2000mag.com/sub.cfm?code=diee201gup
    
    * NOW IS THE TIME, NOW IS THE TIME . . .
       It's Windows 2000 Magazine LIVE! Hear and talk with the writers
    you've come to trust. Minasi, Daily, Mar-Elia, and Russinovich join a
    host of world-renowned gurus to help you be more successful. The seven
    dedicated tracks include Active Directory (AD), .NET Servers, Security,
    plus a bonus SMS track sponsored by Altiris. Attend concurrently running
    XML & Web Services Connections for FREE! Now is the time to reserve your
    spot! 
       http://www.winconnections.com
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: LINUX COMMUNITY FIGHTS .NET
       As expected, the Linux community announced a variety of open-source
    replacements for Microsoft's .NET product line Monday, including a way
    to run C# programs and the .NET Common Language Infrastructure (CLI) on
    Linux. The Free Software Foundation (FSF) and Linux desktop application
    maker Ximian are spearheading the development of these tools, which are
    called DotGNU and GNU Mono. The companies say that their open-source
    alternatives will overcome the limitations of Microsoft's centralized
    server approach.
       http://www.wininformant.com/Articles/Index.cfm?ArticleID=21693
    
    * NEWS: WINDOWS XP PRICING, PACKAGING REVEALED
       Amazon.com is the first online retailer to offer the Windows XP full
    and upgrade versions for advanced sale, giving us an early idea of how
    much the product will cost and what the packaging will look like. On
    Amazon.com, the upgrade version of Windows XP Home Edition is priced
    slightly higher than Windows Me, the product it's replacing; prices for
    Windows XP Professional Edition are similarly higher than its
    predecessor, Windows 2000 Professional. Although Microsoft has yet to
    release official pricing for the products, Amazon's prices are roughly
    equivalent to what we've been expecting.
       http://www.wininformant.com/Articles/Index.cfm?ArticleID=21692
    
    * REVIEW: SECURITY ANALYZER 3.5A
       NetIQ's Security Analyzer 3.5a architecture is based on profiles and
    policies. Profiles let you create scanning conditions (i.e., which
    policies to use and which hosts to scan) and policies define what
    Security Analyzer will search for during a security check. NetIQ offers
    10 default security policies: Complete Security Analysis, Standard
    Security Analysis, Critical Security Analysis, Intermediate Security
    Analysis, Inventory Scan, Port Scan Only (Well-Known Ports), Port Scan
    Only (Standard Ports), Password Grinding Analysis, Ping Scan, and UNIX
    Security Analysis. These policy files are essentially Perl scripts, so
    if you know Perl, you can create your own policies. Security Analyzer
    even includes a software development kit (SDK) to help you create custom
    policy files. Learn more about this product in Jonathan Chau's Lab
    Review on our Web site.
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21144
    
    * REVIEW: NTRAMA 3.0
       CoperNet's NTRama 3.0 is a network-discovery and inventory tool that
    scans your network's Windows 2000, Windows NT, and Windows 9x computers.
    The software saves the results to a central ODBC-compliant database
    file, on which you can run queries to obtain a global vision of your
    infrastructure. CoperNet didn't design NTRama as an end-all
    network-management application. Instead, NTRama is a scaled-down
    solution that functions impressively as a scanner, requiring no software
    agents on any other computer on the network. Learn all about it in
Dennis Williams' Lab Review on our Web site.
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21141
    
    5. ==== SECURITY TOOLKIT ====
    
    * BOOK HIGHLIGHT: THE HANDBOOK OF SYSTEM AND NETWORK SECURITY
       By Julia H. Allen
       Fatbrain Online Price: $39.99
       Softcover; 464 pages
       Published by Addison Wesley Longman, June 2001
       ISBN 020173723X
    
    For more information or to purchase this book, go to
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=020173723X
    and enter WIN2000MAG as the discount code when you order the book.
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to
    bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
       http://www.windowsitsecurity.com/panda
    
    Virus Alert: X97M/Barisada.C
       This virus contains a single macro associated with the
    WindowDeactivate event. The virus triggers when a user moves from an
    Excel window with an infected book to another Excel window. The virus
    first checks the global variable StartUpPath to see whether a copy of
    itself exists in the Excel Start directory. If this directory doesn't
    exist, the virus provokes an interesting secondary effect: Because the
    virus can't copy itself to where it wants, it opens two new Excel books,
    which stops the user from exiting the program. The virus opens a number
    of books and continually increases the number. For complete details on
    this macro virus, be sure to visit the URL below.
       http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=876
    
    * FAQ: HOW CAN I ADD A BOOT OPTION THAT STARTS WITH THE ALTERNATE
    SHELL?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. Under the registry key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot 
    is the value AlternateShell, which is set to cmd.exe (the command
    prompt). When you press F8 during startup and select "Safe Mode with
    Command Prompt," the system uses this alternate shell. You shouldn't
    change the AlternateShell value. You can, however, create a boot option
    so that you don't have to press F8, then select "Safe Mode with Command
    Prompt." 
   1. Clear the read-only, system, and hidden attributes on the boot.ini
(c:\boot.ini) file so that you can edit it (attrib c:\boot.ini -r -s -h).
   2. Open boot.ini.
   3. Add a line similar to the following (using the ARC path and
description of your existing installation entry):
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)
   4. Save the file.
   5. Restore the original attributes (attrib c:\boot.ini +r +s +h).
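The following script, added here as an example and not part of the FAQ or of John Savill's site, carries out steps 2 through 4 above programmatically: it parses the [boot loader] and [operating systems] sections of a boot.ini, clones the default installation's entry with the /SAFEBOOT:MINIMAL(ALTERNATESHELL) switch appended, and does nothing if such an entry already exists. The sample boot.ini text, the menu label suffix " (Safe Mode with Command Prompt)", and the apply_to_file helper (which wraps the edit in the attrib commands from steps 1 and 5) are assumptions of this example.

```python
import re
import subprocess

SAFEBOOT_SWITCH = "/SAFEBOOT:MINIMAL(ALTERNATESHELL)"

# Constructed sample boot.ini with a typical Windows 2000/XP layout
# (not copied from any real system).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""


def parse_boot_ini(text):
    """Return ({loader key: value}, [(arc_path, description, [switches])])."""
    section, loader, systems = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            # arc_path="Description" /switch /switch ...
            m = re.match(r'^([^=]+)="([^"]*)"\s*(.*)$', line)
            if m:
                systems.append((m.group(1).strip(), m.group(2), m.group(3).split()))
    return loader, systems


def add_alternate_shell_entry(text, label=" (Safe Mode with Command Prompt)"):
    """Return boot.ini text with a SAFEBOOT entry cloned from the default OS.

    The call is idempotent: if the default installation already has an entry
    carrying the SAFEBOOT switch, the text is returned unchanged.
    """
    loader, systems = parse_boot_ini(text)
    default_arc = loader.get("default")
    if default_arc is None:
        raise ValueError("boot.ini has no default= line")
    for arc, _desc, switches in systems:
        if arc == default_arc and SAFEBOOT_SWITCH in (s.upper() for s in switches):
            return text
    base = next((s for s in systems if s[0] == default_arc), None)
    if base is None:
        raise ValueError("default ARC path has no [operating systems] entry")
    arc, desc, switches = base
    kept = [s for s in switches if not s.upper().startswith("/SAFEBOOT")]
    new_line = '%s="%s%s" %s' % (arc, desc, label, " ".join(kept + [SAFEBOOT_SWITCH]))
    return text.rstrip("\n") + "\n" + new_line + "\n"


def apply_to_file(path="C:\\boot.ini"):
    """Windows-only helper (assumed): steps 1 and 5 around the edit."""
    subprocess.run(["attrib", "-r", "-s", "-h", path], check=True)
    try:
        with open(path) as fh:
            updated = add_alternate_shell_entry(fh.read())
        with open(path, "w") as fh:
            fh.write(updated)
    finally:
        subprocess.run(["attrib", "+r", "+s", "+h", path], check=True)
```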
    
    * WINDOWS 2000 SECURITY: DON'T SHOOT YOURSELF IN THE FOOT WITH GROUP
    POLICY SECURITY SETTINGS, PART 1
       Recently, when Randy Franklin Smith presented a Windows 2000 security
    seminar, one of his students made a simple change to rights assignments
    in Group Policy, and Randy discovered how easy it is to lock everyone
    out of an Active Directory (AD) domain. The incident taught Randy how
    important it is to use strict change-management controls, to follow
    least-privilege doctrine, and to implement some fail-safe measures in AD
    to protect domain controllers (DCs). To find out how Randy recovered
    from this situation, read his latest article on our Web site!
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21656
    
    * SOHO SECURITY: ZOMBIE ATTACKERS
       While researching information to write Spyware, Part 1 and Part 2,
    Jonathan Hassell explored the Gibson Research Corporation Web site.
    Steve Gibson, an assembly language programmer and noted advocate for
    consumer privacy on the Internet, is also interested in security systems
    connected to the Internet. Recently, script kiddies attacked his Web
    site (script kiddies are young crackers who maliciously knock off Web
    sites).
    
    Unlike most victims of an Internet assault, Gibson dissected and
    analyzed the attack. On his Web site, Gibson describes what he did to
    find out how the script kiddies used a Distributed Denial of Service
    (DDoS) attack on his systems, and he shares what he did to protect his
    Web site in the future. To find out how, be sure to read Jonathan
    Hassell's latest article on our Web site!
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21629
    
    6. ========== NEW AND IMPROVED ==========
       (contributed by Scott Firestone, IV, productsat_private)
    
    * DATA ENCRYPTION AND SMART CARD TECHNOLOGY 
       WinMagic and Datakey announced integration of the Datakey Certified
    Internet Professional (CIP) system with WinMagic's SecureDoc 2.5 disk
    encryption software. The software encrypts all data written to the
    disks. Users don't have to save files to certain folders or drives for
    the software to encrypt the files. SecureDoc 2.5 runs on Windows 2000,
    Windows NT, Windows Me, and Windows 9x systems. For pricing, contact
    WinMagic at 905-502-7000 ext. 222.
       http://www.winmagic.com
    
    * TRACK PC USE
       Alexander Jmerik released Boss Everyware 2.3, security software that
    records data about how people use a PC. The software keeps a log of
    which programs each user runs, and how much time they've spent on those
    programs. The software is password-protected, and only the network
    administrator can access it. Boss Everyware 2.3 runs on Windows 2000,
    Windows NT, Windows Me, and Windows 9x systems. Pricing starts at $49
    for a single-user license. Contact Alexander Jmerik at
    infoat_private
       http://boss.dids.com
    
    7. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: Security Overview
       (Four messages in this thread)
    
    A user wants recommendations for books that provide an overview of most
    IT security aspects (e.g., firewalls, Secure Sockets Layer (SSL), and
    demilitarized zone (DMZ)) and the security aspects of FTP, HTTP, HTTPS,
    POP3, and SMTP. Also, ssh and Telnet (e.g., how they work, their
    vulnerabilities). The books he has come across don't provide details
    that a beginner or intermediate person in the security field can grasp.
    Read the responses or lend a hand at the following URL:
       http://www.win2000mag.net/forums/rd.cfm?app=64&id=70864
    
    * HOWTO MAILING LIST
       http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo
    
    Featured Thread: Event ID 643
       (Two messages in this thread)
    
    This user found an item in the Event Log associated with Event ID 643.
    Typically, this ID reflects a condition in which an administrator has
    changed the domain's password requirements or lockout policy. However,
    this user said this wasn't the case, so he suspects the event might be
    related to local policy changes, but he is uncertain what type of
    changes to a local machine might trigger the logging of Event ID 643.
    Can you help? Read the responses or lend a hand at the following URL:
    http://63.88.172.96/go/page_listserv.asp?A2=IND0107A&L=HOWTO&P=572
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT THE COMMENTARY -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please
    mention the newsletter name in the subject line.
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
    Support at securityupdateat_private
    
    * WANT TO SPONSOR Security UPDATE? emedia_oppsat_private
    
    ********************
    
       Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice. Subscribe to our other FREE email newsletters.
       http://www.win2000mag.net/email
    
    |-+-+-+-+-+-+-+-+-+-|
    
    Thank you for reading Security UPDATE.
    ___________________________________________________________
    Copyright 2001, Penton Media, Inc.
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 03:28:41 PDT