[ISN] Security UPDATE, August 8, 2001

From: InfoSec News (isnat_private)
Date: Thu Aug 09 2001 - 04:35:02 PDT


    ********************
    Windows 2000 Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows 2000 and NT systems.
       http://www.secadministrator.com
    ********************
    
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    IBM Infrastructure
       http://go.win2000mag.net/UM/T.asp?A2153.23115.1296.1.532985
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ IBM INFRASTRUCTURE ~~~~
       Not worried about hackers? You should be. Because they can put your
    e-business out of business. If your customers don't feel comfortable
    dealing with you online, they'll work with someone else. With IBM
    infrastructure, you'll have the security your company needs to operate
    effectively and to keep your clients comfortable. Your networks and
    servers are the backbone of your company. It's time you treated them
    that way. In today's ever-changing e-environment, keeping network
    security tight is something that can't be ignored. So is keeping your
    clients happy. Find out more from our latest security white paper
    today.
       http://go.win2000mag.net/UM/T.asp?A2153.23115.1296.1.532985
    
    ********************
    
    August 8, 2001--In this issue:
    
    1. COMMENTARY
         - Surprise: Code Red II 
    
    2. SECURITY RISKS
         - Command History Vulnerability in Windows 2000 and Windows NT
    
    3. ANNOUNCEMENTS
         - Get 25 Percent Off Windows 2000 Magazine!
         - Tired of the Same Old Sales Pitch?
    
    4. SECURITY ROUNDUP
         - News: Code Red II Worm on the Loose
         - News: Orbit Secures DirecPC Satellite Internet Service
         - News: Government Mulls Requesting Court to Block Windows XP
    
    5. SECURITY TOOLKIT
         - Book Highlight: Counter Hack: A Step-By-Step Guide to Computer
    Attacks and Effective Defenses
         - Virus Center 
             - Virus Alert: W32/MSInit.A
         - FAQ: Do I Have to Call Microsoft If I've Lost My Windows 2000
    Server Terminal Services License Tokens?
         - Windows 2000 Security: Code Red and Proactive Security
    
    6. NEW AND IMPROVED
         - Detect Trojan Horses
         - Learn About ISA Server
    
    7. HOT THREADS
         - Windows 2000 Magazine Online Forums
             - Featured Thread: Unlocking Security Policy
         - HowTo Mailing List 
             - Featured Thread: How to Disable HTTP and SMTP Banner Version
    Information
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    1. ==== COMMENTARY ====
    
    Hello everyone,
       You've probably read the news by now: A new version of the Code Red
    worm, dubbed Code Red II, is spreading rapidly across the Internet. Is
    that news any surprise? The new Code Red worm is far more dangerous than
    previous versions--it spreads more effectively and also installs a
    Trojan horse that creates back doors within Microsoft IIS.
       On Monday, we posted a survey on our Windows 2000 Magazine Security
    Channel home page that asks whether any version of the Code Red worm has
    infected your systems. (See the list of resources at the end of this
    column for all related URLs.) As of today, 9 people have admitted that
    the worm has infected their systems. If you ask me, that's 9 too many.
    If you haven't patched your IIS systems to protect against the Code Red
    worm, this is the time to do so. You'll find a link to the Microsoft
    security bulletin MS01-033 and patch in the related news item in the
    Security Roundup section of this newsletter. Also, be sure to read Randy
    Franklin Smith's article, "Code Red and Proactive Security" on the
    Security Channel Web page--it's good advice. (See the first paragraph of
    his article and the URL to the Web site in the Security Toolkit section
    of this newsletter.)
       Speaking of patches, I've read several recent posts on the Bugtraq
    mailing list that indicate a problem might exist with the Microsoft
    patch listed in Microsoft Bulletin MS01-033. A few people have reported
    that after they installed the patch, their systems remain immune to Code
    Red infection. However, when an infected system attempts to connect to
    their system to infect it, several IIS services (e.g., FTP, the default
    Web site, the administrative Web site, and the proxy service) stop
    processing.
       In addition, users on our Win2KSecAdvice mailing list report that
    Code Red worm variants are affecting Cisco 600 series routers because
    the routers use a Web service on port 80. Users report that even when
    their systems run Cisco's latest firmware revision (which is generally CBOS
    2.4.2, depending on the router) and they have disabled the Web
    interface, the routers stop passing traffic when the worm confronts the
    routers. Some readers have suggested workarounds that help deter the
    effects of the Code Red worm.
       If you're interested in a detailed analysis of how the new Code Red
    II operates, read eEye Digital Security's Code Red II report, which we
    published on our Win2KsecAdvice mailing list last weekend. In addition,
    the Computer Emergency Response Team (CERT) has published a good
    overview of how the Code Red worm works. Until next time, have a great
    week.
    
    Resources:
      Security: Poll
      http://www.WindowsITsecurity.com
    
      Microsoft Bulletin MS01-033
      http://www.securityfocus.com/templates/archive.pike?list=1
    
      Win2KSecAdvice--Code Red II workarounds
      http://63.88.172.96/go/win2ks-l.asp?a1=ind0108a&l=win2ksecadvice
    
      eEye Digital Code Red II Report
      http://63.88.172.96/go/win2ks-l.asp?a2=ind0108a&l=win2ksecadvice&p=1173
    
      CERT Incident Note
      http://www.cert.org/incident_notes/IN-2001-09.html
    
    Sincerely,
    
    Mark Joseph Edwards, News Editor, markat_private
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * COMMAND HISTORY VULNERABILITY IN WINDOWS 2000 AND WINDOWS NT
       Siffredi Dani reported that a vulnerability exists in Windows 2000
    and Windows NT that lets a user crash the system by opening a command
    prompt, running certain commands (e.g., ping, dir), and pressing F7
    repeatedly during the command’s execution. Depending on the system's
    configuration, Win2K or NT will either reboot or display the blue screen
    common to system crashes. Microsoft is aware of the vulnerability but
    hasn't released a fix or workaround for this problem.
       http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22037
    
    3. ==== ANNOUNCEMENTS ====
    
    * GET 25 PERCENT OFF WINDOWS 2000 MAGAZINE!
       Every issue of Windows 2000 Magazine is packed with superb coverage
    of security, Active Directory (AD), disaster recovery, Exchange (and
    more!) and helps you navigate the rough waters of your job with ease.
    Subscribe now (at 25 percent off the regular rate) and find out why your
    peers think we're simply the best independent resource for Windows 2000
    and Windows NT professionals.
       http://www.win2000mag.com/sub.cfm?code=diee201gup
    
    * TIRED OF THE SAME OLD SALES PITCH?
       Now there's a better way to find the perfect IT vendor or
    solution--absolutely free! The IT Buyer's Network (ITBN) lets you search
    through thousands of vendor solutions. You'll love the ITBN's one-stop
    shopping approach for hardware, network and systems software, IT
    services, and much more. Visit the ITBN today.
       http://www.itbuynet.com
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: CODE RED II WORM ON THE LOOSE
       A new worm, dubbed Code Red II, is attacking Web servers and carries
    an entirely different payload from the original Code Red worm. eEye
    Digital Security performed a detailed analysis of the Code Red II worm
    after the SecurityFocus ARIS Project came forward with information about
    the new threat. Once inside a system, Code Red II creates files in the
    MSADC and SCRIPTS IIS-related directories. In addition, the worm creates
    a Trojan horse on the system by injecting binary code into the
    explorer.exe file, which runs the Win2K desktop.
       http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22054
    
    * NEWS: ORBIT SECURES DIRECPC SATELLITE INTERNET SERVICE
       Orbit Communications has released its new Orbitnet software, which
    uses a two-way satellite to connect a network of computers to the
    Internet through DirecPC's satellite Internet service. Targeted at small
    office/home office (SOHO) users, Orbitnet is a server-based application
    that's compatible with all Windows platforms. Orbitnet's server software
    runs on an Intel-based computer and provides network address translation
    (NAT), a firewall, a proxy server, and virus scanners. Orbit based the
    firewall on stateful packet-inspection technology that uses fine-grain
    control over a user's Internet access privileges.
       http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22042
    
    * NEWS: GOVERNMENT MULLS REQUESTING COURT TO BLOCK WINDOWS XP
       Quoting sources close to state and federal prosecutors, a report this
    weekend in The Washington Post said that the government is seriously
    considering asking the courts to block Windows XP's release or at least
    require Microsoft to modify the OS before releasing it. According to the
    report, lawyers from the offices of the New York, Wisconsin, and
    California attorneys general are conducting XP research. None of the
    parties involved will speak publicly about the government's legal
    strategy.
       http://www.wininformant.com/articles/index.cfm?articleID=22050
    
    5. ==== SECURITY TOOLKIT ====
    
    * BOOK HIGHLIGHT: COUNTER HACK: A STEP-BY-STEP GUIDE TO COMPUTER ATTACKS
    AND EFFECTIVE DEFENSES
       By Edward Skoudis
       List Price: $49.99
       Fatbrain Online Price: $39.99
       Softcover; 500 pages
       Published by Prentice Hall PTR, July 2001
       ISBN 0130332739
    
    For more information or to purchase this book, go to
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0130332739
    and enter WIN2000MAG as the discount code when you order the book.
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to
    bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
       http://www.WindowsITsecurity.com/panda
    
    Virus Alert: W32/MSInit.A
       W32/MSInit.A is a worm that uses a TCP/IP connection to access other
    systems. The worm searches for IP addresses at random. When the worm
    finds an IP address for a remote system that allows access to a disk
    where Windows is installed, the worm creates a copy of itself in the
    Windows\System directory of that remote system. The copy of the worm
    resides in a file named Wininit.exe.
       http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusID=798
    
    * FAQ: DO I HAVE TO CALL MICROSOFT IF I'VE LOST MY WINDOWS 2000 SERVER
    TERMINAL SERVICES LICENSE TOKENS?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. With Windows 2000 Server Terminal Services licenses, you must contact
    Microsoft to enable Client Access Tokens on the server. If you rebuild a
    Terminal Services license server, you typically must contact Microsoft
    to re-enable the licenses. However, Microsoft has released a hotfix at
    its Web site (see the first URL below) that lets you recover any future
    Client Access Licenses (CALs) that you apply. You must be running Win2K
    Service Pack 1 (SP1) or Win2K Service Pack 2 (SP2) to apply this fix. Be
    aware, however, that you'll still need to contact Microsoft to recover
    any CALs that you install before applying the hotfix if you have no
    backup of the license database. Microsoft has published a related news
    bulletin at the second URL below:
    
    http://support.microsoft.com/support/kb/articles/Q287/6/87.asp
    http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/tslichotfix.asp
    
    * WINDOWS 2000 SECURITY: CODE RED AND PROACTIVE SECURITY
       By now, you've probably read about the Code Red Web server worm and
    have loaded the fix on your Internet-connected Microsoft IIS servers.
    Unlike a typical desktop worm, such as Melissa, the Code Red worm
    spreads from one Web server to another. After infecting a Web server,
    Code Red temporarily defaces the home page before creating 99 threads
    that look for other Web servers to infect. However, because Code Red
    uses an exploit for which a patch has been available for some time, your
    systems might be safe. If you've practiced proactive security (e.g.,
    reading Microsoft security bulletins and loading recommended hotfixes on
    your Windows 2000 IIS servers), you were probably already protected from
    Code Red before its release. Read the rest of Randy Franklin Smith's
    article at the following URL:
       http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21967
    
    6. ==== NEW AND IMPROVED ====
       (contributed by Scott Firestone, IV, productsat_private)
    
    * DETECT TROJAN HORSES
       Greatis Software released RegRun II software to manage the Windows
    startup processes. RegRun II consists of eight subsystems for
    controlling programs that load from the registry or Windows system
    files. You can track and manage all startup processes to detect hidden
    Trojan horses, viruses, or other unauthorized programs. RegRun II runs
    on Windows 2000, Windows NT, Windows Me, and Windows 9x systems and
    costs $19.95 for a single-user license. Contact Greatis Software at
    a-teamat_private
       http://www.greatis.com
    
    * LEARN ABOUT ISA SERVER
       Microsoft Press released "MCSE Training Kit: Microsoft Internet
    Security and Acceleration Server 2000," a book that teaches you how to
    set up and support Microsoft Internet Security and Acceleration (ISA)
    Server 2000 to optimize network performance and security. Topics include
    installing ISA Server, configuring and troubleshooting ISA Server
    services, managing and troubleshooting policies and rules, configuring
    the client PC, and monitoring and managing ISA Server use. The 656-page
    book includes one CD-ROM and costs $59.99. Contact Microsoft Press at
    800-677-7377.
       http://mspress.microsoft.com
    
    7. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: Unlocking Security Policy
       (Three messages in this thread)
    
    A user needs to change the user rights in Windows 2000 Professional, but
    when he opens the Local Security Policy, all of the subheadings have a
    lock next to them. He already has administrator rights and is not on a
    domain. Also, he needs to know how to recover or retrieve his forgotten
    password in Win2K Pro. Read more about the problem and the responses, or
    lend a hand at the following URL:
       http://www.win2000mag.net/forums/rd.cfm?app=64&id=73704
    
    * HOWTO MAILING LIST
       http://www.WindowsITsecurity.com/go/page_listserv.asp?s=HowTo
    
    Featured Thread: How to Disable HTTP and SMTP Banner Version Info
       (Four messages in this thread)
    
    As you know, versioning information recovered from service banners can
    help an intruder determine a more effective way of penetrating a system.
    In most cases, it's wise to mask this information from prying eyes. A
    user on the HowTo mailing list wants to know how to remove Microsoft
    version information from the banners presented during typical HTTP and
    SMTP mail sessions. With Windows releases prior to Windows 2000, you
    could use a hexadecimal editor to edit the text strings within the
    binary file used to provide a service. However, with Microsoft system
    file protection technology in Win2K, it's more difficult to replace the
    text strings because the system file protection will notice those
    changes and revert to an original copy of the edited file. Can you help
    figure out how to effectively mask such banners? Read the responses or
    lend a hand at the following URL:
       http://63.88.172.96/go/page_listserv.asp?A2=ind0108A&L=howto&p=82
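
An added example, not part of the newsletter or the HowTo thread: a check an administrator can run over a captured HTTP response and SMTP greeting from their own server to confirm whether a banner still exposes a dotted version number after a masking change. The sample banners and the host name mail.example.test are constructed for illustration.

```python
import re

# Dotted version numbers such as 5.0 or 5.0.2195.2966
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")
# Response headers that commonly carry product/version strings
HTTP_HEADERS = ("server", "x-powered-by")

# Constructed samples: banners before and after masking
HTTP_BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
               "Content-Type: text/html\r\n\r\n<html></html>")
SMTP_BEFORE = ("220 mail.example.test Microsoft ESMTP MAIL Service, "
               "Version: 5.0.2195.2966 ready at Wed, 8 Aug 2001 10:00:00 -0700\r\n")
HTTP_AFTER = ("HTTP/1.1 200 OK\r\nServer: webserver\r\n"
              "Content-Type: text/html\r\n\r\n<html></html>")
SMTP_AFTER = "220 mail.example.test ESMTP ready\r\n"


def http_banner_fields(raw_response):
    """Return {header: value} for identifying headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    fields = {}
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in HTTP_HEADERS:
            fields[name.strip().lower()] = value.strip()
    return fields


def smtp_greeting(raw_session):
    """Return the 220 greeting text, joining multi-line replies (220-...)."""
    parts = []
    for line in raw_session.split("\r\n"):
        if not re.match(r"220[ -]", line):
            break
        parts.append(line[4:].strip())
        if line[3] == " ":                         # "220 " marks the last line
            break
    return " ".join(parts)


def audit(http_raw, smtp_raw):
    """List (source, banner, versions) for every banner that leaks a version."""
    banners = {f"http:{k}": v for k, v in http_banner_fields(http_raw).items()}
    banners["smtp:220"] = smtp_greeting(smtp_raw)
    findings = []
    for source, text in banners.items():
        versions = VERSION_RE.findall(text)
        if versions:
            findings.append((source, text, versions))
    return findings


if __name__ == "__main__":
    for label, h, s in (("before", HTTP_BEFORE, SMTP_BEFORE),
                        ("after", HTTP_AFTER, SMTP_AFTER)):
        print(label, audit(h, s))
```

The check only looks for dotted version numbers, so a banner that names the product without a version passes; extend `HTTP_HEADERS` or the pattern if your policy also forbids product names.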
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT THE COMMENTARY -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please
    mention the newsletter name in the subject line.
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
    Support at securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice. Subscribe to our other FREE email newsletters.
       http://www.win2000mag.net/email
    
    |-+-+-+-+-+-+-+-+-+-|
    
    Thank you for reading Security UPDATE.
    
    SUBSCRIBE
    To subscribe send a blank email to
    subscribe-Security_UPDATEat_private
    
    If you have questions or problems with your UPDATE subscription, please
    contact securityupdateat_private 
    ___________________________________________________________
    Copyright 2001, Penton Media, Inc.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    


