[ISN] Security UPDATE, October 16, 2002

From: InfoSec News (isnat_private)
Date: Wed Oct 16 2002 - 23:47:56 PDT


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    UltraBac Offers the Most Backup & Restore Options
       http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V10AF
    
    Real Time Monitoring Is a Security Requirement
       http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02Jr0A4
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: ULTRABAC OFFERS THE MOST BACKUP & RESTORE OPTIONS ~~~~
       UltraBac Software announces UltraBac v7.0.2 with the ability to use
    any FTP server or IBM's Tivoli Storage Manager (TSM) as storage
    devices for backup and restore operations. The FTP Device allows
    administrators to perform backup & restore operations to any FTP
    server connected to the Internet by simply entering the server's
    address as the backup path. By including FTP and TSM devices as backup
    paths, UltraBac now sets a new industry standard by offering more
    backup and restore options than any other application. Backup options
    include writing data to any type of local or remote media, including
    disk, tape, CD-RW and optical. Download a free live trial
       http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V10AF
    
    ~~~~~~~~~~~~~~~~~~~~
    
    October 16, 2002--In this issue:
    
    1. IN FOCUS
         - Microsoft .NET Passport Must Set Security Bar Higher
    
    2. SECURITY RISKS
         - DoS in Oracle 9i Application Server for Windows
         - Multiple Vulnerabilities in Microsoft Services for UNIX 3.0
         - BearShare File-Sharing Directory Traversal Vulnerability
         - Multiple Vulnerabilities in Microsoft SQL Server, MSDE 2000,
           and MSDE 1.0
    
    3. ANNOUNCEMENTS
         - The Exchange Solutions You've Been Searching For!
         - Planning on Getting Certified? Make Sure to Pick Up Our New
           eBook!
    
    4. SECURITY ROUNDUP
         - News: RSA Security and iRevolution Give Passport Two-Factor
           Authentication
         - Feature: Vendor-Specific Security Settings
         - Feature: Palladium's Glacial Approach
    
    5. HOT RELEASES (ADVERTISEMENTS)
         - Spectracom's Netclock, for Secure Network Time
         - Protect Your Infrastructure
    
    6. INSTANT POLL
         - Results of Previous Poll: Using Snort
         - New Instant Poll: Microsoft .NET Passport
    
    7. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Configure the Grace Period That Windows Uses for
           Password-Protected Screen Savers?
    
    8. NEW AND IMPROVED
         - Integrated Security Solution for USB Keys and SSL Acceleration
         - Tips for Troubleshooting and Preventing Internet-Based Computer
           Intrusions
         - Submit Top Product Ideas
     
    9. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Port Mappings
    
    10. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * MICROSOFT .NET PASSPORT MUST SET SECURITY BAR HIGHER
    
    Although in the past Microsoft lambasted open-source projects as
    inherently insecure, the company has chosen to embrace the idea of
    open source by using the Kerberos protocol--again. According to
    vnunet.com (see the URL below), Microsoft will marry its technology
    with Kerberos technology to make its next generation of .NET Passport
    more secure and somewhat open-source.
       http://www.vnunet.com/news/1125551
    
    The last time Microsoft began to use Kerberos technology, in
    conjunction with Windows 2000, critics screamed because Microsoft had
    apparently inserted undocumented modifications into the technology.
    Twisting open-source code into proprietary technology through
    undocumented changes is a definite no-no. Now, however, Microsoft is
    turning to Kerberos to improve .NET Passport security in response to
    the Federal Trade Commission (FTC) scrutiny that resulted in specific
    charges.
       http://www.microsoft.com/netservices/passport
    
    Microsoft described its .NET Passport, launched in 1999, as "a suite
    of Web-based services that makes using the Internet and purchasing
    online easier and faster. .NET Passport provides users with single
    sign-in (SSI) and fast purchasing capability at a growing number of
    participating sites, reducing the amount of information users must
    remember or retype." Many popular shopping sites, including eBay
    (which recently acquired PayPal), offer .NET Passport as a means to
    conduct business through their portals.
       http://www.microsoft.com/netservices/passport/overview.asp
    
    Because SSI is the core feature of .NET Passport, Kerberos is an
    obvious choice to use as part of the core methodology of
    authentication. To learn more about Microsoft's Kerberos
    implementation, read Jan De Clercq's article "Win.NET Server Kerberos"
    on our Web site (see the URL below). De Clercq discusses the new
    Kerberos delegation features that Microsoft has embedded in Windows
    .NET Server (Win.NET Server) 2003.
       http://www.secadministrator.com/articles/index.cfm?articleid=26450
    
    According to the FTC, Microsoft made false claims about .NET
    Passport's security and privacy. Microsoft recently came to an
    agreement with the commission (see the URL below) by which the company
    will work to mend the problems. Under the agreement, Microsoft will
    change the way the company communicates with consumers about the
    security and privacy of the .NET Passport service and change the way
    Kids Passport works to some extent, as you'll see below.
       http://www.ftc.gov/opa/2002/08/microsoft.htm
    
    As Microsoft Senior Vice President and General Counsel Brad Smith
    noted, "The FTC's complaint asserts that we should have taken
    additional security steps earlier in the operation of the Passport
    service." Smith went on to say: "Even though we know of no instance
    where a Passport user's information has ever been compromised, in
    hindsight we wish we had held ourselves to an even higher bar."
    
    The FTC's complaints were certainly justified, however. You might
    recall that in November 2001, I wrote about one researcher who
    required just 30 minutes to discover that when Hotmail and .NET
    Passport were combined, an intruder could quickly empty a user's
    "wallet." On Microsoft's behalf, Smith acknowledged .NET Passport's
    shortcomings and promised change: "Consistent with our heightened
    security obligations, we accept responsibility for the past and will
    focus on living up to this high level of responsibility in the
    future."
       http://www.secadministrator.com/articles/index.cfm?articleid=23161
    
    Toward that goal, according to Microsoft Corporate Vice President
    Brian Arbogast, the company will "document the comprehensive
    information security program that protects the security,
    confidentiality, and integrity of the personal information collected
    from our customers. We will also ensure that a third-party
    professional firm reviews, advises us, and ultimately certifies that
    our information-security program is designed and operates with
    sufficient effectiveness to provide reasonable assurances that the
    security, confidentiality, and integrity of every Passport user's
    information is protected. We will also ensure that all of the
    statements we make about the service are accurate and clear. Finally,
    we will strengthen training for all the managers involved with
    Passport, to ensure that they understand and comply fully with this
    order."
    
    The FTC also raised concerns about Kids Passport, particularly noting
    that children could bypass the controls their parents placed on the
    technology. Microsoft said that it has taken steps to remedy that
    situation by making Kids Passport more "kid-proof."
    
    The new agreement with the FTC will be in force for 20 years. To read
    more about Microsoft's perspective on the agreement, visit the Web
    site at the URL below. In related news, Microsoft has licensed
    security technology from RSA Security that will strengthen the
    authentication mechanisms .NET Passport uses. Be sure to read about
    that licensing agreement in the related news item in this newsletter.
       http://www.microsoft.com/presspass/features/2002/aug02/08-08passport.asp
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: REAL TIME MONITORING IS A SECURITY REQUIREMENT ~~~~
       A proactive IT Manager installed ELM Enterprise Manager 3.0 on his
    critical servers to assess the benefits of real time monitoring. A
    week later, EEM 3.0 paged him as a disgruntled employee was attempting
    to access confidential personal files. Within minutes, the hacker was
    escorted off company property. Use ELM Enterprise Manager 3.0 to
    monitor the health and status of your systems, protect your
    intellectual property, and prevent avoidable downtime. Download your
    FREE 30-day evaluation copy at:
       http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02Jr0A4
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * DoS IN ORACLE 9I APPLICATION SERVER FOR WINDOWS
       @stake discovered a Denial of Service (DoS) condition in Oracle 9i
    Application Server's Web Cache Manager Tool. An attacker who sends a
    specially formatted HTTP GET request to the port on which the Web
    Cache Administration process is listening can crash the administration
    process. The vendor, Oracle, has released Oracle Security Alert #43 to
    address this vulnerability but hasn't released a patch. The company
    will include a fix for this vulnerability in Oracle 9i Application
    Server 9.02.
       http://www.secadministrator.com/articles/index.cfm?articleid=26941
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT SERVICES FOR UNIX 3.0
       Three new vulnerabilities exist in the Interix SDK shipped with
    Microsoft Services for UNIX 3.0, one of which could let an attacker
    execute arbitrary code on the vulnerable system. These new
    vulnerabilities consist of an integer
    overflow in the XML Data Reduced (XDR) library, a buffer overrun in
    remote procedure calls (RPCs), and an RPC implementation error. The
    vendor, Microsoft, has released Security Bulletin MS02-057 (Flaw in
    Services for Unix 3.0 Interix SDK Could Allow Code Execution) to
    address these vulnerabilities and recommends that affected users
    immediately apply the patch mentioned in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=26889
    
    * BEARSHARE FILE-SHARING DIRECTORY TRAVERSAL VULNERABILITY
       A directory traversal vulnerability exists in the file-sharing
    program BearShare. This vulnerability stems from a flaw in the
    personal Web server portion of BearShare that could let an attacker
    view any file on the vulnerable system by issuing a specially crafted
    HTTP request. The vendor, Free Peers, has released version 4.0.6 to
    address the traversal issue described above, but the software is still
    vulnerable if an attacker uses certain HTTP requests, which the
    article lists. Free Peers hasn't yet addressed this second variant of
    the same problem.
       http://www.secadministrator.com/articles/index.cfm?articleid=26890
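    The BearShare item above describes the classic shape of a traversal fix
    that addresses one form of the request while another form still gets
    through. The following is an added example, not BearShare's code and not
    from the article: a file-serving check for a small personal Web server
    that percent-decodes the request, canonicalizes it against the share
    directory, and decides on the canonical path rather than on the raw
    request string. The document root and the sample requests are constructed
    for illustration.

```powershell
# Added example (not BearShare's code): refuse requests that resolve outside
# the share directory, whatever form the request string takes.
$DocRoot = 'C:\BearShare\Shared'   # assumed share directory (constructed)

function Resolve-SafePath {
    param([Parameter(Mandatory)][string]$RequestPath)

    # 1. Percent-decode until the string stops changing, so an encoded or
    #    doubly encoded traversal sequence is examined in its plain form.
    $decoded = $RequestPath
    do {
        $previous = $decoded
        $decoded  = [System.Uri]::UnescapeDataString($decoded)
    } while ($decoded -ne $previous)

    # 2. Normalise separators and strip the leading one so the path is relative.
    $relative = ($decoded -replace '/', '\').TrimStart('\')

    # 3. Canonicalise against the root; GetFullPath collapses "." and ".." segments.
    $rootFull = [System.IO.Path]::GetFullPath($DocRoot).TrimEnd('\') + '\'
    try {
        $candidate = [System.IO.Path]::GetFullPath((Join-Path $rootFull $relative))
    } catch {
        return $null   # malformed path (for example, illegal characters): refuse
    }

    # 4. Decide on the canonical path, not on the raw request string.
    if ($candidate.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $candidate
    }
    return $null       # resolves outside the share: refuse to serve
}

# Constructed requests: a legitimate one, a plain traversal, and an encoded
# variant that a filter matching only the literal "../" would miss.
$samples = @('/music/song.mp3', '/../outside.txt', '/..%5c..%5coutside.txt')
foreach ($s in $samples) {
    $result = Resolve-SafePath -RequestPath $s
    if ($null -eq $result) { "REJECT  $s" } else { "SERVE   $s -> $result" }
}
```

    Only the first request is served; the other two canonicalize to a path
    above the share root and are rejected by the same comparison, which is
    the property a string-matching filter on the raw request cannot give.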
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT SQL SERVER, MSDE 2000, AND
    MSDE 1.0
       Three new vulnerabilities exist in Microsoft SQL Server, Microsoft
    SQL Server Desktop Engine (MSDE) 2000, and Microsoft Data Engine
    (MSDE) 1.0, the most serious of which could let an attacker execute
    arbitrary code on the vulnerable system. The vulnerabilities are a
    buffer overrun in a section of code in SQL Server 2000 and MSDE 2000
    associated with user authentication, a buffer-overrun vulnerability
    that occurs in one of the Database Console Commands shipped as part of
    SQL Server 2000 and SQL Server 7.0, and a vulnerability associated
    with SQL Server 2000 and SQL Server 7.0 scheduled jobs. The vendor,
    Microsoft, has released Security Bulletin MS02-056 (Cumulative Patch
    for SQL Server) to address these vulnerabilities and recommends that
    affected users immediately apply the appropriate patch mentioned in
    the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=26888
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * THE EXCHANGE SOLUTIONS YOU'VE BEEN SEARCHING FOR!
       Our popular IT Buyers' Directories (ITBDs) are online catalogs of
    the hottest vendor solutions around. Our latest ITBD highlights the
    solutions and services that will help you protect, migrate, and
    administer your Exchange server. Download your copy today at
       http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05Ji0Ax
    
    * PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!
       "The Insider's Guide to IT Certification" eBook is hot off the
    presses and contains everything you need to know to help you save time
    and money while preparing for certification exams from Microsoft,
    Cisco Systems, and CompTIA and have a successful career in IT. Get
    your copy of the Insider's Guide today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw038F0A3
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: RSA SECURITY AND iREVOLUTION GIVE PASSPORT TWO-FACTOR
    AUTHENTICATION
       RSA Security and iRevolution announced a strategic relationship to
    provide two-factor authentication to Microsoft Passport. The two
    companies will create a solution designed to provide Passport users
    single sign-on (SSO) capabilities using RSA Mobile software.
       http://www.secadministrator.com/articles/index.cfm?articleid=26976
    
    * FEATURE: VENDOR-SPECIFIC SECURITY SETTINGS
       Ed Roth tells you how to configure Wired Equivalent Privacy (WEP)
    encryption settings for a variety of different wireless network gear,
    including SMC Networks, Linksys, D-Link Systems, NETGEAR, Siemens, and
    SOHOware.
       http://www.secadministrator.com/articles/index.cfm?articleid=26410
    
    * FEATURE: PALLADIUM'S GLACIAL APPROACH
       Palladium is based on the theory that software alone can't
    adequately protect users and data in our connected world. According to
    Microsoft, Palladium will do almost everything but balance your
    checkbook: It will stop viruses, worms, and spam; it will understand
    who you are and prevent malicious users from accessing information you
    intend to send to certain individuals; it will safeguard your privacy.
    Read Paul Thurrott's editorial about Palladium at the URL below.
       http://www.secadministrator.com/articles/index.cfm?articleid=26375
    
    5. ==== HOT RELEASES (ADVERTISEMENTS) ====
    
    * SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME
       Does your network depend on a Time Source that's outside your
    Firewall? Doesn't your network need an accurate clock source?
    Spectracom's NetClock/NTP (Network Time Provider) or NetClock/TM (Time
    Machine) can help you. See how at:
       http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw02fF0An
       http://list.winnetmag.com/cgi-bin3/flo?y=eNyZ0CJgSH0CBw05V20AG
    
    * PROTECT YOUR INFRASTRUCTURE
       How do you make sure only the right people access your vital
    systems? IBM can help build trust into your e-business relationships.
    Get the IBM white paper, "Linking Security Needs to e-business
    Evolution" at http://www.ibm.com/e-business/playtowin/n296
    
    6. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: USING SNORT
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question, "Do
    you use Snort to implement an Intrusion Detection System (IDS) on your
    network?" Here are the results (+/- 2 percent) from the 1220 votes:
       -  91% Yes
       -   9% No
    
    * NEW INSTANT POLL: MICROSOFT .NET PASSPORT
       The next Instant Poll question is, "Do you currently use Microsoft
    .NET Passport?" Go to the Security Administrator Channel home page and
    submit your vote for a) Yes, or b) No.
       http://www.secadministrator.com
    
    7. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I CONFIGURE THE GRACE PERIOD THAT WINDOWS USES FOR
    PASSWORD-PROTECTED SCREEN SAVERS?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. By default, when you activate a password-protected screen saver,
    Windows provides a brief grace period during which keyboard and mouse
    activity will stop the screen saver and let you access the system
    without having to enter the password. To modify this grace period,
    perform the following steps:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon registry subkey.
       3. From the Edit menu, select New, DWORD Value.
       4. Enter a name of ScreenSaverGracePeriod, then press Enter.
       5. Double-click the new value, set the "Value data" to the number
    of seconds (from 0 to 2,147,483) that you want to use for the grace
    period, set the Base type to decimal, then click OK.
       6. Restart the machine for the change to take effect.
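    The grace period in the FAQ above is a window during which a locked,
    password-protected screen saver can be dismissed without a password, so an
    administrator will usually want to audit it across machines and tighten
    it. The following PowerShell is an added example, not part of John
    Savill's FAQ: it reads, validates, and sets the registry value from steps
    2 through 5, and flags a grace period above a policy threshold. The
    5-second threshold is an assumed local policy value, not a Windows
    default; the key path, value name, and 0 to 2,147,483 range come from the
    FAQ. Run it from an elevated prompt.

```powershell
# Added example, not part of the FAQ: audit and set ScreenSaverGracePeriod.
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'  # subkey from step 2
$ValueName  = 'ScreenSaverGracePeriod'                                       # value name from step 4
$MaxSeconds = 2147483                                                        # upper bound from step 5

function Get-ScreenSaverGracePeriod {
    # Returns the configured grace period in seconds, or $null when the value
    # is absent (Windows then uses its built-in default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ScreenSaverGracePeriod {
    param([Parameter(Mandatory)][int]$Seconds)
    if ($Seconds -lt 0 -or $Seconds -gt $MaxSeconds) {
        throw "Grace period must be between 0 and $MaxSeconds seconds"
    }
    # Creates the value if it does not exist; DWORD matches step 3 of the FAQ.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Seconds -Type DWord
    Write-Warning "Restart the machine for the new value ($Seconds s) to take effect (step 6)."
}

function Test-ScreenSaverGracePeriod {
    # Audit helper: $MaxAllowed is an assumed policy threshold, not a Windows default.
    param([int]$MaxAllowed = 5)
    $current = Get-ScreenSaverGracePeriod
    if ($null -eq $current) {
        return "No explicit $ValueName value; the Windows built-in default applies."
    }
    if ($current -gt $MaxAllowed) {
        return "WARNING: grace period is $current s, above the policy limit of $MaxAllowed s."
    }
    return "Grace period is $current s (within the policy limit of $MaxAllowed s)."
}

# Usage: audit first; uncomment the second line to close the window entirely.
Test-ScreenSaverGracePeriod
# Set-ScreenSaverGracePeriod -Seconds 0
```

    Setting the value to 0 removes the unauthenticated window altogether; as
    the FAQ notes, the change takes effect only after a restart, so an audit
    that reads the registry reports the value that will apply after the next
    reboot, not necessarily the one currently in force.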
    
    8. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * INTEGRATED SECURITY SOLUTIONS FOR USB KEYS AND SSL ACCELERATION
       Rainbow Technologies eSecurity and i-Security Solutions Limited
    (i-SSL) announced a partnership to integrate Rainbow's iKey and
    CryptoSwift products with i-SSL's i-Secur products. The partnership
    will provide one-stop, seamlessly integrated security services and
    solutions to customers in the Asian Pacific IT security market. "Our
    partnership with Rainbow further enhances our ability to create,
    deliver and support world-class security solutions tailored to the
    specific needs of Asian and international customers," said Frederick
    Chang, CEO of i-SSL. "Rainbow's security solutions complement our
    i-Secur suite of products to provide user-friendly e-applications
    embedded with strong security measures." Contact Rainbow at
    949-450-7377 or go to the Web sites listed below.
       http://www.rainbow.com
       http://www.issl.com.hk
    
    * TIPS FOR TROUBLESHOOTING AND PREVENTING INTERNET-BASED COMPUTER
    INTRUSIONS
       Sybex released "Absolute PC Security and Privacy" by Michael
    Miller, a solutions-oriented book that shows users how to detect and
    seal security holes, how to reduce the chance of attack, and how to
    recognize when an attack is underway and stop it in progress. The book
    contains solutions for addressing the most common Internet-based
    intrusions including viruses, privacy theft, and email spam. Written
    for average computer users, Miller's book offers easy-to-follow
    instructions and practical advice. The book (ISBN 0-7821-4127) costs
    $34.99. Contact Sybex at its Web site for more information.
       http://www.sybex.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    9. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Port Mappings
       (Five messages in this thread)
    
    A reader wants to know about any articles or Web sites that offer a
    list of ports and maps those ports to malicious applications such as
    Trojan horses or known intruder tools. Such Web pages do exist, as the
    responses demonstrate.
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=47344
    
    10. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    __________________________________________________________
    Copyright 2002, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 02:33:30 PDT