[ISN] Security UPDATE, August 28, 2002

From: InfoSec News (isnat_private)
Date: Thu Aug 29 2002 - 00:12:48 PDT


********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Real Time Monitoring Is a Security Requirement
   http://list.winnetmag.com/cgi-bin3/flo?y=eNHZ0CJgSH0CBw02Jr0AG

Free Download - Secure PC Access over the Web!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNHZ0CJgSH0CBw0pVP0Au
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: REAL TIME MONITORING IS A SECURITY REQUIREMENT ~~~~
   A proactive Security Administrator installed TNT Software's ELM
Enterprise Manager 3.0 on his critical servers to assess the benefits
of real time monitoring. A week later, EEM 3.0 paged him as a
disgruntled employee was attempting to access confidential personal
files. Within minutes, the hacker was escorted off company property.
Use the comprehensive system management toolset, ELM Enterprise
Manager 3.0, to monitor your internal security, protect your
intellectual property, and prevent avoidable downtime. To download
your FREE 30-day full featured evaluation copy, visit:
   http://list.winnetmag.com/cgi-bin3/flo?y=eNHZ0CJgSH0CBw02Jr0AG

~~~~~~~~~~~~~~~~~~~~

August 28, 2002--In this issue:

1. IN FOCUS
     - How Not to Perform a Security Scan

2. SECURITY RISKS
     - Tiny Personal Firewall 3.0 for Windows
     - Multiple Vulnerabilities in Kerio MailServer 5.0 for Windows
       XP, Win2K, and NT
     - Multiple Vulnerabilities in Microsoft IE
     - DoS in Microsoft Windows SMB
     - Multiple Vulnerabilities in Microsoft Office Web Components 
       ActiveX Control
     - Multiple Vulnerabilities in WebEasyMail
     - Buffer Overrun in Microsoft TSAC ActiveX Control

3. ANNOUNCEMENTS
     - Why Pay When You Can Get In-Person Security Expertise at No
       Charge?
     - Planning on Getting Certified? Make Sure to Pick Up Our New
       eBook!

4. SECURITY ROUNDUP
     - Feature: Password Defense
     - Feature: Safe Transit
     - Feature: Windows XP SP1

5. HOT RELEASE (ADVERTISEMENT)
     - SecureIIS Provides a Solid Brick in Your Defensive Wall

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Disable Encrypting File System (EFS) on a
       Windows 2000 or Later Machine?

7. NEW AND IMPROVED
     - Ensure Secure Information Exchange
     - Enable Enterprisewide Configuration Changes
     - Submit Top Product Ideas

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Upstream Proxy Authentication
      - HowTo Mailing List:
         - Featured Thread: Win2K Group Policy Error

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
markat_private)

* HOW NOT TO PERFORM A SECURITY SCAN

Many network administrators have security toolkits that include
security scanners and other vulnerability test tools, but not everyone
understands how to use those tools ethically. Using software packages
on your network to test for vulnerabilities is one thing, but testing
somebody else's network for vulnerabilities is an entirely different
matter.

It seems obvious that you need permission to scan someone else's
network or system. The reason is simple: Someone else's network is
neither your property nor your responsibility. Furthermore, mounting
an attack on someone's system isn't a wise way to gain notoriety,
especially for new security consulting firms. However, not everybody
understands that, and I read about a case in point over the weekend.

A security company, ForensicTec Solutions, a 4-month-old startup
company, apparently decided it would impress people with its ability
to detect vulnerabilities. However, some rookie ForensicTec
consultants chose to perform such detection on someone else's network.
To compound that poor judgment, that "someone else" turned out to be
the US government. According to a report from "The Washington Post,"
ForensicTec consultants decided to investigate the security of various
Department of Defense (DoD) networks and computer systems.
   http://www.forensictec.com
   http://www.washingtonpost.com/wp-dyn/articles/A24191-2002Aug15.html

The report said that 2 months ago, while working with a client, the
ForensicTec consultants detected other networks and IP addresses. They
investigated those IP addresses and learned that they belonged to
computers running on DoD networks located in Fort Hood, Texas. Out of
curiosity, they proceeded to gain access to those military networks,
then used that access to gain further access to other government
networks, such as those that the National Aeronautics and Space
Administration (NASA) operates.

According to the report, the consultants discovered that they could
access systems that contained detailed sensitive information,
sometimes by using common passwords such as "administrator" and
"password." They found information about "radio encryption techniques,
the use of laser targeting systems and other field procedures. Another
[system they accessed] maintained hundreds of personnel records
containing Social Security numbers, security clearance levels and
credit card numbers. A NASA computer contained vendor records,
including company bank account and financial routing numbers." Still
other systems contained "e-mail messages, confidential disciplinary
letters and, in one case, a memo naming couriers to carry secret
documents and their destinations."

After locating such sensitive information, the company apparently
waited 2 months before reporting its findings. When it reported its
findings to the military 2 weeks ago, it also contacted "The
Washington Post" to report the exploits. The newspaper contacted the
government to determine whether ForensicTec's information was
accurate.

As a result of its actions, ForensicTec found itself the subject of a
Federal Bureau of Investigation (FBI) forensic investigation.
According to another report from "The Washington Post," the FBI raided
the company's offices over the weekend.
   http://www.washingtonpost.com/wp-dyn/articles/A42019-2002Aug20.html

As you might expect, ForensicTec said it acted as it did to gain some
exposure for itself and to help the government realize its networks
were exposed to intruders. A spokesperson for the Army Criminal
Investigation Command in Virginia said, "Regardless of the stated
intent, unauthorized entry into Army computer systems is a federal
offense."

The moral of this story is at least threefold: Never use easy-to-guess
passwords; never turn rookie security consultants loose on others'
networks; and never investigate anyone's network without first
obtaining explicit permission, preferably in writing, for the
investigations you might perform.
 
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: FREE DOWNLOAD - SECURE PC ACCESS OVER THE WEB! ~~~~
   PC Magazine's Editors' Choice, NetOp Remote Control, is the
professional's choice for fixing remote PC Problems and secure remote
access! NetOp is blazingly FAST, extremely SECURE, and provides rock
solid STABILITY. Don't trust anything less. Use the Remote Control
solution that was designed for enterprise support and access. Download
a FREE, fully functional, evaluation copy today and see why NetOp is
known as the "hands down winner!"
   http://list.winnetmag.com/cgi-bin3/flo?y=eNHZ0CJgSH0CBw0pVP0Au

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, kenat_private)

* TINY PERSONAL FIREWALL 3.0 FOR WINDOWS
   Aaron Tan Lu of NSSI Research Labs discovered two Denial of Service
(DoS) conditions in Tiny Software's Tiny Personal Firewall 3.0 for
Windows. The first vulnerability affects the default installation and
use of the activity logger tab. If a potential attacker uses multiple
SYN, UDP, Internet Control Message Protocol (ICMP), and TCP full
Connect to scan a host's ports while the vulnerable user browses its
Personal Firewall Agent module firewall Log tab, a system crash will
occur that consumes 100 percent of system resources. The second DoS
condition is similar, but it occurs in the HIGH Security setting when
an attacker uses a spoofed source to address the firewall's IP
address.
   http://www.secadministrator.com/articles/index.cfm?articleid=26348

* MULTIPLE VULNERABILITIES IN KERIO MAILSERVER 5.0 for WINDOWS XP,
WIN2K, and NT
   Abraham Lincoln Hao of NSSI Research Labs discovered multiple
vulnerabilities in Kerio Technologies' Kerio MailServer 5.0 for
Windows that could result in a Denial of Service (DoS) or cross-site
scripting scenario. Sending at least five SYN packets to any of a mail
server's services (POP3, SMTP, IMAP, Secure IMAP, POP3S, Web-mail, or
secure Web-mail services) can result in that service not responding;
however, the service will be available again after several minutes.
The vendor, Kerio Technologies, has been notified but hasn't yet
released a patch for these vulnerabilities.
   http://www.secadministrator.com/articles/index.cfm?articleid=26353

* MULTIPLE VULNERABILITIES IN MICROSOFT IE
   GreyMagic Software, Mark Litchfield of Next Generation Security
Software (NGSSoftware), and Jouko Pynnonen of Oy Online Solutions
discovered five new vulnerabilities in Microsoft Internet Explorer
(IE), the most serious of which lets an attacker execute arbitrary
code on the vulnerable system. Microsoft has released Security
Bulletin MS02-047 (Cumulative Patch for Internet Explorer) to address
these vulnerabilities and recommends that affected users download and
apply the appropriate patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26419

* DoS IN MICROSOFT WINDOWS SMB
   Alberto Solino and Hernan Ochoa of Core Security Technologies
discovered an unchecked buffer in Microsoft Server Message Block (SMB)
that can result in a remotely exploitable Denial of Service (DoS)
condition on the vulnerable system. By sending a specially crafted
packet to certain transactions of the SMB command SMB_COM_TRANSACTION,
an attacker can halt the OS with a blue screen. You can find detailed
information about this vulnerability on the discoverers' Web site.
Microsoft has released Security Bulletin MS02-045 (Unchecked Buffer in
Network Share Provider Can Lead to Denial of Service) to address these
vulnerabilities and recommends that affected users download and apply
the appropriate patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26412

* MULTIPLE VULNERABILITIES IN MICROSOFT OFFICE WEB COMPONENTS ACTIVEX
CONTROL
   Three vulnerabilities exist in Microsoft Office Web Components 2002
and Office Web Components 2000 ActiveX control. Products affected by
these vulnerabilities include Microsoft Internet Security and
Acceleration (ISA) Server 2000, Office XP, Project 2002, Project
Server 2002, and Small Business Server (SBS) 2000. Microsoft has
released Security Bulletin MS02-044 (Unsafe Functions in Office Web
Components) to address these vulnerabilities and recommends that
affected users download and apply the appropriate patch mentioned in
the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26407

* MULTIPLE VULNERABILITIES IN WEBEASYMAIL
   Stan Bubrouski discovered two vulnerabilities in WebEasyMail for
Windows 3.4.2.2 and earlier that can result in a Denial of Service
(DoS) condition and information disclosure. An attacker can send
specially crafted format strings as input, such as the "printf" family
of functions, and cause the service to terminate without an error
message. The information-disclosure vulnerability lets an attacker
obtain a valid username and password on the vulnerable system. By
default, an attacker can make unlimited logon attempts without the
server terminating the connection. If the attacker gives a wrong
password, the server responds with "-ERR invalid username" if the user
doesn't exist and "-ERR wrong password for this user" if the user
exists. The vendor, WebEasyMail, has been notified but has not yet
released a patch for this vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=26413

* BUFFER OVERRUN IN MICROSOFT TSAC ACTIVEX CONTROL
   A buffer-overrun condition exists in Microsoft Terminal Services
Advanced Client (TSAC) ActiveX control that can let an attacker
execute arbitrary code remotely on the vulnerable system. This
vulnerability results from an unchecked buffer in the control's code
that processes one of the input parameters. By calling the control on
a client system and overrunning the buffer, an attacker can run code
under the currently logged-on user's security context. The attacker
can mount an attack by either hosting a Web page that exploits the
vulnerability against any user who visits the Web page or by sending
HTML mail to another user. Microsoft has released Security Bulletin
MS02-046 (Buffer Overrun in TSAC ActiveX Control Could Allow Code
Execution) to address these vulnerabilities and recommends that
affected users download and apply the appropriate patch
   http://www.secadministrator.com/articles/index.cfm?articleid=26409

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* WHY PAY WHEN YOU CAN GET IN-PERSON SECURITY EXPERTISE AT NO CHARGE?
   Windows & .NET Magazine Network Road Show 2002 is coming this fall
to New York, Chicago, Denver, and San Francisco!  Industry experts
Mark Minasi and Paul Thurrott will show you how to shore up your
system's security and what desktop security features are planned for
Microsoft .NET and beyond. Sponsored by Microsoft and NetIQ.
Registration is free, but space is limited so sign up now!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNHZ0CJgSH0CBw03lK0AC

* PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!
   "The Insider's Guide to IT Certification" eBook is hot off the
presses and contains everything you need to know to help you save time
and money while preparing for certification exams from Microsoft,
Cisco Systems, and CompTIA and have a successful career in IT. Get
your copy of the Insider's Guide today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNHZ0CJgSH0CBw038F0AF

4. ==== SECURITY ROUNDUP ====

* FEATURE: PASSWORD DEFENSE
   Every user account on your network needs a password, although
Windows 2000 permits user logons with null passwords. When you decide
to enforce password use, you need to choose the password policies you
want to enforce. You can set password policies for a domain or for an
individual computer. Setting a password for an individual computer is
useful when you have machines that are in vulnerable locations or that
hold sensitive data. Unfortunately, Win2K doesn't let you set policies
on a group-by-group basis, only by domain or machine. Read more about
password management in Kathy Ivens's article.
   http://www.secadministrator.com/articles/index.cfm?articleid=25962

* FEATURE: SAFE TRANSIT
   When you move a backup of a Microsoft SQL Server database from one
server to another, you encounter some specific challenges. A common
problem is that in the restore process, usernames and login names can
be mismatched. In this article, Kalen Delaney looks at why usernames
and login names are important, why mismatched names are a problem, and
how to use a special procedure called sp_sidmap to avoid such
problems.
   http://www.secadministrator.com/articles/index.cfm?articleid=25983

* FEATURE: WINDOWS XP SP1
   When Windows XP arrived last year, the enterprise was underwhelmed:
Most new XP features were clearly aimed at consumers, not business
users, and the benefits the new system offered over Windows 2000 were
unclear. A year later, XP is more entrenched, however, and a new
Service Pack 1 (SP1) release will address some enterprise concerns.
Read Paul Thurrott's article to learn what you need to know about XP
SP1.
   http://www.secadministrator.com/articles/index.cfm?articleid=25972

5. ==== HOT RELEASE (ADVERTISEMENT) ====

* SECUREIIS PROVIDES A SOLID BRICK IN YOUR DEFENSIVE WALL
   SecureIIS is an application firewall that remedies the lack of
hacker protection that was assumed to be out-of-the-box on an IIS
server. eEye Digital Security created the first-ever application
firewall to combat Port 80 vulnerabilities.
   Learn more & free trial downloads at:
   http://list.winnetmag.com/cgi-bin3/flo?y=eNHZ0CJgSH0CBw04NQ0An

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I DISABLE ENCRYPTING FILE SYSTEM (EFS) ON A WINDOWS
2000 OR LATER MACHINE?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. To disable EFS, perform the following steps:

   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\EFS registry subkey.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter a name of EfsConfiguration and press Enter.
   5. Double-click the new value, set it to 1 to disable EFS, then
click OK.
   6. Close the registry editor.
   7. Reboot the machine.

This change will affect all users: When users try to encrypt a file,
they'll receive an error. You can set the registry value to 0 to
enable EFS, but this value doesn't exist by default.

7. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, productsat_private)

* ENSURE SECURE INFORMATION EXCHANGE
   Ingrian Networks announced its next generation of Active
Application Security solutions for database encryption, user
authentication, secure Microsoft Outlook Web-based email access,
intrusion protection, secure caching, and secure load balancing. Four
new solutions, i225, i220, i215, and i210, were designed to
proactively ensure secure information exchange. The products are
designed to be Plug and Play (PnP) and can often be deployed in less
than 30 minutes with the Ingrian Networks Quick Start Guide. Prices
start at $23,995 and depend on the solution configuration. Contact
Ingrian at 650-261-2400 or email marketingat_private
   http://www.ingrian.com

* ENABLE ENTERPRISEWIDE CONFIGURATION CHANGES
   Configuresoft announced Enterprise Configuration Manager (ECM) 4.0,
a solution that reduces the IT resources required to proactively
manage system and security configurations across enterprise networks.
ECM 4.0 lets central IT departments create customized user roles to
securely and selectively provide access to ECM's functionality and
configuration data. Prices start at $995 per server and $30 per
workstation. ECM 4.0 runs on Windows XP, Windows 2000, Windows NT, and
Microsoft SQL Server 2000 or higher. Contact Configuresoft at
719-447-4600 or email infoat_private
   http://www.configuresoft.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshotat_private

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Upstream Proxy Authentication
   (One message in this thread)

Stryder writes that his company has two remote locations, each with a
Microsoft Internet Security and Acceleration (ISA) Server with its own
Internet connection. In office 1, a VPN tunnel links back to the
parent company for intranet sites the that office needs to access. He
has set up office 2 to route any request for those intranet sites to
office 1's ISA Server. Access works well for employees in office 1,
but office 2 connections involve multiple authentications. The two ISA
Servers run in a Windows NT 4.0 domain, so he doesn't have to set up
any trust between the machines. However, he wants to know how to set
up authentication so that users in office 2 aren't prompted every time
they access an intranet site. Can you help? Read the responses or lend
a hand at:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=44814
 
* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Win2K Group Policy Error
   (One message in this thread)

Erich has just set up Group Policy on Windows 2000 Server. When he
logs on to the domain, the policy hasn't been implemented. When he
checks the Event Viewer, he finds an error message in the Application
log that reads
   "The Group Policy client-side extension Security was passed flags
(17) and returned a failure status code of (1332)"
Can you help? Read the responses or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0208c&l=howto&p=82

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private

* ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- productsat_private

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdateat_private

* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.


MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.



This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 03:43:10 PDT