[ISN] Security UPDATE, February 19, 2003

From: InfoSec News (isnat_private)
Date: Thu Feb 20 2003 - 00:33:20 PST

    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows Server 2003, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Security on All Workstations Compromised in Minutes
       http://list.winnetmag.com/cgi-bin3/flo/y/ePen0CJgSH0CBw07sL0AF
    
    Windows & .NET Magazine Network Web Seminars
        http://list.winnetmag.com/cgi-bin3/flo/y/ePen0CJgSH0CBw02lB0Ar
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: SECURITY ON ALL WORKSTATIONS COMPROMISED IN MINUTES ~~~~
       In just a few minutes any of your domain users could become the
    administrator of ALL your machines without your knowledge. A quick
    search of Google.com for password crackers is all it takes. There is a
    solution. Download our guide to plugging the DISTRIBUTED CREDENTIALS
    FLAW in Windows.
       http://list.winnetmag.com/cgi-bin3/flo/y/ePen0CJgSH0CBw07sL0AF
    
    ~~~~~~~~~~~~~~~~~~~~
    
    February 19, 2003--In this issue:
    
    1. IN FOCUS
         - Security Reconnaissance with Honeyd and HoneyWeb
    
    2. SECURITY RISKS
         - Multiple Vulnerabilities in Opera Web Browser
         - Brute-Force Vulnerability in Aprelium's Abyss Web Server
         - Buffer-Overrun Vulnerability in Celestial Software's Absolute
           Telnet
    
    3. ANNOUNCEMENTS
         - Pharma-IT Summit: Real-World Solutions for Today's Pharma-IT
           Challenges, March 31, 2003
         - Try Windows & .NET Magazine!
    
    4. SECURITY ROUNDUP
         - News: Sanctum Announces AppScan Developer Edition
         - News: Microsoft Offers Less-Technical Security Information
         - News: KeyLabs Says Sygate Outperforms Symantec
         - News: Peace of Mind While Shopping Online
    
    5. INSTANT POLL
         - Results of Previous Poll: Slammer/Sapphire Worm
         - New Instant Poll: Early Warning Network
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Prevent Users from Importing or Exporting Their
           Microsoft Internet Explorer (IE) Favorites?
    
    7. NEW AND IMPROVED
         - Block User-Installed Wireless Networks
         - Secure Servers Attached to KVM Switches
         - Submit Top Product Ideas
    
    8. HOT THREAD
         - Windows & .NET Magazine Online Forums
             - Featured Thread: ISA Feature Pack 1 and SSL Certificates
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * SECURITY RECONNAISSANCE WITH HONEYD AND HONEYWEB
    
    Do you have layered security in place? If so, do your layers include
    features that help you determine which kinds of attacks are targeting
    your networks? Many of you probably have probing and attack-detection
    tools in place, such as an Intrusion Detection System (IDS), but you
    can take that sort of attack-detection technology further by adding a
    honeypot to your network.
    
    I've written about various honeypot technologies in the past,
    including information about various network, system, and service
    emulators. For example, some honeypot technologies can mimic
    particular system architecture, and others can emulate services such
    as SMTP mail servers to help thwart spammers. You can find several
    articles about honeypots through the search URL below.
       http://search.winnetmag.com/query.html?qt=honeypot&site=security
    
    On Lance Spitzner's Tracking Hackers Web site (see the first URL
    below), he defines a honeypot as "a security resource [whose] value
    lies in being probed, attacked, or compromised." If you're interested
    in honeypot technology, know that a new version of Honeyd (see the
    second URL below) was released over the weekend, along with a new
    challenge for people to contribute to the project.
       http://www.tracking-hackers.com
       http://www.citi.umich.edu/u/provos/honeyd/
    
    Niels Provos, who developed Honeyd, explains that "Honeyd is a virtual
    honeypot running as a small daemon to create virtual hosts on a
    network. The hosts can be configured to run arbitrary services, and
    their personality can be adapted so that they appear to be running
    certain operating systems." Honeyd monitors unused IP addresses on a
    network to develop a virtual network of honeypots to help detect
    probing and intrusion.
    
    Honeyd listens for TCP, UDP, and some types of Internet Control
    Message Protocol (ICMP) traffic to help detect activity directed at
    your network's unused IP addresses, to which no one should be sending
    traffic in the first place. If you want to establish bogus services to
    interact with potential intruders, you can use Honeyd to do that as
    well. One of Honeyd's slick features is its ability to spoof a given
    system type at the kernel level to help thwart tools such as Xprobe
    and Nmap, which are designed to detect exact OS types, such as Windows
    or a Cisco Systems router OS.
    
    Along with the release of Honeyd 0.5, Provos has issued an invitation
    to contribute to the Honeyd project by developing useful feature
    additions and improvements. Potential contributors can work on
    developments such as additional service emulators and forensics tools
    for analysis and visualization of Honeyd log files and a GUI. You can
    read more about the challenge at the Honeyd Web site, hosted at the
    University of Michigan.
       http://www.citi.umich.edu/u/provos/honeyd/challenge.html
    
    Other useful honeypot tools work in conjunction with Honeyd, or you
    can run them standalone. One such tool is HoneyWeb, written by Kevin
    Timm and available at the URL below. HoneyWeb is a new tool that can
    emulate various Web server platforms, including Apache, Netscape, and
    Microsoft IIS. HoneyWeb deceives intruders by emulating HTTP headers
    and delivering Web pages.
       http://www.var-log.com/files
    
    For example, HoneyWeb looks at incoming URL requests, determines which
    platform they suit, and returns headers and Web pages that emulate
    that platform. As I interpret the somewhat sparse documentation, the
    tool can also track URL requests persistently. So if the same user
    makes a UNIX-style request and then a Microsoft-style request (in a
    configurable time frame), the system can return a 404 error to
    maintain consistency with the type of Web platform being emulated.
    HoneyWeb can spoof other kinds of content, and it can return bogus
    directory listings for a given root path URL or a bogus rendition of
    an .htaccess file.
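The persistent tracking described above can be sketched as follows. This is an added illustration, not HoneyWeb's code: the request patterns, banner strings, `PersonaTracker` name, default platform and sliding time window are all assumptions.

```python
import re
import time

# Assumed request signatures; HoneyWeb's real rule set is not shown here.
PLATFORM_PATTERNS = {
    "iis": re.compile(
        r"\.(asp|aspx|ida|idq|htr|dll)(\?|$)|/scripts/|/_vti_bin/|/msadc/", re.I),
    "apache": re.compile(
        r"\.(php|cgi|pl)(\?|$)|/cgi-bin/|/\.htaccess|/~", re.I),
}
# Constructed banner strings for the emulated platforms.
SERVER_HEADER = {"iis": "Microsoft-IIS/5.0", "apache": "Apache/1.3.27 (Unix)"}
DEFAULT_PLATFORM = "apache"  # persona used when the first request is neutral


def classify(path):
    """Return the platform a request path suits, or None if it is neutral."""
    for platform, pattern in PLATFORM_PATTERNS.items():
        if pattern.search(path):
            return platform
    return None


class PersonaTracker:
    """Pin each client to one emulated platform for `window` seconds."""

    def __init__(self, window=300, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self.pinned = {}  # client IP -> (platform, time of last request)

    def respond(self, client_ip, path):
        """Return (HTTP status, Server header) for one request."""
        now = self.clock()
        wanted = classify(path)
        pinned = self.pinned.get(client_ip)
        if pinned is not None and now - pinned[1] > self.window:
            pinned = None  # time frame elapsed: the client can be re-pinned
        platform = pinned[0] if pinned else (wanted or DEFAULT_PLATFORM)
        self.pinned[client_ip] = (platform, now)  # sliding window
        # A request that suits a different platform than the one this client
        # has already seen gets a 404 so the persona stays consistent.
        status = 404 if wanted not in (None, platform) else 200
        return status, SERVER_HEADER[platform]


if __name__ == "__main__":
    tracker = PersonaTracker(window=300)
    # Constructed request sequence from one documentation-range address.
    for path in ["/cgi-bin/test.cgi", "/default.asp", "/index.html"]:
        print(path, tracker.respond("192.0.2.10", path))
```

Logging every 404 issued for a persona mismatch gives the operator a record of clients that probe for more than one server platform.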
    
    Timm developed HoneyWeb in the Python programming language. To learn
    more about HoneyWeb, visit the first URL below and also read the
    readme text in the program archive file. If you want to try HoneyWeb,
    you need to obtain a copy of Python for your platform at the second
    URL below. HoneyWeb also supports Secure Sockets Layer (SSL) by using
    Stunnel as an add-on. You can obtain Stunnel at the third URL below.
       http://www.var-log.com/files/HoneyWeb.txt
       http://www.python.org
       http://www.stunnel.org
    
    If you don't use a honeypot on your network, why not consider
    installing one? It might pick up on subtle forms of probing and
    identify attacks that your IDS might not be able to detect. Using a
    honeypot can increase your awareness of the type of attacks your
    network faces and help you keep your network more secure.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: WINDOWS & .NET MAGAZINE NETWORK WEB SEMINARS ~~~~
        DON'T MISS OUR WEB SEMINARS IN MARCH!
        Windows & .NET Magazine has 3 new Web seminars to help you address
    your security and storage concerns.  There is no fee to attend
    "Selling the Importance of Security: 5 Ways to Get Your Manager's
    Attention", "Building an Ultra Secure Extranet on a Shoe String", or
    "An Introduction to Windows Powered NAS," but space is limited, so
    register for all 3 events today!
       http://list.winnetmag.com/cgi-bin3/flo/y/ePen0CJgSH0CBw02lB0Ar
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * MULTIPLE VULNERABILITIES IN OPERA WEB BROWSER
       Opera Software's Opera Web Browser 7.0 and earlier contains five
    newly discovered vulnerabilities. Three of these vulnerabilities
    permit full read access to the user's file system and let an intruder
    list contents of directories, read files, and access email messages on
    the vulnerable system. The other two vulnerabilities expose sensitive
    private information about the user by permitting Web access to URLs
    that the user has recently visited. Opera Software has released Opera
    Web Browser 7.01, which isn't vulnerable to these conditions.
       http://www.secadministrator.com/articles/index.cfm?articleid=38021
    
    * BRUTE-FORCE VULNERABILITY IN APRELIUM'S ABYSS WEB SERVER
       A vulnerability in Aprelium Technologies' Abyss Web Server 1.1.2
    and earlier lets an attacker gain administrative access to the Web
    server. An attacker can connect to the remote Web management interface
    at http://abyss_server:9999 and use a brute-force method to access the
    server. An attacker can use an indefinite number of attempts to enter
    a valid username and password; the software uses no delay to penalize
    wrong attempts. Abyss has no logging for port 9999 (unlike the
    access.log file for port 80). Aprelium has been notified and will
    release a patch or new version that isn't vulnerable to these
    conditions.
       http://www.secadministrator.com/articles/index.cfm?articleid=38022
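The two missing controls named above, a delay that penalizes wrong attempts and logging of the management port, look like this in a minimal form. This is an added example and not Aprelium's code; the `LoginThrottle` class, the logger name and the delay values are hypothetical.

```python
import logging
import time

log = logging.getLogger("admin-auth")  # hypothetical logger name


class LoginThrottle:
    """Per-source failure counter with a doubling lockout and an audit trail."""

    def __init__(self, check_credentials, base_delay=1.0, max_delay=900.0,
                 clock=time.monotonic):
        self.check = check_credentials  # callable(username, password) -> bool
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.state = {}  # source IP -> (consecutive failures, locked-until)

    def attempt(self, source_ip, username, password):
        """Return 'ok', 'denied' or 'throttled'; every outcome is logged."""
        now = self.clock()
        failures, locked_until = self.state.get(source_ip, (0, 0.0))
        if now < locked_until:
            # Refuse without evaluating the password, so guesses sent during
            # the penalty period reveal nothing.
            log.warning("throttled src=%s user=%r wait=%.0fs",
                        source_ip, username, locked_until - now)
            return "throttled"
        if self.check(username, password):
            self.state.pop(source_ip, None)
            log.info("login ok src=%s user=%r", source_ip, username)
            return "ok"
        failures += 1
        # The delay doubles with each consecutive failure, capped at max_delay.
        delay = min(self.base_delay * 2 ** min(failures - 1, 20),
                    self.max_delay)
        self.state[source_ip] = (failures, now + delay)
        log.warning("login failed src=%s user=%r failures=%d next_in=%.0fs",
                    source_ip, username, failures, delay)
        return "denied"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed credentials and source address for the demonstration.
    throttle = LoginThrottle(lambda u, p: (u, p) == ("admin", "s3cret-example"))
    for guess in ["a", "b", "s3cret-example"]:
        print(throttle.attempt("192.0.2.50", "admin", guess))
```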
    
    * BUFFER-OVERRUN VULNERABILITY IN CELESTIAL SOFTWARE'S ABSOLUTE TELNET
       A vulnerability in Celestial Software's Absolute Telnet 2.11 and
    Absolute Telnet 2.00 can lead to arbitrary execution of code on the
    vulnerable system. This vulnerability is a result of insufficient
    bounds checking in the code that sets the program's title bar.
    Celestial Software has released Absolute Telnet 2.12 Release Candidate
    10 (RC10), which isn't vulnerable to this condition.
       http://www.secadministrator.com/articles/index.cfm?articleid=37999
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * PHARMA-IT SUMMIT: REAL-WORLD SOLUTIONS FOR TODAY'S PHARMA-IT
    CHALLENGES, MARCH 31, 2003
       Annual executive conference highlights the increased focus on IT
    security in global pharmaceutical enterprises. Networking, case
    studies, intensive workshops, and forums help CIOs, CTOs, CFOs, VPs,
    and other top decision-makers leverage pharmaceutical IT solutions
    successfully. Keynote presentations by executives from Aventis,
    Novartis, AstraZeneca, Hoffmann-La Roche, and Pfizer, plus US Dept. of
    Health & Human Services.
       http://list.winnetmag.com/cgi-bin3/flo/y/ePen0CJgSH0CBw07QH0Ab
    
    * TRY WINDOWS & .NET MAGAZINE!
      Every issue of Windows & .NET Magazine includes intelligent,
    impartial, and independent coverage of security, Active Directory,
    Microsoft Exchange Server, and more. Our expert authors deliver how-to
    content you simply can't find anywhere else. Try a sample issue today,
    and find out what more than 100,000 readers know that you don't!
       http://list.winnetmag.com/cgi-bin3/flo/y/ePen0CJgSH0CBw07q40An
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: SANCTUM ANNOUNCES APPSCAN DEVELOPER EDITION
       Sanctum announced AppScan Developer Edition (DE) 1.5, which helps
    create secure Web applications. AppScan DE is integrated seamlessly
    into Microsoft Visual Studio .NET for support using the C#, C++, and
    J# programming languages. The product helps developers create unit
    tests and validation processes, provides defect analysis, and offers
    recommendations for code improvement.
       http://www.secadministrator.com/articles/index.cfm?articleid=38007
    
    * NEWS: MICROSOFT OFFERS LESS-TECHNICAL SECURITY INFORMATION
       Microsoft now offers news about product security problems to
    less-technical users, such as home users and corporate executives who
    don't need exact details. Users can subscribe to the new security
    alerting service at the Microsoft Security Update Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=38011
    
    * NEWS: KEYLABS SAYS SYGATE OUTPERFORMS SYMANTEC
       Sygate Technologies announced that independent testing laboratory
    KeyLabs conducted a comparison test that showed that the company's
    Sygate Secure Enterprise 3.0 outperformed Symantec's Client Security
    2.0.
       http://www.secadministrator.com/articles/index.cfm?articleid=38006
    
    * NEWS: PEACE OF MIND WHILE SHOPPING ONLINE
       ScanAlert is helping e-commerce sites increase sales while offering
    online shoppers a little more peace of mind. The company's HACKER SAFE
    service helps consumers determine whether a given e-commerce site is
    secure enough to trust with handling sensitive information, such as
    credit card numbers.
       http://www.secadministrator.com/articles/index.cfm?articleid=38018
    
    5. ==== INSTANT POLL ====
     
    * RESULTS OF PREVIOUS POLL: SLAMMER/SAPPHIRE WORM
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Did the Slammer/Sapphire worm directly affect your network,
    connectivity, or computerized activities directly?" Here are the
    results from the 250 votes. (Deviations from 100 percent are due to
    rounding errors.)
       - 24% Yes
       - 76% No
     
    * NEW INSTANT POLL: EARLY WARNING NETWORK
       The next Instant Poll question is, "Do you participate in an 'early
    warning' network that gathers forensic information from firewall and
    Intrusion Detection System (IDS) logs?" Go to the Security
    Administrator Channel home page and submit your vote for a)
    Yes--DShield.org, b) Yes--Symantec DeepSight Analyzer, c) Both of the
    above, d) Other, or e) No.
       http://www.secadministrator.com
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I PREVENT USERS FROM IMPORTING OR EXPORTING THEIR
    MICROSOFT INTERNET EXPLORER (IE) FAVORITES?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. By default, users can use the File, Import and Export menu option
    in IE to import and export their IE Favorites. You can disable this
    functionality by performing the following steps:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to the HKEY_CURRENT_USER\Software\Policies\Microsoft
    registry subkey.
       3. If the Internet Explorer subkey doesn't exist, create it (from
    the Edit menu, select New, Key and type "Internet Explorer" without
    the quotes), then navigate to that subkey.
       4. From the Edit menu, select New, DWORD Value.
       5. Enter the name DisableImportExportFavorites, then press Enter.
       6. Double-click the new value, set it to 1, then click OK.
    
    The change takes effect immediately. Users will still be able to run
    the Import and Export Wizard, but when they click Finish, the wizard
    will inform them that it has been disabled.
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * BLOCK USER-INSTALLED WIRELESS NETWORKS
       SecureWave released WaveLock, a free utility that blocks access to
    the wireless network adapters and wireless LAN (WLAN) cards that
    Windows XP and Windows 2000 support. WaveLock detects attempts to
    install wireless network adapters and prevents their drivers from
    loading, rendering the adapters inoperative and ensuring that users
    who know about these preinstalled drivers don't compromise your
    networks. For more information or to download WaveLock, visit the
    following URLs:
       http://securewave.com/products/free_utilities/wavelock.html
       http://securewave.com
    
    * SECURE SERVERS ATTACHED TO KVM SWITCHES
       Belkin introduced the OmniView SE Plus Series Keyboard/Video/Mouse
    (KVM) Switch, which gives you control over multiple-platform servers
    from a single console. Product security has been enhanced to prevent
    unintended information exchange between secure and nonsecure servers
    connected to the Switch. The new KVM switch supports PS/2-style and
    USB servers in two-port or four-port models. For pricing or more
    information, contact Belkin at 800-223-5546 or through its Web site.
       http://www.belkin.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    8. ==== HOT THREAD ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: ISA Feature Pack 1 and SSL Certificates
       (Three messages in this thread)
    
    A user in the Netherlands writes that he believes that since the
    release of Microsoft Internet Security and Acceleration (ISA) Server
    Feature Pack 1, it's no longer necessary to configure a demilitarized
    zone (DMZ) to secure his network when he wants only to securely expose
    his Microsoft Exchange Server to his employees through the Internet.
    Is this correct? He believes that he'll have to use a Secure Sockets
    Layer (SSL) certificate, and he has questions about the best approach
    to do so. Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=54270
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    