**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

Trend Micro
http://antivirus.com/SecureValentine1.htm

Network-1 Security Solutions – Embedded NT Firewalls
http://www.network-1.com/eval/eval6992.htm
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

February 16, 2000 - In this issue:

1. IN FOCUS
   - Something Old, Something New: DNS Hijacking

2. SECURITY RISKS
   - Timbuktu Pro Denial of Service
   - SNMP Trap Watcher Denial of Service
   - Internet Anywhere Denial of Service
   - Firewall-1 Allows Unauthorized TCP Connections
   - MySQL Allows Password Bypass
   - Novell GroupWise Denial of Service

3. ANNOUNCEMENTS
   - Security Poll: What Will the Recent DDoS Attacks Lead to?
   - Windows 2000 Magazine Presents the Windows 2000 Experience
   - Technical Pursuit 2000

4. SECURITY ROUNDUP
   - News: RSA Security Site Ransacked
   - News: Microsoft Outlines New Windows 2000 Security Strategy
   - News: Why Deny Read Access To Executable Content?
   - Feature: Avoiding Database Security Problems

5. NEW AND IMPROVED
   - Protection Against Internet Attack Tools
   - Cluster Firewall Assures Monitoring and Restart
   - VPN Suite Provides Secure Access to Remote Users

6. HOT RELEASE (ADVERTISEMENT)
   - VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
   - Book Highlight: Creating and Implementing Virtual Private Networks Gold Book
   - Tip: Protect Your InterNIC DNS Records
   - Review: InspectorScan 5.0
   - Feature: Avoiding Database Security Problems

8. HOT THREADS
   - Windows 2000 Magazine Online Forums:
     * Help with Mapping Drives
   - Win2KSecAdvice Mailing List:
     * WebSpeed Security Issue
     * More SQL Hacking with IIS 4 Through Access Driver
   - HowTo Mailing List:
     * NT 4 and DSL Security Question
     * System Policies

~~~~ SPONSOR: TREND MICRO ~~~~
Your network can be "broken" much like your heart. So no matter how things went for you on Valentine's Day, you can strike up an ideal match for your network with the Trend InterScan product family. PROTECT THE HEART of your network with Trend's wide range of ANTIVIRUS solutions. Trend is a leader in antivirus technologies -- offering protection and security for the Internet gateway, Notes and Exchange email servers, the desktop, and everywhere in between -- that builds a protective, virtual VirusWall around the information pulse of your network.
http://antivirus.com/SecureValentine1.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Every day, intruders break into and deface Web sites. The methods these crackers use are incredibly numerous. In most cases, someone failed to establish adequate security controls, and an intruder was able to penetrate the network. That assumption might seem obvious, but malicious users can use methods to subvert a normally functioning system without actually penetrating that system's security.

One recent example is RSA Security. Intruders allegedly defaced the company's Web site this past weekend. After reading the initial news reports regarding the defacement, I was slightly startled.
After all, RSA Security is a big name in the security industry and should be able to keep its networks reasonably secure. I wondered whether the report was true. Did someone really deface the RSA Security Web site? As it turns out, the answer is yes and no.

To me, a Web site defacement means someone broke into a network, gained access to relevant file systems, and modified the HTML for the site's home page. The alleged defacement of RSA Security's Web site did not follow that scenario. No one broke into RSA Security's network, no one penetrated its security, and no one modified any of its Web server files. No one actually cracked RSA Security's site at all.

If no one defaced the site, what did happen? The answer is very old and very simple: DNS hijacking. At least two forms of DNS hijacking can occur on the Internet. One hijack attack involves spoofing DNS records, and the other method involves taking over InterNIC database records. From the information available at the time of this writing, it appears that intruders used the former method to spoof, not deface, RSA Security's Web site. I use the word spoof because that's exactly how the attack works: Someone creates a fake Web page and then redirects traffic to that fake page by manipulating various DNS records. When unsuspecting users see the spoofed Web page, they assume an intruder cracked the real Web site. In reality, the site was not cracked at all.

In the case of RSA Security's Web site hijack, someone diverted traffic to a fake Web page after gaining access to an upstream DNS server out of RSA Security's direct control. The intruder accessed the DNS server and temporarily modified its DNS records so those queries destined for RSA Security's Web site would divert to the fake RSA Security Web site. It's that simple. People thought they had landed on the real RSA Security site when, in fact, they simply landed on a spoofed site at another IP address.
If you understand basic DNS architecture, you can understand how this attack could happen to any domain on the Internet. DNS record spoofing is a trivial way to spoof a real Web site crack. And to make matters worse for the hijacked site, the hijacking misleads people into thinking intruders cracked the Web site at Company A, when intruders actually cracked the DNS server at Company B. Company B usually goes unmentioned in the flurry of press reports regarding the attack. If I knew who Company B was in the RSA Security case, I'd report that information to you, but I’ve been unable to obtain that company's name.

The problem with these types of hijacking attacks is that in most cases, administrators control only their DNS records. You can’t defend against this type of Web site attack because you have little, if any, control over upstream DNS records. All you can do is monitor your site using third-party Web page integrity-checker tools and take action the instant you suspect a traffic diversion.

Defending against the second DNS hijack type is easy because of the attack’s nature. In a nutshell, a malicious user can perform this type of DNS hijack by creating fake mail accounts, spoofing valid mail accounts, and flooding the inbox of the technical and administrative contacts listed for a given domain. This attack is successful only if you don't use authentication for your InterNIC records, or if you disregard the flood of email you receive from an intruder that uses this method of attack. In most cases, the flood of email looks like a slew of InterNIC confirmation messages. The attack relies on the hope that less-experienced administrators will mistake these messages for some kind of mail error and simply delete them all instead of examining each one. To protect your system against this second type of domain hijack, modify your InterNIC domain records so that they require some level of authentication before anyone can make changes.
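The monitoring described above, as an added example that is not part of the newsletter or of any tool it names: a Python sketch that compares the A records several resolvers return for your host against a known-good list (a rogue address is the signature of upstream-record tampering) and checks the page served via each answer against a content baseline. The host name, addresses and page bodies are constructed sample data; nothing here touches the network.

```python
"""DNS-hijack monitor sketch (added example, constructed data only)."""
import hashlib
from dataclasses import dataclass

# Constructed baseline: the addresses the site legitimately lives on
# (RFC 5737 documentation ranges, not real hosts).
KNOWN_GOOD = {"www.example.com": frozenset({"192.0.2.10", "192.0.2.11"})}


@dataclass(frozen=True)
class Finding:
    resolver: str   # which resolver produced the suspicious result ("*" = all)
    kind: str       # "rogue-address", "resolver-disagreement", "content-mismatch"
    detail: str


def check_resolution(host, answers_by_resolver, known_good=KNOWN_GOOD):
    """answers_by_resolver maps a resolver label to the set of A records it
    returned for `host`.  An address outside the known-good list is reported
    per resolver; resolvers that merely disagree with each other (all answers
    still known-good) are reported once, since that can be ordinary
    propagation lag after a legitimate address change."""
    good = known_good.get(host, frozenset())
    findings = []
    for resolver, ips in answers_by_resolver.items():
        rogue = set(ips) - good
        if rogue:
            findings.append(Finding(resolver, "rogue-address", ",".join(sorted(rogue))))
    distinct = {frozenset(ips) for ips in answers_by_resolver.values()}
    if len(distinct) > 1 and not findings:
        findings.append(Finding("*", "resolver-disagreement",
                                f"{len(distinct)} different answer sets"))
    return findings


def fingerprint(body: bytes) -> str:
    """SHA-256 of a page body; take the baseline from a fetch you trust."""
    return hashlib.sha256(body).hexdigest()


def check_content(bodies_by_resolver, baseline_hash):
    """bodies_by_resolver maps a resolver label to the page body fetched from
    the address that resolver returned.  A differing hash means visitors who
    use that resolver are seeing a different page than the one you publish."""
    return [Finding(resolver, "content-mismatch", fingerprint(body)[:16])
            for resolver, body in bodies_by_resolver.items()
            if fingerprint(body) != baseline_hash]


def monitor(host, answers_by_resolver, bodies_by_resolver, baseline_hash):
    """Run both checks and return (verdict, findings)."""
    findings = (check_resolution(host, answers_by_resolver)
                + check_content(bodies_by_resolver, baseline_hash))
    serious = {"rogue-address", "content-mismatch"}
    if any(f.kind in serious for f in findings):
        verdict = "hijack-suspected"
    elif findings:
        verdict = "propagation-lag"
    else:
        verdict = "ok"
    return verdict, findings


# Constructed sample: the authoritative server and a public resolver are fine,
# while one ISP resolver has been fed a forged record pointing at a look-alike.
GENUINE = b"<html><title>Example</title>The most trusted name in e-commerce security</html>"
FORGED = GENUINE.replace(b"security", b"security has been owned")
BASELINE = fingerprint(GENUINE)
SAMPLE_ANSWERS = {
    "authoritative": {"192.0.2.10"},
    "public-resolver": {"192.0.2.10", "192.0.2.11"},
    "isp-resolver": {"203.0.113.66"},
}
SAMPLE_BODIES = {"authoritative": GENUINE, "public-resolver": GENUINE,
                 "isp-resolver": FORGED}

if __name__ == "__main__":
    verdict, findings = monitor("www.example.com", SAMPLE_ANSWERS, SAMPLE_BODIES, BASELINE)
    print(verdict)
    for f in findings:
        print(f"  {f.resolver}: {f.kind} ({f.detail})")
```

In practice you would feed `check_resolution` with answers from your own authoritative server plus several recursive resolvers your users actually sit behind, and schedule the run so the alert fires within minutes of a diversion.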
To learn how to add an authentication requirement to your InterNIC records, review the tip in the Security Toolkit section of this newsletter.

Until next time, have a great week!

Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* TIMBUKTU PRO DENIAL OF SERVICE
Laurent Levier discovered a denial of service (DoS) condition in Netopia's Timbuktu Pro software. By performing a specific series of connections and disconnections, an intruder can cause the authentication protocol to misbehave, thereby causing the software to hang. Netopia is aware of the problem and is working on a fix.
http://www.ntsecurity.net/go/load.asp?iD=/security/timbuk1.htm

* SNMP TRAP WATCHER DENIAL OF SERVICE
Paul Timmons reported that by sending a trap string of more than 306 characters to the SNMP Trap Watcher 1.16 monitoring system, an intruder can crash the software. BTT Software has released an updated version of the software that is not vulnerable to this attack.
http://www.ntsecurity.net/go/load.asp?iD=/security/trap1.htm

* INTERNET ANYWHERE DENIAL OF SERVICE
Nubuo Miwa reported two problems with True North Software's Internet Anywhere 3.1.3 mail server. By sending a specific string of characters as the parameter of the RETR POP3 command, an intruder can crash the server. In addition, if an intruder opens 3000 or more connections on the SMTP port, the server will respond with an error reporting too many connects. By establishing a second large set of connections (800 or more) immediately after the first 3000 connections, the intruder can crash the service. True North is working on a fix as of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/ia1.htm

* FIREWALL-1 ALLOWS UNAUTHORIZED TCP CONNECTIONS
John McDonald and Thomas Lopatic reported a problem with Checkpoint Technologies' Firewall-1 software.
According to the report, using particular techniques, an intruder can trick the firewall into opening TCP ports to an FTP server behind the firewall. Checkpoint is working on a fix for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/fw1-1.htm

* MYSQL ALLOWS PASSWORD BYPASS
Robert van der Meulen/Emphyrio and Willem Pinckaers discovered a vulnerability in MySQL Server that lets a remote user bypass password checking. The problem is the result of faulty string checking. You can download a patch at the following URL.
http://www.ntsecurity.net/go/load.asp?iD=/security/mysql1.htm

* NOVELL GROUPWISE DENIAL OF SERVICE
Adam Gray discovered that by sending a specific URL to the Web Access interface of a Novell GroupWise 5.5 server, a malicious user can crash the server. Novell is aware of the problem and has issued a patch. GroupWise users should install Service Pack 1 (SP1) for the GroupWise Enhancement Pack, which is available from Novell's technical support.
http://www.ntsecurity.net/go/load.asp?iD=/security/grpwse1.htm
http://support.novell.com/additional/

3. ========== ANNOUNCEMENTS ==========

* SECURITY POLL: WHAT WILL THE RECENT DDOS ATTACKS LEAD TO?
The recent distributed denial of service (DDoS) attacks have a lasting effect on the Internet community. What will that effect be in the long run? We've posted a new poll that asks the question, "What will the recent DDoS attacks lead to?" Stop by our home page and submit your answer today.
http://www.ntsecurity.net

* WINDOWS 2000 MAGAZINE PRESENTS THE WINDOWS 2000 EXPERIENCE
Before making any decision concerning Windows 2000 (Win2K), get the facts from a trusted source. The Windows 2000 Experience Web site brings to you the how-to knowledge, resources, and product information you need to evaluate and deploy Win2K. Everything you expect in a deep, high-quality site: news, in-depth articles, forums, product offerings--all focused squarely on Win2K.
Visit the Web site at http://www.windows2000experience.com.

* TECHNICAL PURSUIT 2000
Windows 2000 Magazine's "Technical Pursuit 2000" is your chance to show up the experts and win cool prizes! Match wits with Windows 2000 (Win2K) mavens Mark Smith, Sean Daily, and Kathy Ivens at the Windows 2000 Conference and Expo in San Francisco from February 15 to 17, 2000. "Technical Pursuit 2000" will be held at 11:00 A.M. and 2:00 P.M. on February 15 and 16, and at noon on February 17. To enter, drop by the Windows 2000 Magazine booth (#1315) at the Expo and pick up your free raffle ticket. A drawing will be held 10 minutes before each game to select a contestant. Contestants will try to answer five Win2K-related questions to win up to $250 in cash. On the final day of the Expo, we're giving away $500 for five correct answers! We'll also be giving away free prizes every hour during the entire conference, so you have plenty of chances to win.

4. ========== SECURITY ROUNDUP ==========

* NEWS: RSA SECURITY SITE RANSACKED
Even top security firms occasionally fall prey to network intruders. A recent case is RSA Security, whose Web site was hijacked on Saturday. Intruders didn't change the home page, but instead diverted traffic to a spoofed lookalike site. The giveaway that the site was spoofed was the suffix added to the company's slogan: "The most trusted name in E-commerce security has been owned." Intruders routinely use the term "owned" to mean that they’ve broken into a site and might have left backdoors. For a link to a copy of the spoofed RSA Security home page, visit the URL below.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=209&TB=news

* NEWS: MICROSOFT OUTLINES NEW WINDOWS 2000 SECURITY STRATEGY
On January 18, Brian Valentine, Microsoft’s senior vice president in charge of Windows 2000 (Win2K) and Windows 98, outlined Microsoft’s new Win2K security strategy in an address at the RSA 2000 security conference.
Valentine announced that Win2K will ship worldwide with 128-bit encryption. He explained that Microsoft sees Win2K as a chance to respond to the security crisis that the rise of the Internet has created. Read the rest of C. Thi Nguyen's Web exclusive story for Windows 2000 Magazine on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=212&TB=news

* NEWS: WHY DENY READ ACCESS TO EXECUTABLE CONTENT?
Reader Jerry Walsh recently posted some interesting comments to the Win2KSecAdvice mailing list. Walsh points out the need to secure Web directories against unwanted actions. Case in point: ASP processing. Many developers code their programs in pieces and place those pieces in separate files for later inclusion in applications. This approach is a fantastic way to make code portable and to avoid rewriting the same code for future applications. A programmer only needs to code an include statement to use the portable code base. The concern is not the code or its processing, but how the server stores the code. Read the rest of this Web exclusive for NTSecurity.net on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=210&TB=news

~~~~ SPONSOR: NETWORK-1 SECURITY SOLUTIONS – EMBEDDED NT FIREWALLS ~~~~
Don’t let your network become a target of denial of service attacks. Defend it with CyberwallPLUS - the first embedded firewall designed specifically to protect NT servers. It is the only firewall that gives system administrators the network access control and intrusion prevention needed to secure valuable servers and cost-effectively scale to preserve performance and reliability. CyberwallPLUS gives NT a whole new meaning – No Trespassing. Visit http://www.network-1.com/eval/eval6992.htm for a free CyberwallPLUS evaluation kit and white paper.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* PROTECTION AGAINST INTERNET ATTACK TOOLS
In response to the recent spate of hacker attacks on major Web sites, Computer Associates (CA) announced the immediate availability of updates to the company's eTrust Intrusion Detection and eTrust Anti-Virus solutions. These updates provide detection for tools that hackers use against major e-businesses. Hackers have used distributed attacks against e-businesses using Denial of Service (DoS) tools such as Tribal Flood Network 2K (TFN2K). eTrust Anti-Virus and eTrust Intrusion Detection defend against viruses and other forms of malicious mobile code such as TFN2K. eTrust Intrusion Detection also detects intrusion and attempts to gain malicious access to systems through techniques such as buffer overflow. CA is offering free downloads of antivirus software at http://antivirus.cai.com. CA is also offering free trial downloads of the eTrust Intrusion Detection solution at http://www.cai.com/solutions/enterprise/etrust/. For more information, contact Computer Associates, 1-631-342-2542.
http://www.cai.com

* CLUSTER FIREWALL ASSURES MONITORING AND RESTART
Legato Systems announced Legato Cluster Firewall, components of which the company codeveloped with Network Associates to provide continuous availability of its Gauntlet firewall. Legato Cluster Firewall provides a streamlined clustering solution for up to four Solaris servers running Network Associates' Gauntlet firewall solution. Legato's product keeps the firewall available by monitoring and restarting Gauntlet services and replicates the Gauntlet firewall's log file data for faster recovery. You can upgrade Legato Cluster Firewall to support additional servers. Legato Cluster Firewall is the first heterogeneous cluster solution supporting both UNIX and Windows NT. Legato Cluster Firewall is priced at $5000 per server.
For information about a special discount available through the end of March 2000, contact Legato Systems, 650-812-6000.
http://www.legato.com

* VPN SUITE PROVIDES SECURE ACCESS TO REMOTE USERS
InfoExpress announced FireWalker VPN Suite, a software suite that helps organizations provide secure remote access to their user community. FireWalker VPN Suite enables organizations to share corporate resources with employees, partners, and customers, without requiring users to adjust network, computer, or application settings. FireWalker VPN Suite consists of InfoExpress' multimode remote access VPN client and a personal firewall to protect the growing number of home users exposed to high-risk DSL and cable connections and laptop PCs accessing the corporate network over dial-up connections or on the LAN. Remote PC components for FireWalker VPN Suite are available for Windows NT and Windows 9x, and support for Windows 2000 (Win2K) will be available in the first quarter of 2000. Pricing for FireWalker VPN Suite starts at $129 per seat. For more information, contact InfoExpress, 650-947-7880.
http://www.infoexpress.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* VERISIGN - THE INTERNET TRUST COMPANY
Building an intranet or extranet? Protecting your company's confidential data is critical when designing new Web applications. Get VeriSign's Guide "Securing Intranet and Extranet Servers" at:
http://www.verisign.com/cgi-bin/go.cgi?a=n033305190150000

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: CREATING AND IMPLEMENTING VIRTUAL PRIVATE NETWORKS GOLD BOOK
By Casey Wilson and Peter Doak
Online Price: $31.95
Softcover; 558 pages
Published by Coriolis Group Books, November 1999

Creating and Implementing Virtual Private Networks Gold Book teaches the theory, implementation, guidelines, and security aspects of VPNs.
This book divulges the details behind encryption tools, government restrictions, firewall architectures, client/server technology, security tools, cryptography, and much more.

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WIN2000MAG in the referral field on the Shopping Basket Checkout page. To order this book, go to
http://www.fatbrain.com/shop/info/1576104303?from=SUT864.

* TIP: PROTECT YOUR INTERNIC DNS RECORDS
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
Most people know that you can register a domain name by sending a form to a domain name registrar such as Network Solutions. As you also know, Network Solutions operates the InterNIC, which maintains the root DNS server entries for several top-level domains such as the ever-popular .com addresses. But did you know you can secure your domain's InterNIC database records so that the system authenticates changes before InterNIC acts on them?

To add authentication to your InterNIC database records, fill out a domain name change request form, which is available at the first URL listed below. Pay attention to fields 0b and 0c because they're the fields that enable authentication. You can select one of three authentication schemes currently supported by Network Solutions: Pretty Good Privacy (PGP), CRYPT-PW, or MAIL-FROM, in descending order of security strength. The Web page located at the second URL below explains these options in detail. Be sure to review the details carefully before you add authentication to your InterNIC records. Although no security system is 100 percent secure, I highly recommend that you use PGP as your authentication system for your InterNIC domain records. PGP authentication will drastically reduce the chances of an intruder hijacking your domain records.
http://www.networksolutions.com/makechanges
http://www.networksolutions.com/help/guardian.html

* REVIEW: INSPECTORSCAN 5.0
When we kicked off the Ultimate Security Toolkit a few weeks ago, Steve Manziuk began with a review of eEye's security scanner product, Retina 1.7. This week, Steve looks under the hood of another Windows NT-based scanner, Shavlik Technologies' InspectorScan 5.0. InspectorScan helps systems administrators and security professionals quickly determine the system-level policy settings on multiple NT hosts. InspectorScan can scan either your entire domain or individual machines referenced by their NetBIOS names.
http://www.ntsecurity.net/go/ultimate.asp

* FEATURE: AVOIDING DATABASE SECURITY PROBLEMS
Imagine that you must guard the Hope Diamond. You wouldn't place the diamond in the world’s most impregnable safe, then leave the lock’s combination on a yellow sticky note on the safe’s door, would you? That's essentially what happens when you become obsessed with one part of the e-commerce security puzzle, but ignore the security of key ingredients such as the database. Read the rest of Brian Moran's Web exclusive for Windows 2000 Magazine on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=150&TB=f

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

February 07, 2000, 06:22 A.M.
Help with Mapping Drives
I am having a problem with our network. I work for a company that uses mostly UNIX, and we have an NT 4.0 machine we use for logins and to store files. We are looking at giving every PC a mapped H drive. The only problem is we can only map it to the /users dir. So when anyone goes to their H drive, they see everyone's dir. They don't have access to them, but it makes it harder (or more confusing) for them to find their folder.
I know that I can make each person's folder a share that only they have access to, but I was wondering if you can hide the folders that someone does not have access to. Keep in mind our network has Windows 9x for clients. Thanks for your help in advance.

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=89595.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. WebSpeed Security Issue
http://www.ntsecurity.net/go/w.asp?A2=IND0002B&L=WIN2KSECADVICE&P=373

2. More SQL Hacking with IIS 4 Through Access Driver
http://www.ntsecurity.net/go/w.asp?A2=IND0002B&L=WIN2KSECADVICE&P=93

Follow this link to read all threads for Feb. Week 3:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week:

1. NT 4 and DSL Security Question
http://www.ntsecurity.net/go/L.asp?A2=IND0002C&L=HOWTO&P=390

2. System Policies
http://www.ntsecurity.net/go/L.asp?A2=IND0002C&L=HOWTO&P=299

Follow this link to read all threads for Feb. Week 3:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved – Judy Drennen (products@win2000mag.com)
Copy Editor – Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.
To subscribe, go to http://www.win2000mag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.win2000mag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Exchange Server UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
IIS Administrator UPDATE
XML UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 2000, Windows 2000 Magazine

Security UPDATE is powered by LISTSERV software.
http://www.lsoft.com/LISTSERV-powered.html