**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

UltraBac.com
http://www.ultrabac.com/counter/winnt0100a.htm

AXENT’s VPN Webcast -- Win a Palm Vx!
http://www.axent.com/redirect/w2kupdate
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
January 26, 2000 - In this issue:

1. IN FOCUS
   - 2001: An Encryption Odyssey?
   - Follow up: Who's Watching Who?

2. SECURITY RISKS
   - RDISK Race Condition
   - InetSrv 3.0 Buffer Overflow

3. ANNOUNCEMENTS
   - Technology Week--Microsoft's Professional Trainer Conference
   - You Could Be a Winner!

4. SECURITY ROUNDUP
   - News: Internet Security with Windows NT

5. NEW AND IMPROVED
   - Email Encryption Plugin
   - Change-Detection Software

6. HOT RELEASE
   - Toshiba Copier and Fax: the 21st Century's Technological Leader

7. SECURITY TOOLKIT
   - Book Highlight: Securing Computer Networks: Analysis, Design, and Implementation
   - Tip: What's Listening on Which Port?

8. HOT THREADS
   - Windows NT Magazine Online Forums:
       * Access to the Internet
   - Win2KSecAdvice Mailing List:
       * RFPoison Is Not a Trojan
   - HowTo Mailing List:
       * RE: NT IIS Parent Path Question (answer)

~~~~ SPONSOR: ULTRABAC.COM ~~~~
Y2K Leap Year Upgrade: Convert up to FIVE backup & recovery licenses from either ArcServe or Backup Exec to UltraBac version 5.5 and receive 50% off!! (Offer good through February 29th. Limit 5 licenses per customer -- this is an exclusive offer to Update Email Newsletter readers only). For more information, call UltraBac.com today at (425) 644-6000 or visit our website at:
http://www.ultrabac.com/counter/winnt0100a.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE?
Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Windows 2000 (Win2K) is ready to go. The new OS, which Microsoft released to manufacturing (RTM) in December, will soon be in the hands of early adopters across the globe and will undoubtedly be the center of attention for some time. The only other event in 2000 that will have as much of an effect on computing is the simple expiration of a patent.

In September of this year, the patent on RSA encryption technology expires. Developers Rivest, Shamir, and Adleman created RSA in the 70s, and the technology has become one of the most widely used algorithms on the planet. You'll find RSA technology in such popular products as Pretty Good Privacy (PGP).

Why will the patent expiration have such a big effect on computing? Money. In the past, developers paid hefty license fees to use RSA technology. When the RSA patent expires this September, developers will have free and unrestricted access to RSA encryption. No more hefty license fees and strict licensing guidelines. In a nutshell, the patent expiration means that we'll see new products that use strong encryption, and we'll see current products that now use lesser encryption technology begin to use the stronger RSA technology. You'll enjoy stronger VPNs, safer mail clients, more secure disk drives, and more.

The September patent expiration leaves 3 months before the end of the year for developers to use the newly available technology. Because of the timing, little will happen regarding new RSA developments in 2000. Instead, I think we'll see most of the new activity in encryption occurring in 2001.
By the summer of 2001, not only will RSA technology be available for free, but other encryption technologies will also have come to fruition--namely CIPHERUNICORN and the Advanced Encryption Standard (AES). Where today the cornerstone of network security seems to be sophisticated session authentication and various forms of obscurity, tomorrow the cornerstone will be super strong encryption. The future is clear and the future is encryption galore.

Follow up: Who's Watching Who?

In my editorial last week, I talked about the danger of conducting purchases online using credit cards. Several readers wrote to rebut my stance or to inform me of protection systems that credit card companies use specifically for making online purchases. For example, according to one reader, some companies now offer special credit cards designed specifically to protect the holder from Internet-based fraud by minimizing a buyer's liability.

Of those readers who disagreed with my stance, most accused me of practicing and spreading unwarranted paranoia. Readers sent me numerous everyday examples that compare online buying to other forms of credit card purchases, such as buying a meal at a restaurant or paying for new sneakers at a local shoe store. The assertion was that these types of retail credit card purchases are no different than online purchases because we must still hand over our card number to a stranger. For the most part, I agree, but differences do exist that make buying online more of a risk.

The differences between buying online and buying in your neighborhood are distinct, and they all boil down to trust--either we trust a vendor or we don't. When you physically visit a store, you get a first-hand view of that establishment and its personnel. You develop an overall impression of the business and its employees, with whom you must trust your credit card information. With the Internet, you lose that advantage.
You can't inspect a business on the Internet, so the vendor-customer experience is limited to flashy graphics and extensive catalogs. If you’re lucky, you might be able to talk to someone at the company on the phone. The bottom line is that anybody with a computer and HTML editor can put an alleged business online, complete with credit card acceptance, so the risk of placing trust in online merchants is higher than when making a physical purchase.

Even if the online vendor is reputable, how do we know the vendor is handling our information securely? To trust a business and its employees is one thing, but to trust its computer network is entirely different. When we buy at a physical business location, that business probably does not enter our credit card information into computer systems that connect to open public networks such as the Internet. But when you buy online, that's not the case. You voluntarily deliver your credit card information over a publicly available network to a publicly available computer system. So the question quickly becomes, "Is that system secure?"

The point of my editorial last week was to raise the question of who is watching all these allegedly secure online merchants to ensure they are, in fact, secure? By what standard do we weigh the claim of secure e-commerce? The answer is that, to date, no standard gauge is in widespread use, so the risk of buying online remains high. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* RDISK RACE CONDITION
Arne Vidstrom reported a race condition with Windows NT's RDISK utility where a user might be able to obtain sensitive system information during a specific period of time during the program's use. The problem occurs because of loose permission settings on a file that RDISK creates.
When RDISK is running, a user can view the contents of a temporary file that contains an enumerated copy of the system Registry. Microsoft has released a patch for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/rdisk1.htm
http://www.microsoft.com/downloads/release.asp?ReleaseID=17384

* INETSRV 3.0 BUFFER OVERFLOW
Greg Hoagland discovered a serious buffer overflow condition within InetSrv 3.0 (a Windows NT-based proxy server) that can lead to the execution of arbitrary code on the server. The problem results from an unchecked buffer in the GET command routine. For complete details on the problem, including source code that demonstrates how an intruder can overflow the buffer, please visit the URL below.
http://www.ntsecurity.net/go/load.asp?iD=/security/inetsrv1.htm

3. ========== ANNOUNCEMENTS ==========

* TECHNOLOGY WEEK--MICROSOFT'S PROFESSIONAL TRAINER CONFERENCE
If you're a professional trainer on Microsoft products, this event is for you! Technology Week, which will take place February 6 to 11 in New Orleans, is an exclusive opportunity to get the training you need directly from Microsoft courseware teams. Microsoft designed the sessions to develop your technical knowledge and enhance your training skills. Session topics include Windows 2000 Administration and Support, Windows 2000 Infrastructure Design, Exchange 2000 Server, SQL Server, Knowledge Management/Collaboration, BackOffice Server Integration, MSDN Training, and instructional skills. Technology Week provides optimum learning with minimum downtime in your career. Attendance is limited--register today!
http://www.microsoft.com/mct/techweek

* YOU COULD BE A WINNER!
Win a PalmPilot or one of several Amazon.com gift certificates. Hurry! Click below and do it now! Your chance won’t last forever!
http://www.zoomerang.com/recipient/survey-intro.zgi?ID=83QQGW03EDJC

4.
========== SECURITY ROUNDUP ==========

* NEWS: INTERNET SECURITY WITH WINDOWS NT
As you recall, 2 weeks ago we placed our book, Internet Security with Windows NT, on the Web for free. The response has been phenomenal, and we're happy that you find the free offering beneficial. Several readers wrote to inform us of various problems with the HTML of the online book, citing issues ranging from broken image links to unviewable pages under certain versions of Netscape Communicator. We've now corrected the HTML formatting errors, so if you had trouble reading the book online, please come back and check it out.

In addition, several readers wrote to ask whether we have plans to offer an Adobe Portable Document Format (PDF) version or a zipped file that contains all the HTML pages in one downloadable archive. The answer is no to both questions; you can only read the book on the Web. If you want to view the pages offline or print the pages, you must handle that task page by page. However, in lieu of printing the book yourself, you can still purchase a professionally printed and bound version of the book from 29th Street Press for about $20--and that's one heck of a bargain.
http://www.ntsecurity.net/go/load.asp?id=/book/toc.asp

~~~~ SPONSOR: AXENT’S VPN WEBCAST -- WIN A PALM VX! ~~~~
"Everything You Need to Know About VPNs." Learn how to: Implement VPNs for site-to-site, extranets, and remote access; See the differences between firewall, hardware, software, and router VPNs; Overcome interoperability, security, and IPSec concerns; Reduce costs and increase bandwidth & uptime. Register today: http://www.axent.com/redirect/w2kupdate. AXENT is the leading provider of e-security solutions for your business, delivering integrated products and expert services to 45 of the Fortune 50.

5.
========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* EMAIL ENCRYPTION PLUGIN
PC Guardian announced Encryption Plus (EP) for Email, an encryption plugin that lets you quickly enable and disable the encryption of outgoing messages. Encrypting is done in one step by selecting Encrypt to protect your confidential email messages. You can securely send encrypted email messages to non-EP for Email users--they don’t need special software to decrypt and read your executable files. All these users need is the password that you share with them. EP for Email also provides security using the Blowfish algorithm, a 192-bit block cipher.

EP for Email runs on Windows NT and Windows 9x systems that support Microsoft Outlook 97 and 98. Pricing starts at $29.95 for a single-user license and $69.95 for a multiple-user license. Contact PC Guardian, 800-288-8126.
http://www.pcguardian.com

* CHANGE-DETECTION SOFTWARE
Pedestal Software announced Intact Directory Services, change-detection software for directory servers. The software uses the Lightweight Directory Access Protocol (LDAP) to access a variety of directory servers including Microsoft’s Active Directory (AD), Novell Directory Services (NDS), and Netscape’s iPlanet Directory Server. The software monitors the health of crucial enterprise directories, identifies unauthorized tampering, and recovers from intrusions.

In e-commerce, directory servers usually store digital certificates, access control information, and customer profiles. In the enterprise, directory servers store network maps, user information, and authentication data. Intact Directory Services can pinpoint potential problems in these areas before they affect business operations. The software’s central administration console, configuration wizards, and remote operation features can help you simplify deployment in a distributed client-server environment.
Intact Directory Services runs on Windows 2000 (Win2K) and Windows NT systems. Pricing starts at $795 per system. Volume discounts and site licenses are available. Contact Pedestal Software, 508-520-8960.
http://www.pedestalsoftware.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* TOSHIBA COPIER AND FAX: THE 21ST CENTURY'S TECHNOLOGICAL LEADER
Visit http://static.admaximize.com/redirect/0034/002266d/0002/ESV/A08/01/ to check out Toshiba's multifunctional and networking product line. No matter what your business needs: Demand more, Demand Toshiba.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: SECURING COMPUTER NETWORKS: ANALYSIS, DESIGN, AND IMPLEMENTATION
By Eric A. Fisch and Udo W. Pooch
Online Price: $55.95
Hardcover; 356 pages
Published by CRC Press, June 1999

This updated guide presents expert information on analyzing, designing, and implementing all aspects of computer network security. Based on the authors' earlier work, "Computer System and Network Security," this new book addresses important concerns regarding network security. It contains new chapters on Web security issues, secure e-commerce, incident response, and two new appendices on Pretty Good Privacy (PGP) and UNIX security fundamentals.

For Windows NT Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WINNTMAG in the referral field on the Shopping Basket Checkout page. To order this book, go to
http://www.fatbrain.com/shop/info/0849318688?from=SUT864.

* TIP: WHAT'S LISTENING ON WHICH PORT?
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

Many of you are familiar with the netstat -a command and know that it will enumerate all listening ports on a given Windows NT machine. But how do you find out what program is actually using which port? No clear way exists to accomplish that with built-in Windows tools; however, a third-party application called Inzider can determine which program is listening on which port.
Inzider is useful for general system troubleshooting and can be handy when attempting to analyze a system for suspected Trojans. For example, someone might have inserted the administrative tool BackOrifice 2000 on a system as a Trojan hidden under another process name. If that were the case, Inzider could detect that situation and inform you accordingly.

Give Inzider a try. It's a slick little tool that you should consider adding to your security toolkit. You can download a copy from the URL listed below.
http://ntsecurity.nu/toolbox/inzider/

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows NT Magazine online forums (http://www.winntmag.com/support).

January 24, 2000, 12:58 P.M.
Access to the Internet
I have been instructed that certain people in our company are NOT to have Internet access, but need Internet email. In order to disable Internet access I could remove DNS. But then I wouldn’t be able to get to my POP server for email. What is the easiest way to do this? I checked and was told my firewall can’t do anything. I’m in the process of upgrading--any ideas?

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=87301

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. RFPoison Is Not a Trojan
http://www.ntsecurity.net/go/w.asp?A2=IND0001D&L=WIN2KSECADVICE&P=325

Follow this link to read all threads for Jan. Week 4:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the "HowTo for Security" mailing list. The following threads are in the spotlight this week:

1. RE: NT IIS PARENT PATH QUESTION (ANSWER)
http://www.ntsecurity.net/go/L.asp?A2=IND0001D&L=HOWTO&P=83

Follow this link to read all threads for Jan.
Week 4:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved – Carolyn Mascarenas (products@winntmag.com)
Copy Editor – Judy Drennen (jdrennen@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE

To subscribe, go to http://www.winntmag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.winntmag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice. Subscribe to these other FREE email newsletters at
http://www.winntmag.com/sub.cfm?code=up99inxsup.
Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 2000, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html