********************
Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

BindView Corporation
http://go.win2000mag.net/UM/T.asp?A2153.23115.1316.1.532985

Ultimate Hacking: Hands On - NT/2000 Security
http://go.win2000mag.net/UM/T.asp?A2153.23115.1316.3.532985
(below SECURITY RISKS)

~~~~~~~~~~~~~~~~~~~~

~~~~ BINDVIEW CORPORATION ~~~~
Security is the key issue in today's interconnected world and BindView is right on top of it with a new, highly informative eBook, The Definitive Guide to Windows 2000 Security. This eBook covers all the bases of a comprehensive security methodology for your Microsoft Windows 2000 environment. It's heavy into the detail of what goes into a great IT security system, and is specifically geared for Windows 2000 platforms. Written by Paul Cooke, an Information Security professional with more than 10 years' experience developing and deploying security solutions, the tips, tricks, and info packed into this volume are priceless! Get it FREE at
http://go.win2000mag.net/UM/T.asp?A2153.23115.1316.1.532985

********************

August 15, 2001--In this issue:

1. COMMENTARY
   - 802.11 Wireless Networks: Is Yours Really Safe?

2. SECURITY RISKS
   - Internal IP Address Disclosure in IIS SSL

3. ANNOUNCEMENTS
   - What Key Weapon Is Missing from Your Security Arsenal?
   - Visit the New Connected Home Web Site!

4. SECURITY ROUNDUP
   - News: Code Red Reveals New Security Hole in IIS
   - News: Microsoft Releases Post-SP6a Security Rollup Package
   - News: Vigilinx Joins RSA Secured Partner Program
   - News: Riptech Expands Operations
   - Feature: Exchange 2000 SP1 Adds New Functionality to the Migration Wizard

5. HOT RELEASES (ADVERTISEMENTS)
   - CyberwallPLUS Server Resident Security
   - Sponsored by Thawte

6. SECURITY TOOLKIT
   - Book Highlight: Surviving Security: How to Integrate People, Process and Technology
   - Virus Center
      - Virus Alert: Win2K/Stream
   - FAQ: How Do I Enable and Disable Windows XP's System Restore Feature?

7. NEW AND IMPROVED
   - Security System
   - Close Security Holes

8. HOT THREADS
   - Windows 2000 Magazine Online Forums
      - Featured Thread: Installing IIS for a Standalone Certificate Server
   - HowTo Mailing List
      - Featured Thread: Trouble with Network Authentication on Laptops

9. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

Do you use an 802.11-based wireless LAN? If so, are you aware of several security problems in the Wired Equivalent Privacy (WEP) protocol (used in 802.11-based wireless LANs) that can compromise your network? WEP is part of the IEEE 802.11 standard and uses the RC4 encryption algorithm with a 40-bit key to encrypt network traffic. During the past several months, we've published two stories about vendor support for WEP and two stories about several WEP protocol security risks--see the URL below to locate the stories. Recently, researchers have discovered two more security problems that let attackers easily crack WEP's RC4 encryption keys.
http://63.88.172.128/security/query.html?col=security&qt=wep

Three researchers (Scott Fluhrer, Itsik Mantin, and Adi Shamir) published "Weaknesses in the Key Scheduling Algorithm of RC4" (linked below), a paper which the three men say proves that "RC4 is completely insecure in a common mode of operation which is used in the widely deployed [WEP] protocol." The document outlines two vulnerabilities. The first vulnerability stems from the fact that a small number of secret encryption key bits determine a large number of subsequent key permutation bits. An intruder can use the second weakness to determine the secret part of a key by analyzing particular aspects of encryption key streams.
http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf

Although the paper is very technical--people without a significant understanding of cryptography and mathematics might find the paper difficult to comprehend--it reminds us not to depend on only one security method. If you rely on WEP to protect sensitive wireless-network traffic, you're a sitting duck. Until the IEEE adopts revamped encryption specifications for the 802.11 standard (which it's in the process of doing), we can't depend on the standard to offer any significant information security.

Exploits exist already for some of the WEP vulnerabilities--don't think that cracking your wireless LAN takes a rocket scientist. For example, over the weekend, Anton Rager posted Perl scripts (available at the URL below) to the BugTraq mailing list that help demonstrate and validate the claims the three researchers make in the paper. The code base functionality is limited but clearly proves that penetrating WEP-based network security doesn't take much effort.
http://sourceforge.net/projects/wepcrack

Although protecting your WEP-enabled network against intrusion isn't difficult, it does take some effort. One of the most effective security measures you can take is to implement a VPN between all systems that communicate over the wireless network. This setup means that if you have WEP enabled on your wireless LAN and an intruder subsequently cracks WEP on your LAN, then any underlying VPN protocols will still probably protect your network. It's also a good idea to use a media access control (MAC) address to restrict access to your wireless network hubs. This configuration ensures that only authorized network cards can communicate on your wireless network.

If you need another reason to better protect your wireless LANs, remember that wireless LANs operate based on radio technology, and radio signals often stray well beyond their intended boundaries.
For example, take a laptop computer with an 802.11-based wireless network card, configure the machine to run a DHCP client, and take the laptop with you as you drive around heavily populated business districts or walk around inside large office buildings. You might be surprised to find a few wireless LANs are wide open to the public. If you don't guard against unknown wireless connections, someone will use your wireless network without your knowledge--and who knows what kind of trouble that can lead to?

Before I sign off this week, I want to remind you to patch all your systems--especially laptops--to protect them from the Code Red worms. Be sure to review our article related to Microsoft security bulletin MS01-033 (see the URL below for details). I mention this warning again because many companies have overlooked patching their laptops. Some laptops have Microsoft Internet Information Services (IIS) 5.0 running on top of Windows 2000 Professional, and as you know, IIS 5.0 is vulnerable to Code Red. When these unpatched laptops connect to the Internet using a connection outside the company's protected internal LAN, they become vulnerable to Code Red infection. A Code Red-infected system can spread the worm back into a company's internal LAN when a user reconnects the system to the LAN. So be sure to patch your Win2K-based laptop systems.
http://www.WindowsITsecurity.com/articles/index.cfm?articleid=21503

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* INTERNAL IP ADDRESS DISCLOSURE IN IIS SSL
By connecting manually to Secure Sockets Layer (SSL) TCP port 443 using OpenSSL or a similar tool, an attacker can obtain the internal IP address or NetBIOS name of the Web server. The attacker can exploit the vulnerability by using an HTTP/1.1 GET request instead of an HTTP/1.0 GET request. Microsoft has not released a fix or workaround for this problem.
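A defender-side check for the disclosure described above, as an added example that is not part of the original newsletter: it scans a saved response from your own HTTPS server for RFC 1918 addresses and dot-less machine names in the headers. The advisory does not say which header carries the leak, so the header names, the constructed sample responses and the function names are assumptions.

```python
import ipaddress
import re

# RFC 1918 private ranges: one of these in a response sent to an Internet
# client reveals internal addressing.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Assumption: headers in which a server writes absolute URLs about itself.
URL_HEADERS = ("location", "content-location")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = [tuple(p.strip() for p in l.split(":", 1))
               for l in lines[1:] if ":" in l]
    return lines[0], [(n.lower(), v) for n, v in headers]


def find_disclosures(raw, public_host):
    """Return (header, kind, value) for each internal identifier found."""
    findings = []
    for name, value in parse_headers(raw)[1]:
        for m in IPV4_RE.finditer(value):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:          # e.g. 999.1.1.1 is not an address
                continue
            if any(ip in net for net in RFC1918):
                findings.append((name, "internal-ip", str(ip)))
        if name in URL_HEADERS:
            for m in HOST_RE.finditer(value):
                host = m.group(1).lower()
                # A dot-less host that is not the public name looks like a
                # NetBIOS or machine name.
                if "." not in host and host != public_host.lower():
                    findings.append((name, "single-label-host", host))
    return findings


# Constructed sample responses (not captured from a real server).
LEAK_IP = ("HTTP/1.1 302 Object Moved\r\nServer: Microsoft-IIS/5.0\r\n"
           "Location: https://10.1.2.3/secure/\r\nContent-Length: 0\r\n\r\n")
LEAK_NAME = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
             "Content-Location: https://WEBSRV01/Default.htm\r\n\r\n<html>")
CLEAN = ("HTTP/1.1 302 Object Moved\r\n"
         "Location: https://www.example.com/secure/\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("ip", LEAK_IP), ("name", LEAK_NAME), ("clean", CLEAN)):
        print(label, find_disclosures(raw, "www.example.com"))
```

Run it against responses saved for both an HTTP/1.0 and an HTTP/1.1 GET, since the advisory ties the leak to the request version.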
http://www.WindowsITsecurity.com/articles/index.cfm?articleid=22095

~~~~~~~~~~~~~~~~~~~~

~~~~ ULTIMATE HACKING: HANDS ON – NT/2000 SECURITY ~~~~
If you're running a Windows network, then this is the intensive 3-day course with everything a hacker knows...that you'll need to know! Our hands-on class, based on real world consultant experience and Foundstone's best-seller "Hacking Exposed," provides a dynamic environment to learn this security knowledge. As a Specialist in Microsoft's Security Services Partner Program, Foundstone knows hacking, security and Microsoft. Register now for the class in New York City, September 25-27, and Irvine, California, December 11-13.
http://go.win2000mag.net/UM/T.asp?A2153.23115.1316.3.532985

~~~~~~~~~~~~~~~~~~~~

3. ==== ANNOUNCEMENTS ====

* WHAT KEY WEAPON IS MISSING FROM YOUR SECURITY ARSENAL?
The best IT security defense starts with a subscription to Security Administrator. Each month, this print newsletter delivers detailed instructions to help make your Windows 2000/NT environment more tamper resistant. Get in-depth information on configuring a secure firewall, setting up group policies, and much more. Subscribe today--before it's too late!
http://www.secadministrator.com/sub.cfm?code=saei251gsa

* VISIT THE NEW CONNECTED HOME WEB SITE!
The people who bring you Connected Home EXPRESS have launched a new Web site! Get how-to tips and tricks to help you with home networking, home theater, audio, and much more. While you're there, sign up (for free!) for the first issue of Connected Home Magazine, coming in late October. Check it out!
http://www.connectedhomemag.com

4. ==== SECURITY ROUNDUP ====

* NEWS: CODE RED REVEALS NEW SECURITY HOLE IN IIS
As the Code Red II worm spread across the Internet last week, users reported that their Web systems were suffering Denial of Service (DoS) attacks--even after they had installed the Microsoft IIS patch recommended in bulletin MS01-033.
Users notified Microsoft about the problem, and the company is now working on a patch.
http://www.WindowsITsecurity.com/articles/index.cfm?articleid=22120

* NEWS: MICROSOFT RELEASES POST-SP6A SECURITY ROLLUP PACKAGE
Although Microsoft decided to cancel the development and release of Windows NT 4.0 Service Pack 7 (SP7), the company is releasing security-related hotfixes for that OS. To make applying those security hotfixes easier, Microsoft recently released the Post-SP6a Security Rollup Package.
http://www.WindowsITsecurity.com/articles/index.cfm?articleid=22121

* NEWS: VIGILINX JOINS RSA SECURED PARTNER PROGRAM
Vigilinx today announced a strategic partnership with RSA Security. Under the partnership agreement, Vigilinx joins the RSA Secure Partner Program as a consultant and system integrator. RSA awarded Vigilinx its "RSA Secured Keon Ready" certificate, which signifies that Vigilinx products are compatible with RSA Security's products. RSA Security will help train Vigilinx consultants to integrate RSA Keon software into customer solutions.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=22133

* NEWS: RIPTECH EXPANDS OPERATIONS
Riptech, a managed security-services provider, has opened a new office in New York and expanded its facilities in San Jose, California. Riptech also named Ken Legge as vice president of business development for the company's eastern region.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=22134

* FEATURE: EXCHANGE 2000 SP1 ADDS NEW FUNCTIONALITY TO THE MIGRATION WIZARD
Exchange 2000 Server Service Pack 1 (SP1) included many bug fixes and patches that Exchange administrators have been waiting for. Exchange 2000 SP1 also added a great new feature to the Exchange Migration Wizard--something that many of you might not be aware of.
http://www.exchangeadmin.com/articles/index.cfm?articleid=22100

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* CYBERWALLPLUS SERVER RESIDENT SECURITY
Were your Windows NT/2000 web servers hit by the Code Red Worm? Are there other important servers still at risk? Use CyberwallPLUS server-class firewall and intrusion prevention software as your last line of defense when perimeter security is no longer enough. Free 30-day evaluation -
http://go.win2000mag.net/UM/T.asp?A2153.23115.1316.5.532985

* SPONSORED BY THAWTE
FREE Apache SSL Guide from Thawte Certification. Do your online customers demand the best available protection of their personal information? Click here for your FREE certification guide:
http://go.win2000mag.net/UM/T.asp?A2153.23115.1316.6.532985

6. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: SURVIVING SECURITY: HOW TO INTEGRATE PEOPLE, PROCESS AND TECHNOLOGY
By Mandy Andress
List Price: $39.99
Fatbrain Online Price: $31.99
Softcover; 525 pages
Published by Sams, July 2001
ISBN 0672321297

For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0672321297
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.WindowsITsecurity.com/panda

Virus Alert: Win2K/Stream
Win2K/Stream is the first virus to exploit Windows 2000's ability to divide a file into streams: a single file can contain several streams, and each stream is identified as a "file." Once the virus is active, it infects all .exe files in the current directory, and the infected files lose their respective icons. For complete details on this virus, be sure to visit our Web site.
http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusid=559

* FAQ: HOW DO I ENABLE AND DISABLE WINDOWS XP'S SYSTEM RESTORE FEATURE?
( contributed by John Savill, http://www.windows2000faq.com )

System Restore (i.e., restorept.api) is a new Windows XP feature that's similar to Last Known Good Configuration. However, System Restore maintains multiple restore points instead of one last-restore point. The user can manually create restore points, or System Restore can keep restore points during the following operations:

- Installing new software, if the application uses a current installer that is System-Restore compliant
- Using AutoUpdate
- During a restore operation
- During a Microsoft backup or recovery operation
- Installing an unsigned driver
- Automatically following 24 hours of inactivity

By default, System Restore monitors all partitions. So, for example, if you delete an executable file, you can have the system state revert to a specific restore point to recreate or repair the executable file. When you revert to a restore point, however, you lose all changes since that point, except for changes to files in the My Documents folder and documents you've created with applications such as Microsoft Word and Microsoft Excel.

If you use System Restore and don't like the new system state, you can undo the process and restore the machine to the system state it had before you ran System Restore. Alternatively, you can run System Restore to change the system state to a different restore point. To enable or disable System Restore, follow the steps in our FAQ.
http://www.windows2000faq.com/articles/index.cfm?articleid=22059

6. ========== NEW AND IMPROVED ==========
(contributed by Scott Firestone, IV, productsat_private)

* SECURITY SYSTEM
NFR Security released NFR Network Intrusion Detection-200 (NID-200), a system that monitors networks and responds to suspicious activity (e.g., too many attempts to match a password, port scans, debilitating ping floods, and back-entry device planting).
The system provides a set of customizable default alerts, including an annotation describing the alert, common industry responses, and a field for your company's policy explaining what action you should take. For pricing, contact NFR Security at 240-632-9000.
http://www.nfr.com

* CLOSE SECURITY HOLES
ElcomSoft released Advanced NT Security Explorer (ANTExp), security software that lets you use passwords to identify and close security holes in your networks. The software executes a comprehensive audit of account passwords and exposes insecure account passwords. You can also use ANTExp to recover lost passwords and access a user's Windows account. The software runs on Windows 2000, Windows NT, Windows Me, and Windows 9x systems. ANTExp costs $49 for a personal license, $149 for a business license, and $399 for a universal license. Contact ElcomSoft at supportat_private
http://www.elcomsoft.com/antexp.html

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: Installing IIS for a Standalone Certificate Server
(Four messages in this thread)

A user wants to set up a standalone root Certificate Authority (CA) server. However, he doesn't want to install IIS because of all the security issues and wonders whether this CA setup is available without IIS installed. Read more about the problem and the responses, or lend a hand at the following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=73867

* HOWTO MAILING LIST
http://www.WindowsITsecurity.com/go/page_listserv.asp?s=howto

Featured Thread: Trouble with Network Authentication on Laptops
(Two messages in this thread)

An administrator has configured his network so that a user must authenticate to a domain controller (DC) to log on to a machine. However, this presents a problem for mobile users (e.g., those with laptops) who can't log on to their systems when they aren't connected to the local LAN. Do you know how to remedy this type of problem?
Read the responses or lend a hand at the following URL:
http://63.88.172.96/go/page_listserv.asp?a2=ind0108b&l=howto&p=777

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************

Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATEat_private

___________________________________________________________
Copyright 2001, Penton Media, Inc.

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.