[ISN] Security UPDATE, April 24, 2002

From: InfoSec News (isnat_private)
Date: Thu Apr 25 2002 - 01:08:13 PDT

  • Next message: InfoSec News: "[ISN] CIA: China planning cyber-attacks on U.S., Taiwan"

    ******************** 
    Windows & .NET Magazine Security UPDATE--brought to you by Security 
    Administrator, a print newsletter bringing you practical, how-to 
    articles about securing your Windows .NET Server, Windows 2000, and 
    Windows NT systems. 
       http://www.secadministrator.com 
    ******************** 
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    FREE--SANS Top Trends in Security Management
       http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0rCF0Al
    
    SPI Dynamics Web Application Security White Paper
       http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zPL0AE
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: FREE--SANS TOP TRENDS IN SECURITY MANAGEMENT ~~~~ 
       What's the hottest trend shaping security this year? Read the FREE 
    SANS report sponsored by NetIQ to find out. Learn what the top industry 
    authorities had to say about security management in 2002. You'll gain 
    valuable insights and expert advice on crucial topics including new 
    threats, automated patching and continuous monitoring. Don't get left 
    behind--discover the top 8 security trends for 2002 now. Download the 
    must-have report today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0rCF0Al
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    April 24, 2002--In this issue: 
    
    1. IN FOCUS
         - Security Checklists and Handy Tools 
     
    2. SECURITY RISKS
         - Buffer Overflow in talentsoft's Web+ 5.0 and Web+ 4.6 Affects 
    Microsoft IIS
         - Cross-Site Scripting Vulnerability in Microsoft IE
    
    3. ANNOUNCEMENTS
         - Learn from (or Try to Stump) Top Windows Security Pros
         - Cast Your Vote for Our Reader's Choice Awards!
    
    4. SECURITY ROUNDUP
         - News: Microsoft Article Q320751: DoS Workarounds
         - News: New Variant of Klez Worm Spreading 
         - News: eEye Digital Security and St. Bernard Software Bundle 
    Software
         - News: WebEyeAlert and Amcest Partner for Video Surveillance
    
    5. INSTANT POLL
         - Results of Previous Poll: Hotfix Availability Notification
         - New Instant Poll: Antivirus Defense Location
    
    6. SECURITY TOOLKIT
         - Virus Center
              - Virus Alert: W32/Klez.I
         - FAQ: How Can I Disable IPSec on a VPN Connection That Uses L2TP?
    
    7. NEW AND IMPROVED
         - Secure Your Company with Cameras
         - Protect Your Hardware from Theft
    
    8. HOT THREADS 
         - Windows & .NET Magazine Online Forums
             - Featured Thread: View All Permissions and Shares
         - HowTo Mailing List
             - Featured Thread: Exceeding the 512-Character Limit of the 
               Legal Logon Notice
    
    9. CONTACT US 
       See this section for a list of ways to contact us. 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor, 
    markat_private) 
    
    * SECURITY CHECKLISTS AND HANDY TOOLS 
    
    When you perform a new software installation, do you use a checklist to 
    make sure you've adjusted the configuration for better security? 
    Numerous helpful checklists are available for various systems, many of 
    them online. Windows & .NET Magazine published a new guide in February 
    2002, which is available for free: "Secure Your Operating System--
    Guidelines for Hardening Windows 2000." 
    
    Jan De Clercq, who writes the NT Gatekeeper column for the Security 
    Administrator print newsletter, developed the checklist, which covers a 
    variety of system-configuration settings. The guide covers topics such 
    as authentication, access control, system-related hardening features, 
    Group Policy settings, and using Microsoft's Security Configuration 
    Tool Set. The guide also includes references to many security tools and 
    resources available for free. You can download a copy of the guide in 
    PDF format at the IT Buyer's Network Web site.
       http://www.itbuynet.com/pdf/0202-security.pdf
    
    I also recommend a set of free checklists from Australian-based company 
    InterSect Alliance. You'll find valuable checklists for five products 
    that many of you use: Win2K, Windows NT, Microsoft IIS, Apache Web 
    server, and Linux. 
    
    The checklists cover several aspects of the products, and, as you might 
    expect, each checklist begins with suggestions about how to perform 
    installation. The checklists also discuss network services and network 
    access controls, object access controls, subsystems that particular 
    products contain, and, of course, auditing. Even if you have checklists 
    you already use, stop by the Web site and examine these lists as well--
    you might find additional items for consideration that you've 
    overlooked.
       http://www.intersectalliance.com/projects/index.html
    
    Arne Vidstrom, Swedish security aficionado, recently released a new 
    security tool--PromisDetect--which is available for free. The tool runs 
    on Windows XP, Win2K, and NT. The tool checks systems to determine 
    whether their network adapters are running in promiscuous mode. Systems 
    whose network adapter cards run in promiscuous mode probably run 
    software that acts as a traffic sniffer, and you don't want just 
    anybody running a sniffer on your network. As you know, network packets 
    often contain sensitive information, including authentication data and 
    proprietary company information, so letting sniffers run unchecked on 
    the network weakens overall security. PromisDetect is a good way to 
    identify rogue sniffers. However, as Vidstrom notes, because someone 
    running a sniffer might also be intercepting traffic from software 
    designed to detect sniffers, PromisDetect and similar sniffer detectors 
    aren't foolproof. You can download a copy of PromisDetect, as well as 
    several other useful security-related tools, at Vidstrom's Web site.
       http://www.ntsecurity.nu/toolbox
    
    As I read our "HowTo for Security" mailing list last week (you can 
    subscribe at the URL below), I noticed that subscribers were asking how 
    to map listening ports back to their respective system services. As you 
    know, using a command such as the "netstat ľa" command or the "netstat 
    ľan" command can produce a list of ports, port service names, and IP 
    addresses. However, the lists don't include a map to the actual system 
    service that opened the port in the first place. Although you can see 
    which port is listening, which computer system is connected to it, and 
    which service the port is typically used for, you're still in the dark 
    about which application on your system actually opened the port.
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 
    
    Fortunately, tools are available that support further discovery. 
    Foundstone's Fport tool maps listening ports to the software on your 
    system that opened the port. When you run the Fport tool, you see a 
    list of open ports matched to a list of the applications that opened 
    the ports. The list includes full pathnames so that you can more easily 
    identify the exact programs referenced. You can download a copy of 
    Fport and several other useful security tools at the Foundstone Web 
    site.
       http://www.foundstone.com/knowledge/proddesc/fport.html
    
    Finally, are you keeping up with Microsoft security bulletins and 
    related hotfixes? Even if you are, keep in mind that occasionally 
    Microsoft publishes workarounds for security problems without releasing 
    a related bulletin to alert you to the need for system-configuration 
    adjustments. For example, Microsoft recently released the article, 
    "Denial of Service Attack on Port 445 May Cause Excessive CPU Use" 
    ( http://support.microsoft.com/default.aspx?scid=kb;en-us;q320751 ). 
    The article discusses registry settings that can help prevent 
    particular Denial of Service (DoS) attacks. You can read about the 
    matter in the related news story in this issue of Security UPDATE.
       http://www.secadministrator.com/articles/index.cfm?articleid=24948
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: SPI DYNAMICS WEB APPLICATION SECURITY WHITE PAPER ~~~~ 
       ALERT! Web applications are the new area of attack for hackers!
       By taking advantage of your website and using it to exploit your 
    applications, a hacker can gain access to your backend data. All 
    undetectable by today's methods of Internet security! Download this 
    *FREE* white paper from SPI Dynamics that provides a complete guide of 
    vulnerabilities and steps for protection!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zPL0AE
       
    ~~~~~~~~~~~~~~~~~~~~ 
    
    2. ==== SECURITY RISKS ====
    
    * BUFFER OVERFLOW IN TALENTSOFT'S WEB+ 5.0 AND WEB+ 4.6 AFFECTS 
    MICROSOFT IIS
       A buffer-overflow condition in talentsoft's Web+ 5.0 and Web+ 4.6 
    could result in the execution of code on the vulnerable system under 
    the system security context. Requesting a Wireless Markup Language 
    (WML) file from a Web server and supplying an overly long cookie can 
    cause the internal buffer to overflow, overwriting a saved return 
    address on the stack. The vendor, talentsoft, has created a patch for 
    this vulnerability. For a link to the patch, visit the URL below. 
       http://www.secadministrator.com/articles/index.cfm?articleid=24929
    
    * CROSS-SITE SCRIPTING VULNERABILITY IN MICROSOFT IE
       Thor Larholm discovered a universal cross-site scripting 
    vulnerability in Microsoft's WebBrowser control for Microsoft Internet 
    Explorer (IE) that could result in elevated privileges and session-
    hijacking of the MSN Messenger client. This vulnerability stems from an 
    error in the validation code in the dialogArguments property. Detailed 
    information is available on the discoverer's Web site (see the URL 
    below). Microsoft hasn't released a hotfix or workaround for this 
    problem.
       http://www.secadministrator.com/articles/index.cfm?articleid=24928
    
    3. ==== ANNOUNCEMENTS ====
    
    * LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
       The Windows & .NET Magazine LIVE! event brings together industry 
    gurus who take security seriously. Topic coverage includes Microsoft 
    IIS security, deploying public key infrastructure (PKI), designing 
    Group Policies to enhance security, tips for securing Windows 2000 
    networks, security pitfalls (and solutions) for your mobile workforce, 
    and more. Register today before this event sells out!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0qQl0Ac  
    
    * CAST YOUR VOTE FOR OUR READER'S CHOICE AWARDS!
       Which companies and products do you think are the best on the 
    market? Nominate your favorites in four different categories for our 
    annual Windows & .NET Magazine Reader's Choice Awards. You could win a 
    T-shirt or a free Windows & .NET Magazine Super CD, just for submitting 
    your ballot. Click here!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zMs0Ao
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: MICROSOFT ARTICLE Q320751: DoS WORKAROUNDS
       Peter Grundl, a researcher at KPMG in Denmark, discovered a Denial 
    of Service (DoS) condition in Windows 2000 that could potentially cause 
    systems to crash. Microsoft issued the article, "Denial of Service 
    Attack on Port 445 May Cause Excessive CPU Use," 
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;q320751 ) 
    regarding the matter. The article describes two methods to work around 
    the vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=24948
    
    * NEWS: NEW VARIANT OF KLEZ WORM SPREADING 
       Antivirus software maker Panda Software has issued a warning about a 
    dangerous new worm variant, W32/Klez.I, which is spreading across 
    Europe and Asia. Panda Software expects the virus to spread to the 
    United States beginning this week.
       http://www.secadministrator.com/articles/index.cfm?articleid=24867
    
    * NEWS: eEYE DIGITAL SECURITY AND ST. BERNARD SOFTWARE BUNDLE SOFTWARE
       eEye Digital Security and St. Bernard Software have announced a 
    strategic partnership to bundle eEye's Retina Network Security Scanner 
    software with St. Bernard's UpdateEXPERT software. The software bundle 
    lets administrators use Retina Network Security Scanner to scan for 
    security vulnerabilities and use UpdateEXPERT to help correct a problem 
    by guiding the administrator through the process of installing patches 
    and making configuration adjustments.
       http://www.secadministrator.com/articles/index.cfm?articleid=24925
    
    * NEWS: WebEyeAlert AND AMCEST PARTNER FOR VIDEO SURVEILLANCE
       WebEyeAlert, which develops WebEyeAlert video security surveillance 
    technology, announced a strategic partnership with Amcest, a nationwide 
    monitoring service. Under the terms of the partnership, Amcest will 
    offer its dealers the WebEyeAlert solution to promote free video 
    monitoring services to its customers.
       http://www.secadministrator.com/articles/index.cfm?articleid=24924
    
    5. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: HOTFIX AVAILABILITY NOTIFICATION
       The voting has closed in Windows & .NET Magazine's Security 
    Administrator Channel nonscientific Instant Poll for the question, "If 
    someone makes information about a security vulnerability public before 
    the company whose product is involved has developed a fix, should that 
    company notify customers about an estimated time when a fix will be 
    available?" Here are the results (+/- 2 percent) from the 473 votes:
       - 90% Yes
       -  6% No
       -  4% Not sure
    
    * NEW INSTANT POLL: ANTIVIRUS DEFENSE LOCATION
       The next Instant Poll question is, "Where have you placed your 
    organization's antivirus defenses?" Go to the Security Administrator 
    Channel home page and submit your vote for a) on desktops, b) on email 
    servers, c) on file servers, d) at the Internet border, or e) at two or 
    more of the above locations.
       http://www.secadministrator.com
    
    6. ==== SECURITY TOOLKIT ==== 
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    - Virus Alert: W32/Klez.I
       W32/Klez.I is a worm that's designed to spread through email. The 
    messages the worm sends have different subjects, which include 
    
       A new website 
       Introduction on ADSL
       Fw:virus,japanese lass' sexy pictures
       A very new game
       NOSHADE CLASS
    
    The body of the message the worm sends might contain any of the 
    following text: 
    
       This is a new website. I wish you would like it. 
       This game is my first work.
       You're the first player.
       I hope you would enjoy it
    
    Files attached to messages the worm sends have random names. Once run, 
    the worm creates a file in the Windows directory and a file in the 
    Program Files folder. 
       http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1154
    
    * FAQ: HOW CAN I DISABLE IPSEC ON A VPN CONNECTION THAT USES L2TP?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. Windows automatically creates an IP Security (IPSec) policy for 
    Layer Two Tunneling Protocol (L2TP) connections because L2TP doesn't 
    encrypt data. However, you might want to test a VPN L2TP connection 
    without IPSec (e.g., when you're troubleshooting). Although you must 
    disable IPSec on both the client and server in this situation, make 
    sure you reenable the security policy after you resolve any problems; 
    otherwise, your systems are vulnerable to attack. To disable IPSec, 
    perform the following steps on both client and server: 
    
       1. Start a registry editor (e.g., regedit.exe). 
       2. Navigate to the 
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters 
    subkey. 
       3. From the Edit menu, select New, DWORD Value. 
       4. Enter a name of ProhibitIpSec and click Enter. 
       5. Double-click the new value, set it to 1, and click OK. 
       6. Restart the machine. 
    
       For more information, see the Microsoft article "How to Configure a 
    L2TP/IPSec Connection Using Pre-shared Key Authentication." 
       http://support.microsoft.com/default.aspx?scid=kb;en-us;q240262
    
    7. ==== NEW AND IMPROVED ==== 
       (contributed by Judy Drennen, productsat_private) 
    
    * SECURE YOUR COMPANY WITH CAMERAS 
       CamDevTeam released CamSurveillance, shareware capable of monitoring 
    up to 50 IP-addressable network cameras to secure your company. You can 
    use the cameras within your company's LAN or select your favorite 
    WebCams from the Internet. CamSurveillance runs on Windows XP, Windows 
    2000, Windows NT, Windows Me, and Windows 9x systems and costs $49.95. 
    Contact CamDevTeam at webmasterat_private for a trial 
    download.
        http://www.camsurveillance.com
    
    * PROTECT YOUR HARDWARE FROM THEFT
       Brigadoon Software announced PC PhoneHome Enterprise, software that 
    gives enterprise-level users a security tool to protect computer 
    hardware and intellectual property against theft. PC PhoneHome 
    Enterprise works by sending periodic signals to a centralized command 
    center the licensee chooses with the exact coordinates of the 
    registrant's computer. If the computer is lost or stolen, the signals 
    can pinpoint the computer's whereabouts. PC PhoneHome Enterprise runs 
    on all Windows and Macintosh systems. For pricing, contact Brigadoon at 
    the Web site. 
       http://www.brigadoonsoftware.com
    
    8. ==== HOT THREADS ==== 
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS 
       http://www.winnetmag.net/forums
    
    Featured Thread: View All Permissions and Shares
       (Two messages in this thread)
    
    Tom wants to know how he can view a list of all permissions and shares 
    on a given system. Can you help? 
       http://www.secadministrator.com/forums/thread.cfm?thread_id=102362
    
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Exceeding the 512-Character Limit of the Legal Logon 
    Notice
       (One message in this thread)
    
    Windows 2000 Group Policy restricts the length of the logon sequence 
    legal notice text to 512 characters. This length is probably sufficient 
    in most cases. However, some countries have a legal requirement to 
    display such notices in more than one language, which can cause the 
    total text displayed to exceed the 512-character limit. Are there any 
    known workarounds to the 512-character restriction? Can you help? Read 
    the responses or lend a hand at the following URL.
       http://63.88.172.96/listserv/page_listserv.asp?A2=ind0204c&l=howto&p=659 
    
    9. ==== CONTACT US ==== 
       Here's how to reach us with your comments and questions: 
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please 
    mention the newsletter name in the subject line) 
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 
    
    * PRODUCT NEWS -- productsat_private 
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
    Support -- securityupdateat_private 
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 
    
    ******************** 
    
       This email newsletter is brought to you by Security Administrator, 
    the print newsletter with independent, impartial advice for IT 
    administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
    today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters. 
       http://www.winnetmag.net/email 
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    
    SUBSCRIBE
    To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Apr 25 2002 - 04:12:22 PDT