[ISN] Security UPDATE, December 12, 2001

From: InfoSec News (isnat_private)
Date: Thu Dec 13 2001 - 00:51:10 PST


    ********************
    Windows 2000 Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows 2000 and Windows NT systems
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Protect Against the Top 20 Security Threats!
       http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHT0AP
    
    Lieberman & Associates--Shore Up Your Back Doors
       http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHU0AQ
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: PROTECT AGAINST THE TOP 20 SECURITY THREATS! ~~~~
       The SANS group has developed a critical list of the key threats that 
    organizations face today. This list outlines the most common attacks used by 
    hackers and insiders to break in to your systems. Learn about these threats and 
    how to stop them with BindView's definitive white paper, SANS/FBI Top 20 List: 
    How BindView Helps You Get Secure. You can download the white paper from 
    BindView's Web site at http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHT0AP
    
    ********************
    
    December 12, 2001--In this issue:
    
    1. IN FOCUS
         - Monitoring ISPs, Intruders, and Your Network
    
    2. SECURITY RISK
         - OWA Script Execution Vulnerability in Microsoft Exchange Server 5.5
    
    3. ANNOUNCEMENTS
         - Connected Home Magazine--Try It Free!
         - Windows Security 2002 Briefings and Training, February 5 Through 8, 2002
    
    4. SECURITY ROUNDUP
         - News: Amino's Network Diversity
         - News: SonicWALL Announces Next Generation of Security Appliances
         - News: CA Offering Free Vulnerability Assessment to Qualified Companies
         - News: Microsoft Releases Cumulative IE Patch
    
    5. HOT RELEASE (ADVERTISEMENT)
         - Sponsored by VeriSign--The Value of Trust
    
    6. INSTANT POLL
         - Results of Previous Poll: Personal Firewalls
         - Instant Poll: ISP Response
    
    7. SECURITY TOOLKIT
         - Virus Center
         - Correction to Last Week's News About the Goner.A Virus
         - FAQ: How Can I Let Users Search, but Not Browse, AD?
    
    8. NEW AND IMPROVED
         - Attach Your USB Token to Your Key Ring
    
    9. HOT THREADS
         - Windows 2000 Magazine Online Forums
             - Featured Thread: Hiding User Accounts from Hackers
         - HowTo Mailing List
             - Featured Thread: Monitor Third-Party Mail
    
    10. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
    
    * MONITORING ISPS, INTRUDERS, AND YOUR NETWORK
    
    Hello everyone,
    
    I received many responses to last week's commentary about ISPs and the way some 
    of them prioritize revenue above Internet security. Some readers told me about 
    similar horror stories; others asked why I didn't name the ISPs to which I 
    alluded; still others asked what sort of monitoring software I use to track 
    incidents. This week I'll address those questions.
    
    I didn't name the Minnesota-based ISP that failed to respond in a reasonable, 
    timely fashion for several reasons. First and foremost, naming the company 
    might unnecessarily damage its reputation. We all make mistakes--and presumably 
    learn from them. Although I can't be certain, I hope the incident taught the 
    ISP a valuable lesson. If the ISP is intelligent enough to build and operate a 
    complex network, it should also be intelligent enough to realize its mistakes 
    and correct its procedures to ensure that such incidents don't occur again. 
    
    I also mentioned a Colorado-based ISP that did respond admirably when I 
    reported that one of its user's systems seemed to be infected with a malicious 
    worm. The company is Front Range Internet (URL below), and I commend its 
    support staff for a genuine caring attitude and swift actions to fix a serious 
    problem. Kudos to Front Range Internet's entire staff--they're network 
    professionals who deserve attention in good light. 
       http://www.frii.com
    
    As for naming which monitoring software I use: Don't ask me that! It isn't 
    prudent to ask, nor is it prudent for me to tell. The reasons should be 
    obvious. Would you walk into your bank and ask the manager what kind of 
    security system it uses? I doubt it. You would raise too much suspicion. Even 
    if you did ask, I doubt that you'd get an answer because you don't have a need 
    to know that sort of information. The same goes for networks: It's not wise to 
    ask people about their network security systems. 
    
    If you're interested in monitoring packages for various levels of system and 
    network activity, I can point out several things that might help you. First, 
    every good firewall provides considerable logging features that include various 
    levels of tracking and alerting. If you aren't monitoring such logs at regular 
    intervals, you need to start; otherwise, you'll find out after damage has 
    already occurred that someone attacked your network. Some firewalls use their 
    own log files; others send their events to the Windows event log. Several 
    software packages can monitor and consolidate event-log records and deliver 
    alerts to appropriate personnel. I offered tips about some of these products in 
    "Which Software Can Help Monitor Event Logs?" October 2000 (see URL below).
       http://www.secadministrator.com/articles/index.cfm?articleid=15988
    
    Keep in mind that when your log entries indicate that someone is attacking your 
    system, the information might not point to the intruder's true point of origin. 
    Savvy attackers cover their tracks as deeply as they can. An intruder will 
    hijack other people's equipment and launch attacks from those hijacked systems. 
    It's often extremely difficult, if not impossible, to determine an attack's 
    true origin. So be careful when you contact an ISP about intrusion attempts. 
    Don't assume that you know exactly where the intruder originates. Work with the 
    ISP to help make that discovery as accurately as possible.
    
    When someone attacks your system, you might want to know which files or 
    registry keys an intruder accesses as the attack occurs. A great tool that can 
    help you learn this information in realtime is Winternals Software's Monitoring 
    Tools. Monitoring Tools captures and displays file and registry accesses that 
    occur on any Windows system on your network. The product displays results on 
    your local computer and can filter for specific details. Monitoring Tools lets 
    you know which application is accessing your system and logs results to a file 
    for review or offline processing. Be sure to check out this tool and other 
    Winternals Software tools.
       http://www.winternals.com
    
    We're conducting a new poll this week to ask about your experiences with 
    intruders and ISPs: If you've ever caught intruders and reported them to an 
    ISP, did the ISP respond immediately? Please visit our home page and tell us 
    your answer.
       http://www.secadministrator.com
    
    Until next time, have a great week.
    
    Mark Joseph Edwards, News Editor, markat_private
    
    ********************
    
    ~~~~ SPONSOR: LIEBERMAN & ASSOCIATES -- SHORE UP YOUR BACK DOORS ~~~~
       THE NEW YEAR IS KNOCKING! Use your year-end budget dollars for management 
    tools you have always wanted. With Service Account Manager you can report and 
    change service settings on all your servers in seconds. With User Manager Pro 
    you can make the same changes to all your workstations in a few mouse clicks. 
    Get the award winning tools you've been waiting for all year. Year-end 
    discounts through December 31. Microsoft Gold Certified FREE TRIAL at    
    http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHU0AQ
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISK ====
    
    * OWA SCRIPT EXECUTION VULNERABILITY IN MICROSOFT EXCHANGE SERVER 5.5
       WhiteHat Security reported a vulnerability in the Microsoft Exchange Server 
    5.5 Outlook Web Access (OWA) service that lets an attacker take any action on 
    the user's mailbox that the user can take, including deleting, moving, and 
    sending messages. The vulnerability results from a problem in the way that OWA 
    handles inline script messages used in conjunction with Microsoft Internet 
    Explorer (IE). If the user uses OWA to open an HTML message containing a 
    specially formed script, the script executes under the user's security context. 
    Microsoft has released Security Bulletin MS01-057 to address this vulnerability 
    and recommends that affected users apply the patch provided at this URL.
       http://www.secadministrator.com/articles/index.cfm?articleid=23433
    
    3. ==== ANNOUNCEMENTS ====
    
    * CONNECTED HOME MAGAZINE--TRY IT FREE!
       Connected Home Magazine is the new magazine to help you manage all the PCs, 
    devices, and components in your home and in your life. We can show you how to 
    install a home network, tackle home automation, build a home theater system, or 
    integrate your PDA with your PC. Get a free sample of the premiere issue today!
       http://www.connectedhomemag.com/sub.cfm?code=fsei301xup
    
    * WINDOWS SECURITY 2002 BRIEFINGS AND TRAINING, FEBRUARY 5 THROUGH 8, 2002
       Registration and call for papers for the Black Hat Briefing's Windows 
    Security 2002 conference are now open! This is the Windows XP/2000/.NET security 
    event of the year with intensive training sessions! Join 500 experts and 
    "underground" security specialists for briefings, training, and Mardi Gras in 
    New Orleans.
       http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHV0AR
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: AMINO'S NETWORK DIVERSITY
       Amino Communications announced patent-pending technology that might help 
    eliminate the need for encryption. The new technology, called Network 
    Diversity, helps protect sensitive data in transit by breaking up the data 
    packets into fragments smaller than characters or symbols.
       http://www.secadministrator.com/articles/index.cfm?articleid=23420
    
    * NEWS: SONICWALL ANNOUNCES NEXT GENERATION OF SECURITY APPLIANCES
       SonicWALL announced its next generation of Internet security appliances. The 
    new appliances feature the company's CyberSentry security processor, which 
    provides application-specific integrated circuit (ASIC)-based acceleration and 
    high-performance throughput. The appliances include more memory and more 
    concurrent connections than previous versions, bandwidth management, and a 
    serial port for out-of-band (OOB) device management.
       http://www.secadministrator.com/articles/index.cfm?articleid=23422
    
    * NEWS: CA OFFERING FREE VULNERABILITY ASSESSMENT TO QUALIFIED COMPANIES
       Computer Associates (CA) is offering a free remote vulnerability assessment 
    to current CA customers and to other qualified companies until March 31, 2002. 
    Companies with 1000 or more employees might qualify for free assessment at the 
    discretion of a CA security consultant.
       http://www.secadministrator.com/articles/index.cfm?articleid=23423
    
    * NEWS: MICROSOFT RELEASES CUMULATIVE IE PATCH
       Microsoft has released updates for Internet Explorer (IE) 6.0 and IE 5.5 
    Service Pack 2 (SP2) to protect against all known vulnerabilities. The patch 
    includes fixes for two new cookie-related problems that can affect HTML mail 
    messages. 
       http://www.microsoft.com/technet/security/bulletin/ms01-055.asp
    
    5. ==== HOT RELEASE (ADVERTISEMENT) ====
    
    * SPONSORED BY VERISIGN - THE VALUE OF TRUST
       Secure your servers with 128-bit SSL encryption! Grab your copy of 
    VeriSign's FREE Guide, "Securing Your Web site for Business," and learn about 
    using SSL to encrypt e-commerce transactions. Get it now!
       http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0Lo50Av
    
    6. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: PERSONAL FIREWALLS
       The voting has closed in Windows 2000 Magazine Network's Security 
    Administrator Channel nonscientific Instant Poll for the question, 
    "If you use a personal firewall, which one do you use?" Here are the results 
    (+/-2 percent) from the 1906 votes:
      54% a) ZoneAlarm
      15% b) Tiny Personal Firewall
      12% c) Norton Personal Firewall
      20% d) Other
    
    * INSTANT POLL: ISP RESPONSE
       The current Instant Poll question is, "If you caught someone intruding into 
    your network and you reported it to your ISP, did the ISP respond immediately?" 
    a) Yes, b) No. Go to the Security Administrator Channel home page and submit 
    your vote.
       http://www.secadministrator.com 
    
    7. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * CORRECTION TO LAST WEEK'S NEWS ABOUT THE GONER.A VIRUS 
       Last week's Security UPDATE mentioned a new worm, Goner.A, that was spreading 
    rapidly around the Internet. The worm is an executable file with an .scr file 
    extension, not an .exe extension, as we reported.
    
    * FAQ: HOW CAN I LET USERS SEARCH, BUT NOT BROWSE, AD?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. You can use either a policy setting or the registry to configure Active 
    Directory (AD) for browsing. To use the policy-setting method, complete the 
    following steps: 
    
       1. Open Group Policy with Group Policy Editor (GPE). 
       2. Navigate to User Configuration, Administrative Templates, Desktop, AD. 
       3. Double-click "Hide Active Directory folder." 
       4. Select the Policy tab. 
       5. Click Enabled, and click OK. 
       6. Close the policy. 
    
    To use the registry to complete the same task, perform the following steps: 
    
       1. Start a registry editor (e.g., regedit.exe). 
       2. Navigate to the HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft registry 
    subkey. 
       3. If the Windows subkey doesn't exist, click Edit, New, Key to create the 
    subkey. 
       4. Look for "Directory UI" under the Windows subkey, and if it doesn't 
    exist, click Edit, New, Key to create the subkey. 
       5. From the Edit menu, select New, DWORD Value. 
       6. Type HideDirectoryFolder and press Enter. 
       7. Double-click the new value, set it to 1, and click OK. 
       8. Close the registry editor.
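
The registry steps above as a script that can be repeated and checked across accounts. This is an added example, not part of the original FAQ; it uses PowerShell, and the function names are hypothetical. The key path is assembled from steps 2 through 4, and because it sits under HKEY_CURRENT_USER the setting applies only to the account that runs the script.

```powershell
# Added example (not from the newsletter). Key path assembled from steps 2-4 above.
$PolicyKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Directory UI'
$ValueName = 'HideDirectoryFolder'

function Get-HideDirectoryFolderState {
    # Reports Missing, WrongType, Hidden (value is 1) or the unexpected value found.
    if (-not (Test-Path -LiteralPath $PolicyKey)) { return 'Missing' }
    $key = Get-Item -LiteralPath $PolicyKey
    if ($key.GetValueNames() -notcontains $ValueName) { return 'Missing' }
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # A string "1" looks right in a quick glance at regedit but is not the DWORD
        # the steps call for.
        return 'WrongType'
    }
    $current = $key.GetValue($ValueName)
    if ($current -eq 1) { return 'Hidden' }
    return "Value=$current"
}

function Set-HideDirectoryFolder {
    # Steps 3-4: create the Windows and "Directory UI" subkeys only when absent.
    # New-Item -Force on an existing key would recreate it and drop its other values,
    # so the existence test comes first.
    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Steps 5-7: create (or overwrite) the DWORD and set it to 1.
    New-ItemProperty -LiteralPath $PolicyKey -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Record the state before and after so the change can be audited.
$before = Get-HideDirectoryFolderState
Set-HideDirectoryFolder
$after = Get-HideDirectoryFolderState
"HideDirectoryFolder: $before -> $after"
```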
    
    8. ==== NEW AND IMPROVED ====
       (contributed by Scott Firestone, IV, productsat_private)
    
    * ATTACH YOUR USB TOKEN TO YOUR KEY RING
       Griffin Technologies released SecuriKey, a USB-based user-authentication 
    solution for PCs that combines a small, keylike USB device with password 
    protection. The USB token attaches to a key ring and plugs into a PC's USB port 
    or USB hub, which eliminates the need for a special hardware device, other than 
    an available USB port, to authenticate the physical token. For pricing, contact 
    Griffin Technologies at salesat_private or 800-986-6578.
       http://www.griftech.com
    
    9. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: Hiding User Accounts from Hackers
       (Two messages in this thread)
    
    Mark wonders whether there's a registry switch (or some other method) that can 
    prevent intruders from browsing his Windows 2000/NT server for valid user 
    accounts. Can you help? Read the responses or lend a hand at the following URL:
       http://www.secadministrator.com/forums/thread.cfm?thread_id=86281
    
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Monitor Third-Party Mail
       (Three messages in this thread)
    
    Sebastian wonders whether he can monitor the email messages that users send by 
    way of third-party mail servers (e.g., MSN Hotmail, Yahoo!) from within his 
    domain. Can you help? Read the responses or lend a hand at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?a2=ind0112b&l=howto&p=84
    
    10. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters.
       http://www.win2000mag.net/email
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    ISN is currently hosted by Attrition.org
    
    


