[ISN] Windows & .NET Magazine Security UPDATE--June 25, 2003

From: InfoSec News (isnat_private)
Date: Thu Jun 26 2003 - 01:53:07 PDT

    ====================
    
    ==== This Issue Sponsored By ====
    
    SPI Dynamics
    http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3h0Am
    
    J.A. Korsmeyer, Inc.
    http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3f0Ak
    
    ====================
    
    1. In Focus: Legalizing "Hacking Back": A Comedy of Errors
    
    2. Security Risks
         - Cross-Site Scripting and Script-Injection Vulnerabilities in IE
    
    3. Announcements
         - Attend the Black Hat Briefings & Training, July 28-31 in Las
           Vegas
         - New Active Directory Web Seminar!
    
    4. Security Roundup
         - News: CERT Bulletin Leaked Early--Again
         - News: Microsoft Helps Improve Web Application Security
         - Feature: 3 Tiers for Your CA Hierarchy
    
    5. Instant Poll
         - Results of Previous Poll: Certifications and Hiring
         - New Instant Poll: Fighting Software Piracy
    
    6. Security Toolkit
         - Virus Center
         - FAQ: How Can I Enable Advanced File-System and Sharing Security
           for a Windows XP Machine in a Workgroup?
    
    7. Event
         - Storage Road Show Event Archived!
     
    8. New and Improved
         - Set Up Wireless and Wired Security with One Firewall
         - Submit Top Product Ideas
    
    9. Hot Thread
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Hardening the TCP/IP Stack
    
    10. Contact Us
       See this section for a list of ways to contact us.
    
    ====================
    
    ==== Sponsor: SPI Dynamics ====
    
    ALERT: "How a Hacker Uses SQL Injection to Steal Your Data"
    It's as simple as placing additional SQL commands into a Web Form input
    box giving hackers complete access to all your backend systems! Firewalls
    and IDS will not stop such attacks because SQL Injections are NOT seen as
    intruders. Download this *FREE* white paper from SPI Dynamics for a
    complete guide to protection!
       http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3h0Am
    
    ====================
    
    ==== 1. In Focus: Legalizing "Hacking Back": A Comedy of Errors ====
       by Mark Joseph Edwards, News Editor, markat_private
    
    You might have heard about the comments that US Senator Orrin Hatch of
    Utah made about fighting copyright piracy. In brief, Hatch advocates
    using Trojan horse technology to destroy the computers of people who
    are thought to have pirated copyrighted works more than twice.
    
    Hatch's sentiments echo ideas that those with vested interests in the
    entertainment industry have voiced before. He believes that we might
    find better ways to stop piracy. However, if stopping piracy takes
    destroying computers through Trojan horse code, he's for it. I think
    that the vast majority of you will agree that Hatch's ideas go against
    the ideals of democratic society.
    
    Such "hacking back," a form of vigilantism, involves several problems.
    First of all, catching and punishing criminals is work for law
    enforcement and judicial systems, not copyright holders. In addition,
    we currently have no way to determine from a remote location who's
    actually using a computer or how serial violations might occur.
    
    For example, one person could use a public computer, perhaps at a
    library or Internet cafe, to download files. If that person
    inadvertently or unknowingly downloads copyrighted data that wasn't
    authorized for public distribution, that's one strike against that
    computer. A second person might later make the same error. Under the
    ideas that Hatch supports, if a third person downloads copyrighted
    data not authorized for public use, the injured entity could destroy
    that computer with a Trojan horse, which the entity would probably
    launch from a remote location. Meanwhile, the library or Internet cafe
    would suffer a significant loss for something it did not "do."
    
    The idea makes little sense. I'm sure Hatch meant well in
    acknowledging software piracy as a serious problem; however, he
    doesn't seem to understand the underlying technical implications of
    this form of prevention. People have pointed out that destroying a
    computer used to download pirated material is akin to destroying the
    engine of a car because police caught the driver speeding in that car
    too often. The idea is to produce a financial loss in retaliation for
    a financial loss, but it amounts to punishing an inanimate
    technological object for the acts of its operators.
    
    The timing of Hatch's statements was rather ironic. According to a
    "Wired" report (see the first URL below), at the time the statements
    were made, Hatch's Web site was using unlicensed copyrighted
    JavaScript code to facilitate its menu system. (A notice posted on
    Milonic Solutions' Web site--see the second URL below--states that the
    license issue with Hatch's Web site has been resolved.) If Hatch's
    ideas became law, the computer running his Web site could have been
    destroyed and Hatch, a lawmaker, denied due process. I seriously doubt
    that he would have appreciated that.
       http://www.wired.com/news/politics/0,1283,59305,00.html
       http://www.milonic.co.uk/menu/
    
    According to "Wired," the JavaScript code on Hatch's Web site belongs
    to Milonic Solutions, whose menuing-system code was (at the time of
    this writing) being used without license across large parts of
    Continental Airlines' Web site. Furthermore, according to Milonic
    Solutions, someone had stripped all copyright notices from the menuing
    code Continental uses. Imagine the impact if a Trojan horse were
    legally unleashed to destroy Continental's computers. Make any sense
    to you?
    
    Many copyright holders need a way to better control unauthorized
    duplication of their works. But using Trojan horses to destroy
    computers isn't a good answer. Microsoft's Digital Rights Management
    (DRM) technology might help when it comes to certain types of data.
    But if someone really wants to pirate copyrighted materials (e.g.,
    code, multimedia, documents), current computer technology--including
    DRM--simply can't prevent that piracy 100 percent of the time. Quite a
    dilemma.
    
    ====================
    
    ==== Sponsor: J.A. Korsmeyer, Inc. ====
     
    Microsoft recommends Extensible Messaging Platform for Exchange Server
    2003 spam protection
        "Microsoft is pleased to be working with J.A. Korsmeyer, Inc., to
    build exciting new security solutions for Exchange Server 2003," said
    Chris Baker, group product manager for Exchange at Microsoft Corp.
    "Deploying Exchange Server 2003 with Extensible Messaging Platform
    will help e-mail users enjoy an increased sense of security and
    freedom from intrusive content while conducting their daily e-mail
    tasks. The elimination of objectionable content translates to lower
    TCO, decreased liability and increased productivity." Extensible
    Messaging Platform also supports Exchange Server 5.5 and 2000.
       http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3f0Ak
    
    ====================
    
    ==== 2. Security Risks ====
       contributed by Ken Pfeil, kenat_private
    
    Cross-Site Scripting and Script-Injection Vulnerabilities in IE
         Two new vulnerabilities in Microsoft Internet Explorer (IE) can
    result in the execution of arbitrary code on the vulnerable system.
    The cross-site scripting vulnerability results from IE not filtering a
    displayed URL properly and might cause the browser to render HTML
    passed in the querystring of the URL. The script-injection
    vulnerability results from a flaw in a common function that internal
    resources use. An attacker can exploit this flaw to execute script
    commands in the My Computer zone. Microsoft was notified on February
    20, 2003, but hasn't yet released a fix for these problems.
       http://www.secadministrator.com/articles/index.cfm?articleid=39344
    
    ==== 3. Announcements ====
       (from Windows & .NET Magazine and its partners)
    
    Attend the Black Hat Briefings & Training, July 28-31 in Las Vegas
       This is the world's premier technical IT security event, with lots
    of Windows sessions! 10 tracks, 15 training sessions, 1800 delegates
    from 30 nations including all of the top experts from CSOs to
    "underground" security specialists. See for yourself what the buzz is
    all about! Early-bird registration ends July 3. This event will sell
    out.
       http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0pHV0AW
    
    New Active Directory Web Seminar!
       Discover how to securely manage Active Directory (AD) in a
    multiforest environment, establish attribute-level auditing without
    affecting AD performance, enhance secure permission management with
    "Roles," and more! There's no charge for this event but space is
    limited--register today!
       http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BAyl0A1
    
    ==== 4. Security Roundup ====
    
    News: CERT Bulletin Leaked Early--Again
       An anonymous person has again posted vulnerability information
    gleaned from CERT.
       http://www.secadministrator.com/articles/index.cfm?articleid=39320
    
    News: Microsoft Helps Improve Web Application Security
       Microsoft announced the release of a new guide, "Improving Web
    Application Security: Threats and Countermeasures," designed to help
    developers create intrusion-resistant applications.
       http://www.secadministrator.com/articles/index.cfm?articleid=39321
    
    Feature: 3 Tiers for Your CA Hierarchy
       Joseph Neubauer explains why setting up a three-tiered Certificate
    Authority (CA) hierarchy is usually a better approach than using a
    one- or two-level CA. Check the article out on our Web site!
       http://www.secadministrator.com/articles/index.cfm?articleid=39244
    
    ==== Hot Release ====
    
    St Bernard Software
    Network Protection Kit For IT Professionals
    Make your network more secure than ever before, and download St. Bernard
    Software's FREE Network Protection Kit! It was designed to show you how
    to handle security patch management, enforce Web usage policies, prevent
    data loss during backup due to open files. . . And that's just for starters!
    IT pros like you will get the latest information on hot-button technology
    issues including patch management! Get information-packed White Papers,
    real-life success stories and complete product information.
       http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3g0Al
    
    ====================
    
    ==== 5. Instant Poll ====
    
    Results of Previous Poll: Certifications and Hiring
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Does your company hire IT administrators based on certifications?"
    Here are the results from the 164 votes.
       -  2% We hire based largely on certifications
       - 18% We hire based on certifications and experience
       - 51% We consider certifications secondary to work experience
       - 29% We hire based only on proven experience
    
    New Instant Poll: Fighting Software Piracy
       The next Instant Poll question is, "Do you think legalizing the
    destruction of software pirates' computers is a reasonable course of
    action?" Go to the Security Administrator Channel home page and submit
    your vote for a) Yes or b) No.
       http://www.secadministrator.com
    
    ==== 6. Security Toolkit ====
    
    Virus Center
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    FAQ: How Can I Enable Advanced File-System and Sharing Security for a
    Windows XP Machine in a Workgroup?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. When an XP machine belongs to a domain with shared resources, a
    Security tab appears on the Properties dialog box for the file,
    folder, or share. You can use this tab to assign advanced sharing
    permissions. However, this tab is missing for XP machines that belong
    to a workgroup.
    
    A new feature in XP effectively logs all remote logons in a workgroup
    as Guest, regardless of the account and password credentials that the
    remote computer passes. (This approach avoids the need for different
    machines in a workgroup to replicate local accounts, which is the
    method Windows 2000 uses to enable transparent sharing.) XP locks down
    the Everyone group (to which Guest belongs) permissions, which cuts
    down on the security problems that an enabled Guest account in Win2K
    caused. Because all machines in a workgroup are effectively Guest
    connections, the advanced security features aren't very useful, which
    is why Microsoft disabled them in XP.
    
    If you want to enable advanced file-system and sharing security, you
    must disable the ForceGuest registry setting by performing the
    following steps:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry
    subkey.
       3. Double-click forceguest, set it to 0, then click OK.
       4. Restart the computer for the change to take effect.
    
    If you disable the Guest account but enable the ForceGuest setting,
    remote connections will fail, regardless of the username and password
    the user passes in--even if these credentials are valid.
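    As an added example (not from the FAQ, John Savill, or Microsoft), the
    following PowerShell script reads the forceguest value under the Lsa
    subkey named in the steps above, checks whether the local Guest account
    is disabled, flags the failing combination described in the previous
    paragraph, and clears forceguest as in step 3. It assumes an elevated
    session on the workgroup machine and that the WinNT ADSI provider can
    read the local Guest account.

```powershell
# Added example, not from the newsletter or from Microsoft: report the
# ForceGuest state described in the FAQ, flag the Guest-disabled plus
# ForceGuest-enabled combination that makes every remote connection fail,
# and switch to the classic model (forceguest = 0) when needed.
# Assumes an elevated PowerShell session on the workgroup machine.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-ForceGuestReport {
    # forceguest = 1 is the "Guest only" sharing model; 0 is "Classic", which
    # restores the Security tab and per-user share and NTFS permissions.
    # This is the same setting the Local Security Policy UI shows as
    # "Network access: Sharing and security model for local accounts".
    $item = Get-ItemProperty -Path $LsaKey -Name forceguest -ErrorAction SilentlyContinue
    $forceGuest = if ($null -eq $item) { $null } else { [int]$item.forceguest }

    # Local Guest account state via the WinNT ADSI provider, which works on a
    # workgroup machine without any extra module. Unroll the property in case
    # the provider returns a collection rather than a plain Boolean.
    $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    $guestDisabled = [bool]($guest.AccountDisabled | Select-Object -First 1)

    [pscustomobject]@{
        ForceGuest         = $forceGuest
        GuestDisabled      = $guestDisabled
        # The FAQ's failure mode: every remote logon is mapped to Guest, but
        # Guest cannot log on, so even valid credentials are rejected.
        RemoteAccessBroken = ($forceGuest -eq 1 -and $guestDisabled)
    }
}

function Disable-ForceGuest {
    # Step 3 of the FAQ; the change still needs a restart to take effect.
    Set-ItemProperty -Path $LsaKey -Name forceguest -Value 0 -Type DWord
    Write-Warning 'forceguest set to 0; restart the computer for the change to take effect.'
}

$report = Get-ForceGuestReport
$report | Format-List

if ($report.RemoteAccessBroken) {
    Write-Warning 'ForceGuest is on but Guest is disabled: remote connections will fail even with valid credentials.'
}
if ($report.ForceGuest -eq 1) {
    Disable-ForceGuest
}
```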
    
    ==== 7. Event ====
    
    Storage Road Show Event Archived!
       Couldn't make the HP & Microsoft Network Storage Solutions Road
    Show? View the taped event archives from your Web browser!
       http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw07cD0Ai
    
    ==== 8. New and Improved ====
       by Sue Cooper, productsat_private
    
    Set Up Wireless and Wired Security with One Firewall
       WatchGuard Technologies announced the Firebox SOHO 6 Wireless, a
    line of firewall/VPN appliances that provide wireless and wired
    security for small businesses, remote offices, and telecommuters.
    Features include an integrated 802.11b Wireless Access Point (WAP),
    four-port LAN 10/100 switch, remote management from a central
    location, dynamic DNS (DDNS) support, desktop antivirus, meshed VPN
    topology, and an intuitive Web-based UI for configuration. Users are
    required to set up security on the Firebox SOHO 6 Wireless before
    enabling the wireless connection in order to ensure the network is
    protected from the outset. Each of the three Firebox SOHO 6 Wireless
    family models includes a 90-day renewable subscription to WatchGuard's
    LiveSecurity Service, for systematic updates and security
    intelligence. Contact WatchGuard Technologies at 206-521-8340 or
    informationat_private
       http://www.watchguard.com
    
    Submit Top Product Ideas
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    ==== 9. Hot Thread ====
    
    Windows & .NET Magazine Online Forums
       http://www.winnetmag.com/forums
    
    Featured Thread: Hardening the TCP/IP Stack
       (Five messages in this thread)
    
    A user writes that his company has several security measures in place
    through Group Policy, as well as certain ACL adjustments that include
    the registry on his servers. His servers are also protected by a
    firewall. In the past, he's hardened the stack for servers sitting in
    the demilitarized zone (DMZ) that have direct connections to the
    Internet, but not for member servers. He wants to know whether it's a
    good idea for him to also harden his member servers' TCP/IP stacks.
    Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=59755
    
    ==== Sponsored Links ====
    
    FaxBack
       Integrate FAX into Exchange/Outlook (Whitepaper, ROI, Trial)
       http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BAoJ0AI
    
    AutoProf
       Jerry Honeycutt Desktop Deployment Whitepaper
       http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA1Z0AW
    
    ===================
    
    ==== 10. Contact Us ====
    
    About the newsletter -- lettersat_private
    About technical questions -- http://www.winnetmag.com/forums
    About product news -- productsat_private
    About your subscription -- securityupdateat_private
    About sponsoring Security UPDATE -- emedia_oppsat_private
    
    ====================
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing Windows and related technologies. Subscribe
    today.
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org