[ISN] Security UPDATE, March 27, 2002

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 23:06:19 PST

  • Next message: InfoSec News: "[ISN] Critical Eye - Don't Confuse Fans With Pirates"

    ******************** 
    Windows & .NET Magazine Security UPDATE--brought to you by Security 
    Administrator, a print newsletter bringing you practical, how-to 
    articles about securing your Windows .NET Server, Windows 2000, and 
    Windows NT systems. 
       http://www.secadministrator.com 
    ******************** 
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Close the Largest Security Hole in Windows 2000/NT
       http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0gDZ0AI
    
    VeriSign--The Value of Trust
       http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rcb0A7
       (below IN FOCUS) 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: CLOSE THE LARGEST SECURITY HOLE IN WINDOWS 2000/NT ~~~~ 
       After all the security measures taken to make your network 
    impenetrable, there is one liability that could undermine your entire 
    operation. 
       Allowing lax network logon password policies on your network is 
    like giving a stranger the keys to the front door of your home. 
    Strict logon password policy is your first line of defense.
       Password Bouncer delivers stronger password enforcement than 
    Win2K/NT, by preventing users from selecting vulnerable passwords 
    that can be easily guessed or cracked by hackers. Passwords are 
    screened and validated against a 300,000-word English wordlist and 
    a 4,000-word proper name wordlist in addition to highly 
    configurable password rules.
       STOP HACKERS TODAY, DOWNLOAD YOUR FREE TRIAL:
       http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0gDZ0AI
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    March 27, 2002--In this issue: 
    
    1. IN FOCUS 
         - Tin Cans and Wireless LANs
    
    2. ANNOUNCEMENTS
         - Learn from (or Try to Stump) Top Windows Security Pros
         - Protect Your Data. Protect Your Company. 
    
    3. SECURITY ROUNDUP 
         - News: Security Review Delays Crucial .NET Passport Update
         - Feature: Securing Your OS
         - Feature: WS-License Associates Security Credentials with SOAP 
           Messages
    
    4. INSTANT POLL
         - Results of Previous Poll: Latest Viruses and Prevention 
           Techniques
         - New Instant Poll: Written and Enforced Password Policy
    
    5. SECURITY TOOLKIT
         - Virus Center 
         - FAQ: Do Third-Party Products Based on the Microsoft Virus 
           Scanning API (VS API) Scan Email at the Gateway Level?
    
    6. NEW AND IMPROVED
         - Protect Proprietary Information
         - Manage Patches Across Multiple Servers
     
    7. HOT THREAD 
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Security Templates for Win2K
    
    8. CONTACT US 
       See this section for a list of ways to contact us. 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, markat_private) 
    
    * TIN CANS AND WIRELESS LANS
    
    Did you read the recent British Broadcasting Corporation (BBC) news 
    story about "war-driving"? War-driving is the act of driving around 
    with an antenna trying to detect unprotected wireless networks, and a 
    lot of people have been doing just that ever since wireless LAN (WLAN) 
    equipment made its debut. (See "Hacking with a Pringles tube" at the 
    URL below.)
       http://news.bbc.co.uk/hi/english/sci/tech/newsid_1860000/1860241.stm
    
    The story seems to be an attempt to sensationalize the fact that people 
    can make their own antennas with readily available parts, such as 
    standard antenna cable connectors and potato-chip cans, and that those 
    antennas are more sensitive than run-of-the-mill commercial wireless 
    antennas. Because the homemade antennas are more sensitive, they're 
    more capable of finding insecure WLANs that have weaker signals leaking 
    from their various origin points. In addition, you can orient some 
    homemade antennas directionally. The antennas not only pick up signals 
    from and possibly connect to unprotected wireless devices but also help 
    pinpoint where those unsecured LAN devices are relative to the 
    antennas' position. Clearly, intruders might use such antennas to 
    identify and attack companies that don't practice adequate wireless 
    security. 
    
    About a month ago, Gregory Rehm updated his Web site with the latest 
    "802.11b Homebrew Antenna Shootout" data. When you visit the Web site 
    (see the URL below), you'll find that reviewers rated several homemade 
    antennas and one commercial antenna during tests. As it turns out, a 
    waveguide antenna got the best reception. The particular waveguide 
    antenna was made from a small piece of copper wire, a standard antenna 
    cable connector, and a metal can that once held Nalley Big Chunk Beef 
    Stew. No, I'm not kidding. That combination is all you need to make a 
    powerful wireless antenna. Constructed from those basic parts, the 
    waveguide antenna demonstrated a tremendous signal gain over off-the-
    shelf commercial antennas.
       http://www.turnpoint.net/wireless/has.html
    
    So what does this information mean to security administrators? You can 
    use an inexpensive homemade antenna to test the signal leakage 
    parameters of your WLAN and perform leakage tests for others against 
    their WLANs. In addition, if you have LAN-connectivity problems that 
    require wireless equipment to span a distance (e.g., between two 
    buildings), you can build your own antennas and save money. Check out 
    Rehm's Web site, which provides links to information about a half-dozen 
    homemade wireless antennas (including plans) and to Web-based 
    calculators that help you design your own antennas from items such as 
    empty coffee cans from the company break room. 
    
    For background information about WLAN security, be sure to read my 
    commentary "802.11 Wireless Networks: Is Yours Really Safe?"
       http://www.secadministrator.com/articles/index.cfm?articleid=22147
    
    Until next time, have a great week.
    
    Sincerely, 
    Mark Joseph Edwards, News Editor 
    markat_private 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~ 
       Secure all your Web servers now--with a proven 5-part strategy. The 
    FREE Server Security Guide shows you how: DEPLOY THE LATEST ENCRYPTION 
    techniques. DELIVER TRANSPARENT PROTECTION with the strongest security 
    without disrupting users. Get your FREE Guide now:
       http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rcb0A7
       
    ~~~~~~~~~~~~~~~~~~~~ 
    
    2. ==== ANNOUNCEMENTS ==== 
    
    * LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
       The Windows & .NET Magazine LIVE! event brings together industry 
    gurus who take security seriously. Topic coverage includes Microsoft 
    IIS security, deploying public key infrastructure (PKI), designing 
    Group Policies to enhance security, tips for securing Windows 2000 
    networks, security pitfalls (and solutions) for your mobile workforce, 
    and more. Early bird discount expires soon, so register now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rFx0Az
    
    * PROTECT YOUR DATA. PROTECT YOUR COMPANY.
       Find out how by attending SECURITY MATTERS at Internet World Spring 
    2002, April 24 through 26 at the Los Angeles Convention Center, where 
    it's a matter of YOUR security. Internet World is the largest and 
    longest-running event for Internet Business technology! Register for 
    discounted conference packages or FREE exhibit hall admission at (use 
    priority code T26):
       
    http://list.winnetmag.com/cgi-bin3/flo?y=eLKD0CJgSH0CBw0rzX0AL
    
    3. ==== SECURITY ROUNDUP ==== 
    
    * NEWS: SECURITY REVIEW DELAYS CRUCIAL .NET PASSPORT UPDATE
       Microsoft has delayed until early 2003 an updated Microsoft .NET 
    Passport version that the company originally envisioned as the first 
    public step toward its .NET vision. Originally expected in late 2001 
    but delayed several times since then, .NET Passport 3.0 will include 
    the industry-standard Kerberos security standard, possibly paving the 
    way for competing products to integrate with Microsoft's online 
    authentication system.
       http://www.secadministrator.com/articles/index.cfm?articleid=24534
    
    * FEATURE: SECURING YOUR OS
       You probably would agree that transforming an OS into a secure 
    platform isn't a straightforward task. And this task certainly hasn't 
    been easy for Microsoft because of its "ease of use" end-user-oriented 
    OS background. For a while, Microsoft seemed to be searching for the 
    secure OS Holy Grail. The release of Windows 2000 demonstrated 
    Microsoft's significant progress in its security journey. In this 
    article, Jan De Clercq explores how you can make Win2K even more secure 
    by using the OS's built-in hardening features. He also looks at 
    Microsoft and third-party security tools. You can apply most of the 
    tips and tools mentioned in this article to both Win2K servers and 
    workstations.
       http://www.itbuynet.com/pdf/0202-security.pdf
    
    * FEATURE: WS-LICENSE ASSOCIATES SECURITY CREDENTIALS WITH SOAP 
    MESSAGES
       In the March 7, 2002, edition of .NET UPDATE, Christa Anderson 
    discussed how Web Services Security Language (WS-Security) can make 
    Simple Object Access Protocol (SOAP) communications more secure. One 
    aspect of security lies in associating credentials with messages so 
    that a recipient can identify a message's original sender and determine 
    what type of key the recipient needs to decrypt the message. WS-
    Security defines the credentials header, which is a framework for 
    including a license with a SOAP message, but doesn't describe the 
    structure of the license information that the header might contain. The 
    license structure is the bailiwick of Web Services License Language 
    (WS-License).
       http://www.secadministrator.com/articles/index.cfm?articleid=24533
    
    4. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: LATEST VIRUSES AND PREVENTION TECHNIQUES
       The voting has closed in Windows & .NET Magazine's Security 
    Administrator Channel nonscientific Instant Poll for the question, "Is 
    your company proactive in notifying employees about the latest viruses 
    and prevention techniques?" Here are the results (+/- 2 percent) from 
    the 302 votes:
       - 34% Yes
       - 24% Most of the time
       - 20% Sometimes
       - 22% No
    
    * NEW INSTANT POLL: WRITTEN AND ENFORCED PASSWORD POLICY
       The next Instant Poll question is, "Does your organization have a 
    written and enforced password policy?" Go to the Security Administrator 
    Channel home page and submit your vote for a) We have a written password 
    policy, and we enforce it, b) We have a written password policy, but we 
    don't enforce it, or c) We don't have a written password policy.
       http://www.secadministrator.com
    
    5. ==== SECURITY TOOLKIT ==== 
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda 
    
    * FAQ: DO THIRD-PARTY PRODUCTS BASED ON THE MICROSOFT VIRUS-SCANNING 
    API (VS API) SCAN EMAIL AT THE GATEWAY LEVEL?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. No. Antivirus products that use VS API don't scan mail at the 
    perimeter of your network. These products scan only the Information 
    Store (IS). If you want to establish gateway-level scanning, you must 
    invest in a gateway antivirus product.
    
    6. ==== NEW AND IMPROVED ==== 
       (contributed by Carolyn Mascarenas, productsat_private) 
    
    * PROTECT PROPRIETARY INFORMATION
       Griffin Technologies released SecuriKey, a security system that 
    protects your company's proprietary information through two-factor 
    authentication. You plug the SecuriKey USB token into the PC's USB 
    port, and the system will log you on only if you have the right 
    password and SecuriKey token. When you remove the key, the accompanying 
    software senses its absence and automatically locks the computer. 
    SecuriKey runs on Windows XP and Windows 2000 and costs $50 per seat. 
    Contact Griffin Technologies at 785-832-1623 or 800-986-6578. 
       http://www.griftech.com
    
    * MANAGE PATCHES ACROSS MULTIPLE SERVERS
       Shavlik Technologies announced Shavlik EnterpriseInspector and 
    Shavlik HFNetChkPRO AdminSuite, software that helps you scan for 
    network vulnerabilities and keep software patch updates current. 
    Shavlik EnterpriseInspector remotely inspects for vulnerabilities in 
    Microsoft IIS; SQL Server; Windows NT Server 4.0, Terminal Server 
    Edition (WTS); Outlook; Internet Explorer (IE); and domain controllers 
    (DCs). Shavlik HFNetChkPRO AdminSuite lets you scan the network so that 
    you can learn which systems aren't properly protected. Shavlik 
    EnterpriseInspector costs $3123.75 for up to 50 PCs. Shavlik 
    HFNetChkPRO AdminSuite costs $1123.75 for up to 50 PCs. Both products 
    support Windows XP, Windows 2000, NT, SQL Server 2000 and SQL Server 
    7.0, IIS, and Outlook. Contact Shavlik Technologies at 651-426-6624 or 
    800-690-6911. 
       http://www.shavlik.com
    
    7. ==== HOT THREAD ==== 
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS 
       http://www.winnetmag.net/forums 
    
    Featured Thread: Security Templates for Win2K
       (Four messages in this thread)
    
    A user wants to know where he can find security-related templates for 
    Windows 2000 that help define items such as which services to disable 
    and which user rights and permissions to set. In particular, he wonders 
    whether there is a template to build and secure a Microsoft IIS server 
    on Win2K. Can you help? 
       http://www.secadministrator.com/forums/thread.cfm?thread_id=98670
    
    8. ==== CONTACT US ==== 
       Here's how to reach us with your comments and questions: 
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please 
    mention the newsletter name in the subject line) 
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 
    
    * PRODUCT NEWS -- productsat_private 
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
    Support -- securityupdateat_private 
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 
    
    ******************** 
    
       This email newsletter is brought to you by Security Administrator, 
    the print newsletter with independent, impartial advice for IT 
    administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
    today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters. 
       http://www.winnetmag.net/email 
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    
    SUBSCRIBE
    To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 01:58:19 PST