[ISN] Security UPDATE, April 3, 2002

From: InfoSec News (isnat_private)
Date: Wed Apr 03 2002 - 23:26:29 PST

    ******************** 
    Windows & .NET Magazine Security UPDATE--brought to you by Security 
    Administrator, a print newsletter bringing you practical, how-to 
    articles about securing your Windows .NET Server, Windows 2000, and 
    Windows NT systems. 
       http://www.secadministrator.com 
    ******************** 
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    "Tee-Off" at Tech·Ed with Sybari Software 
       http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0r830Aw
    
    Windows & .NET Magazine Network UPDATE Newsletters
       http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0rvS0AW
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: "TEE-OFF" AT TECH·ED WITH SYBARI SOFTWARE ~~~~ 
       Don't get caught waiting for signature file updates from your single 
    engine provider when the next email virus hits! Visit Sybari's booth 
    (#619) at Tech Ed and learn how Antigen lets you deploy up to six of 
    the leading virus scan engine technologies for the most comprehensive 
    virus scanning on the market today. Antigen also delivers advanced 
    content management capabilities including subject line, sender, and 
    domain filtering. Don't forget to play Sybari's "Putt and Win" game at 
    Tech Ed and enter to win a Ping Putter. Not going to Tech Ed? Attend an 
    Antigen web demo by May 1st and get a free Sybari t-shirt. 
       Register at http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0r830Aw
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    April 3, 2002--In this issue: 
    
    1. IN FOCUS 
         - Abundant Resources for Security Best Practices
     
    2. SECURITY RISKS
         - Memory Leak Vulnerability in Cisco Systems' CallManager 3.1
         - Script Execution Vulnerabilities in Microsoft IE
    
    3. ANNOUNCEMENTS
         - Sign Up for Free UPDATEs and Enter to Win a Palm Handheld!
         - Find the Right Training Tool for You! 
    
    4. SECURITY ROUNDUP
         - News: Survey Says Web Sites Are Now Less Intrusive
         - News: More Outlook Security Problems
         - Feature: WS-Security Sets Standard for Web Services Transactions
    
    5. SECURITY TOOLKIT
         - Virus Center
               Virus Alert: W32/MyLife.B
         - FAQ: What Advantages Do Offline Backups and Image Backups Have 
           over Online Backups?
    
    6. NEW AND IMPROVED
         - Learn About Web Security, Privacy, and Commerce
         - Restrict File and Folder Access
    
    7. HOT THREADS 
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Anonymous Access
         - HowTo Mailing List
             - Featured Thread: How to Hide Dial-up Properties
    
    8. CONTACT US 
       See this section for a list of ways to contact us. 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, markat_private) 
    
    * ABUNDANT RESOURCES FOR SECURITY BEST PRACTICES
    
    Have you visited Microsoft TechNet's Security Best Practices Web site 
    recently? In January, just two documents were posted to the site. 
    However, when I revisited the site (see the URL below), I found that 
    since mid-March, Microsoft has assembled more than two dozen additional 
    items from both in-house and outside sources. Currently, the site offers 
    29 links that lead to individual resources that include white papers, 
    interviews, articles, checklists, and links to other useful sites. 
       http://www.microsoft.com/technet/security/bestprac
    
    Let me give you a brief overview of what the site offers. You'll find 
    information about topics such as preventing Denial of Service (DoS) 
    attacks, effective security monitoring, TCP/IP security, and security 
    strategies. For example, "Best Practices for Preventing DoS/Denial of 
    Service Attacks," by Michael Cretzman and Todd Weeks, lists 10 best 
    practices for preventing such attacks based on information drawn from 
    actual attacks that several companies experienced. The article includes 
    advice about system configuration and suggests several registry 
    adjustments that can help minimize the effects of DoS attacks. Another 
    article available through the site, "Distributed Denial-of-Service 
    Attacks and You," by Paul Robichaux, describes the nature of 
    distributed attacks and lists various ways you can protect your network 
    from them. The latter article includes links to other Web sites that 
    have additional related information.
    
    Both the TCP/IP article and the security strategy article are chapters 
    from popular and respected books. "TCP/IP from a Security Viewpoint," 
    Chapter 3 of "Firewalls, 24 seven" (Sybex), by Matthew Strebe and 
    Charles Perkins, offers an in-depth discussion about how TCP/IP packets 
    are structured and how various protocols move traffic in and out of 
    your network. "For Strategists," Chapter 11 of "Intrusion Detection" 
    (MacMillan Technical Publishing), by Rebecca Gurley Bace, provides a 
    roadmap for people charged with improving security in their 
    organizations. It offers good advice about developing your security 
    strategies and suggests specific questions to ask solution vendors. 
    This Web site draws information from other books as well. 
    
    The Best Security Practices Web site resources also include information 
    about managing Microsoft IIS Web services, an interview with Dr. 
    William Stallings (a popular engineer and consultant) about 
    cryptography, and best practices for managing service packs and 
    hotfixes. "Manage Security of Your Windows IIS Web Services," from 
    Microsoft Consulting Services Web Server Best Practices, offers advice 
    about how to bring rogue systems under management to help prevent 
    security problems such as virus infections. The Stallings interview 
    covers topics such as assessing security needs, open-standard 
    encryption algorithms, the inner workings of firewalls, what intruders 
    look for, and intrusion detection. 
    
    As you know, managing service packs and hotfixes is a hot topic. During 
    the last month and a half, Microsoft has released more than a dozen 
    security bulletins. Keeping up with all the patches (and service pack 
    releases, which are less frequent) is a tough job indeed, especially 
    for those who administer large networks. The Microsoft article "Best 
    Practices for Applying Service Packs, Hotfixes, and Security Patches," 
    by Rick Rosato, outlines various steps to take before, during, and 
    after installation. The article recommends that you apply all changes 
    in a test environment and be prepared to uninstall in case the systems 
    in your environment behave unexpectedly. The document also stresses the 
    need for revision consistency, especially with domain controllers 
    (DCs), and recommends that noncritical systems be updated first. 
    
    Overall, the Web site offers abundant resources that you might not be 
    aware of. Be sure to stop by the site and take a look. The site can 
    help raise your awareness about various aspects of security and help 
    you increase the overall security of your entire enterprise. 
    
    Until next time, have a great week.
    
    Sincerely,
    Mark Joseph Edwards, News Editor
    markat_private
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: WINDOWS & .NET MAGAZINE NETWORK UPDATE NEWSLETTERS ~~~~ 
       * SIGN UP FOR FREE UPDATES AND ENTER TO WIN A PALM HANDHELD!
       UPDATE email newsletters are designed to help busy IT professionals 
    just like you stay on top of the latest Windows enterprise news and 
    developments. We distill what's really important in the world of IT in 
    a concise and independent voice. Sign up for FREE today and you'll be 
    entered to win a Palm handheld!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0rvS0AW
       
    ~~~~~~~~~~~~~~~~~~~~ 
    
    2. ==== SECURITY RISKS ==== 
    
    * MEMORY LEAK VULNERABILITY IN CISCO SYSTEMS' CALLMANAGER 3.1
       When a user logs on to his or her account through the IMail Server 
    Web interface, the application uses a unique URL to maintain the 
    session authentication. A vulnerability in Cisco Systems' CallManager 
    3.1 can cause a memory leak in the computer telephony integration (CTI) 
    framework authentication. This memory leak can cause the server to 
    crash and reload. An attacker can exploit this vulnerability to create 
    a Denial of Service (DoS) condition.
       http://www.secadministrator.com/articles/index.cfm?articleid=24641
    
    * SCRIPT EXECUTION VULNERABILITIES IN MICROSOFT IE
       Andreas Sandblad discovered two vulnerabilities in Microsoft 
    Internet Explorer (IE), one of which can lead to script execution in 
    the Local Computer Zone. The first vulnerability involves a flaw in the 
    way IE handles object tags that lets an attacker invoke an executable 
    already present on the vulnerable system. The second vulnerability 
    targets IE's zone-determination function. By embedding an HTML script 
    within a cookie, an attacker can execute a script on the vulnerable 
    computer.
       http://www.secadministrator.com/articles/index.cfm?articleid=24651
    
    3. ==== ANNOUNCEMENTS ==== 
    
    * SIGN UP FOR FREE UPDATES AND ENTER TO WIN A PALM HANDHELD!
       UPDATE email newsletters are designed to help busy IT professionals 
    just like you stay on top of the latest Windows enterprise news and 
    developments. We distill what's really important in the world of IT in 
    a concise and independent voice. Sign up for FREE today and you'll be 
    entered to win a Palm handheld! 
       http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0rvS0AW
    
    * FIND THE RIGHT TRAINING TOOL FOR YOU!
       The Windows & .NET Magazine Training and Certification Interactive 
    Product Guide is an online resource where you'll discover boot camps, 
    test simulators, and other resources to help you get certified. Whether 
    you're studying for your MCSE exams, trying to strengthen your resume, 
    or just learning a new skill set, you'll definitely want to check this 
    guide out!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0r5p0Au
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: SURVEY SAYS WEB SITES ARE NOW LESS INTRUSIVE
       The Progress & Freedom Foundation (PFF) published a new survey that 
    shows that fewer Web sites are collecting users' personal information. 
    The study indicates that only 84 percent of the 100 most popular Web 
    sites collect personal information; in 2000, 96 percent collected 
    personal information. In addition, only 48 percent of the 100 most 
    popular Web sites use cookies to track users' surfing habits, compared 
    with 78 percent that used cookies in 2000. Read more about the new 
    survey results at the URL below. 
       http://www.secadministrator.com/articles/index.cfm?articleid=24642
    
    * NEWS: MORE OUTLOOK SECURITY PROBLEMS
       As we approach the 2-year anniversary of the VBS.LoveLetter virus 
    outbreak, which catapulted Microsoft Outlook into the headlines, 
    security problems continue to surface. Internet security and privacy 
    expert Richard M. Smith posted a note to the Windows NTBugtraq mailing 
    list that cited four problems with Outlook 2002--two security problems, 
    one privacy problem, and one case of mixed messages from Microsoft--
    that Smith says probably affect earlier Outlook versions as well.
       http://www.secadministrator.com/articles/index.cfm?articleid=24618
    
    * FEATURE: WS-SECURITY SETS STANDARD FOR WEB SERVICES TRANSACTIONS
       The three core pieces of Microsoft's XML Web services--Simple Object 
    Access Protocol (SOAP), Web Services Description Language (WSDL), and 
    Universal Description, Discovery, and Integration (UDDI)--form the 
    foundation of Microsoft's approach to the .NET platform, but they don't 
    represent the whole picture. To add greater security and better routing 
    and lookup abilities to Web services, Microsoft is developing five 
    other XML-based specifications. Read this article to learn more. 
       http://www.secadministrator.com/articles/index.cfm?articleid=24401
    
    5. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed 
    to bring you the Center for Virus Control. Visit the site often to 
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * VIRUS ALERT: W32/MYLIFE.B
       W32/MyLife.B is a mass-mailing worm that arrives in a compressed 
    format in a user's inbox as an email message with another email message 
    attached. In reality, the attachment is a compressed program that 
    executes when the user attempts to open the attachment. Once it 
    executes, the worm attempts to delete all files on the user's C, D, E, 
    and F drives and all files in the C:\windows\system folder that have a 
    .sys, .vxd, .ocx, or .nls extension. The worm spreads by sending a copy 
    of itself to everyone in the user's address book.
       http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1149
    
    * FAQ: WHAT ADVANTAGES DO OFFLINE BACKUPS AND IMAGE BACKUPS HAVE OVER 
    ONLINE BACKUPS?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. You can use any backup program--or even the Copy command--to 
    reliably back up files that aren't in use. However, backing up files 
    that are in use, such as system files, when your OS is in an online 
    state can be complicated. Read what John Savill has to say about 
    offline, image, and online backups!
       http://www.windows2000faq.com/articles/index.cfm?articleid=24414
    
    6. ==== NEW AND IMPROVED ==== 
       (contributed by Carolyn Mascarenas, productsat_private) 
    
    * LEARN ABOUT WEB SECURITY, PRIVACY, AND COMMERCE
       O'Reilly & Associates released "Web Security, Privacy & Commerce," 
    by Simson Garfinkel and Gene Spafford, a reference book that covers Web 
    security risks and the techniques and technologies that you can use to 
    protect yourself against these risks. Topics include cryptography, 
    passwords, digital signatures, biometrics, cookies, log files, spam, 
    Web logs, the Secure Sockets Layer (SSL), digital payments, client-side 
    signatures, pornography filtering, intellectual property, and legal 
    concerns. The 756-page book costs $44.95. Contact O'Reilly at 
    800-998-9938.
       http://www.oreilly.com
    
    * RESTRICT FILE AND FOLDER ACCESS
       CenturionSoft and SoftClan released SoftClan Security Suite, a 
    security and auditing program that can provide Windows Me and Windows 
    9x systems with protection levels similar to those of Windows NT on 
    NTFS. You can administer the software by using a transparent monitoring 
    process that doesn't alter the system's operation or speed. The 
    software restricts file and folder access to protect a system from 
    intruders, accidents, and viruses. The software controls and audits 
    each user's PC use, which is important for PCs that have multiple 
    users. SoftClan Security Suite costs $39.95. Contact CenturionSoft or 
    SoftClan at 202-293-5151.
       http://www.centurionsoft.com
    
    7. ==== HOT THREADS ==== 
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS 
       http://www.winnetmag.net/forums 
    
    Featured Thread: Anonymous Access
       (One message in this thread)
    
    Richard writes that every 2 hours, his PDC records hundreds of 
    anonymous accesses in a 2- to 4-second period in the Security log. He 
    reports that he has disabled anonymous access, but the log entries 
    still appear. He's worried about the security implications. Can you 
    help?
       http://www.secadministrator.com/forums/thread.cfm?thread_id=100630
    
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 
    
    Featured Thread: How to Hide Dial-up Properties
       (One message in this thread)
    
    Tricia wants to know how to hide dial-up properties when users dial 
    into a Windows NT server. She wants to hide all settings including the 
    number dialed yet still let the user enter a username and password for 
    authentication. Can you help?
    
    http://www.secadministrator.com/listserv/page_listserv.asp?a2=ind0204a&l=howto&p=81
    
    8. ==== CONTACT US ==== 
       Here's how to reach us with your comments and questions: 
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please 
    mention the newsletter name in the subject line) 
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 
    
    * PRODUCT NEWS -- productsat_private 
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
    Support -- securityupdateat_private 
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 
    
    ******************** 
    
       This email newsletter is brought to you by Security Administrator, 
    the print newsletter with independent, impartial advice for IT 
    administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
    today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters. 
       http://www.winnetmag.net/email 
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    SUBSCRIBE
    To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Apr 04 2002 - 02:15:30 PST