Information Security News
mailing list archives
Security UPDATE, February 5, 2003
From: InfoSec News <isn () c4i org>
Date: Thu, 6 Feb 2003 00:16:51 -0600 (CST)
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows Server 2003, Windows 2000, and
Windows NT systems.
~~~~ THIS ISSUE SPONSORED BY ~~~~
Black Hat Windows Security Briefings & Training
Windows Powered NAS Web Seminar
(below IN FOCUS)
~~~~ SPONSOR: BLACK HAT WINDOWS SECURITY BRIEFINGS & TRAINING ~~~~
Spooked about Windows security? Getting "slammed" hard by worms?
Find all of the solutions at Black Hat Windows Security Briefings &
Training, February 24-27 in Seattle, the world's premier technical
event for Windows security experts. All of the top experts you've read
about recently are speaking. Fully supported by Microsoft, with new MS
hosted training sessions just added!
Visit http://list.winnetmag.com/cgi-bin3/flo/y/ePUv0CJgSH0CBw0pHV0AV to
February 5, 2003--In this issue:
1. IN FOCUS
- Report Says Cyber Threats Rising, New Areas of Risk
2. SECURITY RISKS
- Session Authentication Vulnerability in Compaq Insight Manager
- DoS in Microsoft Win2K Terminal Services
3. ANNOUNCEMENTS
- Don't Miss Our 2 New Security Web Seminars in March!
- Windows & .NET Magazine Connections: Learn from the Writers You
Know and Trust
4. SECURITY ROUNDUP
- News: Microsoft Renames Palladium, Gives Up Trademark Hunt
- Feature: SQL Server SP3: To Install or Not to Install?
- News: Microsoft Revised Five Security Bulletins
5. INSTANT POLL
- Results of Previous Poll: Security Administrative Duties
- New Instant Poll: Slammer/Sapphire Worm
6. SECURITY TOOLKIT
- Virus Center
- Virus Alert: W32/SQLSlammer
- FAQ: Having Trouble Enabling SSL on Your Site?
7. NEW AND IMPROVED
- Centrally Manage Sidewinder Firewalls
- Capture and Analyze Your Network Traffic
- Submit Top Product Ideas
8. HOT THREAD
- Windows & .NET Magazine Online Forums
- Featured Thread: Do IPSec Policies Slow Server Response?
- HowTo Mailing List:
- Featured Thread: Are MAILTO and POST Safe for Transactions?
9. CONTACT US
See this section for a list of ways to contact us.
1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)
* REPORT SAYS CYBER THREATS RISING, NEW AREAS OF RISK
One glaringly apparent aspect of the Slammer/Sapphire worm is that it
didn't carry a destructive payload. That is, it did no damage to the
systems to which it propagated. Instead, it consumed huge amounts of
bandwidth because it could spread so rapidly. For a great technical
analysis of the worm, visit one of the URLs below:
Unlike Slammer/Sapphire, many intrusive pieces of code have carried
destructive payloads, and some of them also propagated by a variety of
means, including through file systems, file-sharing systems, email
systems, and open ports with vulnerable services. Nimda, Opaserv,
Bugbear, and Klez are examples of such malicious code.
This week, Symantec released the "Symantec Internet Security Threat
Report, Volume III," available at the URL below. According to the new
report, the Opaserv, Bugbear, and Klez threats alone accounted for
nearly 80 percent of all malicious code during the past 6 months.
Symantec says we should expect to see even more virus and worm
intrusions that use a blended type of attack.
The report states that "the variety of threat types that facilitate
compromises of data/system availability, confidentiality, and
integrity is clearly increasing. While historical data analysis
indicates that Windows 32 threats, blended threats, and
self-replicating mass-mailers are all on the rise, there are several
risks based on market analysis that also warrant close attention."
Those risks include Instant Messaging (IM), peer-to-peer (P2P)
applications, and mobile devices. Symantec's report states that
according to Gartner, as of fourth quarter 2002, about 70 percent of
enterprises use unmanaged IM software on their networks. As a result
of IM's popularity, we might see virus and worm designers begin to use
IM applications to spread code more widely than ever before.
P2P networks are in the same boat as IM networks. Napster made P2P
networks hugely popular, and since Napster's demise, other popular
networks have cropped up (e.g., KaZaA, LimeWire, Morpheus). Infectious
code has already traversed P2P networks. And as P2P application use
rises, so does the potential for virus and worm propagation.
Wireless networking is hugely popular and growing by leaps and bounds. Many
businesses already use wireless LANs (WLANs) to support countless
mobile laptop users, and to a lesser extent, mobile PDA users, such as
those who use Palm and Research In Motion's (RIM's) BlackBerry. As the
computing power of new mobile devices (including cell phone/PDA
combinations) increases, so does the risk of virus and worm intrusion.
Symantec points out that the "always-on" nature of such devices, as
well as their tendency to be remotely connected to sensitive data,
will attract intrusion attempts.
So when I consider little worms such as Slammer/Sapphire in
conjunction with intrusive nuisances such as Nimda (or Opaserv,
Bugbear, and Klez) and the many systems on the Internet with unpatched
vulnerabilities, what comes to mind is a stage set for a more serious
disaster. And Symantec's overall report points out that potential.
We need to realize that someday, probably sooner than later, someone
will likely release an incredibly nasty worm that will wreak havoc on
systems by using every point of attack it can find. To be as prepared
as possible, you need to use the most up-to-date antivirus software,
firewalls, Intrusion Detection Systems (IDSs), and monitoring
solutions possible. You must also audit your systems regularly to
ensure compliance with your security policies. Because as we saw with
Slammer/Sapphire, if you aren't part of the solution, you are or might
become part of the problem.
~~~~ SPONSOR: WINDOWS POWERED NAS WEB SEMINAR ~~~~
NEW WEB SEMINAR: AN INTRODUCTION TO WINDOWS POWERED NAS
Would you like to find out how to consolidate your Windows NT
file servers while reducing costs? Or, do you need to formulate a
solid disaster recovery plan? Mark Smith, a former MIS manager and
founder of Windows & .NET Magazine, will illustrate how Windows
Powered NAS can help you address these issues and more -- without
impacting day-to-day business.
Register today at:
2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken () winnetmag com)
* SESSION AUTHENTICATION VULNERABILITY IN COMPAQ INSIGHT MANAGER
An authentication vulnerability in Hewlett-Packard's (HP's) Compaq
Insight Manager HTTP 5.1.0 can let a nonprivileged user access the
system. If a legitimate user logs on to the Web Agent Service through
HTTP Secure (HTTPS) on port 2301 and doesn't use the logout function,
the session remains valid for 15 minutes, even after the browser is
closed. This time frame can let a nonprivileged user on the same system
log on with privileged access. Compaq says that version 5.3 isn't
vulnerable to this condition.
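The failure mode described above (a session that stays valid for a fixed idle period after the browser is closed because the user never called logout) is easiest to see in a small model. The following is an added example, not Compaq/HP code: a generic server-side session table with an injectable clock, the 15-minute idle timeout taken from the description above, and an explicit logout that revokes the token immediately. The token format, the `SessionStore`/`FakeClock` classes and the `demo_*` functions are all assumptions for illustration.

```python
"""Session lifetime: idle timeout versus explicit logout (added example).

Models a generic server-side session table. Nothing here is Compaq
Insight Manager code; the 15-minute idle window is the figure quoted
in the newsletter, everything else is an assumption for illustration.
"""
import secrets

IDLE_TIMEOUT_S = 15 * 60  # 15 minutes, as described for the Web Agent Service


class SessionStore:
    """Token -> session table with a sliding idle timeout."""

    def __init__(self, clock):
        self._clock = clock      # callable returning current time in seconds
        self._sessions = {}      # token -> {"user": str, "last_seen": float}

    def login(self, user):
        # A random, unguessable token is the only thing the client holds.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def user_for(self, token):
        """Return the user bound to token, or None if unknown or idle-expired.

        A successful lookup refreshes the idle timer (sliding window).
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT_S:
            del self._sessions[token]   # expired: drop it server-side
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token):
        """Explicit logout revokes the token at once, no idle wait."""
        self._sessions.pop(token, None)


class FakeClock:
    """Controllable clock so the demos run instantly and deterministically."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo_without_logout():
    """Browser closed without logout; 5 minutes later the token still works."""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.login("admin")
    clock.advance(5 * 60)
    return store.user_for(token)     # "admin": anyone holding the token is in


def demo_with_logout():
    """Explicit logout: the token is dead immediately."""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.login("admin")
    store.logout(token)
    return store.user_for(token)     # None


def demo_idle_expiry():
    """No logout, but the idle window has passed: the token is rejected."""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.login("admin")
    clock.advance(IDLE_TIMEOUT_S + 1)
    return store.user_for(token)     # None


if __name__ == "__main__":
    print("no logout, 5 min later :", demo_without_logout())
    print("after logout           :", demo_with_logout())
    print("after idle timeout     :", demo_idle_expiry())
```

The point for operators is the first demo: until the idle window closes, the server cannot distinguish the original user from anyone else presenting the same token, so a logout control that actually deletes the server-side entry (and a short idle timeout) is the mitigation, not closing the browser.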
* DoS IN MICROSOFT WIN2K TERMINAL SERVICES
A vulnerability in Windows 2000 Server Terminal Services can let a
malicious user force a reboot of the terminal server. Microsoft hasn't
released a fix or a response. The discoverer's posted workaround for
Win2K suggests removing all permissions on msgina.dll for Power Users,
Users, and Everyone.
3. ==== ANNOUNCEMENTS ====
(brought to you by Windows & .NET Magazine and its partners)
* DON'T MISS OUR 2 NEW SECURITY WEB SEMINARS IN MARCH!
Windows & .NET Magazine has two new Web seminars to help you
address your security concerns. There is no fee to attend "Selling the
Importance of Security: 5 Ways to Get Your Manager's Attention" and
"Building an Ultra Secure Extranet on a Shoe String," but space is
limited, so register today!
* WINDOWS & .NET MAGAZINE CONNECTIONS: LEARN FROM THE WRITERS YOU KNOW
AND TRUST
In-depth coverage by the world's top gurus of Windows security:
Keeping Up with Service Packs and Security Patches, Identity
Management with PKI, Implementing Security with Group Policy, Defend
your networks by planning your own "Hack Attack," Using Event Logs to
identify intruder activity, Securing wireless LANs, Managing AD
Security with ADSI and WSH, Making IIS a Secure Web Server, and more.
4. ==== SECURITY ROUNDUP ====
* NEWS: MICROSOFT RENAMES PALLADIUM, GIVES UP TRADEMARK HUNT
Microsoft has revealed that it has given up trying to trademark
"Palladium," the term it had given to its secure computing initiative.
The company says that the technologies once called Palladium will now
go by the name Next Generation Secure Computing Base, which it feels
is more accurate and mature.
* FEATURE: SQL SERVER SP3: TO INSTALL OR NOT TO INSTALL?
Microsoft released SQL Server 2000 Service Pack 3 (SP3) on January
17, raising the inevitable question, "To install or not to install?"
SQL Server Product Support Services (PSS) recommends applying the
latest service pack even if you're not aware of a specific fix that
will help you. If you're contemplating whether to install this service
pack (especially because it helps protect against attacks such as the
Slammer/Sapphire worm), be sure to read what Brian Moran has to say
* NEWS: MICROSOFT REVISED FIVE SECURITY BULLETINS
Microsoft has recently revised five security bulletins: MS02-071
(Flaw in Windows WM_TIMER Message Handling Could Enable Privilege
Escalation), MS02-039 (Buffer Overruns in SQL Server 2000 Resolution
Service Could Enable Code Execution), MS02-056 (Cumulative Patch for
SQL Server), MS02-043 (Cumulative Patch for SQL Server), MS02-032 (26
June 2002 Cumulative Patch for Windows Media Player). Security
bulletin MS02-061 supersedes bulletins MS02-039, MS02-056, and
MS02-043; technicians made notes about patch loading order in
conjunction with hotfix 317748. The revision to MS02-032 fixes a
broken link to the related patch.
5. ==== INSTANT POLL ====
* RESULTS OF PREVIOUS POLL: SECURITY ADMINISTRATIVE DUTIES
The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Does your company use Microsoft Internet Security and Acceleration
(ISA) Server 2000?" Here are the results from the 168 votes.
(Deviations from 100 percent are due to rounding errors.)
- 64% Tightening general security
- 17% Defending against network attacks
- 5% Defending against Web site attacks
- 8% Filtering junk email
- 5% Controlling employee surfing habits
* NEW INSTANT POLL: SLAMMER/SAPPHIRE WORM
The next Instant Poll question is, "Did the Slammer/Sapphire worm
directly affect your network, connectivity, or computerized
activities?" Go to the Security Administrator Channel home page and
submit your vote for a) Yes or b) No.
6. ==== SECURITY TOOLKIT ====
* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
* VIRUS ALERT: W32/SQLSlammer
Slammer is a worm that has the following characteristics:
- It attacks only servers that run Microsoft SQL Server or
Microsoft SQL Server Desktop Engine (MSDE).
- It carries out its infection by exploiting a buffer-overrun
vulnerability in SQL servers that don't have Service Pack 3 (SP3).
- Its strategy involves sending out multiple 376-byte files that
contain the worm's code.
Indications that Slammer has infected a machine include heavy traffic
to UDP port 1434--the SQL Server Resolution Service Port.
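The indicator above (heavy UDP traffic to port 1434, the SQL Server Resolution Service port, carried in 376-byte worm payloads) can be turned into a simple detection pass over connection or flow logs. The following is an added example, not code from the newsletter or from Panda Software: it reads constructed flow-style records in a hypothetical whitespace-separated format (`timestamp src dst proto dst_port payload_bytes`), keeps only UDP datagrams to port 1434 whose payload is 376 bytes, and flags any source that sends many of them to many distinct destinations inside a short window. The log format, the sample addresses, and the thresholds are assumptions.

```python
"""Flag hosts whose outbound UDP/1434 traffic looks like Slammer (added example).

Not from the newsletter. Input is a hypothetical flow-log format:
    <unix_ts> <src_ip> <dst_ip> <proto> <dst_port> <payload_bytes>
The constant values come from the indicators the newsletter lists.
"""
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434    # UDP port named in the newsletter
SLAMMER_PAYLOAD_BYTES = 376   # payload size named in the newsletter

# Constructed sample: 10.0.0.5 sprays 376-byte datagrams at six distinct
# hosts in two seconds (worm-like); 10.0.0.9 makes one small, ordinary
# resolution lookup; 10.0.0.12 talks TCP/1433 (normal SQL traffic).
SAMPLE_LOG = """\
1043913601 10.0.0.5 198.51.100.7 udp 1434 376
1043913601 10.0.0.5 203.0.113.9 udp 1434 376
1043913601 10.0.0.5 192.0.2.44 udp 1434 376
1043913602 10.0.0.5 198.51.100.8 udp 1434 376
1043913602 10.0.0.5 203.0.113.10 udp 1434 376
1043913602 10.0.0.5 192.0.2.45 udp 1434 376
1043913605 10.0.0.9 10.0.0.20 udp 1434 60
1043913606 10.0.0.12 10.0.0.30 tcp 1433 512
"""


def parse_line(line):
    """Split one flow record into typed fields."""
    ts, src, dst, proto, dport, size = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "size": int(size)}


def is_slammer_candidate(rec):
    """True for a UDP datagram to 1434 carrying exactly the worm-sized payload."""
    return (rec["proto"] == "udp"
            and rec["dport"] == SQL_RESOLUTION_PORT
            and rec["size"] == SLAMMER_PAYLOAD_BYTES)


def find_slammer_suspects(log_text, min_hits=5, min_distinct_dst=5, window_s=10):
    """Return {src_ip: total_candidate_datagrams} for sources that, inside any
    window_s-second window, sent at least min_hits candidate datagrams to at
    least min_distinct_dst different destinations.

    Requiring many distinct destinations separates scanning from a single
    client that legitimately retries one server.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_slammer_candidate(rec):
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    suspects = {}
    for src, events in per_src.items():
        events.sort()                 # order by timestamp
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_s seconds.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            window = events[start:end + 1]
            if (len(window) >= min_hits
                    and len({dst for _, dst in window}) >= min_distinct_dst):
                suspects[src] = len(events)
                break
    return suspects


if __name__ == "__main__":
    for src, count in sorted(find_slammer_suspects(SAMPLE_LOG).items()):
        print(f"suspect {src}: {count} worm-sized UDP/1434 datagrams")
```

On the constructed sample only 10.0.0.5 is reported; the single 60-byte lookup from 10.0.0.9 and the TCP/1433 traffic are ignored. In practice the payload-size filter is what keeps the false-positive rate down: ordinary resolution-service queries are far smaller than 376 bytes.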
* FAQ: HAVING TROUBLE ENABLING SSL ON YOUR SITE?
(contributed by Brett Hill, http://www.iisanswers.com)
Q: A reader is trying to enable Secure Sockets Layer (SSL) on a
company Web site. The company has installed a certificate but can't
create an HTTP Secure (HTTPS) connection. The site works fine with
HTTP, but HTTPS causes the Web browser to wait for a long time, then
time out because it can't reach the server.
Troubleshooting SSL connection problems can be tedious. Brett Hill
offers a list of common problems to look for on your servers, along
with detailed explanations. Check out the list of potential problems
and their solutions on our Web site:
7. ==== NEW AND IMPROVED ====
(contributed by Sue Cooper, products () winnetmag com)
* CENTRALLY MANAGE SIDEWINDER FIREWALLS
Secure Computing released Sidewinder G2 Enterprise Manager, a
rack-mount security appliance that provides central policy management
and an audit-log and configuration-backup repository for your
distributed Sidewinder firewalls. The appliance is built on Secure
Computing's hardened version of UNIX, the SecureOS UNIX OS, which has
never been compromised. Your network access policies and security logs
are stored in the system's SQL database. The Sidewinder G2 performs
its secure, browser-based management through a Windows software
package. Contact Secure Computing at 800-379-4944, 408-979-6572, or
sales () securecomputing com
* CAPTURE AND ANALYZE YOUR NETWORK TRAFFIC
Sandstorm Enterprises announced NetIntercept 1.2, a hardware-based
Network Forensics Analysis Tool (NFAT). NetIntercept can tell you who
sent what information where, why information isn't moving, and how
your systems were attacked. New features include Secure Sockets Layer
(SSL) session decryption and analysis and an option to write to DVD
archive media. NetIntercept 1.2 contains improved netmask-management
and content-search capabilities. For more information about
NetIntercept 1.2, contact Sandstorm Enterprises at 617-426-5056 and
sales () sandstorm net
* SUBMIT TOP PRODUCT IDEAS
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com
8. ==== HOT THREAD ====
* WINDOWS & .NET MAGAZINE ONLINE FORUMS
Featured Thread: Do IPSec Policies Slow Server Response?
(Three messages in this thread)
A user writes that he has set up an IP Security (IPSec) policy to
permit incoming traffic only on certain ports. He wants to know
whether such a policy will slow down requests to the server. Lend a
hand or read the responses:
* HOWTO MAILING LIST
Featured Thread: Are MAILTO and POST Safe for Transactions?
(Three messages in this thread)
A user wants to know what the dangers are if someone sends a credit
card number over the Internet using MAILTO and POST links. Read the
responses or lend a hand at the following URL:
9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT IN FOCUS -- mark () ntsecurity net
* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
* PRODUCT NEWS -- products () winnetmag com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com
* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com
This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.
MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
Copyright 2003, Penton Media, Inc.
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.