[ISN] Security UPDATE, July 25, 2001

From: InfoSec News (isnat_private)
Date: Sun Jul 29 2001 - 02:52:54 PDT


    ********************
    
    Windows 2000 Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows 2000 and NT systems.
       http://www.secadministrator.com
    
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    IBM Infrastructure
       http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.1.532985
    
    CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP
       http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.3.532985
       (below SECURITY RISKS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: IBM INFRASTRUCTURE ~~~~
       Not worried about hackers? You should be. Because they can put your
    e-business out of business. If your customers don't feel comfortable
    dealing with you online, they'll work with someone else. With IBM
    infrastructure, you'll have the security your company needs to operate
    effectively and to keep your clients comfortable. Your networks and
    servers are the backbone of your company. It's time you treated them
    that way. In today's ever-changing e-environment, keeping network
    security tight is something that can't be ignored. So is keeping your
    clients happy. Find out more from our latest security white paper
    today.
       Download at:
    http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.1.532985
    
    ********************
    
    July 25, 2001--In this issue:
    
    1. IN FOCUS
         - As Two Worms Multiply, CERT Releases Security Tips for
    Home-Computer Users
    
    2. SECURITY RISKS
         - Denial of Service Condition in IBM DB2 Universal Database
    Server
         - Denial of Service Condition in Cisco IOS PPTP 
         - Unsafe Functionality Exposure in Microsoft Outlook
    
    3. ANNOUNCEMENTS
         - Now Is the Time, Now Is the Time . . .
         - Where Do You Go Before You Take Your MCSE Exams?
    
    4. SECURITY ROUNDUP
         - News: Code Red Worm Readily Penetrates Unpatched Web Servers
         - News: Factor a 576-Bit Number and Earn $10,000
         - Feature: The 7 Habits of Highly Available Exchange Servers
         - Feature: Network Troubleshooting with a Pocket PC
    
    5. SECURITY TOOLKIT
         - Book Highlight: Hack Attacks Revealed: A Complete Reference with
    Custom Security Hacking Toolkit
         - Virus Center: 
         - Virus Alert: W32/Sircam
         - FAQ: Does Windows 2000 Include an Update of the Chkdsk
    Application?
    
    6. NEW AND IMPROVED
         - Monitor Your Web Server
         - Secure Exchange 2000 Server
    
    7. HOT THREADS
         - Windows 2000 Magazine Online Forums
         - Featured Thread: API Call to LogonUser Across Firewall
         - HowTo Mailing List:
         - Turning Down a Backup Domain Controller (BDC)
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    1. ==== COMMENTARY ====
    
    Hello everyone,
       Last week, I mentioned that I didn't know about any cracks to Windows
    XP license activation so far. Since then, I quickly learned that cracks
    do exist, so I suppose that fact is quite a statement considering
    Microsoft's stance that mandatory license activation will thwart
    piracy.
       On another note, did the Code Red worm hit your Web network last
    week? I've received many emails requesting details about the Code Red
    worm and how to stop it or recover from its infection. The irony is that
    more than a month ago (June 18), Microsoft released a patch for a
    security bug that's related to IIS-based .idq and .ida file
    mappings--the same bug that the Code Red worm exploits. Be sure to read
    the related news story in the Security Roundup section of this
    newsletter.
       Because the Code Red worm has affected so many sites already
    (including Microsoft's Windows Update site and many sites operated by
    the US Department of Defense--DOD), it's apparent that many online
    entities still don't keep their systems as up-to-date as possible, so
    they suffer the consequences of lackadaisical systems administration. If
    nothing else, the Code Red worm serves as one more example of why we
    need to consider acquiring and installing software patches and updates
    as top priorities in our daily routines. 
       As I mentioned, the Code Red worm takes advantage of a bug related to
    the .ida and .idq files. Nelson Bunker, vice president of security at
    Critical Watch, notified me last week that his company has released a
    utility that quickly removes any .ida and .idq file mappings from an IIS
    server. Users can run the utility from a remote workstation against an
    IIS server. Users can also download the utility as freeware at the
    company's Web site (along with complete source code). See the first URL
    at the end of this editorial.
       I hope you don't think workstations or home computers running IIS and
    the related indexing services are immune from such a worm, because they
    aren't. A home computer is just another system connected to the
    Internet. To help small offices/home offices (SOHOs) with problems such
    as the Code Red worm, the Computer Emergency Response Team (CERT)
    released a document titled "Home Network Security." Users can access
    this document online at CERT's Web site (CERT updated it June 26). See
    the second URL at the end of this editorial.
       I took a quick look at "Home Network Security" and found that the
    document covers a broad range of security concerns, including basic
    material that explains computer security, TCP/IP networking, firewalls,
    and antivirus software; various types of risks, including
    hardware-related problems such as disk failure and theft; and a series
    of actions that home-based users can take to protect their systems. Be
    sure to check it out--it's good material.
       On that note, are you aware that in addition to this newsletter and
    numerous others, we offer our Connected Home EXPRESS email newsletter?
    The biweekly newsletter offers how-to advice, tips, and news that cover
    a broad range of technology-related topics: home automation, home
    networks, home theater, and a variety of gadgets-on-the-go. Visit the
    related Connected Home Magazine Web site (
    http://www.connectedhomemag.com ), and be sure to take a look at this
    newsletter.
       Before I sign off, I want to remind you that another worm is
    spreading fast, but this one affects Outlook email clients. The
    W32/Sircam worm spreads by sending copies of itself to every person
    listed in an affected user's Outlook address book (see the related item
    in this newsletter's Security Tools section under Virus Center). Since
    Friday, I've received at least two dozen copies of the worm in email
    from people that have my email address in their address books. The worm
    is still spreading, so be sure to review the technical details regarding
    the W32/Sircam worm at our online Virus Center, and download the latest
    antivirus signature updates from the software vendor of your choice. 
       Until next time, have a great week.
    
    Sincerely,
    
    Mark Joseph Edwards, News Editor, markat_private
    
       http://www.criticalwatch.com/downloads/IDA_ScriptRemoval_Util.zip
       http://www.cert.org/tech_tips/home_networks.html
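    As an added example (not part of the newsletter, Microsoft's patch, or Critical Watch's utility), the following Python scans IIS W3C-format log lines for requests that reach the .ida/.idq Index Server mappings the editorial recommends removing. The log lines are constructed, and the 200-character "overlong query" threshold is an assumption.

```python
"""Flag IIS requests that hit the .ida/.idq script mappings (added example)."""
from urllib.parse import unquote

# Constructed sample of IIS 5.0 W3C extended log lines (not real traffic).
# Field order follows the #Fields directive, as in a real log file.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:00:01 192.0.2.10 GET /index.htm - 200",
    "2001-07-19 10:00:07 192.0.2.44 GET /default.ida " + "X" * 240 + " 200",
    "2001-07-19 10:00:09 192.0.2.44 GET /scripts/search.idq - 404",
    "2001-07-19 10:00:15 192.0.2.10 GET /images/logo.gif - 200",
])

# Extensions served by the Index Server ISAPI extension; the editorial
# recommends unmapping them, so any request for them deserves a look.
INDEXING_EXTENSIONS = (".ida", ".idq")

def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than guess
        yield dict(zip(fields, values))

def is_indexing_request(uri_stem):
    """True when the requested resource ends in an Index Server extension."""
    return unquote(uri_stem).lower().endswith(INDEXING_EXTENSIONS)

def scan(text, long_query=200):
    """Return (client ip, uri stem, reason) for each suspicious request."""
    hits = []
    for rec in parse_log(text):
        stem = rec["cs-uri-stem"]
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        if is_indexing_request(stem):
            reason = "indexing-service extension"
            if len(query) >= long_query:
                reason += " with overlong query"
            hits.append((rec["c-ip"], stem, reason))
    return hits

if __name__ == "__main__":
    for ip, stem, reason in scan(SAMPLE_LOG):
        print(f"{ip} requested {stem}: {reason}")
```

    A request for an .ida or .idq resource on a server that has no use for Index Server is itself the finding; the query-length heuristic only ranks the hits.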
    
    2. ==== SECURITY RISKS ====
    (contributed by Ken Pfeil, kenat_private)
    
    * DENIAL OF SERVICE CONDITION IN IBM DB2 UNIVERSAL DATABASE SERVER
       Gilles Lami reported that a Denial of Service (DoS) vulnerability
    exists in IBM's DB2 Universal Database server. An attacker can crash the
    server by establishing a Telnet connection to the ports that the
    services db2ccs.exe and db2jds.exe are running on (typically ports 6790
    and 6789) and sending 1 byte of information. IBM has acknowledged this
    vulnerability and will release a patch for version 7 and later
    versions.
       http://www.windowsitsecurity.com/articles/index.cfm?articleID=21820
    
    * DENIAL OF SERVICE CONDITION IN CISCO IOS PPTP
       Cisco Systems reported that a Denial of Service (DoS) vulnerability
    exists in its IOS that can let a potential attacker crash the router by
    sending a malformed or crafted PPTP packet to port 1723. Although the
    router will crash after receiving just one packet, the attacker can
    cause the DoS attack by repeatedly sending packets. A workaround is to
    disable PPTP on the router because the vulnerability doesn't affect
    routers with PPTP disabled. The company recommends that users obtain a
    firmware upgrade through the Software Center on Cisco's Web site or
    through Cisco's distribution channels.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21821
    
    * UNSAFE FUNCTIONALITY EXPOSURE IN MICROSOFT OUTLOOK
       Georgi Guninski reported that a vulnerability exists in Microsoft
    Outlook that might let a malicious attacker manipulate Outlook data.
    This vulnerability stems from the Outlook View Control ActiveX control,
    which lets users view Outlook mail folders from Web pages. This ActiveX
    control exposes a function that might let the Web page manipulate
    Outlook data, and thereby let an attacker delete mail, change calendar
    information, or take other actions through Outlook, including running
    arbitrary code on the user's machine. Microsoft has released security
    bulletin MS01-038 for this vulnerability. A patch will be available in
    the near future, but as a workaround, Microsoft recommends applying the
    Outlook 2000 Service Release 1 (SR1) security update and temporarily
    disabling ActiveX controls in Internet Explorer's (IE's) Internet
    security zone.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21822
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: LIEBERMAN AND ASSOCIATES ~~~~ 
       CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP
       Did you ever consider that the same local administrator account and
    password is stored on every NT/2000/XP workstation in your organization?
    If this account were to become compromised, or one of your
    administrators were to leave, how would you change this backdoor account
    on all of your workstations? User Manager Pro for Windows NT/2000/XP
    makes mass changes to the local security of your workstations in
    minutes.
       FREE TRIAL:
    http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.3.532985
    
    ~~~~~~~~~~~~~~~~~~~~
    
    3. ==== ANNOUNCEMENTS ====
    
    * NOW IS THE TIME, NOW IS THE TIME . . .
       It's Windows 2000 Magazine LIVE! Hear and talk with the writers
    you've come to trust. Minasi, Daily, Mar-Elia, and Russinovich join a
    host of world-renowned gurus to help you be more successful. The seven
    dedicated tracks include Active Directory (AD), .NET Servers, Security,
    plus a bonus SMS track sponsored by Altiris. Attend concurrently run XML
    and Web Services Connections for FREE! Now is the time to reserve your
    spot!
       http://www.winconnections.com
    
    * WHERE DO YOU GO BEFORE YOU TAKE YOUR MCSE EXAMS?
       2000Tutor.com is the Web site where you need to be. We help you
    prepare for MCSE certifications as quickly and painlessly as possible.
    Take practice exams, study for certification, join your peers in our
    discussion forums, and get free tips and advice from the experts. Visit
    today!
       http://www.2000tutor.com
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: CODE RED WORM READILY PENETRATES UNPATCHED WEB SERVERS
       A new worm, Code Red, is making the rounds on the Internet. Code Red
    plays on an existing security-related bug in Microsoft IIS-based Web
    servers. Microsoft made a patch available for the bug on June 18, yet
    countless Web servers apparently remain unpatched--including Microsoft's
    own Windows Update Web site. An alert reader informed Windows 2000
    Magazine yesterday that the worm had, in fact, penetrated the Windows
    Update site. The worm changes the home page of sites that it attacks to
    read, "Welcome to http://www.worm.com !, Hacked By Chinese!"
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21884
    
    * NEWS: FACTOR A 576-BIT NUMBER AND EARN $10,000
       RSA Labs launched a challenge designed to reveal the factors of
    particular types of large integers. RSA launched a similar Factoring
    Challenge in 1999, and this latest challenge will reward successful
    participants with cash prizes up to $200,000 for factoring a 2048-bit
    number. RSA will reward participants with lesser amounts for
    successfully factoring numbers with bit lengths that range from 576 bits
    to 1536 bits. 
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21923
    
    * FEATURE: THE 7 HABITS OF HIGHLY AVAILABLE EXCHANGE SERVERS
       Consulting about Microsoft Exchange Server availability is like
    watching the Looney Tunes' Wile E. Coyote: Watch for a while, and you can
    begin to predict the mistakes that lead to the falls. You also learn
    that the falls aren't as deadly as the pounding that follows close
    behind. After years of working with Exchange Server organizations, Evan
    Morris identified the factors that can lead to falls from high
    availability and the disaster recovery mistakes that can make these
    falls catastrophic. Inspired by Stephen R. Covey's bestseller The Seven
    Habits of Highly Effective People (Simon & Schuster, 1999), Evan has
    identified seven factors that help organizations prevent Exchange Server
    system failures and maintain high availability.
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21519
    
    * FEATURE: NETWORK TROUBLESHOOTING WITH A POCKET PC
       Portable computers can be valuable network troubleshooting tools.
    Joshua Orrison recently tested the practicality of using his Compaq iPAQ
    Pocket PC as a troubleshooting tool. Using an Ethernet adapter that
    plugs into the device's optional expansion pack, Joshua easily connected
    to a hub in our networks' demilitarized zone (DMZ). He then used Ruksun
    Software Technologies' Telnet Force and Net Force programs (for Windows
    CE-based mobile computing devices) to perform several network
    troubleshooting tasks. Read all about it in Joshua's article on our Web
    site.
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21515
    
    5. ==== SECURITY TOOLKIT ====
    
    * BOOK HIGHLIGHT: HACK ATTACKS REVEALED: A COMPLETE REFERENCE WITH
    CUSTOM SECURITY HACKING TOOLKIT
       By John Chirillo
       List Price: $59.99
       Fatbrain Online Price: $47.99
       Softcover; 944 pages
       Published by John Wiley & Sons, May 2001
       ISBN 047141624X
    
    For more information or to purchase this book, go to
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=047141624X
    and enter WIN2000MAG as the discount code when you order the book.
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to
    bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
       http://www.windowsitsecurity.com/panda
    
    Virus Alert: W32/Sircam
       W32/Sircam is a worm that propagates through email by sending itself
    to all the addresses found in the infected user's Outlook Address Book.
    After the worm infects a system, it modifies the Windows Registry to
    ensure its execution every time a user runs an .exe file. One in every
    10 times it runs, the worm deletes some data from the computer's hard disk.
       http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1104
    
    * FAQ: DOES WINDOWS 2000 INCLUDE AN UPDATE OF THE CHKDSK APPLICATION?
       (contributed by Bob Chronister, http://www.windows2000faq.com )
    
    A. Win2K, Windows NT 4.0 Service Pack 5 (SP5), and NT 4.0 SP6 introduced
    several new NTFS switches for Chkdsk. The /i switch performs a moderate
    check of index entries, and the /c switch stops checking cycles within
    the directory structure. I don't recommend using either switch because
    they circumvent important file checks. The /x switch, which Win2K
    introduced, dismounts a drive, then runs Chkdsk /f on the drive.
    However, the /x switch doesn't work with the boot volume, and you can't
    lock the volume (although the switch dismounts it).
    
    6. ========== NEW AND IMPROVED ==========
       (contributed by Scott Firestone, IV, productsat_private)
    
    * MONITOR YOUR WEB SERVER
       Cimcor released CimTrak Web Security Edition, a security system that
    provides Web-server monitoring against intruders and features automated
    countermeasures for immediate recovery. The system consists of the
    WebMonitor, which resides on the Web server, and a CimTrak server. The
    software program creates a unique digital signature of the Web server
    files to store on the CimTrak server with a master repository of all
    crucial files. The monitor compares the digital signatures of the Web
    server and the CimTrak repository and notifies the administrator if the
    two signatures differ. CimTrak Web Security Edition supports Microsoft
    IIS for Windows 2000 and Windows NT and costs $2000 for the basic
    package. Contact Cimcor at 219-736-4400 or 877-424-6267.
       http://www.cimcor.com
    
    * SECURE EXCHANGE 2000 SERVER
       GROUP Software released securiQ Suite, a server-based security
    application for Microsoft Exchange 2000 Server that features five
    modules: (1) Watchdog protects against malicious attacks on email and
    databases and disarms viruses at their core file structure. (2) Wall
    scans and checks email content to protect against confidentiality
    breaches and features spam and junk mail detection and prevention. (3)
    Trailer adds a legal disclaimer to outgoing email messages to maintain
    legal security. (4) Safe copies all email traffic and archives the
    messages for legal protection and quality control. (5) Crypt provides
    centralized, server-based email encryption with pretty good privacy
    (PGP). For pricing, contact GROUP Software at 508-473-9940 or
    877-476-8755.
       http://www.group-software.com
    
    7. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: API Call to LogonUser Across Firewall
       (Five messages in this thread)
    
    William saw something unusual in the logs today. He noticed that someone
    tried to log on to the network using AdvAPI, which Microsoft says is an
    API call to LogonUser. The authentication attempt came against the email
    and Web server, which leads him to believe that the logon attempt came
    in through one of the pinholes in the firewall, exposing 25, 80, 443 to
    that one server. Read more about the problem and the responses, or lend
    a hand at the following URL:
       http://www.win2000mag.net/forums/rd.cfm?app=64&id=73116
    
    * HOWTO MAILING LIST
       http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo
    
    Featured Thread: Turning Down a BDC
       (Eleven messages in this thread)
    
    This user is in the process of closing down remote offices that have
    server gear. Due to special circumstances, the user will auction off
    server gear when its data has been completely pulled and migrated. One
    of the servers is a BDC, and instead of shutting down the BDC and
    shipping it off to the auctioneers, the user wants to ensure the system
    has no recoverable information. However, the user doesn't have physical
    access to the systems at the remote office and would like to be able to
    wipe the system's sensitive information remotely. Can you help? Read the
    responses or lend a hand at the following URL:
    http://63.88.172.96/go/page_listserv.asp?A2=IND0107C&L=HOWTO&P=869
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT THE COMMENTARY -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please
    mention the newsletter name in the subject line.
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
    Support at securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice. Subscribe to our other FREE email newsletters.
       http://www.win2000mag.net/email
    
    |-+-+-+-+-+-+-+-+-+-|
    
    Thank you for reading Security UPDATE.
    
    SUBSCRIBE
    To subscribe send a blank email to
    subscribe-Security_UPDATEat_private
    
    If you have questions or problems with your UPDATE subscription, please
    contact securityupdateat_private 
    ___________________________________________________________
    Copyright 2001, Penton Media, Inc.
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 04:57:30 PDT