Information Security News
mailing list archives
Security UPDATE, September 5, 2001
From: InfoSec News <isn () c4i org>
Date: Thu, 6 Sep 2001 01:09:36 -0500 (CDT)
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
~~~~ SPONSOR: ...15 MIN. LATER HE WAS IN THE PRINCIPAL'S OFFICE! ~~~~
A high school network administrator installed Event Log
Monitor on classroom servers to evaluate system performance. The
next day, ELM alerted him that a student was trying to break
into the system. Within 15 minutes, the would-be hacker was in
the Principal's office waiting for his parents to arrive. Use
Event Log Monitor to keep tabs on your security perimeter.
Because these aren't the only computers teenagers like to hack.
For more information, visit
September 5, 2001--In this issue:
1. IN FOCUS
- Parasitic Computing
2. SECURITY RISK
- Multiple Vulnerabilities in Mozilla Bugzilla
3. ANNOUNCEMENTS
- New!! Get on the Fast Track with T-SQL Solutions!
- Sound Off About Your Technical Training Needs!
4. SECURITY ROUNDUP
- News: Grand Jury Indicts Russian Company and Programmer
- News: New Worm Masquerades as Email from Microsoft Technical Support
- News: Microsoft Confirms Tagging Beta XP CDs
- News: Microsoft Releases IE 6 to Web
- News: Microsoft Releases New IIS Lockdown Tool
- Feature: Create Home Directories and Set NTFS Permissions with a
- Review: bv-Control for Internet Security 3.0
5. HOT RELEASE (ADVERTISEMENT)
- Sponsored by Verisign - The Internet Trust Company
6. SECURITY TOOLKIT
- Book Highlight: Malicious Mobile Code: Virus Protection for Windows
- Virus Center
- Virus Alert: X97M/Laroux.DO
- Tip: Resetting Lost Passwords
7. NEW AND IMPROVED
- Extend Policy-Based Security to Remote Users
- Fix Security Vulnerabilities and Stability Problems
8. HOT THREAD
- Windows 2000 Magazine Online Forums
- Featured Thread: Restricted Desktops
9. CONTACT US
See this section for a list of ways to contact us.
1. ==== COMMENTARY ====
Is there an end to the ways in which attackers can exploit a networked
computer system? Probably not. I read an interesting story in the
current issue of "Nature" magazine (see URL below) entitled "Parasitic
Computing" that reveals yet another way intruders can attack networked
systems. The article, written by three men from the University of Notre
Dame, discusses a method of exploiting nuances of the TCP/IP protocol
family to cause systems to unwittingly participate in a distributed
computing effort (e.g., solving mathematical problems). Exploits of this
type are possible by relying on the TCP checksum status of packets as
mathematical indicators for a given formula.
In summary, attackers construct packets that contain a candidate answer
for a given math problem, then send the packets to remote systems that
test the potential answer during normal packet checksum analysis.
Because the attackers specifically construct the packets in a particular
manner, when a target system receives that packet, the packet's checksum
should succeed only when it contains the correct response to the
mathematical problem. In this way, a system made to perform such
computations responds back to the rogue client only when it actually has
a correct answer to the problem.
As an example, the story points out that the HTTP protocol is required
to respond to all requests received. But in the case of this type of
parasitic computing, the HTTP service won't understand a valid packet's
message, so it will simply respond to the client that it didn't
understand the request. The client can then interpret that response as
an acknowledgement that the packet contained the answer to the
mathematical problem. And it's unlikely that the HTTP service would log
anything because the attacker didn't make a valid request, and the
system never established a valid session.
Interesting, don't you think? But don't worry about stolen CPU cycles
too much just yet. The proof-of-concept the story presents--by the
authors' own admission--isn't efficient enough to be useful for a
practical exploit. Nevertheless, the authors point out that any
impracticality is a function of the limitations in their proof-of-
concept and not necessarily reflective of limitations of the overall
concept of parasitic computing. It's entirely possible to develop a
program that more efficiently exploits checksum analysis, and guarding
against that type of unauthorized CPU usage is difficult. Read the story
and let me know what you think.
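The receiver-side checksum test this commentary relies on, together with one defensive heuristic built on it, is shown below as an added example (it is not code from the Nature article or from this newsletter). Because candidate packets validate only when they carry a correct answer, a source running such a search produces mostly checksum failures; the addresses, sample segments, and thresholds are constructed assumptions.

```python
import socket
import struct
from collections import Counter

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # TCP checksums also cover source/destination address, protocol 6 and length.
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # Receiver-side test: summing everything, checksum field included, must give 0.
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def build_segment(src: str, dst: str, payload: bytes, valid: bool = True) -> bytes:
    """Constructed sample segment (ports, seq and flags are arbitrary test values)."""
    hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x18, 8192, 0, 0)
    csum = internet_checksum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    if not valid:
        csum ^= 0x0001  # checksum field no longer matches the data
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def flag_sources(observed, min_segments=5, max_bad_ratio=0.5):
    """Return sources whose share of checksum failures exceeds max_bad_ratio."""
    seen, bad = Counter(), Counter()
    for src, dst, segment in observed:
        seen[src] += 1
        bad[src] += not checksum_ok(src, dst, segment)
    return sorted(s for s in seen if seen[s] >= min_segments and bad[s] / seen[s] > max_bad_ratio)

SERVER = "203.0.113.5"  # constructed documentation addresses throughout
SAMPLE = [("192.0.2.20", SERVER, build_segment("192.0.2.20", SERVER, b"GET / HTTP/1.0\r\n\r\n"))
          for _ in range(6)]
SAMPLE += [("198.51.100.7", SERVER, build_segment("198.51.100.7", SERVER, bytes([i]) * 8, valid=(i == 3)))
           for i in range(8)]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```

Segments that fail this test are discarded by the TCP stack before any service sees them, so the check has to run on captured traffic or on the host's own checksum-error counters, not on application logs.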
On another note, in the August 15 Security UPDATE, I reported that
Microsoft had released its new Post-Service Pack 6a (SP6a) Security
Rollup Package (SRP). Since that time, I've received numerous email
messages about a serious problem with the SRP. In some cases, when you
uninstall the SRP, the system no longer boots properly. This problem
occurs on systems that have SYSKEY installed to protect the SAM
database. The NTBugTraq mailing list recently posted a workaround for
this problem. A list member reports that to successfully uninstall the
SRP, you must first edit the associated uninst.inf file (located in the
\%SYSTEMROOT%\$NtUninstallQ299444$ directory) to remove the entries for
the lsasrv.dll and samsrv.dll files, which are located in the section
labeled [systemroot\system32.restore.nodely.files]. After you remove the
entries, you can safely uninstall the SRP without causing the system to
hang during its boot phase.
Before I sign off this week, I want to ask if you've seen our monthly
Security Administrator print newsletter? If you haven't, you're missing
some really good content! In the current issue (September 2001), you'll
find articles about manipulating services with scripts; securing Windows
2000 certificate services; removing C-2 compliant settings; securing
private key storage, remote procedure call (RPC), and firewall
configuration; properly applying security settings in Group Policy
Objects (GPOs); tips on using IP Security (IPSec); and much more. Stop
by our home page (see the URL below), and sign up for a free sample
issue. It's a great resource! Until next time, have a great week.
Mark Joseph Edwards, News Editor, mark () ntsecurity net
2. ==== SECURITY RISK ====
(contributed by Ken Pfeil, ken () win2000mag com)
* MULTIPLE VULNERABILITIES IN MOZILLA BUGZILLA
Multiple vulnerabilities exist in the Bugzilla Web-based bug-tracking
system available from Mozilla.org, some of which include unauthorized
access to confidential information and passwords being stored in plain
text. Mozilla.org has released version 2.14, which fixes the
3. ==== ANNOUNCEMENTS ====
* NEW!! GET ON THE FAST TRACK WITH T-SQL SOLUTIONS!
T-SQL Solutions, a monthly print newsletter from SQL Server Magazine,
provides practical advice and multilevel code examples geared to SQL
Server developers and administrators. T-SQL Solutions features exclusive
content, how-to articles, tips, tricks, and programming techniques
offered by SQL Server experts. Reserve your FREE sample issue today.
* SOUND OFF ABOUT YOUR TECHNICAL TRAINING NEEDS!
Windows 2000 Magazine is conducting a short survey designed to
measure your technical training experiences and requirements. Don't miss
this opportunity to weigh in with your peers. Tell us what you think
4. ==== SECURITY ROUNDUP ====
* NEWS: GRAND JURY INDICTS RUSSIAN COMPANY AND PROGRAMMER
On August 27, a US grand jury handed down a five-count indictment
that charges Russian company Elcomsoft and one of its programmers,
Dmitry Sklyarov, with trafficking and conspiracy to traffic devices that
circumvent copyright protections. Go to the following URL to learn more.
* NEWS: NEW WORM MASQUERADES AS EMAIL FROM MICROSOFT TECHNICAL SUPPORT
Antivirus software-maker Central Command issued a warning on August
30 about a newly discovered worm that masquerades as an email from
Microsoft Technical Support. See the URL below for more details.
* NEWS: MICROSOFT CONFIRMS TAGGING BETA XP CDS
In a message to security expert Steve Gibson, Microsoft admitted on
August 28 that it had secretly tagged the Windows XP downloads for
technical beta testers to catch the software pirates who had been giving
out builds of the product for the past year.
* NEWS: MICROSOFT RELEASES IE 6 TO WEB
Microsoft has released a version of Internet Explorer (IE) that users
can download free from the Web. IE 6 arrives with a little controversy--
the browser lacks support for the older Netscape-compatible plug-ins.
* NEWS: MICROSOFT RELEASES NEW IIS LOCKDOWN TOOL
Microsoft released a new security tool called IIS Lockdown that lets
users quickly secure a Microsoft Internet Information Services (IIS) 5.0
or Internet Information Server (IIS) 4.0 system.
* FEATURE: CREATE HOME DIRECTORIES AND SET NTFS PERMISSIONS WITH A WEB
In his feature for our Win32 Scripting Newsletter, Ethan Wilansky
offers a Web script that displays a Web form that Help desk operators
can use to create home directories and set NTFS permissions. The script
uses a variety of scripting technologies, including Windows Management
* REVIEW: BV-CONTROL FOR INTERNET SECURITY 3.0
BindView's bv-Control for Internet Security 3.0 is a high-end
security-management product designed to be a small to midsized network's
first line of defense against security breaches. BindView has built bv-
Control for Internet Security on the battle-proven architecture of its
bv-Control network-management suite. Learn all about it in Jonathan
Chau's review on our Web site!
5. ==== HOT RELEASE (ADVERTISEMENT) ====
* SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY
Which security solution is right for your Web site? Get your
FREE guide, "Securing Your Web Site For Business," to learn the
facts. In the guide, find solutions for:
* Encrypting online transactions
* Securing corporate intranets
6. ==== SECURITY TOOLKIT ====
* BOOK HIGHLIGHT: MALICIOUS MOBILE CODE: VIRUS PROTECTION FOR WINDOWS
By Roger A. Grimes
Fatbrain Online Price: $27.96
Softcover; 400 pages
Published by O'Reilly & Associates, August 2001
For more information or to purchase this book, go to link at the end of
this book highlight and enter WIN2000MAG as the discount code when you
order the book.
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
Virus Alert: X97M/Laroux.DO
X97M/Laroux.DO is a macro virus that infects Microsoft Excel 97
spreadsheets. The virus creates a file called vera.xls in the Excel 97
Startup directory. When a user runs Excel, vera.xls automatically loads
and infects any other Excel files used from that point on.
* TIP: RESETTING LOST PASSWORDS
(contributed by Wu Wen Long, wuwenlong () singapore com)
One of our readers, Wu Wen Long, sent the following tip regarding a way
to reset lost passwords. "I discovered a method for using the Spooler
service to work around lost passwords on a Windows NT 4.0 Service Pack 5
(SP5) system. By default, the Spooler service starts automatically under
the system account. When a user loses a password, log on to the system
(you can log on with an account that doesn't have Administrator
permissions) and rename spoolss.exe as spoolss.bak and usrmgr.exe as
spoolss.exe. Restart the system. User Manager will appear under the
system account, so you can modify the user's account, including
resetting the username and password."
7. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, products () win2000mag com)
* EXTEND POLICY-BASED SECURITY TO REMOTE USERS
InfoExpress released CyberArmor 2.0, a centrally managed firewall
suite that includes CyberArmor client, Policy Manager, CyberServer, and
CyberConsole to let you extend policy-based security to remote users who
access corporate networks. CyberArmor client protects the end-user's PC
and notifies users and CyberServer of attacks. Policy Manager creates
and manages policies, run-time settings, and automatic updates.
CyberServer logs user events and threats into a database. CyberConsole
lets you view remote user systems and manage incidents through the
database. For pricing, contact InfoExpress at 650-623-0260.
* FIX SECURITY VULNERABILITIES AND STABILITY PROBLEMS
St. Bernard Software released UpdateEXPERT 5.1, automated research,
inventory, deployment, and validation software that lets you fix
security vulnerabilities and stability problems. The software
inventories networked machines and identifies installed OS and
application updates. You can research and select updates for
applications, and the software remotely deploys and validates the
selected updates. For pricing, contact St. Bernard Software at 858-676-
2277 or 800-782-3762.
8. ==== HOT THREAD ====
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
Featured Thread: Restricted Desktops
(Four messages in this thread)
Clint wants to know where he can find good articles on how to manage and
restrict Windows 98 user desktops used with a Windows 2000 server. Read
more about the question and the responses, or lend a hand at the
9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- mark () ntsecurity net
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- products () win2000mag com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com
* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () win2000mag com
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.