[ISN] Security UPDATE, February 26, 2003

From: InfoSec News (isnat_private)
Date: Wed Feb 26 2003 - 22:55:32 PST


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows Server 2003, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Tivoli. Intelligent Management Software Solutions.
       http://www-3.ibm.com/software/tivoli/resource-center/index.jsp?section=guides
    
    ALERT: Outsmart SQL Injection Attackers
       http://list.winnetmag.com/cgi-bin3/flo/y/ePm60CJgSH0CBw07xv0AE
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: TIVOLI. INTELLIGENT MANAGEMENT SOFTWARE SOLUTIONS. ~~~~
       To compete in today's environment, companies need to provide access
    to more information than before. The challenge is to effectively
    manage user identities & access through the lifecycle. Learn how
    Tivoli identity management software can help get users, systems, and
    applications online fast:
       http://www-3.ibm.com/software/tivoli/resource-center/index.jsp?section=guides
    ~~~~~~~~~~~~~~~~~~~~
    
    February 26, 2003--In this issue:
    
    1. IN FOCUS
         - Tracking Security Threats and Trends
    
    2. SECURITY RISKS
         - Three Buffer Overflows in Oracle Database Server
         - WebDAV Vulnerability in Oracle9i Application Server
    
    3. ANNOUNCEMENTS
         - Join the HP & Microsoft Network Storage Solutions Road Show!
         - Our Active Directory Web Seminar Is in Just 3 Weeks!
    
    4. SECURITY ROUNDUP
         - News: Windows XP Wide Open Using Win2K CD-ROM
         - Feature: Getting to the Root of Slammer
         - Feature: Coding Defensively
    
    5. HOT RELEASE (ADVERTISEMENT)
         - Best Practices for Designing Secure Active Directory
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Prevent Windows Media Player (WMP) from
           Processing HTML Scripts Contained in Media Files?
    
    7. NEW AND IMPROVED
         - Secure Your IM Communications
         - Take Control of Your Users' Authentication Credentials
         - Submit Top Product Ideas
    
    8. HOT THREAD
         - Windows & .NET Magazine Online Forums
             - Featured Thread: MAC Address Security
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * TRACKING SECURITY THREATS AND TRENDS
    
    Are you aware of the networks that track events and trends related to
    specific threats and ongoing attacks? You can participate in these
    threat-analysis networks, and in return, they offer information that
    can help you become aware of potential threats to your own network,
    sometimes well in advance of any actual attack.
    
    Several networks (e.g., DShield.org, myNetWatchman, Symantec's
    DeepSight Analyzer, Internet Security Systems'--ISS's--X-Force Threat
    Analysis Service--XFTAS) collect security information and offer it to
    the public in the form of a worldwide security trend monitoring
    report. These networks receive input from a wide array of users'
    networks around the globe, all contributing information into a central
    repository. The raw material is the Intrusion Detection System (IDS)
    and firewall logs of the participating networks.
    
    Each threat-analysis network provides client-side software that
    gathers log information, parses it into a common format, and transmits
    the data back to a central repository. DShield.org client software
    works with more than three dozen various types of IDS and firewall
    systems; myNetWatchman client software and Symantec's DeepSight
    Analyzer service client software work with about two dozen IDS and
    firewall systems each.
    
    DShield.org is by far the most open of the networks. Anyone can visit
    the related Web site and immediately view both graphical and
    text-based reports that show current threat trends and historic data.
    For example, when you visit the Web site home page, you'll find a
    prominent graphical map of the world with pie charts for various
    continents. The pie charts give a quick view of threat trends based on
    aggregate information that shows which ports are being probed most
    often. Next to the graphic is a brief list of the port numbers and the
    services typically associated with those ports.
       http://www.dshield.org
    
    When I visited the DShield.org Web site Monday morning, I saw that
    port 1434, which is related to Microsoft SQL Server, is still among
    the top targets. This information might mean that the Slammer/Sapphire
    worm is still trying to spread around the Internet.
    
    One interesting feature of DShield.org is that you can obtain graphic
    and text-based data files of threat trends to incorporate into your
    own Web pages. The data shows the current most frequently probed ports
    as well as the IP addresses that are conducting the most probing. This
    can provide information about current trends at a glance. DShield.org
    operates in association with the SysAdmin, Audit, Network, Security
    (SANS) Institute, which hosts the Internet Storm Center. The Internet
    Storm Center offers additional information, such as threat-analysis
    reports.
       http://isc.sans.org
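    The collection step that the client software performs is simple enough
    to sketch. The Python script below is an added example, not DShield.org's
    or any other network's client, and the tab-separated "common format" it
    emits is an assumed layout, not any collector's real submission format.
    It parses a few constructed iptables LOG-target lines (RFC 5737
    documentation addresses, invented traffic), normalizes them into one
    record type, masks the first octet of the probed address before sharing
    (an assumed precaution so that your own netblock isn't disclosed), and
    produces the two summaries the DShield.org front page shows: the
    most-probed ports and the most active source addresses. Portless
    protocols such as ICMP are kept as events but excluded from the port
    count.

```python
import re
from collections import Counter
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed sample: six netfilter/iptables LOG-target lines using RFC 5737
# documentation addresses. The line layout is what the LOG target writes;
# the traffic itself is invented for this example.
SAMPLE_LOG = """\
Feb 24 08:01:12 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=6322 PROTO=UDP SPT=1041 DPT=1434 LEN=384
Feb 24 08:01:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.21 LEN=404 TTL=113 ID=6323 PROTO=UDP SPT=1041 DPT=1434 LEN=384
Feb 24 08:02:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.20 LEN=48 TTL=120 ID=101 PROTO=TCP SPT=3341 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 24 08:03:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.22 LEN=48 TTL=120 ID=102 PROTO=TCP SPT=3342 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 24 08:03:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.20 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 24 08:04:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.20 LEN=48 TTL=110 ID=9 PROTO=TCP SPT=4040 DPT=1434 WINDOW=8192 RES=0x00 SYN URGP=0
"""


@dataclass(frozen=True)
class Event:
    """The common record that every downstream step works from."""
    timestamp: str
    src_ip: str
    src_port: Optional[int]   # None for protocols without ports (ICMP)
    dst_ip: str
    dst_port: Optional[int]
    proto: str


_KV = re.compile(r"(\w+)=(\S*)")   # KEY=value tokens; OUT= has an empty value


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value and value.isdigit() else None


def parse_iptables_line(line: str) -> Optional[Event]:
    """Turn one netfilter LOG line into an Event; return None for anything else."""
    head, sep, body = line.partition("kernel:")
    if not sep or "SRC=" not in body:
        return None
    fields = dict(_KV.findall(body))      # a repeated key (LEN=) just overwrites; unused here
    src, dst, proto = fields.get("SRC"), fields.get("DST"), fields.get("PROTO")
    if not (src and dst and proto):
        return None
    timestamp = " ".join(head.split()[:3])  # syslog prefix, e.g. "Feb 24 08:01:12"
    return Event(timestamp, src, _port(fields.get("SPT")), dst, _port(fields.get("DPT")), proto)


def load_events(text: str) -> List[Event]:
    return [ev for ev in map(parse_iptables_line, text.splitlines()) if ev is not None]


def obfuscate_target(event: Event, first_octet: str = "10") -> Event:
    """Mask the first octet of the probed (your own) address before sharing.
    Assumed precaution, not any network's documented policy: the collector
    needs the port and the prober, not your netblock."""
    parts = event.dst_ip.split(".")
    if len(parts) != 4:
        return event                      # not a dotted quad; leave it alone
    return replace(event, dst_ip=".".join([first_octet] + parts[1:]))


def top_ports(events: List[Event], n: int = 5) -> List[Tuple[int, int]]:
    """Most-probed destination ports; portless protocols (ICMP) are skipped."""
    return Counter(e.dst_port for e in events if e.dst_port is not None).most_common(n)


def top_sources(events: List[Event], n: int = 5) -> List[Tuple[str, int]]:
    """Addresses doing the most probing."""
    return Counter(e.src_ip for e in events).most_common(n)


def to_submission(events: List[Event]) -> List[str]:
    """Tab-separated rows in an assumed common format (hypothetical layout),
    with the target address masked on every row."""
    rows = []
    for e in map(obfuscate_target, events):
        sp = "" if e.src_port is None else str(e.src_port)
        dp = "" if e.dst_port is None else str(e.dst_port)
        rows.append("\t".join([e.timestamp, e.src_ip, sp, e.dst_ip, dp, e.proto]))
    return rows


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("top ports:", top_ports(events, 3))
    print("top sources:", top_sources(events, 3))
    print("\n".join(to_submission(events)))
```

    On the sample, port 1434 comes out on top with three hits from two
    different sources, which is the same picture the DShield.org pie charts
    give at a glance; a real client would tail the firewall log continuously
    and ship the rows in batches rather than read a string.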
    
    myNetWatchman is a free public service without any membership
    requirements. The myNetWatchman Web site home page is basic and
    doesn't provide the extensive information that DShield.org provides,
    but it's useful in conjunction with the other threat-analysis
    information networks.
       http://www.mynetwatchman.com
    
    Symantec's DeepSight Analyzer is a free service, but only participants
    who provide IDS and firewall logs can view aggregate information that
    the service provides. The service's Web site home page has a basic
    display of threat counts, but no further useful details for visitors.
    To learn more about the service, visit the Web site, and consider
    joining the network if it supports your particular IDS or firewall.
    Symantec also offers a paid service, DeepSight Threat Management
    System, which offers alert and notification information tailored to
    your IT infrastructure.
       http://analyzer.securityfocus.com
       http://enterprisesecurity.symantec.com/products/products.cfm?productid=158
    
    ISS's XFTAS is a paid annual service similar to the Symantec paid
    offering. Customers receive access to helpful security-related
    information and can personalize their accounts to obtain the
    information they need.
       https://gtoc.iss.net
    
    Joining one or more of these networks gives you early warning of
    scanning and worm activity that might reach your own systems, and your
    contributed logs sharpen the picture for everyone else. That improves
    the Return on Investment (ROI) of your overall security budget (and
    might even free up time and money for other security resources).
    If your budget allows, consider subscribing to the paid services that
    ISS and Symantec offer. If you can't afford such security resources
    right now, know that you can participate in DShield.org and
    myNetWatchman by investing some of your time.
    
    Please take a moment to respond to the current Security Administrator
    Instant Poll question, "Do you participate in an 'early warning'
    network that gathers forensic information from firewall and Intrusion
    Detection System (IDS) logs?" at the URL below. If you know about
    additional threat-analysis networks, send me an email message about
    them.
       http://www.secadministrator.com
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: ALERT: OUTSMART SQL INJECTION ATTACKERS ~~~~
       Learn How a Hacker Launches a SQL Injection Attack - Step-by-Step!
       It's as simple as placing additional SQL commands into an input box
    on a web form which gives hackers complete access to all your backend
    data! Firewalls and IDS will not stop SQL Injection attempts because
    they are NOT seen as intrusions. Download this *FREE* white paper from
    SPI Dynamics for a complete guide to protection!
       http://list.winnetmag.com/cgi-bin3/flo/y/ePm60CJgSH0CBw07xv0AE
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * THREE BUFFER OVERFLOWS IN ORACLE DATABASE SERVER
       Three vulnerabilities in Oracle Database Server can result in
    remote compromise of a vulnerable server: a buffer overflow in the
    database server's authentication process, and remotely exploitable
    buffer overflows in the TO_TIMESTAMP_TZ and TZ_OFFSET functions. The
    authentication overflow is reached before any credentials are checked,
    whereas the two function overflows are triggered through SQL, so any
    account that can run queries against the server can reach them. More
    details are available at the three URLs below. Oracle has released a
    bulletin regarding these matters.
       http://www.secadministrator.com/articles/index.cfm?articleid=38073
       http://www.secadministrator.com/articles/index.cfm?articleid=38075
       http://www.secadministrator.com/articles/index.cfm?articleid=38076
    
    * WEBDAV VULNERABILITY IN ORACLE9i APPLICATION SERVER
       A vulnerability in Oracle9i Application Server can result in remote
    compromise of the vulnerable server. This vulnerability stems from a
    format string flaw in the server's implementation of WWW Distributed
    Authoring and Versioning (WebDAV). By sending the Web server a request
    that contains format specifiers, an attacker can overwrite memory
    addresses with arbitrary values and thereby take control of the server.
    Oracle has released a bulletin regarding this problem.
       http://www.secadministrator.com/articles/index.cfm?articleid=38074
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * JOIN THE HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW!
       Now is the time to start thinking of storage as a strategic weapon
    in your IT arsenal. Come to our 10-city Network Storage Solutions Road
    Show, and learn how existing and future storage solutions can save
    your company money--and make your job easier! There is no fee for this
    event, but space is limited. Register today!
       http://list.winnetmag.com/cgi-bin3/flo/y/ePm60CJgSH0CBw07cD0A2
    
    * OUR ACTIVE DIRECTORY WEB SEMINAR IS IN JUST 3 WEEKS!
       Join us as Precise SRM shows you how to leverage Active Directory
    to assess storage usage, reclaim wasted disk space, and control
    storage growth. You'll learn how to use AD to save countless hours
    managing server growth, get back up to half of your server space right
    away, and even reduce storage growth and backups by 30 percent or
    more! There is no charge for this event, but space is limited, so
    register today!
       http://list.winnetmag.com/cgi-bin3/flo/y/ePm60CJgSH0CBw07uv0AB
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: WINDOWS XP WIDE OPEN USING WIN2K CD-ROM
       An interesting glitch has turned up in Windows XP. According to a
    report published in a newsletter ("Brian's Buzz on Windows") from
    Briansbuzz.com, an intruder who boots an XP system from a Windows 2000
    CD-ROM and launches the Recovery Console gains unrestricted access to
    the system. The attack needs physical access to the machine and the
    ability to boot it from CD-ROM.
       http://www.secadministrator.com/articles/index.cfm?articleid=38072
    
    * FEATURE: GETTING TO THE ROOT OF SLAMMER
       A commentary by Brian Moran has generated a wide range of heated
    opinions. In his SQL Server UPDATE commentary, Brian criticized DBAs
    for failing to apply the hotfix that would have shut down the SQL
    Slammer/Sapphire worm ("After the Slammer"). Brian then apologized to
    DBAs for oversimplifying the Slammer/Sapphire situation and laying all
    the blame on their shoulders ("SQL Server DBAs Deserve an Apology").
    Brian also asked SQL Server UPDATE readers to share what they think
    Microsoft can and should do to help us maintain secure systems. Read
    the article to learn what readers had to say.
       http://www.secadministrator.com/articles/index.cfm?articleid=38086
    
    * FEATURE: CODING DEFENSIVELY
       Michael Otey talks with many application developers who think that
    security isn't their concern. In their view, Microsoft and the
    security, network, or database administrator are responsible for
    security--in other words, someone else. Developers with this mentality
    think it's enough to get the database application running, but that
    attitude doesn't fly in today's world of Web applications.
       http://www.secadministrator.com/articles/index.cfm?articleid=37813
    
    5. ==== HOT RELEASE (ADVERTISEMENT) ====
    
    * BEST PRACTICES FOR DESIGNING SECURE ACTIVE DIRECTORY
       Download this free technical white paper now from Windows & .NET
    Magazine's White Paper Central. Brought to you courtesy of Aelita
    Software.
       http://www.aelita.com/winnetmag020403
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I PREVENT WINDOWS MEDIA PLAYER (WMP) FROM PROCESSING
    HTML SCRIPTS CONTAINED IN MEDIA FILES?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. Microsoft Security Bulletin MS02-032 ("26 June 2002 Cumulative
    Patch for Windows Media Player") identifies several version-specific
    patches to secure WMP against script attacks. To manually disable
    WMP's HTML-processing feature, perform the following steps:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to the
    HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences subkey.
       3. From the Edit menu, select New, DWORD Value.
       4. Enter a name of PlayerScriptCommandsEnabled, then press Enter.
       5. Double-click the new value, set it to 0 to prevent WMP from
    processing HTML scripts in media files, then click OK.
       6. Close the registry editor.
       7. Restart WMP.
    Because the value lives under HKEY_CURRENT_USER, it applies only to the
    profile you set it in; repeat the change for each user (or push it with
    a logon script or Group Policy). The value is a workaround for script
    commands, not a substitute for the cumulative patch that MS02-032
    describes.
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * SECURE YOUR IM COMMUNICATIONS
       Akonix Systems released Akonix L7 Enterprise 2.0, software to
    manage and secure public Instant Messaging (IM) communications between
    your employees, partners, and customers. You can enforce corporate
    policies, protect against viruses, eliminate known security loopholes,
    keep internal messages secure, and report on IM employee usage.
    Logging and archiving features help you meet government and industry
    compliance regulations. Pricing is on a subscription basis and starts
    at $2250 per year for up to 50 users. Contact Akonix Systems at
    619-814-2330 and salesat_private
       http://www.akonix.com
    
    * TAKE CONTROL OF YOUR USERS' AUTHENTICATION CREDENTIALS
       Datakey announced Datakey Axis, a turnkey solution that lets you
    consolidate all user-authentication credentials (passwords,
    certificates, shared secrets, biometric templates) onto one smart card
    and automates policy, credential, and desktop management in a
    centralized management center. Datakey Axis lets you enforce strong
    password policies and transparently push updated credentials to users'
    smart cards as they log on to the network, without their knowledge.
    Datakey Axis will be available in April 2003. Contact Datakey at
    952-890-6850 and infoat_private
       http://www.datakey.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    8. ==== HOT THREAD ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: MAC Address Security
       (Three messages in this thread)
    
    A user wants to know whether he can prevent access to a network
    through an adapter's media access control (MAC) address. Lend a hand
    or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=54631
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


