[ISN] Security UPDATE, February 5, 2003

From: InfoSec News (isnat_private)
Date: Wed Feb 05 2003 - 22:16:51 PST


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows Server 2003, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Black Hat Windows Security Briefings & Training
       http://list.winnetmag.com/cgi-bin3/flo/y/ePUv0CJgSH0CBw0pHV0AV
    
    Windows Powered NAS Web Seminar
       http://list.winnetmag.com/cgi-bin3/flo/y/ePUv0CJgSH0CBw07Ra0At
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: BLACK HAT WINDOWS SECURITY BRIEFINGS & TRAINING ~~~~
       Spooked about Windows security? Getting "slammed" hard by worms? 
    Find all of the solutions at Black Hat Windows Security Briefings &
    Training, February 24-27 in Seattle, the world's premier technical
    event for Windows security experts. All of the top experts you've read
    about recently are speaking. Fully supported by Microsoft, with new MS
    hosted training sessions just added! 
    Visit http://list.winnetmag.com/cgi-bin3/flo/y/ePUv0CJgSH0CBw0pHV0AV to
    register.
    ~~~~~~~~~~~~~~~~~~~~
    
    February 5, 2003--In this issue:
    
    1. IN FOCUS
         - Report Says Cyber Threats Rising, New Areas of Risk
    
    2. SECURITY RISKS
         - Session Authentication Vulnerability in Compaq Insight Manager
         - DoS in Microsoft Win2K Terminal Services
    
    3. ANNOUNCEMENTS
         - Don't Miss Our 2 New Security Web Seminars in March!
         - Windows & .NET Magazine Connections: Learn from the Writers You
           Know and Trust
    
    4. SECURITY ROUNDUP
         - News: Microsoft Renames Palladium, Gives Up Trademark Hunt
         - Feature: SQL Server SP3: To Install or Not to Install?
         - News: Microsoft Revised Five Security Bulletins
    
    5. INSTANT POLL
         - Results of Previous Poll: Security Administrative Duties
         - New Instant Poll: Slammer/Sapphire Worm
    
    6. SECURITY TOOLKIT
         - Virus Center
            - Virus Alert: W32/SQLSlammer
         - FAQ: Having Trouble Enabling SSL on Your Site?
    
    7. NEW AND IMPROVED
         - Centrally Manage Sidewinder Firewalls
         - Capture and Analyze Your Network Traffic
         - Submit Top Product Ideas
    
    8. HOT THREAD
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Do IPSec Policies Slow Server Response?
         - HowTo Mailing List:
             - Featured Thread: Are MAILTO and POST Safe for Transactions?
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * REPORT SAYS CYBER THREATS RISING, NEW AREAS OF RISK
    
    One glaringly apparent aspect of the Slammer/Sapphire worm is that it
    didn't carry a destructive payload. That is, it did no damage to the
    systems to which it propagated. Instead, it consumed huge amounts of
    bandwidth because it could spread so rapidly. For a great technical
    analysis of the worm, visit one of the URLs below:
       http://www.caida.org/analysis/security/sapphire/
       http://www.silicondefense.com/sapphire/
       http://www.cs.berkeley.edu/~nweaver/sapphire/
    
    Unlike Slammer/Sapphire, many intrusive pieces of code have carried
    destructive payloads, and some of them also propagated by a variety of
    means, including through file systems, file-sharing systems, email
    systems, and open ports with vulnerable services. Nimda, Opaserv,
    Bugbear, and Klez are examples of such malicious code.
    
    This week, Symantec released the "Symantec Internet Security Threat
    Report, Volume III," available at the URL below. According to the new
    report, the Opaserv, Bugbear, and Klez threats alone accounted for
    nearly 80 percent of all malicious code during the past 6 months.
    Symantec says we should expect to see even more virus and worm
    intrusions that use a blended type of attack.
       http://enterprisesecurity.symantec.com/content.cfm?articleid=1539
    
    The report states that "the variety of threat types that facilitate
    compromises of data/system availability, confidentiality, and
    integrity is clearly increasing. While historical data analysis
    indicates that Windows 32 threats, blended threats, and
    self-replicating mass-mailers are all on the rise, there are several
    risks based on market analysis that also warrant close attention."
    
    Those risks include Instant Messaging (IM), peer-to-peer (P2P)
    applications, and mobile devices. Symantec's report states that
    according to Gartner, as of fourth quarter 2002, about 70 percent of
    enterprises use unmanaged IM software on their networks. As a result
    of IM's popularity, we might see virus and worm designers begin to use
    IM applications to spread code more widely than ever before.
    
    P2P networks are in the same boat as IM networks. Napster made P2P
    networks hugely popular, and since Napster's demise, other popular
    networks have cropped up (e.g., KaZaA, LimeWire, Morpheus). Infectious
    code has already traversed P2P networks. And as P2P application use
    rises, so does the potential for virus and worm propagation.
    
    Wireless networking is hugely popular and growing by leaps and bounds. Many
    businesses already use wireless LANs (WLANs) to support countless
    mobile laptop users, and to a lesser extent, mobile PDA users, such as
    those who use Palm and Research In Motion's (RIM's) BlackBerry. As the
    computing power of new mobile devices (including cell phone/PDA
    combinations) increases, so does the risk of virus and worm intrusion.
    Symantec points out that the "always-on" nature of such devices, as
    well as their tendency to be remotely connected to sensitive data,
    will attract intrusion attempts.
    
    So when I consider little worms such as Slammer/Sapphire in
    conjunction with intrusive nuisances such as Nimda (or Opaserv,
    Bugbear, and Klez) and the many systems on the Internet with unpatched
    vulnerabilities, what comes to mind is a stage set for a more serious
    disaster. And Symantec's overall report points out that potential.
    
    We need to realize that someday, probably sooner than later, someone
    will likely release an incredibly nasty worm that will wreak havoc on
    systems by using every point of attack it can find. To be as prepared
    as possible, you need to use the most up-to-date antivirus software,
    firewalls, Intrusion Detection Systems (IDSs), and monitoring
    solutions possible. You must also audit your systems regularly to
    ensure compliance with your security policies. Because as we saw with
    Slammer/Sapphire, if you aren't part of the solution, you are or might
    become part of the problem.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: WINDOWS POWERED NAS WEB SEMINAR ~~~~
       NEW WEB SEMINAR: AN INTRODUCTION TO WINDOWS POWERED NAS
       Would you like to find out how to consolidate your Windows NT
    file servers while reducing costs? Or, do you need to formulate a
    solid disaster recovery plan? Mark Smith, a former MIS manager and
    founder of Windows & .NET Magazine, will illustrate how Windows
    Powered NAS can help you address these issues and more -- without
    impacting day-to-day business.
       Register today at:
       http://list.winnetmag.com/cgi-bin3/flo/y/ePUv0CJgSH0CBw07Ra0At
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * SESSION AUTHENTICATION VULNERABILITY IN COMPAQ INSIGHT MANAGER
       An authentication vulnerability in Hewlett-Packard's (HP's) Compaq 
    Insight Manager HTTP 5.1.0 can let a nonprivileged user access the 
    system. If a legitimate user logs on to the Web Agent Service through 
    HTTP Secure (HTTPS) on port 2301 and doesn't use the logout function, 
    the session remains valid for 15 minutes, even after the browser is 
    closed. This time frame can let a nonprivileged user on the same system 
    log on with privileged access. Compaq says that version 5.3 isn't 
    vulnerable to this condition.
       http://www.secadministrator.com/articles/index.cfm?articleid=37863
    
    * DoS IN MICROSOFT WIN2K TERMINAL SERVICES
       A vulnerability in Windows 2000 Server Terminal Services can let a
    malicious user force a reboot of the terminal server. Microsoft hasn't
    released a fix or a response. The discoverer's posted workaround for
    Win2K suggests removing all permissions on msgina.dll for Power Users,
    Users, and Everyone.
       http://www.secadministrator.com/articles/index.cfm?articleid=37878
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * DON'T MISS OUR 2 NEW SECURITY WEB SEMINARS IN MARCH!
       Windows & .NET Magazine has two new Web seminars to help you
    address your security concerns. There is no fee to attend "Selling the
    Importance of Security: 5 Ways to Get Your Manager's Attention" and
    "Building an Ultra Secure Extranet on a Shoe String," but space is
    limited, so register today!
       http://list.winnetmag.com/cgi-bin3/flo/y/ePUv0CJgSH0CBw02lB0Aj
    
    * WINDOWS & .NET MAGAZINE CONNECTIONS: LEARN FROM THE WRITERS YOU KNOW
    AND TRUST
       In-depth coverage by the world's top gurus of Windows security:
    Keeping Up with Service Packs and Security Patches, Identity
    Management with PKI, Implementing Security with Group Policy, Defend
    your networks by planning your own "Hack Attack," Using Event Logs to
    identify intruder activity, Securing wireless LANs, Managing AD
    Security with ADSI and WSH, Making IIS a Secure Web Server, and more.
       http://list.winnetmag.com/cgi-bin3/flo/y/ePUv0CJgSH0CBw0KXQ0A4
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: MICROSOFT RENAMES PALLADIUM, GIVES UP TRADEMARK HUNT
       Microsoft has revealed that it has given up trying to trademark
    "Palladium," the term it had given to its secure computing initiative.
    The company says that the technologies once called Palladium will now
    go by the name Next Generation Secure Computing Base, which it feels
    is more accurate and mature.
       http://www.secadministrator.com/articles/index.cfm?articleid=37770
    
    * FEATURE: SQL SERVER SP3: TO INSTALL OR NOT TO INSTALL?
       Microsoft released SQL Server 2000 Service Pack 3 (SP3) on January
    17, raising the inevitable question, "To install or not to install?"
    SQL Server Product Support Services (PSS) recommends applying the
    latest service pack even if you're not aware of a specific fix that
    will help you. If you're contemplating whether to install this service
    pack (especially because it helps protect against attacks such as the
    Slammer/Sapphire worm), be sure to read what Brian Moran has to say
    about it.
       http://www.secadministrator.com/articles/index.cfm?articleid=37857
    
    * NEWS: MICROSOFT REVISED FIVE SECURITY BULLETINS
       Microsoft has recently revised five security bulletins: MS02-071
    (Flaw in Windows WM_TIMER Message Handling Could Enable Privilege
    Escalation), MS02-039 (Buffer Overruns in SQL Server 2000 Resolution
    Service Could Enable Code Execution), MS02-056 (Cumulative Patch for
    SQL Server), MS02-043 (Cumulative Patch for SQL Server), MS02-032 (26
    June 2002 Cumulative Patch for Windows Media Player). Security
    bulletin MS02-061 supersedes bulletins MS02-039, MS02-056, and
    MS02-043; technicians made notes about patch loading order in
    conjunction with hotfix 317748. The revision to MS02-032 fixes a
    broken link to the related patch.
       http://www.secadministrator.com/articles/index.cfm?articleid=37905
    
    5. ==== INSTANT POLL ====
     
    * RESULTS OF PREVIOUS POLL: SECURITY ADMINISTRATIVE DUTIES
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Does your company use Microsoft Internet Security and Acceleration
    (ISA) Server 2000?" Here are the results from the 168 votes.
    (Deviations from 100 percent are due to rounding errors.)
       - 64% Tightening general security
       - 17% Defending against network attacks
       -  5% Defending against Web site attacks
       -  8% Filtering Junk email
       -  5% Controlling employee surfing habits
     
    * NEW INSTANT POLL: SLAMMER/SAPPHIRE WORM
       The next Instant Poll question is, "Did the Slammer/Sapphire worm
    directly affect your network, connectivity, or computerized activities?"
    Go to the Security Administrator Channel home page and
    submit your vote for a) Yes or b) No.
       http://www.secadministrator.com
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * VIRUS ALERT: W32/SQLSlammer
       Slammer is a worm that has the following characteristics:
       - It attacks only servers that run Microsoft SQL Server or
    Microsoft SQL Server Desktop Engine (MSDE).
       - It carries out its infection by exploiting a buffer-overrun
    vulnerability in SQL servers that don't have Service Pack 3 (SP3)
    installed.
       - Its strategy involves sending out multiple 376-byte files that
    contain the worm's code.
    
    Indications that Slammer has infected a machine include heavy traffic
    to UDP port 1434--the SQL Server Resolution Service Port.
       http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusid=1350
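    The alert above gives a compact network signature for the worm: UDP, destination port 1434, 376-byte payload, and a flood of such datagrams from one source to many targets. The script below is an added example (not from the newsletter or from Panda's advisory) that applies that signature to flow-log lines and flags sources by volume and destination spread rather than on a single match. The log format, the sample lines, and the window/threshold values are constructed for the demo and are assumptions to tune per environment.

```python
"""Flag hosts whose traffic matches the Slammer pattern described above:
bursts of 376-byte UDP datagrams aimed at port 1434 (SQL Server
Resolution Service) across many destinations.

Added example, not from the newsletter or from Panda's advisory. The
flow-log format and the sample lines are constructed for this demo; the
window and threshold values are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample flow-log lines (not real captured traffic).
SAMPLE_LOG = """\
2003-01-25 05:30:01 UDP 10.0.0.5:1234 -> 192.0.2.10:1434 len=376
2003-01-25 05:30:01 UDP 10.0.0.5:1234 -> 198.51.100.7:1434 len=376
2003-01-25 05:30:02 UDP 10.0.0.5:1234 -> 203.0.113.9:1434 len=376
2003-01-25 05:30:02 UDP 10.0.0.5:1234 -> 192.0.2.77:1434 len=376
2003-01-25 05:30:02 UDP 10.0.0.5:1234 -> 192.0.2.78:1434 len=376
2003-01-25 05:30:03 UDP 10.0.0.9:2000 -> 192.0.2.10:1434 len=1
2003-01-25 05:30:03 TCP 10.0.0.9:2001 -> 192.0.2.10:1433 len=60
2003-01-25 05:31:10 UDP 10.0.0.5:1234 -> 192.0.2.80:1434 len=376
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one constructed flow-log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": d["proto"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "len": int(d["len"]),
    }


def is_slammer_like(rec):
    """The signature from the alert: UDP, destination port 1434, 376 bytes.
    Ordinary Resolution Service discovery queries are only a few bytes, so
    the length check separates them from the worm's payload."""
    return rec["proto"] == "UDP" and rec["dport"] == 1434 and rec["len"] == 376


def find_suspects(log_text, window_seconds=10, threshold=5):
    """Return {src: (max_count, distinct_destinations)} for sources that emit
    at least `threshold` Slammer-like datagrams inside any `window_seconds`
    span. One matching datagram is not enough; the worm's tell is volume and
    destination spread, which the sliding window measures."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_slammer_like(rec):
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    suspects = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                dsts = {dst for _, dst in evs[start:end + 1]}
                if src not in suspects or count > suspects[src][0]:
                    suspects[src] = (count, len(dsts))
    return suspects


if __name__ == "__main__":
    for src, (count, spread) in find_suspects(SAMPLE_LOG).items():
        print(f"{src}: {count} x 376-byte UDP/1434 in window, {spread} distinct targets")
```

    On the constructed sample, 10.0.0.5 is reported with five matching datagrams to five distinct hosts inside one window, while 10.0.0.9 (a tiny UDP/1434 query and a TCP/1433 connection) is not. Raising the threshold or shrinking the window is how you trade sensitivity for false positives on a busy SQL Server segment.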
    
    * FAQ: HAVING TROUBLE ENABLING SSL ON YOUR SITE?
       (contributed by Brett Hill, http://www.iisanswers.com)
    
    Q: A reader is trying to enable Secure Sockets Layer (SSL) on a
    company Web site. The company has installed a certificate but can't
    create an HTTP Secure (HTTPS) connection. The site works fine with
    HTTP, but HTTPS causes the Web browser to wait for a long time, then
    time out because it can't reach the server.
    A: Troubleshooting SSL connection problems can be tedious. Brett Hill
    offers a list of common problems to look for on your servers, along
    with detailed explanations. Check out the list of potential problems
    and their solutions on our Web site:
       http://www.secadministrator.com/articles/index.cfm?articleid=37815
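    The symptom in the question (browser hangs, then times out) is ambiguous on its own: it looks the same whether a firewall is dropping port 443, nothing is bound to the port, or something answers but does not speak TLS. The probe below is an added example (not from Brett Hill's article) that separates those stages by attempting the TCP connection and the TLS handshake one at a time and reporting where the attempt stops. The stage names and the two loopback test listeners are this script's own conventions; the listeners exist only so the script can demonstrate the "non-TLS listener" and "nothing listening" cases offline.

```python
"""Stage-by-stage probe of an HTTPS endpoint, to separate "the port is
blocked or nothing is listening" from "something answers but it is not
TLS". Added example, not from Brett Hill's article; the stage names and
the two local test listeners are this script's own conventions.
"""
import ipaddress
import socket
import ssl
import threading


def probe_https(host, port=443, timeout=5.0):
    """Return (stage, detail) describing how far an HTTPS connection gets.

    stage is one of:
      'tcp_timeout' - no TCP reply within timeout (typically a firewall drop)
      'tcp_refused' - host reachable but nothing bound to the port
      'tcp_error'   - other transport failure (DNS, route, etc.)
      'tls_timeout' - TCP connected, but no handshake reply (a plain-HTTP
                      listener quietly waiting for a request looks like this)
      'tls_failed'  - TCP connected, but the peer did not complete a TLS
                      handshake (non-TLS listener, protocol mismatch, reset)
      'ok'          - handshake done; detail holds protocol and cipher
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout", "no TCP connection within %.1fs" % timeout
    except ConnectionRefusedError as exc:
        return "tcp_refused", str(exc)
    except OSError as exc:
        return "tcp_error", str(exc)

    ctx = ssl.create_default_context()
    # Certificate validation is deliberately off here: this probe answers
    # "does a TLS server respond at all", which is the failure mode in the
    # FAQ. Check the certificate chain separately once the handshake works.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ipaddress.ip_address(host)
        sni = None  # SNI carries DNS names only, not IP literals
    except ValueError:
        sni = host
    try:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return "ok", "%s %s" % (tls.version(), tls.cipher()[0])
    except socket.timeout:
        return "tls_timeout", "TCP connected but no TLS reply within %.1fs" % timeout
    except ssl.SSLError as exc:
        return "tls_failed", exc.reason or str(exc)
    except OSError as exc:
        return "tls_failed", str(exc)
    finally:
        sock.close()


def start_plain_http_listener():
    """Constructed test fixture: a loopback listener that answers whatever it
    receives with a plain-HTTP error, mimicking an HTTP-only site bound to
    the HTTPS port. Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:
            conn.recv(4096)  # swallow the client's TLS ClientHello
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
            conn.shutdown(socket.SHUT_WR)
            while conn.recv(4096):  # drain until the client closes
                pass
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """Constructed test fixture: pick a loopback port that is (momentarily)
    free, so a probe against it is refused rather than dropped."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("plain-HTTP listener:", probe_https("127.0.0.1", start_plain_http_listener()))
    print("nothing listening:  ", probe_https("127.0.0.1", closed_local_port()))
```

    Against a real site you would call probe_https("www.example.com"). A 'tcp_timeout' points at a firewall or routing problem in front of the server, 'tcp_refused' at a site that is not bound to port 443, and 'tls_failed' or 'tls_timeout' at a listener on 443 that is serving plain HTTP or otherwise not completing the handshake; only after 'ok' is it worth looking at the certificate itself.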
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * CENTRALLY MANAGE SIDEWINDER FIREWALLS
       Secure Computing released Sidewinder G2 Enterprise Manager, a
    rack-mount security appliance that provides central policy management
    and an audit-log and configuration-backup repository for your
    distributed Sidewinder firewalls. The appliance is built on Secure
    Computing's hardened version of UNIX, the SecureOS UNIX OS, which has
    never been compromised. Your network access policies and Security logs
    are stored in the system's SQL database. The Sidewinder G2 performs
    its secure, browser-based management through a Windows software
    package. Contact Secure Computing at 800-379-4944, 408-979-6572, or
    salesat_private
       http://www.securecomputing.com
    
    * CAPTURE AND ANALYZE YOUR NETWORK TRAFFIC
       Sandstorm Enterprises announced NetIntercept 1.2, a hardware-based
    Network Forensics Analysis Tool (NFAT). NetIntercept can tell you who
    sent what information where, why information isn't moving, and how
    your systems were attacked. New features include Secure Sockets Layer
    (SSL) session decryption and analysis and an option to write to DVD
    archive media. NetIntercept 1.2 contains improved netmask-management
    and content-search capabilities. For more information about
    NetIntercept 1.2, contact Sandstorm Enterprises at 617-426-5056 and
    salesat_private
       http://www.sandstorm.net
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    8. ==== HOT THREAD ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Do IPSec Policies Slow Server Response?
       (Three messages in this thread)
    
    A user writes that he has set up an IP Security (IPSec) policy to
    permit incoming traffic only on certain ports. He wants to know
    whether such a policy will slow down requests to the server. Lend a
    hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=52918
    
    * HOWTO MAILING LIST
       http://63.88.172.96/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Are MAILTO and POST Safe for Transactions?
       (Three messages in this thread)
    
    A user wants to know what the dangers are if someone sends a credit
    card number over the Internet using MAILTO and POST links. Read the
    responses or lend a hand at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?A2=IND0301E&L=HOWTO&P=281
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 01:33:31 PST