******************** Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and NT systems. http://www.secadministrator.com ******************** ~~~~ THIS ISSUE SPONSORED BY...15 MIN. LATER HE WAS IN THE PRINCIPAL'S OFFICE! ~~~~ http://lists.win2000mag.net/cgi-bin3/flo?y=eHMn0CJgSH0BVg0Kjq0AY ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: ...15 MIN. LATER HE WAS IN THE PRINCIPAL'S OFFICE! ~~~~ A high school network administrator installed Event Log Monitor on classroom servers to evaluate system performance. The next day, ELM alerted him that a student was trying to break into the system. Within 15 minutes, the would-be hacker was in the Principal's office waiting for his parents to arrive. Use Event Log Monitor to keep tabs on your security perimeter. Because these aren't the only computers teenagers like to hack into. For more information, visit http://lists.win2000mag.net/cgi-bin3/flo?y=eHMn0CJgSH0BVg0Kjq0AY ******************** September 5, 2001--In this issue: 1. IN FOCUS - Parasitic Computing 2. SECURITY RISK - Multiple Vulnerabilities in Mozilla Bugzilla 3. ANNOUNCEMENTS - New!! Get on the Fast Track with T-SQL Solutions! - Sound Off About Your Technical Training Needs! 4. SECURITY ROUNDUP - News: Grand Jury Indicts Russian Company and Programmer - News: New Worm Masquerades as Email from Microsoft Technical Support - News: Microsoft Confirms Tagging Beta XP CDs - News: Microsoft Releases IE 6 to Web - News: Microsoft Releases New IIS Lockdown Tool - Feature: Create Home Directories and Set NTFS Permissions with a Web Script - Review: bv-Control for Internet Security 3.0 5. HOT RELEASE (ADVERTISEMENT) - Sponsored by Verisign - The Internet Trust Company 6. SECURITY TOOLKIT - Book Highlight: Malicious Mobile Code: Virus Protection for Windows - Virus Center - Virus Alert: X97M/Laroux.DO - Tip: Resetting Lost Passwords 7. NEW AND IMPROVED - Extend Policy-Based Security to Remote Users - Fix Security Vulnerabilities and Stability Problems 8. HOT THREAD - Windows 2000 Magazine Online Forums - Featured Thread: Restricted Desktops 9. CONTACT US See this section for a list of ways to contact us. 1. ==== COMMENTARY ==== Hello everyone, Is there an end to the ways in which attackers can exploit a networked computer system? Probably not. I read an interesting story in the current issue of "Nature" magazine (see URL below) entitled "Parasitic Computing" that reveals yet another way intruders can attack networked systems. The article, written by three men from the University of Notre Dame, discusses a method of exploiting nuances of the TCP/IP protocol family to cause systems to unwittingly participate in a distributed computing effort (e.g., solving mathematical problems). Exploits of this type are possible by relying on the TCP checksum status of packets as mathematical indicators for a given formula. http://www.nature.com In summary, attackers construct packets that contain a candidate answer for a given math problem, then send the packets to remote systems that test the potential answer during normal packet checksum analysis. Because the attackers specifically construct the packets in a particular manner, when a target system receives that packet, the packet's checksum should succeed only when it contains the correct response to the mathematical problem. In this way, a system made to perform such computations responds back to the rogue client only when it actually has a correct answer to the problem. As an example, the story points out that the HTTP protocol is required to respond to all requests received. But in the case of this type of parasitic computing, the HTTP service won't understand a valid packet's message, so it will simply respond to the client that it didn't understand the request. The client can then interpret that response as an acknowledgement that the packet contained the answer to the mathematical problem. And it's unlikely that the HTTP service would log anything because the attacker didn't make a valid request, and the system never established a valid session. Interesting, don't you think? But don't worry about stolen CPU cycles too much just yet. The proof-of-concept the story presents--by the authors' own admission--isn't efficient enough to be useful for a practical exploit. Nevertheless, the authors point out that any impracticality is a function of the limitations in their proof-of- concept and not necessarily reflective of limitations of the overall concept of parasitic computing. It's entirely possible to develop a program that more efficiently exploits checksum analysis, and guarding against that type of unauthorized CPU usage is difficult. Read the story and tell me know what you think. On another note, in the August 15 Security UPDATE, I reported that Microsoft had released its new Post-Service Pack 6a (SP6a) Security Rollup Package (SRP). Since that time, I've received numerous email messages about a serious problem with the SRP. In some cases, when you uninstall the SRP, the system no longer boots properly. This problem occurs on systems that have SYSKEY installed to protect the SAM database. The NTBugTraq mailing list recently posted a workaround for this problem. A list member reports that to successfully uninstall the SRP, you must first edit the associated uninst.inf file (located in the \%SYSTEMROOT%\$NtUninstallQ299444$ directory) to remove the entries for the lsasrv.dll and samsrv.dll files, which are located in the section labeled [systemroot\system32.restore.nodely.files]. After you remove the entries, you can safely uninstall the SRP without causing the system to hang during its boot phase. Before I sign off this week, I want to ask if you've seen our monthly Security Administrator print newsletter? If you haven't, you're missing some really good content! In the current issue (September 2001), you'll find articles about manipulating services with scripts; securing Windows 2000 certificate services; removing C-2 compliant settings; securing private key storage, remote procedure call (RPC), and firewall configuration; properly applying security settings in Group Policy Objects (GPOs); tips on using IP Security (IPSec); and much more. Stop by our home page (see the URL below), and sign up for a free sample issue. It's a great resource! Until next time, have a great week. http://www.secadministrator.com Sincerely, Mark Joseph Edwards, News Editor, markat_private 2. ==== SECURITY RISK ==== (contributed by Ken Pfeil, kenat_private) * MULTIPLE VULNERABILITIES IN MOZILLA BUGZILLA Multiple vulnerabilities exist in the Bugzilla Web-based bug-tracking system available from Mozilla.org, some of which include unauthorized access to confidential information and passwords being stored in plain text. Mozilla.org has released version 2.14, which fixes the vulnerabilities. http://www.secadministrator.com/articles/index.cfm?articleid=22374 3. ==== ANNOUNCEMENTS ==== * NEW!! GET ON THE FAST TRACK WITH T-SQL SOLUTIONS! T-SQL Solutions, a monthly print newsletter from SQL Server Magazine, provides practical advice and multilevel code examples geared to SQL Server developers and administrators. T-SQL Solutions features exclusive content, how-to articles, tips, tricks, and programming techniques offered by SQL Server experts. Reserve your FREE sample issue today. http://www.sqlmag.com/sub.cfm?code=ftei311htw * SOUND OFF ABOUT YOUR TECHNICAL TRAINING NEEDS! Windows 2000 Magazine is conducting a short survey designed to measure your technical training experiences and requirements. Don't miss this opportunity to weigh in with your peers. Tell us what you think today! http://www.zoomerang.com/survey.zgi?Y14DPBV26XRDTSK8FB9E8EV0 4. ==== SECURITY ROUNDUP ==== * NEWS: GRAND JURY INDICTS RUSSIAN COMPANY AND PROGRAMMER On August 27, a US grand jury handed down a five-count indictment that charges Russian company Elcomsoft and one of its programmers, Dmitry Sklyarov, with trafficking and conspiracy to traffic devices that circumvent copyright protections. Go to the following URL to learn more. http://www.secadministrator.com/articles/index.cfm?articleid=22334 * NEWS: NEW WORM MASQUERADES AS EMAIL FROM MICROSOFT TECHNICAL SUPPORT Antivirus software-maker Central Command issued a warning on August 30 about a newly discovered worm that masquerades as an email from Microsoft Technical Support. See the URL below for more details. http://www.secadministrator.com/articles/index.cfm?articleid=22335 * NEWS: MICROSOFT CONFIRMS TAGGING BETA XP CDS In a message to security expert Steve Gibson, Microsoft admitted on August 28 that it had secretly tagged the Windows XP downloads for technical beta testers to catch the software pirates who had been giving out builds of the product for the past year. http://www.secadministrator.com/articles/index.cfm?articleid=22311 * NEWS: MICROSOFT RELEASES IE 6 TO WEB Microsoft has released a version of Internet Explorer (IE) that users can download free from the Web. IE 6 arrives with a little controversy-- the browser lacks support for the older Netscape-compatible plug-ins. http://www.secadministrator.com/articles/index.cfm?articleid=22292 * NEWS: MICROSOFT RELEASES NEW IIS LOCKDOWN TOOL Microsoft released a new security tool called IIS Lockdown that lets users quickly secure a Microsoft Internet Information Services (IIS) 5.0 or Internet Information Server (IIS) 4.0 system. http://www.secadministrator.com/articles/index.cfm?articleid=22304 * FEATURE: CREATE HOME DIRECTORIES AND SET NTFS PERMISSIONS WITH A WEB SCRIPT In his feature for our Win32 Scripting Newsletter, Ethan Wilansky offers a Web script that displays a Web form that Help desk operators can use to create home directories and set NTFS permissions. The script uses a variety of scripting technologies, including Windows Management Instrumentation (WMI). http://www.secadministrator.com/articles/index.cfm?articleid=22048 * REVIEW: BV-CONTROL FOR INTERNET SECURITY 3.0 BindView's bv-Control for Internet Security 3.0 is a high-end security-management product designed to be a small to midsized network's first line of defense against security breaches. BindView has built bv- Control for Internet Security on the battle-proven architecture of its bv-Control network-management suite. Learn all about it in Jonathan Chau's review on our Web site! http://www.secadministrator.com/articles/index.cfm?articleid=21860 5. ==== HOT RELEASE (ADVERTISEMENT) * SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY Which security solution is right for your Web site? Get your FREE guide, "Securing Your Web Site For Business," to learn the facts. In the guide, find solutions for: * Encrypting online transactions * Securing corporate intranets http://lists.win2000mag.net/cgi-bin3/flo?y=eHMn0CJgSH0BVg0Kjr0AZ 6. ==== SECURITY TOOLKIT ==== * BOOK HIGHLIGHT: MALICIOUS MOBILE CODE: VIRUS PROTECTION FOR WINDOWS By Roger A. Grimes Fatbrain Online Price: $27.96 Softcover; 400 pages Published by O'Reilly & Associates, August 2001 ISBN 156592682X For more information or to purchase this book, go to link at the end of this book highlight and enter WIN2000MAG as the discount code when you order the book. http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=156592682X * VIRUS CENTER Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda Virus Alert: X97M/Laroux.DO X97M/Laroux.DO is a macro virus that infects Microsoft Excel 97 spreadsheets. The virus creates a file called vera.xls in the Excel 97 Startup directory. When a user runs Excel, vera.xls automatically loads and infects any other Excel files used from that point on. http://126.96.36.199/panda/Index.cfm?fuseaction=virus&virusid=883 * TIP: RESETTING LOST PASSWORDS (contributed by Wu Wen Long, wuwenlongat_private) One of our readers, Wu Wen Long, sent the following tip regarding a way to reset lost passwords. "I discovered a method for using the Spooler service to work around lost passwords on a Windows NT 4.0 Service Pack 5 (SP5) system. By default, the Spooler service starts automatically under the system account. When a user loses a password, log on to the system (you can log on with an account that doesn't have Administrator permissions) and rename spoolss.exe as spoolss.bak and usrmgr.exe as spoolss.exe. Restart the system. User Manager will appear under the system account, so you can modify the user's account, including resetting the username and password." 7. ==== NEW AND IMPROVED ==== (contributed by Scott Firestone, IV, productsat_private) * EXTEND POLICY-BASED SECURITY TO REMOTE USERS InfoExpress released CyberArmor 2.0, a centrally managed firewall suite that includes CyberArmor client, Policy Manager, CyberServer, and CyberConsole to let you extend policy-based security to remote users who access corporate networks. CyberArmor client protects the end-user's PC and notifies users and CyberServer of attacks. Policy Manager creates and manages policies, run-time settings, and automatic updates. CyberServer logs user events and threats into a database. CyberConsole lets you view remote user systems and manage incidents through the database. For pricing, contact InfoExpress at 650-623-0260. http://www.infoexpress.com * FIX SECURITY VULNERABILITIES AND STABILITY PROBLEMS St. Bernard Software released UpdateEXPERT 5.1, automated research, inventory, deployment, and validation software that lets you fix security vulnerabilities and stability problems. The software inventories networked machines and identifies installed OS and application updates. You can research and select updates for applications, and the software remotely deploys and validates the selected updates. For pricing, contact St. Bernard Software at 858-676- 2277 or 800-782-3762. http://www.stbernard.com 8. ==== HOT THREAD ==== * WINDOWS 2000 MAGAZINE ONLINE FORUMS http://www.win2000mag.net/forums Featured Thread: Restricted Desktops (Four messages in this thread) Clint wants to know where he can find good articles on how to manage and restrict Windows 98 user desktops used with a Windows 2000 server. Read more about the question and the responses, or lend a hand at the following URL: http://www.win2000mag.net/forums/rd.cfm?app=64&id=76502 9. ==== CONTACT US ==== Here's how to reach us with your comments and questions: * ABOUT THE COMMENTARY -- markat_private * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please mention the newsletter name in the subject line. * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums * PRODUCT NEWS -- productsat_private * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private ******************** Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters. http://www.win2000mag.net/email |-+-+-+-+-+-+-+-+-+-| Thank you for reading Security UPDATE. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 01:27:07 PDT