********************
Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

IBM Infrastructure
   http://lists.win2000mag.net/cgi-bin3/flo?y=eHmp0CJgSH0BVg0LBc0AF

Lieberman & Associates
   http://lists.win2000mag.net/cgi-bin3/flo?y=eHmp0CJgSH0BVg0LBd0AG
   (below SECURITY RISKS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: IBM Infrastructure ~~~~

Not worried about hackers? You should be. Because they can put your e-business out of business. If your customers don't feel comfortable dealing with you online, they'll work with someone else. With IBM infrastructure, you'll have the security your company needs to operate effectively and to keep your clients comfortable. Your networks and servers are the backbone of your company. It's time you treated them that way. In today's ever-changing e-environment, keeping network security tight is something that can't be ignored. So is keeping your clients happy. Find out more from our latest security white paper today. Download at:
   http://lists.win2000mag.net/cgi-bin3/flo?y=eHmp0CJgSH0BVg0LBc0AF

********************

September 26, 2001--In this issue:

1. IN FOCUS
   - Nimda Opens Potential for Subsequent Back Doors

2. SECURITY RISKS
   - Relative Path Vulnerability in PI-Soft SpoonFTP
   - Cisco ICDN SSL Vulnerability

3. ANNOUNCEMENTS
   - Check Out the New WebSphere Professional Site!
   - MCP TechMentor--November 20 Through 22, 2001, London

4. INSTANT POLL
   - Results of Previous Poll: Code Red Worms
   - Instant Poll: Nimda Worm

5. SECURITY ROUNDUP
   - News: Microsoft Offers Advice on Nimda Worm
   - Review: Netpulse 2000
   - Review: Desktop Firewalls

6. HOT RELEASE (ADVERTISEMENT)
   - Sponsored by VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
   - Book Highlight: Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Black-Hat Community
   - Virus Center
   - Virus Alert: W32/Vote
   - Virus Alert: W32/Nimda
   - FAQ: What Is the Internet Explorer 6.0 Unsafe-File List?

8. NEW AND IMPROVED
   - Firewall and VPN Appliance
   - Prevent Unauthorized Intrusion

9. HOT THREADS
   - Windows 2000 Magazine Online Forums
   - Featured Thread: FTP Blank Folder Name
   - HowTo Mailing List:
   - Featured Thread: Tools for Trust Relationships

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== COMMENTARY ====

Hello everyone,

Have you recovered from the Nimda worm yet? As you know, the worm spread rapidly, and computer users felt its effects far more heavily across the Internet than they felt the Code Red worm and its subsequent variations. To add insult to injury, Nimda leaves an infected system wide open to anyone who wants to connect--it maps shares and enables the Guest account and makes the account a member of the Administrators group.

Just about every security-related company has released advice, tools, and updates that help remove and prevent the Nimda infection. But as Greg Francis pointed out on our Win2KsecAdvice mailing list on Monday (see URL below), the Computer Emergency Response Team (CERT) is one of the few entities recommending that users perform a clean install of the OS to recover from infection.
   http://126.96.36.199/listserv/win2ks-l.asp?a2=ind0109d&l=win2ksecadvice&P=94

CERT's recommendation stems from the fact that infected systems make their IP addresses known by trying to infect other systems, and wily intruders know this. So during the time when Nimda infected a system, anyone could have connected to that system and inserted back doors or obtained proprietary data from the network.
If you don't have detailed system-auditing in place that tracks all changes so that you can reverse them, you might be wise to completely reinstall the OS to be certain you've reinstated some level of network integrity. You might also want to consider changing usernames and passwords.

Reinstalling OSs and reassigning resources can be a difficult job, especially if the system is a domain controller (DC) or Active Directory (AD) server. It's far easier and cheaper to perform regular system maintenance and stay on top of the latest patches and configuration recommendations so that worms such as Nimda don't infect your systems.

Microsoft has a great Web page (see URL below) full of tools, checklists, and updates that help you make your systems more secure. The Web page contains six checklists, three security updates, and nine tools. The checklists cover Windows NT, Microsoft IIS, and DC configurations; the security updates are for Microsoft Office and Outlook.

The tools on the Web site are incredibly useful. I won't describe each one because you can learn about them at the Web page, but here are the available tools: IIS Lockdown, Microsoft Personal Security Advisory, Cleaner for Code Red II, Improved Cipher Security Tool, Qchain, Security Screen Savers, Windows 2000 Internet Server Security Tool, Security Planning Tool for IIS, and HFNetChk. Be sure to take a look at these resources.
   http://www.microsoft.com/technet/security/tools/tools.asp

As I mentioned last week, Microsoft announced that it has a beta version of HFNetChk 3.2 available for those who want to try the tool before Microsoft releases it (very soon). HFNetChk lets you inspect which hotfixes and patches are installed on any system. The tool works with an XML-based database that Microsoft provides and maintains. You can learn about the current version of HFNetChk in Paula Sharick's review on our Web site (see first URL below), and you can try the beta (see second URL below). Log on with the username HFNetChk and a password of FooBar. But be aware that if Microsoft releases HFNetChk 3.2 this week, the beta will become unavailable. In that event, use the third URL below to obtain the release version.
   http://www.secadministrator.com/articles/index.cfm?articleid=22369
   http://www.betaplace.com
   http://www.microsoft.com/technet/security/tools/hfnetchk.asp

Because HFNetChk inspects system files based on an XML database, you can create XML databases to use with HFNetChk that perform other types of system checks (e.g., checking for the current strain of Nimda infection). Russ Cooper, operator of the NTBugTraq Web site and mailing list, has made an XML file available for HFNetChk that checks a system for Nimda infection. You can learn about Cooper's tool at the URL below. If you already have a copy of HFNetChk, use Cooper's XML database right away by using the following command:

   HFNETCHK -x http://www.ntbugtraq.com/nimdachk.asp

Because Nimda leaves a system wide open, an attacker can use HFNetChk to determine what other security vulnerabilities an infected system might have. Be sure to apply all crucial system updates. You can find a list of updates for Windows 2000 systems at the first URL below and the Microsoft Post-Service Pack 6a (SP6a) Security Rollup Package for Windows NT at the second URL below.
   http://www.microsoft.com/windows2000/downloads/critical/default.asp
   http://support.microsoft.com/support/kb/articles/Q299/4/44.asp

Many sites that are immune to Nimda infection are experiencing network problems from the worm because of the large amount of traffic that infected sites generate. Worms such as Code Red and Nimda show us that lax security on one network quickly becomes the detriment of another network. These worms also show us that users remain unaware of the extreme need to stay on top of security matters daily.

Microsoft has a solution for IIS users that overlook security hotfixes. As you probably learned when you read Tim Huckaby's commentary from the September 25 issue of IIS Administrator UPDATE, the upcoming Microsoft Internet Information Services (IIS) 6.0 is a complete paradigm shift; it provides an infrastructure that installs security hotfixes by default. IIS 6.0 also lets you download hotfixes and apply them automatically as they become available. You can also find the article on our Security Administrator Web site (see URL below). Until next time, have a great week.
   http://www.secadministrator.com/articles/index.cfm?articleid=22673

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, kenat_private)

* RELATIVE PATH VULNERABILITY IN PI-SOFT SPOONFTP
   Joe Testa reported that a vulnerability in Pi-Soft SpoonFTP 1.1 lets an attacker use relative paths to break out of an FTP root directory. The vendor, Pi-Soft Consulting, has released version 188.8.131.52 to fix this problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=22549

* CISCO ICDN SSL VULNERABILITY
   Cisco Systems reported that a vulnerability in its Internet Content Distribution Network (ICDN) can result in authorized access over Secure Sockets Layer (SSL) through cached credentials. The company has issued a notice regarding this vulnerability and recommends that users of ICDN 2.0 upgrade to 2.0.1 through usual support channels. Versions of ICDN prior to 2.0 are not affected because these releases don't use the vulnerable RSA BSAFE SSL-J library.
   http://www.secadministrator.com/articles/index.cfm?articleid=22550

********************

~~~~ SPONSOR: LIEBERMAN & ASSOCIATES ~~~~

GOING TO THE MICROSOFT EXCHANGE CONFERENCE (mec2001)?
Visit Lieberman and Associates at booth 627 next week for hands-on demos of:
   * SERVICE ACCOUNT MANAGER
   * USER MANAGER PRO
   * TASK SCHEDULER PRO
   * SERVER-TO-SERVER PASSWORD SYNCHRONIZER
   * LAN SERVER TO NT/2000 MIGRATION WIZARD
   * INTENSIVE CARE UTILITIES FOR WINDOWS NT
Go to our web site to learn more or contact us for more details.
   FREE TRIALS: http://lists.win2000mag.net/cgi-bin3/flo?y=eHmp0CJgSH0BVg0LBd0AG
   EMAIL: salesat_private
   Phone: 310-550-8575

~~~~~~~~~~~~~~~~~~~~

3. ==== ANNOUNCEMENTS ====

* CHECK OUT THE NEW WEBSPHERE PROFESSIONAL SITE!
   Look to this great new site for invaluable resources, such as our V4 Portal, which brings you fast, in-depth information about V4, the WebSphere Road Map that will help you get started, DocFinder for help finding IBM WebSphere reference materials, and forums for your questions and comments. While there, sign up for FREE email newsletters with news you can use!
   http://www.webspherepro.com

* MCP TECHMENTOR--NOVEMBER 20 Through 22, 2001, LONDON
   MCP TechMentor provides network and certification training for Windows professionals with technical workshops, preparation sessions, and professional development advice specifically designed to make the most of your Windows 2000 education experience. Visit the Web site at http://www.techmentor.co.uk for more details, or call +44 (0) 1483 469088.

4. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: CODE RED WORMS
   The voting has closed in Windows 2000 Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Has your system become infected by the Code Red Worms?" Here are the results (+/-2 percent) from the 1900 votes:
   - 23% Yes
   - 72% No
   -  5% Not sure

* INSTANT POLL: NIMDA WORM
   The current Instant Poll question is, "How has the Nimda worm affected your organization?" Go to the Security Administrator Channel home page and submit your vote for a) Significantly--we've lost days disinfecting systems, b) Somewhat, c) Hardly at all, or d) Not at all.
   http://www.secadministrator.com

5. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT OFFERS ADVICE ON NIMDA WORM
   Microsoft has posted specific information regarding the Nimda worm that details several actions users should take against infected systems. The document includes a list of patches and procedures that users should apply to prevent similar problems in the future.
   http://www.microsoft.com/technet/security/topics/nimda.asp

* REVIEW: NETPULSE 2000
   Labcal Technologies' NetPulse 2000 is a management tool that helps you assess the fundamental security of your systems and apply prepackaged or custom security solutions. The product, which operates in Windows 2000 and Windows NT 4.0 environments, targets well-documented security problems. Although this functionality isn't groundbreaking, Labcal's approach is unique. By designing NetPulse so administrators with basic knowledge can secure their systems with minimal effort, the company has geared NetPulse directly toward small and midsized organizations. However, NetPulse can also operate in large environments. Learn all about it in Sean Porter's review on our Web site!
   http://www.secadministrator.com/articles/index.cfm?articleid=21863

* REVIEW: DESKTOP FIREWALLS
   Desktop firewalls serve a purpose similar to that of a safe in your home. Your home's doors have locks, which are your primary means of intrusion prevention. However, you might also install a safe within your home because locked doors aren't foolproof deterrents. For the most part, you'll spend less money to install and maintain desktop firewalls than you'll spend to recover from an intrusion. The October 2001 issue of Windows 2000 Magazine features a Buyer's Guide that provides an overview of available desktop firewall solutions. You can also find the guide in a PDF file on our Web site. Be sure to check it out!
   http://www.secadministrator.com/articles/index.cfm?articleid=22241

6. ==== HOT RELEASE (ADVERTISEMENT) ====

* SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY
   Secure your servers with 128-bit SSL encryption! Grab your copy of VeriSign's FREE Guide, "Securing Your Web site for Business," and you'll learn everything you need to know about using 128-bit SSL to encrypt your e-commerce transactions, secure your corporate intranets and authenticate your Web sites. 128-bit SSL is serious security for your online business. Get it now!
   http://www.verisign.com/cgi-bin/go.cgi?a=n094449760013000

7. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: KNOW YOUR ENEMY: REVEALING THE SECURITY TOOLS, TACTICS, AND MOTIVES OF THE BLACK-HAT COMMUNITY
   By Lance Spitzner, Honeynet Project
   List Price: $39.99
   Fatbrain Online Price: $31.99
   Softcover; 368 pages
   Published by Addison Wesley Longman, September 2001
   ISBN 0201746131

   For more information or to purchase this book, go to http://lists.win2000mag.net/cgi-bin3/flo?y=eHmp0CJgSH0BVg0LBe0AH and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

Virus Alert: W32/Vote
   A new virus, W32/Vote, is circulating on the Internet. The virus comes in the form of an email with the message subject of "FW: Peace Between America and Islam!" The body of the message reads, "Is it a war against America or Islam? Let's vote to live in peace!" The message also contains a file attachment named wtc.exe, which installs a copy of the virus on the system when the user runs the file. The file then modifies the registry to run the virus each time the user boots the system.
   http://184.108.40.206/panda/index.cfm?fuseaction=virus&virusid=1111

Virus Alert: W32/Nimda
   Nimda is a worm that affects Outlook, Internet Explorer (IE), and Microsoft IIS.
   The worm leaves an infected system wide open to attack and can spread in four ways: Web servers, Web clients, email clients, and disk files.
   http://220.127.116.11/panda/index.cfm?fuseaction=virus&virusid=1110

* FAQ: WHAT IS THE INTERNET EXPLORER 6.0 UNSAFE-FILE LIST?
   (contributed by John Savill, http://www.windows2000faq.com)

   A. Internet Explorer (IE) 6.0 contains a hard-coded list of unsafe file types in the shdocvw.dll file. IE 6.0 uses the unsafe-file list to prevent you from accidentally opening a file type that might cause problems on your computer. The complete list of file types is available on our Web site at the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=22493

8. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, productsat_private)

* FIREWALL AND VPN APPLIANCE
   Symantec released a new version of its VelociRaptor firewall and VPN appliance, which comes in three models. You'll find the 500 model suitable for protecting networks that have as many as 50 nodes. The 700 model features an unlimited node license and can protect networks with speeds as fast as a T3. The 1000 model also features an unlimited node license that users can employ for securing Ethernet-speed networks. For pricing, contact Symantec at 408-517-8000 or 800-745-6054.
   http://www.symantec.com

* PREVENT UNAUTHORIZED INTRUSION
   Smith Micro Systems released CheckIt Firewall, a PC firewall that prevents unauthorized Internet intrusion while controlling outbound communication of personal or sensitive data. You can customize the firewall for specific applications and trusted IP addresses, ports, or protocols. Also, you can specify different security rules for different times. The CheckIt Firewall runs on Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $39.95. Contact Smith Micro Systems at 949-362-5800.
   http://www.smithmicro.com

9. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums

Featured Thread: FTP Blank Folder Name
   (Three messages in this thread)

   Robert has a blank folder that someone created in his public FTP site. He can't delete this folder from a command prompt or Internet Explorer (IE), and the Recovery Console won't let him access the folder. Read more about the question and the responses or lend a hand at the following URL:
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=78747

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Tools for Trust Relationships
   (Four messages in this thread)

   This user is looking for a tool to help him monitor trust relationships between domains. Do you know of a tool that can help? Read the responses or lend a hand at the following URL:
   http://18.104.22.168/listserv/page_listserv.asp?a2=ind0109c&l=howto&p=483

10. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- productsat_private

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private

* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************

Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 06:45:10 PDT