[ISN] Security UPDATE, May 22, 2002

From: InfoSec News (isnat_private)
Date: Thu May 23 2002 - 02:52:19 PDT


    ******************** 
    Windows & .NET Magazine Security UPDATE--brought to you by Security 
    Administrator, a print newsletter bringing you practical, how-to 
    articles about securing your Windows .NET Server, Windows 2000, and 
    Windows NT systems. 
       http://www.secadministrator.com 
    ******************** 
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Plan for Infrastructure Security
       http://www.ibm.com/e-business/playtowin/n20 
    
    VeriSign--The Value of Trust
       http://list.winnetmag.com/cgi-bin3/flo?y=eL4Z0CJgSH0CBw014e0AI 
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: PLAN FOR INFRASTRUCTURE SECURITY ~~~~
       A flexible, reliable infrastructure is a fully integrated 
    infrastructure. With your copy of "e-business Infrastructure 
    Integration: Practical Approaches," you'll learn how properly 
    constructed e-business infrastructure solutions can work for you across 
    business units and across operations to make your organization faster, 
    more flexible, immediately responsive, and highly competitive. IBM has 
    the knowledge, experience, and global resources to help you implement a 
    solution tailored to your company's needs. Let us help you get started 
    building a seamlessly integrated infrastructure for your organization 
    by signing up today to receive your complimentary white paper at
       http://www.ibm.com/e-business/playtowin/n20 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    May 22, 2002--In this issue: 
    
    1. IN FOCUS
         - Biometric Security: Fingerprints Don't Always Suffice
    
    2. SECURITY RISKS
         - Multiple Problems with IE
         - Authorization Problem in nCipher's MSCAPI CSP Install Wizard 
           5.50
    
    3. ANNOUNCEMENTS
         - Meeting IT Security Benchmarks Through Effective IT Audits, 
           August 8-9, 2002, Washington, DC
         - Attend Black Hat Briefings & Training, July 29 - August 1, 2002, 
           Las Vegas
     
    4. SECURITY ROUNDUP
         - News: Online Personal Privacy Act Closer to Becoming Law 
         - News: Microsoft Remedy Hearings: Security by Obscurity, Parts I 
           and II
         - Feature: Secure Messaging and Exchange
    
    5. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Restrict User Access to the Control Panel 
           Internet Options or Internet Tools Applet Without Using 
           Policies?
    
    6. NEW AND IMPROVED
         - Realtime Protection Against Security Breaches
         - Updated Security Suite
    
    7. HOT THREADS 
         - Windows & .NET Magazine Online Forums
             - Featured Thread: The Difference Between Required Encryption 
               and Maximum Strength Encryption
         - HowTo Mailing List
             - Featured Thread: IIS 5.0 Banner Query 
    
    8. CONTACT US 
       See this section for a list of ways to contact us. 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor, 
    markat_private) 
    
    * BIOMETRIC SECURITY: FINGERPRINTS DON'T ALWAYS SUFFICE
    
    Does your company use fingerprint-scanning authentication technology? 
    If so, that technology might not be enough to guard the authentication 
    process for your particular network environment because, as you know, 
    the finger doesn't have to be attached to the body. For that matter, 
    the finger doesn't even need to be a real finger. A recent news story 
    from The Register (see the URL below) is a good case in point. In the 
    story "Gummi bears defeat fingerprint sensors," reporter John Leyden 
    describes how Japanese mathematician Tsutomu Matsumoto used gelatin and 
    a plastic mold to reproduce a portion of a finger, including its 
    fingerprint, and defeated 11 different fingerprint-authentication 
    systems in four of five attempts. Taking the process further, Matsumoto 
    lifted a fingerprint from a glass, transferred the print to a rigid 
    flat surface, and used a mold to create a fake gelatin finger. 
    According to the report, the finger fooled scanners about 80 percent of 
    the time. 
       http://www.theregister.co.uk/content/55/25300.html
    
    To receive a copy of a paper Matsumoto wrote detailing the preceding 
    endeavors, send him an email message to tsutomuat_private and 
    request a copy. Although that paper isn't available on the Web site, 
    you'll find a presentation in which Matsumoto discusses biometrics and 
    shows some photographs of the process of creating a fake finger. You 
    can download a copy of the PDF file (about 1.2MB) at the URL below.
       http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf
    
    Bruce Schneier, founder and chief technology officer (CTO) of 
    Counterpane Internet Security, publishes the newsletter Crypto-Gram. In the May 15 
    edition (see the URL below), Schneier offers more detail and commentary 
    about Matsumoto's process. According to Schneier, "There's both a 
    specific and a general moral to take away from this result. Matsumoto 
    is not a professional fake-finger scientist; he's a mathematician. He 
    didn't use expensive equipment or a specialized laboratory. He used $10 
    of ingredients you could buy, and whipped up his gummy fingers in the 
    equivalent of a home kitchen. And he defeated eleven different 
    commercial fingerprint readers, with both optical and capacitive 
    sensors, and some with 'live finger detection' features." Schneier 
    urges us to consider how much more dedicated attackers could do. 
    Schneier warns, "All the fingerprint companies have claimed for years 
    that this kind of thing is impossible. When they read Matsumoto's 
    results, they're going to claim that [Matsumoto's methods] don't really 
    work, or that they don't apply to them, or that they've fixed the 
    problem. Think twice before believing them."
       http://www.counterpane.com/crypto-gram-0205.html#5
    
    Following the fake finger story, Crypto-Gram offered a link to a news 
    report about paying for merchandise with nothing more than a 
    fingerprint. According to an April 27 article in the Seattle Post-
    Intelligencer (see the URL below), the West Seattle Thriftway store 
    offers customers a fingerprint-only payment system. The system ties 
    customers' fingerprints directly to their credit cards, checking 
    accounts, and benefit cards and lets them pay for merchandise by simply 
    placing their index finger on a scanner during checkout.
       http://seattlepi.nwsource.com/local/68217_thumb27.shtml
    
    Someone could theoretically use Matsumoto's technique to create a thin 
    "skin" with someone else's fingerprint, lay it over his or her index 
    finger, and go on a shopping spree at someone else's expense. The 
    article about the fingerprint checkout system could mislead uneducated 
    consumers. According to the store owner, the new payment system is 
    foolproof: "People no longer have to worry that their cards will be 
    lost or stolen and then used to run up hefty charges. Stores and credit 
    card issuers will likewise avoid the losses associated with identity 
    theft." Yeah, right. If nothing else, the Matsumoto experiments should 
    keep us all from being lulled into a false sense of security.
    
    The West Seattle Thriftway might have used something a bit more secure 
    for its biometric payment system. Several other options (e.g., facial-
    recognition units) offer more security. Visionics (see the URL below) 
    makes a facial-recognition unit that you can use for network 
    authentication. The company's FaceIt product works as a single sign-on 
    (SSO) tool and as a continuous authentication system. Users are 
    authenticated initially, then reauthenticated as they continue to use 
    the system. This approach helps prevent anyone but the authenticated 
    user from using the authenticated resources. FaceIt uses any video 
    camera that supports Microsoft Video for Windows. The product runs on 
    Windows platforms, Linux, Sun OS, and SGI Irix systems, and the company 
    offers software development kits (SDKs) for custom application 
    development.
       http://www.visionics.com/faceit
    
    BioID makes a facial-recognition product also called BioID. The product 
    uses a combination of facial features, voice patterns, and lip movement 
    to identify a person. BioID uses a standard USB-based video camera and 
    microphone to perform its authentication process. You can learn more 
    about the product at the company's Web site (see the URL below). 
       http://www.bioid.com
    
    If you're interested in other types of biometric security, such as 
    hand-geometry, iris, retina, voice, and signature scanners, a great 
    place to start is the International Biometric Group Web site (see the 
    first URL below). The site offers information about most types of 
    biometric security available today and links to many vendor sites. The 
    following quick reference by security type (see the second through 
    eighth URLs below) will get you started.  
       http://www.biometricgroup.com
       http://www.finger-scan.com/finger-scan_vendors.htm
       http://www.facial-scan.com/facial-scan_vendors_and_links.htm
       http://www.iris-scan.com/iris_recognition_vendors.htm
       http://www.retina-scan.com/retina_scan_vendors_and_products.htm
       http://www.hand-scan.com/hand_scan_vendors.htm
       http://www.voice-scan.com/vendors.htm
       http://www.signature-scan.com/signature_scan_vendors.htm
    
    In last week's Security UPDATE commentary, I discussed Instant 
    Messaging (IM) software. A different article in The Register, "EDS bans 
    IM" (see the URL below), discusses how the computer arm of the British 
    government has banned IM because of its inherent security risks, 
    particularly the way IM products let network traffic bypass certain 
    security systems designed to protect networks. For example, IM software 
    can deliver email and transfer files that bypass virus-scanning 
    software and infect your network. The article offers further evidence 
    that you should weigh the risks of IM before you allow its use in your 
    environment.
       http://www.theregister.co.uk/content/55/25185.html
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
       Get the strongest server security--128-bit SSL encryption! 
       Download VeriSign's FREE guide, "Securing Your Web Site for 
    Business" and learn everything you need to know about using SSL to 
    encrypt your e-commerce transactions for serious online security. Click 
    here!
       http://list.winnetmag.com/cgi-bin3/flo?y=eL4Z0CJgSH0CBw014e0AI 
     
    ~~~~~~~~~~~~~~~~~~~~ 
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * MULTIPLE PROBLEMS WITH IE
       Microsoft reported six vulnerabilities in Microsoft Internet 
    Explorer (IE). The first is a cross-site scripting problem, the second 
    and third relate to information disclosure, the fourth is a zone-
    spoofing problem, and the last two relate to malformed headers in 
    downloadable files. Microsoft has released a cumulative patch to 
    correct the problems. For complete details about these problems and a 
    link to the patch, please visit the URL below.
       http://www.secadministrator.com/articles/index.cfm?articleid=25246
    
    * AUTHORIZATION VULNERABILITY IN NCIPHER'S MSCAPI CSP INSTALL WIZARD 
    5.50
       When a user creates an Operator Card Set with nCipher's MSCAPI CSP 
    Install Wizard 5.50, the nCipher CSP key generation behaves as the user 
    requests. When the user selects Cardset Protect from the Install Wizard 
    but doesn't create a new Operator Card Set, the wizard incorrectly sets 
    up the nCipher CSPs to use module protection for all keys that the user 
    subsequently creates. Then, rather than a combination of the Operator 
    Card Set and module, the module alone protects application keys that 
    the nCipher CSP generates. An attacker who gains control of any nCipher 
    module that the user has programmed into the key's security world can 
    gain unauthorized access to this key because the nCipher module doesn't 
    require any further smart card authorization. nCipher has released an 
    advisory that recommends the corrective action a user should take. 
       http://www.secadministrator.com/articles/index.cfm?articleid=25245
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * MEETING IT SECURITY BENCHMARKS THROUGH EFFECTIVE IT AUDITS, AUGUST 8-
    9, 2002, WASHINGTON, DC
       Have your IT security solutions kept pace with evolving threats? 
    Until you conduct a thorough IT security audit, you won't know the 
    answer until after a breach has occurred. To help you get the greatest 
    return on investment (ROI) from your security spending, ITRA is proud 
    to present a step-by-step practical guide to auditing your enterprise's 
    IT security. For more information, call 800-280-8440 or visit:
       http://list.winnetmag.com/cgi-bin3/flo?y=eL4Z0CJgSH0CBw014f0AJ
    
    * ATTEND BLACK HAT BRIEFINGS & TRAINING, JULY 29-AUGUST 1, 2002, LAS 
    VEGAS
       Black Hat Briefings is the world's premier technical security event, 
    featuring 8 tracks and 12 training sessions, with lots of Windows 
    topics coverage, full support by Microsoft, and a keynote by Richard 
    Clarke. See for yourself what the buzz is all about. Register today! 
       http://list.winnetmag.com/cgi-bin3/flo?y=eL4Z0CJgSH0CBw0pHV0AQ
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: ONLINE PERSONAL PRIVACY ACT CLOSER TO BECOMING LAW
       The Senate Commerce Committee approved the bill S.2201, the "Online 
    Personal Privacy Act," which would require online entities to stop 
    collecting personal information from users unless the users 
    specifically agree to such information collection either before or 
    during the collection process. After users agree to the information 
    collection, the agreement would remain in effect until the users change 
    their consent.
       http://www.secadministrator.com/articles/index.cfm?articleid=25247
    
    * NEWS: MICROSOFT REMEDY HEARINGS: SECURITY BY OBSCURITY, PARTS I AND 
    II
       If you didn't read Paul Thurrott's WinInfo Daily UPDATE Short Takes 
    on May 10, you missed some interesting information. As Microsoft Group 
    Vice President Jim Allchin responded to a question about the security 
    exception in the proposed settlement with the US Department of Justice 
    (DOJ), he essentially said that the company must be permitted to 
    withhold information that would compromise Windows security (you know, 
    like interoperability information). "The more creators of viruses know 
    about how antivirus mechanisms in Windows operating systems work, the 
    easier it will be to create viruses to disable or destroy those 
    mechanisms," Allchin said. 
       Samba developers had been looking forward to a mid-2002 Microsoft 
    code release that would give them the information they need to work 
    with the company's latest networking protocol, the Common Internet File 
    System (CIFS). However, Microsoft forbids using the code in any 
    projects covered by the GNU General Public License (GPL), which is 
    exactly what Samba uses.
       http://www.secadministrator.com/articles/index.cfm?articleid=25172
    
    * FEATURE: SECURE MESSAGING AND EXCHANGE
       Microsoft Exchange Server implements secure messaging through the 
    Advanced Security subsystem. This subsystem supports two key functions: 
    signing (i.e., digital signatures for message nonrepudiation) and 
    encryption/decryption. In fact, Exchange's infrastructure and services 
    play a supporting role in secure messaging; the Exchange client (e.g., 
    Microsoft Outlook, Outlook Express) plays the main role. For secure 
    messaging to work, you need a supporting infrastructure, Exchange 
    services, and client extensions that implement support for digital 
    signing and encryption.
       http://www.secadministrator.com/articles/index.cfm?articleid=25165
    
    5. ==== SECURITY TOOLKIT ==== 
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I RESTRICT USER ACCESS TO THE CONTROL PANEL INTERNET 
    OPTIONS OR INTERNET TOOLS APPLET WITHOUT USING POLICIES?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. If you use NTFS, you can use the file system's built-in permissions 
    to restrict access to the Control Panel Internet Options or Internet 
    Tools applet by performing the following steps: 
       1. Open Windows Explorer. 
       2. Navigate to %systemroot%\system32 (e.g., c:\windows\system32). 
       3. Right-click inetcpl.cpl and select Properties from the context 
    menu. 
       4. Select the Security tab. 
       5. Adjust the user and group permissions as appropriate, and ensure 
    that the SYSTEM group has Full Control. 
    
    You can also use the standard command-line permission utility cacls.exe 
    to set these permissions. However, be aware that when you use either 
    method to restrict access, another administrator will have a difficult 
    time determining the permissions you've set. Therefore, using policies 
    is the preferred method for restricting access.
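    The same restriction, scripted, with the audit step the paragraph above 
    says is missing from the GUI approach. This is an added example, not 
    part of the FAQ; it assumes the built-in Users group is the one to 
    restrict and uses the PowerShell Get-Acl/Set-Acl cmdlets in place of 
    cacls.exe (the cacls equivalent is shown in a comment).

```powershell
# Added example (not the FAQ's own script): deny BUILTIN\Users access to
# inetcpl.cpl with an NTFS ACE, then list the explicit ACEs so another
# administrator can see what was changed. Run as an administrator.

$cpl = Join-Path $env:SystemRoot 'System32\inetcpl.cpl'

# Read the current DACL and add an explicit Deny ACE for the Users group.
# SYSTEM and Administrators keep their existing (Full Control) entries.
$acl  = Get-Acl -Path $cpl
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users',        # assumed group to restrict
            'ReadAndExecute',       # blocks opening/launching the applet
            'Deny')
$acl.AddAccessRule($rule)
Set-Acl -Path $cpl -AclObject $acl

# Equivalent with the cacls.exe tool mentioned in the FAQ (/E edits the
# existing ACL instead of replacing it; /D denies the named group):
#   cacls %SystemRoot%\System32\inetcpl.cpl /E /D Users

# Audit: show only explicit (non-inherited) ACEs on the file. This is the
# step that makes the restriction discoverable to the next administrator.
(Get-Acl -Path $cpl).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Sanity check: SYSTEM must still hold Full Control, as step 5 requires.
$systemFull = (Get-Acl -Path $cpl).Access |
    Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -eq 'FullControl'
    }
if (-not $systemFull) { Write-Warning 'SYSTEM no longer has Full Control on inetcpl.cpl' }
```

    A Deny ACE is evaluated before Allow entries, so a user who is also an 
    Administrator will be blocked as well; scope the group accordingly.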
    
    6. ==== NEW AND IMPROVED ==== 
       (contributed by Judy Drennen, productsat_private)
    
    * REALTIME PROTECTION AGAINST SECURITY BREACHES
       GFI's LANguard Security Event Log Monitor (S.E.L.M.) is a realtime 
    product that protects against internal and external security breaches. 
    The product monitors Security logs for Windows 2000 and Windows NT 
    servers and workstations, then consolidates them into a central log for 
    analysis. LANguard S.E.L.M. costs $495. Contact GFI at 888-243-4329 or 
    salesat_private
       http://www.gfi.com
    
    * UPDATED SECURITY SUITE
       Greatis Software released RegRun Security Suite 3.1, an updated 
    utility that maintains and controls PC stability while protecting 
    against dangerous viruses and Trojan horses. RegRun Security Suite 3.1 
    runs on Windows XP, Windows 2000, Windows NT, and Windows 9x, and costs 
    from $19.95 to $49.95 for a single-user license. Contact 
    Greatis at 206-202-4216 or supportat_private
       http://www.greatis.com
      
    7. ==== HOT THREADS ==== 
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS 
       http://www.winnetmag.com/forums
    
    Featured Thread: The Difference Between Required Encryption and Maximum 
    Strength Encryption
       (Twenty-one messages in this thread)
    
    Robert writes that when you set up a VPN client in Windows XP, in the 
    Properties section you see a tab labeled Security. If you select 
    Advanced (Custom Setting) on this tab, you enable the Setting button. 
    If you click Setting, the process displays another window. At the top 
    of this window, you see a section labeled Data Encryption, with a drop-
    down menu, in which you find four settings--including Required 
    Encryption and Maximum Strength Encryption. Robert wants to know the 
    difference between Required Encryption and Maximum Strength Encryption. 
    Read the responses or lend a hand at the following URL.
       http://www.secadministrator.com/forums/thread.cfm?thread_id=104764
    
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: IIS 5.0 Banner Query 
       (Five messages in this thread) 
    
    A reader wants to know how to change the banner in Microsoft Internet 
    Information Services (IIS) 5.0 so that the server no longer reports 
    itself to users as an IIS 5.0 server. Is there an easy way to make such 
    a change without using hexadecimal editors to edit associated .dll 
    files? Read the responses or lend a hand at the following URL.
       http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205c&l=howto&p=971
    
    8. ==== CONTACT US ==== 
       Here's how to reach us with your comments and questions: 
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please 
    mention the newsletter name in the subject line) 
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums 
    
    * PRODUCT NEWS -- productsat_private 
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
    Support -- securityupdateat_private 
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 
    
    ******************** 
    
       This email newsletter is brought to you by Security Administrator, 
    the print newsletter with independent, impartial advice for IT 
    administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
    today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters. 
       http://www.winnetmag.com/email 
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE. 
    
    
    MANAGE YOUR ACCOUNT
    You can manage your entire Windows & .NET Magazine Network email 
    newsletter account on our Web site. Simply log on and you can change 
    your email address, update your profile information, and subscribe or 
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    SUBSCRIBE
       To quickly subscribe, send a blank email to 
    mailto:Security-UPDATE_Subat_private
    
    UNSUBSCRIBE
       To quickly unsubscribe, send a blank email to 
    mailto:Security-UPDATE_Unsubat_private
    
    Thank you!
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu May 23 2002 - 05:57:28 PDT