[ISN] Security UPDATE, September 11, 2002

From: InfoSec News (isnat_private)
Date: Wed Sep 11 2002 - 23:08:46 PDT

    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Consolidated Security Auditing and Monitoring
       http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04gJ0A7
    
    VeriSign - The Value of Trust
       http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04gK0A8
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: CONSOLIDATED SECURITY AUDITING AND MONITORING ~~~~
       HIPAA? Gramm-Leach-Bliley? BS7799/ISO17799? Aelita InTrust(tm)
    bridges the gap between industry regulations & policies and your IT
    infrastructure. InTrust consolidates, archives, and analyzes
    heterogeneous IT audit data and offers numerous reports to assist in
    documenting compliance. And InTrust's data repositories enable
    efficient, permanent storage of all event data. Get started with the
    FREE security assessment tool: Aelita InTrust Audit Advisor!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04gJ0A7
    
    ~~~~~~~~~~~~~~~~~~~~
    
    September 11, 2002--In this issue:
    
    1. IN FOCUS
         - Assessing Security Threats to Microsoft SQL Server
    
    2. SECURITY RISKS
         - Application Execution Vulnerability in Microsoft Visual FoxPro 6.0
         - Multiple Vulnerabilities in Cisco VPN 3000 Series Concentrator
           and VPN 3002 Hardware Client
    
    3. ANNOUNCEMENTS
         - Mark Minasi and Paul Thurrott Are Bringing Their Security
           Expertise to You!
         - UNIX, Linux, and Windows: Managing the Unruly Trinity
    
    4. SECURITY ROUNDUP
         - News: Microsoft Releases Windows XP SP1
         - News: Microsoft Solves Windows Hacking Mystery
     
    5. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Prevent Users from Changing Their Passwords
           Except When Windows 2000 Prompts Them To?
    
    6. NEW AND IMPROVED
         - Antispam Server for the Enterprise
         - Lock Up Your Hard Disk
         - Submit Top Product Ideas
     
    7. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Obtaining Hashes from the Win2K SAM
               Database
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * ASSESSING SECURITY THREATS TO MICROSOFT SQL SERVER
    
    When did you last profile your Microsoft SQL Server 2000 system for
    potential threats? If you haven't done so, you might want a toolkit
    and some easy-to-understand guidelines.
    
    Next Generation Security Software (NGSSoftware) recently published
    "Threat Profiling Microsoft SQL Server," which describes in detail
    tools and procedures that you can use to gauge your exposure to
    intruders. According to NGSSoftware, the paper has "four main
    sections. The first section will cover attacks that do not require the
    attacker to have a user ID and password for the SQL Server, that is,
    the attacks are unauthenticated. The second section will cover those
    attacks that do require authentication; to succeed the user must be
    logged onto the SQL Server. The third section will consider those
    attacks that can be launched from a compromised server. The final and
    fourth section will touch briefly upon attacks via the Web using SQL
    Injection."
       http://www.nextgenss.com/papers/tp-SQL2000.pdf
    
    "Threat Profiling Microsoft SQL Server" discusses SQL Monitor port
    attacks, network-sniffing opportunities, brute-force attacks,
    file-system attacks, Trojan horses in extended stored procedures,
    client attacks (e.g., against the SQL Enterprise Manager), navigating
    the database server, password cracking, bypassing access controls, and
    more. The paper lists a series of tools you need to obtain before you
    start. Minimally, you'll need various SQL client tools (such as Query
    Analyzer and ODBCPing), Microsoft Visual C++, SQLPing, NGSSQuirreL,
    NGSSQLCrack, and NGSSniff. The SQL Server CD-ROM contains SQL client
    tools. SQLSecurity.com (see the first URL below) offers SQLPing.
    NGSSoftware offers the latter three tools through the company's Web
    site (see the second URL below). According to NGSSoftware, NGSSQuirreL
    is an auditing tool that can find and fix holes in the SQL Server;
    NGSSQLCrack can crack the passwords of standard SQL logins; and
    NGSSniff is a network traffic capture and analysis tool. Overall, the
    paper contains a wealth of information about securing your SQL Server.
       http://www.sqlsecurity.com/desktopdefault.aspx
       http://www.nextgenss.com
    
    Other steps you can take toward SQL Server security include keeping up
    with Microsoft security bulletins and reviewing other resources.
    Microsoft has issued 11 security bulletins for SQL Server 2000 so far,
    including a cumulative patch in August 2002 that contains all the
    other security patches. Be sure you've loaded the ones you might
    need--or the cumulative patch if you want to load them all.
       http://www.microsoft.com/technet/security/current.asp?productid=30
    
    SQL Server Magazine and its related Web site often discuss SQL Server
    security. For example, when you visit the Web site (see the URL
    below), you'll find Michael Otey's article "Free SQL Server Tools,"
    which discusses his favorite free SQL Server tools, among which are
    security-related tools. You'll also find Kalen Delaney's article "Safe
    Transit," which discusses how to ensure that users and passwords match
    up after a database restoration.
       http://www.sqlmag.com
    
    Regularly reviewing the potential threats to your SQL Server will help
    keep it secure. I hope the resources mentioned will support that
    review process.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: VERISIGN - THE VALUE OF TRUST ~~~~
       Get the strongest server security -- 128-bit SSL encryption!
       Download VeriSign's FREE guide, "Securing Your Web Site for
    Business" and learn everything you need to know about using SSL to
    encrypt your e-commerce transactions for serious online security.
    Click here!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04gK0A8
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * APPLICATION EXECUTION VULNERABILITY IN MICROSOFT VISUAL FOXPRO 6.0
       Cristobal Bielza and Juan Carlos G. Cuartango from Instituto
    Seguridad Internet discovered a vulnerability in Microsoft Visual
    FoxPro 6.0 that can result in an attacker gaining control over the
    vulnerable system. This vulnerability stems from a Visual FoxPro
    installation in which the application doesn't register itself with
    Microsoft Internet Explorer (IE). As a result, an attacker can use a
    Web page or HTML email to launch an application on the vulnerable
    system. Microsoft has released Security Bulletin MS02-049 (Flaw Could
    Enable Web Page to Launch Visual FoxPro 6.0 Application Without
    Warning) to address this vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=26543
    
    * MULTIPLE VULNERABILITIES IN CISCO VPN 3000 SERIES CONCENTRATOR AND
    VPN 3002 HARDWARE CLIENT
       Multiple vulnerabilities exist in Cisco Systems' VPN 3000 series
    concentrators and VPN 3002 Hardware Client that can result in
    information disclosure, Denial of Service (DoS) conditions, and
    unauthenticated display of passwords on the vulnerable devices. Cisco
    has issued a notice regarding these vulnerabilities and recommends
    that affected users upgrade to a fixed release of its software through
    regular support channels or the Cisco Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=26501
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE
    TO YOU!
       Windows & .NET Magazine Network Road Show 2002 is coming this
    October to New York, Chicago, Denver, and San Francisco!  Industry
    experts Mark Minasi and Paul Thurrott will show you how to shore up
    your system's security and what desktop security features are planned
    for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and
    Trend Micro. Registration is free, but space is limited so sign up
    now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw03lK0AD
    
    * UNIX, LINUX, AND WINDOWS: MANAGING THE UNRULY TRINITY
       Sign up for our latest Web seminar at which we'll discuss the
    concerns associated with managing a heterogeneous server environment.
    You'll learn more about the management characteristics of each
    platform and about existing management solutions and how well they
    work. Sponsored by NetIQ. There's no charge for this online event, but
    space is limited so register now at
       http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04Wf0AK
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: MICROSOFT RELEASES WINDOWS XP SP1
       Delivering on its promise to release Windows XP Service Pack 1
    (SP1), Microsoft issued the critical upgrade to its latest desktop OS
    on September 9. With XP SP1's release to manufacturing (RTM), the
    company provides its first comprehensive set of bug and security fixes
    for the fastest-selling Windows version ever. XP users can download
    the SP1 release for free from the Microsoft Web site or order the
    release on CD-ROM for about $10.
       http://www.wininformant.com/articles/index.cfm?articleid=26555
    
    * NEWS: MICROSOFT SOLVES WINDOWS HACKING MYSTERY
       The notion that Windows users might be the targets of attacks is
    nothing new, given the platform's vast market domination and the sheer
    number of Windows-based desktops and servers. But a mysterious new
    type of attack had security watchdogs and Microsoft itself baffled.
    Now the problem has been identified, and it's apparently not a new
    security vulnerability.
       http://www.wininformant.com/articles/index.cfm?articleid=26566
    
    5. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I PREVENT USERS FROM CHANGING THEIR PASSWORDS EXCEPT
    WHEN WINDOWS 2000 PROMPTS THEM TO?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. You can configure your domain through a group policy so that users
    can change their passwords only when the system prompts them:
       1. Start the Microsoft Management Console (MMC) Active Directory
    Users and Computers snap-in (Start, Programs, Administrative Tools,
    Active Directory Users and Computers).
       2. Right-click the container (site/domain or organizational
    unit--OU) on which you want to enforce the policy, and select
    Properties.
       3. Select the Group Policy tab.
       4. Select the policy and click Edit.
       5. Expand User Configuration, Administrative Templates, System,
    Logon/Logoff.
       6. Double-click Disable Change Password, and on the Policy tab,
    select Enabled.
       7. Click Apply, then OK.
       8. Close all dialog boxes.
       9. Refresh the policy with the following command:
          C:\> secedit /refreshpolicy user_policy
    
    You can also configure this feature on a per-user basis. To do so,
    perform the following steps:
       1. Start regedit.exe.
       2. Go to
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies.
    If the System key exists, select it. Otherwise create it (Edit, New,
    Key, System).
       3. Under System, create a new value of type DWORD (Edit, New, DWORD
    value).
       4. Type a name of DisableChangePassword, and press Enter.
       5. Double-click the new value, and set it to 1. Click OK.
       6. Close regedit.exe.
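
The per-user registry steps above, scripted and paired with an audit of which loaded user hives carry the value. This is an added example, not part of the original newsletter; it assumes a Windows host with PowerShell, and the function names Set-DisableChangePassword and Get-DisableChangePasswordState are hypothetical.

```powershell
# Added example (not from the newsletter). Key path and value name are the
# ones given in the FAQ; the function names are hypothetical.
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableChangePassword'

function Set-DisableChangePassword {
    # Steps 2-5 of the FAQ for the current user: create the System key if it
    # is missing, then write the DWORD value (1 = policy on, 0 = policy off).
    param([ValidateRange(0, 1)][int]$State = 1)
    $path = "HKCU:\$SubKey"
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord `
        -Value $State -Force | Out-Null
}

function Get-DisableChangePasswordState {
    # Audit each user hive currently loaded under HKEY_USERS. The regex keeps
    # account SIDs and skips the companion "<SID>_Classes" hives.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $key  = Get-Item -Path "Registry::HKEY_USERS\$sid\$SubKey" `
                        -ErrorAction SilentlyContinue
            $data = $null
            $kind = $null
            if ($key -and ($key.GetValueNames() -contains $ValueName)) {
                $data = $key.GetValue($ValueName)
                $kind = $key.GetValueKind($ValueName)
            }
            [pscustomobject]@{
                Sid          = $sid
                ValuePresent = ($null -ne $kind)
                Data         = $data
                Kind         = $kind
                # Counted as enforced only when it is a DWORD set to 1; a
                # string "1" or a DWORD 0 is reported but not counted.
                Enforced     = ($kind -eq 'DWord' -and $data -eq 1)
            }
        }
}

Set-DisableChangePassword -State 1
Get-DisableChangePasswordState | Format-Table -AutoSize
```

The audit sees only hives that are loaded at the time it runs, and reading other users' hives requires administrative rights.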
    
    6. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * ANTISPAM SERVER FOR THE ENTERPRISE
       Mail-Filters.com announced SpamCure, a filtering server designed to
    eliminate junk email messages from coming into businesses and
    enterprises from the Internet. SpamCure works best for organizations
    with 50 to 50,000 mailboxes. Each email message is subjected to 11
    categories of tests, which results in 95 percent of all spam messages
    being identified and categorized. After spam has been identified, the
    customer can choose, by domain or mailbox, how it's handled. SpamCure
    runs on Windows 2000 Server, and the price starts at $2.75 per mailbox
    and decreases as the number of mailboxes increases. Contact
    Mail-Filters at 650-212-6245.
       http://www.mail-filters.com
    
    * LOCK UP YOUR HARD DISK
       Innovative Security Products announced the Lid Lock Padlock, a lock
    to secure your data and components inside your PC. The lock won't
    damage your equipment and includes a proprietary component that
    prevents break-ins. It can be installed in less than a minute and
    includes a resettable combination padlock. Your organization can code
    all its padlocks differently, code them all alike, or code by
    department. The Lid Lock Padlock costs $9.95. Contact Innovative
    Security Products at 913-385-2002.
       http://www.wesecure.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    7. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Obtaining Hashes from the Win2K SAM Database
       (Two messages in this thread)
    
    Tony writes that in Windows NT, you can get a copy of the SAM (or
    password hashes) to feed into L0phtCrack. Within a reasonable time,
    you can crack the user accounts and passwords. But in Windows 2000,
    things change drastically because Microsoft allows the use of 128-bit
    encryption algorithms through Syskey. Is there a way to get the
    password hashes from a Win2K machine to which you have physical but
    not administrative access? Read the responses or lend a hand:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=45005
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 01:44:02 PDT