**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

VeriSign - The Internet Trust Company
http://www.verisign.com/cgi-bin/go.cgi?a=n016007860008000

Sunbelt Software - STAT: NT/2000 Vulnerability Scanner
http://www.sunbelt-software.com/product.cfm?id=899
(Below SECURITY ROUNDUP)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

May 10, 2000 - In this issue:

1. IN FOCUS
   - Is the Windows Platform Overpowered?

2. SECURITY RISKS
   - Aladdin eToken Allows Physical Access to Data
   - DMailWeb Buffer Overflow
   - DNewsWeb Buffer Overflow
   - Listserv Web Archives Buffer Overflow

3. ANNOUNCEMENTS
   - Training & Certification UPDATE--Free Email Newsletter
   - Conference and Expo on Windows 2000/NT 4.0 Security and Control

4. SECURITY ROUNDUP
   - News: New Virus Loves You
   - News: Microsoft Publishes Details of Kerberos Authorization Data Field

5. NEW AND IMPROVED
   - Software Prevents Receipt of Love Bug
   - Online Scanning Service Cleans Systems

6. HOT RELEASES (ADVERTISEMENT)
   - Mail Essentials: Anti-Virus Gateway for Exchange!
   - Network-1 Security Solutions - Securing e-Business Networks

7. SECURITY TOOLKIT
   - Book Highlight: Virtual Private Networking: A View from the Trenches
   - Tip: Limit Buffer Size on IIS
   - Writing Secure Code: Writing a Secure POP3 Server

8. HOT THREADS
   - Windows 2000 Magazine Online Forums
       Ctrl-Alt-Del Doesn't Appear
   - Win2KSecAdvice Mailing List
       VF.EXE Free Anti-Worm Tool Released
       Windows 95/98 Denial of Service Using NetBIOS
   - HowTo Mailing List
       Remove Messages and Attachments from Exchange Server
       How Can I Identify Sniffer Programs?

~~~~ SPONSOR: VERISIGN - THE INTERNET TRUST COMPANY ~~~~
Protect your servers with 128-bit SSL encryption!
Get VeriSign's FREE guide, "Securing Your Web Site for Business." You will learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016007860008000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone (Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

When I arrived at work last Thursday morning, I had three email messages waiting in my inbox, one of which contained the recently discovered Love Letter virus. Apparently, someone I don’t know had stored my email address in his address book. Later, when that person became infected with the Love Letter virus, the virus sent a copy of itself to me and everyone else in his address book. But because I don't open attachments that I didn't ask to receive, my systems remain unaffected.

Anyone can inadvertently receive a script-based virus, but not everyone understands the need to guard against that event. Many people don't think seriously about virus protection until after they've suffered damage.

Microsoft says viruses don't necessarily represent security issues, but instead are a social phenomenon. What Microsoft doesn't say is that virus writers routinely target Internet Explorer (IE) and Outlook clients because of their functionality. Virus writers claim that it's easy to spread a virus on Windows platforms because of powerful scripting technology installed as part of the tightly integrated desktop and Microsoft Office applications.

Many security professionals think Microsoft's approach to scripting allows too much access to OS resources.
Many developers cite Java as a preferred language for secure desktop scripting because of its sandbox security technology. According to Symantec's Antivirus Research Center database (http://www.symantec.com/avcenter/vinfodb.html), there are currently only five variations of Java-based viruses, but there are 28 VBScript-based viruses with 81 variations of those original 28.

The database reveals that Love Letter is the most prolific virus to date. According to research firm Computer Economics (http://www.computereconomics.com), more than 78 million people received a copy of the Love Letter virus in the first several days of its spread. Michael Erbschloe, vice president of research for the company, said the virus caused $6.7 billion in damage during the first 5 days. That figure is expected to reach $10 billion or more before Love Letter and all of the variants have been eradicated.

In this week's Time Magazine, Microsoft Chairman Bill Gates implied that if Microsoft were split into two companies, new versions of Microsoft products might become hard to obtain. Gates also implied that those new versions could protect against various intrusions similar to the Love Letter virus. Is Microsoft now headed into the antivirus software arena, or is Gates just admitting that the company could improve the security of its scripting technology?

In either case, we can protect against viral nuisances today, regardless of how Microsoft structures its company tomorrow. Anything from complete Windows Scripting Host removal to centrally managed file attachment filtering and virus scanning would suffice.

I've heard people complain loudly over the past few years that they think Microsoft's software is overpowered and too tightly integrated, but up until the Love Letter virus outbreak, I didn't share that opinion. I was more inclined to think that training was the answer for controlling all this powerful network-enabled software. But now I see the situation differently.
The Love Letter virus clearly points out that not everyone understands the ramifications of using Microsoft's embedded and integrated technologies. Relatively few users receive training before they are exposed to a Microsoft desktop. For most, training either comes after the fact or from the school of hard knocks, whichever happens first.

Have Microsoft's advancements with embedded and integrated out-of-the-box technology outpaced the average end users' ability to understand and control that functionality in a reasonably secure fashion? Stop by our Web site and post your opinion--you'll find this editorial and a new survey linked on the home page. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* ALADDIN ETOKEN ALLOWS PHYSICAL ACCESS TO DATA
Aladdin Knowledge Systems manufactures a hardware-based USB electronic token system based on smart card technology that is used for data integrity, authentication, and encryption. The L0pht discovered that by using simple hand tools and widely available chip manipulation tools, an intruder can compromise eTokens without the end user being aware of the breach.
http://www.ntsecurity.net/go/load.asp?iD=/security/etoken1.htm

* DMAILWEB BUFFER OVERFLOW
Cerberus Security discovered a remotely exploitable buffer overrun in Netwin's DMailWeb Common Gateway Interface (CGI) program. By using long URL parameters (group and utag), an attacker can overflow a buffer and execute arbitrary code on the Web server. The vendor has issued a new version of the software to correct the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/dmailweb1.htm

* DNEWSWEB BUFFER OVERFLOW
Cerberus Security discovered a problem similar to the problem in DMailWeb, where a remotely exploitable buffer overrun is present in the DNewsWeb CGI program.
An intruder can use a long URL parameter (group and utag) to overflow a buffer and execute arbitrary code on the Web server. The vendor has issued a new version of the software to correct the matter.
http://www.ntsecurity.net/go/load.asp?iD=/security/dnewsweb1.htm

* LISTSERV WEB ARCHIVES BUFFER OVERFLOW
The Cerberus Security Team has discovered a remotely exploitable buffer overflow in L-Soft's Listserv Web Archive component. By sending a specifically formed request to the server, an intruder can overflow a buffer, which could let arbitrary code execute on the server. L-Soft has issued a patch to correct the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/listserv1.htm

3. ========== ANNOUNCEMENTS ==========

* TRAINING & CERTIFICATION UPDATE--FREE EMAIL NEWSLETTER
If you're preparing for a certification exam, you know how important it is to get advice and tips from the people who've been there. Sign up for our latest email newsletter at our Training and Certification site (http://www.win2000mag.net/training/index.html), and start getting hints to help you pass your exams on the first try.

* CONFERENCE AND EXPO ON WINDOWS 2000/NT 4.0 SECURITY AND CONTROL
The Conference and Expo on Windows 2000/NT 4.0 Security and Control comes to Boston, July 11 through 13, 2000, with optional workshops on July 10 and July 13. Produced by MIS Training Institute and its security division, Information Security Institute, and co-sponsored by Windows 2000 Magazine, this conference is the place to gain the technical skills and real-world knowledge you need to successfully implement and exploit Microsoft’s newest OS. For more details or to register, call 508-879-7999, ext. 346, or go to http://www.misti.com/conference_show.asp?id=NT00US.

4. ========== SECURITY ROUNDUP ==========

* NEWS: NEW VIRUS LOVES YOU
A new virus has spread rapidly over the past week.
The virus, now called Love Letter, spreads through email as a file attachment targeted at Outlook and Internet Explorer (IE) users. The newly discovered virus is a Visual Basic (VB)-based script that arrives with a message subject of "ILOVEYOU." Reports indicate that variations of the virus are already spreading. The email contains one line of text and the virus file attachment. The text reads "kindly check the attached LOVELETTER coming from me," and the attached file named "LOVE-LETTER-FOR-YOU.TXT.VBS," is a VB script designed to replicate the virus and destroy particular files on the infected system. Variations of the virus might have a subject line of "FW: Joke," "Joke," or something similar, where the email contains a copy of the virus in a file attachment named veryfunny.vbs.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=105&TB=news

* NEWS: MICROSOFT PUBLISHES DETAILS OF KERBEROS AUTHORIZATION DATA FIELD
Microsoft has published details about the authorization data field of Kerberos v5 authentication protocol used in Windows 2000. Kerberos is a network authentication protocol that engineers designed at the Massachusetts Institute of Technology (MIT) to provide proof of identity on a network. Heated conversations took place on various Internet sites in recent months regarding Microsoft's intentions for the Kerberos protocol.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=128&TB=news

~~~~ SPONSOR: SUNBELT SOFTWARE--STAT: NT/2000 VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your network? Plug NT/2000's over 850 holes before they plug you. You _have_ to protect your LAN _before_ it gets attacked. STAT comes with a responsive web-update service and a dedicated Pro SWAT team that helps you to hunt down and kill Security holes. Built by anti-hackers for DOD sites. Download a demo copy before you become a statistic.
http://www.sunbelt-software.com/product.cfm?id=899

5.
========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* SOFTWARE PREVENTS RECEIPT OF LOVE BUG
20th Century Fox invested in Elron Software's Message Inspector, and the customized software prevented the receipt of the "I Love You" virus at its Los Angeles headquarters. As the virus spread across the globe, Message Inspector halted at least 40 messages attempting to infiltrate the email of more than 3500 20th Century Fox employees. Message Inspector helps organizations minimize the risks associated with email in the workplace.
http://www.elronsoftware.com/connection/

* ONLINE SCANNING SERVICE CLEANS SYSTEMS
Trend Micro announced that protection for the new and quickly spreading VBScript worm-type virus VBS-LOVELETTER is available now. Trend Micro recommends that its customers update their virus protection software with a new emergency virus update pattern 693 available from http://www.antivirus.com/download/pattern.asp. Noncustomers can take advantage of a free online service at http://housecall.antivirus.com to ensure their products are not infected.

6. ========== HOT RELEASES (ADVERTISEMENT) ==========

* MAIL ESSENTIALS: ANTI-VIRUS GATEWAY FOR EXCHANGE!
Flooded with attachments with viruses, email jokes, MP3s? Quarantine such emails and keep your server healthy and your company out of legal trouble! Mail essentials adds virus scanning, content filtering & more to your Exchange server.
http://www.gfi.com/exchmesav.shtml

* NETWORK-1 SECURITY SOLUTIONS - SECURING E-BUSINESS NETWORKS
Secure your critical NT/2000 servers now. CyberwallPLUS-SV is the first embedded firewall for NT servers. It secures servers with network access controls and intrusion prevention. Visit http://www.network-1.com/SVeval/index.htm for a free evaluation kit and white paper.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: VIRTUAL PRIVATE NETWORKING: A VIEW FROM THE TRENCHES
By Bruce Perlmutter and Jonathan L.
Zarkower
Online Price: $44.99
Hardcover; 400 Pages
Published by Prentice Hall, November 1999
ISBN 0130203351

Get expert tips for design, migration, implementation, and ongoing management of VPNs. Develop a holistic approach that includes such elements as User Authentication and Quality of Service (QoS) to make your network run more smoothly, and learn about deployment levels, tunneling protocols, service level guarantees, and traffic management.

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 percent off the online price by typing WIN2000MAG in the discount field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/0130203351?from=win2000mag or visit the Windows 2000 Magazine Network Bookstore at http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.

* TIP: LIMIT BUFFER SIZE ON IIS
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

If you read the Win2KSecurity Advice mailing list, you know that Marc (from the eEye Digital Security Team) recently pointed out that a new Microsoft Support Online article reveals a useful security configuration setting within IIS. If you run IIS on Windows NT with Service Pack 5 (SP5) or later, you should take advantage of a new Registry key, MaxClientRequestBuffer. The key lets a user set a maximum limit for the cumulative size (in bytes) of the URL request line and header fields sent in a request to IIS.

In IIS 4.0, the default maximum size of request line and header fields is 2MB, and in IIS 5.0, the size is only 128KB. By taking advantage of the larger size on IIS 4.0, an attacker could launch Denial of Service (DoS) attacks against the server by repeatedly consuming large amounts of server memory. By adjusting the Registry, administrators can control that size to reduce the chance of successful attacks.
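
What a cumulative cap on the request line and header fields buys the server, as an added Python sketch that is not IIS code and not part of the original newsletter. The class and function names, the 16KB cap and the sample traffic are assumptions constructed for illustration; the 2MB and 128KB figures are the defaults quoted in the tip.

```python
"""Added illustration: enforce a cumulative cap on request line + header bytes."""

IIS4_DEFAULT = 2 * 1024 * 1024   # 2MB default the tip cites for IIS 4.0
IIS5_DEFAULT = 128 * 1024        # 128KB default the tip cites for IIS 5.0
END_OF_HEAD = b"\r\n\r\n"        # blank line that ends the header fields


class RequestHeadTooLarge(Exception):
    """Request line plus headers exceeded the configured cap."""


class RequestHeadReader:
    """Buffers one connection's request head, never more than the cap."""

    def __init__(self, max_head_bytes):
        self.max_head_bytes = max_head_bytes
        self.buf = bytearray()
        self.complete = False

    def feed(self, chunk):
        """Add bytes read from the socket; True once the head is complete."""
        if self.complete:
            return True
        room = self.max_head_bytes - len(self.buf)
        # The terminator may straddle two chunks, so rescan the last 3 bytes.
        scan_from = max(0, len(self.buf) - (len(END_OF_HEAD) - 1))
        self.buf += chunk[:room]          # never store bytes beyond the cap
        end = self.buf.find(END_OF_HEAD, scan_from)
        if end != -1:
            del self.buf[end + len(END_OF_HEAD):]   # keep the head only
            self.complete = True
            return True
        if len(chunk) >= room:
            # Cap reached with no end of headers: release memory and reject.
            self.buf.clear()
            raise RequestHeadTooLarge(self.max_head_bytes)
        return False


def idle_flood(cap, connections, junk_bytes, chunk_size=4096):
    """Constructed scenario: every connection sends junk_bytes of header data
    and never finishes the head. Returns (connections still open, total bytes
    the server is holding for them)."""
    still_open, held = 0, 0
    for _ in range(connections):
        reader = RequestHeadReader(cap)
        try:
            for sent in range(0, junk_bytes, chunk_size):
                reader.feed(b"X" * min(chunk_size, junk_bytes - sent))
        except RequestHeadTooLarge:
            continue                      # connection dropped, buffer freed
        still_open += 1
        held += len(reader.buf)
    return still_open, held


if __name__ == "__main__":
    one_mb = 1024 * 1024
    for cap in (IIS4_DEFAULT, IIS5_DEFAULT, 16 * 1024):
        print(cap, idle_flood(cap, 100, one_mb))
```

With the 2MB limit, 100 unfinished requests of 1MB each stay open and pin 100MB of buffers; with the smaller caps every one of them is rejected as soon as it reaches the limit.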
Be sure to read Support Online article Q260694 for complete details about the Registry key, and also read security bulletin MS00-023 to learn how excessively large buffers can lead to DoS attacks against your servers.
http://support.microsoft.com/support/kb/articles/q260/6/94.asp
http://www.microsoft.com/TechNet/security/bulletin/ms00-023.asp
http://www.ntsecurity.net/go/load.asp?id=/security/win2ksecadvice.htm

* WRITING SECURE CODE: WRITING A SECURE POP3 SERVER
Part of writing secure code is considering security issues before you start. In his most recent column, David LeBlanc begins a series of articles that walk you through the thought process of designing secure TCP/IP-based services. In the first article, LeBlanc uses a simple POP3 server as an example to point out items to consider when designing code that can fend off future attackers. Be sure to read LeBlanc's latest column to learn about the more common gotchas of today's code design.
http://www.ntsecurity.net/go/seccode.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

May 04, 2000, 02:28 P.M.
Ctrl-Alt-Del Doesn't Appear
A while ago, I set up my computer to bypass the ctrl+alt+del portion of logon. Turn on the computer and it will go all the way to the desktop, no logon required. I'd like to change it back to normal, but I can't remember how I did it in the first place. Please help. Thanks in advance.

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=101826.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week.

1. VF.EXE Free Anti-Worm Tool Released
The VF tool was written by Cerberus Information Security.
The tool goes through the Registry and removes application/file extension mappings for VBS, VBE, WSF, WSH, JS and JSE files so that any viruses or worms that rely on these associations will therefore fail. Source code is provided along with a binary executable that can run over a network.
http://www.ntsecurity.net/go/w.asp?A2=IND0005B&L=WIN2KSECADVICE&P=88
http://www.ntsecurity.net/go/w.asp?A2=IND0005B&L=WIN2KSECADVICE&P=197

2. Windows 95/98 Denial of Service Using NetBIOS
A binary program was found in the wild and analyzed to reveal a new exploit being targeted at Windows 95 and 98 users. By using a NetBIOS session request packet with a null source name, Windows will respond in various unexpected ways, including a complete system lockup.
http://www.ntsecurity.net/go/w.asp?A2=IND0005A&L=WIN2KSECADVICE&P=948

Follow this link to read all threads for May, Week 1:
http://www.ntsecurity.net/go/w.asp?A1=ind0005a&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week.

1. Remove Messages and Attachments from Exchange Server
Microsoft has provided ExMerge, which can remove messages from the Exchange Message Store. The utility has other uses, but in this message, I will show you how to use ExMerge to clean up your Exchange Message Store in the event of a user sending a large attachment to your entire organization; a virus outbreak; or when users store inappropriate items in the message store, such as large multimedia files.
http://www.ntsecurity.net/go/L.asp?A2=IND0005B&L=HOWTO&P=79

2. How Can I Identify Sniffer Programs?
I have just downloaded and installed LANguard from GFI, the people who do Mail Essentials. It immediately identified that one of the NT Workstation nodes on my client's network is running a sniffer program. If a computer is running a sniffer of some kind, how can I find out what the sniffer is?
http://www.ntsecurity.net/go/L.asp?A2=IND0005A&L=HOWTO&P=2349

Follow this link to read all threads for May, Week 1:
http://www.ntsecurity.net/go/l.asp?A1=ind0005a&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics of your choice, including Win2K Pro, Exchange Server, thin-client, training and certification, SQL Server, IIS administration, XML, application service providers, and more. Subscribe to our other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up00inxwnf.

SUBSCRIBE/UNSUBSCRIBE/CHANGE ADDRESS

Thank you for reading Windows 2000 Magazine Security UPDATE.

You are currently subscribed to securityupdate as: packet@PACKETSTORM.SECURIFY.COM

To subscribe, go to the UPDATE home page at http://www.win2000mag.com/update or send a blank email to join-securityupdate@list.win2000mag.net.

To remove yourself from the list, send a blank email to leave-securityupdate-120275L@list.win2000mag.net.

To change your email address, send a message with the sentence

set securityupdate email="new email address"

as the message text to lyris@list.win2000mag.net. Replace the words "new email address" with your new email address (include the quotes).

If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com.
We will address your questions or problems as quickly as we can, but please allow 2 issues for resolution.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|

Copyright 2000, Windows 2000 Magazine