******************** Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems. http://www.secadministrator.com ******************** ~~~~ THIS ISSUE SPONSORED BY ~~~~ UltraBac Offers the Most Backup & Restore Options http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V10AF Real Time Monitoring Is a Security Requirement http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02Jr0A4 (below IN FOCUS) ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: ULTRABAC OFFERS THE MOST BACKUP & RESTORE OPTIONS ~~~~ UltraBac Software announces UltraBac v7.0.2 with the ability to use any FTP server or IBM's Tivoli Storage Manager (TSM) as storage devices for backup and restore operations. The FTP Device allows administrators to perform backup & restore operations to any FTP server connected to the Internet by simply entering the server's address as the backup path. By including FTP and TSM devices as backup paths, UltraBac now sets a new industry standard by offering more backup and restore options than any other application. Backup options include writing data to any type of local or remote media, including disk, tape, CD-RW and optical. Download a free live trial http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V10AF ~~~~~~~~~~~~~~~~~~~~ October 16, 2002--In this issue: 1. IN FOCUS - Microsoft .NET Passport Must Set Security Bar Higher 2. SECURITY RISKS - DoS in Oracle 9i Application Server for Windows - Multiple Vulnerabilities in Microsoft Services for UNIX 3.0 - BearShare File-Sharing Directory Traversal Vulnerability - Multiple Vulnerabilities in Microsoft SQL Server, MSDE 2000, and MSDE 1.0 3. ANNOUNCEMENTS - The Exchange Solutions You've Been Searching For! - Planning on Getting Certified? Make Sure to Pick Up Our New eBook! 4. SECURITY ROUNDUP - News: RSA Security and iRevolution Give Passport Two-Factor Authentication - Feature: Vendor-Specific Security Settings - Feature: Palladium's Glacial Approach 5. HOT RELEASES (ADVERTISEMENTS) - Spectracom's Netclock, for Secure Network Time - Protect Your Infrastructure 6. INSTANT POLL - Results of Previous Poll: Using Snort - New Instant Poll: Microsoft .NET Passport 7. SECURITY TOOLKIT - Virus Center - FAQ: How Can I Configure the Grace Period That Windows Uses for Password-Protected Screen Savers? 8. NEW AND IMPROVED - Integrated Security Solution for USB Keys and SSL Acceleration - Tips for Troubleshooting and Preventing Internet-Based Computer Intrusions - Submit Top Product Ideas 9. HOT THREADS - Windows & .NET Magazine Online Forums - Featured Thread: Port Mappings 10. CONTACT US See this section for a list of ways to contact us. ~~~~~~~~~~~~~~~~~~~~ 1. ==== IN FOCUS ==== (contributed by Mark Joseph Edwards, News Editor, markat_private) * MICROSOFT .NET PASSPORT MUST SET SECURITY BAR HIGHER Although in the past Microsoft lambasted open-source projects as inherently insecure, the company has chosen to embrace the idea of open source by using the Kerberos protocol--again. According to vnunet.com (see the URL below), Microsoft will marry its technology with Kerberos technology to make its next generation of .NET Passport more secure and somewhat open-source. http://www.vnunet.com/news/1125551 The last time Microsoft began to use Kerberos technology, in conjunction Windows 2000, critics screamed because Microsoft had apparently inserted undocumented modifications into the technology. Twisting open-source code into proprietary technology through undocumented changes is a definite no-no. Now, however, Microsoft is turning to Kerberos to improve .NET Passport security in response to the Federal Trade Commission (FTC) scrutiny that resulted in specific charges. http://www.microsoft.com/netservices/passport Microsoft described its .NET Passport, launched in 1999, as "a suite of Web-based services that makes using the Internet and purchasing online easier and faster. .NET Passport provides users with single sign-in (SSI) and fast purchasing capability at a growing number of participating sites, reducing the amount of information users must remember or retype." Many popular shopping sites, including eBay (which recently acquired PayPal), offer .NET Passport as a means to conduct business through their portals. http://www.microsoft.com/netservices/passport/overview.asp Because SSI is the core feature of .NET Passport, Kerberos is an obvious choice to use as part of the core methodology of authentication. To learn more about Microsoft's Kerberos implementation, read Jan De Clerq's article "Win.NET Server Kerberos" on our Web site (see the URL below). De Clerq discusses the new Kerberos delegation features that Microsoft has embedded in Windows .NET Server (Win.NET Server) 2003. http://www.secadministrator.com/articles/index.cfm?articleid=26450 According to the FTC, Microsoft made false claims about .NET Passport's security and privacy. Microsoft recently came to an agreement with the commission (see the URL below) by which the company will work to mend the problems. Under the agreement, Microsoft will change the way the company communicates with consumers about the security and privacy of the .NET Passport service and change the way Kids Passport works to some extent, as you'll see below. http://www.ftc.gov/opa/2002/08/microsoft.htm As Microsoft Senior Vice President and General Counsel Brad Smith noted, "The FTC's complaint asserts that we should have taken additional security steps earlier in the operation of the Passport service." Smith went on to say: "Even though we know of no instance where a Passport user's information has ever been compromised, in hindsight we wish we had held ourselves to an even higher bar." The FTC's complaints were certainly justified, however. You might recall that in November 2001, I wrote about one researcher who required just 30 minutes to discover that when Hotmail and .NET Passport were combined, an intruder could quickly empty a user's "wallet." On Microsoft's behalf, Smith acknowledged .NET Passport's shortcomings and promised change: "Consistent with our heightened security obligations, we accept responsibility for the past and will focus on living up to this high level of responsibility in the future." http://www.secadministrator.com/articles/index.cfm?articleid=23161 Toward that goal, according to Microsoft Corporate Vice President Brian Arbogast, the company will "document the comprehensive information security program that protects the security, confidentiality, and integrity of the personal information collected from our customers. We will also ensure that a third-party professional firm reviews, advises us, and ultimately certifies that our information-security program is designed and operates with sufficient effectiveness to provide reasonable assurances that the security, confidentiality, and integrity of every Passport user's information is protected. We will also ensure that all of the statements we make about the service are accurate and clear. Finally, we will strengthen training for all the managers involved with Passport, to ensure that they understand and comply fully with this order." The FTC also raised concerns about Kids Passport, particularly noting that children could bypass the controls their parents placed on the technology. Microsoft said that it has taken steps to remedy that situation by making Kids Passport more "kid-proof." The new agreement with the FTC will be in force for 20 years. To read more about Microsoft's perspective on the agreement, visit the Web site at the URL below. In related news, Microsoft has licensed security technology from RSA Security that will strengthen the authentication mechanisms .NET Passport uses. Be sure to read about that licensing agreement in the related news item in this newsletter. http://www.microsoft.com/presspass/features/2002/aug02/08-08passport.asp ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: REAL TIME MONITORING IS A SECURITY REQUIREMENT ~~~~ A proactive IT Manager installed ELM Enterprise Manager 3.0 on his critical servers to assess the benefits of real time monitoring. A week later, EEM 3.0 paged him as a disgruntled employee was attempting to access confidential personal files. Within minutes, the hacker was escorted off company property. Use ELM Enterprise Manager 3.0 to monitor the health and status of your systems, protect your intellectual property, and prevent avoidable downtime. Download your FREE 30-day evaluation copy at: http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02Jr0A4 ~~~~~~~~~~~~~~~~~~~~ 2. ==== SECURITY RISKS ==== (contributed by Ken Pfeil, kenat_private) * DoS IN ORACLE 9I APPLICATION SERVER FOR WINDOWS @stake discovered a Denial of Service (DoS) condition in Oracle 9i Application Server's Web Cache Manager Tool. An attacker who sends a specially formatted HTTP GET request to the port on which the Web Cache Administration process is listening can crash the administration process. The vendor, Oracle, has released Oracle Security Alert #43 to address this vulnerability but hasn't released a patch. The company will include a fix for this vulnerability in Oracle 9i Application Server 9.02. http://www.secadministrator.com/articles/index.cfm?articleid=26941 * MULTIPLE VULNERABILITIES IN MICROSOFT SERVICES FOR UNIX 3.0 Three new vulnerabilities exist in the Windows Help Facility, one of which could let an attacker execute arbitrary code on the vulnerable system. These new vulnerabilities consist of an integer overflow in the XML Data Reduced (XDR) library, a buffer overrun in remote procedure calls (RPCs), and an RPC implementation error. The vendor, Microsoft, has released Security Bulletin MS02-057 (Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution) to address these vulnerabilities and recommends that affected users immediately apply the patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=26889 * BEARSHARE FILE-SHARING DIRECTORY TRAVERSAL VULNERABILITY A directory traversal vulnerability exists in the file-sharing program BearShare. This vulnerability stems from a flaw in the personal Web server portion of BearShare that could let an attacker view any file on the vulnerable system by issuing a specially crafted HTTP request. The vendor, Free Peers, has released version 4.0.6 to address the traversal issue described above, but the software is still vulnerable if an attacker uses certain HTTP requests, which the article lists. Free Peers hasn't yet addressed this second variant of the same problem. http://www.secadministrator.com/articles/index.cfm?articleid=26890 * MULTIPLE VULNERABILITIES IN MICROSOFT SQL SERVER, MSDE 2000, AND MSDE 1.0 Three new vulnerabilities exist in Microsoft SQL Server, Microsoft SQL Server Desktop Engine (MSDE) 2000, and Microsoft Data Engine (MSDE) 1.0, the most serious of which could let an attacker execute arbitrary code on the vulnerable system. The vulnerabilities are a buffer overrun in a section of code in SQL Server 2000 and MSDE 2000 associated with user authentication, a buffer-overrun vulnerability that occurs in one of the Database Console Commands shipped as part of SQL Server 2000 and SQL Server 7.0, and a vulnerability associated with SQL Server 2000 and SQL Server 7.0 scheduled jobs. The vendor, Microsoft, has released Security Bulletin MS02-056 (Cumulative Patch for SQL Server) to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=26888 3. ==== ANNOUNCEMENTS ==== (brought to you by Windows & .NET Magazine and its partners) * THE EXCHANGE SOLUTIONS YOU'VE BEEN SEARCHING FOR! Our popular IT Buyers' Directories (ITBDs) are online catalogs of the hottest vendor solutions around. Our latest ITBD highlights the solutions and services that will help you protect, migrate, and administer your Exchange server. Download your copy today at http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05Ji0Ax * PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK! "The Insider's Guide to IT Certification" eBook is hot off the presses and contains everything you need to know to help you save time and money while preparing for certification exams from Microsoft, Cisco Systems, and CompTIA and have a successful career in IT. Get your copy of the Insider's Guide today! http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw038F0A3 4. ==== SECURITY ROUNDUP ==== * NEWS: RSA SECURITY AND iREVOLUTION GIVE PASSPORT TWO-FACTOR AUTHENTICATION RSA Security and iRevolution announced a strategic relationship to provide two-factor authentication to Microsoft Passport. The two companies will create a solution designed to provide Passport users single sign-on (SSO) capabilities using RSA Mobile software. http://www.secadministrator.com/articles/index.cfm?articleid=26976 * FEATURE: VENDOR-SPECIFIC SECURITY SETTINGS Ed Roth tells you how to configure Wired Equivalent Privacy (WEP) encryption settings for a variety of different wireless network gear, including SMC Networks, Linksys, D-Link Systems, NETGEAR, Siemens, and SOHOware. http://www.secadministrator.com/articles/index.cfm?articleid=26410 * FEATURE: PALLADIUM'S GLACIAL APPROACH Palladium is based on the theory that software alone can't adequately protect users and data in our connected world. According to Microsoft, Palladium will do almost everything but balance your checkbook: It will stop viruses, worms, and spam; it will understand who you are and prevent malicious users from accessing information you intend to send to certain individuals; it will safeguard your privacy. Read Paul Thurrott's editorial about Palladium at the URL below. http://www.secadministrator.com/articles/index.cfm?articleid=26375 5. ==== HOT RELEASES (ADVERTISEMENTS)==== * SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME Does your network depend on a Time Source that's outside your Firewall? Doesn't your network need an accurate clock source? Spectracom's NetClock/NTP (Network Time Provider) or NetClock/TM (Time Machine) can help you. See how at: http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02fF0An http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V20AG * PROTECT YOUR INFRASTRUCTURE How do you make sure only the right people access your vital systems? IBM can help build trust into your e-business relationships. Get the IBM white paper, "Linking Security Needs to e-business Evolution" at http://www.ibm.com/e-business/playtowin/n296 6. ==== INSTANT POLL ==== * RESULTS OF PREVIOUS POLL: USING SNORT The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you use Snort to implement an Intrusion Detection System (IDS) on your network?" Here are the results (+/- 2 percent) from the 1220 votes: - 91% Yes - 9% No * NEW INSTANT POLL: MICROSOFT .NET PASSPORT The next Instant Poll question is, "Do you currently use Microsoft .NET Passport?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, or b) No. http://www.secadministrator.com 7. ==== SECURITY TOOLKIT ==== * VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda * FAQ: HOW CAN I CONFIGURE THE GRACE PERIOD THAT WINDOWS USES FOR PASSWORD-PROTECTED SCREEN SAVERS? ( contributed by John Savill, http://www.windows2000faq.com ) A. By default, when you activate a password-protected screen saver, Windows provides a brief grace period during which keyboard and mouse activity will stop the screen saver and let you access the system without having to enter the password. To modify this grace period, perform the following steps: 1. Start a registry editor (e.g., regedit.exe). 2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey. 3. From the Edit menu, select New, DWORD Value. 4. Enter a name of ScreenSaverGracePeriod, then press Enter. 5. Double-click the new value, set the "Value data" to the number of seconds (from 0 to 2,147,483) that you want to use for the grace period, set the Base type to decimal, then click OK. 6. Restart the machine for the change to take effect. 8. ==== NEW AND IMPROVED ==== (contributed by Judy Drennen, productsat_private) * INTEGRATED SECURITY SOLUTIONS FOR USB KEYS AND SSL ACCELERATION Rainbow Technologies eSecurity and i-Security Solutions Limited (i-SSL) announced a partnership to integrate Rainbows's iKey and CryptoSwift products with i-SSL's i-Secur products. The partnership will provide one-stop, seamlessly integrated security services and solutions to customers in the Asian Pacific IT security market. "Our partnership with Rainbow further enhances our ability to create, deliver and support world-class security solutions tailored to the specific needs of Asian and international customers," said Frederick Chang, CEO of i-SSL. "Rainbow's security solutions complement our i-Secur suite of products to provide user-friendly e-applications embedded with strong security measures." Contact Rainbow at 949-450-7377 or go to the Web sites listed below. http://www.rainbow.com http://www.issl.com.hk * TIPS FOR TROUBLESHOOTING AND PREVENTING INTERNET-BASED COMPUTER INTRUSIONS Sybex released "Absolute PC Security and Privacy" by Michael Miller, a solutions-oriented book that shows users how to detect and seal security holes, how to reduce the chance of attack, and how to recognize when an attack is underway and stop it in progress. The book contains solutions for addressing the most common Internet-based intrusions including viruses, privacy theft, and email spam. Written for average computer users, Miller's book offers easy-to-follow instructions and practical advice. The book (ISBN 0-7821-4127) costs $34.99. Contact Sybex at its Web site for more information. http://www.sybex.com * SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshotat_private 9. ==== HOT THREADS ==== * WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.com/forums Featured Thread: Port Mappings (Five messages in this thread) A reader wants to know about any articles or Web sites that offer a list of ports and maps those ports to malicious applications such as Trojan horses or known intruder tools. Such Web pages do exist, as the responses demonstrate. http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=47344 10. ==== CONTACT US ==== Here's how to reach us with your comments and questions: * ABOUT IN FOCUS -- markat_private * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please mention the newsletter name in the subject line) * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums * PRODUCT NEWS -- productsat_private * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private ******************** This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email |-+-|-+-|-+-|-+-|-+-| Thank you for reading Security UPDATE. __________________________________________________________ Copyright 2002, Penton Media, Inc. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 02:33:30 PDT