********************************************************** WINDOWS NT MAGAZINE SECURITY UPDATE **Watching the Watchers** The weekly Windows NT security update newsletter brought to you by Windows NT Magazine and NTsecurity.net http://www.winntmag.com/update/ ********************************************************** This week's issue sponsored by Trend Micro -- Your Internet Virus Wall http://www.antivirus.com/welcome/winnt071499.htm Free On-Line Seminar: How to Defend NT Servers http://www.network-1.com/seminar (Below Security Roundup) |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+- January 19, 2000 - In this issue: 1. IN FOCUS - Who's Watching Who? 2. SECURITY RISKS - Local Procedure Call Elevates Privileges - Super Mail Denial of Service Condition 3. ANNOUNCEMENTS - Technology Week--Microsoft's Professional Trainer Conference 4. SECURITY ROUNDUP - News: IIS Certificates Can Crash Netscape Communicator - News: E-Lock Technologies Introduces Assured Office - Review: Lucent Technologies' Newly Expanded VPN Line - Feature: Speech Recognition Technology 5. NEW AND IMPROVED - On-the-Fly Protection from Viruses - Secure E-Business 6. HOT RELEASE (ADVERTISEMENT) - VeriSign - The Internet Trust Company 7. SECURITY TOOLKIT - Book Highlight: Undocumented Windows NT - Tip: Before You Say "It's Safe" 8. HOT THREADS - Windows NT Magazine Online Forums: * BDC or Standard Server? - Win2KSecAdvice Mailing List: * Exchange Security and Renaming Users - A Cautionary Tale - HowTo Mailing List: * IIS Parent Path Question ~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUS WALL ~~~~ Think you've seen the REAL Phantom Menace? Imagine a virus attack holding your network hostage! Protect your empire with Trend's wide range of antivirus solutions. Trend is a world leader in antivirus technologies offering protection -- for the Internet gateway, Notes and Exchange email servers, the desktop and everywhere in between - that form a protective, virtual VirusWall around your network. For more information, call 800-228-5651 or click the link above. http://www.antivirus.com/welcome/winnt071499.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877- 217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. ========== IN FOCUS ========== Hello everyone, I haven't bought much over the Internet, and until current trends improve, I probably won't buy much in the future. Consumer-based e- commerce isn't safe yet. Sure, you can probably trust a handful of vendors with electronic transactions, but you're still accepting a huge risk because no standard exists for gauging information security compliance for e-commerce. You have to accept the vendor's word when it alleges that its systems are secure, and in most cases the vendor's word about security is backed up with nothing. Case in point: Last week, hackers found that several large e-commerce sites, including CD Universe, contained major security risks that exposed customer information, including credit card numbers. The intruders probed some sites and pointed them out. In other cases, intruders actually cracked the sites and stole credit card data and then held the data for ransom. So who's watching who? The black hats are apparently watching everyone and everything that comes into view, but where are the white hats to keep the black hats at bay? Every time I hear about intruders cracking an e-commerce site, I get colder toward making online purchases. The last thing we need is our credit card numbers in the hands of a system cracker. So how can we help prevent credit card theft without giving up on e-commerce? The answer is, we can't. For now, if we use e-commerce, we must accept the risk because we don't know which sites to trust and which ones to shy away from. We need a method to determine which e-commerce sites are secure and which sites remain in question. How else can we learn to trust e- commerce with a given vendor? Perhaps we need an international standards body to develop a system of testing and rating a site's e- commerce security. If a Web site passes the required examinations, it could display a seal of approval. I remember hearing talk about forming a security standards organization, but I never heard whether it came to pass. Based on last week's discoveries regarding lax security on various e-commerce sites, I'd have to guess that either no such body exists or it's being ignored by e-commerce site developers. If you're aware of any such organization or standards for e-commerce security, please share with me what you know. Until next time, have a great week. Sincerely, Mark Joseph Edwards, News Editor mark@ntsecurity.net 2. ========== SECURITY RISKS ========= (contributed by Mark Joseph Edwards, mark@ntsecurity.net) * LOCAL PROCEDURE CALL ELEVATES PRIVILEGES Bindview discovered a serious security problem within Windows NT 4.0. Because of a flaw in the API call NtImpersonateClientOfPort, any local system user can impersonate any other user on the machine, including the LocalSystem account. The problem affects all NT 4.0 systems up to and including Service Pack 6a (SP6a). Bindview tested its exploit on Windows 2000 (Win2K) Release Candidate 2 (RC2) and found that the system was not vulnerable. Microsoft is aware of the problem and has released an FAQ, Support Online article Q247869, and hotfixes for Intel and Alpha platforms. http://www.ntsecurity.net/go/load.asp?iD=/security/lpc1.htm http://www.microsoft.com/security/bulletins/MS00-003faq.asp http://support.microsoft.com/support/kb/articles/q247/8/69.asp * SUPER MAIL DENIAL OF SERVICE CONDITION UssrLabs discovered a memory leak that might lead to a denial of service (DoS) condition because of the way the service handles client data. According to UssrLabs, the software appears to store all client data in memory during a session and might not properly handle memory allocation and deallocation during a session. The vendor, Nosque Workshop, is aware of the problem but has not yet responded. http://www.ntsecurity.net/go/load.asp?iD=/security/superm.htm 3. ========== ANNOUNCEMENTS ========== * TECHNOLOGY WEEK--MICROSOFT'S PROFESSIONAL TRAINER CONFERENCE If you're a professional trainer on Microsoft products, this event is for you! Technology Week, which will take place February 6 to 11 in New Orleans, is an exclusive opportunity to get the training you need directly from Microsoft courseware teams. Microsoft designed the sessions to develop your technical knowledge and enhance your training skills. Session topics include Windows 2000 Administration and Support, Windows 2000 Infrastructure Design, Exchange 2000 Server, SQL Server, Knowledge Management/Collaboration, BackOffice Server Integration, MSDN Training, and instructional skills. Technology Week provides optimum learning with minimum downtime in your career. Attendance is limited--register today! http://www.microsoft.com/mct/techweek 4. ========== SECURITY ROUNDUP ========== * NEWS: IIS CERTIFICATES CAN CRASH NETSCAPE COMMUNICATOR A bug in Internet Information Server (IIS) can cause Netscape Communicator 4.7 browsers to crash while negotiating encryption using digital certificates. The problem affects both Macintosh and Windows versions of Netscape Communicator. By default, international versions of Netscape Communicator 4.7 accept 56-bit digital certificates, but IIS 4.0 does not correctly support 56-bit certificates. Therefore, when Netscape Communicator tries to negotiate the use of stronger 128-bit encryption, the browser crashes. http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=202&TB=news * NEWS: E-LOCK TECHNOLOGIES INTRODUCES ASSURED OFFICE Microsoft Office is the most popular office suite in use today. E-Lock Technologies' Assured Office enhances the value of Office by adding public key infrastructure (PKI)-based digital security to make Office a comprehensive e-business solution. The seamless integration of Assured Office digital signing and encryption features within Office enables organizations to conduct e-business using their existing business processes. http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=201&TB=news * REVIEW: LUCENT TECHNOLOGIES' NEWLY EXPANDED VPN LINE In his review for InternetWeek, Salvatore Salamone covers Lucent Technologies' newly expanded hardware-based VPN product line. According to the review, "The new Secure VPN line offers a price/performance range from less than $1000 for a VPN-enabled Pipeline router that can handle 50 IP Security tunnels to about $45,000 for an Access Point router designed to handle up to 4000 IPSec tunnels and a high-speed interface such as OC-3 (155 Mbps)." http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=114&TB=r * FEATURE: SPEECH RECONITION TECHNOLOGY In her feature for Planet IT, Diane Levine discusses voice recognition technology and its ever-increasing popularity as a security mechanism. Diane mentions a couple useful products for PCs, including SaftyLatch, VoiceCrypt, and L&H voice recognition technology. http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=146&TB=f ~~~~ SPONSOR: FREE ON-LINE SEMINAR: HOW TO DEFEND NT SERVERS ~~~~ Attend Network-1’s on-line seminar, "Defending NT Servers in the New e- Commerce Age", hosted by security expert Dr. Bill Hancock. This 30- minute web-based seminar is a must for IT professionals who are responsible for securing Windows NT servers in "electronically open" organizations. How to attend: Just point your browser to www.network-1.com/seminar and register. We offer the seminar at three convenient times. Join Network-1 and Dr. Hancock at our on-line seminar and get ready for the e-Commerce Age. 5. ========== NEW AND IMPROVED ========== (contributed by Carolyn Mascarenas, products@winntmag.com) * ON-THE-FLY PROTECTION FROM VIRUSES Gordano announced an agreement with Command Software that lets NTMail and NTList customers receive on-the-fly protection from emailed viruses. NTMail is an SMTP-based email server for Windows NT. NTList provides electronic list management for NT. Gordano’s Virus Scanner Manager (VSM) and Command Software’s antivirus product (CASV) are now available from Gordano. NTMail and NTList support major antivirus packages, and you can still choose which virus scanner you want to use. The partnership offers a virus scanner feeding directly from NTMail-VSM from a DLL. Using the products together provides Internet mail server protection. For pricing, contact Gordano, 877-292-1142. http://www.gordano.com * SECURE E-BUSINESS Internet Security Systems (IIS), a provider of security management solutions for e-business, and iXL, an Internet services company, signed a strategic agreement to deliver security solutions to maintain secure implementation and ongoing e-business protection of iXL’s clients. Through the agreement, ISS will provide crucial security solutions, including strategic lifecycle consulting and remote managed services to iXL clients. The partnership will help e-businesses manage security risks to protect the confidentiality, integrity, and availability of critical systems and data. For additional information, contact iXL, 888-495-1122. http://www.ixl.com 6. ========== HOT RELEASE (ADVERTISEMENT) ========== * VERISIGN - THE INTERNET TRUST COMPANY Protect your servers with 128-bit SSL encryption today! Get VeriSign's FREE guide, "Securing Your Web Site for Business." Learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n016005190013000 7. ========== SECURITY TOOLKIT ========== * BOOK HIGHLIGHT: UNDOCUMENTED WINDOWS NT By Prasad Dabak Online Price: $27.95 Softcover; 335 pages Published by IDG Books Worldwide, September 1999 Get the inside story on Windows NT APIs. Use the interfaces underlying the Win32 interface to invent new ways to solve problems, discover how to hook system services not documented in the NT software development kit (SDK), and learn about security holes inherent in the design of NT and how you can address them. Also, master techniques for analyzing NT yourself, get a better understanding of the Memory Management architecture, modify and administer NT systems to make them more fault tolerant, and compare and contrast popular Win32 implementations. For Windows NT Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WINNTMAG in the referral field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/0764545698?from=SUT864. * TIP: BEFORE YOU SAY "IT'S SAFE" (contributed by Mark Joseph Edwards, mark@ntsecurity.net) With so many blatant security risks appearing on large e-commerce sites lately, I think it's prudent to remind you of a basic security tip that most diligent administrators practice. That practice is called double- checking your system security. After you've built and configured a system (including any custom application code), have at least one other party inspect that system for security shortcomings before you declare the system safe for daily use, especially if third parties have developed applications for your system. Although you should inspect any systems yourself, both manually and programmatically using the security scanners of your choice, don't assume your checks are sufficient. To be safe, consider using a third party to check your system. 8. ========== HOT THREADS ========== * WINDOWS NT MAGAZINE ONLINE FORUMS The following text is from a recent threaded discussion on the Windows NT Magazine online forums (http://www.winntmag.com/support). January 14, 2000, 08:34 A.M. BDC or Standard Server? I just took a new job and the company has four Windows NT servers. I know which one the PDC is. Where do I look to see if the others were installed as BDCs or standard servers? Do you have to set up replication for a BDC to copy the SAM? Thread continues at http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Messag e_ID=85933 * WIN2KSECADVICE MAILING LIST Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following thread is in the spotlight this week: 1. EXCHANGE SECURITY AND RENAMING USERS – A CAUTIONARY TALE http://www.ntsecurity.net/go/w.asp?A2=IND0001B&L=WIN2KSECADVICE&P=849 Follow this link to read all threads for Jan. Week 3: http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec * HOWTO MAILING LIST Each week we offer a quick recap of some of the highlights from the "HowTo for Security" mailing list. The following thread is in the spotlight this week: 1. IIS PARENT PATH QUESTION http://www.ntsecurity.net/go/L.asp?A2=IND0001C&L=HOWTO&P=83 Follow this link to read all threads for Jan. Week 3: http://www.ntsecurity.net/go/l.asp?s=howto |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+- WINDOWS NT MAGAZINE SECURITY UPDATE STAFF News Editor - Mark Joseph Edwards (mje@winntmag.com) Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@winntmag.com) Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com) Editor - Gayle Rodcay (gayle@winntmag.com) New and Improved – Carolyn Mascarenas (products@winntmag.com) Copy Editor – Judy Drennen (jdrennen@winntmag.com) |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+- Thank you for reading Windows NT Magazine Security UPDATE To subscribe, go to http://www.winntmag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes. To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.winntmag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes. ========== GET UPDATED! ========== Receive the latest information on the NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.winntmag.com/sub.cfm?code=up99inxsup. Windows NT Magazine UPDATE Windows NT Magazine Thin-Client UPDATE Windows NT Exchange Server UPDATE Windows 2000 Pro UPDATE ASP Review UPDATE SQL Server Magazine UPDATE |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+- Copyright 2000, Windows NT Magazine Security UPDATE Newsletter is powered by LISTSERV software http://www.lsoft.com/LISTSERV-powered.html