[ISN] Windows & .NET Magazine Security UPDATE--October 8, 2003

From: InfoSec News (isn@private)
Date: Wed Oct 08 2003 - 07:49:16 PDT

    ==== This Issue Sponsored By ====
    
    TNT Software
       http://list.winnetmag.com/cgi-bin3/DM/y/ec5S0CJgSH0CBw0BC120A4
    
    Shavlik HFNetChkPro Patch Management
       http://list.winnetmag.com/cgi-bin3/DM/y/ec5S0CJgSH0CBw076e0Ah
    
    ====================
    
    1. In Focus: The Dangers of Uncontrolled Software Use
    
    2. Announcements
         - New White Paper on Exchange 2003 Deployment
         - Check Out Our 2 New Web Seminars!
    
    3. Security News and Features
         - Recent Security Vulnerabilities
         - News: Microsoft Preps Major Security Strategy Shift
         - News: XP Security Rollup Package in Beta
         - News: Microsoft Faces Security Class-Action Suit
         - Feature: How to Build a Snort Server
    
    4. Security Toolkit
         - Virus Center
             - Virus Alert: Trj/Hatoy.A
         - FAQ: How do I prevent administrators from successfully using
           L0phtCrack?
         - Featured Thread: How to Stop Viruses from Spreading
    
    5. Event
         - The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!
    
    6. New and Improved
         - Control USB and FireWire Devices
         - Secure All Data
         - Tell Us About a Hot Product and Get a T-Shirt
    
    7. Contact Us
       See this section for a list of ways to contact us.
    
    ==== 1. In Focus: The Dangers of Uncontrolled Software Use ====
       by Mark Joseph Edwards, News Editor, mark@private
    
    Surely, most of you know about various peer-to-peer (P2P) software
    packages, such as KaZaA and the soon-to-be-revived Napster. Millions
    of people use P2P software to trade files, sometimes in violation of
    copyright laws.
    
    Businesses should be aware of such software and control its use on
    their networks. One reason for doing so is that P2P software can
    consume huge amounts of bandwidth. Another reason is that employees
    might use P2P software to break the law while using company resources.
    Yet another reason is that employees should be spending their time
    working and not trading files on company time.
    
    A new reason surfaced last week. I read an interesting post on a
    security mailing list regarding the P2P software and network called
    Earth Station 5 (ES5). The makers of ES5 claim to provide stealth
    activity and cloaking to protect users' privacy. They also claim to
    provide protection against viruses and other erroneous files, along
    with a variety of Web services.
       http://www.earthstation5.com
    
    What made the post interesting is that the product has a serious
    security hole that lets any ES5 user delete files on another user's
    computer. The person who discovered the hole is convinced that,
    given the nature of the problem he found, the creators must have
    intentionally built in the ability to delete files on users'
    computers as some sort of back door.
    
    That's a strong accusation to make, and although the product
    definitely has the security hole, I don't yet know whether the makers
    of ES5 actually put a back door in on purpose. Whether they did or
    didn't, the matter points out the seriousness of not controlling what
    types of traffic are allowed to traverse your network and what sort of
    software users can install on their machines, if any. In the case of
    ES5, a remote user could wipe out critical files on your systems,
    leading to all sorts of problems.
    
    Chances are that your company frowns on P2P use, but does it try to
    prevent it? You might recall that I mentioned a new hybrid technology,
    Passive Vulnerability Scanners (PVSs), last week. A PVS would be a
    great way to find out immediately whether someone had installed
    unwanted software (such as a P2P client) on your company's computers,
    as opposed to finding out later through some sort of periodic audit.
    But you don't necessarily have to use a PVS to detect the use of
    unwanted software in real time.
    
    If you have a flexible Intrusion Detection System (IDS) in place, you
    might be able to create IDS rules that can detect traffic from
    unwanted software the instant it moves traffic across your network. As
    you know, one very popular IDS tool, Snort, allows users plenty of
    flexibility to create custom rules. So you could develop a Snort rule
    that detects traffic from various types of software.
    
    Martin Roesch (creator of Snort) and Hugh Njemanze (founder of
    ArcSight) gave a Webcast last week that was sponsored by The SysAdmin,
    Audit, Network, Security (SANS) Institute. Roesch discussed "the use
    of passive network discovery, behavioral profiling and vulnerability
    analysis techniques" along with "intrusion detection, reducing false
    positives and negatives as well as opportunities for evasion."
    Njemanze discussed "how the context and robust correlation techniques
    of centralized security management take maximum advantage of the
    alarms and alerts produced not only by IDSs but also all the other
    security-relevant sources of information that are available."
    
    The Webcast is archived at SANS, so you can check it out after
    registering. You can find the synopsis and links to it at the SANS Web
    site. Be sure to check out the list of upcoming Webcasts too--at the
    second URL below.
       http://www.sans.org/webcasts/show.php?webcastid=90419
       http://www.sans.org/webcasts
    
    ====================
    
    ==== 2. Announcements ====
       (from Windows & .NET Magazine and its partners)
    
    New White Paper on Exchange 2003 Deployment
       In this timely white paper, Microsoft Exchange expert Kieran
    McCorry, from HP's Exchange consulting group, outlines the best
    options for organizations migrating to Exchange Server 2003. The paper
    outlines inter- and intra-organizational migration issues and the
    benefits of server consolidation during deployment. Get your copy
    today!
       http://list.winnetmag.com/cgi-bin3/DM/y/ec5S0CJgSH0CBw0BC130A5
    
    Check Out Our 2 New Web Seminars!
       "Plan, Migrate, Manage: Shifting Seamlessly from NT4 to Windows
    2003" will help you discover tips and tricks to maximize planning,
    administration, and performance. "The Secret Costs of Spam ... What
    You Don't Know Can Hurt You" will show you how to quantify costs and
    find antispam solutions. Register today!
       http://list.winnetmag.com/cgi-bin3/DM/y/ec5S0CJgSH0CBw02lB0Av
    
    ====================
    
    ==== 3. Security News and Features ====
    
    Recent Security Vulnerabilities
       If you subscribe to this newsletter, you also receive Security
    Alerts, which inform you about recently discovered security
    vulnerabilities. You can also find information about these discoveries
    at
       http://www.secadministrator.com/articles/index.cfm?departmentid=752
    
    News: Microsoft Preps Major Security Strategy Shift
       Under attack from various quarters because of the perceived lack of
    security in its products, Microsoft is close to announcing a strategy
    shift in its Trustworthy Computing initiative. According to executives
    from the software giant, Microsoft's short-term strategy will shift
    from patch management to what the company calls "securing the
    perimeter."
       http://secadministrator.com/articles/index.cfm?articleid=40423
    
    News: XP Security Rollup Package in Beta
       Microsoft hasn't officially made any announcements yet; however,
    according to Neowin.net, Microsoft has released a beta version of its
    forthcoming Security Rollup Package 1 (SRP1) for Windows XP.
       http://secadministrator.com/articles/index.cfm?articleid=40403
    
    News: Microsoft Faces Security Class-Action Suit
       A consumer in California filed a class-action lawsuit on behalf of
    potentially millions of additional plaintiffs against Microsoft this
    week, claiming that the software giant's dominant Windows platform is
    vulnerable to dangerous virus attacks that could trigger "massive" and
    "cascading" failures of the world's networks. Given Microsoft's
    unbelievable security problems this year and public admissions by the
    company's executives that the worst was yet to come, it's likely that
    this lawsuit and others like it were inevitable.
       http://secadministrator.com/articles/index.cfm?articleid=40437
    
    Feature: How to Build a Snort Server
       Intrusion Detection Systems (IDSs) are an important part of any
    network. One free, open-source tool for implementing an IDS on
    networks is Snort. (If you're unfamiliar with IDSs, see "Protect Your
    Network from Intrusion" at the first URL below and "Deploy Your
    Network IDS Effectively" at the second URL below.) To build a Snort
    server in a Windows 2000 environment, you need to install and secure
    Win2K Server, install Snort and its companion files, and test Snort's
    various modes. Read Morris Lewis's article (at the third URL below)
    for details.
       http://secadministrator.com/articles/index.cfm?articleid=24650
       http://secadministrator.com/articles/index.cfm?articleid=25013
       http://secadministrator.com/articles/index.cfm?articleid=26449
    
    ====================
    
    ==== 4. Security Toolkit ====
    
    Virus Center
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    Virus Alert: Trj/Hatoy.A
       Panda Software reports that a new Trojan horse, Hatoy.A, is
    spreading via Web browsers. Hatoy.A affects users of Microsoft
    Internet Explorer (IE) by exploiting a known vulnerability in the
    browser for which no patch is currently available. The Trojan horse
    manipulates users' systems to change DNS entries so that users are
    redirected to a site different from the one whose URL they entered.
    For more information about Hatoy.A, see Panda's report:
       http://www.pandasoftware.com/about/press/viewnews.aspx?noticia=4211
    
    FAQ: How do I prevent administrators from successfully using
    L0phtCrack?
       contributed by John Savill, http://www.windows2000faq.com
    
    A: In Windows 2000, thanks to automatic activation of the Syskey
    utility, @stake's L0phtCrack is useless against password hashes in the
    SAM or Active Directory (AD) unless the user has Administrator access.
    You can't stop administrators who use L0phtCrack from cracking
    passwords; you can only slow them down. To do so, begin by adding the
    NoLmHash registry value described in the Microsoft article "How to
    Prevent Windows from Storing a LAN Manager Hash of Your Password in
    Active Directory and Local SAM Databases" (at the URL below). However,
    keep in mind that even after you set the new registry key, an
    administrator can use L0phtCrack to crack passwords.
       Syskey encrypts password hashes stored on disk in the SAM or in AD
    on domain controllers (DCs). However, an administrator can use
    L0phtCrack to dump password hashes from OS memory because password
    hashes in memory aren't encrypted. When you enable NoLmHash, Win2K
    doesn't automatically delete the LAN Manager hash for users. To get
    rid of the hash, you must reset each user's password.
       Even after you reset passwords, however, administrators can use
    L0phtCrack because Win2K stores two hashes for each account: the old,
    weak LAN Manager hash and a stronger Windows NT hash. L0phtCrack can
    use either hash but takes longer to crack accounts when only the NT
    hash is present.
       http://support.microsoft.com/?kbid=299656
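
An added example (not from the newsletter or the Microsoft article): because enabling NoLmHash leaves existing LAN Manager hashes in place until each password is reset, an administrator can audit a hash export to see which accounts still need a reset. It assumes a pwdump-style `user:rid:lm:nt:::` export; the sample records and the function names are constructed for illustration.

```python
"""Audit a pwdump-style hash export for accounts that still carry an LM hash."""

# LM hash of an empty 7-character half. Two of them back to back mean that no
# LM hash is stored (an empty password produces the same value).
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed sample in the assumed user:rid:lm:nt::: layout. The hash values
# are made up for illustration and do not correspond to real passwords.
SAMPLE_DUMP = """\
alice:1001:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
bob:1002:fedcba9876543210aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5:::
dave:1004:NO PASSWORD*********************:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
this line is not an account record
"""


def classify_lm(lm_field):
    """Return 'none', 'short', 'full' or 'malformed' for one LM hash field."""
    lm = lm_field.strip().lower()
    # Some export tools print a placeholder instead of the empty-hash constant.
    if lm.startswith("no password") or lm == EMPTY_LM_HALF * 2:
        return "none"
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return "malformed"
    # LM hashes each 7-character half separately, so an empty second half
    # reveals that the password is 7 characters or fewer.
    if lm[16:] == EMPTY_LM_HALF:
        return "short"
    return "full"


def audit(dump_text):
    """Group account names by the state of their stored LM hash."""
    report = {"none": [], "short": [], "full": [], "malformed": []}
    for line in dump_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:  # not a user:rid:lm:nt record
            continue
        report[classify_lm(fields[2])].append(fields[0])
    return report


def needs_reset(dump_text):
    """Accounts whose LM hash is still stored and need a password reset."""
    report = audit(dump_text)
    return sorted(report["short"] + report["full"])


if __name__ == "__main__":
    for state, users in audit(SAMPLE_DUMP).items():
        print(f"{state:9} {', '.join(users) or '-'}")
    print("reset passwords for:", ", ".join(needs_reset(SAMPLE_DUMP)))
```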
    
    Featured Thread: How to Stop Viruses from Spreading
       (Five messages in this thread)
    A user writes that he's an administrator for 200 computers. He wants
    to know whether he should put a firewall on every workstation on his
    network to stop viruses from spreading or use some other approach.
    Lend a hand or read the responses:
       http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=63446
    
    ==== 5. Event ====
    
    The Mobile & Wireless Road Show Is Coming to Tampa and Atlanta!
       Learn more about the wireless and mobility solutions that are
    available today, plus discover how going wireless can offer low risk,
    proven performance, and compatibility with existing and emerging
    industry standards. Register now for this free, 12-city event!
       http://list.winnetmag.com/cgi-bin3/DM/y/ec5S0CJgSH0CBw0BA8Y0An
    
    ==== 6. New and Improved ====
       by Jason Bovberg, products@private
    
    Control USB and FireWire Devices
       SmartLine released DeviceLock 5.5, a security solution that lets
    you restrict access to USB and FireWire (IEEE 1394) devices on Windows
    2003/XP/2000/NT 4.0 machines. Standard Windows access-control
    solutions don't permit the assignment of permissions for USB and
    FireWire ports. DeviceLock gives you control over which users can
    access these ports and certain devices (e.g., floppy-disk drives,
    CD-ROM drives, tape devices) on a local computer. DeviceLock costs $35
    for a single-user license. A free, fully functional demonstration
    version is available for download from SmartLine's Web site. For more
    information about DeviceLock, contact SmartLine on the Web.
       http://www.devicelock.com
    
    Secure All Data
       Cypherix announced Cryptainer LE, 128-bit data-encryption software.
    Cryptainer LE stores all sensitive information in encrypted 5MB ghost
    drives that appear and disappear at your convenience. Only the user
    who owns a specific passkey can view, access, browse, or modify files
    inside a ghost drive. You can install and run programs inside this
    encrypted drive. Cryptainer LE runs on Windows XP/2000/Me/9x and
    conforms to international standards. It runs as a special Windows
    device driver operating on a 128-bit implementation of the Blowfish
    algorithm in Cipher Block Chaining (CBC) mode, with a block size of 64
    bytes. Cryptainer LE is a free, fully functional product that you can
    download from Cypherix's Web site. For more information about
    Cryptainer LE, contact Cypherix on the Web.
       http://www.cypherix.co.uk/cryptainerle/index.htm
    
    Tell Us About a Hot Product and Get a T-Shirt!
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Tell us about the product, and
    we'll send you a Windows & .NET Magazine T-shirt if we write about the
    product in a future Windows & .NET Magazine What's Hot column. Send
    your product suggestions with information about how the product has
    helped you to whatshot@private
    
    ===================
    
    ==== 7. Contact Us ====
    
    About the newsletter -- letters@private
    About technical questions -- http://www.winnetmag.com/forums
    About product news -- products@private
    About your subscription -- securityupdate@private
    About sponsoring Security UPDATE -- emedia_opps@private
    
    This email newsletter is brought to you by Security Administrator, the
    print newsletter with independent, impartial advice for IT
    administrators securing Windows and related technologies. Subscribe
    today.
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
    To make other changes to your email account such as change your email
    address, update your profile, and subscribe or unsubscribe to any of
    our email newsletters, simply log on to our Email Preference Center.
       http://www.winnetmag.com/email
    
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 08 2003 - 11:05:35 PDT