**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE 
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter 
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/ 
**********************************************************

This week's issue sponsored by
Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/memorialday.htm

Network-1 Security Solutions - NT/2000 Host Firewalls
http://www.network-1.com/eval/eval6992.htm
(Below SECURITY ROUNDUP) 

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
May 24, 2000 - In this issue:

1. IN FOCUS
     - Is PKI Secure Enough?

2. SECURITY RISKS
     - Offline Explorer Exposes System Files
     - NiteServer FTP Server Denial of Service
     - Windows IP Fragment Reassembly
     - Internet Explorer Frame Domain Verification
     - Internet Explorer Unauthorized Cookie Access
     - Internet Explorer Malformed Component Attribute
     - Unchecked Buffer in Lotus Domino 5.0.1
     - Crashing NetProwler 3.0
     - BlackICE Blank Password and Code Execution

3. ANNOUNCEMENTS
     - Windows 2000/NT 4.0 Security and Control Conference and Expo
     - Microsoft Tech-Ed 2000 WebCast

4. SECURITY ROUNDUP
     - News: New Love Packs a Wallop
     - News: The Upcoming Outlook Security Patch: Should You Load It? 

5. NEW AND IMPROVED
     - Improved Internet Update Speed
     - Internet Banking Services and Internet 911

6. HOT RELEASE (ADVERTISEMENT)
     - Mail Essentials: Anti-Virus Gateway for Exchange!
     - Palm IIIc Giveaway - Windows NT Security Survey

7. SECURITY TOOLKIT
     - Book Highlight: Internet and Intranet Security Management: Risks 
and Solutions
     - Tip: Make My Computer Show Current Username and Machine Name
     - Ultimate Security Toolkit: SecurePC
     - Writing Secure Code: Parsing POP Input
     - Windows 2000 Security: Delegating Password Reset Control

8. HOT THREADS 
     - Windows 2000 Magazine Online Forums
         Migrating a BDC to a New Domain 
     - Win2KSecAdvice Mailing List
         Possible New Email Virus Concept and Bypass IE Settings
     - HowTo Mailing List
         Biometrics Security

~~~~ SPONSOR: TREND MICRO--YOUR INTERNET VIRUSWALL ~~~~
Stop LOVELETTER and other viruses as you prepare for the long Memorial 
Day weekend to make sure your network doesn't also take a vacation! 
Install Trend Micro's reliable antivirus software across your network 
to keep it running and virus-free. A world leader in antivirus and 
content security technologies, Trend Micro's centrally web-managed 
Internet gateway, Notes and Exchange email server, desktop machine and 
network server protection--forms an ironclad content security VirusWall 
around your entire enterprise network. A FREE 30-day evaluation is at 
http://www.antivirus.com/memorialday.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim 
Langone (Western Advertising Sales Manager) at 800-593-8268 or 
jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International 
Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

If e-commerce is a hot subject, then so is public key infrastructure 
(PKI). But what value does PKI really have? If you ask some experts, 
the answer is little value if any, and the cited reasons are many. I 
recently read an article, "Ten Risks of PKI: What You're not Being Told 
about Public Key Infrastructure," by Carl Ellison and Bruce Schneier. 
Ellison is a senior security architect for Intel, and Schneier is 
founder of Counterpane Internet Security and author of "Applied 
Cryptography," the Blowfish and Twofish encryption algorithms, and 
other published material. In the article, the men address the question 
of whether PKI is really needed for e-commerce. 
   Ellison and Schneier remind us that e-commerce doesn't need PKI 
because e-commerce is already flourishing, with online vendors 
everywhere taking orders that lack a PKI-based certificate. On the 
other hand, Ellison and Schneier suggest that PKI does, in fact, need 
e-commerce to flourish; without it, PKI is a dead market. 
   To support those allegations, the authors discuss ten risks 
associated with PKI. To summarize, Ellison and Schneier point out that 
no mechanism exists to determine who used a given key, and certificate 
common names don't offer an easy way to identify the certificate owner. 
The authors present a long list of items related to how certificate 
information is mishandled during and after key generation and point out 
that when it comes to information security, people generally 
misunderstand the word trust. 
   Ellison and Schneier make some great points when suggesting that PKI 
technology is short-sighted on security and long-sighted on profit 
making. Although the article offers no thoughts about replacements for 
PKI, it did shoot down the entire idea of single sign-on (SSO) 
technology, citing PKI as the culprit behind SSO popularity. Ellison 
and Schneier think that if it weren't for marketing hype and the mad 
rush toward e-commerce, people would realize just how insecure PKI 
technology is. 
   Take some time to read their article 
(http://www.counterpane.com/pki-risks-ft.txt), and let me know what you 
think. I'm also interested in whether your company depends on PKI for 
some amount of security? If so, how do you use it? If not, is it a 
consideration for future e-commerce or SSO projects? Does the article 
by Ellison and Schneier change your opinion? Stop by our home page 
(http://www.ntsecurity.net) and take the latest survey, or send me your 
thoughts by email. I'm anxious to know what you think. Until next time, 
have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* OFFLINE EXPLORER EXPOSES SYSTEM FILES
A user named Wyzewun reported a security risk in MetaProduct's Offline 
Explorer. According to the report, Offline Explorer starts a service on 
port 800 that lets an intruder remotely view a Web user's cache. The 
service is vulnerable to directory traversal bugs, which let remote 
users connect to a system and view files that reside outside of the 
cache directory. The remote user can access files using the long-known 
"GET ..\.." command sequence style. MetaProducts is aware of the issue 
but has not yet responded. 
   http://www.ntsecurity.net/go/load.asp?iD=/security/offexpl1.htm

* NITESERVER FTP SERVER DENIAL OF SERVICE
A user named Wyzewun reported four security problems in the NiteServer 
FTP server software. When the daemon receives 40 or more USER commands, 
the system runs out of memory and crashes. When a password command 
(PASS) is not terminated and the service is continually sent 
characters, the system allocates memory for those characters until it 
runs out of memory. Sending the service a PORT command followed by an 
immediate client disconnect causes the FTP service to stop accepting 
connections. Sending a long parameter with the RNTO command causes the 
server to stop accepting connections. The vendor is aware of the 
problem but has not yet responded.
   http://www.ntsecurity.net/go/load.asp?iD=/security/niteftp1.htm

* WINDOWS IP FRAGMENT REASSEMBLY
BindView's Razor Team discovered that sending large numbers of 
identical, fragmented IP packets to a Windows 2000 or Windows NT 4.0 
host might cause the host to stop responding for the duration of the 
attack due to 100 percent CPU utilization. Microsoft has released a 
patch to correct the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/windows3.htm

* INTERNET EXPLORER FRAME DOMAIN VERIFICATION
Andrew Nosenko reported that Internet Explorer (IE) lets a user 
retrieve another user's files through a bug in cross-frame navigation 
security checks. According to Microsoft's report, when a Web server 
opens a frame within a window under IE, the IE security model should 
let the parent window access the data in the frame only if the two 
windows are in the same domain. However, two functions available in IE 
do not properly perform domain checking, and the parent window can open 
a frame that contains a file on the local computer. This might let a 
malicious Web site operator view files on the computer of a visiting 
user. Microsoft has released a patch to correct the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-17.htm

* INTERNET EXPLORER UNAUTHORIZED COOKIE ACCESS
Marc Slemko reported a problem in Internet Explorer (IE) that might let 
a Web site operator add, read, or change cookies without a user's 
authorization. According to Microsoft's bulletin, the IE security model 
restricts cookies so that only sites within the originator's domain can 
read them. However, by using a specifically malformed URL, a malicious 
Web site operator can access another site's cookies and read, add or 
change them. Microsoft has released a patch to correct this issue.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-18.htm

* INTERNET EXPLORER MALFORMED COMPONENT ATTRIBUTE
The Japanese group UNYUN reported that the code used to invoke ActiveX 
components in Internet Explorer (IE) has an unchecked buffer. Through 
the bug, a Web site operator can cause code to run on a remote user's 
computer without the user's knowledge. The unchecked buffer is exposed 
only when certain attributes are specified in conjunction with each 
other. Microsoft has released a patch to correct the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-19.htm

* UNCHECKED BUFFER IN LOTUS DOMINO 5.0.1
Michal Zalewski discovered that Lotus Domino Server 5.0.1 has an 
unchecked buffer that can let arbitrary code run on the server. During 
an SMTP mail session, the client requires a MAIL FROM command to tell 
the server who the mail is from. By appending 4KB of characters to the 
end of the email address in the MAIL FROM command, a malicious user can 
crash the server. The vendor is aware of the problem but has not yet 
responded. 
   http://www.ntsecurity.net/go/load.asp?iD=/security/domino5-1.htm

* CRASHING NETPROWLER 3.0
A researcher named rain.forest.puppy discovered that by sending two 
fragmented packets to a machine monitored by Axent Technologies' 
NetProwler, an attacker can crash the service. The packets must be sent 
to a machine being monitored by a spoofed source address of the actual 
NetProwler monitoring system. Axent Technologies is aware of this 
matter but has not yet responded. 
   http://www.ntsecurity.net/go/load.asp?iD=/security/netprowler3-1.htm

* BLACKICE BLANK PASSWORD AND CODE EXECUTION
According to a bulletin released by rain.forest.puppy (the discoverer), 
Network ICE's BlackICE product has two security problems. First, the 
software uses a default logon of iceman, with no password. Any user 
with that knowledge can log on to a BlackICE server on port 8081 or 
send it security alerts on port 8082. Second, BlackICE uses the 
Microsoft Jet 3.5 engine to store alerts. As you know, the Jet engine 
is vulnerable to various attacks. The vendor has released a patch for 
these problems.
   http://www.ntsecurity.net/go/load.asp?iD=/security/icecap1.htm

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000/NT 4.0 SECURITY AND CONTROL CONFERENCE AND EXPO
The Windows 2000/NT 4.0 Security and Control Conference and Expo comes 
to Boston, July 11 through 13, 2000, with optional workshops on July 10 
and July 13. Produced by MIS Training Institute and its security 
division, Information Security Institute, and co-sponsored by Windows 
2000 Magazine, this conference is the place to gain the technical 
skills and real-world knowledge you need to successfully implement and 
exploit Microsoft’s newest OS. For more details or to register, call 
508-879-7999, ext. 346, or go to
http://www.misti.com/conference_show.asp?id=NT00US.

* MICROSOFT TECH-ED 2000 WEBCAST
The Microsoft Tech-Ed 2000 WebCast, June 5 through 8, is for developers 
and IT professionals who need the technical content being presented at 
Microsoft Tech-Ed 2000 but can’t attend. You can view a total of 36 
session for only $99.00. There will be a Q&A session with the WebCast 
audience after each of the 18 live sessions, including live Q&A with 
Bill Gates and Bob Muglia after their keynotes. Register today at
http://msdn.microsoft.com/events/tewebcast/default.asp.

4. ========== SECURITY ROUNDUP ==========

* NEWS: NEW LOVE PACKS A WALLOP
As expected, several variations of the Love Letter worm are making 
their way around the Internet. The latest rendition, named New Love, is 
far meaner and trickier than the rest. As with Love Letter, New Love 
spreads by sending itself as a file attachment to all addresses in the 
Outlook address book. The difference is that New Love attaches itself 
to an email using a random filename derived from the victim's list of 
recently opened documents (as seen under Start, Documents), but the 
attachment will always have a .vbs extension. Be sure to read the 
entire story to learn what else New Love can do to a system.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=143&TB=news

* NEWS: THE UPCOMING OUTLOOK SECURITY PATCH: SHOULD YOU LOAD IT? 
Microsoft will release a security patch for Outlook 2000 and Outlook 98 
sometime this week. If you're looking for details about that patch or 
wondering how to protect Outlook 97 mail clients from viral infection, 
be sure to read the advice from Windows 2000 Magazine contributor Sue 
Mosher. In the May 19 edition of her Exchange Messaging Outlook 
newsletter, Mosher covers the finer points of the patch to help you 
decide whether you should load it and whether the patch is enough to 
stop dangerous viruses and worms.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=142&TB=news

~~~~ SPONSOR: NETWORK-1 SECURITY SOLUTIONS--NT/2000 HOST FIREWALLS ~~~~
The #1 rule in network security is, "You can hack what you can’t 
access." CyberwallPLUS is the world’s best packet filtering firewall. 
It provides fine grain access control for all NT/2000 servers and 
desktops. CyberwallPLUS is the only firewall that gives system 
administrators the intrusion detection and prevention needed to secure 
hosts and cost-effectively scale to preserve performance and 
reliability. It stops hackers dead.
Visit http://www.network-1.com/eval/eval6992.htm for a free 
CyberwallPLUS evaluation kit and white paper.

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* IMPROVED INTERNET UPDATE SPEED
Symantec announced significant improvement of its LiveUpdate 
infrastructure to handle the increase in Internet update requests that 
a virus crisis triggers. Symantec will improve the availability and 
speed at which customers can get updates via the Internet by 800 
percent. Symantec will also increase the number of LiveUpdate servers 
to more than 2000, which will provide local access to customers in all 
major markets around the world. For more information, go to the 
Symantec Press Center on the Web site.
   http://www.symantec.com/PressCenter/ 

* INTERNET BANKING SERVICES AND INTERNET 911
Internet Security Systems (ISS) announced the first online banking 
services based on new Online Scanning technology and announced the 
launch of an expanded Emergency Response Service--the 911 of the 
Internet. ISS has also expanded its SAFEsuite software platform and 
launched a strategic e-business insurance alliance with INSUREtrust. 
For more information on these products, visit the ISS Web site.
   http://www.iss.net/company/press_office/pressrel2000.php

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* MAIL ESSENTIALS: ANTI-VIRUS GATEWAY FOR EXCHANGE!
Worried about email attachments with viruses, infected VB-scripts, 
dangerous executables? Quarantine such emails and keep your server 
healthy - with Mail essentials! Mail essentials adds virus scanning, 
content filtering & more to your Exchange server.
http://www.gfi.com/exchmesbug.shtml

* PALM IIIC GIVEAWAY - WINDOWS NT SECURITY SURVEY
WIN A PALM IIIc - NO PURCHASE OR LIST SUBSCRIPTION REQUIRED. The Palm 
IIIc is the first Palm Organizer with a COLOR screen. You could win one 
by completing our five minute computer security survey. 
http://www.tpis.com.au/survey

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: INTERNET AND INTRANET SECURITY MANAGEMENT: RISKS AND 
SOLUTIONS
By Lech Janczewski
Online Price:  $69.95
Softcover; 250 pages
Published by Idea Group Publishing, February 2000
ISBN 1878289713
"Internet and Intranet Security Management: Risks and Solutions" 
addresses information security concerns from the managerial, global 
point of view. To order this book, go to
http://www.fatbrain.com/shop/info/1878289713?from=win2000mag
or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772

* TIP: MAKE MY COMPUTER SHOW CURRENT USERNAME AND MACHINE NAME
(contributed by http://www.windows2000faq.com)

As you know, each Windows desktop has a My Computer icon. Clicking the 
icon opens the My Computer folder, displaying available resources such 
as hard disks, printers, Dialup Networking, scheduled tasks, and mobile 
device connections. Did you know you can change the folder name to 
display the locally logged in user's name? 
   To do so, open Regedt32.exe and navigate to HKEY_CLASSES_ROOT\CLSID\ 
subtree, locate the key named 20D04FE0-3AEA-1069-A2D8-08002B30309D, and 
follow one of the two instruction sets below, depending on whether you 
have Windows 2000 or Windows NT 4.0. 
   For Win2K systems, select and edit LocalizedString. Copy its text 
contents to a safe location such as Notepad. The contents should be 
something similar to "@D:\WINNT\system32\shell32.dll,-9216@1033,My 
Computer" without the quotes. Next, delete the LocalizedString value. 
Create a new value with the same name (LocalizedString) with a type of 
REG_EXPAND_SZ. Paste the saved text into the text field of the newly 
created value, but edit the prefix before saving it. Replace the text 
"My Computer" in the string with "%username% on %computername%" without 
the quotes. For example, a modified string might read 
@D:\WINNT\system32\shell32.dll,-9216@1033,%username% on %computername%.
   For NT 4.0 systems, select the <No Name> item in the right pane and 
delete it. On the Edit menu, click Add Value, and leave the Value Name 
blank. Select a Data Type of REG_EXPAND_SZ and in the string box enter 
"%userName% on %computername%" without the quotes. Now close Regedt32 
and refresh the desktop to see the new display caption.

* ULTIMATE SECURITY TOOLKIT: SECUREPC
SecurePC lets administrators select the rights and privileges that end 
users have on their workstations. You can use the product to configure 
policies that protect Windows NT, Windows 9x, and Windows 3.x 
workstations. Steve Manzuik takes a close look at the tool in his 
current Web exclusive column. Be sure to read the entire review on our 
Web site.
   http://www.ntsecurity.net/go/ultimate.asp

* WRITING SECURE CODE: PARSING POP INPUT
In his current Web exclusive column, David LeBlanc addresses the 
question, "What do you need to know to protect your POP3 server when 
handling user input?" As you'll learn, you need to come up with a 
function that lets you retrieve a line of user input from a socket 
without overflowing the buffers. Be sure to read the entire article on 
our Web site, where you'll find LeBlanc's complete source code 
examples. 
   http://www.ntsecurity.net/go/seccode.asp
 
* WINDOWS 2000 SECURITY: DELEGATING PASSWORD RESET CONTROL
A key example of the power of Windows 2000's Active Directory (AD) is 
its ability to let nonadministrators (e.g., Help Desk staff) reset 
forgotten passwords without granting these users sweeping 
administrative authority. In addition, AD lets administrators monitor 
this sensitive activity. As a security administrator working with 
Win2K, you need to understand how to delegate password reset authority. 
To learn all about this new OS feature, read Randy Franklin Smith's Web 
exclusive column on our Web site.
   http://www.ntsecurity.net/go/win2ksec.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 
2000 Magazine online forums (http://www.win2000mag.com/support). 

May 17, 2000, 12:21 P.M. 
Migrating a BDC to a New Domain 
Does anyone know of a way to migrate a BDC from one domain to another 
without rebuilding the server. One would think with all the corporate 
mergers that there would be a way to facilitate this move? Any advice 
will be helpful. 

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=103550.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following threads are in the spotlight
this week.

Possible New Email Virus Concept and Bypass IE Settings
While looking for a way to bypass the Internet Explorer Security 
setting that disables all downloads, I noticed that IE automatically 
downloads image files (unless you have images disabled) and stores them 
in the Temporary Internet Files folder. I did some testing on how IE 
(IE 5.0, Win98) handles those image files and found that it downloads 
the first few bytes, checks for a valid image file header, and if the 
header is present, it will download the rest of the file. 
http://www.ntsecurity.net/go/w.asp?A2=IND0005c&L=WIN2KSECADVICE&P=88

Follow this link to read all threads for May, Week 3:
   http://www.ntsecurity.net/go/w.asp?A1=ind0005c&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week.

Biometrics Security
I have noticed that Compaq has released its own biometric hardware, and 
it's cheap ($99 dollars per unit) for a small number of clients. I have 
a couple of questions on biometric security. Is it better than regular 
text-based passwords? Would it remove the threat of L0phtCrack? 
http://www.ntsecurity.net/go/L.asp?A2=IND0005d&L=HOWTO&P=79

Follow this link to read all threads for May, Week 3:
   http://www.ntsecurity.net/go/l.asp?A1=ind0005c&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT 
topics of your choice, including Win2K Pro, Exchange Server, thin-
client, training and certification, SQL Server, IIS administration, 
XML, application service providers, and more. Subscribe to our other 
FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up00inxwnf.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-


SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE@list.win2000mag.net.

UNSUBSCRIBE
To unsubscribe, send an email to U-A3.15.87030@list.win2000mag.net. Or
click http://go.win2000mag.net:80/UM/U.ASP?A3.15.87030 and you will be
removed from the list. Thank you!

If you have questions or problems with your UPDATE subscription, please
contact 
securityupdate@win2000mag.com. 
___________________________________________________________
Copyright 2000, Windows 2000 Magazine