[ISN] Security UPDATE, April 9, 2003

From: InfoSec News (isnat_private)
Date: Thu Apr 10 2003 - 00:24:05 PDT

    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows Server 2003, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    HFNetChkLT-FREE Patch Mgmt on 50 CPUs. No Timeouts!
       http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw076e0AD
    
    Experience the Benefits of Real Time Monitoring
       http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw07mN0Aj
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: HFNetChkLT-FREE PATCH MGMT ON 50 CPUs. NO TIMEOUTS! ~~~~
       Introducing NEW Shavlik HFNetChkLT -- the FREE version of the new
    HFNetChkPro 4.0, an automated scanning and remediation solution from
    Shavlik, the developers of HFNetChk and MBSA for Microsoft. It
    includes loads of new features that save time for busy security
    professionals while offering greater enterprise security. HFNetChkPro
    4.0 automates patch remediation for Microsoft Office, Windows Server
    2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Its
    intuitive Drag-n-Drop Patch Management interface allows you to
    precisely control which groups will be scanned, by what criteria and
    when and how patches are deployed. Visit www.shavlik.com for details!
       http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw076e0AD
    ~~~~~~~~~~~~~~~~~~~~
    
    April 9, 2003--In this issue:
    
    1. IN FOCUS
         - Test Your Forensic-Analysis Skills
    
    2. SECURITY RISKS
         - DoS in Opera 7 and Netscape 7.02 Browsers
         - Man-in-the-Middle Attack on Microsoft Terminal Services
    
    3. ANNOUNCEMENTS
         - Join the HP & Microsoft Network Storage Solutions Road Show!
         - Windows & .Net Magazine Connections: Learn from the Writers You
           Know and Trust
    
    4. SECURITY ROUNDUP
         - News: Report: Most Users Do Not Trust Microsoft
         - News: Microsoft Releases WPA for XP to Strengthen Wireless
           Security
    
    5. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Enable or Disable the User's Ability to Change
           File Associations?
    
    6. NEW AND IMPROVED
         - Lock Down Systems with USB Key
         - Secure Access Through Web Browser
         - Submit Top Product Ideas
    
    7. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Export Certificates to VPN Appliances
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * TEST YOUR FORENSIC-ANALYSIS SKILLS
    
    I've discussed the Honeynet Project in previous Security UPDATE
    commentaries. Last week, the project posted another "Scan of the
    Month," which makes information gathered from an attacked honeypot
    available to the public.
    
    The Honeynet Project posts the scans to let people use their
    forensic-analysis skills to analyze the log files the honeypot
    gathered. The Azusa Pacific University (APU) Honeynet Project provided
    this month's scan challenge. APU deployed a honeypot on an unpatched
    Windows 2000 system that had a blank administrator password. Attackers
    and worms compromised the system numerous times, and the honeypot
    became part of a large "botnet."
       http://www.honeynet.org/scans/scan27
    
    The Honeynet Project tailored the current challenge to beginner and
    intermediate skill levels. After analyzing the logs, you can answer
    several questions and submit your answers for review. You can use
    several tools to help you arrive at answers. The tools the Honeynet
    Project recommends include Snort (an Intrusion Detection System--IDS)
    and Ethereal, which are packet-capture and analysis tools. You'll find
    links to those tools on the Scan of the Month page, and you can read
    more about the rules of the challenge at the URL below.
       http://www.honeynet.org/scans
    
    Taking part in such challenges can help hone your forensic-analysis
    skills. If you're already proficient, further practice can help you
    keep abreast of current trends--the sorts of activities currently
    compromising systems. Because this month's challenge addresses a
    compromised Win2K system, many of you might want to consider meeting
    the challenge. Submissions to the challenge are due no later than
    April 25.
    
    Patching the Patch System
       In last week's Security UPDATE, I discussed a mishap in the
    disclosure of a vulnerability in Sendmail. A researcher posted various
    details of the vulnerability to the BugTraq mailing list, and
    Sendmail.org released a patched version of its application before its
    planned release date. I speculated and raised questions about what
    might have happened, and--as it turns out--I was wrong. I was missing
    a key fact about the situation. Reader Claus Assmann wrote to inform
    me about some of the missing details. At his suggestion, I also
    contacted Eric Allman at Sendmail.org to obtain a clearer perspective
    about what had transpired.
    
    Allman took the time to offer what he knows about events--how and when
    they occurred. The following paragraphs present what he told me in
    detail.
    
    "What we know is this: Late in the day on Tuesday, 18 March, Michal
    Zalewski reported a possible vulnerability to us. He included a sample
    case that demonstrated that there was a buffer overflow of some sort,
    but he had not created a 'proof of concept' exploit, nor did he
    speculate on the nature of the bug.
    
    "We verified the bug that night and shortly thereafter had a first
    pass at a fix, which had not yet undergone code review. Code review
    was completed later that week.
    
    "We then wanted to send the information to vendors so they could have
    a patch available. However, this was delayed due to the problems CERT
    was having with someone going by [the name] Hack4Life who seemed to
    have pretty direct access to security information going to vendors. It
    wasn't (and to the best of my knowledge, still isn't) clear where the
    leak actually was, but we had to consider at least the possibility
    that it was inside one of the vendors themselves. For this reason, we
    delayed release of the information to vendors in the hope that CERT
    could find and fix the problem. Our plan had been to go to vendors on
    Monday, 31 March ... whether or not they had succeeded.
    
    "However, some time on the night of Friday, 28 March, someone by the
    name of 'nag' posted a message to vulndiscuss [a mailing list] and
    full-disclosure asking about a 'rumor spreading about new Sendmail
    vulnerability.' That message included a patch to the problem we had
    been working on. However, the patch that was given was quite different
    from the one we had come up with, so we don't believe that the patch
    was a leak from ourselves. At this point we have no idea where it did
    come from--it could even have been independently found by someone who
    never reported it to us.
    
    "We decided to delay for a few hours so we could get some sleep, and
    we released on Saturday, 29 March. We knew that this was almost the
    worst possible time to release, but we felt that with the patch being
    distributed, it was only a matter of time before an exploit was
    created, and we had no idea if that would be hours, days, or even
    longer. As it turns out, I haven't seen an exploit in the wild today,
    almost a week later. Another security group [Internet Security
    Systems--ISS] has produced a proof-of-concept exploit, which we have
    not seen, but they did tell us that it was substantially harder to
    create than it would at first appear. Had we realized that an exploit
    was unlikely to have been released over the weekend, we might have
    delayed release until Monday, but we didn't know that at the time, and
    we felt that going out Saturday was as prudent as we could be. And
    that's what we know ..."
    
    So there you have it, another case of an unknown source somehow
    gaining access to private communications and leaking details to the
    public prematurely. Two weeks ago, I discussed this problem as it
    pertains to CERT in my Security UPDATE commentary, "Security Research:
    A Double-Edged Sword" (see the URL below). I think most people aren't
    sure why someone is intercepting communications and leaking details
    about security vulnerabilities. But we can easily see that it places a
    lot of networks at risk unnecessarily. Sooner or later, if we can't
    plug the information leaks, one could cause serious repercussions. The
    situation is both ironic and challenging: The process of finding
    security vulnerabilities and patching them before they're compromised
    has itself become compromised--and must now be patched.
       http://www.secadministrator.com/articles/index.cfm?articleid=38448
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: EXPERIENCE THE BENEFITS OF REAL TIME MONITORING ~~~~
       A proactive Security Administrator installed TNT Software's ELM
    Enterprise Manager 3.1 on his servers to assess the benefits of real
    time monitoring. Within days, EEM paged him when access to a
    confidential file was denied, sent him an instant message when the QoS
    of his Exchange Server began to drop, and automatically restarted a
    failed service. EEM was promptly purchased. Download your FREE
    evaluation copy today and experience how real time monitoring will
    benefit YOU.
       http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw07mN0Aj
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * DoS IN OPERA 7 AND NETSCAPE 7.02 BROWSERS
       Marc Schonefeld discovered a vulnerability in Opera 7 and Netscape
    7.02 Web browsers that can result in a Denial of Service (DoS)
    condition. The vulnerability stems from problems with JavaScript.
    Opera and Netscape haven't yet responded publicly to the problem.
       http://www.secadministrator.com/articles/index.cfm?articleid=38590
    
    * MAN-IN-THE-MIDDLE ATTACK ON MICROSOFT TERMINAL SERVICES
       Erik Forsberg discovered that Microsoft's RDP implementation of
    Terminal Services doesn't verify the server's identity when it sets up
    the encryption keys for the RDP session. This vulnerability can result
    in a potential man-in-the-middle (MITM) attack. Although Forsberg
    notified the company about this vulnerability on March 13, 2003,
    Microsoft hasn't yet responded publicly.
       http://www.secadministrator.com/articles/index.cfm?articleid=38589
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * JOIN THE HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW!
       Now is the time to start thinking of storage as a strategic weapon
    in your IT arsenal. Come to our 10-city Network Storage Solutions Road
    Show, and learn how existing and future storage solutions can save
    your company money--and make your job easier! There is no fee for this
    event, but space is limited. Register today!
       http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw07cD0AP
    
    * WINDOWS & .NET MAGAZINE CONNECTIONS: LEARN FROM THE WRITERS YOU KNOW
    AND TRUST
       Our event includes in-depth coverage by the world's top gurus on
    Windows security. Eye-opening sessions include Keeping Up with Service
    Packs and Security Patches, Implementing Security with Group Policy,
    Defending Your Networks by Planning Your Own "Hack Attack," Using
    Event Logs to Identify Intruder Activity, Securing Wireless LANs,
    Managing AD Security with ADSI and WSH, Making IIS a Secure Web
    Server, and more. Register today!
       http://list.winnetmag.com/cgi-bin3/flo/y/eQQg0CJgSH0CBw0KXQ0Al
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: REPORT: MOST USERS DO NOT TRUST MICROSOFT
       A recent Forrester Research survey brings an ugly truth to the
    forefront: The majority of IT administrators currently working with
    Microsoft products don't trust the company or believe it can produce
    secure software. According to the survey, 77 percent of respondents
    don't trust Microsoft but 90 percent still deploy Microsoft software
    in mission-critical applications.
       http://www.secadministrator.com/articles/index.cfm?articleid=38543
    
    * NEWS: MICROSOFT RELEASES WPA FOR XP TO STRENGTHEN WIRELESS SECURITY
       Microsoft announced the release of an update for Windows XP that
    introduces the Wi-Fi Protected Access (WPA) for stronger security over
    wireless LAN (WLAN) connections.
       http://www.secadministrator.com/articles/index.cfm?articleid=38556
    
    5. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: How Can I Enable or Disable the User's Ability to Change File
    Associations?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. You can configure the user's computer to enable or disable the
    ability to change file associations by performing the following steps:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    registry subkey to configure the computer for all users or navigate to
    the
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
    registry subkey to configure the computer for the current user. If
    neither subkey exists, open the Edit menu and select New, Key to
    create it.
       3. From the Edit menu, select New, DWORD Value.
       4. Enter the name NoFileAssociate.
       5. Set the value to 1 to disable the user's ability to change file
    associations (this setting doesn't affect Power Users and
    Administrators); a value of 0 or a missing value lets the user change
    file associations.
       6. Click OK.
       7. Close the registry editor.
       8. Restart the computer for the changes to take effect.
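    The same change can be scripted and audited rather than made by hand in
    the registry editor. The PowerShell script below is an added example; it
    is not part of John Savill's FAQ. It uses the HKLM subkey exactly as the
    FAQ gives it; for the per-user case it assumes the same Explorer subkey
    beneath HKCU\...\Policies (the FAQ names only the Policies subkey). The
    function names Set-NoFileAssociate and Get-NoFileAssociate are this
    example's own. Setting the Machine scope requires an elevated session.

```powershell
# Added example, not from the FAQ: apply and audit the NoFileAssociate
# policy described in the steps above.
# Assumption: the per-user key is HKCU\...\Policies\Explorer (the FAQ gives
# only ...\Policies for HKCU); the HKLM key is copied from the FAQ verbatim.

$Paths = @{
    Machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    User    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
}

function Set-NoFileAssociate {
    # $Disable = $true writes 1 (users cannot change file associations);
    # $Disable = $false writes 0 (users can). Mirrors FAQ steps 2 through 6.
    param(
        [ValidateSet('Machine', 'User')] [string] $Scope = 'Machine',
        [bool] $Disable = $true
    )
    $key = $Paths[$Scope]
    if (-not (Test-Path $key)) {
        # Step 2: the subkey may not exist yet; create it.
        New-Item -Path $key -Force | Out-Null
    }
    $value = if ($Disable) { 1 } else { 0 }
    # Steps 3-6: create or overwrite the DWORD value.
    Set-ItemProperty -Path $key -Name 'NoFileAssociate' -Value $value -Type DWord
    # Step 8: the FAQ says a restart is needed before the change takes effect.
    Write-Warning "Restart required for the $Scope scope change to take effect."
}

function Get-NoFileAssociate {
    # Audit helper: report the value in both scopes so an administrator can
    # confirm the policy is present. A missing value is reported as 'not set',
    # which per the FAQ behaves like 0.
    foreach ($scope in 'Machine', 'User') {
        $key = $Paths[$scope]
        $state = 'not set (users may change associations)'
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name 'NoFileAssociate' -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $state = switch ($item.NoFileAssociate) {
                    1       { '1 (users cannot change associations; Power Users and Administrators exempt)' }
                    0       { '0 (users may change associations)' }
                    default { "unexpected value $($item.NoFileAssociate)" }
                }
            }
        }
        [pscustomobject]@{ Scope = $scope; Key = $key; NoFileAssociate = $state }
    }
}

# Usage:
#   Set-NoFileAssociate -Scope Machine -Disable $true
#   Get-NoFileAssociate | Format-Table -AutoSize
```

    Get-NoFileAssociate is the part worth keeping: run it across a set of
    machines (for example through Invoke-Command) to confirm the policy is
    actually present where the procedure was applied, since a missing value
    silently behaves like 0.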
    
    6. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * LOCK DOWN SYSTEMS WITH USB KEY
       imagine LAN announced LockDown Key, software that turns any
    standard USB flash drive into a security key, protecting the system
    from illegal access and theft. You first establish an administrator
    logon ID and password on the target system, then prepare the key with
    the LockDown Key security preparation utility, which enables security
    parameters and generates the key. All other users and administrators
    are then locked out of the system. Creating new keys automatically
    invalidates old keys. LockDown Key supports Windows XP/2000, and it's
    expected to cost about $29 per device license when it ships this
    quarter. Contact imagine LAN at 800-372-9776 or 603-889-3883.
       http://www.imaginelan.com
    
    * SECURE ACCESS THROUGH WEB BROWSER
       Whale Communications released the e-Gap Remote Access Appliance
    Advanced Edition (AE), an integrated hardware/software appliance to
    protect corporate data that users access from Web browsers at
    untrusted locations such as airport kiosks and Internet cafes. The
    appliance uses Secure Sockets Layer (SSL) VPN technology, which
    doesn't require the client software that an IP Security (IPSec) VPN
    requires. Features include an attachment wiper to remove all
    information recorded by a browser during a session; nonintrusive user
    timeouts; a secure logoff to ensure that credentials aren't cached at
    the client machine; and forced periodic reauthentication to ensure
    that users reauthenticate regularly. Pricing for the e-Gap Remote
    Access Appliance AE starts at $23,000. Contact Whale Communications at
    877-659-4253 or 201-947-9177.
       http://www.whalecommunications.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    7. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Export Certificates to VPN Appliances
       (Three messages in this thread)
    
    A user wants to know whether anyone has used Microsoft Certificate
    Server to generate certificates for third-party VPN appliances. The
    user says he keeps stumbling over the problem that the private keys
    can't be exported, so he can't generate Public-Key Cryptography
    Standard #12 (PKCS#12) containers. Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=56943
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Apr 10 2003 - 03:05:55 PDT