**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

Trend Micro -- Your Internet Virus Wall
http://www.antivirus.com/welcome/winnt071499.htm

Free On-Line Seminar: How to Defend NT Servers
http://www.network-1.com/seminar
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
January 19, 2000 - In this issue:

1. IN FOCUS
     - Who's Watching Who?

2. SECURITY RISKS
     - Local Procedure Call Elevates Privileges
     - Super Mail Denial of Service Condition

3. ANNOUNCEMENTS
     - Technology Week--Microsoft's Professional Trainer Conference

4. SECURITY ROUNDUP
     - News: IIS Certificates Can Crash Netscape Communicator
     - News: E-Lock Technologies Introduces Assured Office
     - Review: Lucent Technologies' Newly Expanded VPN Line
     - Feature: Speech Recognition Technology

5. NEW AND IMPROVED
     - On-the-Fly Protection from Viruses
     - Secure E-Business

6. HOT RELEASE (ADVERTISEMENT)
     - VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
     - Book Highlight: Undocumented Windows NT
     - Tip: Before You Say "It's Safe"

8. HOT THREADS
     - Windows NT Magazine Online Forums:
        * BDC or Standard Server?
     - Win2KSecAdvice Mailing List:
        * Exchange Security and Renaming Users - A Cautionary Tale
     - HowTo Mailing List:
        * IIS Parent Path Question

~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUS WALL ~~~~
Think you've seen the REAL Phantom Menace? Imagine a virus attack
holding your network hostage! Protect your empire with Trend's wide
range of antivirus solutions. Trend is a world leader in antivirus
technologies offering protection -- for the Internet gateway, Notes and
Exchange email servers, the desktop and everywhere in between - that
form a protective, virtual VirusWall around your network. For more
information, call 800-228-5651 or click the link above.
http://www.antivirus.com/welcome/winnt071499.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki
Peterson (Western and International Advertising Sales Manager) at 877-
217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern
Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

I haven't bought much over the Internet, and until current trends
improve, I probably won't buy much in the future. Consumer-based e-
commerce isn't safe yet. Sure, you can probably trust a handful of
vendors with electronic transactions, but you're still accepting a huge
risk because no standard exists for gauging information security
compliance for e-commerce. You have to accept the vendor's word when it
alleges that its systems are secure, and in most cases the vendor's
word about security is backed up with nothing.
  Case in point: Last week, hackers found that several large e-commerce
sites, including CD Universe, contained major security risks that
exposed customer information, including credit card numbers. The
intruders probed some sites and pointed them out. In other cases,
intruders actually cracked the sites and stole credit card data and
then held the data for ransom. So who's watching who? The black hats
are apparently watching everyone and everything that comes into view,
but where are the white hats to keep the black hats at bay?
   Every time I hear about intruders cracking an e-commerce site, I get
colder toward making online purchases. The last thing we need is our
credit card numbers in the hands of a system cracker. So how can we
help prevent credit card theft without giving up on e-commerce? The
answer is, we can't. For now, if we use e-commerce, we must accept the
risk because we don't know which sites to trust and which ones to shy
away from.
   We need a method to determine which e-commerce sites are secure and
which sites remain in question. How else can we learn to trust e-
commerce with a given vendor? Perhaps we need an international
standards body to develop a system of testing and rating a site's e-
commerce security. If a Web site passes the required examinations, it
could display a seal of approval.
   I remember hearing talk about forming a security standards
organization, but I never heard whether it came to pass. Based on last
week's discoveries regarding lax security on various e-commerce sites,
I'd have to guess that either no such body exists or it's being ignored
by e-commerce site developers.
   If you're aware of any such organization or standards for e-commerce
security, please share with me what you know. Until next time, have a
great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* LOCAL PROCEDURE CALL ELEVATES PRIVILEGES
Bindview discovered a serious security problem within Windows NT 4.0.
Because of a flaw in the API call NtImpersonateClientOfPort, any local
system user can impersonate any other user on the machine, including
the LocalSystem account. The problem affects all NT 4.0 systems up to
and including Service Pack 6a (SP6a). Bindview tested its exploit on
Windows 2000 (Win2K) Release Candidate 2 (RC2) and found that the
system was not vulnerable. Microsoft is aware of the problem and has
released an FAQ, Support Online article Q247869, and hotfixes for Intel
and Alpha platforms.
   http://www.ntsecurity.net/go/load.asp?iD=/security/lpc1.htm
   http://www.microsoft.com/security/bulletins/MS00-003faq.asp
   http://support.microsoft.com/support/kb/articles/q247/8/69.asp

* SUPER MAIL DENIAL OF SERVICE CONDITION
UssrLabs discovered a memory leak that might lead to a denial of
service (DoS) condition because of the way the service handles client
data. According to UssrLabs, the software appears to store all client
data in memory during a session and might not properly handle memory
allocation and deallocation during a session. The vendor, Nosque
Workshop, is aware of the problem but has not yet responded.
   http://www.ntsecurity.net/go/load.asp?iD=/security/superm.htm

3. ========== ANNOUNCEMENTS ==========

* TECHNOLOGY WEEK--MICROSOFT'S PROFESSIONAL TRAINER CONFERENCE
If you're a professional trainer on Microsoft products, this event is
for you! Technology Week, which will take place February 6 to 11 in New
Orleans, is an exclusive opportunity to get the training you need
directly from Microsoft courseware teams. Microsoft designed the
sessions to develop your technical knowledge and enhance your training
skills. Session topics include Windows 2000 Administration and Support,
Windows 2000 Infrastructure Design, Exchange 2000 Server, SQL Server,
Knowledge Management/Collaboration, BackOffice Server Integration, MSDN
Training, and instructional skills.
   Technology Week provides optimum learning with minimum downtime in
your career. Attendance is limited--register today!
   http://www.microsoft.com/mct/techweek

4. ========== SECURITY ROUNDUP ==========

* NEWS: IIS CERTIFICATES CAN CRASH NETSCAPE COMMUNICATOR
A bug in Internet Information Server (IIS) can cause Netscape
Communicator 4.7 browsers to crash while negotiating encryption using
digital certificates. The problem affects both Macintosh and Windows
versions of Netscape Communicator.
   By default, international versions of Netscape Communicator 4.7
accept 56-bit digital certificates, but IIS 4.0 does not correctly
support 56-bit certificates. Therefore, when Netscape Communicator
tries to negotiate the use of stronger 128-bit encryption, the browser
crashes.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=202&TB=news

* NEWS: E-LOCK TECHNOLOGIES INTRODUCES ASSURED OFFICE
Microsoft Office is the most popular office suite in use today. E-Lock
Technologies' Assured Office enhances the value of Office by adding
public key infrastructure (PKI)-based digital security to make Office a
comprehensive e-business solution. The seamless integration of Assured
Office digital signing and encryption features within Office enables
organizations to conduct e-business using their existing business
processes.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=201&TB=news

* REVIEW: LUCENT TECHNOLOGIES' NEWLY EXPANDED VPN LINE
In his review for InternetWeek, Salvatore Salamone covers Lucent
Technologies' newly expanded hardware-based VPN product line. According
to the review, "The new Secure VPN line offers a price/performance
range from less than $1000 for a VPN-enabled Pipeline router that can
handle 50 IP Security tunnels to about $45,000 for an Access Point
router designed to handle up to 4000 IPSec tunnels and a high-speed
interface such as OC-3 (155 Mbps)."
   http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=114&TB=r

* FEATURE: SPEECH RECONITION TECHNOLOGY
In her feature for Planet IT, Diane Levine discusses voice recognition
technology and its ever-increasing popularity as a security mechanism.
Diane mentions a couple useful products for PCs, including SaftyLatch,
VoiceCrypt, and L&H voice recognition technology.
   http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=146&TB=f

~~~~ SPONSOR: FREE ON-LINE SEMINAR: HOW TO DEFEND NT SERVERS ~~~~
Attend Network-1’s on-line seminar, "Defending NT Servers in the New e-
Commerce Age", hosted by security expert Dr. Bill Hancock.  This 30-
minute web-based seminar is a must for IT professionals who are
responsible for securing Windows NT servers in  "electronically open"
organizations.
How to attend:
Just point your browser to www.network-1.com/seminar and register. We
offer the seminar at three convenient times.
Join Network-1 and Dr. Hancock at our on-line seminar and get ready for
the e-Commerce Age.

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* ON-THE-FLY PROTECTION FROM VIRUSES
Gordano announced an agreement with Command Software that lets NTMail
and NTList customers receive on-the-fly protection from emailed
viruses. NTMail is an SMTP-based email server for Windows NT. NTList
provides electronic list management for NT. Gordano’s Virus Scanner
Manager (VSM) and Command Software’s antivirus product (CASV) are now
available from Gordano. NTMail and NTList support major antivirus
packages, and you can still choose which virus scanner you want to use.
The partnership offers a virus scanner feeding directly from NTMail-VSM
from a DLL. Using the products together provides Internet mail server
protection. For pricing, contact Gordano, 877-292-1142.
   http://www.gordano.com

* SECURE E-BUSINESS
Internet Security Systems (IIS), a provider of security management
solutions for e-business, and iXL, an Internet services company, signed
a strategic agreement to deliver security solutions to maintain secure
implementation and ongoing e-business protection of iXL’s clients.
Through the agreement, ISS will provide crucial security solutions,
including strategic lifecycle consulting and remote managed services to
iXL clients. The partnership will help e-businesses manage security
risks to protect the confidentiality, integrity, and availability of
critical systems and data. For additional information, contact iXL,
888-495-1122.
   http://www.ixl.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption today!
Get VeriSign's FREE guide, "Securing Your Web Site for Business." Learn
everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016005190013000

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: UNDOCUMENTED WINDOWS NT
By Prasad Dabak
Online Price: $27.95
Softcover; 335 pages
Published by IDG Books Worldwide, September 1999

Get the inside story on Windows NT APIs. Use the interfaces underlying
the Win32 interface to invent new ways to solve problems, discover how
to hook system services not documented in the NT software development
kit (SDK), and learn about security holes inherent in the design of NT
and how you can address them. Also, master techniques for analyzing NT
yourself, get a better understanding of the Memory Management
architecture, modify and administer NT systems to make them more fault
tolerant, and compare and contrast popular Win32 implementations.

For Windows NT Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing WINNTMAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/0764545698?from=SUT864.

* TIP: BEFORE YOU SAY "IT'S SAFE"
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

With so many blatant security risks appearing on large e-commerce sites
lately, I think it's prudent to remind you of a basic security tip that
most diligent administrators practice. That practice is called double-
checking your system security.
   After you've built and configured a system (including any custom
application code), have at least one other party inspect that system
for security shortcomings before you declare the system safe for daily
use, especially if third parties have developed applications for your
system. Although you should inspect any systems yourself, both manually
and programmatically using the security scanners of your choice, don't
assume your checks are sufficient. To be safe, consider using a third
party to check your system.

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
NT Magazine online forums (http://www.winntmag.com/support).

January 14, 2000, 08:34 A.M.
BDC or Standard Server?
I just took a new job and the company has four Windows NT servers. I
know which one the PDC is. Where do I look to see if the others were
installed as BDCs or standard servers? Do you have to set up
replication for a BDC to copy the SAM?

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Messag
e_ID=85933

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week:

1. EXCHANGE SECURITY AND RENAMING USERS – A CAUTIONARY TALE
http://www.ntsecurity.net/go/w.asp?A2=IND0001B&L=WIN2KSECADVICE&P=849

Follow this link to read all threads for Jan. Week 3:
   http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
"HowTo for Security" mailing list. The following thread is in the
spotlight this week:

1. IIS PARENT PATH QUESTION
http://www.ntsecurity.net/go/L.asp?A2=IND0001C&L=HOWTO&P=83

Follow this link to read all threads for Jan. Week 3:
   http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson
(vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved – Carolyn Mascarenas (products@winntmag.com)
Copy Editor – Judy Drennen (jdrennen@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE

To subscribe, go to http://www.winntmag.com/update or send email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the
words "unsubscribe securityupdate" in the body of the message without
the quotes.

To change your email address, you must first unsubscribe by sending
email to listserv@listserv.ntsecurity.net with the words "unsubscribe
securityupdate" in the body of the message without the quotes. Then,
resubscribe by going to http://www.winntmag.com/update and entering
your current contact information or by sending email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice.
Subscribe to these other FREE email newsletters at
http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 2000, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html