**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by:

Norton 2000 Corporate Edition from Symantec
http://www.symantec.com/specprog/sym/12899a.html

Stac Announces Replica NDM V2.0
http://www.stac.com/laptop
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
December 8, 1999 - In this issue:

1. IN FOCUS
     - Are You Certain You're Ready for Y2K?

2. SECURITY RISKS
     - IE 5.0 WPAD Spoofing
     - IIS ISAPI Filter Plain Text Leak
     - FTP Serv-U Subject to Denial of Service
     - IE 5.0 Subject to Frame Spoofing

3. ANNOUNCEMENTS
     - Windows NT Magazine Launches ASP Email Newsletter
     - The Bean Counter, the Techie, and the Future of Business Intelligence
     - Security Poll: Which Security-Related Management Skills Do You Desire Most?

4. SECURITY ROUNDUP
     - News: MiniZip Virus on the Loose
     - News: Symantec Detects Babylonia Computer Virus
     - News: Y2K-Specific Worm

5. NEW AND IMPROVED
     - Desktop Virus Protection
     - Authentication Tokens

6. HOT RELEASES
     - K-Force
     - VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
     - Book Highlight: Network Security: In a Mixed Environment
     - Tip: Listing Administrative Users
     - HowTo: More Windows 2000 Topics, Acronyms, and Concepts

8. HOT THREADS
     - Windows NT Magazine Online Forums:
        * Hacker - What Can I Do?
     - Win2KSecAdvice Mailing List:
        * SP6a Included Security Fixes?
        * SQL 7 Magic Packet Denial of Service
     - HowTo Mailing List:
        * PDC Multi-Homed
        * Local Group Listing Utility
        * Sync Time on Domain Computers

~~~~ SPONSOR: NORTON 2000 CORPORATE EDITION FROM SYMANTEC ~~~~
Norton 2000 gives you an easy, reliable, and flexible way to identify Year 2000 desktop anomalies in applications and documents, to repair potentially damaging files, and to fix system clocks and BIOS. Norton 2000 scans for two-digit dates in spreadsheet cells and formulas, database fields, forms and text, and includes a reliable fix assistant for Microsoft Excel files. It also checks desktop applications for compliance, includes a SQL database component for roll-up graphing and analysis, and it easily integrates with Norton System Center to support one-console administration.
http://www.symantec.com/specprog/sym/12899a.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Do you have all your Y2K remedies and prevention in place? Are you sure? What about viruses, Trojans, and worms? How will you cover your bases in that area?

If you don't think viruses and worms pose a Y2K threat, think again. Researchers have reported at least two new Y2K-centric virus and worm strains in recent weeks. Granted, you can head over to your favorite antivirus software vendor site and download the latest signature detection update files, but think about that action for a moment. You're downloading signatures of viruses and worms that the vendor knows about, and that's the key to any viral or worm detection and eradication: knowledge.

The reality is that any number of undetected viruses and worms might be out there waiting to trigger on a given date in the year 2000. The problem is that we just don't know what's out there, and outside of a good file and system integrity checker, you have no way to guarantee that such code hasn't entered your system. The way you'll find out about a Y2K-based infection is when a virus or worm actually activates.

Quite a dilemma, don't you think? Certainly, you can roll a computer's date forward to see how your system reacts, but that approach isn't really adequate to cover all the bases when it comes to viruses and worms. For example, what if a given virus or worm only triggers at a specific time of day? How can you test all the possible time combinations for an entire year? Realistically, you can't.

The alternative route to date and time trigger checking is comparative analysis. You can feasibly compare aspects of any system in question against aspects of a similar system that is known to be tamper-free. By examining Registry entries, file dates, and checksums, you might be able to detect potential infection before that infection becomes a serious problem.

With either route, the course is tough and time-consuming. Comparative checks are certainly more time-conservative and beneficial than date- and time-based testing alone, but even so, there is no guarantee that something is not amiss. Can you accept that risk? Perhaps your situation forces you to accept it, but perhaps not.

I've read messages on our HowTo for Security mailing list in which people have indicated they will power down their Exchange servers and other mission-critical systems to wait and see how the date rollover affects others around the world. I like that approach, but not everyone has the luxury of taking that course.

The bottom line is that you should protect your system's integrity from the start with utilities such as TripWire (http://www.tripwiresecurity.com/) and use a good antivirus scanner that fits your needs. In addition, handle all email messages with caution until you're certain they're harmless. Do those things and you'll significantly reduce the amount of worry you'll experience regarding viruses and worms both now and in the future.

Using real-time integrity checkers and adequate email practices in addition to up-to-date antivirus software will lessen the likelihood that your servers or workstations will get hammered into bits of useless data. As you know, an ounce of prevention is worth a pound of cure. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

* IE 5.0 WPAD SPOOFING
Tim Adam reported a problem with Internet Explorer (IE) 5.0 that affects the Web Proxy Auto-Discovery (WPAD) protocol. According to Microsoft's bulletin, "The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables Web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname 'wpad' to the fully qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname or reaches the third-level domain. A vulnerability arises because in international usage, the third-level domain might not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice."

Microsoft has released IE 5.01 (a new version), which remedies this problem. Be sure to read the FAQ regarding this matter.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ie56.htm
   http://www.microsoft.com/security/bulletins/MS99-054faq.asp

* IIS ISAPI FILTER PLAIN TEXT LEAK
Microsoft reported a vulnerability in the Secure Sockets Layer (SSL) ISAPI filter shipped with Internet Information Server (IIS) 4.0 and Site Server 3.0. Other Microsoft products also use the filter. According to Microsoft's report, "If called by a multi-threaded application under very specific, and fairly rare, circumstances, a synchronization error in the filter could allow a single buffer of plain text to be transmitted back to the data's owner."

Microsoft has issued a patch for Intel and Alpha and a FAQ regarding this matter.
   http://www.ntsecurity.net/go/load.asp?iD=/security/iis2.htm
   http://www.microsoft.com/security/bulletins/MS99-053faq.asp

* FTP SERV-U SUBJECT TO DENIAL OF SERVICE
UssrLabs reported a possible denial of service (DoS) attack against Deerfield.com's FTP Serv-U 2.5a caused by a buffer overflow condition. A malformed SITE command causes the buffer overflow condition.

Deerfield.com is aware of the problem and has issued a patched version of the software in FTP Serv-U 2.5b.
   http://www.ntsecurity.net/go/load.asp?iD=/security/servu1.htm
   http://ftpserv-u.deerfield.com/download.cfm

* IE 5.0 SUBJECT TO FRAME SPOOFING
Georgio Guninski reported a problem with Internet Explorer (IE) 5.0 that lets frame spoofing take place. The problem can let an intruder fool unsuspecting users into thinking they are visiting a trusted site, when in fact, they are not.

Microsoft has issued no comment regarding this matter. To protect yourself against such attacks, be sure to read the instructions at the Web page listed below.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ie55.htm

3. ========== ANNOUNCEMENTS ==========

* WINDOWS NT MAGAZINE LAUNCHES ASP EMAIL NEWSLETTER
Stay current with the latest industry news and trends of the exciting new application service provider (ASP) marketplace with ASP Review UPDATE, a free bi-weekly email newsletter. With coverage of industry players, available and emerging technologies, and tips on how to evaluate service providers, ASP Review UPDATE is a must-read for IT and business professionals who want to stay at the forefront of their business. Enter your FREE subscription now at http://www.winntmag.com/sub.cfm?code=UP99INLUP.

* THE BEAN COUNTER, THE TECHIE, AND THE FUTURE OF BUSINESS INTELLIGENCE
Everybody knows what business intelligence can do for a company. We know what hidden information it can bring to light, what surprising opportunities it can uncover, what competition-squashing power it can unleash. But what are businesses really doing with it?

Readers of Windows NT Magazine and Business Finance Magazine told us how they're applying business intelligence now and what they're planning in the future, and their answers don't always jibe. What does MIS know that Accounting doesn't? Find out at http://www.businessfinancemag.com/busint99.html.

* SECURITY POLL: WHICH SECURITY-RELATED MANAGEMENT SKILLS DO YOU DESIRE MOST?
Security training is a hot market right now. You might even have plans to take some classes. If you do have such plans, what type of security management skills do you desire most? Place your vote, and view the survey results at the URL below.
   http://www.ntsecurity.net/go/2c.asp?f=/polls.asp?idf=109&tb=p

4. ========== SECURITY ROUNDUP ==========

* NEWS: MINIZIP VIRUS ON THE LOOSE
The ExplorerZip Worm is back in the news again. Researchers have discovered a new rendition of the dangerous virus in the wild. The new version is compressed, letting it bypass detection routines that would capture and contain ExplorerZip. The new virus, ExplorerZipPack (or MiniZip), is very dangerous and spreading rapidly; therefore, you need to guard against it immediately.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=188&TB=news

* NEWS: SYMANTEC DETECTS BABYLONIA COMPUTER VIRUS
Symantec discovered a new Y2K virus on December 6 that disguises itself as a Y2K fix. The virus is unique because it can download its viral components from the Internet. When the virus executes, it will wait for an Internet connection. After detecting a connection, the virus downloads several files from a Web server in Japan. This capability lets the virus writer update the virus centrally.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=190&TB=news

* NEWS: Y2K-SPECIFIC WORM
Computer Associates warns of a new virus named W32.Mypics.Worm (Mypics) that can cause extensive damage in the Year 2000. The worm spreads on Windows and Windows NT platforms through email and has a highly dangerous payload that triggers in 2000. The worm's payload can cause users to lose all the data on their hard disks.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=189&TB=news

~~~~ SPONSOR: STAC ANNOUNCES REPLICA NDM V2.0 ~~~~
Recover your CEO's crashed PC while you enjoy a cup of coffee! Replica NDM is the first to offer centrally managed backup and bare-metal disaster recovery for all your desktop, mobile and remote PCs. For more information and a FREE white paper on mobile PC backup by Gartner Group, simply visit us at http://www.stac.com/laptop

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* DESKTOP VIRUS PROTECTION
Trend Micro announced OfficeScan Corporate Edition 3.5, antivirus software for the corporate desktop. New features include mobile and remote user support, improved interoperability and manageability, incremental pattern file updates, new ActiveUpdate technology, and additional antivirus client deployment methods.

You can manage virus prevention on the desktop without requiring involvement from the end user. You can remotely install client software on the network to perform virus scanning on the workstation. You can also configure and update clients from a central Windows or Web-based management console.

OfficeScan Corporate Edition 3.5 runs on Windows NT. Pricing starts at $300 for a 25-seat license. Contact Trend Micro, 408-867-6404.
   http://www.antivirus.com

* AUTHENTICATION TOKENS
CRYPTOCard announced the KF-1 and the PT-1, new authentication tokens in the company's CRYPTOAdmin 4.1 administration platform. Unlike other key chain-based authentication tokens, the KF-1 is a steel-cased unit with PIN entry for activation. Only on activation does the KF-1 display the password, eliminating the risks presented by systems that send the PIN in the clear across the network.

The PT-1 provides authentication for accessing corporate networks with Palm handheld devices and provides one-time password authentication without requiring the Palm user to carry an additional hardware device. PT-1 has no predetermined expiration date and is a one-time purchase for network security officers.

CRYPTOAdmin 4.1 runs on Windows NT, Linux, Sun Solaris, AIX, and FreeBSD systems. For pricing, contact CRYPTOCard, 800-307-7042.
   http://www.cryptocard.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* K-FORCE
Afraid of getting lost on another job board? Real results by real people at kforce.com. Resumes read by 2,300 Career Specialists, Confidential Searching, and a Career Development Coach! Click on ***kforce.com*** where opportunity has a new address.
http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption! Get a FREE Guide from VeriSign, "Securing Your Web Site for Business." Click Here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016004150008000

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: NETWORK SECURITY: IN A MIXED ENVIRONMENT
By Dan Blacharski
Online Price: $31.95
Softcover; 408 pages
Published by IDG Books Worldwide, March 1998

Protect your network with the help of Network Security: In a Mixed Environment. Industry expert Dan Blacharski combines technical insight and real-world experience to produce a solid how-to manual designed to reduce the dangers inherent in mixed environment computing. Network Security: In a Mixed Environment covers all the basics in establishing a protected network, from determining security needs to acquiring the right hardware and software. You'll get detailed information on NetWare, Windows NT, and UNIX security features; safeguarding your network against various threats; hardware and software; security monitors; and more.

For Windows NT Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing in WINNTMAG in the referral field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/0764531522?from=SUT864.

* TIP: LISTING ADMINISTRATIVE USERS
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

Rick Mitchell posted a message on the "HowTo for Security" mailing list asking readers if they know of a utility that will remotely dump a list of users in a particular group on a Windows NT 4.0 server. Rick says he has more than 250 NT servers in his domain, and he needs a tool that will provide a list of all users who have administrative rights on each machine.

The Microsoft Windows NT Server 4.0 Resource Kit is the most obvious place to seek such utilities. Within the resource kit, you can find two utilities: local.exe and global.exe. Each tool lists users and groups by domain or server. In addition, SomarSoft's DumpACL utility can identify users and groups and identify NTFS and share permissions. Frank Ramos' tools at SomarSoft are all free.

Adkins Resource also produces a nifty tool to get the job done. Head over to its Web site and download Hyena 2.2. Pricing for the tool starts at $269, and it's available as a 30-day evaluation.
   http://mspress.microsoft.com/reslink
   http://www.somarsoft.com
   http://www.adkins-resource.com

* HOWTO: MORE WINDOWS 2000 TOPICS, ACRONYMS, AND CONCEPTS
Zubair Ahmad presents his third column in an occasional series of Windows 2000 Ready Web exclusive features that define new Windows 2000 (Win2K) terms and concepts.
   http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=115&TB=howto

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows NT Magazine online forums (http://www.winntmag.com/support).

December 02, 1999, 01:33 P.M.
Hacker - What Can I Do?
I'm hoping someone can help me. I have what I believe to be a hacker attempting to access my mail server. I'm showing entries in my Security Event Log with an outside SMTP attempt to access my server. It then says "LogonUser()call failed with error. Logon failure: unknown user name or bad password." I'm assuming this means someone is trying to enter but is unsuccessful. If I am incorrect, or if anyone has any ideas as to how I can track this person down or scare them off, let me know. Any help would be appreciated. Thanks in advance.

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=80519

* WIN2KSECADVICE MAILING LIST
Each week, we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. SP6A INCLUDED SECURITY FIXES?
   http://www.ntsecurity.net/go/w.asp?A2=IND9912A&L=WIN2KSECADVICE&P=307
2. SQL 7 MAGIC PACKET DENIAL OF SERVICE
   http://www.ntsecurity.net/go/w.asp?A2=IND9912A&L=WIN2KSECADVICE&P=792

Follow this link to read all threads for Dec. Week 1:
   http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the "HowTo for Security" mailing list. The following threads are in the spotlight this week:

1. PDC MULTI-HOMED
   http://www.ntsecurity.net/go/L.asp?A2=IND9912A&L=HOWTO&P=2986
2. LOCAL GROUP LISTING UTILITY
   http://www.ntsecurity.net/go/L.asp?A2=IND9912A&L=HOWTO&P=200
3. SYNC TIME ON DOMAIN COMPUTERS
   http://www.ntsecurity.net/go/L.asp?A2=IND9912A&L=HOWTO&P=2886

Follow this link to read all threads for Dec. Week 1:
   http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Editor-at-Large - Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE.

To subscribe, go to http://www.winntmag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.winntmag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 1999, Windows NT Magazine Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html
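The comparative analysis described under IN FOCUS (checking a system in question against a similar system known to be tamper-free, by file dates and checksums) can be sketched as follows. This is an added example, not code from the newsletter or from any product it names; the function names, the SHA-256 choice, the timestamps and the file names in demo() are all constructed for illustration, and Registry comparison is not covered.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path) to (sha256, size, mtime)."""
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            info = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (digest.hexdigest(), info.st_size, int(info.st_mtime))
    return entries


def compare(reference, suspect):
    """Classify every path by how the suspect tree differs from the reference."""
    report = {"missing": [], "added": [], "content_changed": [], "date_changed": []}
    for path in sorted(set(reference) | set(suspect)):
        if path not in suspect:
            report["missing"].append(path)
        elif path not in reference:
            report["added"].append(path)
        elif reference[path][0] != suspect[path][0]:
            # Checksum differs: caught even when size and date are unchanged.
            report["content_changed"].append(path)
        elif reference[path][2] != suspect[path][2]:
            # Same bytes, different file date: worth a look, lower priority.
            report["date_changed"].append(path)
    return report


def _write(root, rel, data, mtime):
    """Create a constructed sample file with a fixed modification time."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)
    os.utime(path, (mtime, mtime))


def demo():
    """Build two small constructed trees and return the comparison report."""
    built = 944000000          # constructed timestamp, late 1999
    later = built + 86400      # one day afterwards
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as sus:
        # Reference system (known tamper-free).
        _write(ref, "system32/app.dll", b"library-v1", built)
        _write(ref, "system32/tool.exe", b"MZ-original", built)
        _write(ref, "system32/old.drv", b"driver", built)
        _write(ref, "win.ini", b"[windows]\n", built)
        # System in question.
        _write(sus, "system32/app.dll", b"library-v1", built)
        _write(sus, "system32/tool.exe", b"MZ-modified", built)   # same size and date
        _write(sus, "system32/y2kfix.exe", b"MZ-unknown", later)  # not on reference
        _write(sus, "win.ini", b"[windows]\n", later)             # date only
        return compare(snapshot(ref), snapshot(sus))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:16} {paths}")
```

The tool.exe case is the one dates and sizes alone would miss: both are identical on the two systems and only the checksum differs.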
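The WPAD name search quoted in the IE 5.0 WPAD SPOOFING item can be worked through to see which lookups leave an organization's own domain. This is an added example, not code from the newsletter or from Microsoft; it assumes the search starts from the client's DNS domain, and the domains, function names and the org_domain parameter are constructed for illustration.

```python
def wpad_candidates(client_domain, stop_labels=3):
    """Hostnames tried, in order, for a client whose DNS domain is given.

    Follows the bulletin's wording: prepend 'wpad', then remove the leftmost
    subdomain each round until the candidate is a third-level name.
    """
    labels = [part for part in client_domain.lower().strip(".").split(".") if part]
    if len(labels) < 2:
        raise ValueError("expected at least a second-level domain")
    names = []
    while len(labels) + 1 >= stop_labels:
        names.append(".".join(["wpad"] + labels))
        labels = labels[1:]
    return names


def inside(name, org_domain):
    """True when name is org_domain itself or a host beneath it."""
    org = org_domain.lower().strip(".")
    return name == org or name.endswith("." + org)


def exposed_names(client_domain, org_domain):
    """Candidates that fall outside the domain the organization controls."""
    return [n for n in wpad_candidates(client_domain) if not inside(n, org_domain)]


def report(client_domain, org_domain):
    """One line per candidate, marking who controls the name."""
    lines = []
    for name in wpad_candidates(client_domain):
        owner = "own domain" if inside(name, org_domain) else "OUTSIDE own domain"
        lines.append(f"{name:32} {owner}")
    return lines


if __name__ == "__main__":
    # Constructed cases: a .com organization and a .co.uk organization.
    for client, org in (("sales.example.com", "example.com"),
                        ("sales.example.co.uk", "example.co.uk")):
        print(f"client domain {client}, organization {org}")
        for line in report(client, org):
            print("  " + line)
```

For the constructed .co.uk case the search ends at wpad.co.uk, a third-level name that the organization does not control, which is the "international usage" problem the bulletin describes.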

**********************************************************
WINDOWS NT MAGAZINE SECURITY = UPDATE
**Watching the = Watchers**
The weekly Windows NT security = update newsletter brought to you by
Windows NT Magazine and = NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored = by:

Norton 2000 Corporate Edition = from Symantec
http://www.symantec.com/specprog/sym/12899a.html

Stac Announces Replica NDM = V2.0
http://www.stac.com/laptop
(Below Security Roundup) =

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-=
December 8, 1999 - In this = issue:

1. IN FOCUS
     - Are = You Certain You're Ready for Y2K?

2. SECURITY RISKS
     - IE = 5.0 WPAD Spoofing
     - IIS = ISAPI Filter Plain Text Leak
     - FTP = Serv-U Subject to Denial of Service
     - IE = 5.0 Subject to Frame Spoofing

3. ANNOUNCEMENTS
     - = Windows NT Magazine Launches ASP Email Newsletter
     - The = Bean Counter, the Techie, and the Future of Business
Intelligence
     - = Security Poll: Which Security-Related Management Skills Do You
Desire Most?

4. SECURITY ROUNDUP
     - = News: MiniZip Virus on the Loose
     - = News: Symantec Detects Babylonia Computer Virus
     - = News: Y2K-Specific Worm

5. NEW AND IMPROVED
     - = Desktop Virus Protection
     - = Authentication Tokens

6. HOT RELEASES
     - = K-Force
     - = VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
     - Book = Highlight: Network Security: In a Mixed Environment
     - Tip: = Listing Administrative Users
     - = HowTo: More Windows 2000 Topics, Acronyms, and Concepts

8. HOT THREADS
     - = Windows NT Magazine Online Forums:
        * Hacker - What Can I = Do?
     - = Win2KSecAdvice Mailing List:
        * SP6a Included = Security Fixes?
        * SQL 7 Magic Packet = Denial of Service
     - = HowTo Mailing List:
        * PDC = Multi-Homed
        * Local Group Listing = Utility
        * Sync Time on Domain = Computers

~~~~ SPONSOR: NORTON 2000 = CORPORATE EDITION FROM SYMANTEC ~~~~
Norton 2000 gives you an easy, = reliable, and flexible way to identify
Year 2000 desktop anomalies in = applications and documents, to repair
potentially damaging files, and = to fix system clocks and BIOS. Norton
2000 scans for two-digit dates = in spreadsheet cells and formulas,
database fields, forms and = text, and includes a reliable fix assistant
for Microsoft Excel files. It = also checks desktop applications for
compliance, includes a SQL = database component for roll-up graphing and
analysis, and it easily = integrates with Norton System Center to support
one-console = administration.
http://www.symantec.com/specprog/sym/12899a.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~= ~
Want to sponsor Windows NT = Magazine Security UPDATE? Contact Vicki
Peterson (Western and = International Advertising Sales Manager) at 877-
217-1826 or = vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern
Advertising Sales Manager) at = 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~= ~

1. = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D IN FOCUS = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 
Hello everyone,

Do you have all your Y2K = remedies and prevention in place? Are you
sure? What about viruses, = Trojans, and worms? How will you cover your
bases in that area?
   If you don't think = viruses and worms pose a Y2K threat, think again.
Researchers have reported at = least two new Y2K-centric virus and worm
strains in recent weeks. = Granted, you can head over to your favorite
antivirus software vendor site = and download the latest signature
detection update files, but = think about that action for a moment.
You're downloading signatures = of viruses and worms that the vendor
knows about, and that's the key = to any viral or worm detection and
eradication: knowledge.
   The reality is = that any number of undetected viruses and worms might
be out there waiting to trigger = on a given date in the year 2000. The
problem is that we just don't = know what's out there, and outside of a
good file and system integrity = checker, you have no way to guarantee
that such code hasn't entered = your system. The way you'll find out
about a Y2K-based infection is = when a virus or worm actually activates.
   Quite a dilemma, = don't you think? Certainly, you can roll a
computer's date forward to see = how your system reacts, but that
approach isn't really adequate = to cover all the bases when it comes to
viruses and worms. For example, = what if a given virus or worm only
triggers at a specific time of = day? How can you test all the possible
time combinations for an entire = year? Realistically, you can't.
   The alternative = route to date and time trigger checking is
comparative analysis. You can = feasibly compare aspects of any system in
question against aspects of a = similar system that is known to be
tamper-free. By examining = Registry entries, file dates, and checksums,
you might be able to detect = potential infection before that infection
becomes a serious = problem.
   With either route, = the course is tough and time-consuming.
Comparative checks are = certainly more time-conservative and beneficial
than date- and time-based = testing alone, but even so, there is no
guarantee that something is not = amiss. Can you accept that risk?
Perhaps your situation forces = you to accept it, but perhaps not.
   I've read messages = on our HowTo for Security mailing list in which
people have indicated they will = power down their Exchange servers and
other mission-critical systems = to wait and see how the date rollover
affects others around the = world. I like that approach, but not everyone
has the luxury of taking that = course.
   The bottom line is = that you should protect your system's integrity
from the start with utilities = such as TripWire
(http://www.tripwiresecurity.com/) and use a good antivirus scanner =
that fits your needs. In = addition, handle all email messages with
caution until you're certain = they're harmless. Do those things and
you'll significantly reduce the = amount of worry you'll experience
regarding viruses and worms = both now and in the future.
   Using real-time = integrity checkers and adequate email practices in
addition to up-to-date = antivirus software will lessen the likelihood
that your servers or = workstations will get hammered into bits of
useless data. As you know, an = ounce of prevention is worth a pound of
cure. Until next time, have a = great week.

Sincerely,
Mark Joseph Edwards, News = Editor
mark@ntsecurity.net

2. = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D SECURITY RISKS = =3D=3D=3D=3D=3D=3D=3D=3D=3D
(contributed by Mark Joseph = Edwards, http://www.ntsecurity.net)

* IE 5.0 WPAD SPOOFING
Tim Adam reported a problem = with Internet Explorer (IE) 5.0 that
affects the Web Proxy = Auto-Discovery (WPAD) protocol. According to
Microsoft's bulletin, "The = IE 5 Web Proxy Auto-Discovery (WPAD) feature
enables Web clients to = automatically detect proxy settings without user
intervention. The algorithm = used by WPAD prepends the hostname 'wpad'
to the fully qualified domain = name and progressively removes subdomains
until it either finds a WPAD = server answering the hostname or reaches
the third-level domain. A = vulnerability arises because in international
usage, the third-level domain = might not be trusted. A malicious user
could set up a WPAD server and = serve proxy configuration commands of
his or her choice."
   Microsoft has = released IE 5.01 (a new version), which remedies this
problem. Be sure to read the = FAQ regarding this matter.
   http://www.ntsecurity.net/go/load.asp?iD=3D/security/i= e56.htm
   http://www.microsoft.com/security/bulletins/MS99-054fa= q.asp


* IIS ISAPI FILTER PLAIN TEXT = LEAK
Microsoft reported a = vulnerability in the Secure Sockets Layer (SSL)
ISAPI filter shipped with = Internet Information Server (IIS) 4.0 and
Site Server 3.0. Other = Microsoft products also use the filter.
According to Microsoft's = report, "If called by a multi-threaded
application under very = specific, and fairly rare, circumstances, a
synchronization error in the = filter could allow a single buffer of
plain text to be transmitted = back to the data's owner."
   Microsoft has = issued a patch for Intel and Alpha and a FAQ regarding
this matter.
   http://www.ntsecurity.net/go/load.asp?iD=3D/security/i= is2.htm
   http://www.microsoft.com/security/bulletins/MS99-053fa= q.asp

* FTP SERV-U SUBJECT TO DENIAL = OF SERVICE
UssrLabs reported a possible = denial of service (DoS) attack against
Deerfield.com's FTP Serv-U 2.5a = caused by a buffer overflow condition.
A malformed SITE command causes = the buffer overflow condition.
   Deerfield.com is = aware of the problem and has issued a patched
version of the software in FTP = Serv-U 2.5b.
   http://www.ntsecurity.net/go/load.asp?iD=3D/security/s= ervu1.htm
   http://ftpserv-u.deerfield.com/download.cfm=

* IE 5.0 SUBJECT TO FRAME = SPOOFING
Georgio Guninski reported a = problem with Internet Explorer (IE) 5.0
that lets frame spoofing take = place. The problem can let an intruder
fool unsuspecting users into = thinking they are visiting a trusted site,
when in fact, they are not. =
   Microsoft has = issued no comment regarding this matter. To protect
yourself against such attacks, = be sure to read the instructions at the
Web page listed below.
   http://www.ntsecurity.net/go/load.asp?iD=3D/security/i= e55.htm

3. = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D ANNOUNCEMENTS = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

* WINDOWS NT MAGAZINE LAUNCHES = ASP EMAIL NEWSLETTER
Stay current with the latest = industry news and trends of the exciting
new application service = provider (ASP) marketplace with ASP Review
UPDATE, a free bi-weekly email = newsletter. With coverage of industry
players, available and emerging = technologies, and tips on how to
evaluate service providers, ASP = Review UPDATE is a must-read for IT and
business professionals who want = to stay at the forefront of their
business. Enter your FREE = subscription now at
http://www.winntmag.com/sub.cfm?code=3DUP99INLUP.

* THE BEAN COUNTER, THE TECHIE, AND THE FUTURE OF BUSINESS INTELLIGENCE
Everybody knows what business intelligence can do for a company. We
know what hidden information it can bring to light, what surprising
opportunities it can uncover, what competition-squashing power it can
unleash. But what are businesses really doing with it?
   Readers of Windows NT Magazine and Business Finance Magazine told us
how they're applying business intelligence now and what they're
planning in the future, and their answers don't always jibe. What does
MIS know that Accounting doesn't? Find out at
http://www.businessfinancemag.com/busint99.html.

* SECURITY POLL: WHICH SECURITY-RELATED MANAGEMENT SKILLS DO YOU DESIRE
MOST?
Security training is a hot market right now. You might even have plans
to take some classes. If you do have such plans, what type of security
management skills do you desire most? Place your vote, and view the
survey results at the URL below.
   http://www.ntsecurity.net/go/2c.asp?f=/polls.asp?idf=109&tb=p

4. ========== SECURITY ROUNDUP ==========

* NEWS: MINIZIP VIRUS ON THE LOOSE
The ExplorerZip Worm is back in the news again. Researchers have
discovered a new rendition of the dangerous virus in the wild. The new
version is compressed, letting it bypass detection routines that would
capture and contain ExplorerZip. The new virus, ExplorerZipPack (or
MiniZip), is very dangerous and spreading rapidly; therefore, you need
to guard against it immediately.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=188&TB=news

* NEWS: SYMANTEC DETECTS BABYLONIA COMPUTER VIRUS
Symantec discovered a new Y2K virus on December 6 that disguises itself
as a Y2K fix. The virus is unique because it can download its viral
components from the Internet. When the virus executes, it will wait for
an Internet connection. After detecting a connection, the virus
downloads several files from a Web server in Japan. This capability
lets the virus writer update the virus centrally.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=190&TB=news

* NEWS: Y2K-SPECIFIC WORM
Computer Associates warns of a new virus named W32.Mypics.Worm (Mypics)
that can cause extensive damage in the Year 2000. The worm spreads on
Windows and Windows NT platforms through email and has a highly
dangerous payload that triggers in 2000. The worm's payload can cause
users to lose all the data on their hard disks.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=189&TB=news

~~~~ SPONSOR: STAC ANNOUNCES REPLICA NDM V2.0 ~~~~
Recover your CEO's crashed PC while you enjoy a cup of coffee! Replica
NDM is the first to offer centrally managed backup and bare-metal
disaster recovery for all your desktop, mobile and remote PCs.
For more information and a FREE white paper on mobile PC backup by
Gartner Group, simply visit us at
http://www.stac.com/laptop

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* DESKTOP VIRUS PROTECTION
Trend Micro announced OfficeScan Corporate Edition 3.5, antivirus
software for the corporate desktop. New features include mobile and
remote user support, improved interoperability and manageability,
incremental pattern file updates, new ActiveUpdate technology, and
additional antivirus client deployment methods. You can manage virus
prevention on the desktop without requiring involvement from the end
user. You can remotely install client software on the network to
perform virus scanning on the workstation. You can also configure and
update clients from a central Windows or Web-based management console.
   OfficeScan Corporate Edition 3.5 runs on Windows NT. Pricing starts
at $300 for a 25-seat license. Contact Trend Micro, 408-867-6404.
   http://www.antivirus.com

* AUTHENTICATION TOKENS
CRYPTOCard announced the KF-1 and the PT-1, new authentication tokens
in the company's CRYPTOAdmin 4.1 administration platform. Unlike other
key chain-based authentication tokens, the KF-1 is a steel-cased unit
with PIN entry for activation. Only on activation does the KF-1 display
the password, eliminating the risks presented by systems that send the
PIN in the clear across the network. The PT-1 provides authentication
for accessing corporate networks with Palm handheld devices and
provides one-time password authentication without requiring the Palm
user to carry an additional hardware device. PT-1 has no predetermined
expiration date and is a one-time purchase for network security
officers.
   CRYPTOAdmin 4.1 runs on Windows NT, Linux, Sun Solaris, AIX, and
FreeBSD systems. For pricing, contact CRYPTOCard, 800-307-7042.
   http://www.cryptocard.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* K-FORCE
Afraid of getting lost on another job board? Real results by real
people at kforce.com. Resumes read by 2,300 Career Specialists,
Confidential Searching, and a Career Development Coach! Click on
***kforce.com*** where opportunity has a new address.
http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption! Get a FREE Guide
from VeriSign, "Securing Your Web Site for Business." Click Here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016004150008000

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: NETWORK SECURITY: IN A MIXED ENVIRONMENT
By Dan Blacharski
Online Price: $31.95
Softcover; 408 pages
Published by IDG Books Worldwide, March 1998

Protect your network with the help of Network Security: In a Mixed
Environment. Industry expert Dan Blacharski combines technical insight
and real-world experience to produce a solid how-to manual designed to
reduce the dangers inherent in mixed environment computing.
   Network Security: In a Mixed Environment covers all the basics in
establishing a protected network, from determining security needs to
acquiring the right hardware and software. You'll get detailed
information on NetWare, Windows NT, and UNIX security features;
safeguarding your network against various threats; hardware and
software; security monitors; and more.

For Windows NT Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing in WINNTMAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/0764531522?from=SUT864.
 
* TIP: LISTING ADMINISTRATIVE USERS
(contributed by Mark Joseph Edwards,
http://www.ntsecurity.net)

Rick Mitchell posted a message on the "HowTo for Security" mailing list
asking readers if they know of a utility that will remotely dump a list
of users in a particular group on a Windows NT 4.0 server. Rick says he
has more than 250 NT servers in his domain, and he needs a tool that
will provide a list of all users who have administrative rights on each
machine.
   The Microsoft Windows NT Server 4.0 Resource Kit is the most obvious
place to seek such utilities. Within the resource kit, you can find two
utilities: local.exe and global.exe. Each tool lists users and groups
by domain or server.
   In addition, SomarSoft's DumpACL utility can identify users and
groups and identify NTFS and share permissions. Frank Ramos' tools at
SomarSoft are all free.
   Adkins Resource also produces a nifty tool to get the job done. Head
over to its Web site and download Hyena 2.2. Pricing for the tool
starts at $269, and it's available as a 30-day evaluation.
   http://mspress.microsoft.com/reslink
   http://www.somarsoft.com
   http://www.adkins-resource.com
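
As an added illustration (not part of the newsletter, and not one of the
tools it names), the same per-server audit can be scripted in Windows
PowerShell through the ADSI WinNT provider. The function name
Get-LocalAdminMember and the files servers.txt and admins.csv are
hypothetical.

```powershell
# Added example: list the members of a local group on many servers.
# Uses the ADSI WinNT provider; run from an account that may query each host.
function Get-LocalAdminMember {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$GroupName = 'Administrators'
    )
    foreach ($computer in $ComputerName) {
        try {
            # Bind to the local group object on the remote machine.
            $group   = [ADSI]"WinNT://$computer/$GroupName,group"
            $members = @($group.Invoke('Members'))
            foreach ($m in $members) {
                # Members are COM objects; read their properties late-bound.
                $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
                [pscustomobject]@{
                    Computer = $computer
                    Group    = $GroupName
                    # WinNT://DOMAIN/name -> DOMAIN\name
                    Member   = (($path -replace '^WinNT://', '') -replace '/', '\')
                    Class    = $class   # 'User' or 'Group'
                    Error    = $null
                }
            }
        }
        catch {
            # Keep unreachable or access-denied hosts in the report
            # instead of silently dropping them.
            [pscustomobject]@{
                Computer = $computer; Group = $GroupName
                Member = $null; Class = $null
                Error = $_.Exception.Message
            }
        }
    }
}

# Usage (hypothetical file names, one host name per line in servers.txt):
# Get-LocalAdminMember -ComputerName (Get-Content .\servers.txt) |
#     Export-Csv .\admins.csv -NoTypeInformation
```

Rows with Class 'Group' are nested groups (for example a domain group)
whose own members are not expanded here; review those separately.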

* HOWTO: MORE WINDOWS 2000 TOPICS, ACRONYMS, AND CONCEPTS
Zubair Ahmad presents his third column in an occasional series of
Windows 2000 Ready Web exclusive features that define new Windows 2000
(Win2K) terms and concepts.
   http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=115&TB=howto

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
NT Magazine online forums (http://www.winntmag.com/support).

December 02, 1999, 01:33 P.M.
Hacker - What Can I Do?

I'm hoping someone can help me. I have what I believe to be a hacker
attempting to access my mail server. I'm showing entries in my Security
Event Log with an outside SMTP attempt to access my server. It then
says "LogonUser()call failed with error. Logon failure: unknown user
name or bad password." I'm assuming this means someone is trying to
enter but is unsuccessful. If I am incorrect, or if anyone has any
ideas as to how I can track this person down or scare them off, let me
know. Any help would be appreciated. Thanks in advance.

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=80519

* WIN2KSECADVICE MAILING LIST
Each week, we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following threads are in the spotlight
this week:
1. SP6A INCLUDED SECURITY FIXES?
http://www.ntsecurity.net/go/w.asp?A2=IND9912A&L=WIN2KSECADVICE&P=307
2. SQL 7 MAGIC PACKET DENIAL OF SERVICE
http://www.ntsecurity.net/go/w.asp?A2=IND9912A&L=WIN2KSECADVICE&P=792

Follow this link to read all threads for Dec. Week 1:
   http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
"HowTo for Security" mailing list. The following threads are in the
spotlight this week:

1. PDC MULTI-HOMED
http://www.ntsecurity.net/go/L.asp?A2=IND9912A&L=HOWTO&P=2986
2. LOCAL GROUP LISTING UTILITY
http://www.ntsecurity.net/go/L.asp?A2=IND9912A&L=HOWTO&P=200
3. SYNC TIME ON DOMAIN COMPUTERS
http://www.ntsecurity.net/go/L.asp?A2=IND9912A&L=HOWTO&P=2886

Follow this link to read all threads for Dec. Week 1:
   http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson
(vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Editor-at-Large - Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE.

To subscribe, go to http://www.winntmag.com/update or send email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the
words "unsubscribe securityupdate" in the body of the message without
the quotes.

To change your email address, you must first unsubscribe by sending
email to listserv@listserv.ntsecurity.net with the words "unsubscribe
securityupdate" in the body of the message without the quotes. Then,
resubscribe by going to http://www.winntmag.com/update and entering
your current contact information or by sending email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice.
Subscribe to these other FREE email newsletters at
http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 1999, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html