Security UPDATE, July 16, 2003
Windows & .NET Magazine Security UPDATE--July 16, 2003
==== This Issue Sponsored By ====
HP & Microsoft Network Storage Solutions Road Show http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB07cD0AM
1. In Focus: Antispam Movement: Readers Respond
2. Security Risks - Buffer Overflow in XP SP1's Rundll32.exe - Buffer Overrun in Windows SMB - Buffer Overrun in Windows HTML Converter - Privilege-Elevation Vulnerability in Win2K
3. Announcements - Exchange 2003: Do You Plan to Migrate or Wait? - Find Your Next Job at Our IT Career Center
4. Security Roundup - News: One Last Follow-Up: The Future of Patch Management - News: Watch Out for the Scammers - Feature: Win2K SP4 Tightens Security for Programs and Services 5. Security Toolkit - Virus Center - FAQ: What's the Easiest Way to View the Contents of the Windows NT 4.0 SAM Database on a Remote Machine?
6. Event - New Active Directory Web Seminar! 7. New and Improved - Install a Not-So-Tiny Firewall - Replace Passwords with Biometrics - Submit Top Product Ideas
8. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: Possible Attempt to Compromise Security
9. Contact Us See this section for a list of ways to contact us.
==== Sponsor: HP & Microsoft Network Storage Solutions Road Show ==== ==========
Missed the Network Storage Solutions Road Show? If you couldn't make the HP & Microsoft Network Storage Solutions Road Show, you missed Mark Smith talking about Windows-Powered NAS, file server consolidation, and more. The good news is that you can now view the Webcast event in its entirety at: http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB07cD0AM
==== 1. In Focus: Antispam Movement: Readers Respond ==== by Mark Joseph Edwards, News Editor, firstname.lastname@example.org
In last week's Security UPDATE commentary (see the URL below), I discussed spam and presented some news stories that reveal the tug-of-war taking place between lawmakers and companies whose interests might be jeopardized in one way or another by various proposals for legal solutions. Several readers wrote to share their opinions about unsolicited email. I thank everyone who responded and offer you some of those responses. http://www.secadministrator.com/articles/index.cfm?articleid=39554
Jay C. described his concerns about do-not-spam lists. Using such lists might become cost-prohibitive for companies that rely on unsolicited commercial email (UCE) to gain new business leads. Legitimate small businesses rely on email advertising to help them compete against large corporations. He believes that the opt-in approach offers a better direction because it lets advertisers target people who've indicated that they don't mind receiving the advertising from a reputable source.
Steve W. wrote that he's concerned about the ever-increasing sophistication of spammers, who continue to discover ways to get their messages past spam filtering systems. Steve is also concerned about the increasing amount of malicious software (malware) that email messages help propagate, which affects many e-commerce companies, including banks and supply chains. He thinks the best solution will be authenticated email, the use of IP Security (IPSec), and encryption. Steve points out that standards and applications to handle junk email and address other privacy concerns will emerge because they're in demand.
Pat M. wrote that identity management could help curb UCE. If email were authenticated, taking action against abusers would be easier. Pat also thinks that "truth in advertising" laws should apply to advertising message subjects, which would make the email messages far easier to filter.
George S. wrote, "You mentioned some possibilities for controlling spam but left out the most important and effective one: Make spamming a capital crime." I laughed because junk mail obviously aggravates George. I also sympathize--but hope he was joking about the "capital crime" designation.
Greg F. points out that a big problem with stopping spammers is that many of them aren't located in the United States or in countries that might take action against them. Furthermore, he points out that even when an entity is found to have an open SMTP relay (or proxy for that matter), you can't necessarily find someone to contact to close it--because it's often difficult to determine exactly who was using a given IP address. In addition, few people want to do the work to trace a spammer who uses open relays and proxies--the work is tedious.
Bill P. points out that open proxies, open relays, and open Wi-Fi (the 802.11b wireless standard) networks contribute hugely to spam. Tracking spammers who use such gateways is difficult but not impossible. However, Bill acknowledges that sometimes even when you successfully track a spammer to a given domain, you encounter another problem in trying to identify the culprit: false domain registration information.
Bill also notes that antispam legislation probably won't do much good unless technological provisions back it up. For example, you'd have to disable registrars who don't enforce accurate contact information; disable domain names that contain inaccurate contact information; disconnect any site that operates (knowingly or not) an open proxy, mail relay, Wi-Fi network, or another device that spammers can use; and cancel peering agreements between ISPs when an ISP is lax about preventing spam. You would also need legal exceptions that would let someone probe a mail-sending service to determine whether it's spammer-friendly because it operates an open relay or proxy. (Currently, people can be charged with a crime in some areas of the country for simply probing a system without first getting permission to do so.)
David Norris Carden sent me a copy of "Federal SPAM Legislation," a paper that he wrote while working on his master's degree in Information Security at Capella University. In the paper, he examined various proposals for legislation. Of the eight proposals he analyzed, he found that several would do little to mitigate the overall problem of junk email. However, one stood out as having more preventive measures than the rest: H.R. 2515, dubbed "The Anti-Spam Act of 2003."
If passed into law, the act would require email advertising to contain a subject ID, adult-content ID, opt-out mechanism, valid return address, and physical address. In addition, it would make false email headers and subject lines illegal, restrict the harvesting of email addresses, and let victims bring civil action against violators.
Norris's "Federal SPAM Legislation" paper is online (see the first URL below); read it to learn more about antispam legislation. To read more about H.R. 2515, visit the Spamlaws.com Web site (see the second URL below). http://rasquel.com/security.htm http://www.spamlaws.com/federal/108hr2515.html
Spamlaws.com is a great place to review existing and proposed laws from all over the world. You can drill down (e.g., to a given state) to see the local issues. You can also look at case law, such as the recent Intel versus Hamidi case in California. Check out the Web site periodically; it's a great resource. http://www.spamlaws.com
==== 2. Security Risks ==== contributed by Ken Pfeil, email@example.com
Buffer Overflow in XP SP1's Rundll32.exe Rick Patel has reported a buffer-overflow vulnerability in Windows XP Service Pack 1's (SP1's) rundll32.exe file. Microsoft hasn't yet responded to this problem. http://www.secadministrator.com/articles/index.cfm?articleid=39547
Buffer Overrun in Windows SMB Jeremy Allison and Andrew Tridgell discovered a new vulnerability in Windows XP, Windows 2000, and Windows NT 4.0 that can result in the execution of arbitrary code on the vulnerable computer. Microsoft has released Security Bulletin MS03-024 (Buffer Overrun in Windows Could Lead to Data Corruption) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39558
Buffer Overrun in Windows HTML Converter Microsoft reported a new vulnerability in its HTML converter that can result in the execution of arbitrary code on the vulnerable computer. Microsoft has released Security Bulletin MS03-023 (Buffer Overrun In HTML Converter Could Allow Code Execution) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39557
Privilege-Elevation Vulnerability in Win2K Chris Paget of Next Generation Security Software (NGSSoftware) discovered a new vulnerability in Windows 2000 that could result in system compromise through privilege escalation. This vulnerability stems from a flaw in the way Utility Manager handles Windows messages. Microsoft has released Security Bulletin MS03-025 (Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39559
==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)
Exchange 2003: Do You Plan to Migrate or Wait? Windows & .NET Magazine and Aelita Software would like to know about your organization's plans to migrate to Exchange Server 2003. Take our brief survey, "Windows & .NET Magazine: The State of Exchange Migration," and sign up to receive a free white paper titled, "Upgrade or Migrate? Deployment Options for Exchange 2000/2003." Give us your feedback today! http://www.zoomerang.com/survey.zgi?8772R0JP8V3CRHX4RMX08T1F
Find Your Next Job at Our IT Career Center Check out our new online career center, in which you can browse current job openings, post your resume, and create automated notifications to notify you when a job is posted that meets your specifications. It's effective, it's private, and there's no charge. Visit today! http://windows.itcareerpath.com
==== 4. Security Roundup ====
One Last Follow-Up: The Future of Patch Management Paul Thurrott discusses a few additional issues about patch management. Included in the discussion are Windows Update, Automatic Update, Software Update Services (SUS), Systems Management Server (SMS), and future changes to the Windows OS that will affect patch management in the Longhorn long run. Be sure to read the article to learn what Microsoft is up to. http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=39545 News: Watch Out for the Scammers SurfControl is warning users to use extra security precautions against "brand spoofing," which is a tactic used to defraud people. The technique involves scammers who send out mass email messages hoping to lure people to fake Web sites that appear to be the Web sites of legitimate companies. http://www.secadministrator.com/articles/index.cfm?articleid=39556 Feature: Win2K SP4 Tightens Security for Programs and Services Windows 2000 Service Pack 4 (SP4) introduces two new rights that tighten Win2K's security model and make it compatible with Windows Server 2003. To avoid problems with installed programs, you need to understand how these new rights restrict previously allowed activity. Learn about the new rights in Paula Sharick's article on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=39534
==== 5. Security Toolkit ====
Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda
FAQ: What's the Easiest Way to View the Contents of the Windows NT 4.0 SAM Database on a Remote Machine? contributed by Jan De Clercq, firstname.lastname@example.org
A. You don't need remote control software; NT 4.0 User Manager includes a feature that lets you connect to the NT 4.0 security database of another domain or another machine. To connect to another SAM, choose Select Domain from the User menu to open the Select Domain dialog box. In this dialog box, you can select a domain or type the name of a machine that isn't a domain controller (DC). If you type a name, make sure that you precede it with two backslashes.
Select the Low Speed Connection check box if you want to connect to a remote SAM over a connection with relatively low bandwidth (e.g., a RAS connection). If you select this option, User Manager won't display the list of users and groups stored in the remote SAM. You'll need to use the options under User Manager's User menu to manage remote users and groups. In addition, you won't be able to manage remote global groups.
==== 6. Event ====
New Active Directory Web Seminar! Discover how to securely manage Active Directory in a multiforest environment, establish attribute-level auditing without affecting AD performance, and more! Space is limited--register today! http://www.winnetmag.com/seminars/securead
==== 7. New and Improved ==== by Sue Cooper, email@example.com
Install a Not-So-Tiny Firewall Tiny Software released Tiny Firewall 5.0 Enterprise Edition, software that now offers integrated security for the desktop and server with a network firewall, intrusion prevention and detection, files and registry access, and Windows resources control. As an administrator, you can define the granularity of populating security policies based on your organizational structure. You can create rules for specific applications running under specific accounts and apply them simultaneously on Windows Server 2003 and Windows XP/2000 computers. The intrusion detection and prevention modules are signature-based and fully configurable down to the user level. Contact Tiny Software at 408-919-7360 or on the company's Web site. http://www.tinysoftware.com
Replace Passwords with Biometrics SAFLINK announced that its new version of SAFsolution supports Microsoft's new identity management product, Active Directory Application Mode (ADAM) for the Windows Server 2003 environment. Expected to ship this fall, the biometric security software lets you tighten network security by replacing text passwords with an authentication system that uses unique physical characteristics, such as fingerprints, irises, voice patterns, and facial contours. It's compatible with nearly 30 hardware devices and offers COM+ private components, network load balancing, and COM+ application recycling. Contact SAFLINK at 800-762-9595 or 425-278-1100. http://www.saflink.com
Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to firstname.lastname@example.org.
==== 8. Hot Thread ====
Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums
Featured Thread: Possible Attempt to Compromise Security (Ten messages in this thread)
A user on a network who runs Windows XP Professional with Service Pack 1 (SP1) and Microsoft Office XP with SP1 receives the following error message in Microsoft Word when he attempts to browse a mapped network drive on a Windows 2000 Server system:
"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you"
The user can't access the server and is locked out. After the account is unlocked, he manages to log on successfully. However, if he tries to browse the file again, he's locked out again. Why does this happen, and how can the problem be corrected? Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=55214
==== Sponsored Links ====
AutoProf Jerry Honeycutt Desktop Deployment Whitepaper http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBDo0Ap
Sybari Learn about the new security features of Exchange 2003 -- FREE! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBOG0AM
=============== This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup
==== 9. Contact Us ====
About the newsletter -- email@example.com About technical questions -- http://www.winnetmag.com/forums About product news -- firstname.lastname@example.org About your subscription -- email@example.com About sponsoring Security UPDATE -- firstname.lastname@example.org
Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.