[ISN] Security UPDATE, February 13, 2002

From: InfoSec News (isnat_private)
Date: Thu Feb 14 2002 - 01:42:54 PST


    ********************
    Security UPDATE--brought to you by Security Administrator, a print newsletter 
    bringing you practical, how-to articles about securing your Windows .NET, 2000, 
    and NT systems. 
       http://www.secadministrator.com 
    ******************** 
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~ 
    
    Keeping Information Services Afloat
       http://list.winnetmag.com/cgi-bin3/flo?y=eKhf0CJgSH0CBw0qyv0Ap 
    
    Web Filtering Deployment Made Easy
       http://list.winnetmag.com/cgi-bin3/flo?y=eKhf0CJgSH0CBw0qyw0Aq 
       (Below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: KEEPING INFORMATION SERVICES AFLOAT ~~~~
       Wallenius Wilhelmsen Lines is one of the world's largest ocean transportation 
    companies. Needing a reliable backup and disaster recovery product, they chose 
    UltraBac. UltraBac is now responsible for backing up critical Exchange and SQL 
    databases, along with proprietary data generated from applications developed in-
    house. Network Administrator Kevin Whitney said UltraBac is simple to install, 
    operate and administer. The software also allows them to manage their numerous 
    U.S. offices remotely. Unlike their previous solution, UltraBac offers peace of 
    mind when it comes to monitoring locations without IT staff. UltraBac proves 
    again it is the right choice with rock-solid reliability. Download a free live 
    trial
       http://list.winnetmag.com/cgi-bin3/flo?y=eKhf0CJgSH0CBw0qyv0Ap 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    February 13, 2002--In this issue: 
    
    1. IN FOCUS
         - Security Trends and Analysis
    
    2. SECURITY RISKS
         - HP AdvanceStack Switch Management Authentication Bypass
         - Incorrect Remote Registry Access to Microsoft Exchange 2000 
         - Buffer Overflow in Microsoft Telnet 
         - Remote Compromise Vulnerability in Oracle 8 and 9 
         - Information Disclosure in Texis CGI Software
    
    3. ANNOUNCEMENTS
         - If You Like This UPDATE, You'll Love ... WinInfo Daily UPDATE
         - The Industry's Most Popular Magazines Are Live!
    
    4. SECURITY ROUNDUP
         - News: Shavlik Technologies Releases HFNetChkPro 
         - News: CrossTec Announces NetOP Remote Control for XP
         - Opinion: Let's Challenge Linux Security Assumptions
         - Feature: New Win2K Post-SP2 Security Rollup Dos and Don'ts
    
    5. INSTANT POLL
         - Results of Previous Poll: Single or Multiple Forests?
         - Instant Poll: Honeypots
    
    6. HOT RELEASE (ADVERTISEMENT)
         - Sponsored by VeriSign--The Value of Trust
    
    7. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Secure My Wireless Network Connections?
    
    8. NEW AND IMPROVED
         - Learn About Web Security, Privacy, and Commerce
         - Secure VPN and Firewall Solution
    
    9. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Disabling the Start Button
         - HowTo Mailing List
             - Featured Thread: Execute a Batch File on Shutdown
    
    10. CONTACT US 
       See this section for a list of ways to contact us.
     
    ~~~~~~~~~~~~~~~~~~~~ 
    
    1. ==== IN FOCUS ==== 
    
    * SECURITY TRENDS AND ANALYSIS
    
    Hello everyone, 
    
    "Riptech Internet Security Threat Report," an analysis report released at the 
    end of January, reflects trends in security threats against Riptech's customers' 
    networks during the last half of 2001. Riptech based the report on information 
    the company collected from more than 300 of its clients in 25 countries. Those 
    clients work in sectors that include business services, high tech, finance, e-
    commerce, manufacturing, health care, media and entertainment, power and energy, 
    and application service providers (ASPs). 
    
    According to the report, most attacks originated in the United States, South 
    Korea, China, and Germany. However, when Riptech compared the number of Internet 
    users in a given country with the number of attacks launched from that country, 
    it discovered that Israel launches twice as many attacks as any other country, 
    followed by Hong Kong, Thailand, and South Korea. 
    
    The top 10 methods of attack that the report notes include 
    
       - a URL-encoding problem with Microsoft IIS that lets arbitrary commands 
    execute on the server
       - attacks that employ IIS to gain access to the cmd.exe program to execute 
    commands on the server
       - SubSeven Trojan horse insertion, which listens on port 27374 and lets an 
    attacker remotely control a Windows system
       - intrusion against vulnerable or misconfigured FTP servers, often used to 
    store and propagate illegal material
       - attacks against vulnerable remote procedure call (RPC) services
       - attacks against vulnerable versions of Secure Shell (SSH)
       - attacks against vulnerable print services, including Line Printer Daemon (LPD)
    
    The report also says that attacks increased 79 percent between July and December 
    2001. Sixty-one percent of those attacks were attempts by intruders to discover 
    any vulnerability in a given network, while 39 percent of the attacks targeted 
    specific systems or companies. 
    
    An interesting highlight in the report, especially given the threat of cyberwar, 
    is that power and energy companies suffered twice as many severe attacks as any 
    other category of company in the sampled set of data about attacks that came 
    from Middle Eastern countries. In contrast, high-tech and financial firms 
    experienced 55 percent to 70 percent more attacks of Asian origin than any other 
    category of company in the data sample set. Another interesting highlight is 
    that larger companies (more than 500 employees) suffered at least 50 percent 
    more attacks than smaller companies (fewer than 500 employees). In an even more 
    refined perspective, companies with between 500 and 5000 employees are the most 
    frequent targets of intruders. In addition, public companies are attacked twice 
    as often as private companies.
    
    The report is 33 pages and offers information that lends interesting insight 
    into what to expect from intruders in the near future. Be sure to visit 
    Riptech's Web site and download a copy of the report. 
       http://www.riptech.com/securityresources/form9.html
    
    On another note, we're conducting a new poll this week to learn how many of you 
    use a honeypot on your network to distract intruders as well as learn their 
    interests and intrusion methods. Please visit our home page and take the poll.
       http://www.secadministrator.com
    
    Until next time, have a great week. 
    
    Sincerely, 
    Mark Joseph Edwards, News Editor 
    markat_private 
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: WEB FILTERING DEPLOYMENT MADE EASY ~~~~
       Your company's decided it's time for Web filtering. But installing server or 
    client software across a corporate network is yet another headache for IT. With 
    the award-winning iPrism server appliance, software installation, maintenance 
    and interoperability issues vanish. For a reliable solution that helps eliminate 
    the hassles versus adding to them--and for less money than many add-on software 
    solutions--visit us to find out more at: 
       http://list.winnetmag.com/cgi-bin3/flo?y=eKhf0CJgSH0CBw0qyw0Aq 
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ==== 
       (contributed by Ken Pfeil, kenat_private) 
    
    * HP ADVANCESTACK SWITCH MANAGEMENT AUTHENTICATION BYPASS
       Tamer Sahin reported that an access validation vulnerability in 
    Hewlett-Packard's (HP's) J3210A switching hub can let an unprivileged user 
    change the configuration of the device by connecting to the device's 
    switch management URL at http://somehost/security/web_access.html. HP has 
    been notified but hasn't issued a patch.
       http://www.secadministrator.com/articles/index.cfm?articleid=24114
    
    * INCORRECT REMOTE REGISTRY ACCESS TO MICROSOFT EXCHANGE 2000 
       Eitan Caspi reported a vulnerability in Microsoft Exchange 2000 Server that 
    lets an attacker gain remote access to the server configuration information. 
    This vulnerability stems from a flaw in how the Exchange System Attendant sets 
    group privileges, which could give the "Everyone" group inappropriate 
    permissions to the WinReg key. Microsoft has released Security Bulletin MS02-003 
    to address this vulnerability and recommends that affected users apply the patch 
    provided at Microsoft's Download Center.
       http://www.secadministrator.com/articles/index.cfm?articleid=24039
    
    * BUFFER OVERFLOW IN MICROSOFT TELNET
       A buffer-overrun vulnerability in Microsoft Telnet lets an attacker execute 
    arbitrary code on a vulnerable system. This vulnerability stems from an 
    unchecked buffer in the code that processes the Telnet protocol options. 
    Microsoft has released Security Bulletin MS02-004 to address this problem and 
    recommends that affected users apply the appropriate patch provided at 
    Microsoft's Download Center. Users can also find the Windows 2000 fix for this 
    vulnerability in Win2K Security Roll-up Package 1 (SRP1).
       http://www.secadministrator.com/articles/index.cfm?articleid=24040
    
    * REMOTE COMPROMISE VULNERABILITY IN ORACLE 8 AND 9
       David Litchfield discovered a vulnerability in Oracle's Database server 
    versions 8 and 9 for Windows 2000 and Windows NT 4.0. Because the Procedural 
    Language/SQL that runs an external procedure doesn't require authentication, an 
    attacker can connect to the listener/extproc process over TCP and call any 
    function to which the system has access. A more detailed explanation is 
    available in the discoverer's advisory. Oracle is working on a patch to correct 
    this vulnerability. Users can work around this vulnerability by blocking the 
    Transparent Network Substrate (TNS) Listener port (1521) behind a firewall and 
    removing the PLSExtproc functionality, if it's not in use, by removing the 
    entries in the files tnsnames.ora and listener.ora.
       http://www.secadministrator.com/articles/index.cfm?articleid=24026
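
The workaround above names two files to edit and one port to block. The following check is an added example, not code from the newsletter, the discoverer's advisory, or Oracle: it parses listener.ora and tnsnames.ora and lists the extproc entries to remove and the TCP listener ports to put behind the firewall. It assumes the stock layout (a SID_DESC with PROGRAM = extproc, an IPC key beginning with EXTPROC); the sample files, host name, and paths are constructed.

```python
import re
# Constructed sample files in Oracle Net (KEY = value) syntax; host, paths and SIDs are made up.
LISTENER_ORA = r"""
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SID_LIST_LISTENER = (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = C:\oracle\ora81)(PROGRAM = extproc))
    (SID_DESC = (GLOBAL_DBNAME = ORCL)(ORACLE_HOME = C:\oracle\ora81)(SID_NAME = ORCL)))
"""
TNSNAMES_ORA = r"""
EXTPROC_CONNECTION_DATA = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    (CONNECT_DATA = (SID = PLSExtProc)(PRESENTATION = RO)))
ORCL = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = ORCL)))
"""

def _parse_value(tok, i):
    """Return (value, next_index); value is a bare word or a list of (KEY, value) groups."""
    if tok[i] != "(":
        return tok[i], i + 1
    groups = []
    while i < len(tok) and tok[i] == "(":          # "(" KEY "=" value ")"
        value, end = _parse_value(tok, i + 3)
        groups.append((tok[i + 1].upper(), value))
        i = end + 1                                 # step over the closing ")"
    return groups, i

def parse_params(text):
    """Parse `NAME = value` parameters into {NAME: tree}; '#' starts a comment."""
    tok = re.findall(r"[()=]|[^\s()=]+", re.sub(r"#.*", "", text))
    params, i = {}, 0
    while i < len(tok):
        name = tok[i].upper()
        params[name], i = _parse_value(tok, i + 2)
    return params

def find_groups(value, key):
    """Yield each (key = ...) group at any depth as a dict of its scalar children."""
    for k, v in value if isinstance(value, list) else ():
        if k == key and isinstance(v, list):
            yield {ck: cv for ck, cv in v if isinstance(cv, str)}
        yield from find_groups(v, key)

def audit(listener_text, tnsnames_text):
    """Return (kind, parameter, detail) tuples for entries the workaround touches."""
    findings = []
    for name, tree in parse_params(listener_text).items():
        for sd in find_groups(tree, "SID_DESC"):
            if sd.get("PROGRAM", "").lower() == "extproc":
                findings.append(("extproc-sid", name, sd.get("SID_NAME", "?")))
        for ad in find_groups(tree, "ADDRESS"):
            if ad.get("KEY", "").upper().startswith("EXTPROC"):
                findings.append(("extproc-ipc", name, ad["KEY"]))
            elif ad.get("PROTOCOL", "").upper() == "TCP":   # port to keep behind the firewall
                findings.append(("tcp-endpoint", name, ad.get("PORT", "?")))
    extproc_sids = {detail.upper() for kind, _, detail in findings if kind == "extproc-sid"}
    for alias, tree in parse_params(tnsnames_text).items():
        for cd in find_groups(tree, "CONNECT_DATA"):
            if cd.get("SID", "").upper() in extproc_sids:
                findings.append(("extproc-alias", alias, cd["SID"]))
    return findings

print(*audit(LISTENER_ORA, TNSNAMES_ORA), sep="\n")
```

After the extproc entries are removed, only the tcp-endpoint lines should remain; those are the ports to confirm are unreachable from outside the firewall.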
    
    * INFORMATION DISCLOSURE IN TEXIS CGI SOFTWARE
       A person using the alias "phinegeek" reported an information disclosure 
    vulnerability in Thunderstone Software's Texis CGI software. By querying for an 
    invalid path, an attacker can disclose the full path to webroot and, in some 
    cases, reveal information about the host system. Thunderstone has been notified 
    but has not released a response.
       http://www.secadministrator.com/articles/index.cfm?articleid=24027
    
    3. ==== ANNOUNCEMENTS ==== 
    
    * IF YOU LIKE THIS UPDATE, YOU'LL LOVE ... WININFO DAILY UPDATE
       Every day, you can catch up quickly on the latest Windows news (with analysis 
    and commentary from Paul Thurrott) so that you can face your day a little more 
    informed and prepared. It's free, so subscribe today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eKhf0CJgSH0CBw0qvJ0A3 
    
    * THE INDUSTRY'S MOST POPULAR MAGAZINES ARE LIVE!
       Industry-leading magazines join to produce Windows & .NET Magazine LIVE! and 
    SQL Server Magazine LIVE!--two events for the price of one. We have more than 
    100 sessions jam-packed with tips and techniques you need to know to be more 
    successful with your enterprise deployments. Don't miss this chance to interact 
    with tech experts Minasi, Russinovich, Moran, Delaney, and other gurus. Register 
    now before this event sells out!
       http://list.winnetmag.com/cgi-bin3/flo?y=eKhf0CJgSH0CBw0qQl0Az 
    
    4. ==== SECURITY ROUNDUP ==== 
    
    * NEWS: SHAVLIK TECHNOLOGIES RELEASES HFNETCHKPRO 
       Shavlik Technologies has released HFNetChkPro, a tool that checks Microsoft 
    systems for installed and missing hotfixes. The tool is based on Microsoft's 
    Hfnetchk utility, which Shavlik developed, and combines Hfnetchk's GUI with the 
    ability to scan specific machines for the hotfix status of chosen services and 
    software.
       http://www.secadministrator.com/articles/index.cfm?articleid=24015
    
    * NEWS: CROSSTEC ANNOUNCES NETOP REMOTE CONTROL FOR XP 
       CrossTec announced that NetOP Remote Control 7.01 now provides support for 
    Windows XP. NetOP Remote Control provides cross-platform support so that users 
    can remotely control Windows, OS/2, Linux, and MS-DOS systems from any Windows 
    platform, including Windows CE.
       http://www.secadministrator.com/articles/index.cfm?articleid=24014
    
    * OPINION: LET'S CHALLENGE LINUX SECURITY ASSUMPTIONS 
       When a reader forwarded the BugTraq link about OS vulnerabilities last week, 
    Paul Thurrott knew it was fascinating information that he had to discuss in some 
    capacity. But because of incomplete BugTraq 2001 data and some curious 
    disclaimers about skewed results, Thurrott decided it was best to mention the 
    information in his irreverent Short Takes. The item made it into the Slashdot 
    forums, which caused hundreds of responses from a bitter Linux crowd.
       http://www.secadministrator.com/articles/index.cfm?articleid=23985
    
    * FEATURE: NEW WIN2K POST-SP2 SECURITY ROLLUP DOS AND DON'TS
       Microsoft released a comprehensive security update for Windows 2000 post-
    Service Pack 2 (SP2) systems on January 30. Security Rollup Package 1 (SRP1), 
    which you can install only on Win2K SP2 systems, includes every security hotfix 
    Microsoft has issued for post-SP2 systems, except the WWW Distributed Authoring 
    and Versioning (WebDAV) script hotfix. Paula Sharick discusses the dos and 
    don'ts for installing the new service pack.
       http://www.secadministrator.com/articles/index.cfm?articleid=23994
    
    5. ==== INSTANT POLL ==== 
    
    * RESULTS OF PREVIOUS POLL: SINGLE OR MULTIPLE FORESTS?
       The voting has closed in Windows & .NET Magazine's Security Administrator 
    Channel nonscientific Instant Poll for the question, "Do you use a single or 
    multiple forest design, and if you use a single design, will you change to 
    multiple?" Here are the results (+/- 2 percent) from the 162 votes:
      73% 1) Single forest and we won't change
       5% 2) Single forest but changing to multiple
      22% 3) Multiple forests
      
    * INSTANT POLL: HONEYPOTS
       The current Instant Poll question is, "Do you use a honeypot on your 
    network?" The choices are 1) Yes, a freeware package, 2) Yes, a commercial 
    package, or 3) No. Go to the Security Administrator Channel home page and submit 
    your vote.
       http://www.secadministrator.com
    
    6. ==== HOT RELEASE (ADVERTISEMENT) ====
    
    * SPONSORED BY VERISIGN--THE VALUE OF TRUST
       Is your e-business secure? Learn why it's vital to encrypt business 
    transactions, secure intranets and authenticate your Web site with the strongest 
    encryption available--128-bit SSL. Get VeriSign's FREE Guide, "Securing Your Web 
    Site for Business" now: 
       http://list.winnetmag.com/cgi-bin3/flo?y=eKhf0CJgSH0CBw0p5N0A1 
    
    7. ==== SECURITY TOOLKIT ==== 
    
    * VIRUS CENTER 
       Panda Software and the Windows & .NET Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security. 
       http://www.secadministrator.com/panda 
    
    * FAQ: HOW CAN I SECURE MY WIRELESS NETWORK CONNECTIONS?
       ( contributed by Paul Thurrott, http://www.windows2000faq.com )
    
    A. Many wireless networks are automatically set up so that anyone with a 
    wireless card can come by your home or business and use your connection to 
    access your network and the Internet. To ensure that your data is safe and that 
    your network bandwidth isn't compromised from the outside, you can do a couple 
    of simple things. First, make sure your wireless access point isn't broadcasting 
    its Service Set Identifier (SSID), which prevents most cards from even finding 
    your network. Next, harden your network from the outside by hard-coding the 
    media access control (MAC) addresses of your wireless cards into the management 
    software for your access point so that only your machines can use the network. 
    Be sure to use 128-bit encryption, if possible, and if you're using a bridged 
    network with wireless and wired components, keep them separate so that machines 
    on the wireless network can't access resources on the wired one. Also, be sure 
    that you have the latest firmware update for your wireless access point; many 
    companies (e.g., Apple, Linksys) have shipped crucial security updates for their 
    hardware.
    
    8. ==== NEW AND IMPROVED ==== 
       (contributed by Scott Firestone IV, productsat_private) 
    
    * LEARN ABOUT WEB SECURITY, PRIVACY, AND COMMERCE
       O'Reilly released "Web Security, Privacy & Commerce," a book by Simson 
    Garfinkel and Gene Spafford that provides a reference about Web security risks 
    and the techniques and technologies that you can use to protect yourself against 
    these risks. Topics include cryptography, passwords, digital signatures, 
    biometrics, cookies, log files, spam, Web logs, Secure Sockets Layer (SSL), 
    digital payments, client-side signatures, pornography filtering, intellectual 
    property, and legal concerns. The 756-page book costs $44.95. Contact O'Reilly 
    at 800-998-9938.
       http://www.oreilly.com
       http://www.oreilly.com/catalog/websec2
    
    * SECURE VPN AND FIREWALL SOLUTION
       InfoExpress announced that it has joined Alcatel's Technology Partner Program 
    to provide a secure, integrated VPN and firewall solution with Alcatel's Secure 
    VPN Clients to safeguard corporate networks. InfoExpress's enterprise personal 
    firewall, CyberArmor, detects when the Alcatel Secure VPN Client is active and 
    dynamically applies the appropriate customized security policy. Alcatel's VPN 
    Client lets remote and mobile users securely access their corporate networks 
    from anywhere. Contact InfoExpress at 650-623-0260.
       http://www.alcatel.com
       http://www.infoexpress.com
    
    9. ==== HOT THREADS ==== 
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS 
       http://www.winnetmag.net/forums
    
    Featured Thread: Disabling the Start Button
       (Eight messages in this thread)
    
    Gavin knows that he can lock down many Windows NT functions on the Start button, 
    but he wants to know whether he can totally remove the button. All he needs are 
    some icons on the desktop--nothing more. Can you help at the following URL? 
       http://www.secadministrator.com/forums/thread.cfm?thread_id=56048
    
    * HOWTO MAILING LIST 
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 
    
    Featured Thread: Execute a Batch File on Shutdown
       (One message in this thread)
    
    Scott wants to know how to execute a batch file when a Windows 2000 computer 
    shuts down. Can you help? Read the responses or lend a hand at the following 
    URL:
       http://63.88.172.96/listserv/page_listserv.asp?a2=ind0202b&l=howto&p=1236
    
    10. ==== CONTACT US ==== 
       Here's how to reach us with your comments and questions: 
    
    * ABOUT IN FOCUS -- markat_private 
    
    * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 
    
    * PRODUCT NEWS -- productsat_private 
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 
    
    ******************** 
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters. 
       http://www.winnetmag.net/email
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    SUBSCRIBE
    To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private
    
    Copyright 2002, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    


