**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/memorialday.htm

Network-1 Security Solutions - NT/2000 Host Firewalls
http://www.network-1.com/eval/eval6992.htm
(Below SECURITY ROUNDUP)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

May 24, 2000 - In this issue:

1. IN FOCUS
     - Is PKI Secure Enough?

2. SECURITY RISKS
     - Offline Explorer Exposes System Files
     - NiteServer FTP Server Denial of Service
     - Windows IP Fragment Reassembly
     - Internet Explorer Frame Domain Verification
     - Internet Explorer Unauthorized Cookie Access
     - Internet Explorer Malformed Component Attribute
     - Unchecked Buffer in Lotus Domino 5.0.1
     - Crashing NetProwler 3.0
     - BlackICE Blank Password and Code Execution

3. ANNOUNCEMENTS
     - Windows 2000/NT 4.0 Security and Control Conference and Expo
     - Microsoft Tech-Ed 2000 WebCast

4. SECURITY ROUNDUP
     - News: New Love Packs a Wallop
     - News: The Upcoming Outlook Security Patch: Should You Load It?

5. NEW AND IMPROVED
     - Improved Internet Update Speed
     - Internet Banking Services and Internet 911

6. HOT RELEASE (ADVERTISEMENT)
     - Mail Essentials: Anti-Virus Gateway for Exchange!
     - Palm IIIc Giveaway - Windows NT Security Survey

7. SECURITY TOOLKIT
     - Book Highlight: Internet and Intranet Security Management: Risks and Solutions
     - Tip: Make My Computer Show Current Username and Machine Name
     - Ultimate Security Toolkit: SecurePC
     - Writing Secure Code: Parsing POP Input
     - Windows 2000 Security: Delegating Password Reset Control

8.
HOT THREADS
     - Windows 2000 Magazine Online Forums
       Migrating a BDC to a New Domain
     - Win2KSecAdvice Mailing List
       Possible New Email Virus Concept and Bypass IE Settings
     - HowTo Mailing List
       Biometrics Security

~~~~ SPONSOR: TREND MICRO--YOUR INTERNET VIRUSWALL ~~~~
Stop LOVELETTER and other viruses as you prepare for the long Memorial Day weekend to make sure your network doesn't also take a vacation! Install Trend Micro's reliable antivirus software across your network to keep it running and virus-free. A world leader in antivirus and content security technologies, Trend Micro's centrally web-managed Internet gateway, Notes and Exchange email server, desktop machine and network server protection forms an ironclad content security VirusWall around your entire enterprise network. A FREE 30-day evaluation is at
http://www.antivirus.com/memorialday.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone (Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

If e-commerce is a hot subject, then so is public key infrastructure (PKI). But what value does PKI really have? If you ask some experts, the answer is little value, if any, and the cited reasons are many. I recently read an article, "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure," by Carl Ellison and Bruce Schneier. Ellison is a senior security architect for Intel, and Schneier is founder of Counterpane Internet Security and author of "Applied Cryptography," the Blowfish and Twofish encryption algorithms, and other published material. In the article, the two address the question of whether PKI is really needed for e-commerce.
Ellison and Schneier remind us that e-commerce doesn't need PKI because e-commerce is already flourishing, with online vendors everywhere taking orders that lack a PKI-based certificate. On the other hand, Ellison and Schneier suggest that PKI does, in fact, need e-commerce to flourish; without it, PKI is a dead market. To support those claims, the authors discuss ten risks associated with PKI.

To summarize, Ellison and Schneier point out that no mechanism exists to determine who used a given key, and certificate common names don't offer an easy way to identify the certificate owner. The authors present a long list of items related to how certificate information is mishandled during and after key generation and point out that when it comes to information security, people generally misunderstand the word "trust."

Ellison and Schneier make some great points when suggesting that PKI technology is short-sighted on security and long-sighted on profit making. Although the article offers no thoughts about replacements for PKI, it does shoot down the entire idea of single sign-on (SSO) technology, citing PKI as the culprit behind SSO's popularity. Ellison and Schneier think that if it weren't for marketing hype and the mad rush toward e-commerce, people would realize just how insecure PKI technology is.

Take some time to read their article (http://www.counterpane.com/pki-risks-ft.txt), and let me know what you think. I'm also interested in whether your company depends on PKI for some part of its security. If so, how do you use it? If not, is it a consideration for future e-commerce or SSO projects? Does the article by Ellison and Schneier change your opinion? Stop by our home page (http://www.ntsecurity.net) and take the latest survey, or send me your thoughts by email. I'm anxious to know what you think.

Until next time, have a great week.

Sincerely,

Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2.
========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* OFFLINE EXPLORER EXPOSES SYSTEM FILES
A user named Wyzewun reported a security risk in MetaProducts' Offline Explorer. According to the report, Offline Explorer starts a service on port 800 that lets an intruder remotely view a Web user's cache. The service is vulnerable to directory traversal bugs, which let remote users connect to a system and view files that reside outside of the cache directory. The remote user can access files using the long-known "GET ..\.." request style. MetaProducts is aware of the issue but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/offexpl1.htm

* NITESERVER FTP SERVER DENIAL OF SERVICE
A user named Wyzewun reported four security problems in the NiteServer FTP server software. When the daemon receives 40 or more USER commands, the system runs out of memory and crashes. When a password command (PASS) is not terminated and the service is continually sent characters, the service allocates memory for those characters until the system runs out of memory. Sending the service a PORT command followed by an immediate client disconnect causes the FTP service to stop accepting connections. Sending a long parameter with the RNTO command also causes the server to stop accepting connections. The vendor is aware of the problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/niteftp1.htm

* WINDOWS IP FRAGMENT REASSEMBLY
BindView's Razor Team discovered that sending large numbers of identical, fragmented IP packets to a Windows 2000 or Windows NT 4.0 host might cause the host to stop responding for the duration of the attack due to 100 percent CPU utilization. Microsoft has released a patch to correct the problem.
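The Offline Explorer and NiteServer items above share a root cause: a small network daemon accepts client input without bounding it (the unterminated PASS command that exhausts memory) or containing it (the "GET ..\.." request that walks out of the cache directory). The C program below is an added example written for this issue; it is not code from MetaProducts, from NiteServer's vendor, or from David LeBlanc's POP-parsing column mentioned in the Security Toolkit section, although it is the same kind of bounded line-reading function that column calls for. Every name in it (read_line_bounded, split_command, resolve_under_root, the mem_src source that stands in for a socket) is my own construction, and the request stream and the C:\cache root are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Byte source: a real daemon wraps recv() here; the constructed in-memory
   source below stands in for a socket. Returns 0..255 or -1 at end of input. */
typedef int (*getc_fn)(void *ctx);
enum { LINE_TOO_LONG = -1, LINE_EOF = -2 };

/* Read one LF/CRLF-terminated line into buf (capacity cap, NUL included),
   never writing past buf[cap-1]. Returns the length, or LINE_TOO_LONG when the
   client keeps sending bytes with no terminator: the caller should drop the
   connection rather than buffer on, which is the unterminated-PASS failure. */
int read_line_bounded(getc_fn next, void *ctx, char *buf, size_t cap)
{
    size_t len = 0;
    int c;
    if (cap == 0) return LINE_TOO_LONG;
    while ((c = next(ctx)) != -1) {
        if (c == '\n') {
            if (len > 0 && buf[len - 1] == '\r') len--;  /* strip CR of CRLF */
            buf[len] = '\0';
            return (int)len;
        }
        if (len + 1 >= cap) return LINE_TOO_LONG;      /* no room for byte + NUL */
        buf[len++] = (char)c;
    }
    return LINE_EOF;
}

/* Constructed in-memory source (hypothetical helper, not from any product). */
struct mem_src { const char *data; size_t pos, len; };
int mem_getc(void *ctx)
{
    struct mem_src *m = ctx;
    return m->pos < m->len ? (unsigned char)m->data[m->pos++] : -1;
}

/* Split "VERB argument" into two bounded buffers sized by the protocol (RFC
   1939 POP3, for instance, allows 3-4 character keywords and arguments of at
   most 40 characters). Returns -1 if either part would not fit, so nothing is
   ever copied into a too-small buffer. */
int split_command(const char *line, char *verb, size_t vcap, char *arg, size_t acap)
{
    const char *sp = strchr(line, ' ');
    size_t vlen = sp ? (size_t)(sp - line) : strlen(line);
    const char *rest = sp ? sp + 1 : "";
    size_t alen = strlen(rest);
    if (vlen == 0 || vlen >= vcap || alen >= acap) return -1;
    memcpy(verb, line, vlen); verb[vlen] = '\0';
    memcpy(arg, rest, alen);  arg[alen] = '\0';
    return 0;
}

/* Lexically resolve a client-supplied relative path beneath root, treating '/'
   and '\' alike as Windows does. Absolute or drive-qualified paths and any ".."
   that would climb above root are rejected (-1); otherwise out receives
   root\seg\seg... and 0 is returned: the containment check a cache-serving
   daemon needs before it opens a requested file. */
int resolve_under_root(const char *root, const char *req, char *out, size_t cap)
{
    const char *segs[64], *p = req, *start;
    size_t seglen[64], used, len, i;
    int n = 0;
    if (req[0] == '/' || req[0] == '\\' || (req[0] != '\0' && req[1] == ':'))
        return -1;
    while (*p) {
        start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        len = (size_t)(p - start);
        if (*p) p++;                                    /* skip separator */
        if (len == 0 || (len == 1 && start[0] == '.')) continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return -1;                      /* would escape root */
            n--; continue;
        }
        if (n == 64) return -1;
        segs[n] = start; seglen[n] = len; n++;
    }
    used = strlen(root);
    if (used >= cap) return -1;
    memcpy(out, root, used);
    for (i = 0; i < (size_t)n; i++) {
        if (used + 1 + seglen[i] >= cap) return -1;
        out[used++] = '\\';
        memcpy(out + used, segs[i], seglen[i]); used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/* Stand-alone demo over a constructed two-request stream. */
int main(void)
{
    struct mem_src src = { "GET images/logo.gif\r\nGET ..\\..\\private.txt\r\n", 0, 0 };
    char line[256], verb[8], arg[128], path[260];
    src.len = strlen(src.data);
    while (read_line_bounded(mem_getc, &src, line, sizeof line) >= 0) {
        if (split_command(line, verb, sizeof verb, arg, sizeof arg) != 0) continue;
        printf("%s -> %s\n", line, resolve_under_root("C:\\cache", arg, path,
               sizeof path) == 0 ? path : "rejected: outside cache root");
    }
    return 0;
}
```

Two design points matter here. The reader returns an error instead of growing a buffer when no terminator arrives, so a client that streams characters forever costs the server one fixed buffer and then a closed connection. The path check is purely lexical; on Windows it should be paired with the OS's own canonicalization (for example, comparing the result of GetFullPathName against the root again), because short 8.3 names, junctions, and trailing dots or spaces can make two spellings refer to the same file.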
http://www.ntsecurity.net/go/load.asp?iD=/security/windows3.htm

* INTERNET EXPLORER FRAME DOMAIN VERIFICATION
Andrew Nosenko reported that Internet Explorer (IE) lets a user retrieve another user's files through a bug in cross-frame navigation security checks. According to Microsoft's report, when a Web server opens a frame within a window under IE, the IE security model should let the parent window access the data in the frame only if the two windows are in the same domain. However, two functions available in IE do not properly perform domain checking, and the parent window can open a frame that contains a file on the local computer. This might let a malicious Web site operator view files on the computer of a visiting user. Microsoft has released a patch to correct the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-17.htm

* INTERNET EXPLORER UNAUTHORIZED COOKIE ACCESS
Marc Slemko reported a problem in Internet Explorer (IE) that might let a Web site operator add, read, or change cookies without a user's authorization. According to Microsoft's bulletin, the IE security model restricts cookies so that only sites within the originator's domain can read them. However, by using a specifically malformed URL, a malicious Web site operator can access another site's cookies and read, add, or change them. Microsoft has released a patch to correct this issue.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-18.htm

* INTERNET EXPLORER MALFORMED COMPONENT ATTRIBUTE
The Japanese group UNYUN reported that the code used to invoke ActiveX components in Internet Explorer (IE) has an unchecked buffer. Through the bug, a Web site operator can cause code to run on a remote user's computer without the user's knowledge. The unchecked buffer is exposed only when certain attributes are specified in conjunction with each other. Microsoft has released a patch to correct the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-19.htm

* UNCHECKED BUFFER IN LOTUS DOMINO 5.0.1
Michal Zalewski discovered that Lotus Domino Server 5.0.1 has an unchecked buffer that can let arbitrary code run on the server. During an SMTP mail session, the client sends a MAIL FROM command to tell the server who the mail is from. By appending 4KB of characters to the end of the email address in the MAIL FROM command, a malicious user can crash the server. The vendor is aware of the problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/domino5-1.htm

* CRASHING NETPROWLER 3.0
A researcher named rain.forest.puppy discovered that by sending two fragmented packets to a machine monitored by Axent Technologies' NetProwler, an attacker can crash the service. The packets must be sent to a monitored machine with a spoofed source address, that of the actual NetProwler monitoring system. Axent Technologies is aware of this matter but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/netprowler3-1.htm

* BLACKICE BLANK PASSWORD AND CODE EXECUTION
According to a bulletin released by rain.forest.puppy (the discoverer), Network ICE's BlackICE product has two security problems. First, the software uses a default logon of iceman, with no password. Any user with that knowledge can log on to a BlackICE server on port 8081 or send it security alerts on port 8082. Second, BlackICE uses the Microsoft Jet 3.5 engine to store alerts. As you know, the Jet engine is vulnerable to various attacks. The vendor has released a patch for these problems.
http://www.ntsecurity.net/go/load.asp?iD=/security/icecap1.htm

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000/NT 4.0 SECURITY AND CONTROL CONFERENCE AND EXPO
The Windows 2000/NT 4.0 Security and Control Conference and Expo comes to Boston, July 11 through 13, 2000, with optional workshops on July 10 and July 13.
Produced by MIS Training Institute and its security division, Information Security Institute, and co-sponsored by Windows 2000 Magazine, this conference is the place to gain the technical skills and real-world knowledge you need to successfully implement and exploit Microsoft's newest OS. For more details or to register, call 508-879-7999, ext. 346, or go to http://www.misti.com/conference_show.asp?id=NT00US.

* MICROSOFT TECH-ED 2000 WEBCAST
The Microsoft Tech-Ed 2000 WebCast, June 5 through 8, is for developers and IT professionals who need the technical content being presented at Microsoft Tech-Ed 2000 but can't attend. You can view a total of 36 sessions for only $99.00. There will be a Q&A session with the WebCast audience after each of the 18 live sessions, including live Q&A with Bill Gates and Bob Muglia after their keynotes. Register today at http://msdn.microsoft.com/events/tewebcast/default.asp.

4. ========== SECURITY ROUNDUP ==========

* NEWS: NEW LOVE PACKS A WALLOP
As expected, several variations of the Love Letter worm are making their way around the Internet. The latest rendition, named New Love, is far meaner and trickier than the rest. As with Love Letter, New Love spreads by sending itself as a file attachment to all addresses in the Outlook address book. The difference is that New Love attaches itself to an email using a random filename derived from the victim's list of recently opened documents (as seen under Start, Documents), but the attachment will always have a .vbs extension. Be sure to read the entire story to learn what else New Love can do to a system.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=143&TB=news

* NEWS: THE UPCOMING OUTLOOK SECURITY PATCH: SHOULD YOU LOAD IT?
Microsoft will release a security patch for Outlook 2000 and Outlook 98 sometime this week.
If you're looking for details about that patch or wondering how to protect Outlook 97 mail clients from viral infection, be sure to read the advice from Windows 2000 Magazine contributor Sue Mosher. In the May 19 edition of her Exchange Messaging Outlook newsletter, Mosher covers the finer points of the patch to help you decide whether you should load it and whether the patch is enough to stop dangerous viruses and worms.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=142&TB=news

~~~~ SPONSOR: NETWORK-1 SECURITY SOLUTIONS--NT/2000 HOST FIREWALLS ~~~~
The #1 rule in network security is, "You can hack what you can't access." CyberwallPLUS is the world's best packet filtering firewall. It provides fine grain access control for all NT/2000 servers and desktops. CyberwallPLUS is the only firewall that gives system administrators the intrusion detection and prevention needed to secure hosts and cost-effectively scale to preserve performance and reliability. It stops hackers dead. Visit http://www.network-1.com/eval/eval6992.htm for a free CyberwallPLUS evaluation kit and white paper.

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* IMPROVED INTERNET UPDATE SPEED
Symantec announced significant improvement of its LiveUpdate infrastructure to handle the increase in Internet update requests that a virus crisis triggers. Symantec will improve the availability and speed at which customers can get updates via the Internet by 800 percent. Symantec will also increase the number of LiveUpdate servers to more than 2000, which will provide local access to customers in all major markets around the world. For more information, go to the Symantec Press Center on the Web site.
http://www.symantec.com/PressCenter/

* INTERNET BANKING SERVICES AND INTERNET 911
Internet Security Systems (ISS) announced the first online banking services based on new Online Scanning technology and announced the launch of an expanded Emergency Response Service--the 911 of the Internet. ISS has also expanded its SAFEsuite software platform and launched a strategic e-business insurance alliance with INSUREtrust. For more information on these products, visit the ISS Web site.
http://www.iss.net/company/press_office/pressrel2000.php

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* MAIL ESSENTIALS: ANTI-VIRUS GATEWAY FOR EXCHANGE!
Worried about email attachments with viruses, infected VB-scripts, dangerous executables? Quarantine such emails and keep your server healthy - with Mail essentials! Mail essentials adds virus scanning, content filtering & more to your Exchange server.
http://www.gfi.com/exchmesbug.shtml

* PALM IIIC GIVEAWAY - WINDOWS NT SECURITY SURVEY
WIN A PALM IIIc - NO PURCHASE OR LIST SUBSCRIPTION REQUIRED. The Palm IIIc is the first Palm Organizer with a COLOR screen. You could win one by completing our five minute computer security survey.
http://www.tpis.com.au/survey

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: INTERNET AND INTRANET SECURITY MANAGEMENT: RISKS AND SOLUTIONS
By Lech Janczewski
Online Price: $69.95
Softcover; 250 pages
Published by Idea Group Publishing, February 2000
ISBN 1878289713

"Internet and Intranet Security Management: Risks and Solutions" addresses information security concerns from the managerial, global point of view. To order this book, go to http://www.fatbrain.com/shop/info/1878289713?from=win2000mag or visit the Windows 2000 Magazine Network Bookstore at http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772

* TIP: MAKE MY COMPUTER SHOW CURRENT USERNAME AND MACHINE NAME
(contributed by http://www.windows2000faq.com)

As you know, each Windows desktop has a My Computer icon.
Clicking the icon opens the My Computer folder, displaying available resources such as hard disks, printers, Dialup Networking, scheduled tasks, and mobile device connections. Did you know you can change the folder name to display the locally logged in user's name? To do so, open Regedt32.exe, navigate to the HKEY_CLASSES_ROOT\CLSID subtree, locate the key named 20D04FE0-3AEA-1069-A2D8-08002B30309D, and follow one of the two instruction sets below, depending on whether you have Windows 2000 or Windows NT 4.0.

For Win2K systems, select and edit LocalizedString. Copy its text contents to a safe location such as Notepad. The contents should be something similar to "@D:\WINNT\system32\shell32.dll,-9216@1033,My Computer" without the quotes. Next, delete the LocalizedString value. Create a new value with the same name (LocalizedString) with a type of REG_EXPAND_SZ. Paste the saved text into the text field of the newly created value, but edit the caption at the end of the string before saving it: replace the text "My Computer" with "%username% on %computername%" without the quotes. For example, a modified string might read @D:\WINNT\system32\shell32.dll,-9216@1033,%username% on %computername%.

For NT 4.0 systems, select the existing value in the right pane and delete it. On the Edit menu, click Add Value, and leave the Value Name blank. Select a Data Type of REG_EXPAND_SZ and in the string box enter "%userName% on %computername%" without the quotes. Now close Regedt32 and refresh the desktop to see the new display caption.

* ULTIMATE SECURITY TOOLKIT: SECUREPC
SecurePC lets administrators select the rights and privileges that end users have on their workstations. You can use the product to configure policies that protect Windows NT, Windows 9x, and Windows 3.x workstations. Steve Manzuik takes a close look at the tool in his current Web exclusive column. Be sure to read the entire review on our Web site.
http://www.ntsecurity.net/go/ultimate.asp

* WRITING SECURE CODE: PARSING POP INPUT
In his current Web exclusive column, David LeBlanc addresses the question, "What do you need to know to protect your POP3 server when handling user input?" As you'll learn, you need to come up with a function that lets you retrieve a line of user input from a socket without overflowing the buffers. Be sure to read the entire article on our Web site, where you'll find LeBlanc's complete source code examples.
http://www.ntsecurity.net/go/seccode.asp

* WINDOWS 2000 SECURITY: DELEGATING PASSWORD RESET CONTROL
A key example of the power of Windows 2000's Active Directory (AD) is its ability to let nonadministrators (e.g., Help Desk staff) reset forgotten passwords without granting these users sweeping administrative authority. In addition, AD lets administrators monitor this sensitive activity. As a security administrator working with Win2K, you need to understand how to delegate password reset authority. To learn all about this new OS feature, read Randy Franklin Smith's Web exclusive column on our Web site.
http://www.ntsecurity.net/go/win2ksec.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

May 17, 2000, 12:21 P.M.
Migrating a BDC to a New Domain
Does anyone know of a way to migrate a BDC from one domain to another without rebuilding the server? One would think with all the corporate mergers that there would be a way to facilitate this move. Any advice will be helpful.
Thread continues at http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=103550.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week.
Possible New Email Virus Concept and Bypass IE Settings
While looking for a way to bypass the Internet Explorer Security setting that disables all downloads, I noticed that IE automatically downloads image files (unless you have images disabled) and stores them in the Temporary Internet Files folder. I did some testing on how IE (IE 5.0, Win98) handles those image files and found that it downloads the first few bytes, checks for a valid image file header, and if the header is present, it will download the rest of the file.
http://www.ntsecurity.net/go/w.asp?A2=IND0005c&L=WIN2KSECADVICE&P=88

Follow this link to read all threads for May, Week 3:
http://www.ntsecurity.net/go/w.asp?A1=ind0005c&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week.

Biometrics Security
I have noticed that Compaq has released its own biometric hardware, and it's cheap ($99 dollars per unit) for a small number of clients. I have a couple of questions on biometric security. Is it better than regular text-based passwords? Would it remove the threat of L0phtCrack?
http://www.ntsecurity.net/go/L.asp?A2=IND0005d&L=HOWTO&P=79

Follow this link to read all threads for May, Week 3:
http://www.ntsecurity.net/go/l.asp?A1=ind0005c&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED!
==========
Receive the latest information about the Windows 2000 and Windows NT topics of your choice, including Win2K Pro, Exchange Server, thin-client, training and certification, SQL Server, IIS administration, XML, application service providers, and more. Subscribe to our other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up00inxwnf.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATE@list.win2000mag.net.

UNSUBSCRIBE
To unsubscribe, send an email to U-A3.15.87030@list.win2000mag.net. Or click http://go.win2000mag.net:80/UM/U.ASP?A3.15.87030 and you will be removed from the list. Thank you!

If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com.
___________________________________________________________
Copyright 2000, Windows 2000 Magazine