[ISN] Security UPDATE, September 25, 2002

From: InfoSec News (isnat_private)
Date: Wed Sep 25 2002 - 23:32:15 PDT


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    "Tee-Off" at MEC with Sybari Software
      http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041j0AD
    
    Get the Most ROI Out of Your Patch Software
       http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw0rf10AB
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: "TEE-OFF" AT MEC WITH SYBARI SOFTWARE ~~~~
       An out-of-the-box, suite solution for virus protection may not be
    the value you bargained for . . . visit Sybari's booth (#300) at MEC
    and learn how with Antigen you can deploy up to six of the leading
    virus scan engine technologies, as well as advanced file and content
    filtering features including subject line, sender, and domain
    filtering, delivering the most comprehensive virus scanning on the
    market today. At MEC play THE SYBARI OPEN and enter to win one of
    three valuable prizes each day. Not going to MEC? Attend an Antigen
    web demo by October 31st and get a free Sybari t-shirt. Register at
     http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041j0AD
    
    ~~~~~~~~~~~~~~~~~~~~
    
    September 25, 2002--In this issue:
    
    1. IN FOCUS
         - National Cyberspace Security: It's Time to Regulate
           Manufacturers
    
    2. SECURITY RISKS
         - Multiple Vulnerabilities in Microsoft VM
         - Multiple Vulnerabilities in Microsoft RDP
    
    3. ANNOUNCEMENTS
         - Planning on Getting Certified? Make Sure to Pick Up Our New
           eBook!
         - Mark Minasi and Paul Thurrott Are Bringing Their Security
           Expertise to You!
    
    4. SECURITY ROUNDUP
         - Feature: Product of the Year
         - Feature: Best Security Products
         - Feature: A Look at Win.NET Server Security
    
    5. HOT RELEASES (ADVERTISEMENTS)
         - SPI Dynamics
         - FREE Network Security Web Seminars
         - FREE Security Assessment Tool
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Prevent Microsoft Internet Explorer (IE) From
           Caching Secure Sockets Layer (SSL) Pages?
    
    7. NEW AND IMPROVED
         - Software to Catch Hackers
         - Metadata Management for Law Firms
         - Submit Top Product Ideas
     
    8. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Threat from Within
         - HowTo Mailing List
             - Featured Thread: Failed Trust
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * NATIONAL CYBERSPACE SECURITY: IT'S TIME TO REGULATE MANUFACTURERS
    
    Last week, the US government unveiled a newly drafted strategy to
    secure cyberspace. The strategy calls for home-based users to
    voluntarily learn more about security and for all computer users
    (home, government, business) to do more to secure systems. A 65-page
    document outlining the strategy is available at the URL below.
       http://www.whitehouse.gov/pcipb/
    
    According to the President's Critical Infrastructure Protection Board
    Web site, the plan was drafted after "town hall meetings were held
    around the country, and fifty-three clusters of key questions were
    published to spark public debate. Even more input is needed. The
    public has 60 days to offer further input."
    
    I've received press releases from several technology companies that
    support the strategy. But based on news reports I've read, other
    businesses and individuals have complained about the plan. Their
    objections include that the plan isn't comprehensive enough, that it
    targets government and home users more closely than businesses, and
    that it might cost businesses too much to implement when profits are
    down in an ailing economy. I want to discuss what the plan
    emphasizes--and more importantly--what it doesn't emphasize.
    
    According to "The Washington Post," Bruce Schneier, chief technology
    officer (CTO) of Counterpane Internet Security, said, "You really have
    to ask why CEOs would bother to follow any of these recommendations,
    particularly at a time when most companies' earnings are down 20
    percent. The fact is, companies aren't rewarded for altruism; they're
    rewarded by the strength of their stock price."
       http://www.washingtonpost.com/wp-dyn/articles/A35812-2002Sep18.html
    
    One notable security industry figure, Alan Paller, research director
    of the SysAdmin, Audit, Network, and Security (SANS) Institute, seems
    to have forgotten that we live in a democratic society. According to
    "The Washington Post" story, "[Paller] believes the 60-day public
    comment period will help to show who has worked hardest to weaken the
    plan." Paller said, "The whiners will now have a spotlight shone on
    them."
    
    So will most businesses respond to the plan, and are all its critics
    trying to weaken it? Many of us believe that the problem with security
    in cyberspace resides largely in faulty software. You've sent email
    messages to me stating that view, and I've written about my own
    concerns (see the first URL below). In "eWEEK," Wyatt Starnes, CEO and
    cofounder of security vendor Tripwire, echoes that sentiment in his
    response to the draft strategy: "I'd like to see them make software
    companies take responsibility for the reliability of their products."
       http://www.secadministrator.com/articles/index.cfm?articleid=23161
       http://www.eweek.com/article2/0,3959,547303,00.asp
    
    Perhaps if software companies were liable by law for their products'
    lack of security, we wouldn't need such a weighty plan to secure
    cyberspace. We know that regulation works reasonably well in other
    industries.
    
    Consider that Microsoft currently controls 80 percent of the desktop
    market, not to mention the server market space. Doesn't it make sense
    that if software vendors, including Microsoft, were legally obligated
    to roll out the most secure products possible--or face stiff
    consequences--more than 80 percent of the computers on the planet
    would be more secure (and less of a risk to any country's national
    security)? Why are companies in the computer industry still exempt
    from liability?
    
    Although the government is taking an admirable path to better computer
    security, it doesn't seem to notice the more obvious problem of an
    unregulated and not-liable software industry. Why impose restrictions
    on home users, government, and general business users while neglecting
    the manufacturers of faulty software? Wouldn't it be equally effective
    to consider regulating software manufacturers--or am I missing some
    relevant points?
    
    If you agree that we need to regulate software manufacturers, it's
    time to contact your government representatives and urge them to
    institute strong software regulation. (You can find contact
    information for your representatives at the URL below.)
       http://clerk.house.gov/members/index.php
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: GET THE MOST ROI OUT OF YOUR PATCH SOFTWARE ~~~~
       Network security is an invaluable asset. What is the risk to your
    company if a hacker exploits an unknown weakness? UpdateEXPERT is a
    patch validation and remediation tool that scans networks for missing
    hotfixes, and FIXES discovered weaknesses for increased protection.
    Supporting Windows NT4/2000/XP, SQL Server, Exchange Server, IE,
    Outlook and other critical applications, UpdateEXPERT features an
    exclusive patch database that has been tested for deployment
    interdependencies.  Scan, validate, and install updates remotely
    without a required client agent.
       FREE 15-day live trial and Whitepaper!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw0rf10AB
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT VM
       Three new vulnerabilities exist in Microsoft Virtual Machine (VM),
    the most serious of which can give an attacker complete control over
    the vulnerable system. The first vulnerability is a flaw in the way
    the Java Database Connectivity (JDBC) classes evaluate a request to
    load and execute a DLL on the user's system. The second vulnerability
    also involves the JDBC classes: certain functions in those classes
    don't correctly validate the handles they receive as input. The third
    vulnerability involves a class that provides XML support for Java
    applications. All three are reachable from a Java applet, so a Web
    page or HTML email message that the user views is enough to trigger
    them. The vendor, Microsoft, has released Security Bulletin MS02-052
    (Flaw in Microsoft VM JDBC Classes Could Allow Code Execution) to
    address these vulnerabilities and recommends that affected users apply
    the appropriate patch mentioned in the bulletin. For a detailed
    explanation of the risks and a link to the patch, be sure to visit our
    Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=26735
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT RDP
      Two vulnerabilities exist in Microsoft Remote Desktop Protocol (RDP).
    The first is an information-disclosure vulnerability: under Windows XP
    and Windows 2000, RDP sends the checksums of the plaintext session data
    without encrypting them, even though the session data itself is
    encrypted. An attacker who can eavesdrop on and record an RDP session
    can use these checksums in a cryptanalytic attack to recover the
    session traffic. The second vulnerability is a Denial of Service (DoS)
    condition in Windows XP's Remote Desktop service. By sending specially
    malformed packets to the service (which by default listens on TCP port
    3389), an attacker can crash not just the service but the OS with it.
    Windows XP doesn't enable Remote Desktop by default, and blocking TCP
    port 3389 at the perimeter keeps outsiders from reaching the service
    at all. The vendor, Microsoft, has released Security Bulletin MS02-051
    (Cryptographic Flaw in RDP Protocol can Lead to Information
    Disclosure) to address these vulnerabilities and recommends that
    affected users apply the appropriate patch mentioned in the bulletin.
    For a detailed explanation of the risks and a link to the patch, be
    sure to visit our Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=26734
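
    The following PowerShell script is an added example, not code from
    the bulletin or from Microsoft. It probes a list of hosts for a
    listening RDP port, so that Windows 2000 and XP machines reachable on
    TCP 3389 can be patched or filtered first, and reports whether Remote
    Desktop connections are enabled on the machine it runs on. The
    addresses in $Hosts are constructed placeholders; fDenyTSConnections
    is the registry value behind Windows XP's "Allow users to connect
    remotely" setting.

```powershell
# Added example, not from the bulletin: find hosts that accept connections on the
# default Remote Desktop port (TCP 3389) and report the local Remote Desktop state.
# $Hosts holds constructed example addresses; substitute your own inventory.
$Hosts     = @('192.0.2.10', '192.0.2.11', '192.0.2.12')
$RdpPort   = 3389
$TimeoutMs = 2000

function Test-TcpPort {
    # Non-blocking connect with a timeout; distinguishes open, closed and filtered.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered (no response)'
        }
        $client.EndConnect($handle)       # throws when the port is closed
        return 'open'
    } catch [System.Net.Sockets.SocketException] {
        return 'closed'
    } catch {
        return "error: $($_.Exception.Message)"   # e.g. name resolution failure
    } finally {
        $client.Close()
    }
}

function Get-LocalRemoteDesktopState {
    # fDenyTSConnections = 1 means the machine refuses Remote Desktop connections.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $v = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'unknown (value absent)' }
    if ($v.fDenyTSConnections -eq 1) { return 'disabled' }
    return 'enabled'
}

$report = foreach ($h in $Hosts) {
    [pscustomobject]@{
        Host  = $h
        Port  = $RdpPort
        State = Test-TcpPort -ComputerName $h -Port $RdpPort -TimeoutMs $TimeoutMs
    }
}
$report | Format-Table -AutoSize

# Hosts that answered on 3389 are the ones to patch or filter first
$report | Where-Object { $_.State -eq 'open' } | ForEach-Object {
    "$($_.Host): reachable on TCP $RdpPort; confirm the MS02-051 patch is installed or filter the port"
}
"Local Remote Desktop connections: $(Get-LocalRemoteDesktopState)"
```

    An "open" result for a Windows XP or Windows 2000 host means the DoS
    can be triggered from the network position the script ran from until
    the MS02-051 patch is applied. The checksum weakness additionally
    requires an attacker who can capture the session, so it matters
    wherever RDP traffic crosses a network you don't control.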
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!
       "The Insider's Guide to IT Certification" eBook is hot off the
    presses and contains everything you need to know to help you save time
    and money while preparing for certification exams from Microsoft,
    Cisco Systems, and CompTIA and have a successful career in IT. Get
    your copy of the Insider's Guide today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw038F0Ah
    
    * MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE
    TO YOU!
       Windows & .NET Magazine Network Road Show 2002 is coming this
    October to New York, Chicago, Denver, and San Francisco! Industry
    experts Mark Minasi and Paul Thurrott will show you how to shore up
    your system's security and what desktop security features are planned
    for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and
    Trend Micro. Registration is free, but space is limited so sign up
    now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw03lK0Ae
    
    4. ==== SECURITY ROUNDUP ====
    
    * FEATURE: PRODUCT OF THE YEAR
       In a competition in which the winner was determined by write-in
    vote only, our Windows & .NET Magazine readers chose BindView's
    bv-Control for Windows as the product of the year. BindView's
    bv-Control is a proactive security management solution. The company's
    flagship product family effectively secures, automates, and lowers the
    cost of managing Windows .NET Server (Win.NET Server) 2003, Enterprise
    Edition servers and directories, Windows 2000, and Windows NT. To read
    more about it, visit our Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=26308
    
    * FEATURE: BEST SECURITY PRODUCTS
       We've completed the poll in which readers cast votes for their
    favorite security software! Categories of products include antivirus
    software for clients, servers, wireless networks, and Microsoft
    Exchange; digital encryption/signature signing software; firewalls;
    intrusion detection software; password-auditing software; security
    scanners; third-party authentication software; application security
    software; and security information management software. To see the
    results, visit our Web site.
      http://www.secadministrator.com/articles/index.cfm?articleid=26315
    
    * NEWS: A LOOK AT WIN.NET SERVER SECURITY
       As part of a continuing look at the more intriguing new features in
    Windows .NET Server (Win.NET Server) 2003, Paul Thurrott examines some
    of the OS's security improvements. The timing for such improvements is
    crucial: Microsoft has issued 48 security bulletins this year and is
    on track to beat last year's record of 60 bulletins. Paul comments,
    "What a wonderful accomplishment."
       http://www.secadministrator.com/articles/index.cfm?articleid=26721
    
    5. ==== HOT RELEASES (ADVERTISEMENTS) ====
    
    * SPI DYNAMICS
       ALERT! - Cross-Site Scripting Holes in Web Applications
       Cross-site scripting vulnerabilities in web applications allow
    hackers to compromise confidential information, steal cookies and
    create requests that can be mistaken for those of a valid user!!
    Download this *FREE* white paper
       http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041k0AE
    
    * FREE NETWORK SECURITY WEB SEMINARS
       Want to bullet-proof your networks against malicious code? Register
    now for one or more web seminars and gain the experience from the
    world's leading virus experts. Seating is limited, register today to
    ensure your spot!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041l0AF
    
    * FREE SECURITY ASSESSMENT TOOL
       Aelita InTrust(tm) closes the gap between policy and IT
    infrastructure, simplifying your regulatory compliance efforts. HIPAA?
    Gramm-Leach-Bliley? BS7799/ISO17799? Let Aelita provide your
    compliance solution. Start with our FREE security assessment tool:
    Aelita InTrust Audit Advisor!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNfX0CJgSH0CBw041m0AG
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I PREVENT MICROSOFT INTERNET EXPLORER (IE) FROM CACHING
    SECURE SOCKETS LAYER (SSL) PAGES?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. By default, IE caches all pages, regardless of whether the pages
    are secure (e.g., HTTP Secure--HTTPS--pages, which use SSL). That
    means copies of pages you viewed over SSL, such as online banking or
    Web mail pages, stay in the Temporary Internet Files folder on disk,
    where anyone with access to the profile can read them. If you don't
    want IE to cache these secure pages, you can perform the following
    steps for each user:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to the
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings registry subkey.
       3. From the Edit menu, select New, DWORD Value.
       4. Enter a name of DisableCachingOfSSLPages, then press Enter.
       5. Double-click the new value, set it to 1 to disable caching of
    SSL pages, then click OK.
       6. Close the registry editor.
       7. Log off and log on for the change to take effect.
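
    The PowerShell script below is an added example, not part of John
    Savill's FAQ. It performs steps 2 through 5 for the user it runs as,
    and reports the value before and after so the change can be audited
    (or re-checked later by running only the Get function). It assumes
    nothing beyond the key and value named in the FAQ.

```powershell
# Added example, not part of the FAQ: apply DisableCachingOfSSLPages for the
# current user and report the before/after state. Run it in the context of
# each user whose profile should change (the value lives under HKCU).
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'DisableCachingOfSSLPages'

function Get-SslPageCaching {
    # Returns 1 when caching of SSL pages is disabled, 0 when explicitly enabled,
    # and $null when the value is absent (IE's default, which caches HTTPS pages).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-SslPageCaching {
    # Steps 3 through 5 of the FAQ: create (or overwrite) the DWORD value and set it to 1.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Format-State([object]$v) {
    # Human-readable form of the raw value for the audit line
    if ($null -eq $v) { return 'absent (HTTPS pages cached)' }
    if ($v -eq 1)     { return '1 (HTTPS pages not cached)' }
    return "$v (HTTPS pages cached)"
}

$before = Get-SslPageCaching
Disable-SslPageCaching
$after  = Get-SslPageCaching

[pscustomobject]@{
    User      = "$env:USERDOMAIN\$env:USERNAME"
    Key       = $KeyPath
    Before    = Format-State $before
    After     = Format-State $after
    Compliant = ($after -eq 1)
}
```

    The value the script writes is the same one IE sets when you select
    "Do not save encrypted pages to disk" under Tools, Internet Options,
    Advanced. IE reads it when it starts, so close every IE window (or log
    off, as step 7 says) before checking that a freshly visited HTTPS page
    no longer appears in Temporary Internet Files.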
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * SOFTWARE TO CATCH HACKERS
       FutureWare released HackerTracker, software that scans a Web
    server's standard World Wide Web Consortium (W3C) Extended Format log
    files to identify attacks. You can use the intruder's IP address to
    block further access at the server, at a front-end router, or at a
    firewall, as well as to contact the intermediate ISPs that handle the
    intruder's traffic so they can track it from their side.
    HackerTracker runs on Windows XP, Windows 2000, Windows NT, and
    Windows 9x and costs $59 for a single-user registration. Contact
    FutureWare at 714-446-0765.
       http://www.futurewaredc.com/hackertracker
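
    To show what scanning a W3C Extended Format log for attacks involves,
    here is an added PowerShell example. It is not FutureWare's code: it
    reads the #Fields directive to map columns, matches each request
    against a handful of signatures, and tallies hits per client address
    for a block list. The signature set and the sample log lines are
    constructed for this example; the sample requests are modelled on the
    Code Red (.ida) and Nimda (traversal to cmd.exe) worm traffic that
    filled IIS logs in 2001 and 2002.

```powershell
# Added example, not FutureWare's HackerTracker: a minimal scanner for W3C Extended
# (IIS) log files. $Signatures and $SampleLog are constructed for this example.
$Signatures = @{
    'traversal'  = '\.\./|%2e%2e|%255c|%c0%af|%c1%1c'   # directory traversal, raw and encoded
    'cmd-exec'   = '/cmd\.exe|/root\.exe|/tftp\.exe'    # command shell reached via traversal
    'ida-probe'  = '\.id[aq]\?'                          # Index Server ISAPI overflow probe
    'scan-paths' = '/scripts/|/msadc/|/_vti_bin/'        # IIS paths scanners enumerate
}

$SampleLog = @'
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-09-25 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-25 00:00:01 192.0.2.77 GET /default.htm - 200
2002-09-25 00:00:02 198.51.100.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-09-25 00:00:03 198.51.100.9 GET /msadc/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2002-09-25 00:00:04 203.0.113.5 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858=a 200
2002-09-25 00:00:05 192.0.2.78 GET /images/logo.gif - 200
'@

function Get-W3CRecords {
    # Turns log lines into objects keyed by the field names in the #Fields directive.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if ($null -eq $fields) { continue }             # data before any #Fields line cannot be mapped
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }  # skip truncated or malformed lines
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        [pscustomobject]$rec
    }
}

function Find-Attacks {
    # Emits one object per request that matches at least one signature.
    param([object[]]$Records)
    foreach ($r in $Records) {
        $request = "$($r.'cs-uri-stem')?$($r.'cs-uri-query')"
        $matched = @($Signatures.Keys | Where-Object { $request -imatch $Signatures[$_] })
        if ($matched.Count -gt 0) {
            [pscustomobject]@{
                Time       = "$($r.date) $($r.time)"
                ClientIP   = $r.'c-ip'
                Status     = $r.'sc-status'
                Signatures = ($matched | Sort-Object) -join ','
                Request    = $request
            }
        }
    }
}

$records = Get-W3CRecords -Lines ($SampleLog -split "`r?`n")
$hits    = @(Find-Attacks -Records $records)
$hits | Format-Table -AutoSize

# One line per attacking address, most active first, ready for a router ACL or firewall rule
$hits | Group-Object ClientIP | Sort-Object Count -Descending |
    ForEach-Object { '{0,-16} hits={1}' -f $_.Name, $_.Count }
```

    To run it against a real server, replace the here-string with
    Get-Content on the day's IIS log (by default under
    %SystemRoot%\system32\LogFiles\W3SVC1). Two caveats before feeding the
    addresses to a router: worm traffic comes from infected third-party
    machines rather than from a person at a keyboard, so the list will be
    long and churn daily; and the sc-status column is the more urgent
    signal, because a 404 means the probe failed, whereas a 200 returned
    for a cmd.exe request means the server actually ran it.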
    
    * METADATA MANAGEMENT FOR LAW FIRMS
       SoftWise released Out-of-Sight 2.0, a metadata management utility
    enhanced to let law firms reduce risks and avoid potential
    embarrassments by managing the metadata in electronically distributed
    documents. The utility lets users remove unwanted metadata from
    Microsoft Excel XP, Excel 2000, and Excel 97 in addition to Word, and
    it lets administrators manage and establish standards through a
    simple GUI. Out-of-Sight integrates with Microsoft Outlook XP and
    Outlook 2000. A 30-day evaluation copy of Out-of-Sight 2.0 is
    available from the Web site, or call 718-876-9776 for a free
    evaluation.
       http://www.softwise.net
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    8. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Threat from Within
       (Seven messages in this thread)
    
    Dannyboy writes that a member of his staff has been sniffing around
    the network by connecting to printers by their IP address, connecting
    to other users' machines, and trying to schedule tasks. He wants to
    know whether this can be prevented. He thinks that all permissions on
    his servers are tight, so the user can't view sensitive information.
    He wants to know how other administrators would treat this situation
    and deal with the user. Also, is there any security software that can
    monitor an employee's actions on a Windows 2000 Professional machine?
    Read the responses or lend a hand at:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=45970
    
    * HOWTO MAILING LIST
    
    Featured Thread: Failed Trust
       (One message in this thread)
    
    Dimitry writes that he has a Windows 2000-based domain server. When he
    adds a Windows NT 4.0 Workstation to the domain, no one from the
    domain can access that PC. When they try to do so, they receive the
    message, "The trust between this workstation and the primary domain
    failed." Read the responses or lend a hand at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?A2=IND0209C&L=HOWTO&P=305
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 02:27:44 PDT