[ISN] Security UPDATE, August 21, 2002

From: InfoSec News (isnat_private)
Date: Wed Aug 21 2002 - 23:20:29 PDT

  • Next message: InfoSec News: "[ISN] Setting a trap for laptop thieves"

    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    VeriSign - The Value of Trust
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw014e0At
    
    Security Exploits Are a Result of Missing Patches
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw0rf10Aw
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: VeriSign - The Value of Trust ~~~~
       Get the strongest server security -- 128-bit SSL encryption!
       Download VeriSign's FREE guide, "Securing Your Web Site for
    Business" and learn everything you need to know about using SSL to
    encrypt your e-commerce transactions for serious online security.
    Click here!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw014e0At
    
    ~~~~~~~~~~~~~~~~~~~~
    
    August 21, 2002--In this issue:
    
    1. IN FOCUS
         - Thought Police: Coming to a Computer Near You?
    
    2. SECURITY RISKS
         - Privilege Elevation Vulnerability in Microsoft SQL and MSDE
         - Privilege Elevation Vulnerability in Win2K Network Connection
           Manager
         - Macromedia Shockwave Flash Malformed Header Overflow
         - Buffer Overflow in Winhlp32.exe
    
    3. ANNOUNCEMENTS
         - Why Pay When You Can Get In-Person Security Expertise at No
           Charge?
         - Take Our Survey and You Could Win a Free T-Shirt!
    
    4. SECURITY ROUNDUP
         - News: Security Certifications Decline
         - News: Severe Vulnerability in IE Secure Sockets Layer
         - News: Intruder Stole New Shuttle Design Plans from NASA
    
    5. HOT RELEASE
         - Stop IIS Web Server Intrusions & Cyber Attacks
    
    6. INSTANT POLL
         - Results of Previous Poll: Wireless Security
         - New Instant Poll: Biometric Scanners
    
    7. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Connect to a Windows .NET Server (Win.NET
           Server) Console?
    
    8. NEW AND IMPROVED
         - Upgrade to VPN Security Solution
         - Centralized Auditing of Windows Security Logs
         - Submit Top Product Ideas
    
    9. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: PGP or PKI?
          - HowTo Mailing List:
             - Featured Thread: Windows XP User Account Creation
    
    10. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * THOUGHT POLICE: COMING TO A COMPUTER NEAR YOU?
    
    Imagine a computer security device that won't let you access a
    computer or network unless your thoughts are preapproved by a policing
    scanner. You walk up to a terminal, and a device instantly scans your
    brain waves and heart rate and gathers biometric identification data
    from your body. The scanner then compares the biometrics data and your
    vital statistics to a variety of databases, including credit bureaus,
    criminal records, travel habits, and hundreds (if not thousands) of
    other sensitive databases. If you're deemed not to be a risk, you're
    allowed access to the computer or network. Sound far-fetched? Think
    again (no pun intended).
    
    According to a "The Washington Times" report, such technology is under
    development right now, all in the name of antiterrorism. The report
    states that the National Aeronautics and Space Administration (NASA)
    is developing the technology with cooperation from an unnamed
    commercial firm for use at airports to help identify potential
    terrorists. Given the fact that computers and networks are vital to
    everyday affairs, it hardly stretches the imagination to think that
    such technology could become commonplace in the computer industry
    sometime in the future.
       http://washtimes.com/national/20020817-704732.htm
    
    According to "The Washington Times" report, on July 31, the Electronic
    Privacy Information Center (EPIC) obtained documents from the
    Transportation Security Administration (TSA) under the Freedom of
    Information Act (FOIA) for a lawsuit. The documents revealed a plan to
    implement such technology to screen passengers at airports. NASA told
    security specialists at Northwest Airlines, where the technology might
    be tested, about the brain-monitoring technology.
       http://www.epic.org
    
    NASA Aerospace Research Manager Herb Schlickenmaier likened the
    technology to "a super lie detector that would also measure pulse
    rate, body temperature, eye-flicker rate and other biometric aspects
    sensed remotely." Today, a ball cap-type sensor must touch someone's
    head to read brainwaves. And, in fact, Schlickenmaier noted, "To say I
    can take that cap off and put sensors in a doorjamb, and as the
    passenger starts walking through [say that the passenger is] a threat
    or not, is at this point a future application."
    
    Physics professors familiar with brainwave research have raised
    privacy concerns about that research. Nevertheless, if NASA can
    produce such a device and the public accepts such technology as part
    of the general screening process for airport access, then it's
    reasonable to think that such technology might also make its way into
    the computer security industry (and other industries soon thereafter).
    After all, computer networks are mission-critical elements of a
    nation's infrastructure, and it's rather obvious that computer
    intruders pose a serious threat to such infrastructures.
    
    For information about such threats, be sure to read our news story,
    "Intruder Stole New Shuttle Design Plans from NASA," listed in the
    SECURITY ROUNDUP section of this UPDATE (see the URL below). And read
    "The Washington Times" report for a revealing glimpse of a potential
    future scenario.
       http://www.secadministrator.com/articles/index.cfm?articleid=26246
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: SECURITY EXPLOITS ARE A RESULT OF MISSING PATCHES ~~~~
       Are you confident your network has the patches required to prevent
    intrusions? UpdateEXPERT is a patch remediation tool that scans for
    missing hotfixes, and FIXES discovered weaknesses for increased
    protection. UpdateEXPERT features an exclusive database of patches
    that are researched and tested for interdependencies by our in-house
    patch experts. Supporting Windows NT4/2000/XP, SQL Server, Exchange
    Server, IE, Outlook and other critical applications, UpdateEXPERT
    installs updates to all servers and workstations remotely without a
    required client agent. FREE 15-day live trial and Whitepaper!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw0rf10Aw
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * PRIVILEGE ELEVATION VULNERABILITY IN MICROSOFT SQL SERVER AND MSDE
       David Litchfield of NGS Software discovered vulnerabilities in
    Microsoft SQL Server and Microsoft Desktop Engine (MSDE) that could
    result in an unprivileged user gaining control of the database. These
    vulnerabilities stem from weak default permissions on certain extended
    stored procedures that let unprivileged users run these stored
    procedures with Administrator privileges. Microsoft has released
    Security Bulletin MS02-043 (Cumulative Patch for SQL Server) to
    address this vulnerability and recommends that affected users download
    and apply the patch mentioned in the security bulletin
       http://www.secadministrator.com/articles/index.cfm?articleid=26292
    
    * PRIVILEGE ELEVATION VULNERABILITY IN WIN2K NETWORK
    CONNECTION MANAGER
       Microsoft reported a vulnerability in Windows 2000's Network
    Connection Manager (NCM) that could result in compromise of the
    affected system. This vulnerability stems from a flaw in an NCM
    handler routine that could grant an unprivileged user LocalSystem
    rights. Microsoft has released Security Bulletin MS02-042 (Flaw in
    Network Connection Manager Could Enable Privilege Elevation) to
    address this vulnerability and recommends that affected users download
    and apply the patch mentioned in the security bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=26291
    
    * MACROMEDIA SHOCKWAVE FLASH MALFORMED HEADER OVERFLOW
       Drew Copley and Riley Hassell of eEye Digital Security discovered a
    vulnerability in Macromedia's Shockwave Flash that could lead to
    execution of arbitrary code on the vulnerable system. An intruder can
    exploit a malformed Macromedia Flash movie (SWF) header that supplies
    more frame data than the decoder expects, resulting in a
    buffer-overrun condition. Macromedia has released bulletin MPSB02-07
    (Macromedia Flash Malformed Header Vulnerability Issue) regarding this
    vulnerability and recommends that affected users download Flash Player
    6,0,40,0, which addresses this vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=26250
    
    * BUFFER OVERFLOW IN WINHLP32.EXE
       A buffer-overrun vulnerability in Winhlp32.exe could result in the
    execution of arbitrary code on the vulnerable system. This
    vulnerability stems from a flaw in the Item parameter within WinHlp
    Command. This exploit would execute in the security context of the
    currently logged on user. Microsoft has released Windows 2000 Service
    Pack 3 (SP3), which includes a fix for this vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=26252
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * WHY PAY WHEN YOU CAN GET IN-PERSON SECURITY EXPERTISE AT NO CHARGE?
       Windows & .NET Magazine Network Road Show 2002 is coming this fall
    to New York, Chicago, Denver, and San Francisco! Industry experts Mark
    Minasi and Paul Thurrott will show you how to shore up your system's
    security and what desktop security features are planned for Microsoft
    .NET and beyond. Sponsored by NetIQ. Registration is free, but space
    is limited so sign up now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw03lK0AR
    
    * TAKE OUR SURVEY AND YOU COULD WIN A FREE T-SHIRT!
       We need to hear your thoughts on the future on technology! Take our
    reader survey, and you'll be entered to win a T-shirt, compliments of
    Windows & .NET Magazine. All responses are completely confidential, so
    visit
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw038L0Aa
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: SECURITY CERTIFICATIONS DECLINE
       According to a new "Cyber Defense IQ Report" from Brainbench, the
    number of new security certifications obtained over an 8-month period
    has declined significantly. Brainbench compared the number of security
    certifications obtained between November 2000 through July 2001 with
    the number of security certifications obtained between November 2001
    through July 2002.
       http://www.secadministrator.com/articles/index.cfm?articleid=26262
    
    * NEWS: SEVERE VULNERABILITY IN IE SSL
       In what has been called one of the most serious problems ever
    detected in cryptography, researcher Mike Benham has discovered that
    intruders can implement undetected man-in-the-middle attacks against
    users of Microsoft Internet Explorer (IE) 6.x and 5.x. Benham reported
    his findings to readers of a popular security mailing and detailed the
    vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=26245
    
    * NEWS: INTRUDER STOLE NEW SHUTTLE DESIGN PLANS FROM NASA
       According to a "Computerworld" report, an intruder known as RaFa
    has broken into a network that National Aeronautics and Space
    Administration (NASA) operates and stolen extremely sensitive design
    plans for a space shuttle. Using a vulnerability in FTP servers that
    allow anonymous logons, RaFa managed to locate and download more than
    43MB of data, including a Microsoft PowerPoint presentation.
       http://www.secadministrator.com/articles/index.cfm?articleid=26246
    
    5. ==== HOT RELEASE ====
    
    * STOP IIS WEB SERVER INTRUSIONS & CYBER ATTACKS
       eEye Digital Security has released SecureIIS, a proactive security
    solution built specifically for IIS. Known for their IIS vulnerability
    research expertise, eEye created SecureIIS to prevent damaging network
    traffic that goes undetected by firewalls and IDS's.
       Learn more & free trial downloads at:
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw04DK0Am
    
    6. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: WIRELESS SECURITY
          The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Does your company use some form of security to prevent unauthorized
    access to its wireless network?" Here are the results (+/- 2 percent)
    from the 90 votes:
       -  56% Yes
       -  28% No
       -  17% No--We leave the wireless network unprotected to offer open
     access
    
    * NEW INSTANT POLL: BIOMETRIC SCANNERS
       The next Instant Poll question is, "Which of the following types of
    biometric scanners are currently in use on your network?" Go to the
    Security Administrator Channel home page and submit your vote for a)
    Fingerprint, b) Retina, c) Facial, d) Two or more of the above, or e)
    None of the above.
       http://www.secadministrator.com
    
    7. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I CONNECT TO A WINDOWS .NET SERVER (WIN.NET SERVER)
    CONSOLE?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. The Windows 2000 Server family lets you make two connections to a
    server in Win2K Server Terminal Services administration mode without
    requiring additional licenses, but neither connection is an actual
    console session. Win.NET Server addresses this omission by letting you
    connect to the console session using technology taken from Windows
    XP's Remote Desktop feature.
    
    The XP Remote Desktop Connection (RDC) client can connect to a console
    session, but this ability is hidden. To connect to a Win.NET Server
    console from an XP system, you have to start the RDC client with the
    /console switch by typing the following at the command prompt:
    
       msdtc /console
    
    The RDC graphical interface will start as usual, but the connection to
    the Win.NET Server will display a console session instead of creating
    a new RDP session.
    
    To modify the RDC client shortcut to always include the /console
    switch, right-click the RDC client shortcut item on the Start menu,
    select Properties from the context menu, and add /console to the
    Target. For example,
    
       C:\program files\remote desktop\mstsc.exe
    
    becomes
    
       C:\program files\remote desktop\mstsc.exe /console
    
    If you aren't using XP, you can install the Win.NET Server RDC client
    on a Win2K or later client. Win.NET Server also ships with the
    Microsoft Management Console (MMC) Remote Desktops snap-in, which lets
    you connect to a console by selecting the "Connect to console" check
    box.
    
    8. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * UPGRADE TO VPN SECURITY SOLUTION
       WatchGuard Technologies announced WatchGuard Firebox System (WFS)
    6.0 for its Firebox III line of products. WFS 6.0, a complete firewall
    and VPN solution with advanced stateful packet filtering and
    transparent proxy architecture, is a free software upgrade for current
    LiveSecurity subscribers. WFS 6.0 integrates a new public key
    infrastructure (PKI) with built-in Certificate Authority (CA). WFS 6.0
    is available for download from http://www.watchguard.com. For more
    information, contact WatchGuard at 206-521-8340 or go to the Web site.
       http://www.watchguard.com
    
    * CENTRALIZED AUDITING OF WINDOWS SECURITY LOGS
       GFI announced LANguard Security Event Log Monitor (S.E.L.M.) 3.0, a
    host-based Intrusion Detection System (IDS) that monitors networks for
    security breaches. The product analyzes network Security logs and
    alerts administrators about key security events in realtime. Because
    it performs intrusion detection by scanning the event logs, GFI
    LANguard S.E.L.M. isn't impaired by switches, IP traffic encryption,
    or high-speed data transfer, as are traditional network-based
    intrusion detection products. The product scans Windows XP, Windows
    2000, and Windows NT, and pricing starts at $375 for a
    two-server/10-workstation package. Contact GFI Software at
    angelicaat_private or go to the Web site.
       http://www.gfi.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    9. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: PGP or PKI?
       (Two messages in this thread)
    
    A user writes that he's moving to a new office in 3 months and his
    company will be completely rebuilding its network. The company will
    maintain a remote site for five people. Therefore, he intends to have
    a VPN connecting the two sites. His boss is very concerned about
    security, including email. He wants to know which is more secure and
    easier to implement and maintain: pretty good privacy (PGP) or public
    key infrastructure (PKI)? Read the responses or lend a hand at:
       http://www.secadministrator.com/forums/thread.cfm?thread_id=23123
    
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Windows XP User Account Creation
       (One message in this thread)
    
    Michael wants to know a way to create users in Windows XP, then
    restrict their local access without using the domain model. He tried
    using Group Policy in Microsoft Management Console (MMC) and felt that
    the results were disastrous because the process locked all accounts
    (including administrative accounts) out of the Control Panel. Read the
    responses or lend a hand at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?a2=ind0208b&l=howto&p=82
    
    10. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw0rvS0Am
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://list.winnetmag.com/cgi-bin3/flo?y=eNBo0CJgSH0CBw0rvS0Am
    
    Thank you!
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 02:26:46 PDT