[ISN] Security UPDATE, May 29, 2002

From: InfoSec News (isnat_private)
Date: Thu May 30 2002 - 01:36:22 PDT


    ******************** 
    Windows & .NET Magazine Security UPDATE--brought to you by Security 
    Administrator, a print newsletter bringing you practical, how-to 
    articles about securing your Windows .NET Server, Windows 2000, and 
    Windows NT systems. 
       http://www.secadministrator.com 
    ******************** 
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Plan for Infrastructure Security
       http://www.ibm.com/e-business/playtowin/n32 
    
    VeriSign--The Value of Trust
       http://list.winnetmag.com/cgi-bin3/flo?y=eL8W0CJgSH0CBw0zFu0A5 
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: PLAN FOR INFRASTRUCTURE SECURITY ~~~~
       Put wireless technologies to work for your organization to build a 
    flexible and more competitive e-business. IBM offers know-how and 
    global resources that can help you work both intelligently and safely. 
    Learn how wireless technology solutions can extend your company's reach 
    with a copy of our white paper, "A Wireless World Awaits: Nine Moves 
    that Mobilize e-business." IBM has the knowledge, experience and global 
    resources to help you and your partners work with peace of mind and 
    remain focused on your core business issues. Visit us and register 
    today to receive your complimentary copy at
       http://www.ibm.com/e-business/playtowin/n32 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    May 29, 2002--In this issue: 
    
    1. IN FOCUS
         - Legal Remedy for Junk Email; Hiring Security Staff 
    
    2. SECURITY RISK
         - Buffer Overflow in Ipswitch's IMail Server
    
    3. ANNOUNCEMENTS
         - Cast Your Vote for Our Readers' Choice Awards! 
         - Attend Our Free Windows Security Solutions Webinar!
    
    4. SECURITY ROUNDUP
         - News: Spammers Beware: New Bill Seeks Criminal Enforcement 
         - News: CyberSource Teams with Concord EFS for Secure Payment 
           System 
         - News: SonicWALL Protects Santa Barbara Police Department 
         - News: Spida Worm Infects SQL Servers 
         - News: SurfControl Releases White Paper Stressing Layered 
           Security
    
    5. INSTANT POLL
         - Results of Previous Poll: IM Use 
         - New Instant Poll: IM Policy
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Disable Multiuser Editing in Microsoft Office 
           XP's Word Processor--Microsoft Word 2002?
    
    7. NEW AND IMPROVED
         - Automatically Plug Major Windows XP Security Hole
         - PC User-Authentication Solution
       
    8. HOT THREADS 
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Password Breach
         - HowTo Mailing List
             - Featured Thread: NT Profiles and Password Policy
    
    9. CONTACT US 
       See this section for a list of ways to contact us. 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor, 
    markat_private) 
    
    * LEGAL REMEDY FOR JUNK EMAIL; HIRING SECURITY STAFF 
    
    Are you getting enough spam yet? After the long holiday weekend, I 
    checked the email in just one of my mail accounts, and the server 
    reported 76 messages waiting to be delivered. In fact, 38 of them were 
    unsolicited junk mail advertising all kinds of things I don't need, 
    such as an as-seen-on-TV cure for snoring. I don't get nearly as much 
    junk mail in my postal mailbox as I do in my electronic mail boxes, yet 
    I've never opted into anyone's electronic advertising campaigns. 
    
    All online advertisers should include a link or email address that we 
    can use to remove our names from their distribution lists (DLs). 
    However, spam sources often use such contact points not to remove names 
    from lists but to verify that a particular email address is valid--
    which only increases the amount of junk mail I receive. 
    
    A few years ago, in a television commentary, Andy Rooney joked that he 
    accumulates piles of his postal junk mail, then ships it all back to 
    the sender with a note that says, "Please throw this away for me." The 
    idea struck me as hilarious, and it might be effective, but I doubt it 
    would work with electronic junk mail. 
    
    We can use spam filters to eliminate unwanted email traffic, but 
    keeping the filters effective isn't simple. The task becomes expensive 
    over the long run through filtering software costs and the security-
    related maintenance hours required. But some relief might be in sight. 
    Recently, the Senate Commerce Committee passed Bill S.630, which, if it 
    becomes law, would make it illegal to send unsolicited email unless 
    recipients have given express consent to receive such communications. 
    In a nutshell, the new law would eliminate "opt out" in favor of "opt 
    in" policies. The proposed law would also let those who receive 
    unsolicited communications file class-action and independent lawsuits 
    against offenders to collect monetary damages. You can read about the 
    bill in the related news story, "Spammers Beware: New Bill Seeks 
    Criminal Enforcement" (see the URL below).
       http://www.secadministrator.com/articles/index.cfm?articleid=25291
    
    On another security-related subject--do you have trouble hiring and 
    keeping security professionals in your company? A recent article in CIO 
    Magazine, "How to Staff Up for Security" (see the URL below), notes 
    that employers have trouble filling available positions because of a 
    lack of skilled and experienced workers in the field: On average, 
    employers fill 1 in 13 available positions.
       http://www.idg.net/go.cgi?id=685363
    
    The article lists several ways to attract, hire, and keep quality 
    security people on your staff, including
       - knowing your needs and matching them to a candidate
       - using specialized headhunters and employment agencies
       - making cutting-edge technology available to your security staff
       - offering incentives such as yearly training and conference 
    attendance 
       - considering training inhouse staff for security positions
       - paying them well
    
    You probably already know that security professionals don't come cheap. 
    The article states that salaries in the field can range from $60,000 up 
    to $180,000 per year, depending on several factors, including level of 
    responsibility. Be sure to read the article. 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
       Secure your servers with 128-bit SSL encryption! 
       Grab your copy of VeriSign's FREE Guide, "Securing Your Web site for 
    Business," and you'll learn everything you need to know about using 
    128-bit SSL to encrypt your e-commerce transactions, secure your 
    corporate intranets and authenticate your Web sites. 128-bit SSL is 
    serious security for your online business. Get it now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eL8W0CJgSH0CBw0zFu0A5 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    2. ==== SECURITY RISK ====
       (contributed by Ken Pfeil, kenat_private)
    
    * BUFFER OVERFLOW IN IPSWITCH'S IMAIL SERVER
       Foundstone discovered a buffer-overflow condition in the Lightweight 
    Directory Access Protocol (LDAP) component of Ipswitch's IMail Server. 
    A remote attacker can trigger the overflow to crash the service (a 
    Denial of Service, or DoS, attack) or to execute arbitrary code with the 
    privileges of the IMail daemon, which runs as SYSTEM by default. 
    Ipswitch has released Hotfix 1 for IMail Server 7.10, which addresses 
    this vulnerability. Users who have earlier versions of IMail Server 
    will need to upgrade to IMail Server 7.10 and then apply the hotfix.
       http://www.secadministrator.com/articles/index.cfm?articleid=25294
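    The bug class behind this advisory, as an added example that is not 
    Foundstone's finding, Ipswitch's code, or anything the advisory 
    describes in detail: a server-side handler that copies a length-prefixed 
    protocol field (the BER tag/length/value shape LDAP uses) into a fixed 
    stack buffer without checking the length, shown beside the hardened 
    form. The 64-byte attribute buffer, the "saved return address" slot laid 
    out right after it, the 0xdeadbeef placeholder, and the packet of 'A' 
    bytes are all constructed for the demo; the simulated frame is one array 
    so the overwrite stays well-defined C and can be observed rather than 
    crashing the process. Which IMail field overflows, and how, is not on 
    this page and is not claimed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (constructed for the demo): a 64-byte attribute
 * buffer immediately followed by a 4-byte slot standing in for the saved
 * return address. Both live inside one array so that the overrun is
 * well-defined C and can be inspected instead of crashing the process. */
#define ATTR_MAX   64
#define RET_OFFSET ATTR_MAX
#define FRAME_SIZE 128          /* large enough to hold the demo overflow */

typedef struct { unsigned char raw[FRAME_SIZE]; } frame_t;

/* Placeholder "saved return address" 0xdeadbeef, little-endian as on x86. */
static const unsigned char ret_placeholder[4] = { 0xef, 0xbe, 0xad, 0xde };

/* Read back the simulated saved return address. */
uint32_t saved_ret(const frame_t *f)
{
    const unsigned char *p = f->raw + RET_OFFSET;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Reset the frame: zeroed buffer, return slot holding the placeholder. */
static void frame_init(frame_t *f)
{
    memset(f->raw, 0, FRAME_SIZE);
    memcpy(f->raw + RET_OFFSET, ret_placeholder, sizeof ret_placeholder);
}

/* Minimal BER TLV reader (tag, short-form length, value), the shape an LDAP
 * front end sees for a bind DN. It only checks that the value lies inside
 * the packet; it says nothing about the caller's buffer. */
static int parse_tlv(const unsigned char *pkt, size_t pkt_len,
                     const unsigned char **value, size_t *value_len)
{
    if (pkt_len < 2 || pkt[0] != 0x04) return -1;   /* expect OCTET STRING */
    size_t len = pkt[1];
    if (len > pkt_len - 2) return -1;                /* value truncated */
    *value = pkt + 2;
    *value_len = len;
    return 0;
}

/* Vulnerable handler: trusts the attacker-supplied length and copies the
 * value into the fixed buffer, running over the return-address slot. */
int handle_vulnerable(const unsigned char *pkt, size_t pkt_len, frame_t *f)
{
    const unsigned char *v; size_t vlen;
    frame_init(f);
    if (parse_tlv(pkt, pkt_len, &v, &vlen) < 0) return -1;
    if (vlen > FRAME_SIZE) vlen = FRAME_SIZE;   /* demo-only clamp; a real stack has no such limit */
    memcpy(f->raw, v, vlen);                    /* BUG: no check against ATTR_MAX */
    return 0;
}

/* Hardened handler: refuses any value that would not fit with its NUL.
 * Rejecting is preferable to silent truncation, which can mangle a DN. */
int handle_hardened(const unsigned char *pkt, size_t pkt_len, frame_t *f)
{
    const unsigned char *v; size_t vlen;
    frame_init(f);
    if (parse_tlv(pkt, pkt_len, &v, &vlen) < 0) return -1;
    if (vlen >= ATTR_MAX) return -1;            /* oversized attribute */
    memcpy(f->raw, v, vlen);
    f->raw[vlen] = '\0';
    return 0;
}

/* Build a constructed request: one OCTET STRING of value_len 'A' bytes.
 * Returns the packet length, or 0 if it cannot be built. */
size_t build_packet(unsigned char *out, size_t out_len, size_t value_len)
{
    if (value_len > 255 || out_len < value_len + 2) return 0;
    out[0] = 0x04;
    out[1] = (unsigned char)value_len;
    memset(out + 2, 'A', value_len);
    return value_len + 2;
}

int main(void)
{
    unsigned char pkt[256];
    frame_t f;
    size_t n = build_packet(pkt, sizeof pkt, 100);   /* 100 > ATTR_MAX */
    handle_vulnerable(pkt, n, &f);
    printf("vulnerable: saved return = 0x%08x\n", saved_ret(&f));
    handle_hardened(pkt, n, &f);
    printf("hardened:   saved return = 0x%08x\n", saved_ret(&f));
    return 0;
}
```

    With the 100-byte value the vulnerable handler leaves the return slot 
    reading 0x41414141 (four 'A' bytes), which is exactly the control an 
    attacker needs for code execution as the service account; the hardened 
    handler returns an error and the slot still holds the placeholder. 
    The check belongs in the handler that owns the buffer, not in the 
    generic TLV reader, because the reader cannot know the destination size.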
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * CAST YOUR VOTE FOR OUR READERS' CHOICE AWARDS! 
       Which companies and products do you think are the best on the 
    market? Nominate your favorites in four different categories for our 
    annual Windows & .NET Magazine Readers' Choice Awards. You could win a 
    T-shirt or a free Windows & .NET Magazine Super CD, just for submitting 
    your ballot. Click here! 
       http://list.winnetmag.com/cgi-bin3/flo?y=eL8W0CJgSH0CBw0zMs0AB
    
    * ATTEND OUR FREE WINDOWS SECURITY SOLUTIONS WEBINAR!
       If you're using Windows 2000 to run mission-critical applications, 
    you know Win2K has security concerns. The Windows & .NET Magazine's 
    Security Solutions Summit, a half-day online event, addresses where the 
    vulnerabilities lie, how you can strengthen your enterprise's security, 
    and how you can exploit the same tools that intruders use. Register 
    today!  
       http://list.winnetmag.com/cgi-bin3/flo?y=eL8W0CJgSH0CBw011d0AF
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: SPAMMERS BEWARE: NEW BILL SEEKS CRIMINAL ENFORCEMENT
       The Senate Commerce Committee approved Bill S.630 "Controlling the 
    Assault of Non-Solicited Pornography and Marketing Act of 2001" (the 
    "CAN SPAM Act of 2001" for short). The CAN SPAM act is designed to 
    protect consumers and businesses from unsolicited commercial email 
    (UCE) by levying fines and permitting civil and criminal actions 
    against spammers. 
       http://www.secadministrator.com/articles/index.cfm?articleid=25291
    
    * NEWS: CYBERSOURCE TEAMS WITH CONCORD EFS FOR SECURE PAYMENT SYSTEM 
       CyberSource and Concord EFS announced an agreement in which Concord 
    will sell the CyberSource Small Business solution to its small and 
    midsized customers. 
       http://www.secadministrator.com/articles/index.cfm?articleid=25290
    
    * NEWS: SONICWALL PROTECTS SANTA BARBARA POLICE DEPARTMENT 
       SonicWALL announced that the Santa Barbara (California) Police 
    Department (SBPD) has selected the company's firewall and VPN 
    appliances to protect the SBPD network and communications between 
    remote offices for some 230 offsite law enforcement employees. 
       http://www.secadministrator.com/articles/index.cfm?articleid=25289
    
    * NEWS: SPIDA WORM INFECTS SQL SERVERS 
       A new worm, Spida, is spreading across the Internet into Microsoft 
    SQL Server systems. Spida infects SQL servers that have a blank system 
    administrator (sa) account password. 
       http://www.secadministrator.com/articles/index.cfm?articleid=25280
    
    * NEWS: SURFCONTROL RELEASES WHITE PAPER STRESSING LAYERED SECURITY 
       SurfControl, a Web and email-filtering company, announced the 
    release of a white paper that urges organizations to layer security to 
    ensure network integrity and to keep sensitive and proprietary 
    information confidential.
       http://www.secadministrator.com/articles/index.cfm?articleid=25286
    
    5. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: IM USE
       The voting has closed in Windows & .NET Magazine's Security 
    Administrator Channel nonscientific Instant Poll for the question, "If 
    your organization uses Instant Messaging (IM), which IM choice have you 
    standardized on?" Here are the results (+/- 2 percent) from the 315 
    votes:
       - 14% AOL Instant Messenger (AIM)
       - 16% ICQ  
       - 43% MSN Messenger
       -  9% Yahoo! Messenger
       - 18% Other
    
    * NEW INSTANT POLL: IM POLICY
       The next Instant Poll question is, "Which of the following answers 
    best describes your organization's approach to Instant Messaging (IM) 
    use?" Go to the Security Administrator Channel home page and submit your 
    vote for a) We standardize on one package, b) We let users make their 
    own IM choice, c) We don't let users use IM.
       http://www.secadministrator.com
    
    6. ==== SECURITY TOOLKIT ==== 
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I DISABLE MULTIUSER EDITING IN MICROSOFT OFFICE XP'S 
    WORD PROCESSOR--MICROSOFT WORD 2002?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. The multiuser editing feature of Office XP's version of Word lets 
    you open a locked file, edit the file locally, and merge your changes 
    into the original document. To disable this feature, perform the 
    following steps: 
       1. Start a registry editor (e.g., regedit.exe). 
       2. Navigate to the 
    HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Options registry 
    subkey. 
       3. From the Edit menu, select New, DWORD Value. 
       4. Enter a name of NoPromptToForkDocuments and press Enter. 
       5. Double-click the new value, set it to 1 to disable multiuser 
    editing, and click OK.
    
    7. ==== NEW AND IMPROVED ==== 
       (contributed by Judy Drennen, productsat_private)
    
    * AUTOMATICALLY PLUG MAJOR WINDOWS XP SECURITY HOLE
       BigFix announced BigFix i-prevention, a software support system that 
    protects Windows XP from a security flaw that can expose a PC to 
    outside attackers. The BigFix i-prevention system identifies vulnerable 
    Windows machines, proactively alerts users, and if a user clicks OK, 
    plugs the security hole automatically. Some versions of Windows Me and 
    Windows 98 are also susceptible if the users have installed Universal 
    Plug and Play (UPnP) updates on their systems. Go to BigFix's Web site 
    for a free download. Contact BigFix at 510-652-6700 or infoat_private
       http://www.bigfix.com
    
    * PC USER-AUTHENTICATION SOLUTION
       Griffin Technologies announced SecuriKey, a USB-based user-
    authentication solution for PCs. SecuriKey combines a keylike USB 
    device with password protection. The solution also provides an 
    alternative to public key infrastructure (PKI), protecting companies 
    against unauthorized computer use. For a 200-user network, the cost to 
    deploy would be less than $50 per seat. For more information, contact 
    Griffin Technologies at 800-986-6578 or go to the Web site.
       http://www.griftech.com
      
    8. ==== HOT THREADS ==== 
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS 
       http://www.winnetmag.com/forums
    
    Featured Thread: Password Breach
       (Twenty-one messages in this thread)
    
    Gary finds that on some of his organization's PDCs and BDCs, users 
    logging on locally can access shared folders on PDC and BDC servers if 
    three conditions exist. First, the users aren't domain users and have 
    no privileges on any of the servers. Second, they log on by using 
    "workgroup" or the domain name as their workgroup name. Finally, they 
    use a password of "password" (all lowercase). Any user can connect to 
    the BDC and PDC shared directories without permission. Has anyone 
    solved this problem? 
       http://www.secadministrator.com/forums/thread.cfm?thread_id=105380
    
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: NT Profiles and Password Policy
       (One message in this thread)
    
    Mark has set his password policy on the domain so that after five bad 
    password attempts, the account is locked out. His domain uses roaming 
    profiles. However, if a user's Windows NT 4.0 workstation isn't in the 
    domain, the user can make any number of password attempts for a 
    specific domain user without locking the account. How can he lock out 
    the domain account on nondomain systems? Can you help? Read the 
    responses or lend a hand at the following URL:
        http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205d&l=howto&p=548
    
    9. ==== CONTACT US ==== 
       Here's how to reach us with your comments and questions: 
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please 
    mention the newsletter name in the subject line) 
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums 
    
    * PRODUCT NEWS -- productsat_private 
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
    Support -- securityupdateat_private 
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 
    
    ******************** 
    
       This email newsletter is brought to you by Security Administrator, 
    the print newsletter with independent, impartial advice for IT 
    administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
    today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters. 
       http://www.winnetmag.com/email 
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE. 
    
    MANAGE YOUR ACCOUNT
    You can manage your entire Windows & .NET Magazine Network email 
    newsletter account on our Web site. Simply log on and you can change 
    your email address, update your profile information, and subscribe or 
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    SUBSCRIBE
       To quickly subscribe, send a blank email to 
    mailto:Security-UPDATE_Subat_private
    
    UNSUBSCRIBE
       To quickly unsubscribe, send a blank email to 
    mailto:Security-UPDATE_Unsubat_private
    
    Thank you!
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


