Information Security News
mailing list archives
Security UPDATE, October 24, 2001
From: InfoSec News <isn () c4i org>
Date: Thu, 25 Oct 2001 03:40:04 -0500 (CDT)
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
~~~~ THIS ISSUE SPONSORED BY ~~~~
Aelita Secures Windows 2000 & Active Directory
~~~~ SPONSOR: AELITA SECURES WINDOWS 2000 & ACTIVE DIRECTORY ~~~~
Aelita EventAdmin closes the gap in security management. Combining
sophisticated data collection with powerful analysis, reporting and
archiving technologies, EventAdmin delivers a new level of security and
visibility into your Windows NT- and Windows 2000-centric environments
that include Microsoft .NET Enterprise Servers, Novell NDS and UNIX
systems. Focusing on current and historical data, EventAdmin extends
real-time monitoring tools and allows IT professionals to track and
analyze user activity patterns, implement and enforce enterprise audit
and security policies, increase network visibility, investigate
problems and prevent disasters. Get your FREE evaluation copy today!
October 24, 2001--In this issue:
1. IN FOCUS
- Information Anarchy: The Blame Game?
2. SECURITY RISKS
- Denial of Service in Windows Terminal Services
- Arbitrary File Disclosure Vulnerability in Novell GroupWise
- Denial of Service in Citrix Metaframe
3. ANNOUNCEMENTS
- What's the Right Way to Tackle Home Networking?
- Are You Getting Everything You Need from WebSphere?
4. INSTANT POLL
- Results of Previous Poll: Drop Microsoft IIS?
- Instant Poll: Full Disclosure
5. SECURITY ROUNDUP
- News: Microsoft Introduces Security Bulletin Severity Rating
- News: Hacker Breaks DRM; Microsoft Considers Legal Action
- Buyer's Guide: Job Scheduling Software
6. HOT RELEASE (ADVERTISEMENT)
- VeriSign - The Internet Trust Company
7. SECURITY TOOLKIT
- Book Highlight: Hacking Exposed: Network Security Secrets and
- Virus Center
- FAQ: Why Do I Receive an Error Message in Win2K That Says My
Password Must Be at Least 18,770 Characters?
8. NEW AND IMPROVED
- Protect Data from Attacks
- Replace Passwords with Biometric Technology
9. HOT THREADS
- Windows 2000 Magazine Online Forums
- Featured Thread: Win2K Server and Me Policies
- HowTo Mailing List
- Featured Thread: Permissions Affected After NTFS File Conversion
10. CONTACT US
See this section for a list of ways to contact us.
1. ==== COMMENTARY ====
Full disclosure of security risk information is still under fire--this
time driven by the recent outbreak of malicious worms such as Code Red
and Nimda. Last week, Microsoft published an essay (URL below) written
by Scott Culp, manager of the Microsoft Security Response Center. In
the essay, Culp refers to full disclosure as "information anarchy" and
says that Microsoft is working with other industry leaders to form a
consensus protesting such information release. The company will ask its
customers to support the adoption of the resulting consensus.
The central concern with full disclosure is that people often take
vulnerability demonstration code--sometimes released in fully
functional form--and use the code to create a weapon against
unsuspecting users. "But regardless of whether the [security
vulnerability] remediation takes the form of a patch or a workaround,"
Culp wrote, "an administrator doesn't need to know how a vulnerability
works in order to understand how to protect against it, any more than a
person needs to know how to cause a headache in order to take an
aspirin." Although he's right to a certain extent, we need to consider
a larger perspective.
Worms such as Code Red and Nimda definitely played upon well-known bugs
for which patches had long since been available. Those worms showed us
how many administrators don't consider security to be a priority in
operating their systems. Granted, the worm writers seem malicious in
releasing such nuisances, but is there a silver lining to those dark
clouds? I think so. As a result of regularly demonstrated
administrative complacency, Microsoft has adopted significant new
policies and practices. The company has expanded its customer support
efforts and is committed to providing even more robust security in its
products and more robust tools to help automate and manage security.
For example, because of these worms, Microsoft is now giving in a bit
to the habits and needs of its customers instead of the somewhat
idealistic visions of its software architects. So who benefits in the
overall scenario? Everyone does. Culp wrote, "Customers who are
considering hiring security consultants can ask them what their
policies are regarding information anarchy, and make an informed buying
decision based on the answer. And security professionals only need to
exercise some self-restraint."
In reality, Microsoft doesn't benefit by condemning the sharing of
detailed vulnerability information. Instead, the company should be
scolding the misguided focus and relative complacency of its customers'
administrative efforts. It seems that Microsoft is doing that now
indirectly with its new Strategic Technology Protection Program (STPP-
URL below). The effects should benefit information security in general,
but getting a new program fully operational takes time. Perhaps any new
consensus is going a bit too far too soon. In any event, a new
consensus will benefit Microsoft by buying the company some time to get
STPP into full swing. So again, who benefits from any new consensus in
the long run? As Culp pointed out, "Even in the best of conditions, it
will still be possible to write worms." So a new consensus won't
eliminate the core problems of administrative latency and faulty code.
The full-disclosure problem comes down to timing on three fronts:
Researchers publish explicit details in many cases without enough
consideration for the time required for companies to develop a patch
and coax customers into loading the patch; users wait too long to apply
patches, if they apply them at all; and Microsoft product cycles are
probably still far too quick to market for effective code development.
What do you think about full disclosure? Is it a detriment or a benefit
to the user community, or does it seem to balance out fairly equally in
the bigger picture? Stop by our home page and take the Instant Poll.
We're eager to learn your perspective. And if you want to express
detailed comments regarding any new consensus, you can post them in
response to this editorial--you'll find a copy posted on our home page.
Until next time, have a great week.
Mark Joseph Edwards, News Editor, mark () ntsecurity net
2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken () win2000mag com)
* DENIAL OF SERVICE IN WINDOWS TERMINAL SERVICES
Luciano Martins of Deloitte & Touche Argentina reported that a
vulnerability exists in the RDP service of Microsoft Windows 2000 and
Windows NT 4.0 that can result in a Denial of Service (DoS) attack. The
attack can occur because the service doesn't properly handle a
particular series of data packets. To cause the service to fail, an
attacker doesn't have to connect to the service but need only send this
series of data packets to the port on which RDP is listening.
Microsoft released Security Bulletin MS01-052 to address this
vulnerability. Win2K Datacenter patches are hardware-specific and will
be available from the OEM when they're ready. Microsoft rates the
severity of this vulnerability as low risk to Internet systems,
moderate risk to intranet systems, and no risk to client systems.
Microsoft has temporarily pulled the related patch offline due to
numerous reports that the patch breaks system functionality in many
cases. The company intends to make the patch available again shortly.
* ARBITRARY FILE DISCLOSURE VULNERABILITY IN NOVELL GROUPWISE
Mike Shema of Foundstone reported that a vulnerability exists in
Novell's GroupWise Server 6.0 and 5.5 for Windows 2000 that can let an
attacker view files located anywhere on the server. The servlet
"webacc" located in /servlet/ typically accesses templates located in
webroot. However, if an attacker knows the filename and location and
appends a null character to the filename, the servlet also permits full
directory-path traversal. Novell recommends that users obtain a fix
available through regular support channels.
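The two checks that a template-serving component needs in order to close the class of problem described above, an embedded null character plus directory traversal, shown as an added example in Python. This is not Novell's webacc code; the WEBROOT location, the ALLOWED_SUFFIXES list and the sample request names are constructed assumptions for the demonstration.

```python
"""Hardened template-path resolver (added example, not GroupWise code).

A null byte is dangerous because C-style string APIs stop at the first
NUL: a name such as "secret.ini\x00.htm" passes an extension check on
".htm" but the filesystem opens "secret.ini". The resolver therefore
rejects NUL bytes before anything else, then confines the canonical
path to the webroot, and only then checks the extension.
"""
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/webroot"            # assumed location (constructed)
ALLOWED_SUFFIXES = (".htm", ".html")     # assumed template extensions


class TemplatePathError(ValueError):
    """Raised when a requested template name is rejected."""


def resolve_template(name, webroot=WEBROOT):
    """Map a request-supplied template name to an absolute path under webroot.

    Raises TemplatePathError with a short reason for any rejected name.
    """
    # Decode exactly once; "%00" in the request becomes a real NUL here,
    # so the NUL check below sees what the filesystem layer would see.
    decoded = unquote(name)

    # 1. Reject embedded null bytes outright.
    if "\x00" in decoded:
        raise TemplatePathError("NUL byte in template name")

    # 2. Reject absolute paths and backslash separators.
    if decoded.startswith("/") or "\\" in decoded:
        raise TemplatePathError("absolute path or backslash")

    # 3. Canonicalise lexically and confine to the webroot.
    root = posixpath.normpath(webroot)
    full = posixpath.normpath(posixpath.join(root, decoded))
    if full != root and not full.startswith(root + "/"):
        raise TemplatePathError("path escapes webroot")

    # 4. Enforce the allowed template extension on the decoded name.
    if not full.endswith(ALLOWED_SUFFIXES):
        raise TemplatePathError("disallowed extension")

    return full


def classify_requests(names, webroot=WEBROOT):
    """Resolve each name; map it to its path or to 'REJECTED: <reason>'.

    Useful for a unit test or for logging which requests were refused.
    """
    result = {}
    for n in names:
        try:
            result[n] = resolve_template(n, webroot)
        except TemplatePathError as exc:
            result[n] = f"REJECTED: {exc}"
    return result


# Constructed sample request names covering the benign and hostile cases.
SAMPLE_REQUESTS = [
    "login.htm",
    "forms/compose.html",
    "ok/../login.htm",                   # stays inside webroot after normpath
    "../../conf/server.ini",             # plain traversal
    "../../conf/server.ini%00.htm",      # traversal plus NUL-byte suffix trick
    "/conf/server.ini",                  # absolute path
]

if __name__ == "__main__":
    for req, outcome in classify_requests(SAMPLE_REQUESTS).items():
        print(f"{req!r:40} -> {outcome}")
```

The lexical confinement step does not follow symlinks; on a real server, run the same prefix check again on os.path.realpath() of the resolved file before opening it, so a link inside the webroot cannot point outside it.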
* DENIAL OF SERVICE IN CITRIX METAFRAME
Justine Bone, Glyn Geoghegan, and Paul Davies, of Internet Security
Systems, discovered that a vulnerability exists in the Citrix MetaFrame
server application that lets an attacker crash the server, resulting in
a Denial of Service (DoS). An improper handling of multiple sessions on
the Citrix server causes this DoS condition. By spoofing the protocol
that runs between the MetaFrame client and server, an attacker can
start multiple fake sessions with the affected server. Citrix
recommends that users install the appropriate hotfixes that the vendor
will make available soon.
3. ==== ANNOUNCEMENTS ====
* WHAT'S THE RIGHT WAY TO TACKLE HOME NETWORKING?
It starts with a subscription to Connected Home Magazine! Each issue
(starting with our premiere issue in February 2002), will bring you the
latest how-to advice to help you connect a home network, select home
automation equipment, and much more! Our experts have seen it all, and
are sharing what they know. Subscribe today!
* ARE YOU GETTING EVERYTHING YOU NEED FROM WEBSPHERE?
Check out WebSphere Professional magazine, for developers and system
administrators WebSphereWire e-newsletter, with news and analysis;
WebSpherePro System Admin Tips e-newsletter, with tips and techniques;
and WebSpherePro Developer Tips e-newsletter, with technical tips. The
e-newsletters are FREE--and so is the premiere issue of WebSphere
Professional. Get them at the following URL.
4. ==== INSTANT POLL ====
* RESULTS OF PREVIOUS POLL: DROP MICROSOFT IIS?
The voting has closed in Windows 2000 Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Does your company plan to do one of the following? a) Move to a yet-
to-be-determined platform, b) Move to Apache, c) Move to iPlanet, d)
Consider the recommendation, or e) Not change--you need Microsoft
technology?" Here are the results (+/-2 percent) from the 601 votes:
6% Move to a yet-to-be-determined platform
26% Move to Apache
2% Move to iPlanet
12% Consider the recommendation
53% Not change--you need Microsoft technology
* INSTANT POLL: FULL DISCLOSURE
Microsoft is working with other industry leaders to form a consensus
protesting information release or "full disclosure." The company will
ask its customers to support the adoption of the resulting consensus.
The current Instant Poll question is, "What do you think about full
disclosure?" a) It's an overall detriment to the user community as a
whole, b) It's a benefit, or c) It seems to balance out fairly equally
in the bigger picture? Go to the Security Administrator Channel home
page and submit your vote.
5. ==== SECURITY ROUNDUP ====
* NEWS: MICROSOFT INTRODUCES SECURITY BULLETIN SEVERITY RATING SYSTEM
Microsoft has instituted a severity rating system that it will apply
to new security bulletins and related patches. The company designed the
new system to help customers decide which patches they should apply for
their network environments.
The new rating system is a matrix of three severity levels in
conjunction with three system environments. The severity levels are
Critical, Moderate, and Low, and the environments are Internet Servers,
Internal Servers, and Client Systems.
* NEWS: HACKER BREAKS DRM; MICROSOFT CONSIDERS LEGAL ACTION
Microsoft might seek legal action against a hacker who at least
partially compromised the company's Digital Rights Management (DRM)
software, which helps prevent consumers from pirating music. In a self-
described "act of civil disobedience," an anonymous hacker published
the hack, dubbed FreeMe, on the Internet this week. Breaking DRM
software is illegal under the Digital Millennium Copyright Act (DMCA),
a statute implemented in 1998. The Electronic Frontier Foundation
(EFF), however, is challenging DMCA's legality in a New York court.
* BUYER'S GUIDE: JOB SCHEDULING SOFTWARE
The growing number of job-scheduling packages that work in Windows
2000 and Windows NT environments signals the maturation of Windows in
the enterprise and of Windows users themselves. With the variety of
feature sets and price ranges in our job scheduling Buyer's Guide,
you're sure to find something to meet your needs.
6. ==== HOT RELEASE (ADVERTISEMENT) ====
* VERISIGN - THE INTERNET TRUST COMPANY
Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business," and learn
about using SSL to encrypt e-commerce transactions. Get it now!
7. ==== SECURITY TOOLKIT ====
* BOOK HIGHLIGHT: HACKING EXPOSED: NETWORK SECURITY SECRETS AND
By Stuart McClure, George Kurtz, Joel Scambray
List Price: $49.99
Fatbrain Online Price: $34.99
Hardcover; 729 pages
Published by McGraw-Hill Professional Book Group, September 2001
For more information or to purchase this book, go to
and enter WIN2000MAG as the discount code when you order the book.
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
* FAQ: WHY DO I RECEIVE AN ERROR MESSAGE IN WIN2K THAT SAYS MY PASSWORD
MUST BE AT LEAST 18,770 CHARACTERS?
(contributed by John Savill, http://www.windows2000faq.com)
A. This error occurs when you're running Windows 2000 Service Pack 1
(SP1) and you connect to an MIT realm and select Change Password from
the Security dialog box (Ctrl+Alt+Del). (An MIT realm is a Kerberos
realm used for authentication in the same way that Win2K uses Kerberos
5 for authentication.) The full error you'll receive is "Your password
must be at least 18,770 characters and cannot repeat any of your
previous 30,689 passwords. Please type a different password. Type a
password that meets these requirements in both text boxes."
To correct this problem, contact Microsoft Product Support Services
(PSS) and request an updated msgina.dll file (version 5.0.2195.3351 or
8. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, products () win2000mag com)
* PROTECT DATA FROM ATTACKS
Gianus Technologies released Phantom Total Security, software that
protects laptop or PC data by making the data invisible to intruders,
unauthorized users, and viruses. The software splits the hard disk into
two parts, and when you click an icon, the software makes one of the
parts invisible. You can drag files and documents between the two parts
of the hard disk. Phantom Total Security runs on Windows 2000, Windows
NT, Windows Me, and Windows 9x systems. For pricing, contact Gianus
Technologies at 212-838-7070.
* REPLACE PASSWORDS WITH BIOMETRIC TECHNOLOGY
BioconX released BioconX 3.5, security software that applies
biometrics to replace passwords. The software strengthens access
control by centralizing all users' biometric templates and system
authorization profiles. The software authenticates the users' identity
by comparing their fingerprint or the iris of their eye against all
stored templates. The software then lets users access all servers and
applications for which they have authorization. For pricing, contact
BioconX at 952-835-5321.
9. ==== HOT THREADS ====
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
Featured Thread: Win2K Server and Me Policies
(One message in this thread)
Martin used policy editor to secure Windows 98 and Windows 95 desktops
when either networked with NT Server or used as standalones. When he
comes across a desktop with Windows Me, he can't secure it in either
environment or in policy editor for Windows Me. Can you help? Read more
about the questions and responses or lend a hand at the following URL:
* HOWTO MAILING LIST
Featured Thread: Permissions Affected After NTFS File Conversion
(Ten messages in this thread)
This user is having problems after converting Windows NT systems from
FAT disk partitions to NTFS partitions. After the conversion, users are
experiencing problems where they are prompted to log on when they access
certain shortcuts or Start Menu items. The logon prompting relates to
the \\MachineName\C$ administrative share. Can you help? Read the responses
or lend a hand at the following URL:
10. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- mark () ntsecurity net
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- products () win2000mag com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com
* WANT TO SPONSOR SECURITY UPDATE? -- emedia_opps () win2000mag com
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.
To subscribe, send a blank email to mailto:Security_UPDATE_Sub () lists win2000mag net
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.