********************
Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

IBM Infrastructure
http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.1.532985

CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP
http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.3.532985
(below SECURITY RISKS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: IBM INFRASTRUCTURE ~~~~
Not worried about hackers? You should be. Because they can put your e-business out of business. If your customers don't feel comfortable dealing with you online, they'll work with someone else. With IBM infrastructure, you'll have the security your company needs to operate effectively and to keep your clients comfortable. Your networks and servers are the backbone of your company. It's time you treated them that way. In today's ever-changing e-environment, keeping network security tight is something that can't be ignored. So is keeping your clients happy. Find out more from our latest security white paper today. Download at:
http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.1.532985

********************

July 25, 2001--In this issue:

1. IN FOCUS
 - As Two Worms Multiply, CERT Releases Security Tips for Home-Computer Users

2. SECURITY RISKS
 - Denial of Service Condition in IBM DB2 Universal Database Server
 - Denial of Service Condition in Cisco IOS PPTP
 - Unsafe Functionality Exposure in Microsoft Outlook

3. ANNOUNCEMENTS
 - Now Is the Time, Now Is the Time . . .
 - Where Do You Go Before You Take Your MCSE Exams?

4. SECURITY ROUNDUP
 - News: Code Red Worm Readily Penetrates Unpatched Web Servers
 - News: Factor a 576-Bit Number and Earn $10,000
 - Feature: The 7 Habits of Highly Available Exchange Servers
 - Feature: Network Troubleshooting with a Pocket PC
5. SECURITY TOOLKIT
 - Book Highlight: Hack Attacks Revealed: A Complete Reference with Custom Security Hacking Toolkit
 - Virus Center:
   - Virus Alert: W32/Sircam
 - FAQ: Does Windows 2000 Include an Update of the Chkdsk Application?

6. NEW AND IMPROVED
 - Monitor Your Web Server
 - Secure Exchange 2000 Server

7. HOT THREADS
 - Windows 2000 Magazine Online Forums
   - Featured Thread: API Call to LogonUser Across Firewall
 - HowTo Mailing List:
   - Turning Down a Backup Domain Controller (BDC)

8. CONTACT US
See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

Last week, I mentioned that I didn't know about any cracks to Windows XP license activation so far. Since then, I quickly learned that cracks do exist, so I suppose that fact is quite a statement considering Microsoft's stance that mandatory license activation will thwart piracy.

On another note, did the Code Red worm hit your Web network last week? I've received many emails requesting details about the Code Red worm and how to stop it or recover from its infection. The irony is that more than a month ago (June 18), Microsoft released a patch for a security bug that's related to IIS-based .idq and .ida file mappings--the same bug that the Code Red worm exploits. Be sure to read the related news story in the Security Roundup section of this newsletter.

Because the Code Red worm has affected so many sites already (including Microsoft's Windows Update site and many sites operated by the US Department of Defense--DOD), it's apparent that many online entities still don't keep their systems as up-to-date as possible, so they suffer the consequences of lackadaisical systems administration. If nothing else, the Code Red worm serves as one more example of why we need to consider acquiring and installing software patches and updates as top priorities in our daily routines.

As I mentioned, the Code Red worm takes advantage of a bug related to the .ida and .idq files.
Nelson Bunker, vice president of security at Critical Watch, notified me last week that his company has released a utility that quickly removes any .ida and .idq file mappings from an IIS server. Users can run the utility from a remote workstation against an IIS server. Users can also download the utility as freeware at the company's Web site (along with complete source code). See the first URL at the end of this editorial.

I hope you don't think workstations or home computers running IIS and the related indexing services are immune from such a worm, because they aren't. A home computer is just another system connected to the Internet. To help small offices/home offices (SOHOs) with problems such as the Code Red worm, the Computer Emergency Response Team (CERT) released a document titled "Home Network Security." Users can access this document online at CERT's Web site (CERT updated it June 26). See the second URL at the end of this editorial.

I took a quick look at "Home Network Security" and found that the document covers a broad range of security concerns, including basic material that explains computer security, TCP/IP networking, firewalls, and antivirus software; various types of risks, including hardware-related problems such as disk failure and theft; and a series of actions that home-based users can take to protect their systems. Be sure to check it out--it's good material.

On that note, are you aware that in addition to this newsletter and numerous others, we offer our Connected Home EXPRESS email newsletter? The biweekly newsletter offers how-to advice, tips, and news that cover a broad range of technology-related topics: home automation, home networks, home theater, and a variety of gadgets-on-the-go. Visit the related Connected Home Magazine Web site ( http://www.connectedhomemag.com ), and be sure to take a look at this newsletter.

Before I sign off, I want to remind you that another worm is spreading fast, but this one affects Outlook email clients.
The W32/Sircam worm spreads by sending copies of itself to every person listed in an affected user's Outlook address book (see the related item in this newsletter's Security Tools section under Virus Center). Since Friday, I've received at least two dozen copies of the worm in email from people who have my email address in their address books. The worm is still spreading, so be sure to review the technical details regarding the W32/Sircam worm at our online Virus Center, and download the latest antivirus signature updates from the software vendor of your choice.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

http://www.criticalwatch.com/downloads/IDA_ScriptRemoval_Util.zip
http://www.cert.org/tech_tips/home_networks.html

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* DENIAL OF SERVICE CONDITION IN IBM DB2 UNIVERSAL DATABASE SERVER
Gilles Lami reported that a Denial of Service (DoS) vulnerability exists in IBM's DB2 Universal Database server. An attacker can crash the server by establishing a Telnet connection to the ports that the services db2ccs.exe and db2jds.exe are running on (typically ports 6790 and 6789) and sending 1 byte of information. IBM has acknowledged this vulnerability and will release a patch for version 7 and later versions.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21820

* DENIAL OF SERVICE CONDITION IN CISCO IOS PPTP
Cisco Systems reported that a Denial of Service (DoS) vulnerability exists in its IOS that can let a potential attacker crash the router by sending a malformed or crafted PPTP packet to port 1723. Although the router will crash after receiving just one packet, the attacker can cause the DoS attack by repeatedly sending packets. A workaround is to disable PPTP on the router because the vulnerability doesn't affect routers with PPTP disabled.
The company recommends that users obtain a firmware upgrade through the Software Center on Cisco's Web site or through Cisco's distribution channels.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21821

* UNSAFE FUNCTIONALITY EXPOSURE IN MICROSOFT OUTLOOK
Georgi Guninski reported that a vulnerability exists in Microsoft Outlook that might let a malicious attacker manipulate Outlook data. This vulnerability stems from the Outlook View Control ActiveX control, which lets users view Outlook mail folders from Web pages. This ActiveX control exposes a function that might let the Web page manipulate Outlook data, and thereby let an attacker delete mail, change calendar information, or take other actions through Outlook, including running arbitrary code on the user's machine. Microsoft has released security bulletin MS01-038 for this vulnerability. A patch will be available in the near future, but as a workaround, Microsoft recommends applying the Outlook 2000 Service Release 1 (SR1) security update and temporarily disabling ActiveX controls in Internet Explorer's (IE's) Internet security zone.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21822

~~~~~~~~~~~~~~~~~~~~
~~~~ SPONSOR: LIEBERMAN AND ASSOCIATES ~~~~
CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP
Did you ever consider that the same local administrator account and password is stored on every NT/2000/XP workstation in your organization? If this account were to become compromised, or one of your administrators were to leave, how would you change this backdoor account on all of your workstations? User Manager Pro for Windows NT/2000/XP makes mass changes to the local security of your workstations in minutes.
FREE TRIAL: http://go.win2000mag.net/UM/T.asp?A2153.23115.1249.3.532985
~~~~~~~~~~~~~~~~~~~~

3. ==== ANNOUNCEMENTS ====

* NOW IS THE TIME, NOW IS THE TIME . . .
It's Windows 2000 Magazine LIVE! Hear and talk with the writers you've come to trust.
Minasi, Daily, Mar-Elia, and Russinovich join a host of world-renowned gurus to help you be more successful. The seven dedicated tracks include Active Directory (AD), .NET Servers, Security, plus a bonus SMS track sponsored by Altiris. Attend concurrently run XML and Web Services Connections for FREE! Now is the time to reserve your spot!
http://www.winconnections.com

* WHERE DO YOU GO BEFORE YOU TAKE YOUR MCSE EXAMS?
2000Tutor.com is the Web site where you need to be. We help you prepare for MCSE certifications as quickly and painlessly as possible. Take practice exams, study for certification, join your peers in our discussion forums, and get free tips and advice from the experts. Visit today!
http://www.2000tutor.com

4. ==== SECURITY ROUNDUP ====

* NEWS: CODE RED WORM READILY PENETRATES UNPATCHED WEB SERVERS
A new worm, Code Red, is making the rounds on the Internet. Code Red plays on an existing security-related bug in Microsoft IIS-based Web servers. Microsoft made a patch available for the bug on June 18, yet countless Web servers apparently remain unpatched--including Microsoft's own Windows Update Web site. An alert reader informed Windows 2000 Magazine yesterday that the worm had, in fact, penetrated the Windows Update site. The worm changes the home page of sites that it attacks to read, "Welcome to http://www.worm.com !, Hacked By Chinese!"
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21884

* NEWS: FACTOR A 576-BIT NUMBER AND EARN $10,000
RSA Labs launched a challenge designed to reveal the factors of particular types of large integers. RSA launched a similar Factoring Challenge in 1999, and this latest challenge will reward successful participants with cash prizes up to $200,000 for factoring a 2048-bit number. RSA will reward participants with lesser amounts for successfully factoring numbers with bit lengths that range from 576 bits to 1536 bits.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21923

* FEATURE: THE 7 HABITS OF HIGHLY AVAILABLE EXCHANGE SERVERS
Consulting about Microsoft Exchange Server availability is like watching the Looney Tunes' Wile E. Coyote: Watch for a while, and you can begin to predict the mistakes that lead to the falls. You also learn that the falls aren't as deadly as the pounding that follows close behind. After years of working with Exchange Server organizations, Evan Morris identified the factors that can lead to falls from high availability and the disaster recovery mistakes that can make these falls catastrophic. Inspired by Stephen R. Covey's bestseller The Seven Habits of Highly Effective People (Simon & Schuster, 1999), Evan has identified seven factors that help organizations prevent Exchange Server system failures and maintain high availability.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21519

* FEATURE: NETWORK TROUBLESHOOTING WITH A POCKET PC
Portable computers can be valuable network troubleshooting tools. Joshua Orrison recently tested the practicality of using his Compaq iPAQ Pocket PC as a troubleshooting tool. Using an Ethernet adapter that plugs into the device's optional expansion pack, Joshua easily connected to a hub in our networks' demilitarized zone (DMZ). He then used Ruksun Software Technologies' Telnet Force and Net Force programs (for Windows CE-based mobile computing devices) to perform several network troubleshooting tasks. Read all about it in Joshua's article on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21515
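The Code Red news item above, and the .idq/.ida mapping bug raised in the Commentary, both come down to requests that reach the Index Server ISAPI mappings on an IIS box. The following is an added example by this edition's editor, not code from the newsletter, Microsoft or Critical Watch, showing how an administrator can sweep an IIS W3C extended log for such requests and rank the sending addresses. It assumes the log carries a #Fields directive (column order is read from it, not hard-coded), the QUERY_LIMIT threshold is the editor's choice, and the log lines are constructed samples.

```python
"""Scan IIS W3C extended log lines for requests that reach the .ida/.idq
(Index Server ISAPI) mappings that the Code Red worm exploits, and tally the
clients sending overlong queries to them.

Added example by the editor, not from the newsletter, Microsoft or Critical
Watch. Assumptions not stated on the page: logs are in W3C extended format
with a #Fields directive, and a query string longer than QUERY_LIMIT bytes
aimed at an .ida/.idq stem is treated as an overflow attempt. The log lines
below are constructed samples.
"""
from collections import Counter

SUSPECT_EXTENSIONS = (".ida", ".idq")
QUERY_LIMIT = 200  # assumption: real Index Server queries are far shorter than this

# Constructed: a long filler run followed by encoded bytes, the shape of an
# overflow attempt against the .ida mapping.
OVERLONG_QUERY = "N" * 240 + "%u9090%u6858%ucbd3"

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 12:00:01 10.0.0.7 GET /default.htm - 200
2001-07-19 12:00:05 192.0.2.44 GET /default.ida {q} 200
2001-07-19 12:00:09 10.0.0.7 GET /images/logo.gif - 200
2001-07-19 12:00:12 192.0.2.44 GET /default.ida {q} 200
2001-07-19 12:01:30 198.51.100.9 GET /query.idq CiTemplate=search 200
""".format(q=OVERLONG_QUERY)


def parse_w3c(lines):
    """Yield one dict per entry, keyed by the names in the latest #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")  # W3C logs encode spaces inside fields as '+'
        if len(parts) != len(fields):
            continue  # malformed entry: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(entry):
    """Return 'overflow-attempt', 'isapi-mapping-hit' or None for one entry."""
    stem = entry.get("cs-uri-stem", "").lower()
    if not stem.endswith(SUSPECT_EXTENSIONS):
        return None
    query = entry.get("cs-uri-query", "-")
    if query != "-" and len(query) > QUERY_LIMIT:
        return "overflow-attempt"
    return "isapi-mapping-hit"


def scan(lines):
    """Return a list of findings (dicts) for every .ida/.idq request in the log."""
    findings = []
    for entry in parse_w3c(lines):
        kind = classify(entry)
        if kind is not None:
            findings.append({
                "when": "%s %s" % (entry.get("date", "?"), entry.get("time", "?")),
                "client": entry.get("c-ip", "?"),
                "stem": entry.get("cs-uri-stem", "?"),
                "kind": kind,
            })
    return findings


def attackers(findings):
    """Count overflow attempts per client address."""
    return Counter(f["client"] for f in findings if f["kind"] == "overflow-attempt")


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print("%(when)s %(client)-14s %(kind)-18s %(stem)s" % f)
    for ip, n in attackers(results).most_common():
        print("%s sent %d overflow attempt(s)" % (ip, n))
```

On a server that does not use Index Server, any hit on an .ida or .idq mapping is worth a look by itself; the sweep tells you which hosts were probing, not whether they succeeded, since IIS logs the request either way. The June 18 patch and removing the mappings (what the Critical Watch utility in the Commentary does) are the actual fixes.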
5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: HACK ATTACKS REVEALED: A COMPLETE REFERENCE WITH CUSTOM SECURITY HACKING TOOLKIT
By John Chirillo
List Price: $59.99
Fatbrain Online Price: $47.99
Softcover; 944 pages
Published by John Wiley & Sons, May 2001
ISBN 047141624X
For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=047141624X
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.windowsitsecurity.com/panda

Virus Alert: W32/Sircam
W32/Sircam is a worm that propagates through email by sending itself to all the addresses found in the infected user's Outlook Address Book. After the worm infects a system, it modifies the Windows Registry to ensure its execution every time a user runs an .exe file. One of every 10 times the worm will delete some data from the computer's hard disk.
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1104

* FAQ: DOES WINDOWS 2000 INCLUDE AN UPDATE OF THE CHKDSK APPLICATION?
(contributed by Bob Chronister, http://www.windows2000faq.com)

A. Win2K, Windows NT 4.0 Service Pack 5 (SP5), and NT 4.0 SP6 introduced several new NTFS switches for Chkdsk. The /i switch performs a moderate check of index entries, and the /c switch stops checking cycles within the directory structure. I don't recommend using either switch because they circumvent important file checks. The /x switch, which Win2K introduced, dismounts a drive, then runs Chkdsk /f on the drive. However, the /x switch doesn't work with the boot volume, and you can't lock the volume (although the switch dismounts it).
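The W32/Sircam alert above notes that the worm edits the registry so that it runs whenever a user launches an .exe file. The following added example, written by the editor and not taken from the newsletter or Panda Software, shows how to audit the .exe file association for that kind of hijack from an exported .reg file and, on Windows, from the live registry. The hook point it inspects (the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, whose stock value is "%1" %*) is the editor's assumption rather than something the alert states, both .reg samples are constructed, and the dropper path in the hijacked one is a placeholder.

```python
r"""Check whether the .exe file association has been hijacked so that another
program runs every time a user launches an .exe, the persistence technique the
W32/Sircam alert describes.

Added example by the editor, not from the newsletter or Panda Software.
Assumption not stated on the page: the hook point inspected is the default
value of HKEY_CLASSES_ROOT\exefile\shell\open\command, whose stock value is
"%1" %*. Both .reg exports below are constructed samples; the dropper path in
the hijacked one is a placeholder, not a real indicator.
"""
import sys

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_COMMAND = '"%1" %*'

# Constructed: what a regedit export of the key looks like on a clean machine.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed: the same key with a launcher wrapped around the stock value.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\RECYCLED\\EXAMPLE_DROPPER.EXE\" \"%1\" %*"
'''


def reg_unquote(token):
    r"""Decode a quoted REG_SZ value from .reg syntax (\" and \\ escapes)."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("not a quoted string value: %r" % token)
    body = token[1:-1]
    out = []
    i = 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def exefile_command_from_export(text):
    """Return the default value under EXEFILE_KEY in a .reg export, or None if absent."""
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == EXEFILE_KEY.lower()
        elif in_key and line.startswith("@="):
            return reg_unquote(line[2:])
    return None


def is_hijacked(command):
    """True unless the command is exactly the stock "%1" %* launcher."""
    if command is None:
        return True  # no default value: .exe launch is broken or redirected; treat as suspect
    return command.strip() != EXPECTED_COMMAND


def live_exefile_command():
    """Read the value from the live registry on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard library module
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" names the default value
    return value


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        cmd = exefile_command_from_export(export)
        print("%-8s %-45r hijacked=%s" % (label, cmd, is_hijacked(cmd)))
    live = live_exefile_command()
    if live is not None:
        print("%-8s %-45r hijacked=%s" % ("live", live, is_hijacked(live)))
```

The same check applies to any file-type association a worm might hook; the point is that the only legitimate launcher here is "%1" %*, so anything wrapped around it deserves a look. When cleaning up, restore this value before deleting the program it points at, otherwise .exe files stop launching on that machine.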
6. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, productsat_private)

* MONITOR YOUR WEB SERVER
Cimcor released CimTrak Web Security Edition, a security system that provides Web-server monitoring against intruders and features automated countermeasures for immediate recovery. The system consists of the WebMonitor, which resides on the Web server, and a CimTrak server. The software program creates a unique digital signature of the Web server files to store on the CimTrak server with a master repository of all crucial files. The monitor compares the digital signatures of the Web server and the CimTrak repository and notifies the administrator if the two signatures differ. CimTrak Web Security Edition supports Microsoft IIS for Windows 2000 and Windows NT and costs $2000 for the basic package. Contact Cimcor at 219-736-4400 or 877-424-6267.
http://www.cimcor.com

* SECURE EXCHANGE 2000 SERVER
GROUP Software released securiQ Suite, a server-based security application for Microsoft Exchange 2000 Server that features five modules:
(1) Watchdog protects against malicious attacks on email and databases and disarms viruses at their core file structure.
(2) Wall scans and checks email content to protect against confidentiality breaches and features spam and junk mail detection and prevention.
(3) Trailer adds a legal disclaimer to outgoing email messages to maintain legal security.
(4) Safe copies all email traffic and archives the messages for legal protection and quality control.
(5) Crypt provides centralized, server-based email encryption with Pretty Good Privacy (PGP).
For pricing, contact GROUP Software at 508-473-9940 or 877-476-8755.
http://www.group-software.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: API Call to LogonUser Across Firewall
(Five messages in this thread)
William saw something unusual in the logs today.
He noticed that someone tried to log on to the network using AdvAPI, which Microsoft says is an API call to LogonUser. The authentication attempt came against the email and Web server, which leads him to believe that the logon attempt came in through one of the pinholes in the firewall, which exposes ports 25, 80, and 443 to that one server. Read more about the problem and the responses, or lend a hand at the following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=73116

* HOWTO MAILING LIST
http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: Turning Down a BDC
(Eleven messages in this thread)
This user is in the process of closing down remote offices that have server gear. Due to special circumstances, the user will auction off server gear when its data has been completely pulled and migrated. One of the servers is a BDC, and instead of shutting down the BDC and shipping it off to the auctioneers, the user wants to ensure the system has no recoverable information. However, the user doesn't have physical access to the systems at the remote office and would like to be able to wipe the system's sensitive information remotely. Can you help? Read the responses or lend a hand at the following URL:
http://63.88.172.96/go/page_listserv.asp?A2=IND0107C&L=HOWTO&P=869

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? -- emedia_oppsat_private

********************
Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATEat_private

If you have questions or problems with your UPDATE subscription, please contact securityupdateat_private

___________________________________________________________
Copyright 2001, Penton Media, Inc.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 04:57:30 PDT