[ISN] Security UPDATE, November 13, 2002

From: InfoSec News (isnat_private)
Date: Wed Nov 13 2002 - 23:35:56 PST

    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    FREE Security Assessment Tool!
       http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GA0Aw
    
    Tips & Tricks Web Summit
       http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05nz0AX
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: FREE SECURITY ASSESSMENT TOOL! ~~~~
       Do you comply with industry security regulations or corporate
    security policies? Download the FREE Aelita InTrust(tm) Audit Advisor
    to identify systems that are not compliant with industry standard
    security policies, such as those published by SANS and the NSA, or
    your company specific policies. Then check out Aelita InTrust to
    consolidate IT audit data and produce compliance reports for industry
    regulations and policies.  Download your FREE tool today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GA0Aw
    ~~~~~~~~~~~~~~~~~~~~
    
    November 13, 2002--In this issue:
    
    1. IN FOCUS
         - Security Assertion Markup Language
    
    2. SECURITY RISKS
         - Buffer-Overrun Vulnerability in Oracle iSQL
         - DoS in Microsoft Windows XP and Win2K PPTP
         - Multiple Vulnerabilities in Microsoft IIS 5.1, 5.0, and 4.0
    
    3. ANNOUNCEMENTS
         - How Can You Reclaim 30% to 50% of Windows Server Space?
         - Give Us Your Feedback and Be Entered to Win a Digital Camera
    
    4. SECURITY ROUNDUP
         - News: Common Criteria Configuration Guides for Win2K
         - Feature: EventComb: It's Free; It's Essential; Get It!
         - Fire & Water Toolkit Beta Available
    
    5. HOT RELEASES (ADVERTISEMENTS)
         - Focus your IT resources
         - Test Your Web Applications for Security Flaws!
    
    6. INSTANT POLL
         - Results of Previous Poll: Reading the EULA
         - New Instant Poll: Using SAML
    
    7. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Clear My Customized Folder Settings in Windows
           XP?
    
    8. NEW AND IMPROVED
         - User-Friendly Finger Image Reader
         - Security Solution for Network Clients and Remote Users
         - Submit Top Product Ideas
     
    9. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Securing Servers Under Insecure Conditions
         - HowTo Mailing List
             - Featured Thread: Promoting a DC
     
    10. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * SECURITY ASSERTION MARKUP LANGUAGE
    
    Last week, the Organization for the Advancement of Structured
    Information Standards (OASIS) approved Security Assertion Markup
    Language (SAML) 1.0 as an OASIS Open Standard after a long development
    effort. SAML defines an XML format for security assertions (statements
    about a subject's authentication, attributes, or authorization
    decisions) and a request/response protocol for obtaining them, so that
    Web sites in different security domains can exchange that information.
    That exchange is a basic building block of federated networks.
       http://www.oasis-open.org/committees/security
    
    In April 2002, Microsoft, IBM, and VeriSign announced Web Services
    Security (WS-Security), and in the June 12, 2002, Security UPDATE
    commentary, I discussed WS-Security to some extent (see the first URL
    below). The specification defines how to attach security tokens to
    SOAP messages and is designed to carry several kinds of them,
    including Kerberos tickets, public key infrastructure (PKI)
    certificates, Extensible Rights Markup Language (XrML) licenses, and
    SAML assertions; it complements transport protection such as Secure
    Sockets Layer (SSL)/Transport Layer Security (TLS) rather than
    replacing it. Separately, Sun Microsystems and the other members of
    the Liberty Alliance are developing their own federated network
    technology.
       http://www.secadministrator.com/articles/index.cfm?articleid=25593
       http://www.ws-i.org
    
    According to James Kobielus, senior analyst at Burton Group, "SAML 1.0
    supports secure interchange of authentication and authorization
    information by leveraging the core Web services standards of
    Extensible Markup Language (XML), Simple Object Access Protocol
    (SOAP), and Transport Layer Security (TLS). Most vendors of Web access
    management solutions have committed to SAML 1.0 and are currently
    implementing the specification in their products."
       http://www.oasis-open.org/news/oasis_news_11_06_02.shtml
    
    Joe Pato of Hewlett-Packard (HP), co-chair of the OASIS Security
    Services Technical Committee, said that a major SAML design goal was
    single sign-on (SSO) capabilities, which would let users authenticate
    in one domain and access resources in another domain. SAML 1.0
    includes that capability. In addition, according to Pato, "Several
    profiles of SAML are currently being defined that support different
    styles of SSO and the securing of SOAP payloads."
    
    If you're completely unfamiliar with WS-Security, read Christa
    Anderson's summary of the technology, which helps explain what it is
    and what it can do. You'll find her article, "WS-Security Sets
    Standard for Web Services Transactions" at the URL below.
       http://www.secadministrator.com/articles/index.cfm?articleid=24401
    
    If you're a Web developer or you administer Web server security, you
    should read about SAML assertions and protocols. The document at the
    first URL below (the SAML core specification) defines their syntax and
    semantics. A second document (see the second URL below) explains how
    SAML fits with WS-Security: it describes how to carry SAML assertions
    as security tokens inside WS-Security headers and how to bind an
    assertion to the SOAP message it accompanies, so that a receiver can
    tell not only who the sender claims to be but also under what
    conditions (issuer, validity period, intended audience) the assertion
    may be relied upon.
       http://www.oasis-open.org/committees/security/docs/cs-sstc-core-01.pdf
       http://www.oasis-open.org/committees/security/docs/draft-sstc-ws-sec-profile-04.pdf
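    The following is an added example, not code from the newsletter, from
    OASIS, or from any vendor named above. It shows the shape of a SAML 1.0
    assertion carried in a WS-Security header and the checks a relying
    party must make before acting on it: the assertion is signed, comes
    from an issuer we trust, is inside its validity window, and names us
    as its audience. The SOAP message, the issuer idp.example.com, the
    audience https://app.example.com/, and the subject "alice" are
    constructed for the example; the WS-Security namespace used is the
    2002 draft one and is an assumption. Signature verification itself
    needs an XML-DSig implementation and the issuer's key, so the example
    only insists that a signature element is present and says so.

```python
"""Added example: extract a SAML 1.0 assertion from a WS-Security header and
run the relying-party checks. Not from the newsletter or any OASIS document."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    # Assumed: the 2002 draft WS-Security namespace (the final OASIS URI differs).
    "wsse": "http://schemas.xmlsoap.org/ws/2002/07/secext",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a SOAP request whose Security header carries a bearer
# assertion from a hypothetical identity provider, idp.example.com.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
       MajorVersion="1" MinorVersion="0"
       AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
       Issuer="idp.example.com" IssueInstant="2002-11-13T10:00:00Z">
    <saml:Conditions NotBefore="2002-11-13T10:00:00Z" NotOnOrAfter="2002-11-13T10:05:00Z">
     <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.example.com/</saml:Audience>
     </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2002-11-13T09:59:58Z">
     <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation>
       <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
     </saml:Subject>
    </saml:AuthenticationStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">placeholder</ds:Signature>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""


def utc(stamp):
    """Parse the UTC timestamps SAML 1.0 uses, e.g. 2002-11-13T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(soap_xml, audience, trusted_issuers, now, skew=timedelta(seconds=30)):
    """Return (ok, reason, subject) for the assertion in the Security header.

    Signature *verification* needs an XML-DSig library and the issuer's key;
    here we only require that a Signature element exists. A production
    relying party verifies it first, before trusting any other field.
    """
    env = ET.fromstring(soap_xml)  # for untrusted input use a hardened parser (defusedxml)
    assertion = env.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return False, "no SAML assertion in Security header", None
    if (assertion.get("MajorVersion"), assertion.get("MinorVersion")) != ("1", "0"):
        return False, "unsupported SAML version", None
    if assertion.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned", None
    if assertion.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer %r" % assertion.get("Issuer"), None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "assertion carries no expiry", None   # policy: refuse open-ended assertions
    not_before = cond.get("NotBefore")
    if not_before and now + skew < utc(not_before):
        return False, "assertion not yet valid", None
    if now - skew >= utc(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    # Policy: a bearer assertion with no audience restriction could be replayed
    # to any site that trusts the issuer, so we require to be named explicitly.
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion not intended for %s" % audience, None
    name = assertion.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None:
        return False, "no authenticated subject", None
    return True, "ok", name.text


if __name__ == "__main__":
    print(check_assertion(SAMPLE_SOAP, "https://app.example.com/",
                          {"idp.example.com"}, utc("2002-11-13T10:02:00Z")))
```

    The order of the checks matters: issuer and signature come before the
    time window and audience, because an attacker who controls the
    assertion text controls every other field as well. The clock skew is
    deliberately small; the assertion in the sample is valid for five
    minutes, which is the kind of short lifetime a bearer token needs.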
    
    But there's a catch regarding Microsoft's implementation of SAML. In
    July, "Network World Fusion" (see the first URL below) reported that
    Microsoft is implementing SAML 1.0, but only to a limited extent. In
    the article, Kobielus said, "[Microsoft is] not implementing the full
    suite of SAML assertions and profiles the way others are ... At some
    point you have to ask what is the purpose, if Microsoft is going to do
    it their own way." The article points out that Microsoft used the same
    tactic when the company implemented Kerberos in Windows 2000. To learn
    more about how Microsoft implements SAML, be sure to read the related
    Microsoft document, "WS-Security Profile for XML-based Tokens," on the
    Microsoft Web site (see the second URL below).
       http://www.nwfusion.com/news/2002/0716msla.html
       http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security-xml-tokens.asp
    
    According to OASIS, Baltimore Technologies, BEA Systems, Computer
    Associates (CA), Entrust, HP, Hitachi, IBM, Netegrity, Oblix,
    OpenNetwork, Quadrasis, RSA Security, Sun, VeriSign, and other members
    of the OASIS Security Services Technical Committee developed the SAML
    OASIS Open Standard.
    
    Many vendors support SAML, and some of you might have begun using the
    technology before its official approval. Please participate in our
    Instant Poll this week and tell us whether you use SAML or some other
    credential technology for your Web applications.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: TIPS & TRICKS WEB SUMMIT ~~~~
       ATTEND OUR FREE TIPS & TRICKS WEB SUMMIT
       Join us on December 19th for our Tips & Tricks Web Summit featuring
    three eye-opening events: Disaster Recovery Tips & Tricks, Intrusion
    Detection: Win2K Security Log Secrets, and Merging Exchange Systems:
    Tips for Managing 5 Key Challenges. There is no charge for this event,
    but space is limited so register today!        
     http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05nz0AX
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * BUFFER-OVERRUN VULNERABILITY IN ORACLE ISQL
       A vulnerability exists in Oracle's iSQL*Plus Web-based application
    that lets an attacker compromise the vulnerable system and obtain
    system-level access. The vulnerability stems from a buffer-overflow
    condition in the iSQL*Plus application. The vendor, Oracle, has
    released Security Alert #46 to address this vulnerability and
    recommends that affected users apply the appropriate patch mentioned
    in the alert.
       http://www.secadministrator.com/articles/index.cfm?articleid=27240
    
    * DoS IN MICROSOFT WINDOWS XP AND WIN2K PPTP
       A Denial of Service (DoS) vulnerability exists in Windows XP and
    Windows 2000 PPTP. This DoS vulnerability results from an unchecked
    buffer in a section of code that processes the control data used to
    establish, maintain, and tear down PPTP connections. The vendor,
    Microsoft, has released Security Bulletin MS02-063 (Unchecked Buffer
    in PPTP Implementation Could Enable Denial of Service Attacks) to
    address this vulnerability and recommends that affected users apply
    the appropriate patch mentioned in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=27227
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT IIS 5.1, 5.0, AND 4.0
       Four new vulnerabilities exist in Microsoft IIS 5.1, 5.0, and 4.0.
    The most serious problem lets an attacker escalate privileges on the
    Web server. Another problem results in a Denial of Service (DoS)
    condition on the vulnerable server. The vendor, Microsoft, has
    released Security Bulletin MS02-062 (Cumulative Patch for Internet
    Information Service) to address these vulnerabilities and recommends
    that affected users apply the appropriate patch mentioned in the
    bulletin. The patch is cumulative: it includes all previously released
    security fixes for these IIS versions, so applying it also closes any
    earlier IIS holes you might have missed.
       http://www.secadministrator.com/articles/index.cfm?articleid=27228
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * HOW CAN YOU RECLAIM 30% TO 50% OF WINDOWS SERVER SPACE?
       Attend our newest Web seminar, brought to you by Windows & .NET
    Magazine and Precise SRM, and discover the secrets. Steven Toole will
    also advise you on how to reduce storage growth and backups by 30% and
    how to reduce storage administration by 25% or more. Space is limited
    for this important Web event, so register today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06A10Aa
    
    * GIVE US YOUR FEEDBACK AND BE ENTERED TO WIN A DIGITAL CAMERA
       Internet filtering is becoming a financial and legal concern for
    companies of all sizes. Complete our brief survey about the topic and
    you could win a digital camera. Click here!
       http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05zl0AV
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: COMMON CRITERIA CONFIGURATION GUIDES FOR WIN2K
       In conjunction with the announcement that Windows 2000 received
    Common Criteria certification at Evaluation Assurance Level 4 (EAL4),
    augmented with flaw remediation, Microsoft released two new guides,
    the "Common Criteria Evaluated Configuration User's Guide," and the
    "Common Criteria Evaluated Configuration Administrator's Guide," which
    help people configure the OS securely. Keep in mind that the
    certification applies only to the evaluated configuration those
    guides describe, not to Win2K as installed by default.
       http://www.secadministrator.com/articles/index.cfm?articleid=27178
    
    * FEATURE: EVENTCOMB: IT'S FREE; IT'S ESSENTIAL; GET IT!
       EventComb is a new free tool from Microsoft that lets you search the
    event logs of many machines at once, in parallel, for specific event
    IDs, event sources, or text, which makes it practical to hunt for an
    account lockout or a suspicious logon across every domain controller
    instead of opening each log by hand. EventComb ships with the
    Microsoft document "Security Operations Guide for Windows 2000
    Server." To obtain EventComb, go to Microsoft's Web site (the URL is
    linked in this article) and download secops.exe. When you run
    secops.exe, the program creates a folder called SecurityOps. Within
    SecurityOps is a folder named EventComb, which contains a compiled
    HTML Help file and the EventComb program.
       http://www.secadministrator.com/articles/index.cfm?articleid=27132
    
    * NEWS: FIRE & WATER TOOLKIT BETA AVAILABLE
       NTObjectives (NTO) announced that its new Fire & Water Toolkit is
    now available for public beta. The toolkit is an assessment and
    defense tool that you can use on local and remote networks. NTO said,
    "Fire & Water is a collection of cohesive, interactive command-line
    tools that perform network discovery, mapping, assessment, and
    reporting, as well as robust Web server defense." Because the tools
    exchange XML, Fire & Water can chain multiple scans and feed one
    tool's results into the next, and it can present the output on the
    command line, as Comma Separated Value (CSV) files, as HTML reports
    (generated with the Extensible Stylesheet Language (XSL) templates
    provided with the tools), or in custom report formats.
       http://www.secadministrator.com/articles/index.cfm?articleid=27273
    
    5. ==== HOT RELEASES (ADVERTISEMENTS) ====
    
    * FOCUS YOUR IT RESOURCES
       Learn how better infrastructure management practices can speed the
    integration of e-business enterprises, while providing assurance of
    continuous availability, flexibility and scalability. Get the IBM
    white paper, "Infrastructure Resource Management: A Holistic
    Approach," at
       http://www.ibm.com/e-business/playtowin/n339
    
    * TEST YOUR WEB APPLICATIONS FOR SECURITY FLAWS!
       ALERT! "Outsmart Web Application Attackers"
       75% of today's successful hacks involve Web Application attacks
    such as SQL Injection and Cross-Site Scripting. All undetectable by
    Firewalls and IDS!
       FREE 15 Day Product Trial which delivers a Comprehensive
    Vulnerability Report
       http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GB0Ax
    
    6. ==== INSTANT POLL ====
     
    * RESULTS OF PREVIOUS POLL: READING THE EULA
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question, "Do
    you read the End User License Agreement (EULA) before you install new
    software?" Here are the results (+/- 2 percent) from the 540 votes:
       -  3% Always
       - 19% Sometimes
       - 31% Rarely
       - 46% Never
     
    * NEW INSTANT POLL: USING SAML
       The next Instant Poll question is, "Do you use Security Assertion
    Markup Language (SAML) for security in your Web applications?" Go to
    the Security Administrator Channel home page and submit your vote for
    a) Yes, b) No, c) Not yet, but we will, d) No--We use Extensible
    Rights Markup Language (XrML), and e) No--We use other security
    technology.
       http://www.secadministrator.com
    
    7. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I CLEAR MY CUSTOMIZED FOLDER SETTINGS IN WINDOWS XP?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. To clear any customized folder settings, perform the following
    steps:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to the
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell registry subkey.
       3. Delete the Bags and BagMRU subkeys.
       4. Navigate to the
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam registry
    subkey.
       5. Delete the Bags and BagMRU subkeys.
       6. Close the registry editor, then reboot the machine for the
    changes to take effect.
    Note that these subkeys also record which folders the user has
    opened, so deleting them destroys that history; don't do this on a
    machine that is the subject of an investigation.
    
    8. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * USER-FRIENDLY FINGER IMAGE READER
       Biometric Access Corporation (BAC) announced a USB model of the
    SecureTouch PC, the company's latest computer/network control product.
    The USB model PC replaces its predecessor, the SecureTouch 2000. The
    product secures employee workstations, protects patient health
    records, grants access to transaction-authorization codes, clocks
    in/out on time and attendance applications, and enables manager
    override approvals on point-of-sale systems. SecureTouch PC runs on
    Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x.
    Contact BAC for pricing information at 800-873-4133 or go to the Web
    site for more information.
       http://www.biometricaccess.com
    
    * SECURITY SOLUTION FOR NETWORK CLIENTS AND REMOTE USERS
       Symantec announced Symantec Client Security, an integrated security
    solution for network clients and remote users. Symantec Client
    Security integrates antivirus, personal firewall, and
    intrusion-detection technologies to effectively protect desktops
    against today's blended threats. To reduce administration time,
    administrators can easily deploy Symantec Client Security by using one
    of three prepackaged installations--full installation, lightly
    managed, and thin client (the smallest possible footprint without
    sacrificing protection). For pricing information, contact Symantec at
    408-517-8000.
       http://www.symantec.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    9. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Securing Servers Under Insecure Conditions
       (Eight messages in this thread)
    
    A user writes that he has a client who has servers located in
    facilities without locked rooms. Some of the servers run Windows NT
    4.0 and some run Windows 2000. He wonders how to secure servers at
    these sites when he can't physically lock the server in a room. Read
    the responses or lend a hand at the following URL:
       http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=49147
    
    * HOWTO MAILING LIST
       http://63.88.172.96/listserv/page_listserv.asp?a0=howto
    
    Featured Thread: Promoting a DC
       (Nine messages in this thread)
    
    A user writes that he has two Windows 2000 servers. One of them is the
    PDC and the other is a BDC. The PDC suffered a hard drive error. He
    wonders how to promote the BDC to take the PDC's place. Win2K domain
    controllers are peers in Active Directory, so there is no BDC to
    promote; what remains of the PDC is the PDC Emulator operations
    master role, which must be transferred to the surviving DC (or seized
    if the failed DC is gone for good). Read what other users have said
    or lend a hand at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?A2=IND0211A&L=HOWTO&P=1861
    
    10. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 02:37:13 PST