=====================================================================
WINDOWS SECURITY DIGEST
1999 SERIES
Watching the Watchers
October 18, 1999
=====================================================================
SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY

-- C O N T E N T S --

<< WEB SITE NEWS >>
 * Got Attrition?
 * Packetstorm Security!
 * Spotlight: New Security Product Database
 * Spotlight: HotFix Hotlist

<< NT SECURITY RISKS >>
 * Excel Symbolic Links
 * JavaScript Redirect

<< IN THE NEWS >>
 * Wired for Warfare
 * Why Hacking Contests Are a Bad Idea
 * Melissa Variant Virus Discovered
 * NTFS for Windows 98

<< FEATURE ARTICLES >>
 * Anatomy of an Intrusion
 * Getting the Drop on Network Intruders
 * State of Security 2000
 * Fear, Uncertainty, and Doom
 * So You Want to Be a Cryptographer?

<< HOW TO >>
 * Motives and Methods: A Virus Tutorial Part 2
 * C2 Compliance Check

<< NOTABLE HACK ATTACKS >>
 * George W. Bush Jr. Presidential Campaign Site

Hello -

You may have noticed that since the beginning of August, we have
started making significant changes to our Web site, located at
http://www.ntsecurity.net. Of course, the changes are designed to
serve each of you better, and as such we're interested in learning
what you think so far. Please feel free to drop me a line with any
comments you have regarding the new Web site as well as its features
and content.

Thanks,
Mark, mark@ntsecurity.net

==== SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY ====
Start preparing for holiday customers NOW - protect your site with
128-bit SSL encryption! Get VeriSign's FREE guide, "Securing Your Web
Site for Business." You will learn everything you need to know about
using SSL to encrypt your e-commerce transactions for serious online
security.
http://www.verisign.com/cgi-bin/go.cgi?a=n032602130009000
============================================================

_____________________________________________________________________
___________________________ WEB SITE NEWS ___________________________

*** GOT ATTRITION?

NT Security News is now providing a mirror from ATTRITION.ORG that
contains a list of the most recent Web site defacements, as reported
to the fine folks at ATTRITION. You'll find a link on the home page
currently listed under the "So What's New?" section. Be sure to take a
look at this data from time to time. It provides a decent perspective
on the number of sites that are defaced daily around the globe.
http://www.ntsecurity.net/go/loadit.asp?iD=/scripts/attrition.asp

*** PACKETSTORM SECURITY

As you may know, Packetstorm Security is now back online. For those
not already familiar with Packetstorm, the site offers a wealth of
security information in the form of bug reports, security-related
programs and code, whitepapers, technical documents, and more. We now
provide an up-to-the-minute mirror of all the latest additions to
Packetstorm, easily accessible from our home page. Be sure to check
the list from time to time.

As you'll learn by watching our Packetstorm page, many of the items
added each day do not pertain to Microsoft-based network and
application security. Nonetheless, it is without question worth the
effort to look for items that do pertain to your networks. Be sure to
check this page each day.
http://www.ntsecurity.net/go/loadit.asp?iD=/scripts/packetstorm.asp

*** SPOTLIGHT: NEW SECURITY PRODUCT DATABASE

We've recently added a brand new security product database to the
site. Using the new Web pages, any security-related product vendor may
add their product listings to our site, where tens of thousands of
users will see them every single month. And, once your products are
listed online, you may return at any time to modify your entries as
you see fit.
For example, when you release a new version of a listed product, the
details of your new version appear on our site as fast as you can
modify the listing. If your company sells products that are related to
security, you should definitely swing by our site and list them with
us. Think of it as free advertising.

To list your products at NTSecurity.NET, click the link below:
http://www.ntsecurity.net/go/loadit.asp?id=/products/start.asp

To see what the vendor product listings look like, follow this link:
http://www.ntsecurity.net/go/loadit.asp?id=/products/listproducts.asp

*** SPOTLIGHT: HOTFIX HOTLIST!

The Hotfix Hotlist is a feature that many of you asked us for time and
time again - so we finally created exactly what you asked for. The
Hotfix Hotlist is a single resource for all service packs and fixes
related to just about any major Microsoft product.

So now, instead of tediously surfing Microsoft's Web site and FTP site
looking for new security patches, you can simply visit our Hotfix
Hotlist, select a product, and everything you need regarding service
packs and security-related hotfixes appears on the screen, complete
with hotlinks to Support Online articles, downloadable fix files,
one-click top-level FTP directory access, and more. Plus, you can
click one link to see all new fixes for almost any Microsoft product
released in the last 45 days. Come check it out!
http://www.ntsecurity.net/go/loadit.asp?id=/fixes.asp

_____________________________________________________________________
__________________________ NT SECURITY RISKS ________________________

*** EXCEL SYMBOLIC LINK VULNERABILITY
Software Affected: Excel 97 and Excel 2000

David Young reported a problem with Excel 97 and Excel 2000 symbolic
link files that can contain macros, which execute without permission.
Microsoft has released a patch for the problem. The Excel 97 patch
also corrects a problem with macros imported from Lotus 1-2-3 or
Quattro Pro, where those macros also run without permission.
For complete details, including links to Microsoft's FAQ, the Support
Online articles, and the patches, please visit our Web site:
http://www.ntsecurity.net/go/load.asp?iD=/security/excel-slk.htm

PUT A REMINDER on your calendar to load this fix!
JUST CLICK THE LINK BELOW:
http://www.ntsecurity.net/to-do/excel-slk.vcs

*** JAVASCRIPT REDIRECT
Software Affected: Internet Explorer 4.01 and 5.0

Georgi Guninski reported a problem with IE regarding JavaScript and
redirects which could allow a Web site to read files on a remote
user's system without that user's knowledge.

According to Georgi's message, "Internet Explorer 5.0 under Windows 95
and WinNT 4.0 (suppose Win98 is vulnerable) allows reading local files
and text/HTML files from any domain. Window spoofing is possible. It
is also possible in some cases to read files behind firewall."

"The problem is a HTTP redirect to "javascript:" URLs. If you open a
local file and then change its location to an URL that redirects to
"javascript:JavaScript code" then the JavaScript code is executed in
the security context of the original local file and has access to its
DOM. The local file may be sent to an arbitrary server. In a similar
way one may do window spoofing. This vulnerability may be exploited
using HTML email message or a newsgroup posting."
http://www.ntsecurity.net/go/loader.asp?iD=/security/javascript.htm

_____________________________________________________________________
____________________________ IN THE NEWS ____________________________

*** WIRED FOR WARFARE

Time Magazine offers an interesting view of how at least one group of
Mexican guerrillas is using the Internet to wage cyberwar against
their enemies. [Time Magazine]
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=164&TB=news

*** WHY HACKING CONTESTS ARE A BAD IDEA

Ira Winkler, author of Corporate Espionage, offers up his opinion of
the latest PC Week challenge that offers everyone the chance to hack
into a Linux or Windows NT system.
[ZDNet]
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=163&TB=news

*** MELISSA VARIANT DISCOVERED IN THE WILD

According to a recent Network Associates report, a variant of the
dangerous Melissa virus has been discovered in the wild.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=162&TB=news

*** NTFS FOR WINDOWS 98

Mark Russinovich and Bryce Cogswell of SysInternals have released a
beta version of their new NTFS file system utility for Windows 9x
systems.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=161&TB=news

=====================================================================
Want to sponsor the newsletter or Web site?
Send email to ads@ntsecurity.net
=====================================================================

_____________________________________________________________________
______________________________ FEATURES _____________________________

*** ANATOMY OF AN INTRUSION

Greg Shipley offers a great feature detailing many of the means by
which an intruder may approach your particular systems in an attempt
to break in. [Network Computing]
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=130&TB=f

*** GETTING THE DROP ON NETWORK INTRUDERS

In her feature for Network World, Ellen Messmer discusses various
intrusion detection systems (IDS), as well as the nature of the
industry regarding ongoing development. [Network World]
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=129&TB=f

*** STATE OF SECURITY 2000

Network Computing offers a bird's eye view of the challenges we'll all
face in the coming years. In this article, which discusses VPNs, PKI,
firewalls, intrusion detection systems, various security tools, and
antivirus concerns, experts offer the skinny on what to expect and how
to keep things in proper perspective.
[Network Computing]
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=128&TB=f

_____________________________________________________________________
_______________________________ HOW TO ______________________________

*** MOTIVES AND METHODS: A VIRUS TUTORIAL PART 2

In part two of her ongoing series, Diane Levine discusses additional
virus-like risks that may also jeopardize a network. Items include
Trojans, worms, logic bombs, time bombs, backdoors, and rabbits.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=110&TB=h

_____________________________________________________________________
_______________________ NOTABLE HACK ATTACKS ________________________

*** GEORGE W. BUSH PRESIDENTIAL CAMPAIGN SITE

Crackers defaced the presidential campaign site of Republican
candidate George W. Bush early Tuesday, October 18th. The picture of
Bush normally seen on the site was replaced with a photo of the Texas
governor pictured with a red hammer and sickle along with a call for
"a new October revolution."

In a stroke of irony, Bush's Web site just happens to be hosted by the
Austin-based ISP "Illuminati Online." No archive of the cracked site
has been made available, and not-so-coincidentally, no one has claimed
responsibility for the defacement.

_____________________________________________________________________
______________________________ CONTACTS _____________________________

-- EDITOR: Mark Edwards, mark@ntsecurity.net
-- ADVERTISING: Jeffrey Scott Strayer, ads@ntsecurity.net
-- WEB SITE: General Delivery, webmaster@ntsecurity.net

Have something to contribute to this newsletter? Send it to us!
Email: press@ntsecurity.net

_____________________________________________________________________
Copyright (c) 1999 - NTSecurity.Net - ALL RIGHTS RESERVED
This newsletter may be forwarded or copied so long as the entire
content, including this notice, remains intact.