**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought
to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************
This week's issue sponsored by
Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/welcome/tax_stress041200.htm
How to Detect Denial of Service Attacks in Real-Time
http://www.win2000mag.com/jump.cfm?ID=25
(Below SECURITY ROUNDUP)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
April 12, 2000 - In this issue:
1. IN FOCUS
- Sting Operations in Effect
2. SECURITY RISKS
- RealPlayer Buffer Overflow Condition
- Cold Fusion Forums Exposed
- Bypass Excel Code Execution Warning Dialogs
3. ANNOUNCEMENTS
- Spruce Up Your Web Site with Windows 2000 Headlines
- Put Your Knowledge of Microsoft Products to the Test!
- Windows 2000 Magazine Presents: The Windows 2000 Experience
4. SECURITY ROUNDUP
- News: Shun the Frumious Bandersnatch
- News: Bullet Product Might Raise Privacy Concerns
- News: Managed Intrusion Detection Services
5. NEW AND IMPROVED
- Managed Antivirus Solution
- Free Open Source Security Tool
6. HOT RELEASES (ADVERTISEMENT)
- GFI's LANguard - Internet/Network Access Control
- Network-1 Security Solutions – Securing e-Business Networks
7. SECURITY TOOLKIT
- Book Highlight: SSL and TLS Essentials: Securing the Web
- Tip: Enable IPSec Logging
8. HOT THREADS
- Windows 2000 Magazine Online Forums
System Account Locked Out
- Win2KSecAdvice Mailing List
PCAnywhere Weak Password Encryption
- HowTo Mailing List
NTLMV2 on Win95 RAS Clients
Null Session Logon
~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
As the deadline for filing income taxes draws closer, you would have one
less worry if you had Trend Micro's reliable antivirus software on your
network servers. A world leader in antivirus and content security
technologies, Trend Micro's centrally web-managed Internet gateway, Notes
and Exchange email server, desktop machine and network server protection
forms a protective, content security VirusWall around your entire
enterprise network.
http://www.antivirus.com/welcome/tax_stress041200.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone
(Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com,
OR Tanya T. TateWik (Eastern and International Advertising Sales Manager)
at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. ========== IN FOCUS ==========
Hello everyone,
Have you considered building a honey pot on your network? A honey pot is a
device designed to catch intruders by fooling the intruder with false
presentation. Such devices can be very simple or incredibly complex,
depending on what you want them to do. In any case, honey pots are decoys
that emulate either part or all of a network.
Traditionally, such devices have been used to steer attackers into what
appears to be an easy target, when in most cases, it's an attacker's worst
nightmare. When the attacker takes the bait and begins banging away at the
honey pot, the honey pot records all actions so they can be analyzed to
learn how the attacker works. Additionally, a company can often use that
information as evidence to convict the attacker of any committed crimes. In
a nutshell, a honey pot acts like a sneaky virtual undercover cop.
I've heard faint grumblings recently regarding new sting operations on
the Internet that are designed to lure hotshot Web and e-commerce site
crackers into certain doom. The operations take honey pots one step
further. Now that you can emulate an entire network with software, why not
add full-blown e-commerce storefronts to further sweeten the pot? I think
that's a great idea and, if rumors are correct, that's exactly what's
happening en force. Sources tell me these new honey pots leave no stone
unturned when it comes to presentation. Names, addresses, credit card
information, prior purchasing records, personal preferences, and more are
included to give these sites the most authentic feel possible.
If your network doesn't have a honey pot, perhaps you should consider
building one. Such devices offer value as a way to gather evidence, as a
deterrent, and as an educational tool that can teach administrators how a
given site cracker works. You can build a simple honey pot using scripts,
compiled code, and tools such as the VMware emulator
(http://www.vmware.com), or you might want to use a commercially designed
product such as Network Associates' Sting (http://www.nai.com) or Recourse
Technologies' ManTrap (http://www.recourse.com).
On another note, last week, I mentioned application service providers
(ASPs) and their exposure to attack. I said that ASPs are sitting ducks,
which is true if the ASPs provide service via the Internet. But many of you
wrote to remind me that there is still such a thing as private circuits,
which lend tremendous value to an ASP-based solution. Thanks to everyone
that sent me thoughts and suggestions.
Private circuits are a fabulous idea when it comes to ASP connections.
With private circuits, the chances for an attack against your network are
dramatically reduced. Furthermore, network response times will be more
consistent because you probably don't have to share bandwidth with the rest
of the world as you do on the public Internet.
In addition to those advantages, private circuits restrict the types of
attacks that an intruder can launch. Flooding a network or sniffing packets
is difficult when you don't have a connection or path into that network.
Private circuitry means that an attacker must have inside help or take
extreme measures to cause even the slightest disruption to your network. A
construction crew is likely to be more burdensome than a potential cracker.
I can't tell you how many times such a crew has accidentally cut one of my
fiber cables while trying to push pipe or repair a sidewalk.
ASPs promise to make business operations simpler for all. And if you're
willing to buy into that solution now as an early adopter of such
technology, consider the peaceful feeling you could enjoy by knowing your
connection to an ASP is totally private. If you do the math and weigh the
real-world risks, I think you'll find that private circuits are clearly the
way to go. Until next time, have a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
* REALPLAYER BUFFER OVERFLOW CONDITION
Adam Munter discovered a buffer overflow condition in the Win32 version of
RealNetworks' RealPlayer basic client, versions 6 and 7. The overflow
occurs when a user enters more than 299 characters as a location from which
to retrieve media files. If RealPlayer is embedded into a Web page, the
overflow condition might also cause the browser to crash.
http://www.ntsecurity.net/go/load.asp?iD=/security/realplayer1.htm
* COLD FUSION FORUMS EXPOSED
Allaire's Cold Fusion contains a bug that lets users view and post to
secure conference threads via unsecured conferences and via email.
According to Allaire's report, the security problem in the code exists in
certain unscoped variables and the base-coding schema of forums. The
problem involves the variable rightAccessAllForums, which the forum code
doesn't handle properly. The bug lets a user post and view conferences that
they're not part of or lets users sign up for forums that haven't yet been
created.
http://www.ntsecurity.net/go/load.asp?iD=/security/coldfusion2.htm
* BYPASS EXCEL CODE EXECUTION WARNING DIALOGS
When an Excel user starts a macro that resides outside of the current
spreadsheet (e.g., in another spreadsheet), Excel by design generates a
warning dialog box. However, this dialog box is not generated if the macro
consists of Excel 4.0 Macro Language commands in an external text file.
3. ========== ANNOUNCEMENTS ==========
* SPRUCE UP YOUR WEB SITE WITH WINDOWS 2000 HEADLINES
Add instant depth to your Web site's content by posting Windows 2000
(Win2K) news headlines, industry commentary and analysis, and IT poll
results. Our headlines, updated daily, will keep your Web visitors current
on the latest happenings in the IT world by linking them to full news
articles and editorials at Windows 2000 Magazine online. Registration and
maintenance is easy--and free! To find out more, visit
http://www.win2000mag.net/affiliateprog/affiliateprog.html.
* PUT YOUR KNOWLEDGE OF MICROSOFT PRODUCTS TO THE TEST!
Play the Microsoft TechNet Puzzler and use your expertise to win a trip to
the Tech-Ed 2000 Conference in Orlando and a BMW Z3 Roadster!
http://www.microsoft.com/technet/puzzler/default.asp
* WINDOWS 2000 MAGAZINE PRESENTS: THE WINDOWS 2000 EXPERIENCE
Before making any decisions about Windows 2000 (Win2K), get all the
facts from a trusted source. The Windows 2000 Experience Web site
gives you the how-to knowledge, resources, and product information
you need to evaluate and deploy Win2K. Check out our news, in-depth
articles, forums, and product offerings--all focused squarely on Win2K.
http://www.windows2000experience.com
4. ========== SECURITY ROUNDUP ==========
* NEWS: SHUN THE FRUMIOUS BANDERSNATCH
Encryption uses nontraditional methods to communicate a meaning, just as
Lewis Carroll wrote in nontraditional lingo when composing the famous poem,
Jabberwocky. That's what the 6th Circuit Court of Appeals said Tuesday,
April 4, when it declared that encryption code is protected by the First
Amendment. The court decided that phrases such as Carroll's "shun the
frumious bandersnatch" are no different than a computer-encrypted message,
and thus, obscure forms of communication are protected under the First
Amendment.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=115&TB=news
* NEWS: BULLET PRODUCT MIGHT RAISE PRIVACY CONCERNS
Internet Security Systems (ISS) in Atlanta has developed a new product
(code-named Bullet) that lets companies scan a Web site visitor's PC for
Trojans and viruses. The tool is designed to prevent spread of such
nuisances to e-commerce sites. Company CEO Thomas Noonan said the use of
such technology might cause privacy invasion concerns.
http://www.cnn.com/2000/TECH/computing/04/06/scan.visitors.idg
* NEWS: MANAGED INTRUSION DETECTION SERVICES
Counterpane Internet Security and Internet Security Systems (ISS) have
begun offering managed intrusion detection services. Counterpane's
technology involves a black box based on Linux, which captures data and
transmits that data back to Counterpane for analysis. The ISS solution
involves the use of its SafeSuite platform, where the ISS supplies
personnel to a company's operation center.
http://www.nwfusion.com/news/2000/0403intrusion.html
~~~~ SPONSOR: HOW TO DETECT DENIAL OF SERVICE ATTACKS IN REAL-TIME ~~~~
Protect yourself against Denial of Service (DoS) attacks with NetProwler
and Intruder Alert by transparently monitoring traffic in real-time and
reacting instantly. Learn about DoS attacks with your FREE guide,
"Everything You Need to Know About Intrusion Detection," at:
http://www.win2000mag.com/jump.cfm?ID=25
AXENT is the leading provider of e-security solutions for your business,
delivering integrated products and expert services to 45 of the Fortune 50
companies.
5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)
* MANAGED ANTIVIRUS SOLUTION
SonicWALL and myCIO.com announced a strategic partnership to protect
customers against viruses. SonicWALL protects users against viruses by
embedding antivirus enforcement policies developed around myCIO.com's
VirusScan ASaP antivirus application service into the company's SonicWALL
line of Internet security appliances. This approach delivers a Web-based,
easy-to-use solution to protect e-business from prevalent network threats.
The antivirus software upgrade to the SonicWALL Internet security appliance
will be available in Q2, 2000, and runs on Windows 2000 (Win2K), Windows
NT, and Windows 9x. For more information, contact SonicWALL, 408-745-9600
or visit the company Web site, or you can contact myCIO.com at its company
Web site.
http://www.sonicwall.com
http://www.mycio.com
* FREE OPEN SOURCE SECURITY TOOL
Reliable Software Technologies (RST) announced ITS4, a free, open-source
software tool that identifies more than 130 of the most common security
problems during the software development and auditing process. ITS4
codifies security expertise into rules used to identify potential security
problems in source code. ITS4 statically scans C and C++ source code for
potential security vulnerabilities. The product is a command-line tool that
works across UNIX environments and will also run on Windows if you have
CygWin installed. The CygWin tools function by using the CygWin library,
which provides a UNIX-like API on top of the Win32 API. For more
information, contact Reliable Software Technologies at 703-404-5757 or go
to its Web site.
http://www.rstcorp.com
6. ========== HOT RELEASES (ADVERTISEMENT) ==========
* GFI'S LANGUARD - INTERNET/NETWORK ACCESS CONTROL
Concerned about unproductive Internet use at work? GFI’s LANguard monitors
all Internet traffic to prevent this. LANguard lets you specify which sites
& what type of content are allowed. For your free 5-user version, visit:
http://www.gfi.com/securitylan.shtml!
* NETWORK-1 SECURITY SOLUTIONS – SECURING E-BUSINESS NETWORKS
Getting nervous about denial of service attacks? CyberwallPLUS-SV is the
first embedded firewall for NT servers. It secures servers with network
access controls and intrusion prevention. Visit
http://www.network-1.com/products/svintro.htm for a free evaluation kit and
white paper.
7. ========== SECURITY TOOLKIT ==========
* BOOK HIGHLIGHT: SSL AND TLS ESSENTIALS: SECURING THE WEB
By Stephen Thomas
Online Price $27.95
Softcover; 197 Pages
Published By John Wiley & Sons, March 2000
ISBN 0471383546
This book provides an inside look at secure Web transactions with Secure
Socket Layer (SSL) encryption and the much-anticipated Transport Layer
Security (TLS). E-businesses have long used SSL, a public key cryptography
method, to encrypt sensitive information, verify a user's identity before
allowing access, and discourage spoofing. However, because SSL is a closed
protocol, Web programmers had no resources for adding advanced security
measures--until now. Written by the author of "IPng and the TCP/IP
Protocols" (Wiley), "SSL and TLS Essentials" contains the complete
documentation of SSL, plus coverage of TLS and Microsoft's Server Gated
Cryptography (SGC). The book also provides a concise tutorial in
cryptography using eight real-world scenarios that illustrate protocol
operations and details of SSL messaging.
For Windows 2000 Magazine Security UPDATE readers only--Receive an
additional 10 percent off the online price by typing WIN2000MAG in the
discount field on the Shopping Basket Checkout page. To order this book, go
to:
http://www.fatbrain.com/shop/info/0471383546?from=win2000mag
Or visit the Windows 2000 Magazine Network Bookstore at:
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772
TIP: ENABLE IPSEC LOGGING
(contributed by http://www.ntfaq.com)
A reader asks whether it's possible to enable logging for IPSec. The answer
is yes. To enable IPSec logging, perform the following Registry change, but
be careful. Incorrect Registry edits can lead to a non-bootable system.
Start the Registry Editor (regedit.exe) and move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent.
From the Edit menu, select New, then Key, and then define the key name as
"Oakley" without the quotes. Next, select the newly created Oakley key and
then select New, DWORD Value from the Edit menu. Enter the DWORD name as
"EnableLogging" without the quotes and set its value to 1. After you've
completed the definitions, restart the PolicyAgent service so that the
changes take affect. Keep in mind that the logs will be written to the
%systemroot%\debug\oakley.log file.
8. ========== HOT THREADS ==========
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.com/support).
April 04, 2000, 09:11 A.M.
System Account Locked Out
I have just implemented password policies on one of our domains and am
getting a message in the Event Log saying that the user account is locked
out for account ID SYSTEM. All seems to be working okay but I'm not sure
what this means. Can anyone tell me what this message means? Will
"something" not be working? Thanks in advance.
Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=97839.
* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week:
PCAnywhere Weak Password Encryption
When users log on, they are prompted for an NT username and password. The
username and password are then encrypted through the PCAnywhere method and
decrypted by the host computer for validation by the NT domain controller.
Someone snooping on the traffic between the two stations can unlock both
the PCAnywhere and NT account.
http://www.ntsecurity.net/go/w.asp?A2=IND0004B&L=WIN2KSECADVICE&P=184
Follow this link to read all threads for April, Week 2:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec
* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week:
1. NTLMV2 on Win95 RAS Clients
I am trying to implement NTLMV2 authentication for WIN95 RAS clients. I
have followed KB article Q239869 and installed the dsclient.exe, verified
it's installed as outlined, and performed the Registry hack to level 3
(send NTLM2 responses only). However an SMB capture reveals that only the
LM hash is being used, the NTLM hash is zero filled. The DCs are SP6a. What
am I missing?
http://www.ntsecurity.net/go/L.asp?A2=IND0004A&L=HOWTO&P=2274
2. Null Session Logon
The book I have on NT security briefly mentions that the threat with the
Null Credentials logon is that it allows a Null session connection over the
Named Pipe Share(IPC$) and this can allow a potential intruder to obtain a
listing of user account names, account policy settings.
http://www.ntsecurity.net/go/L.asp?A2=IND0004A&L=HOWTO&P=1621
Follow this link to read all threads for April, Week 2:
http://www.ntsecurity.net/go/l.asp?s=howto
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved – Judy Drennen (products@win2000mag.com)
Copy Editor – Judy Drennen (jdrennen@win2000mag.com)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics
of your choice. Subscribe to these other FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up99inxsup.
Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE
SUBSCRIBE/UNSUBSCRIBE/CHANGE ADDRESS
Thank you for reading Windows 2000 Magazine Security UPDATE.
You are currently subscribed to securityupdate as: packet@PACKETSTORM.SECURIFY.COM
To subscribe, go to the UPDATE home page at
http://www.win2000mag.com/update
or send a blank email to join-securityupdate@list.win2000mag.net.
To remove yourself from the list, send a blank email to
leave-securityupdate-120275L@list.win2000mag.net.
To change your email address, send a message with the sentence
set securityupdate email="new email address"
as the message text to securityupdate@list.win2000mag.net. Replace the words "new email address" with your new email address (include the quotes).
If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com. We will address your questions or problems as quickly as we can, but please allow 2 issues for resolution.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
Copyright 2000, Windows 2000 Magazine