[ISN] Security UPDATE, June 19, 2002

From: InfoSec News (isnat_private)
Date: Thu Jun 20 2002 - 02:55:54 PDT


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Making Security Policies Effective
       http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02fD0AR
    
    SECURE MS EXCHANGE ***FREE EMAIL SECURITY WHITE PAPER
       http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02fE0AS
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: MAKING SECURITY POLICIES EFFECTIVE ~~~~
       Do you have security policies that are impossible to implement
    manually? Do you dread internal and external audits because you know
    you're going to get "dinged" again? Are you unclear on how to keep
    your policies in compliance with new regulatory requirements? If you
    answered yes to any or all of these questions, you are not alone. Many
    organizations have policies that are out of date and/or are not
    adhered to. To find out how you can make your security policies
    effective, tune in July 24 to a free Webinar from BindView "Making
    Security Policies Effective." Register at
       http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02fD0AR
    
    ~~~~~~~~~~~~~~~~~~~~
    
    June 19, 2002--In this issue:
    
    1. IN FOCUS
         - Honeypots with a Sting
         - Editor's Note
    
    2. SECURITY RISKS
         - Buffer Overrun in IIS 5.0 and IIS 4.0 HTR
         - Unchecked Buffer in Microsoft RAS Phonebook
         - Multiple Vulnerabilities in Microsoft SQLXML for SQL Server
           2000
         - Unchecked Buffer in Microsoft Gopher Protocol Handler
    
    3. ANNOUNCEMENTS
         - Struggling with IIS and Web Administration Concerns?
         - Special 2-for-1 Subscription Offer!
    
    4. SECURITY ROUNDUP
         - News: Windows Users Threatened by IIS, IE, MSN Messenger Flaws
         - News: Akonix Systems to Release Software to Protect IM and P2P
           Traffic
         - Feature: Test Your Knowledge About Cookies
         - Feature: The Cost of Ignorance
    
    5. HOT RELEASE
         - Spectracom's NetClock, for Secure Network Time
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Check and Set a Volume's Dirty Status in Windows
           XP?
    
    7. NEW AND IMPROVED
         - Submit Top Product Ideas
         - Snoop-Proof Your Files
         - Protect Programs and Files
    
    8. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Can I Force a User to Reauthenticate?
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * HONEYPOTS WITH A STING
    
    Have you considered using a honeypot on your network? You can use
    honeypots in many ways, and new uses are still unfolding in the
    information security landscape. One company, CardCops.com, established
    a honeypot not to catch network intruders but to catch perpetrators of
    fraud.
    
    Credit card information theft is a significant problem on the
    Internet, but CardCops.com has taken the offensive to nab those who
    would steal credit card information and use it to perpetrate fraud.
    CardCops.com founders Dan Clements and Mike Brown often had to spend
    part of their day chasing fraudulent Web-based ad impressions at their
    company, Ads360.com. The fraudulent ad impressions came from
    unscrupulous individuals who established Web sites, subscribed to
    various ad placement networks, then generated fake ad impressions by
    using automated software--often placing ads on unsuspecting victims'
    cracked systems. The ad impressions then generated revenue for the
    perpetrators.
    
    Clements and Brown noticed that those who generate fake ad impressions
    are often the same people who steal credit card information. They
    started CardCops.com to curb Internet credit card fraud. CardCops.com
    intends to catch criminals in the act of stealing credit card
    information and fraudulently using stolen credit card information.
       http://www.cardcops.com
    
    To set their short-lived trap, the company established a fake
    operation as laptop vendor Laptops4now.com, complete with an
    e-commerce Web site that served as the honeypot. The company then
    posted alluring messages to various chat channels, which credit card
    information thieves are known to frequent. The messages lured
    perpetrators by stating that Laptops4now.com would ship laptop orders
    anywhere. CardCops.com then systematically gathered forensic
    information as the orders came in and promptly turned the data over to
    the US Secret Service for investigation.
    
    Card thieves often use stolen cards to buy new laptops, which they
    then trade or sell. Thieves usually give shipping addresses to
    locations that they use as drop locations and from which they collect
    the goods and relay them to other points, sometimes overseas. They
    hope that by using foreign drop points, they can cover their tracks
    and make their actual identity and location more difficult to
    discover.
    
    CardCops.com turned on its fake Laptops4now.com Web site at 5:00 P.M.
    Pacific Standard Time on Wednesday, May 29, 2002. By 5:00 A.M. the
    next morning, the company had snared five criminals in its trap. In
    that 12-hour time period, Laptops4now.com received 16 overseas orders
    for new laptops (totaling more than $27,000), all ordered with stolen
    credit card information and all to be shipped to US drop locations.
    The orders came from foreign IP addresses and had US locations as
    shipping addresses, according to Patrick Granahan, CTO of
    CardCops.com. After CardCops.com emailed the United Parcel Service
    (UPS) tracking numbers to those customers, four of five reordered
    Friday night. "The greed had set in," Granahan noted. As of Tuesday,
    June 11, the Laptops4now.com site had attracted more than 37
    fraudulent laptop orders.
    
    CardCops.com hired a third-party security agency, Secure Net Labs, to
    track the online orders from the fake Laptops4now.com e-commerce site,
    and the overall operation has succeeded. The results verify how
    quickly thieves can attack reputable merchants with fraudulent orders,
    according to Keath Nupuf of Secure Net Labs. "Foreign [IP addresses],
    email addresses, drop addresses, and site scan origins were all
    captured as part of the project," Nupuf explained. The data has been
    turned over to law enforcement. "We have received the data and are
    investigating," said Don Masters, US Secret Service Agent based in Los
    Angeles. CardCops.com hopes the data will lead to the identity and
    arrest of global intruders and credit card information thieves. I'll
    keep you posted.
       http://www.securenetlabs.com
       http://www.ectaskforce.org/Regional_Locations.htm
    
    In a recent interview, I learned that CardCops.com had just finished
    its second honeypot sting operation. The company established an Apache
    Web site that presented a fake Microsoft IIS Web server bug that
    supposedly exposed a file containing bogus credit card information.
    The company designed the trap to snare intruders who tried to steal
    that credit card data. The operation succeeded in catching thieves in
    the act of stealing the bogus data file. The company said that ideas
    for further sting operations are in the works.
    
    Another less recent endeavor also stretches the notion of honeypots.
    In January, the Securities and Exchange Commission (SEC) posted a
    press release to lure investors to the Web site of McWhortle
    Enterprises, a fictitious company about to make its initial public
    offering (IPO) in the stock market. The company's nonexistent product,
    the Bio-Hazard Detector, was a protection device that played on public
    fears of terrorist attacks. The device claimed to detect "microscopic
    levels of hazardous bio-organisms ... even the finest-milled,
    weapons-grade biohazards from 50 feet, long before the risk of
    inhalation or cutaneous (skin) infection, by testing for the
    distinctive surface leptins (neurotransmitters)." The company sought
    to raise millions of dollars and promised investors 400 percent gains
    in just 3 months.
    
    However, when visitors reached the fake McWhortle Web site, they were
    led to a warning page that said, "If you responded to an investment
    idea like this ... you could get scammed!" The SEC, the Federal Trade
    Commission (FTC), the North American Securities Administrators
    Association (NASAA), and the National Association of Securities
    Dealers (NASD) sponsored the operation, which was designed to make
    online investors more cautious to prevent online investment fraud from
    succeeding.
       http://www.mcwhortle.com/ipogreenlight.htm
       http://www.mcwhortle.com/onlinebid.htm
    
    Honeypots can trap all kinds of users, including blatant criminals,
    curiosity-driven intruders, and members of the public who want to make
    a fast buck. Honeypots don't have to be expensive or comprehensive. As
    the preceding stories demonstrate, you can develop honeypots that are
    simple, temporary, and highly targeted. When you consider your
    honeypot design, take time to be creatively convincing.
    
    * EDITOR'S NOTE
       We need your help to make this and other email newsletters from
    Windows & .NET Magazine as useful to you as they can be. To help us
    with our editorial planning, please answer the Windows & .NET Magazine
    Network Email Newsletter & Web Site Survey, available at the following
    URL. If you provide your email address at the end of the survey, we'll
    put your name in a drawing for a Windows & .NET Magazine T-shirt.
    Thank you! We appreciate your help.
       http://www.zoomerang.com/survey.zgi?QN1V072PTHGA5PGS9R9LGR5R
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~ SPONSOR: SECURE MS EXCHANGE ***FREE EMAIL SECURITY WHITE PAPER ~~~
       Protect MS Exchange from SPAM, VIRUSES, HACKERS and other threats. 
    CipherTrust has INTEGRATED DEFENSES for these email-related threats
    into a single comprehensive gateway appliance - IronMail. As a
    stand-alone device, IronMail protects your email infrastructure and
    messages and secures webmail systems such as Outlook Web Access.
    * PREVENT SPAM
    * STOP ATTACKS from viruses, worms and hackers
    * SECURE DELIVERY
    * Enforce corporate EMAIL POLICY
    * PROTECT WEBMAIL systems including Outlook Web Access.
       Request white paper:
     http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02fE0AS
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * BUFFER OVERRUN IN IIS 5.0 AND IIS 4.0
       eEye Digital Security discovered a buffer-overrun condition in
    Microsoft Internet Information Services (IIS 5.0) and Internet
    Information Server (IIS) 4.0 that can lead to remote compromise of the
    affected system. This vulnerability stems from an unchecked buffer in
    the Internet Server API (ISAPI) extension that implements the HTR
    scripting component. Microsoft has released Microsoft Security
    Bulletin MS02-028 (Heap Overrun in HTR Chunked Encoding Could Enable
    Web Server Compromise) to address this vulnerability, which doesn't
    affect users who don't use HTR. Microsoft recommends that only
    affected users download and apply the appropriate patch mentioned in
    the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=25587
    
    * UNCHECKED BUFFER IN MICROSOFT RAS PHONEBOOK
       Next Generation Security Software discovered a buffer-overrun
    condition in Microsoft's RAS phonebook implementation that can
    compromise the affected system. If an attacker logs on to an affected
    server, modifies a phonebook entry with specially malformed data, and
    then connects using that modified entry, the malformed data runs as
    code with LocalSystem privileges. Microsoft has released Microsoft Security
    Bulletin MS02-029 (Unchecked Buffer in Remote Access Service Phonebook
    Could Lead to Code Execution) to address this vulnerability and
    recommends that affected users download and apply the appropriate
    patch mentioned in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=25588
    
    * MULTIPLE VULNERABILITIES IN SQLXML FOR SQL SERVER 2000
       Matt Moore discovered two vulnerabilities in XML for Microsoft SQL
    Server (SQLXML). The first problem is a buffer overrun that lets an
    attacker execute arbitrary code on the affected system, and the second
    problem is in a function specifying an XML tag that lets an attacker
    run script on the user's computer in a higher privilege zone, such as
    "Intranet" instead of "Internet." Microsoft has released Microsoft
    Security Bulletin MS02-030 (Unchecked Buffer in SQLXML Could Lead to
    Code Execution) to address this vulnerability and recommends that
    affected users download and apply the appropriate patch mentioned in
    the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=25589
    
    * UNCHECKED BUFFER IN MICROSOFT GOPHER PROTOCOL HANDLER
       Jouko Pynnonen discovered a buffer-overrun condition in Microsoft's
    implementation of the gopher protocol in Microsoft Internet Explorer
    (IE), Internet Security and Acceleration (ISA) Server 2000, and Proxy
    Server 2.0 that can lead to remote compromise of the affected system.
    This vulnerability stems from an unchecked buffer in the code that
    handles responses from gopher servers. Microsoft has released
    Microsoft Security Bulletin MS02-027 (Unchecked Buffer in Gopher
    Protocol Can Run Code of Attacker's Choice) to address this
    vulnerability. Microsoft is currently developing a patch, but as a
    workaround, affected users should block the gopher protocol at the
    perimeter.
       http://www.secadministrator.com/articles/index.cfm?articleid=25534
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * STRUGGLING WITH IIS AND WEB ADMINISTRATION CONCERNS?
       Discover Windows Web Solutions online, the Web site with articles,
    tips, and more to help you manage and overcome the security,
    performance, and maintenance concerns Web site administrators deal
    with every day. Don't miss this article: "15 Tips for Troubleshooting
    VPN Connections"
    ( http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02Si0Aj ).
    Check it out!
       http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02DM0A1
    
    * SPECIAL 2-FOR-1 SUBSCRIPTION OFFER!
       Windows & .NET Magazine can help you find the right answer to an
    urgent problem, discover better ways to manage your enterprise, or
    prepare for an important migration. How can we improve on a resource
    this good? Subscribe now at our regular rate, and bring on a friend or
    colleague for free! This is a limited time offer, so act now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02aF0AO
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: WINDOWS USERS THREATENED BY IIS, IE, MSN MESSENGER FLAWS
       Microsoft has admitted to three serious new security
    vulnerabilities, one of which could let attackers seize control of Web
    sites that use Microsoft Internet Information Services 5.0. IIS 5.0
    currently runs more than a third of all Web sites on the Internet and
    an even larger percent of corporate Web sites. Microsoft has issued a
    patch for this vulnerability, which affects the IIS versions in
    Windows 2000 and Windows NT but doesn't affect Windows XP.
       http://www.secadministrator.com/articles/index.cfm?articleid=25552
    
    * NEWS: AKONIX SYSTEMS TO RELEASE SOFTWARE TO PROTECT IM AND P2P
    TRAFFIC
       Akonix Systems announced that it will release its new L7 Gateway, a
    perimeter security product designed to protect networks against "rogue
    protocols." The new gateway software intercepts specific protocols,
    such as Instant Messaging (IM) and file-sharing software, at network
    borders to enforce company-defined security policies.
       http://www.secadministrator.com/articles/index.cfm?articleid=25535
    
    * FEATURE: TEST YOUR KNOWLEDGE ABOUT COOKIES
       Solve this month's Reader Challenge problem from Kathy Ivens, and
    you might win a prize! The problem involves privacy protection and
    cookies when using Windows clients with Microsoft Internet Explorer
    (IE). To read about the contest and this month's problem, be sure to
    visit our Web site. Submissions must be in by June 21!
       http://www.secadministrator.com/articles/index.cfm?articleid=25540
    
    * FEATURE: THE COST OF IGNORANCE
       By now, you should have heard about the Spida (aka Digispid.B)
    worm, which attacks Microsoft SQL Server. The main difference between
    this worm and some others (e.g., the Klez virus/worm) is that you can
    avoid it easily--simple common sense and a little training are all you
    need to ward off the Spida worm.
       http://www.secadministrator.com/articles/index.cfm?articleid=25509
    
    5. ==== HOT RELEASE ====
    
    * SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME
       Does your network depend on a Time Source that's outside your
    Firewall? Doesn't your network need an accurate clock source? Think
    "Time" is FREE over the Internet? Spectracom's NetClock/NTP and
    White-Paper can help you.
       http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02fF0AT
       http://list.winnetmag.com/cgi-bin3/flo?y=eMO50CJgSH0CBw02fG0AU
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I CHECK AND SET A VOLUME'S DIRTY STATUS IN WINDOWS XP?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. The XP version of Fsutil lets you query and set a volume's dirty
    flag. This flag signals that the volume has experienced a problem and
    that you must run Chkdsk to identify and fix the problem. For example,
    shutting down Windows suddenly can sometimes cause the OS to set the
    dirty flag.
       1. To query a volume's current state, at the command prompt, type
    
       fsutil dirty query <volume>:
    
    The result will be either
         Volume - <volume>: is Dirty
         Volume - <volume>: is NOT Dirty
    
       2. To set the status of a volume's dirty flag, at the command
    prompt, type
    
       fsutil dirty set <volume>:
    
    Use this command with care: XP won't ask you to confirm this action,
    and you can't use this command to set the dirty flag's status to
    clean.
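
An added example, not part of John Savill's FAQ: a PowerShell function that runs the query step above against every fixed volume and turns fsutil's two documented answers into a report. It assumes fsutil.exe is on the path, an elevated (administrative) prompt, and that WMI's Win32_LogicalDisk class is available for enumerating drives.

```powershell
# Added example: report the dirty flag on every fixed volume using the
# "fsutil dirty query" command from the FAQ. Assumes fsutil.exe on the
# path, an administrative (elevated) prompt, and WMI's Win32_LogicalDisk.
function Get-VolumeDirtyStatus {
    param(
        # Volumes to check, e.g. 'C:'; default is every fixed disk (DriveType 3)
        [string[]]$Volume
    )
    if (-not $Volume) {
        $Volume = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
            ForEach-Object { $_.DeviceID }
    }
    foreach ($v in $Volume) {
        # fsutil answers "Volume - C: is Dirty" or "Volume - C: is NOT Dirty";
        # anything else (access denied, no such volume) is reported as Unknown.
        $raw = (& fsutil dirty query $v 2>&1 | Out-String).Trim()
        $state = switch -Regex ($raw) {
            'is NOT Dirty$' { 'Clean';   break }
            'is Dirty$'     { 'Dirty';   break }
            default         { 'Unknown'; break }
        }
        [pscustomobject]@{
            Volume  = $v
            State   = $state
            Message = $raw
        }
    }
}

# Run the report; volumes marked Dirty need "chkdsk <volume> /f" at the
# next boot. The script never calls "fsutil dirty set", because, as the
# FAQ warns, that flag can be set but not cleared from the command line.
Get-VolumeDirtyStatus | Format-Table -AutoSize
```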
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    * SNOOP-PROOF YOUR FILES
       WinAbility released Folder Guard Professional 5.4, a Windows
    security program that you can use to restrict access to files,
    folders, and other computer resources. When Folder Guard hides a
    folder, the folder's contents become invisible to all applications
    including Windows programs such as Windows Explorer, applications such
    as Microsoft Office, and even MS-DOS programs. Folder Guard runs on
    Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x and
    costs $69.95. Contact WinAbility at 720-489-3872 or
    infoat_private
       http://www.winability.com
    
    * PROTECT PROGRAMS AND FILES
       WinGuard Pro announced WinGuard Pro 4.0, a security program that
    prevents data loss, system changes, and unauthorized application
    access. WinGuard Pro lets you password protect any of your Windows
    programs and files and other applications such as the Control Panel.
    WinGuard Pro runs automatically at system startup and sits in the
    background monitoring any programs and files opened. The utility runs
    on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x
    and costs $23.95. Contact WinGuard Pro at supportat_private or
    go to the Web site.
       http://www.winguardpro.com
    
    8. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Can I Force a User to Reauthenticate?
       (Two messages in this thread)
    
    Afroze wants to force an already logged-on user to reenter his or her
    username and password--to reauthenticate the user as a valid Windows
    NT user. To design a custom program to force this reauthentication,
    Afroze wants to know about any available functions he might use. To
    read the response or lend a hand, use the URL below.
       http://www.secadministrator.com/forums/thread.cfm?thread_id=106930
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    
    MANAGE YOUR ACCOUNT
    You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 08:19:30 PDT