**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE 
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought 
to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/ 
**********************************************************

This week's issue sponsored by
Trend Micro -- Your Internet VirusWall 
http://www.antivirus.com/welcome/tax_stress041200.htm

How to Detect Denial of Service Attacks in Real-Time
http://www.win2000mag.com/jump.cfm?ID=25
(Below SECURITY ROUNDUP) 

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
April 12, 2000 - In this issue:

1. IN FOCUS
     - Sting Operations in Effect

2. SECURITY RISKS
     - RealPlayer Buffer Overflow Condition
     - Cold Fusion Forums Exposed
     - Bypass Excel Code Execution Warning Dialogs

3. ANNOUNCEMENTS
     - Spruce Up Your Web Site with Windows 2000 Headlines
     - Put Your Knowledge of Microsoft Products to the Test!
     - Windows 2000 Magazine Presents: The Windows 2000 Experience 

4. SECURITY ROUNDUP
     - News: Shun the Frumious Bandersnatch
     - News: Bullet Product Might Raise Privacy Concerns
     - News: Managed Intrusion Detection Services

5. NEW AND IMPROVED
     - Managed Antivirus Solution 
     - Free Open Source Security Tool

6. HOT RELEASES (ADVERTISEMENT)
     - GFI's LANguard - Internet/Network Access Control
     - Network-1 Security Solutions – Securing e-Business Networks

7. SECURITY TOOLKIT
     - Book Highlight: SSL and TLS Essentials: Securing the Web
     - Tip: Enable IPSec Logging

8. HOT THREADS 
     - Windows 2000 Magazine Online Forums
         System Account Locked Out
     - Win2KSecAdvice Mailing List
         PCAnywhere Weak Password Encryption
     - HowTo Mailing List
         NTLMV2 on Win95 RAS Clients
         Null Session Logon

~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
As the deadline for filing income taxes draws closer, you would have one 
less worry if you had Trend Micro's reliable antivirus software on your 
network servers. A world leader in antivirus and content security 
technologies, Trend Micro's centrally web-managed Internet gateway, Notes 
and Exchange email server, desktop machine and network server protection 
forms a protective, content security VirusWall around your entire 
enterprise network.
http://www.antivirus.com/welcome/tax_stress041200.htm

1. ========== IN FOCUS ==========

Hello everyone,

Have you considered building a honey pot on your network? A honey pot is a 
device designed to catch intruders by fooling them with a false 
presentation. Such devices can be very simple or incredibly complex, 
depending on what you want them to do. In any case, honey pots are decoys 
that emulate either part or all of a network.
   Traditionally, such devices have been used to steer attackers into what 
appears to be an easy target, when in most cases, it's an attacker's worst 
nightmare. When the attacker takes the bait and begins banging away at the 
honey pot, the honey pot records all actions so they can be analyzed to 
learn how the attacker works. Additionally, a company can often use that 
information as evidence to convict the attacker of any committed crimes. In 
a nutshell, a honey pot acts like a sneaky virtual undercover cop.
   I've heard faint grumblings recently regarding new sting operations on 
the Internet that are designed to lure hotshot Web and e-commerce site 
crackers into certain doom. The operations take honey pots one step 
further. Now that you can emulate an entire network with software, why not 
add full-blown e-commerce storefronts to further sweeten the pot? I think 
that's a great idea and, if rumors are correct, that's exactly what's 
happening in force. Sources tell me these new honey pots leave no stone 
unturned when it comes to presentation. Names, addresses, credit card 
information, prior purchasing records, personal preferences, and more are 
included to give these sites the most authentic feel possible.
   If your network doesn't have a honey pot, perhaps you should consider 
building one. Such devices offer value as a way to gather evidence, as a 
deterrent, and as an educational tool that can teach administrators how a 
given site cracker works. You can build a simple honey pot using scripts, 
compiled code, and tools such as the VMware emulator 
(http://www.vmware.com), or you might want to use a commercially designed 
product such as Network Associates' Sting (http://www.nai.com) or Recourse 
Technologies' ManTrap (http://www.recourse.com).
   On another note, last week, I mentioned application service providers 
(ASPs) and their exposure to attack. I said that ASPs are sitting ducks, 
which is true if the ASPs provide service via the Internet. But many of you 
wrote to remind me that there is still such a thing as private circuits, 
which lend tremendous value to an ASP-based solution. Thanks to everyone 
who sent me thoughts and suggestions.
   Private circuits are a fabulous idea when it comes to ASP connections. 
With private circuits, the chances for an attack against your network are 
dramatically reduced. Furthermore, network response times will be more 
consistent because you probably don't have to share bandwidth with the rest 
of the world as you do on the public Internet.
   In addition to those advantages, private circuits restrict the types of 
attacks that an intruder can launch. Flooding a network or sniffing packets 
is difficult when you don't have a connection or path into that network. 
Private circuitry means that an attacker must have inside help or take 
extreme measures to cause even the slightest disruption to your network. A 
construction crew is likely to be more burdensome than a potential cracker. 
I can't tell you how many times such a crew has accidentally cut one of my 
fiber cables while trying to push pipe or repair a sidewalk.
   ASPs promise to make business operations simpler for all. And if you're 
willing to buy into that solution now as an early adopter of such 
technology, consider the peaceful feeling you could enjoy by knowing your 
connection to an ASP is totally private. If you do the math and weigh the 
real-world risks, I think you'll find that private circuits are clearly the 
way to go. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* REALPLAYER BUFFER OVERFLOW CONDITION
Adam Munter discovered a buffer overflow condition in the Win32 version of 
RealNetworks' RealPlayer basic client, versions 6 and 7. The overflow 
occurs when a user enters more than 299 characters as a location from which 
to retrieve media files. If RealPlayer is embedded into a Web page, the 
overflow condition might also cause the browser to crash.
   http://www.ntsecurity.net/go/load.asp?iD=/security/realplayer1.htm

* COLD FUSION FORUMS EXPOSED
Allaire's Cold Fusion contains a bug that lets users view and post to 
secure conference threads via unsecured conferences and via email. 
According to Allaire's report, the security problem in the code exists in 
certain unscoped variables and the base-coding schema of forums. The 
problem involves the variable rightAccessAllForums, which the forum code 
doesn't handle properly. The bug lets a user post and view conferences that 
they're not part of or lets users sign up for forums that haven't yet been 
created.
   http://www.ntsecurity.net/go/load.asp?iD=/security/coldfusion2.htm

* BYPASS EXCEL CODE EXECUTION WARNING DIALOGS
When an Excel user starts a macro that resides outside of the current 
spreadsheet (e.g., in another spreadsheet), Excel by design generates a 
warning dialog box. However, this dialog box is not generated if the macro 
consists of Excel 4.0 Macro Language commands in an external text file.

3. ========== ANNOUNCEMENTS ==========

* SPRUCE UP YOUR WEB SITE WITH WINDOWS 2000 HEADLINES
Add instant depth to your Web site's content by posting Windows 2000 
(Win2K) news headlines, industry commentary and analysis, and IT poll 
results.  Our headlines, updated daily, will keep your Web visitors current 
on the latest happenings in the IT world by linking them to full news 
articles and editorials at Windows 2000 Magazine online. Registration and 
maintenance is easy--and free! To find out more, visit  
http://www.win2000mag.net/affiliateprog/affiliateprog.html.

* PUT YOUR KNOWLEDGE OF MICROSOFT PRODUCTS TO THE TEST!
Play the Microsoft TechNet Puzzler and use your expertise to win a trip to 
the Tech-Ed 2000 Conference in Orlando and a BMW Z3 Roadster!
http://www.microsoft.com/technet/puzzler/default.asp

* WINDOWS 2000 MAGAZINE PRESENTS: THE WINDOWS 2000 EXPERIENCE 
Before making any decisions about Windows 2000 (Win2K), get all the 
facts from a trusted source. The Windows 2000 Experience Web site 
gives you the how-to knowledge, resources, and product information 
you need to evaluate and deploy Win2K. Check out our news, in-depth 
articles, forums, and product offerings--all focused squarely on Win2K. 
http://www.windows2000experience.com

4. ========== SECURITY ROUNDUP ==========

* NEWS: SHUN THE FRUMIOUS BANDERSNATCH
Encryption uses nontraditional methods to communicate a meaning, just as 
Lewis Carroll wrote in nontraditional lingo when composing the famous poem, 
Jabberwocky. That's what the 6th Circuit Court of Appeals said Tuesday, 
April 4, when it declared that encryption code is protected by the First 
Amendment. The court decided that phrases such as Carroll's "shun the 
frumious bandersnatch" are no different than a computer-encrypted message, 
and thus, obscure forms of communication are protected under the First 
Amendment.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=115&TB=news

* NEWS: BULLET PRODUCT MIGHT RAISE PRIVACY CONCERNS
Internet Security Systems (ISS) in Atlanta has developed a new product 
(code-named Bullet) that lets companies scan a Web site visitor's PC for 
Trojans and viruses. The tool is designed to prevent spread of such 
nuisances to e-commerce sites. Company CEO Thomas Noonan said the use of 
such technology might cause privacy invasion concerns.
   http://www.cnn.com/2000/TECH/computing/04/06/scan.visitors.idg

* NEWS: MANAGED INTRUSION DETECTION SERVICES
Counterpane Internet Security and Internet Security Systems (ISS) have 
begun offering managed intrusion detection services. Counterpane's 
technology involves a black box based on Linux, which captures data and 
transmits that data back to Counterpane for analysis. The ISS solution 
involves the use of its SafeSuite platform, where ISS supplies 
personnel to a company's operation center.
   http://www.nwfusion.com/news/2000/0403intrusion.html

~~~~ SPONSOR: HOW TO DETECT DENIAL OF SERVICE ATTACKS IN REAL-TIME ~~~~
Protect yourself against Denial of Service (DoS) attacks with NetProwler 
and Intruder Alert by transparently monitoring traffic in real-time and 
reacting instantly. Learn about DoS attacks with your FREE guide, 
"Everything You Need to Know About Intrusion Detection," at: 
http://www.win2000mag.com/jump.cfm?ID=25
AXENT is the leading provider of e-security solutions for your business, 
delivering integrated products and expert services to 45 of the Fortune 50 
companies.

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* MANAGED ANTIVIRUS SOLUTION 
SonicWALL and myCIO.com announced a strategic partnership to protect 
customers against viruses. SonicWALL protects users against viruses by 
embedding antivirus enforcement policies developed around myCIO.com's 
VirusScan ASaP antivirus application service into the company's SonicWALL 
line of Internet security appliances. This approach delivers a Web-based, 
easy-to-use solution to protect e-business from prevalent network threats. 
The antivirus software upgrade to the SonicWALL Internet security appliance 
will be available in Q2, 2000, and runs on Windows 2000 (Win2K), Windows 
NT, and Windows 9x. For more information, contact SonicWALL, 408-745-9600 
or visit the company Web site, or you can contact myCIO.com at its company 
Web site.
   http://www.sonicwall.com
   http://www.mycio.com 

* FREE OPEN SOURCE SECURITY TOOL
Reliable Software Technologies (RST) announced ITS4, a free, open-source 
software tool that identifies more than 130 of the most common security 
problems during the software development and auditing process. ITS4 
codifies security expertise into rules used to identify potential security 
problems in source code. ITS4 statically scans C and C++ source code for 
potential security vulnerabilities. The product is a command-line tool that 
works across UNIX environments and will also run on Windows if you have 
CygWin installed. The CygWin tools function by using the CygWin library, 
which provides a UNIX-like API on top of the Win32 API. For more 
information, contact Reliable Software Technologies at 703-404-5757 or go 
to its Web site.
   http://www.rstcorp.com

6. ========== HOT RELEASES (ADVERTISEMENT) ==========

* GFI'S LANGUARD - INTERNET/NETWORK ACCESS CONTROL
Concerned about unproductive Internet use at work? GFI’s LANguard monitors 
all Internet traffic to prevent this. LANguard lets you specify which sites 
& what type of content are allowed. For your free 5-user version, visit: 
http://www.gfi.com/securitylan.shtml!

* NETWORK-1 SECURITY SOLUTIONS – SECURING E-BUSINESS NETWORKS
Getting nervous about denial of service attacks? CyberwallPLUS-SV is the 
first embedded firewall for NT servers. It secures servers with network 
access controls and intrusion prevention. Visit 
http://www.network-1.com/products/svintro.htm for a free evaluation kit and 
white paper.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: SSL AND TLS ESSENTIALS: SECURING THE WEB
By Stephen Thomas
Online Price $27.95
Softcover; 197 Pages
Published By John Wiley & Sons, March 2000
ISBN 0471383546

This book provides an inside look at secure Web transactions with Secure 
Socket Layer (SSL) encryption and the much-anticipated Transport Layer 
Security (TLS). E-businesses have long used SSL, a public key cryptography 
method, to encrypt sensitive information, verify a user's identity before 
allowing access, and discourage spoofing. However, because SSL is a closed 
protocol, Web programmers had no resources for adding advanced security 
measures--until now. Written by the author of "IPng and the TCP/IP 
Protocols" (Wiley), "SSL and TLS Essentials" contains the complete 
documentation of SSL, plus coverage of TLS and Microsoft's Server Gated 
Cryptography (SGC). The book also provides a concise tutorial in 
cryptography using eight real-world scenarios that illustrate protocol 
operations and details of SSL messaging.

For Windows 2000 Magazine Security UPDATE readers only--Receive an 
additional 10 percent off the online price by typing WIN2000MAG in the 
discount field on the Shopping Basket Checkout page. To order this book, go 
to:
http://www.fatbrain.com/shop/info/0471383546?from=win2000mag

Or visit the Windows 2000 Magazine Network Bookstore at:
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772

* TIP: ENABLE IPSEC LOGGING
(contributed by http://www.ntfaq.com) 

A reader asks whether it's possible to enable logging for IPSec. The answer 
is yes. To enable IPSec logging, perform the following Registry change, but 
be careful. Incorrect Registry edits can lead to a non-bootable system.
Start the Registry Editor (regedit.exe) and move to 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent. 
From the Edit menu, select New, then Key, and then define the key name as 
"Oakley" without the quotes. Next, select the newly created Oakley key and 
then select New, DWORD Value from the Edit menu. Enter the DWORD name as 
"EnableLogging" without the quotes and set its value to 1. After you've 
completed the definitions, restart the PolicyAgent service so that the 
changes take effect. Keep in mind that the logs will be written to the 
%systemroot%\debug\oakley.log file.
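
The same change in scripted form, for applying the tip to more than one 
machine. This is an added example, not part of the original tip. It assumes 
an elevated session on a host where PowerShell is installed; the function 
name Enable-OakleyLogging is hypothetical.

```powershell
# Added example, not part of the newsletter. The key path, value name, service
# name and log path are the ones given in the tip; the function name is
# hypothetical. Assumes an elevated session on a host with PowerShell installed.
function Enable-OakleyLogging {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $agentKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $oakleyKey = Join-Path $agentKey 'Oakley'
    $logFile   = Join-Path $env:SystemRoot 'debug\oakley.log'

    # Do not build the path from scratch: without the service key the
    # PolicyAgent service is not installed and the value would do nothing.
    if (-not (Test-Path $agentKey)) {
        throw "Service key not found: $agentKey"
    }

    if ($PSCmdlet.ShouldProcess($oakleyKey, 'Set EnableLogging = 1 and restart PolicyAgent')) {
        # Create the Oakley subkey only when it is absent, so any values
        # already stored under it are left alone.
        if (-not (Test-Path $oakleyKey)) {
            New-Item -Path $oakleyKey | Out-Null
        }

        # -Force overwrites an existing EnableLogging value of any type.
        New-ItemProperty -Path $oakleyKey -Name 'EnableLogging' `
            -PropertyType DWord -Value 1 -Force | Out-Null

        # The tip requires a service restart before the change takes effect.
        Restart-Service -Name 'PolicyAgent' -ErrorAction Stop
    }

    # Read the setting back instead of assuming the write succeeded.
    $current = Get-ItemProperty -Path $oakleyKey -Name 'EnableLogging' `
        -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        EnableLogging = $current.EnableLogging
        ServiceStatus = (Get-Service -Name 'PolicyAgent').Status
        LogFile       = $logFile
        LogExists     = (Test-Path $logFile)
    }
}

Enable-OakleyLogging
```

Calling the function with -WhatIf reports the current state without writing 
to the Registry or restarting the service.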

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 
2000 Magazine online forums (http://www.win2000mag.com/support). 

April 04, 2000, 09:11 A.M. 
System Account Locked Out 
I have just implemented password policies on one of our domains and am 
getting a message in the Event Log saying that the user account is locked 
out for account ID SYSTEM. All seems to be working okay but I'm not sure 
what this means. Can anyone tell me what this message means? Will 
"something" not be working? Thanks in advance.

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=97839.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week:

PCAnywhere Weak Password Encryption
When users log on, they are prompted for an NT username and password. The 
username and password are then encrypted through the PCAnywhere method and 
decrypted by the host computer for validation by the NT domain controller. 
Someone snooping on the traffic between the two stations can unlock both 
the PCAnywhere and NT account.
http://www.ntsecurity.net/go/w.asp?A2=IND0004B&L=WIN2KSECADVICE&P=184

Follow this link to read all threads for April, Week 2:
   http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week:

1. NTLMV2 on Win95 RAS Clients
I am trying to implement NTLMV2 authentication for WIN95 RAS clients. I 
have followed KB article Q239869 and installed the dsclient.exe, verified 
it's installed as outlined, and performed the Registry hack to level 3 
(send NTLM2 responses only). However, an SMB capture reveals that only the 
LM hash is being used; the NTLM hash is zero filled. The DCs are SP6a. What 
am I missing?
http://www.ntsecurity.net/go/L.asp?A2=IND0004A&L=HOWTO&P=2274

2. Null Session Logon
The book I have on NT security briefly mentions that the threat with the 
Null Credentials logon is that it allows a Null session connection over the 
Named Pipe Share (IPC$) and this can allow a potential intruder to obtain a 
listing of user account names, account policy settings.
http://www.ntsecurity.net/go/L.asp?A2=IND0004A&L=HOWTO&P=1621

Follow this link to read all threads for April, Week 2:
   http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved – Judy Drennen (products@win2000mag.com)
Copy Editor – Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 2000, Windows 2000 Magazine