********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Punching Holes in Your Network: What Hackers Know
http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rfz0AZ

Scan and Patch Security Holes with UpdateEXPERT
http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rf10AM
(below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: PUNCHING HOLES IN YOUR NETWORK: WHAT HACKERS KNOW ~~~~
Join security expert Scott Blake in a free BindView Webinar "Punching Holes In Your Network: What Hackers Know And You Don't" on April 10 at 11 a.m. CST when he will share an insider look at the secretive computer underground. Drawing from his own extensive experience, as well as both public and private sources, Scott takes a look at the latest trends in hacker activities, revealing the dark side and how it impacts you. Additionally, he will expose the tricks and techniques hackers use to exploit the holes in your systems, your firewalls, and your people. Register at http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rfz0AZ and log on!

~~~~~~~~~~~~~~~~~~~~

March 13, 2002--In this issue:

1. IN FOCUS
   - Keeping Up with the Black Hats

2. SECURITY RISKS
   - Unchecked Buffer in Microsoft Windows Shell
   - Information Disclosure Vulnerability in Microsoft Virtual Machine

3. ANNOUNCEMENTS
   - .NET Developers--Early Bird Discount Expires Soon!
   - Attend Our Free Webinar: Understanding PKI
   - On the Go?

4. SECURITY ROUNDUP
   - News: Center for Internet Security to the Rescue
   - Review: Network Vulnerability Scanners

5. INSTANT POLL
   - Results of Previous Poll: Security Testing Tools
   - Instant Poll: Latest Viruses and Prevention Techniques

6. HOT RELEASE
   - Sponsored by VeriSign--The Value of Trust

7. SECURITY TOOLKIT
   - Virus Center
   - New Tools: Pluto and AuthentProtect
   - FAQ: What's the Recommended Way to Scan for Viruses with Microsoft Exchange 2000 Server?

8. NEW AND IMPROVED
   - Integrated Security Appliance
   - Repair Web Sites That Attackers Have Broken Into

9. HOT THREADS
   - Windows 2000 Magazine Online Forums
       - Featured Thread: Decrypting Hashes Encrypted with Syskey
   - HowTo Mailing List
       - Featured Thread: Win2K/NT User Activity Monitoring

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====

* KEEPING UP WITH THE BLACK HATS

Most certifications demonstrate only that you knew a product or an OS when you passed the exams. However, as new technology emerges and software vendors release updates and new versions, exams can become outdated quickly. My MCSE certification will be 8 years old in June. I had to renew the certification in 1996 and 1997 after Microsoft released Windows NT 4.0, but I didn't start the Windows 2000 renewal process until 2000. I still have one exam to go. By the time I'm finished, almost 5 years will have passed since I earned my NT 4.0 certifications. I need to stay on top of new technology to do my job well, but Microsoft doesn't require me to show that I update my knowledge. In fact, very few certifications demonstrate that you've kept up with changes that have occurred since you passed the tests.

The Global Information Assurance Certification (GIAC) program's stance is that because the black hats are always trying to find new ways into your systems, you don't have the luxury of resting on your laurels. Each GIAC security certification has an expiration period that depends on GIAC's estimation of how quickly the subject area changes, not on the release of new versions of a product. The mandatory renewal period for most GIAC certifications is 2 years.
You have no option to postpone the renewal, and because the renewal requires that you pass new exams, you'll probably start preparing 3 to 6 months before the deadline. This means that GIAC-certified professionals have only about 18 months to admire their GIAC certificates before they must begin to prove themselves again.

The renewal process is straightforward and relatively inexpensive. GIAC charges $120 to take the renewal exam, but that fee also buys you access to the online courseware so that you can learn about what's new and prepare for the exam. And if you're renewing multiple certifications in the same year, you have to pay that fee only once. The GIAC has a "use it or lose it" attitude toward its certifications, but it doesn't make the renewal process so burdensome as to discourage you from maintaining your certifications.

I like the idea of forcing people to prove that they've kept their skills current. The renewal process makes especially good sense for security certifications, but the idea has validity for Microsoft and Cisco Systems certifications too. Both Microsoft and Cisco release patches and service packs regularly, and both companies regularly include additional functionality with service packs. Just a few rounds of service packs and patches can create a significant divide between what you studied for your exams and the current technology.

GIAC appears to have learned a few lessons from Microsoft's mistakes. The process is demanding enough that only dedicated individuals will attempt it; the topics are relevant to the current state of the technology, which should result in direct improvements in the quality of security management; and the maintenance requirements are sufficient to weed out those who are inclined to let their skills slip. I believe we have a new standard in the certification business.

Morris Lewis, Guest UPDATE Editor, morrisat_private

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: SCAN AND PATCH SECURITY HOLES WITH UPDATEEXPERT ~~~~
Do you have a reliable tool to secure your network with the latest updates? UpdateEXPERT is a software patch vulnerability assessment tool that scans your network for missing hotfixes, and FIXES discovered weaknesses for increased network protection. Supporting Windows NT/2000/XP, SQL Server, IE and other mission critical applications, UpdateEXPERT helps enforce software security policies, enables you to scan for patches, validates your installations for peace of mind, and installs updates to all networked machines without an agent.
FREE Live Trial: http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rf10AM

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* UNCHECKED BUFFER IN MICROSOFT WINDOWS SHELL

eEye Digital Security discovered a vulnerability in Windows Shell that lets an attacker arbitrarily execute code under the authorized user's security context. An unchecked buffer exists in one of the functions that help locate incompletely removed applications on the system. As a result, an attacker can mount a buffer-overrun attack that can cause Windows Shell to crash, or the attacker can execute code under the user's security context. Microsoft has released Security Bulletin MS02-014 to address this vulnerability and recommends that affected users immediately apply the appropriate patch as listed in Security Bulletin MS02-014.
http://www.secadministrator.com/articles/index.cfm?articleid=24407

* INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT VIRTUAL MACHINE

Harmen van der Wal discovered a vulnerability in Microsoft Virtual Machine (VM) build 3802 and earlier that can result in unauthorized information disclosure.
As a result of a VM problem, an attacker can use a malicious Java applet to redirect Web traffic, once the Java applet has a proxy server, to a destination of the attacker's choice. An intruder can use this vulnerability to send a user's Internet session to a system under the intruder's control without the user's knowledge. Microsoft has released Security Bulletin MS02-013, which addresses this vulnerability, and recommends that affected users immediately upgrade to build 3805 or later.
http://www.secadministrator.com/articles/index.cfm?articleid=24393

3. ==== ANNOUNCEMENTS ====

* .NET DEVELOPERS--EARLY BIRD DISCOUNT EXPIRES SOON!

Microsoft ASP.NET Connections, VB Connections, and Win-Dev are co-locating their events to deliver the largest independent .NET developer-focused event in 2002. You get three events for the price of one, with more than 145 sessions covering Web development, XML and data management, .NET basics, .NET Web security, Visual Basic (VB) 6.0, C++, C#, and more. Register right now and save $$!
http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rIA0A8

* ATTEND OUR FREE WEBINAR: UNDERSTANDING PKI

Implementing public key infrastructure (PKI) successfully requires an understanding of the technology with all its implications. Attend the latest Webinar from Windows & .NET Magazine and develop the knowledge you need to address this challenging technology and make informed purchasing decisions. We'll also look closely at three possible content-encryption solutions, including PKI. Register for FREE today!
http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rcc0A8

* ON THE GO?

Introducing Windows & .NET Magazine Network Mobile Edition! Now you can get the latest news from WinInfo Daily UPDATE, commentary from respected sources such as Windows & .NET Magazine UPDATE, and important security discoveries and alerts from Security UPDATE--delivered right to your handheld device. Sign up today!
http://www.winnetmag.com/mobile

4. ==== SECURITY ROUNDUP ====

* NEWS: CENTER FOR INTERNET SECURITY TO THE RESCUE

The Center for Internet Security (CIS) is offering free benchmarking tools designed to help users better secure their Windows 2000 systems, Cisco Systems routers, and Sun Microsystems' Solaris systems--the three common points intruders attack. According to CIS, "A key element currently missing in Internet security is useful and widely accepted, non-proprietary, security-enhancing benchmarks specifying in greater detail how systems should be configured and operated."
http://www.secadministrator.com/articles/index.cfm?articleid=24398

* REVIEW: NETWORK VULNERABILITY SCANNERS

From a fairly crowded field of competitors, Tom Iwanski looked at three security-scanner products for scanning heterogeneous networks. The three products are Internet Security Systems' (ISS's) Internet Scanner 6.2, Network Associates' Distributed CyberCop Scanner 2.0 (a new release based on the earlier CyberCop Scanner 5.5), and Symantec's NetRecon 3.5.
http://www.secadministrator.com/articles/index.cfm?articleid=23849

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: SECURITY TESTING TOOLS

The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Microsoft has shown increased interest in the security testing-tools market. If Microsoft entered this market, would you rely on its tools to test the security of your systems and network?" Here are the results (+/- 2 percent) from the 665 votes:

   11%  1) Yes.
   41%  2) Yes, but I'd also use another testing tool.
   48%  3) No.

* INSTANT POLL: LATEST VIRUSES AND PREVENTION TECHNIQUES

The current Instant Poll question is, "Is your company proactive in notifying employees about the latest viruses and prevention techniques?" The choices are 1) Yes, 2) Most of the time, 3) Sometimes, or 4) No. Go to the Security Administrator Channel home page and submit your vote.
http://www.secadministrator.com

6. ==== HOT RELEASE (ADVERTISEMENT) ====

* SPONSORED BY VERISIGN--THE VALUE OF TRUST

Get the strongest server security--128-bit SSL encryption! Download VeriSign's FREE guide, "Securing Your Web Site for Business," and learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here!
http://list.winnetmag.com/cgi-bin3/flo?y=eK7Y0CJgSH0CBw0rYZ0Ao

7. ==== SECURITY TOOLKIT ====

* VIRUS CENTER

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* NEW TOOLS: PLUTO AND AUTHENTPROTECT

You might want to try out two new, free security tools. The first is Astral Security Research's Pluto 1.3.1, a vulnerability scanner that runs on Windows XP, Windows 2000, and Windows NT. Pluto scans a system to determine which ports are open, looks into open ports to see what sort of banner (if any) exists, and audits a variety of services for vulnerabilities. Audited services included FTP, SMTP, Web, Microsoft SQL Server, and NetBIOS. The software also performs brute-force, password-strength testing. Pluto has an interesting UI, runs fast, and is small--a 470Kbps download--but doesn't provide much user help (I had some difficulty with the auditing features). I noticed that the product has a few bugs, but it's a good start. Check it out.
http://www.astralclinic.com/tools.asp

The second free tool is called AuthentProtect 0.7 beta and is an Internet Server API (ISAPI) filter for Microsoft IIS Web servers that prevents authentication against specific configurable-user accounts. The filter prevents outside users from attempting to brute-force access nonremovable user accounts. By default, AuthentProtect guards the Administrator account, but you can use a text file to configure the software to help protect any accounts you choose.
The author makes the filter available with complete source code--a bonus for developers. You can find AuthentProtect at the URL below.
http://bob.firstcodings.com/programs/authentprotect

* FAQ: WHAT'S THE RECOMMENDED WAY TO SCAN FOR VIRUSES WITH MICROSOFT EXCHANGE 2000 SERVER?
(contributed by John Savill, http://www.windows2000faq.com)

A. I recommend that you use a product that supports Exchange 2000's new virus API. Microsoft specifically designed this new API to integrate with third-party antivirus products, including GFI's Mail Security, Panda Software's Panda Antivirus for Exchange 2000, and Trend Micro's ScanMail.

8. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, productsat_private)

* INTEGRATED SECURITY APPLIANCE

Symantec announced Symantec Gateway Security, an integrated security appliance that combines firewall, gateway-level antivirus, intrusion detection, content filtering, and VPN capabilities in one appliance. Symantec offers the appliance in three different models: The 5110 provides a maximum throughput of as much as 40Mbps and a 50-node license; the 5200 provides a maximum throughput of as much as 80Mbps and a 250-node license; and the 5300 provides a maximum throughput of as much as 80Mbps and an unlimited-node license. For pricing, contact Symantec at 408-517-8000.
http://www.symantec.com

* REPAIR WEB SITES THAT ATTACKERS HAVE BROKEN INTO

Lockstep Systems released WebAgain 2.5, software that automatically repairs Web sites that attackers have broken into and restores the original content without your intervention. The software detects unauthorized file additions and destroys them and prevents intruders from illegally hosting and sharing files through your Web site. WebAgain 2.5 costs $995 per monitored Web site. Contact Lockstep Systems at 480-596-9432 or 877-932-3497.
http://www.lockstep.com

9. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: Decrypting Hashes Encrypted with Syskey
(One message in this thread)

This user wonders whether a program exists that can decrypt the Windows 2000 password hashes that have been encrypted with Syskey. He wants to extract those hashes from the SAM file and decrypt them. Can you help? Read more about the problem at the following URL.
http://www.secadministrator.com/forums/thread.cfm?thread_id=97289

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Win2K/NT User Activity Monitoring
(One message in this thread)

This user wants to know how to monitor the programs a given user might be running or the documents a user might have opened, without installing additional software on client systems. Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0202c&l=howto&p=2812

10. ==== CONTACT US ====

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- morrisat_private

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums

* PRODUCT NEWS -- productsat_private

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private

* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.