[ISN] Security UPDATE, April 30, 2003

From: InfoSec News (isnat_private)
Date: Thu May 01 2003 - 00:58:51 PDT


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows Server 2003, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    HFNetChkLT-FREE Patch Mgmt on 50 CPUs. No Timeouts!
       http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw076e0Ab
    
    HP & Microsoft Network Storage Solutions Road Show
       http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw07cD0An
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: HFNetChkLT-FREE PATCH MGMT ON 50 CPUS. NO TIMEOUTS! ~~~~
       Introducing NEW Shavlik HFNetChkLT -- the FREE version of the new
    HFNetChkPro 4.0, an automated scanning and remediation solution from
    Shavlik, the developers of HFNetChk and MBSA for Microsoft. It
    includes loads of new features that save time for busy security
    professionals while offering greater enterprise security. HFNetChkPro
    4.0 automates patch remediation for Microsoft Office, Windows Server
    2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Its
    intuitive Drag-n-Drop Patch Management interface allows you to
    precisely control which groups will be scanned, by what criteria and
    when and how patches are deployed. Visit www.shavlik.com to download
    it!
       http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw076e0Ab
    ~~~~~~~~~~~~~~~~~~~~
    
    April 30, 2003--In this issue:
    
    1. IN FOCUS
         - The Legal Liability of Information Security
    
    2. SECURITY RISKS
         - Multiple Vulnerabilities in Microsoft IE
         - MHTML Arbitrary Code Execution in Microsoft Outlook Express
         - Buffer Overflow in Cisco ACS for Windows
    
    3. ANNOUNCEMENTS
         - Get Armed with the Same Security Protection Used by the
           Department of Defense!
         - Microsoft TechEd 2003, June 1-6, Dallas, TX
    
    4. SECURITY ROUNDUP
         - News: NetVision Helps Patrol NetWare Servers
         - News: Microsoft Releases Windows Server 2003 Resource Kit Tools
         - News: Microsoft Partners with Storage Industry for Enhanced
           Storage Security
         - Feature: Protect Your Network from Intrusion
    
    5. INSTANT POLL
         - Results of Previous Poll: Windows Server 2003
         - New Instant Poll: Cyber-Insurance
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Audit Users Who Start and Stop Services?
    
    7. NEW AND IMPROVED
         - Protect Back-End Storage
         - Secure Enterprise Applications
         - Submit Top Product Ideas
    
    8. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: How Do I Establish a Cisco VPN Tunneling
               Solution?
         - HowTo Mailing List
             - Featured Thread: Are MAILTO and POST Safe for Transactions?
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * THE LEGAL LIABILITY OF INFORMATION SECURITY
    
    In last week's Security UPDATE commentary, I discussed the changing
    legal landscape regarding security. I have a bit more to say about the
    subject. The SysAdmin, Audit, Network, Security (SANS) Institute
    recently offered the Webcast "Legal Liability For Information
    Security: Ask the Experts." If you didn't tune in, you missed some
    interesting perspectives. (For a rebroadcast of the SANS Webcast,
    visit the URL below. Register and follow the instructions to access
    the show in the archives.)
       http://www.sans.org/webcasts/042303.php
    
    In one segment of the Webcast, attorney Marc Zwillinger offered his
    opinions about how torts will soon affect companies based on their
    information security practices (or the lack thereof). Without getting
    into complicated legal interpretations, a tort is, roughly, a civil
    wrong: an act or omission, committed willfully or through negligence,
    that causes injury or damage to another party, who can then sue for it.
    
    In the past, to get into trouble in the arena of information security,
    you typically had to break the law or breach a contract. Legal experts
    now think we'll start to see litigants suing entities civilly in tort
    over their security practices--and, depending on the circumstances,
    perhaps even prosecutors bringing criminal charges.
    
    For example, if your company is aware that it runs an open mail relay,
    and a spammer uses your mail system to send email in a way that causes
    harm or damage to another entity, your company has effectively
    committed a tort and might be found liable in a court of law. In
    another example, if you don't properly secure private user or customer
    information and that information becomes compromised, you might be
    held liable for civil damages.
    
    In the United States, almost anyone can sue someone else for almost
    any reason. So staying out of court might become increasingly
    difficult in some security-related instances. The legal experts note
    several ways you can help prevent litigation regarding your
    information security.
    
    One of the key factors in determining liability is whether you've
    taken reasonable steps toward keeping your systems and information
    secure. Another factor is how you respond to security incidents. These
    factors will probably determine whether and how you're found liable in
    the event that someone brings a legal action against you or your
    company. How you handle those matters--which steps you've taken to
    keep information secure and how you respond to security
    incidents--might also affect whether you qualify for cyber-insurance.
    
    When asked which were the most important security-related steps to
    take, members of the legal panel recommended that you explicitly
    assign responsibilities for security matters, put those assignments in
    writing, and have the responsible parties sign them physically,
    digitally, or both. You should take appropriate action before
    something becomes a problem for your business. You must be aware of
    the different layers of law under which you operate (local, county,
    state, federal, international) and respond to requirements
    accordingly. Find a capable lawyer to help ensure you aren't caught
    off guard. Finally, be sure you assign access rights and
    responsibilities carefully, after assessing people's skill levels and
    their need for access relative to their specific tasks and your
    business needs. Doing so can help avoid liabilities stemming from
    negligence.
    
    Do the insurance and the legal industries seem poised to start
    steering the information security industry more directly toward what
    it must do and how to do it? Will a day come when people won't be able
    to connect to the Internet without a proper license and
    cyber-insurance of some sort? I hope such potential changes won't
    occur--at least until after the day that computer software and
    hardware vendors become legally liable for defective products. I think
    many people agree that, like automobiles, software and hardware should
    have both better "precautionary devices" and more knowledgeable
    "drivers."
    
    In any case, it's clear that your company's security practices must be
    stated, assigned, and carried out to keep your company out of court in
    case of a mishap. You should know which security elements will come
    into play when courts make decisions about liability and take steps to
    address those elements--not only to avoid litigation but also to
    protect your company, its customers, and you.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW ~~~~
        TIME IS RUNNING OUT TO CATCH OUR STORAGE ROAD SHOW!
        Attend the HP & Microsoft Network Storage Solutions Road Show, and
    learn how existing and future storage solutions can save your company
    money--and make your job easier! Attendees have lots of chances to win
    incredible prizes. There is absolutely no fee for this event, but
    space is limited. We've just added Minneapolis to our list of cities,
    so register now!
       http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw07cD0An
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT IE
       Mark Litchfield of Next Generation Security Software (NGSSoftware),
    Andreas Sandblad, and Jouko Pynnonen of Oy Online Solutions discovered
    that Microsoft Internet Explorer (IE) 6.0, IE 5.5, and IE 5.01 contain
    four vulnerabilities, the most serious of which can result in the
    execution of arbitrary code on the vulnerable system. Microsoft has
    released Security Bulletin MS03-015 (Cumulative Patch for Internet
    Explorer) to address these vulnerabilities and recommends that
    affected users immediately apply the appropriate patch mentioned in
    the bulletin. For more details about these problems as well as links
    to the bulletin visit our Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=38781
    
    * MHTML ARBITRARY CODE EXECUTION IN MICROSOFT OUTLOOK EXPRESS
       Microsoft reported a vulnerability in Microsoft Outlook Express 6.0
    and Outlook Express 5.5 that can result in the execution of arbitrary
    code on the vulnerable system. The vulnerability is a flaw in the MIME
    Encapsulation of Aggregate HTML (MHTML) URL handler. Outlook Express
    installs that handler and Internet Explorer (IE) also uses it, so a
    system is exposed through the browser even if nobody on it reads mail
    with Outlook Express. To exploit the flaw, an attacker constructs an
    MHTML URL and either hosts it on a Web site or sends it by email. In
    the Web-based scenario, when a user clicks the site-hosted URL, the
    attacker can read or launch files already present on the local
    machine. Microsoft has released Security Bulletin MS03-014 (Cumulative
    Patch for Outlook Express) to address this vulnerability and recommends
    that affected users immediately apply the patch mentioned in the
    bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=38780
    
    * BUFFER OVERFLOW IN CISCO ACS FOR WINDOWS
       Cisco Secure ACS for Windows contains a buffer-overflow condition
    that can permit a Denial of Service (DoS) attack or the execution of
    arbitrary code on the ACS host. The problem lies in the logon handling
    of the CSAdmin Web-based administration service, which listens on TCP
    port 2002. Cisco Systems recommends that customers either upgrade to
    repaired versions of Cisco Secure ACS or restrict access to the
    management interface. If you can't upgrade right away, filter TCP port
    2002 at the firewall or on the host so that only trusted administrative
    stations can reach it; because the flaw is in the logon handling
    itself, an attacker needs no valid ACS account to trigger it, so
    leaving the port reachable from the network at large is not an option.
    Cisco has released a bulletin and free upgrades, which you can
    download from the company's Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=38778
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * GET ARMED WITH THE SAME SECURITY PROTECTION USED BY THE DEPARTMENT
    OF DEFENSE!
       Computer security is a top priority for organizations and
    individuals because you don't want to leave confidential data open to
    intrusion. Now, individuals can get the same protection offered for
    corporate and government networks. For $69.95 Harris STAT Scanner Home
    Edition enables you to accurately identify and eliminate security
    deficiencies.
       http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw082R0AF
    
    * MICROSOFT TECHED 2003, JUNE 1-6, DALLAS, TX
       Realize your potential at TechEd 2003, Microsoft's premier
    technical conference. Join network administrators, developers,
    architects, and messaging/security specialists for sessions on Windows
    Server 2003, Visual Studio .NET 2003, and all .NET developer
    languages. 350+ technical sessions, hands-on labs, free betas, demos.
    Don't miss this opportunity; make sure to register today!
       http://list.winnetmag.com/cgi-bin3/DM/y/eQig0CJgSH0CBw08vb0Ad
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: NETVISION HELPS PATROL NETWARE SERVERS
       NetVision announced a new product that fills a need for Fortune 500
    and Fortune 1000 companies: eDirectory Policy Manager Knowledge Module
    for PATROL. The module is an intrusion prevention and remediation
    solution that integrates BMC Software's PATROL management platform and
    Novell NetWare servers. NetVision will comarket the new knowledge
    module with BMC Software.
       http://www.secadministrator.com/articles/index.cfm?articleid=38763
    
    * NEWS: MICROSOFT RELEASES WINDOWS SERVER 2003 RESOURCE KIT TOOLS
       Microsoft released its free set of resource kit tools for Windows
    Server 2003. The "Microsoft Windows Server 2003 Resource Kit" includes
    utilities that administrators, developers, and power users can use to
    manage Active Directory (AD), group policy, TCP/IP networks, the
    registry, security, scalability, and many other aspects of the Windows
    2003 OS. The resource kit tools run on Windows XP and any member of
    the Windows 2003 family of products.
     
     http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=38747
    
    * NEWS: MICROSOFT PARTNERS WITH STORAGE INDUSTRY FOR ENHANCED STORAGE
    SECURITY
       Microsoft has announced plans to help enhance Storage Area Network
    (SAN) security. The company is working with the storage industry to
    promote the adoption of the Internet Engineering Task Force (IETF)
    standard Remote Authentication Dial-In User Service (RADIUS) protocol,
    which is part of its Windows Server 2003 and Windows 2000 OS platforms
    and integrates with Active Directory (AD). Microsoft's industry
    partners for RADIUS include SAN fabric vendors such as Brocade
    Communications Systems, McDATA, and QLogic.
       http://www.secadministrator.com/articles/index.cfm?articleid=38753
    
    * FEATURE: PROTECT YOUR NETWORK FROM INTRUSION
       When you think about intrusion detection, consider a modern
    paraphrase of an old question: "If an attack occurs on your network
    and no one knows about it, did the attack really occur?" Detecting
    attacks on your network is crucial, but doing so is also difficult.
    That's where intrusion detection comes in. Intrusion detection is
    important, especially in a multilayered defense-in-depth strategy. To
    learn more about intrusion detection, read Jason Harper's article on
    our Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=24650
    
    5. ==== INSTANT POLL ====
     
    * RESULTS OF PREVIOUS POLL: WINDOWS SERVER 2003
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Will your company upgrade to Windows Server 2003 for better
    security?" Here are the results from the 203 votes.
       - 31% Yes--within 1 year
       - 10% Yes--within 2 years
       -  8% Yes--within 3 years
       - 21% Not sure
       - 30% No
     
    * NEW INSTANT POLL: CYBER-INSURANCE
       The next Instant Poll question is, "Does your company have
    cyber-insurance?" Go to the Security Administrator Channel home page
    and submit your vote for a) Yes--We have it, b) No--But we plan to
    obtain it, c) No--We won't get it until it's required by law, or d)
    No.
       http://www.secadministrator.com
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I AUDIT USERS WHO START AND STOP SERVICES?
       (contributed by Randy Franklin Smith, rsmithat_private)
    
    A: Like files and folders, services are securable objects, and every
    securable object has a security descriptor. One part of a service's
    security descriptor is the system ACL (SACL), which lists the accesses
    to the object that Windows should audit. The Services snap-in has no
    Security tab, so the graphical way to view or change a service's SACL
    is through a security template (the same System Services node also
    appears under Security Settings in Group Policy).
       To reach the security templates, log on to the server and open the
    Microsoft Management Console (MMC) Security Templates snap-in. To
    create a new template, right-click the security templates path and
    select New Template. Open the new template, click System Services,
    then double-click the appropriate service (e.g., Telnet). Select the
    "Define this policy setting in the template" check box, then click
    Edit Security to open the Security for Telnet dialog box. The
    Permissions list in this dialog box is the service's discretionary ACL
    (DACL), which you can use to fine-tune who has start and stop
    authority; click Advanced and use the Auditing tab to add the SACL
    entries that name the accounts and accesses (Start, Stop, Pause and
    Continue) you want logged. Two things must also be true before any
    event appears: the template has to be applied (with the Security
    Configuration and Analysis snap-in or secedit /configure, or by
    deploying the same setting through Group Policy), and the Audit object
    access policy under Local Policies, Audit Policy must be enabled on
    that server. Each audited start or stop then shows up in the Security
    log as an Object Access event (event ID 560 on Windows 2000, Windows
    XP and Windows Server 2003) with an object type of SERVICE OBJECT, the
    service name, the user who issued the control, and the access that was
    requested. To read the complete answer to this question and view screen
    shots of the dialog boxes, be sure to visit the URL below.
       http://www.secadministrator.com/articles/index.cfm?articleid=24669
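    As an added example (it is not part of the FAQ or of Microsoft's
    documentation), the same audit entry can be placed on a service's SACL
    from the command line with the sc.exe sdshow and sdset subcommands,
    which read and write the service's security descriptor in Security
    Descriptor Definition Language (SDDL). The script then checks the one
    thing the template dialog box won't tell you: whether Audit object
    access is enabled on the server. The service name TlntSvr (the Telnet
    service the FAQ uses) and the choice to audit Everyone are
    illustrative assumptions; run it from an elevated PowerShell prompt on
    the server being configured.

```powershell
# Added example (not from the newsletter or from Microsoft): put an audit entry on a
# service's SACL with sc.exe instead of a security template, then confirm that the
# "Audit object access" policy is enabled, without which the SACL logs nothing.
# Assumptions: run from an elevated PowerShell prompt on the server itself; the service
# name 'TlntSvr' (the Telnet service the FAQ uses) and the choice to audit Everyone are
# illustrative. Use sc.exe explicitly: in PowerShell, 'sc' alone is an alias for Set-Content.
$ServiceName = 'TlntSvr'

# sc.exe sdshow prints the service's security descriptor on one line in SDDL form, e.g.
#   D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;...;;;WD)
# D: introduces the DACL (permissions), S: the SACL (auditing). Each (...) is one ACE.
$sddl = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
if (-not $sddl) { throw "sc.exe sdshow returned no descriptor for '$ServiceName' (exit code $LASTEXITCODE)" }
$sddl = $sddl.Trim()

# Audit ACE: AU = system-audit entry; SA and FA = record successful and failed attempts;
# RP = SERVICE_START, WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE; WD = Everyone.
$AuditAce = '(AU;SAFA;RPWPDT;;;WD)'

if ($sddl.Contains($AuditAce)) {
    Write-Host "SACL of $ServiceName already contains $AuditAce; nothing to change."
} else {
    # In sdshow output the S: section, when present, is last, so appending to the string
    # extends the existing SACL; otherwise start a SACL section.
    if ($sddl -match 'S:') { $sddl += $AuditAce } else { $sddl += "S:$AuditAce" }

    # sdset replaces the whole descriptor, so the DACL read above is written back unchanged.
    sc.exe sdset $ServiceName $sddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
    Write-Host "Added $AuditAce to the SACL of $ServiceName."
}
Write-Host 'Current descriptor:'
sc.exe sdshow $ServiceName

# A SACL is inert unless object-access auditing is on. secedit exports the effective local
# policy; in the [Event Audit] section AuditObjectAccess is 0 (off), 1 (success),
# 2 (failure) or 3 (success and failure).
$cfg = Join-Path $env:TEMP 'audit-policy.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^AuditObjectAccess\s*=' } | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$level = if ($line -and $line -match '=\s*(\d)') { $Matches[1] } else { '0' }
if ($level -eq '0') {
    Write-Warning 'Audit object access is disabled on this server; the SACL will produce no Security log events until it is enabled.'
} else {
    Write-Host "Audit object access = $level (1 = success, 2 = failure, 3 = both); audited controls will appear as Object Access events."
}
```

    sdset writes the entire descriptor you hand it, which is why the
    script starts from the sdshow output and appends to it rather than
    supplying a SACL by itself. The SA and FA flags are what make the entry
    an audit entry for both outcomes; a policy of FA alone, as many default
    service descriptors carry, records only refused attempts and would
    never show you who successfully stopped a service.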
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * PROTECT BACK-END STORAGE
       NeoScale Systems released CryptoStor FC, a wire-speed storage
    security appliance for data storage access, transport, and privacy.
    Fully transparent, the inline storage appliance inspects storage
    traffic and applies data access controls and encryption to the data
    payload at gigabit rates. CryptoStor FC lets you centrally manage
    hundreds of storage data security policies without performance
    degradation. CryptoStor FC uses two-factor smart card authentication
    to secure remote, role-based administration. Platform- and
    application-independent, the appliance can be deployed with the Fibre
    Channel fabric, in front of storage subsystems, and behind storage
    gateways. CryptoStor FC prices start at $35,000. Contact NeoScale
    Systems at 408-586-1300 or infoat_private
       http://www.neoscale.com
    
    * SECURE ENTERPRISE APPLICATIONS
       Entrust announced Entrust Entelligence Security Provider 7.0 to
    secure desktop applications that leverage the Windows security
    framework, including their files and forms, eforms, email, VPNs, and
    wireless LANs (WLANs). With a "footprint" of less than 1MB and a
    customizable installation that leverages Windows-installer technology,
    Security Provider 7.0 lets your users access their enterprise
    applications with a single logon. Security Provider provides strong
    authentication between a Web server and an end user, protecting access
    to both Web and desktop applications. A simple self-service feature
    lets users recover file keys and encrypted messages if they forget
    their passwords. Entrust Entelligence Security Provider 7.0 supports
    Windows XP/2000/NT systems that support 128-bit encryption. Contact
    Entrust at 888-690-2424 or entrustat_private
       http://www.entrust.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    8. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: How Do I Establish a Cisco VPN Tunneling Solution?
       (Three messages in this thread)
    
    A user wants to let his five remote users access the company network
    from the users' ISP dial-up connections in various states around the
    country. The users could then use Microsoft Outlook natively to manage
    such functions as correspondence and contacts. His network uses a
    Cisco Systems PIX Firewall, and he needs some guidance on how to
    implement a VPN tunneling solution on the firewall. He wants to know
    whether he can simply install the Cisco VPN client software on the
    remote users' machines or whether the firewall will need some special
    configuration also. Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=57909
    
    * HOWTO MAILING LIST
       http://63.88.172.96/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Are MAILTO and POST Safe for Transactions?
       (Three messages in this thread)
    
    A user wants to know what the dangers are of someone sending a credit
    card number over the Internet using MAILTO and POST links. Read the
    responses or lend a hand at the following URL:
     
     http://63.88.172.96/listserv/page_listserv.asp?A2=IND0301E&L=HOWTO&P=281
     
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu May 01 2003 - 03:11:29 PDT