**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT and Windows 2000 security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

UltraBac.com
http://www.ultrabac.com/counter/winnt003s.htm

Symantec
http://www.symantec.com/specprog/sym/11200e.html
(Below Announcements)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

March 22, 2000 - In this issue:

1. IN FOCUS
     - New Precedents About To Be Set?

2. SECURITY RISKS
     - Oracle Web Listener May Run Arbitrary Commands
     - Microsoft Media License Manager Denial of Service
     - Internet Information Server Chunked Encoding Post

3. ANNOUNCEMENTS
     - Windows 2000 Magazine Affiliate Program

4. NEW AND IMPROVED
     - Security Scripting Language
     - Email Security Product

5. HOT RELEASE (ADVERTISEMENT)
     - VeriSign - The Internet Trust Company

6. SECURITY TOOLKIT
     - Book Highlight: Windows 2000 Security Little Black Book

7. HOT THREADS
     - Windows 2000 Magazine Online Forums:
         PST Files as Offline Folders
     - Win2KSecAdvice Mailing List:
         Help for Relentless Port Scanning
         Win2K's Default High Security Policy
     - HowTo Mailing List:
         Legal Question Regarding Security
         Windows 2000 Desktop Lockdown

~~~~ SPONSOR: ULTRABAC.COM ~~~~
UltraBac backup and disaster recovery software for NT3.51/NT4/Win2000 announces the release of Version 5.5. UltraBac v5.5 offers a new Oracle agent based on APIs, enhanced Disaster Recovery features, enhanced SQL 7.0 database restore options, and a new proprietary Locked File Backup (LFB) agent. Disaster recovery enhancements for image backups include tape spanning with software compression, a new GUI for creating disaster recovery boot floppies, and support for Hewlett Packard's new One Button Disaster Recovery (OBDR) functionality that was recently added to HP's tape drive products.
For more information and to download your FREE 45-day copy, click here:
http://www.ultrabac.com/counter/winnt003s.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone (Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising and International Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Piracy is a big concern for a lot of development companies. The amount of money reportedly lost each year at the hands of pirates is staggering. Naturally, developers take the matter seriously and guard the security of their code-based assets as fiercely as they can. One progressive way to guard software assets is to place the code into the public domain under some form of open-source licensing scheme. Thus, piracy becomes a moot point, and development takes more of a front seat to profits.

However, many firms develop code that could not feasibly be protected under an open-source scheme. Instead, their products' protection must rely on honesty or secrecy. Take, for example, the DVD-based Content Scrambling System (CSS) software technology, which relies on secrecy for protection. Developers use CSS to encrypt DVD-based media so that only DVD players can decrypt and play that media. This approach minimizes unauthorized duplication. But in November 1999, someone posted a program called DeCSS that can decrypt media that is copy protected with CSS. The release of DeCSS has caused quite a ruckus in the computer industry as well as in the motion picture industry. Naturally, Hollywood wants to protect its movies from unauthorized duplication and is going to extremes to do so.
In late December 1999, the DVD Copy Protection Association filed a lawsuit in California suing Web site operators who had posted copies of the DeCSS program. The association also sued Web site operators who merely posted links to sites that had the program online for download. The courts handed down an injunction prohibiting US sites from posting the code. But hackers and supporters have struck back hard. Attorneys for the defendants wanted the CSS code submitted as evidence in the case, which would make the code a matter of public record because civil lawsuits are public information. In addition, hackers from Australia will soon air the source code on Australian television. Australian law does not prohibit such action.

I think Hollywood has the right to sue the developers of DeCSS and people who distribute the program, but I also think the developers of DeCSS have the right to tell the world what they discovered. After all, the developers of DeCSS weren't the people who said the CSS technology was secure--they only proved that it wasn't.

That statement leads me to an interesting thought: What about the people who developed and promoted CSS as a secure technology in the first place? Aren't they to blame, too? If a company claims its technology is secure, but it turns out that the product is not, could the company be sued for fraud? The case raises so many questions that it likely will set more than one precedent for the computer industry and the Internet. I think those precedents will include new legal views on antipiracy and reverse engineering, which could dramatically impact the way security-related problems are discovered and reported in the future.

If you're a developer or a company that sells security-related solutions (whether software, hardware, or services), be sure to keep an eye on the DeCSS case. It might change the way you do business.
Before I sign off this week, I want to inform you all that the NTSecurity.net Web site may be offline until Friday morning. We have encountered some unexpected difficulties while moving the site from one data center to another. Thanks for your patience while we work to quickly bring the site back online.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* ORACLE WEB LISTENER MAY RUN ARBITRARY COMMANDS
Oracle Application Server ships with a component called Oracle Web Listener. Cerberus Information Security reported a problem with the component that could let an intruder run arbitrary commands on the server.
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003b&L=win2ksecadvice&F=&S=&P=4178

* MICROSOFT MEDIA LICENSE MANAGER DENIAL OF SERVICE
According to Microsoft's documentation, Windows Media License Manager is part of a technology set that enables distribution of copyrighted digital media. When Media Player opens a protected medium, it contacts the media provider to receive a license key. A malformed license key request can cause the License Manager to halt. For details, see Microsoft Support Online article Q257200 (http://support.microsoft.com/support/kb/articles/Q257/2/00.ASP?LNG=ENG&SA=ALLKB&FR=0).

* INTERNET INFORMATION SERVER CHUNKED ENCODING POST
Internet Information Server (IIS) supports chunked encoding transfers for PUT and POST operations; however, the server does not limit the amount of memory that can be requested for such a transfer during a given user session. Therefore an attacker can request large amounts of memory from the server and cause a Denial of Service (DoS) condition for the duration of that user's session. According to Microsoft's report, when the attacker closes the Web browser, IIS resumes normal operation.
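To make the missing limit concrete, here is an added illustration (not code from the newsletter or from Microsoft): a minimal HTTP/1.1 chunked-transfer decoder that checks the client-declared chunk size against a body cap before buffering anything, so a request can never make the server reserve more memory than policy allows. The 64KB cap, the function names and the two sample bodies are assumptions constructed for the example.

```python
# Added example (not from the newsletter): chunked decoder with a memory cap.

MAX_BODY_BYTES = 64 * 1024  # assumed policy value; tune per deployment

class ChunkedBodyTooLarge(Exception): pass  # declared size exceeds the cap

def decode_chunked(stream: bytes, max_body: int = MAX_BODY_BYTES) -> bytes:
    """Decode a chunked body, never buffering more than max_body bytes.
    The cap is checked on the client-declared chunk size *before* any
    data is copied, so a claimed huge chunk cannot force an allocation."""
    out, pos = bytearray(), 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        # Chunk size is hex, optionally followed by ";name=value" extensions.
        size_field = stream[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("malformed chunk size: %r" % size_field) from None
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailer headers, if any, are ignored here
        if len(out) + size > max_body:
            raise ChunkedBodyTooLarge("%d bytes declared, cap is %d" % (size, max_body))
        chunk = stream[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
    return bytes(out)

# Constructed sample request bodies.
GOOD_BODY = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
HOSTILE_BODY = b"40000000\r\n" + b"A" * 16 + b"\r\n"  # claims a 1 GiB chunk

def check(stream: bytes) -> str:
    """Classify a body as 'ok', 'too-large' or 'malformed'."""
    try:
        decode_chunked(stream)
        return "ok"
    except ChunkedBodyTooLarge:
        return "too-large"
    except ValueError:
        return "malformed"
```

The hostile body is rejected from its size line alone, before the 16 bytes that follow it are ever read; a server that allocated on the declared size first would have committed 1 GiB.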
For more information, see Microsoft Support Online article Q252693 (http://support.microsoft.com/support/kb/articles/q252/6/93.asp?LNG=ENG&SA=ALLKB&FR=0).

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000 MAGAZINE AFFILIATE PROGRAM
Windows 2000 Magazine, in cooperation with LinkShare, announces a new Web affiliate program. By simply placing a text or banner link on your Web site, you can earn up to $10 for each customer who clicks through from your site to ours and orders a subscription to either Windows 2000 Magazine or SQL Server Magazine. For more information, visit http://www.win2000mag.com/AboutUs/Index.cfm?Action=affiliate or http://www.sqlmag.com/Info/affiliate.cfm.

~~~~ SPONSOR: SYMANTEC ~~~~
Norton Ghost 6.0 is the premier tool for Windows 2000 migration, PC deployment, cloning, and PC recovery. It dramatically reduces IT costs by streamlining the configuration of networked workstations. Administrators can restore a system image onto a failed PC in as little as seven minutes, and reduce PC deployment and upgrade times by 90 percent or more. Click here to order your free trialware!
http://www.symantec.com/specprog/sym/11200e.html

4. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* SECURITY SCRIPTING LANGUAGE
Trusted Systems Services (TSS) announces AdvancedChecker 2.0, a security scripting language for Windows 2000 (Win2K) and Windows NT that installs, checks, sets, and fixes network security for large and small sites. AdvancedChecker is available as a beta. New features include user-defined macros, functions to query the Security log and the System and Application Event logs, and the ability to compile several source files into one object file. Contact TSS, 217-344-0996.
http://www.trustedsystems.com

* EMAIL SECURITY PRODUCT
TurnSafe Technologies announced SafeWrite, an email security product featuring advanced encryption technology.
SafeWrite is easy to use--just type in the recipient's address and send your message. SafeWrite lets you send secure messages without having to worry about the receiver's software, without having to keep track of any public keys, and without forcing the receiver to install SafeWrite or other special viewing software. You can use your existing POP, IMAP4, Web-based, or AOL email account. SafeWrite is compatible with most OSs, including Windows, Mac OS, Linux, OS/2, and UNIX. SafeWrite sends messages with dissolving keys, so that after a user reads a message, it cannot be reopened. SafeWrite secure email service is available by subscription to individuals for 2 years at a cost of $39.95, and includes product updates during the subscription period. Multiuser and domain rates are also available.
http://www.turnsafe.com

5. ========== HOT RELEASE (ADVERTISEMENT) ==========

* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption! Get a FREE guide, "Securing Your Web Site for Business." You'll learn how to use SSL encryption for serious online security.
http://www.verisign.com/cgi-bin/go.cgi?a=n016005190008000

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: WINDOWS 2000 SECURITY LITTLE BLACK BOOK
By Ian Mclean
Online Price: $19.95
Softcover; 400 pages
Published by Coriolis, February 2000
ISBN: 1576103870

"Windows 2000 Security Little Black Book" is an indispensable tool for the security professional working in the Windows 2000 (Win2K) environment. This book is packed with methods and tips for implementing secure, but useable, network policies. Whether you work in a small organization with a few hundred users or a large multinational group working across WANs and the Internet, you'll find the information you need presented in an accessible, user-friendly format.
Using this book, you can unlock the secrets of Win2K's Active Directory (AD), Group Policy, security protocols, encryption, public key security, security certificates, smart cards, IP security, VPNs, and the security toolset.

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WIN2000MAG in the referral field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/1576103870?from=SUT864.

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

March 17, 2000, 07:09 A.M.
PST Files as Offline Folders

When selecting my network-based PST Folders as Offline Folders, I get a synchronization error and it fails. The rest of the folders can be set as offline. I have already shut down Outlook and checked that there are no file locks or anything. I did successfully select them in RC2, but since upgrading, I can't do it. Anyone know if there is a fix or is this a "feature"?

Thread continues at http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=70&Message_ID=95536

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. Help for Relentless Port Scanning
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=win2ksecadvice&P=1614

2. Win2K's Default High Security Policy
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=win2ksecadvice&P=861

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week:

1. Legal Question Regarding Security
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=howto&P=2783

2.
Windows 2000 Desktop Lockdown
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=howto&P=12148

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.

To subscribe, go to the UPDATE home page at http://www.win2000mag.com/update or send an email to join-securityupdate@list.win2000mag.net.

To remove yourself from the list, send a blank email to leave-securityupdate@list.win2000mag.net.

To change your email address, send a message with the content below to securityupdate@list.win2000mag.net.

set securityupdate email="new email address"

Replace "new email address" (including quotes) with your new email address.

If you have questions or problems with your UPDATE subscription, please contact owner-securityupdate@list.win2000mag.net.

========== GET UPDATED! ==========
Receive the latest information on the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up99inxsup.
Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|

Copyright 2000, Windows 2000 Magazine