[ISN] Windows & .NET Magazine Security UPDATE--May 21, 2003

From: InfoSec News (isnat_private)
Date: Wed May 21 2003 - 22:53:04 PDT


    ====================
    
    ==== This Issue Sponsored By ====
    RippleTech
       http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAOq0Ak
    
    Research in Motion
       http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAOr0Al
    (below IN FOCUS)
    
    ====================
    
    1. In Focus: Is Trustworthy Computing Trustworthy Yet?
    
    2. Security Risks
         - Arbitrary Code Execution Vulnerability in Microsoft WMP
         - Multiple Vulnerabilities in Cisco VPN 3000 Series VPN
           Concentrators
    
    3. Announcements
         - How Can You Reclaim 30% to 50% of Windows Server Space?
         - Guide to Securing Your Web Site for Business
    
    4. Security Roundup
         - News: New Technology for the Packet Police
         - News: Virtual Machine Security Melts in the Heat of Attack
         - News: It's a Worm, It's a Trojan Horse, It's a Keystroke 
           Logger. It's Fizzer
         - News: Hotmail and .NET Passport Open to Account Theft?
         - Feature: 5 Techniques for Establishing Highly Secure Systems
    
    5. Security Toolkit
         - Virus Center
         - FAQ: How Can I Track Network Users Who Use the Telnet Service
           to Remotely Log On to My Computer?
    
    6. Event
         - Security 2003 Road Show
     
    7. New and Improved
         - Install Turnkey Security Appliance Platform
         - Manage Digital Identities with PKI-Based Security
         - Submit Top Product Ideas
    
    8. Hot Thread
         - Windows & .NET Magazine Online Forums
             - Featured Thread: ISA Server Losing Persistent Route
    
    9. Contact Us
       See this section for a list of ways to contact us.
    
    ====================
    
    ==== Sponsor: RippleTech  ====
    
       Protect Your Company Now From the Trusted Intruder with Informant
       How do you find out if employees are abusing their privileges to
    access confidential corporate assets?  Most companies don't find out
    until it's too late.
       Informant is an internal security monitoring, auditing and
    reporting solution that tells you exactly what's happening on your
    network . . . from the inside!  Informant's granular data capture
    tracks an employee's every step and notifies you of suspicious
    activity.  Its robust reporting provides instant access to the
    critical information needed to minimize security risks.  Plus,
    Informant's sensitive file auditing can detect potential electronic
    theft of data.
       Find out now how you can protect your company's information assets
    against internal security threats with Informant today at:
       http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAOq0Ak
    
    ====================
    
    ==== 1. In Focus: Is Trustworthy Computing Trustworthy Yet? ====
       by Mark Joseph Edwards, News Editor, markat_private
    
    Microsoft recently launched the Windows Server 2003 OS. It's probably
    the company's best effort to date at rolling out a secure product. So
    far, no one has reported security problems with the new OS, but it's
    still early. Attackers haven't yet hammered on Windows 2003 enough to
    determine whether its armor has chinks.
    
    However, Microsoft's effort to establish itself as a maker of
    trustworthy computing products has encountered some other
    difficulties. As you'll learn from the news story "Hotmail and .NET
    Passport Open to Account Theft?" in this week's Security UPDATE,
    Microsoft Passport has an exploitable vulnerability. The Passport
    problem's simplicity shows that developers didn't think broadly enough
    about how attackers might try to subvert Passport security. Microsoft
    has corrected the problem, which is good--but I'm sure Passport
    account holders wonder whether the service contains other problems.
    
    The NTBugtraq mailing list recently brought to light a second
    trustworthiness problem--with the Windows Update service. Countless
    users rely on the service to obtain patches for their Microsoft
    products. On May 12, Bob Terry posted a message to the list stating
    that while he was patching systems, Windows Update began reporting
    back to his systems that no updates were available. He wondered
    whether the service was down.
    
    NTBugtraq Editor Russ Cooper posted a reply stating that many other
    users were reporting similar problems. After comparing notes with
    other users and checking further, Cooper posted another message to the
    list that summarizes his findings. He discovered that many users had
    to tweak various aspects of their systems and perform secondary or
    tertiary checks to determine whether their systems were up-to-date.
    Below you'll find what Cooper had to say, excerpted for brevity (you
    can read Cooper's entire post at the URL below):
       http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0305&L=ntbugtraq&F=P&S=&P=4505
    
    "For at least the past several days, Windows Update has been
    providing consumers with false information. Windows Update users would
    connect [and] initiate the scan. [The scan] would complete and inform
    [users that] their system needed no patches. Wonderful, a clean bill
    of health, or so the consumer thought.
    
    "In reality, some flaw in the Windows Update process has led it to
    conclude that a system in need of critical security patches is instead
    clean and good to go on the Internet. In other words, if the security
    check fails, tell consumers they're just fine and don't need anything
    ...
    
    "You wouldn't believe the number of individual [reports about problems
    with Windows Update] I've received. No doubt Microsoft receives far
    more than I do. I can't believe that huge corporations are having the
    problems they are, nor can I believe they haven't received a
    reasonable answer from Microsoft as to why the problems exist ...
    
    "If [those at Microsoft were] serious about beginning to tackle the
    trustworthiness of Microsoft, they'd have done something a year ago
    when I first called Windows Update a dog. See for yourself, look at my
    previous musings [see the URLs below], then tell me what's been fixed
    or improved. If, like me, you see nothing ... then the Trustworthy
    Computing Initiative once again gets an 'F'."
       http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6886
       http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6990
    
    Cooper makes some reasonable observations and valid points. If Windows
    Update doesn't behave properly, Microsoft should return a message
    stating that the service is experiencing a problem instead of
    returning the ambiguous message "no updates available."
    
    The Passport vulnerability and the Windows Update errors seem to
    reveal a lack of perspective on Microsoft's part. Granted, software
    will continue to have flaws. However, if we're to trust Microsoft's
    secure computing initiative as the company undoubtedly wants us to,
    then Microsoft's software and services must become more secure--and
    that security includes being more informative.
    
    What do you think? Is Trustworthy Computing trustworthy yet? Send me
    an email with your thoughts and experiences.
    
    ====================
    
    ==== Sponsor: Research in Motion  ====
    
       NEW BLACKBERRY SECURITY WHITE PAPER
       Prevent wireless handhelds from compromising your enterprise
    security!  Download the BlackBerry Security White Paper for Microsoft
    Exchange and learn how the BlackBerry security architecture addresses
    data encryption, corporate firewalls, lost devices, and other critical
    security concerns.
       http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAOr0Al
    
    ====================
    
    ==== 2. Security Risks ====
       contributed by Ken Pfeil, kenat_private
    
    Arbitrary Code Execution Vulnerability in Microsoft WMP
       Jouko Pynnonen and Jelmer discovered that a vulnerability in
    Windows Media Player (WMP) 8.0 and WMP 7.1 can result in the execution
    of arbitrary code on the vulnerable system. This vulnerability stems
    from a flaw in the way WMP handles the download of skin files. The
    flaw could let an attacker force a file (e.g., a malicious executable)
    masquerading as a skin file into a certain location on a user's
    machine. Microsoft has released Security Bulletin MS03-017 (Flaw in
    Windows Media Player Skins Downloading could allow Code Execution) to
    address this vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=38993
    
    Multiple Vulnerabilities in Cisco VPN 3000 Series VPN Concentrators
       Multiple vulnerabilities exist in the Cisco VPN 3000 Series
    Concentrator, the most serious of which can let an attacker access the
    internal hosts on the IP Security (IPSec) over TCP-configured ports.
    The other two vulnerabilities can result in a Denial of Service (DoS)
    condition on the VPN Concentrator. Cisco Systems has released an
    advisory and a fix for affected customers, which you can obtain from
    the company's Web site. The company recommends that customers upgrade
    to fixed software versions, as detailed in this documentation.
       http://www.secadministrator.com/articles/index.cfm?articleid=38994
    
    ==== 3. Announcements ====
       (from Windows & .NET Magazine and its partners)
    
    How Can You Reclaim 30% to 50% of Windows Server Space?
       Attend the newest Web seminar from Windows & .NET Magazine and
    discover the secrets from the experts. We'll also advise you on how to
    reduce storage growth and backups by 30% and how to reduce storage
    administration by 25% or more. There's no charge for this important
    Web event, but space is limited so register today!
       http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw06A10AB
    
    Guide to Securing Your Web Site for Business
       Download VeriSign's new whitepaper, "Guide to Securing Your Web
    Site For Business," and discover the practical business benefits of
    securing your Web site. You'll also learn more about the innovative
    processes and technologies VeriSign uses to address Internet security
    issues. Download your free copy now!
       http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw0BAMg0AY
    
    ==== 4. Security Roundup ====
    
    News: New Technology for the Packet Police
       Cisco Systems has introduced new technology that will let law
    enforcement agencies and ISPs police both networks and people.
    According to Cisco, one new capability already present in routers but
    not yet deployed is the ability to tap both IP telephony calls and
    data streams. Another is a new Bandwidth Processing Engine (BPE) for
    the company's uBR7246VXR Cable Modem Termination System (CMTS).
       http://www.secadministrator.com/articles/index.cfm?articleid=39020
    
    News: Virtual Machine Security Melts in the Heat of Attack
       Sudhakar Govindavajhala and Andrew W. Appel presented a paper at
    the 2003 IEEE Symposium on Security and Privacy that demonstrates a
    method of defeating security of virtual machine products such as
    Microsoft Virtual Machine (VM) and Sun Microsystems and IBM Java
    virtual machines. The men discovered that they could use a heat lamp
    to flip bits in memory chips, causing their own untrusted code to run
    within the virtual machine.
       http://www.secadministrator.com/articles/index.cfm?articleid=39024
    
    News: It's a Worm, It's a Trojan Horse, It's a Keystroke Logger. It's
    Fizzer
       A new worm, dubbed Fizzer, is spreading around the Internet through
    email and peer-to-peer (P2P) networks. Fizzer carries quite a hostile
    payload compared with past worms.
      http://www.secadministrator.com/articles/index.cfm?articleid=39016
    
    News: Hotmail and .NET Passport Open to Account Theft?
       According to a message posted by Muhammad Faisal Rauf Danka to the
    BugTraq mailing list, Microsoft's .NET Passport service is wide open
    to attackers who use a Passport user's Hotmail account to reset the
    password. Danka claims to have found a certain Passport URL that
    anyone can enter into a Web browser and thereby hijack a user's
    Passport account. Microsoft removed access to the vulnerable URL that
    Danka described.
       http://www.secadministrator.com/articles/index.cfm?articleid=39001
    
    Feature: 5 Techniques for Establishing Highly Secure Systems
       Microsoft has documented five TCP registry modifications you can
    implement to reduce a Windows 2000 system's vulnerability to Denial of
    Service (DoS) attacks and other common exploits. These techniques are
    suitable for Win2K systems connected to a WAN or the Internet and for
    sites operating under strict security controls. Read Paula Sharick's
    article on our Web site to learn about them.
       http://www.secadministrator.com/articles/index.cfm?articleid=25027
    
    
    ==== 5. Security Toolkit ====
    
    Virus Center
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    FAQ: How Can I Track Network Users Who Use the Telnet Service to
    Remotely Log On to My Computer?
       contributed by Randy Franklin Smith, rsmithat_private
    
    A. You need to first enable auditing for Audit logon events and Audit
    process tracking. Then, look in your event log for an event ID 592 (a
    new process has been created) for which the image base filename
    is tlntsess.exe. Note the Logon ID, and scan the event log for an
    event ID 528 (successful logon) with the same Logon ID. The User Name
    in event ID 528 identifies who logged on using the Telnet service.
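
    The correlation described in the answer above, as an added example that
    is not part of the original newsletter: it pairs each event ID 592 naming
    tlntsess.exe with the event ID 528 that carries the same Logon ID, and
    lists Telnet sessions whose logon event is missing. The export layout,
    account names, and Logon ID values are constructed for illustration.

```python
import re

# Constructed sample: simplified text export of Security log records. Only the
# fields the procedure uses are shown; the layout (blank line between records)
# and every account name and Logon ID value are assumptions for illustration.
SAMPLE_EXPORT = r"""
Event ID: 528
User Name: jsmith
Domain: CORP
Logon ID: (0x0,0x26D3F)

Event ID: 592
Image File Name: \WINNT\system32\tlntsess.exe
Logon ID: (0x0,0x26D3F)

Event ID: 592
Image File Name: \WINNT\system32\cmd.exe
Logon ID: (0x0,0x31A10)

Event ID: 592
Image File Name: \WINNT\system32\tlntsess.exe
Logon ID: (0x0,0x4F002)
"""


def parse_records(text):
    """Split the export on blank lines; each record becomes a field dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def telnet_logons(records):
    """Return (matched, unmatched) Telnet sessions keyed by Logon ID."""
    logons = {}  # Logon ID -> DOMAIN\user, taken from event ID 528
    for r in records:
        if r.get("Event ID") == "528" and "Logon ID" in r:
            logons[r["Logon ID"].lower()] = "{}\\{}".format(
                r.get("Domain", "?"), r.get("User Name", "?"))
    matched, unmatched = [], []
    for r in records:
        image = r.get("Image File Name", "").replace("/", "\\")
        if r.get("Event ID") != "592" or image.rsplit("\\", 1)[-1].lower() != "tlntsess.exe":
            continue
        logon_id = r.get("Logon ID", "").lower()
        if logon_id in logons:
            matched.append((logon_id, logons[logon_id]))
        else:
            unmatched.append(logon_id)  # 528 not in this export
    return matched, unmatched


if __name__ == "__main__":
    print(telnet_logons(parse_records(SAMPLE_EXPORT)))
```

    Logon IDs are unique only until the next restart, so feed the function
    records from a single boot session.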
    
    ==== 6. Event ====
    
    Security 2003 Road Show
       Join Mark Minasi and Paul Thurrott as they deliver sound security
    advice at our popular Security 2003 Road Show event.
       http://list.winnetmag.com/cgi-bin3/DM/y/eQ1s0CJgSH0CBw07Kz0AZ
    
    ==== 7. New and Improved ====
       by Sue Cooper, productsat_private
    
    Install Turnkey Security Appliance Platform
       14 South Networks announced IntraLock, a security appliance
    platform that lets you integrate several vendors' security
    applications into your servers without affecting the host platform.
    IntraLock is a turnkey solution that includes hardware that installs
    in a standard PCI slot, software, and centralized management. VPN work
    is performed on IntraLock, rather than on the server itself. IntraLock
    supports three security mechanisms: inbound, outbound, and data
    stream. IntraLock is available from Value Added Resellers (VARs) and
    systems integrators. Prices range from $2495 to $4495. Contact 14
    South Networks at 866-414-7688, 561-862-5100, or salesat_private
       http://www.14south.com
    
    Manage Digital Identities with PKI-Based Security
       Entrust released Entrust Authority Security Manager 7.0, a public
    key infrastructure (PKI)-based solution to manage the life cycles of
    certificate-based digital identities--consistently enabling
    encryption, digital signatures, and authentication capabilities across
    applications and platforms. This new version offers support for
    Microsoft smart card logon, additional key pair support for Encrypting
    File System (EFS), and improved support for Active Directory (AD).
    Enhanced policy control includes flexible storage options for digital
    identities, support for legally binding digital signatures, and
    flexible certificate lifetime policy. Improved audit and reporting
    capabilities now let you monitor status information to immediately
    address availability issues and format the reports using XML. Entrust
    Authority Security Manager 7.0 supports Windows and UNIX environments.
    Contact Entrust at 888-690-2424 or entrustat_private
       http://www.entrust.com
    
    Submit Top Product Ideas
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    ==== 8. Hot Thread ====
    
    Windows & .NET Magazine Online Forums
       http://www.winnetmag.com/forums
    
    Featured Thread: ISA Server Losing Persistent Route
       (Two messages in this thread)
    
    A user writes that he has Microsoft Internet Security and Acceleration
    (ISA) Server 2000, which he uses as a firewall, proxy, and VPN server.
    He had the same setup on Windows NT with Proxy Server 2.0 running. In
    that configuration, he never entered a default gateway in the IP
    settings of his local NIC. Instead, he entered a persistent route in
    the route table using the command shell "route" command. He has set up
    a new box with ISA Server and applied the same settings and theory he
    used with Proxy Server. However, he loses the persistent route every
    few days. When he uses the "route print" command, the route doesn't
    show up in the table. If he tries to add the route again using the
    "route -p add" command, he receives a response telling him that the
    route is already there. He wonders what the problem is. Lend a hand or
    read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58577
    
    ==== 9. Contact Us ====
    
    About the newsletter -- lettersat_private
    About technical questions -- http://www.winnetmag.com/forums
    About product news -- productsat_private
    About your subscription -- securityupdateat_private
    About sponsoring Security UPDATE -- emedia_oppsat_private
    
    ====================
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing Windows and related technologies. Subscribe
    today.
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


