******************** Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET, 2000, and NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~
Register Today and Get a Free Sybari T-shirt!
http://list.winnetmag.com/cgi-bin3/flo?y=eKKE0CJgSH0CBw0qIj0An
VeriSign--The Value of Trust
http://list.winnetmag.com/cgi-bin3/flo?y=eKKE0CJgSH0CBw0p5N0Ay
(below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: REGISTER TODAY AND GET A FREE SYBARI T-SHIRT! ~~~~
Don't get caught waiting for signature file updates from your single engine provider when the next email virus hits! Administrators can customize Antigen to block email attachments by file name, type, or wild card. Antigen also allows you to enable up to five of the leading virus scan engines to be deployed simultaneously for the most robust pre-emptive protection! Just another way that Antigen keeps you ahead of email virus threats. Call today to register for an Antigen web demonstration with live Q&A at 1-800-239-1095 or visit our Website at
http://list.winnetmag.com/cgi-bin3/flo?y=eKKE0CJgSH0CBw0qIj0An
Register before February 15 and get a free Sybari T-shirt!
~~~~~~~~~~~~~~~~~~~~

January 16, 2002--In this issue:

1. IN FOCUS
- Tools for Your Security Tool Kit

2. SECURITY RISKS
- Multiple Vulnerabilities in Cisco SN 5420 Storage Router
- Disclosure Vulnerability in Netscape Web Publisher
- Cross-Site Scripting Vulnerability in DeleGate Proxy Server
- DoS in BEA WebLogic Server
- Buffer Overflow in AOL AIM
- Directory Traversal Vulnerability in Encrypted FTP
- File Disclosure Vulnerability in AOLserver

3. ANNOUNCEMENTS
- Struggling with IIS and Web Administration?
- If You Like Reading This UPDATE, You'll Love ...

4. SECURITY ROUNDUP
- News: Proof-of-Concept Virus First to Infect MacroMedia Flash Files
- News: Zero-Knowledge Systems Introduces Security and Privacy Tool Suite
- News: National Academy of Sciences: Pay Now or Pay Later

5. INSTANT POLL
- Results of Previous Poll: Hunting Bugs
- Instant Poll: Performing Full Security Audits

6. HOT RELEASE (ADVERTISEMENT)
- St. Bernard's iPrism, When Surfing Isn't Working

7. SECURITY TOOLKIT
- Virus Center
- FAQ: How Can I Avoid Having to Reactivate My Windows XP Installation When I Reinstall the OS on My Machine?

8. NEW AND IMPROVED
- Scan Email Messages for Viruses
- Protect Your Handheld Device from Viruses

9. HOT THREADS
- Windows & .NET Magazine Online Forums - Featured Thread: Locked Accounts
- HowTo Mailing List - Featured Thread: Securing the Administrator Account on Windows 2000

10. CONTACT US
See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====

* TOOLS FOR YOUR SECURITY TOOLKIT

Hello everyone,

Keeping a set of security tools available is helpful in case you need to audit your system security or recover from failures or lost information. Four tools are freely available that help you audit Oracle database servers, analyze packets, recover unknown passwords on Windows 2000 and Windows NT, and test password strength on Macintosh OS X systems.

UK-based PenTest offers scanner.sql, an Oracle database scanner that checks the database system's security. The script performs several tests, including tests against known and easy-to-guess passwords, and determines which users have database administrator privileges. The tool can also determine which users have the "ANY" privilege (which lets a user select any table in the database), which users can grant privileges, which accounts can run jobs from the OS level (external to the database service), and which users have system privileges (such as ALTER SYSTEM, CREATE LIBRARY, and CREATE SESSION). The tool also checks the UTL_FILE parameters for settings that present loose security, checks database links with clear-text passwords, and more. You can learn more about the scanner.sql script at the PenTest Web site.
http://www.pentest-limited.com/download.htm

NGSSoftware now offers a free packet-capture and analysis tool called NGSSniff. The tool runs on Windows XP and Win2K using the raw socket capabilities of the OS or the Microsoft Network Monitor drivers. NGSSniff can also import captured packets from files saved using Network Monitor, so you don't need to install additional drivers. The GUI-based tool offers packet sorting and ASCII text viewing of packet data and can view packets in real time without having to first stop a capture operation. NGSSniff is available as a free download from the NGSSoftware Web site.
http://www.nextgenss.com/products/ngssniff.html

Have you ever lost or forgotten a user password? Several tools are available that can help you in those situations, including Petter Nordahl's Offline NT Password & Registry Editor tool (see the first URL below). Nordahl's tool is available in the form of a floppy boot disk image, which contains a single-floppy version of the Linux OS along with software that resets any valid user's password. The tool works on systems that have Syskey enabled--a nice touch--and you can also use the tool to disable Syskey. If you prefer to use a CD-ROM-based boot image, DMZ Services offers one that contains a mini-Linux boot image and Nordahl's password recovery software (second URL below). DMZ Services offers a shell script that can create the bootable International Organization for Standardization (ISO)-based image and offers an ISO-based file (.iso) that you can burn directly onto a CD-RW using standard CD-RW burning software.
http://home.eunet.no/~pnordahl/ntpasswd
http://www.dmzs.com/tools/files

Do you have an Apple Mac running Mac OS 9.x or the new Mac OS X? If so, you might be pleased to know that a person using the nickname Grungie has released Macintosh Hacker's Workshop, a set of tools that lets you test the strength of user passwords. In addition, the software can extract the General Electric Comprehensive OS (gecos) field information from UNIX-based password files, generate word lists to help guess passwords, and comes with a word-list cleaner that removes words considered invalid as potential passwords from lists. Macintosh Hacker's Workshop is available at Grungie's Web site at the URL below.
http://grungie.code511.com/software_en.html

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
markat_private

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
Is your e-business secure enough? Learn why it's vital to encrypt your business transactions, secure your intranets, and authenticate your Web site with the strongest encryption available--128-bit SSL. To learn more, get VeriSign's FREE Guide, "Securing Your Web Site for Business" now:
http://list.winnetmag.com/cgi-bin3/flo?y=eKKE0CJgSH0CBw0p5N0Ay
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* MULTIPLE VULNERABILITIES IN CISCO SYSTEMS SN 5420 STORAGE ROUTER
Cisco Systems reported three vulnerabilities in its Cisco SN 5420 Storage Router software. With the first problem, an attacker can cause a Denial of Service (DoS) condition and crash the device by sending huge headers in an HTTP request. The second vulnerability lets an intruder cause a DoS condition by sending a fragmented packet over the gigabit interface. The third vulnerability lets an unauthorized person access the stored configuration information. Cisco Systems has issued a notice regarding these vulnerabilities. Cisco Systems recommends that customers obtain a firmware upgrade through Cisco Systems distribution channels.
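The first SN 5420 problem above is a request parser with no upper bound on header size. The Python below is an added example, not Cisco's code, fix or anything from the original newsletter; it shows the defensive shape such a parser should have: fixed limits on the request line, on each header line, on the header count and on the head as a whole, all enforced before any further work is done on the input. The limit values, the exception names and the sample requests are assumptions constructed for the example.

```python
# Bounded parsing of an HTTP request head.
#
# Added illustration, not Cisco's code or a fix for the SN 5420: the limits,
# error types and sample requests below are constructed assumptions.

MAX_REQUEST_LINE = 2048   # bytes allowed in "METHOD target HTTP/x.y" (assumed)
MAX_HEADER_LINE = 4096    # bytes allowed in any one header line (assumed)
MAX_HEADER_COUNT = 50     # header fields allowed per request (assumed)
MAX_HEAD_BYTES = 16384    # total bytes of request line plus headers (assumed)


class RequestTooLarge(ValueError):
    """The request head exceeds one of the configured limits."""


class MalformedRequest(ValueError):
    """The request head is incomplete or syntactically invalid."""


def parse_request_head(data: bytes) -> dict:
    """Parse the request line and header fields at the start of `data`.

    Only the first MAX_HEAD_BYTES bytes are ever examined, so a client that
    keeps sending header bytes cannot make the parser scan, split or store
    more than that; the request is rejected before any per-header work is
    done on the excess.
    """
    window = data[:MAX_HEAD_BYTES + 4]      # +4 leaves room for the final CRLFCRLF
    end = window.find(b"\r\n\r\n")
    if end == -1:
        if len(data) > MAX_HEAD_BYTES:
            raise RequestTooLarge("request head exceeds %d bytes" % MAX_HEAD_BYTES)
        raise MalformedRequest("request head is incomplete")

    lines = window[:end].split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]

    if len(request_line) > MAX_REQUEST_LINE:
        raise RequestTooLarge("request line exceeds %d bytes" % MAX_REQUEST_LINE)
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise MalformedRequest("bad request line")

    if len(header_lines) > MAX_HEADER_COUNT:
        raise RequestTooLarge("more than %d header fields" % MAX_HEADER_COUNT)

    headers = {}
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            raise RequestTooLarge("header line exceeds %d bytes" % MAX_HEADER_LINE)
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise MalformedRequest("bad header line")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("latin-1")

    return {
        "method": parts[0].decode("ascii", "replace"),
        "target": parts[1].decode("ascii", "replace"),
        "version": parts[2].decode("ascii", "replace"),
        "headers": headers,
    }


def classify(data: bytes) -> str:
    """Return 'ok', 'too_large' or 'malformed' for a raw request head."""
    try:
        parse_request_head(data)
    except RequestTooLarge:
        return "too_large"
    except MalformedRequest:
        return "malformed"
    return "ok"


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: router.example\r\n"
                  b"User-Agent: example-client\r\n\r\n")
# One header value of 100,000 bytes: the kind of oversized header the item describes.
HUGE_HEADER_REQUEST = (b"GET / HTTP/1.1\r\n"
                       b"Host: router.example\r\n"
                       b"X-Pad: " + b"A" * 100000 + b"\r\n\r\n")
# Sixty small headers: fine on size, rejected on count.
MANY_HEADERS_REQUEST = (b"GET / HTTP/1.1\r\n"
                        + b"".join(b"X-%d: v\r\n" % i for i in range(60))
                        + b"\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST),
                       ("huge header", HUGE_HEADER_REQUEST),
                       ("many headers", MANY_HEADERS_REQUEST)):
        print("%-13s -> %s" % (label, classify(req)))
```

The point of slicing `data` before searching for the end of the head is that the cost of handling a hostile request is fixed by the server's limits rather than by the client's patience; a server that first reads the whole head and then checks its size has already paid for the oversized input.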
http://www.secadministrator.com/articles/index.cfm?articleid=23729

* DISCLOSURE VULNERABILITY IN NETSCAPE WEB PUBLISHER
Richard Bain discovered a vulnerability in Netscape Enterprise Web Publishing that lets an intruder use a brute-force attack to access usernames and passwords that the system has stored. By using the Web Publishing command "?wp-force-auth" in conjunction with an HTTP GET request that carries an Authorization: Basic header with Base64-encoded usernames and passwords, an attacker can obtain a valid username and password combination from the directory. The vendor, iPlanet, acknowledges this vulnerability and has released a Knowledge Base article regarding the problem. iPlanet further recommends that affected users disable the Web Publishing and Directory Indexing features on externally accessible systems and add the ?wp-force-auth command to Intrusion Detection System (IDS) patterns.
http://www.secadministrator.com/articles/index.cfm?articleid=23730

* CROSS-SITE SCRIPTING VULNERABILITY IN DELEGATE PROXY SERVER
Satoshi Ishizuka and Keigo Yamazaki reported a cross-site scripting vulnerability in the DeleGate proxy server that results in automatic JavaScript code execution in the user's Web browser when a URL produces the error message "403 Forbidden" and the administrator displays his or her own configured error message using the MOUNT option. DeleGate has released version 7.8.0 to correct this problem.
http://www.secadministrator.com/articles/index.cfm?articleid=23708

* DOS IN BEA WEBLOGIC SERVER
Peter Grundl discovered a Denial of Service (DoS) condition in BEA WebLogic Server 6.1. By appending a DOS device request to a .jsp file request, such as "aux.jsp," an attacker can invoke an external compiler with a working thread that never finishes. When the intruder uses 10 or more working threads in this manner, the server will no longer process any more requests, even if the requests are legitimate. BEA released Service Pack 2 (SP2) to correct this problem.
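The WebLogic item above turns on a Windows quirk: a file name whose stem is a reserved DOS device name (AUX, CON, NUL, COM1 and so on) refers to the device whatever extension follows it, so a request for "aux.jsp" hands the compiler a device rather than a file. The Python below is an added example, not BEA's code or BEA's fix; it shows the request-path check that closes this class of input. The function names, the percent-decoding step and the sample paths are assumptions. It goes beyond the single "aux.jsp" case by checking every path component and by refusing ".." components in the same pass.

```python
# Rejecting Windows reserved device names (and parent-directory steps) in
# request paths before they are mapped onto the file system.
#
# Added illustration for the WebLogic item above; not BEA's code or fix. The
# function names, the decoding step and the sample paths are assumptions.
# It covers more than the single "aux.jsp" case: every path component is
# checked, and percent-encoding is undone first so "%61ux.jsp" is caught too.
from typing import Optional
from urllib.parse import unquote

# Names Windows reserves for devices in every directory; any extension
# after them still refers to the device (documented Win32 behaviour).
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + ["COM%d" % n for n in range(1, 10)]
    + ["LPT%d" % n for n in range(1, 10)]
)


def is_reserved_device_name(component: str) -> bool:
    """True if `component` would open a DOS device on Windows.

    Windows compares the text before the first '.' case-insensitively and
    ignores trailing spaces and dots, so "AUX", "aux.jsp" and "Aux .txt"
    all resolve to the AUX device, while "auxiliary.jsp" and "COM10" do not.
    """
    stem = component.split(".", 1)[0].rstrip(" .")
    return stem.upper() in RESERVED_DEVICE_NAMES


def check_request_path(path: str) -> Optional[str]:
    """Return None if the URL path is acceptable, else a short rejection reason.

    Backslashes are treated as separators because Windows accepts them, and
    ".." components are refused so the same pass also blocks directory
    traversal. Run this on the decoded path before touching the file system.
    """
    decoded = unquote(path).replace("\\", "/")
    for component in decoded.split("/"):
        if component in ("", "."):
            continue
        if component == "..":
            return "parent-directory component"
        if is_reserved_device_name(component):
            return "reserved device name: %s" % component
    return None


# Constructed sample paths, not requests from any real log.
SAMPLE_PATHS = [
    "/index.jsp",
    "/aux.jsp",
    "/docs/COM1",
    "/docs/%61ux.jsp",
    "/docs\\..\\config.txt",
    "/auxiliary.jsp",
    "/com10.jsp",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("%-24s -> %s" % (p, check_request_path(p) or "accepted"))
```

Decoding before checking matters: a check that runs on the raw URL sees "%61ux.jsp" as harmless, while the file system eventually sees "aux.jsp". The check belongs at the point where the path is about to be handed to the OS, after every transformation the server applies.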
http://www.secadministrator.com/articles/index.cfm?articleid=23709

* BUFFER OVERFLOW IN AOL AIM
Matt Conover of w00w00 Security Development reported a buffer overflow in AOL Instant Messenger (AIM) that an attacker can use to remotely execute commands on the vulnerable system. A buffer overrun condition in the code used to parse game requests causes this vulnerability. Users can find details about this vulnerability on the discoverer's Web site. AOL has patched its servers to correct this vulnerability: the servers now parse overly long game requests themselves, so the vulnerability no longer triggers the overflow on the AIM client.
http://www.secadministrator.com/articles/index.cfm?articleid=23701

* DIRECTORY TRAVERSAL VULNERABILITY IN ENCRYPTED FTP
Ertan Kurt discovered a vulnerability in Encrypted FTP 2.0.8.346 that an attacker can use to break out of his or her home directory and see the contents of every drive and directory on the vulnerable host. Issuing the command "CWD .." and then "CWD \" changes the current directory to the root drive. However, the attacker has to follow the procedure listed above if he or she wants to change the working directory to list another directory's content. The vendor, Encrypted FTP, has issued release 2.0.8.348, which corrects this vulnerability.
http://www.secadministrator.com/articles/index.cfm?articleid=23705

* FILE DISCLOSURE VULNERABILITY IN AOLSERVER
Tamer Sahin of Security Office reports that because of a vulnerability in AOLserver 3.4.2 for Windows, an attacker can gain read access to known files residing on an AOLserver host. AOL is aware of the problem but hasn't issued a patch.
http://www.secadministrator.com/articles/index.cfm?articleid=23706

3. ==== ANNOUNCEMENTS ====

* STRUGGLING WITH IIS AND WEB ADMINISTRATION?
Discover Windows Web Solutions (formerly IIS Administrator), the monthly, in-depth print newsletter that helps you manage the security, performance, and maintenance concerns Web site administrators deal with every day. Subscribe today!
http://www.windowswebsolutions.com/sub.cfm?code=niei242xup

* IF YOU LIKE READING THIS UPDATE, YOU'LL LOVE ...
Windows & .NET Magazine UPDATE. Every Tuesday, we deliver news, commentary, and tips so that, in about 5 minutes, you can catch up on the latest Windows industry happenings, learn a new skill, and face your day a little more informed. It's free, so subscribe today!
http://www.winnetmag.com/email/index.cfm?id=1

4. ==== SECURITY ROUNDUP ====

* NEWS: PROOF-OF-CONCEPT VIRUS FIRST TO INFECT MACROMEDIA FLASH FILES
Sophos Antivirus discovered a proof-of-concept virus that infects Macromedia Flash files. Flash files offer speedy graphic animation rendition on multimedia Web sites. The virus, called SMF/LMF-926, is the first of its kind to infect Flash files.
http://www.secadministrator.com/articles/index.cfm?articleid=23724

* NEWS: ZERO-KNOWLEDGE SYSTEMS INTRODUCES SECURITY AND PRIVACY TOOL SUITE
Zero-Knowledge Systems introduced a new suite of security tools under its Freedom software series. The Freedom Security and Privacy Suite includes Freedom Personal Firewall 3.1, Freedom Parental Control 3.1, and Freedom Privacy Protection 3.1.
http://www.secadministrator.com/articles/index.cfm?articleid=23723

* NEWS: NATIONAL ACADEMY OF SCIENCES: PAY NOW OR PAY LATER
The National Academy of Sciences (NAS) released a prepublication issue of a new report entitled "Cybersecurity Today and Tomorrow: Pay Now or Pay Later." The report is a collection of excerpts from cyberspace security reports published between 1990 and 2000. According to NAS, the academy is publishing the report because the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) examined aspects of computer security since the September 11 attack and decided that previously published reports remain relevant.
http://www.secadministrator.com/articles/index.cfm?articleid=23726

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: HUNTING BUGS
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Should Microsoft continue to hunt bugs alone, contract with bug hunters, or release source code for public bug-hunting efforts?" Here are the results (+/- 2 percent) from the 772 votes:
 3% 1) Continue to do it alone
44% 2) Contract with bug hunters to assist
10% 3) Release source code for public efforts
43% 4) Answers 2 and 3 above

* INSTANT POLL: PERFORMING FULL SECURITY AUDITS
The current Instant Poll question is, "How often does your organization perform full security audits?" The choices are 1) Every 3 months or more often, 2) Every 3 to 6 months, 3) Every 6 months to a year, or 4) Rarely or after a significant breach. Go to the Security Administrator Channel home page and submit your vote.
http://www.secadministrator.com

6. ==== HOT RELEASE (ADVERTISEMENT) ====

* ST. BERNARD'S iPRISM, WHEN SURFING ISN'T WORKING
The cost of running your IT department is on the rise due to Internet abuse. iPrism, PC Magazine's Editors' Choice winner, can help. Not sure whether Web abuse is a problem? Download our sample monitoring tool.
http://list.winnetmag.com/cgi-bin3/flo?y=eKKE0CJgSH0CBw0pE60Aq

7. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I AVOID HAVING TO REACTIVATE MY WINDOWS XP INSTALLATION WHEN I REINSTALL THE OS ON MY MACHINE?
(contributed by John Savill, http://www.windows2000faq.com)

A. If you plan to reinstall XP on the same hardware, you can back up the activation status and restore it after you reinstall the OS. To save the activation status, back up the wpa.dbl file from the %systemroot%\system32 folder to a disk or other location. After you reinstall the OS, follow these steps:

1. Start your XP installation in Minimal Safe mode.
2. Move to the %systemroot%\system32 folder.
3. Rename wpa.dbl to wpa.noact.
4. Copy your backed-up wpa.dbl file to the system32 folder.
5. Reboot your system as usual.

This procedure isn't a hack to avoid activating installations and will work only on the same hardware for an XP installation that you've already activated.

8. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, productsat_private)

* SCAN EMAIL MESSAGES FOR VIRUSES
Panda Software announced the US release of Panda Antivirus for Exchange 2000, security software that is compatible with Microsoft's new Virus Scanning Application Programming Interface 2.0 (VSAPI). The software scans message bodies and attached files to detect and remove viruses in HTML, RTFHTML, RTF, or plain text. The software optimizes the load of the Exchange server through the use of AutoTuning technology, which automatically adjusts the performance of the antivirus software to the mail server processes. For pricing, contact Panda Software at 818-543-6901 or 800-603-4922.
http://www.pandasecurity.com

* PROTECT YOUR HANDHELD DEVICE FROM VIRUSES
Symantec released Symantec AntiVirus 2002 for Palm OS, antivirus software adapted and optimized for handheld devices. The AutoProtect feature runs unobtrusively and protects your device from viruses before the code can infect your device.
The software protects the device when you open an application, transmit files, navigate the Internet, or synchronize data with a PC. Symantec AntiVirus 2002 for Palm OS costs $39.95 and is available as a download from Symantec. Contact Symantec at 408-517-8000.
http://www.symantec.com

9. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: Locked Accounts
(Two messages in this thread)
Eli is running Windows 2000 Active Directory (AD) in mixed mode. Sometimes his users' accounts become locked by causes other than exceeded failed password attempts or mistyped usernames. He sees Event IDs 681 and 539 in the Security log many times, and the events might register as fast as three to four times per second, with the events pointing to the relevant user's machine. Can you help Eli determine why this occurs? Read more about the problem or lend a helping hand at the following URL:
http://www.secadministrator.com/forums/thread.cfm?thread_id=87687

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Securing the Administrator Account on Windows 2000
(Seven messages in this thread)
Roger has seen suggestions stating that when setting up a Win2K domain, he should secure the default Administrator account with a strong password and remove the account from all its default groups. He has also read that he should use another account instead of the Administrator account--an account with appropriate privileges--to administer the domain. Is this the best approach? If so, is there a simple utility that Roger can use to configure the Administrator account and other administrative accounts so that he doesn't overlook anything in the process? Can you help? Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0201b&l=howto&p=445
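For the Locked Accounts thread above, the Python below shows how to confirm from the Security log whether the lockouts arrive in bursts from a single machine, which is what a rate of three to four events per second suggests. It is an added example, not from the thread or from Microsoft; the log lines are a constructed, simplified rendering of 681 and 539 entries rather than the real event text, and the per-second threshold is an assumption taken from the rate the thread reports.

```python
# Finding lockout storms in Windows 2000 Security log entries.
#
# Added example for the Locked Accounts thread above; it is neither from the
# thread nor from Microsoft. The entries below are a constructed, simplified
# rendering (timestamp, event ID, account, workstation), not the real event
# text, and the 3-per-second threshold is an assumption taken from the rate
# the thread reports. Event 681 is a failed logon through the NTLM
# authentication package and 539 is "logon failure: account locked out".
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample entries: "<timestamp> <event id> user=<account> ws=<workstation>".
SAMPLE_LOG = """\
2002-01-15 09:12:01.120 681 user=eli ws=DESK-ELI
2002-01-15 09:12:01.310 681 user=eli ws=DESK-ELI
2002-01-15 09:12:01.590 681 user=eli ws=DESK-ELI
2002-01-15 09:12:01.870 681 user=eli ws=DESK-ELI
2002-01-15 09:12:02.050 539 user=eli ws=DESK-ELI
2002-01-15 09:12:02.240 539 user=eli ws=DESK-ELI
2002-01-15 09:12:02.470 539 user=eli ws=DESK-ELI
2002-01-15 09:40:12.000 681 user=dana ws=DESK-DANA
2002-01-15 09:40:40.000 681 user=dana ws=DESK-DANA
2002-01-15 10:01:00.000 528 user=sam ws=DESK-SAM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<event>\d+) "
    r"user=(?P<user>\S+) ws=(?P<ws>\S+)$"
)
LOGON_FAILURE_EVENTS = {681, 539}   # the IDs named in the thread


def parse_entries(text):
    """Yield (timestamp, event_id, user, workstation) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:          # ignore lines that do not fit the constructed format
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
               int(m["event"]), m["user"], m["ws"])


def failures_by_workstation(text):
    """Count 681/539 events per workstation: the first view to take when
    accounts lock without anyone mistyping a password."""
    counts = Counter()
    for _, event, _, ws in parse_entries(text):
        if event in LOGON_FAILURE_EVENTS:
            counts[ws] += 1
    return counts


def find_lockout_storms(text, per_second_threshold=3):
    """Return {(user, workstation): peak failures within one second} for every
    source whose burst rate reaches the threshold.

    Something retrying automatically on one machine typically produces
    several failures a second; a person typing a wrong password does not.
    """
    buckets = defaultdict(Counter)      # (user, ws) -> {second: count}
    for ts, event, user, ws in parse_entries(text):
        if event in LOGON_FAILURE_EVENTS:
            buckets[(user, ws)][ts.replace(microsecond=0)] += 1
    storms = {}
    for key, per_second in buckets.items():
        peak = max(per_second.values())
        if peak >= per_second_threshold:
            storms[key] = peak
    return storms


if __name__ == "__main__":
    print("failures per workstation:", dict(failures_by_workstation(SAMPLE_LOG)))
    for (user, ws), peak in find_lockout_storms(SAMPLE_LOG).items():
        print("lockout storm: %s from %s, %d failures in one second" % (user, ws, peak))
```

Bucketing by whole second and keeping the peak per (account, workstation) pair separates a burst from one client, which is what the thread describes, from a handful of genuine mistypes spread over a morning; the workstation named in the event is then the place to look for whatever is presenting the credential.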
10. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.

This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 16:32:06 PST