Security UPDATE, April 30, 2003

********************

Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems. http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

HFNetChkLT-FREE Patch Mgmt on 50 CPUs. No Timeouts! http://www.shavlik.com

HP & Microsoft Network Storage Solutions Road Show http://www.winnetmag.com/roadshows/nas (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: HFNetChkLT-FREE PATCH MGMT ON 50 CPUS. NO TIMEOUTS! ~~~~ Introducing NEW Shavlik HFNetChkLT -- the FREE version of the new HFNetChkPro 4.0, an automated scanning and remediation solution from Shavlik, the developers of HFNetChk and MBSA for Microsoft. It includes loads of new features that save time for busy security professionals while offering greater enterprise security. HFNetChkPro 4.0 automates patch remediation for Microsoft Office, Windows Server 2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Its intuitive Drag-n-Drop Patch Management interface allows you to precisely control which groups will be scanned, by what criteria and when and how patches are deployed. Visit www.shavlik.com to download it! http://www.shavlik.com ~~~~~~~~~~~~~~~~~~~~

April 30, 2003--In this issue:

1. IN FOCUS - The Legal Liability of Information Security

2. SECURITY RISKS
   - Multiple Vulnerabilities in Microsoft IE
   - MHTML Arbitrary Code Execution in Microsoft Outlook Express
   - Buffer Overflow in Cisco ACS for Windows

3. ANNOUNCEMENTS
   - Get Armed with the Same Security Protection Used by the Department of Defense!
   - Microsoft TechEd 2003, June 1-6, Dallas, TX

4. SECURITY ROUNDUP
   - News: NetVision Helps Patrol NetWare Servers
   - News: Microsoft Releases Windows Server 2003 Resource Kit Tools
   - News: Microsoft Partners with Storage Industry for Enhanced Storage Security
   - Feature: Protect Your Network from Intrusion

5. INSTANT POLL
   - Results of Previous Poll: Windows Server 2003
   - New Instant Poll: Cyber-Insurance

6. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Audit Users Who Start and Stop Services?

7. NEW AND IMPROVED
   - Protect Back-End Storage
   - Secure Enterprise Applications
   - Submit Top Product Ideas

8. HOT THREADS
   - Windows & .NET Magazine Online Forums
   - Featured Thread: How Do I Establish a Cisco VPN Tunneling Solution?
   - HowTo Mailing List
   - Featured Thread: Are MAILTO and POST Safe for Transactions?

9. CONTACT US
   - See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

* THE LEGAL LIABILITY OF INFORMATION SECURITY

In last week's Security UPDATE commentary, I discussed the changing legal landscape regarding security. I have a bit more to say about the subject. The SysAdmin, Audit, Network, Security (SANS) Institute recently offered the Webcast "Legal Liability For Information Security: Ask the Experts." If you didn't tune in, you missed some interesting perspectives. (For a rebroadcast of the SANS Webcast, visit the URL below. Register and follow the instructions to access the show in the archives.) http://www.sans.org/webcasts/042303.php

In one segment of the Webcast, attorney Marc Zwillinger offered his opinions about how torts will soon affect companies based on their information security practices (or the lack thereof). Without getting into complicated legal interpretations, one can define a tort as basically damage, injury, or a wrongful act that occurs either willfully or through negligence.

In the past, to get into trouble in the arena of information security, you typically had to either break the law or breach a contract. Legal experts now think we'll start to see litigants suing entities for torts civilly--and perhaps even prosecuting them criminally, depending on the circumstances.

For example, if your company is aware that it runs an open mail relay, and a spammer uses your mail system to send email in a way that causes harm or damage to another entity, your company has effectively committed a tort and might be found liable in a court of law. In another example, if you don't properly secure private user or customer information and that information becomes compromised, you might be held liable for civil damages.

In the United States, almost anyone can sue someone else for almost any reason. So staying out of court might become increasingly difficult in some security-related instances. The legal experts note several ways you can help prevent litigation regarding your information security.

One of the key factors in determining liability is whether you've taken reasonable steps toward keeping your systems and information secure. Another factor is how you respond to security incidents. These factors will probably determine whether and how you're found liable in the event that someone brings a legal action against you or your company. How you handle those matters--which steps you've taken to keep information secure and how you respond to security incidents--might also affect whether you qualify for cyber-insurance.

When asked which were the most important security-related steps to take, members of the legal panel recommended that you explicitly assign responsibilities for security matters, put those assignments in writing, and have the responsible parties sign them physically, digitally, or both. You should take appropriate action before something becomes a problem for your business. You must be aware of the different layers of law under which you operate (local, county, state, federal, international) and respond to requirements accordingly. Find a capable lawyer to help ensure you aren't caught off guard. Finally, be sure you assign access rights and responsibilities carefully, after assessing people's skill levels and their need for access relative to their specific tasks and your business needs. Doing so can help avoid liabilities stemming from negligence.

Do the insurance and the legal industries seem poised to start steering the information security industry more directly toward what it must do and how to do it? Will a day come when people won't be able to connect to the Internet without a proper license and cyber-insurance of some sort? I hope such potential changes won't occur--at least until after the day that computer software and hardware vendors become legally liable for defective products. I think many people agree that, like automobiles, software and hardware should have both better "precautionary devices" and more knowledgeable "drivers."

In any case, it's clear that your company's security practices must be stated, assigned, and carried out to keep your company out of court in case of a mishap. You should know which security elements will come into play when courts make decisions about liability and take steps to address those elements--not only to avoid litigation but also to protect your company, its customers, and you.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW ~~~~ TIME IS RUNNING OUT TO CATCH OUR STORAGE ROAD SHOW! Attend the HP & Microsoft Network Storage Solutions Road Show, and learn how existing and future storage solutions can save your company money--and make your job easier! Attendees have lots of chances to win incredible prizes. There is absolutely no fee for this event, but space is limited. We've just added Minneapolis to our list of cities, so register now! http://www.winnetmag.com/roadshows/nas ~~~~~~~~~~~~~~~~~~~~

2. SECURITY RISKS

(contributed by Ken Pfeil, ken@winnetmag.com)

* MULTIPLE VULNERABILITIES IN MICROSOFT IE

Mark Litchfield of Next Generation Security Software (NGSSoftware), Andreas Sandblad, and Jouko Pynnonen of Oy Online Solutions discovered that Microsoft Internet Explorer (IE) 6.0, IE 5.5, and IE 5.01 contain four vulnerabilities, the most serious of which can result in the execution of arbitrary code on the vulnerable system. Microsoft has released Security Bulletin MS03-015 (Cumulative Patch for Internet Explorer) to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. For more details about these problems as well as links to the bulletin, visit our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=38781

* MHTML ARBITRARY CODE EXECUTION IN MICROSOFT OUTLOOK EXPRESS

Microsoft reported a vulnerability in Microsoft Outlook Express 6.0 and Outlook Express 5.5 that can result in the execution of arbitrary code on the vulnerable system. This vulnerability is the result of a flaw in the MIME Encapsulation of Aggregate HTML (MHTML) URL handler. To exploit this vulnerability, an attacker can construct a URL and either host it on a Web site or send it by email. In the Web-based scenario, when a user clicks the site-hosted URL, the attacker can then read or launch files already present on the local machine. Microsoft has released Security Bulletin MS03-014 (Cumulative Patch for Outlook Express) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=38780

* BUFFER OVERFLOW IN CISCO ACS FOR WINDOWS

Cisco Secure ACS for Windows contains a buffer-overflow condition that can permit a Denial of Service (DoS) attack and a root compromise. The problem appears to lie in the software's handling of logon sequences. Cisco Systems recommends that customers either upgrade to repaired versions of Cisco Secure ACS or install Cisco Secure ACS so that it denies or restricts access to management interfaces. Users who want to restrict access to management interfaces need to block access to ACS on port 2002. Cisco has released a bulletin and free upgrades, which you can download from the company's Web site. http://www.secadministrator.com/articles/index.cfm?articleid=38778

3. ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

* GET ARMED WITH THE SAME SECURITY PROTECTION USED BY THE DEPARTMENT OF DEFENSE!

Computer security is a top priority for organizations and individuals because you don't want to leave confidential data open to intrusion. Now, individuals can get the same protection offered for corporate and government networks. For $69.95, Harris STAT Scanner Home Edition enables you to accurately identify and eliminate security deficiencies. http://www.softwareshelf.com/products/statscanner.asp

* MICROSOFT TECHED 2003, JUNE 1-6, DALLAS, TX

Realize your potential at TechEd 2003, Microsoft's premier technical conference. Join network administrators, developers, architects, and messaging/security specialists for sessions on Windows Server 2003, Visual Studio .NET 2003, and all .NET developer languages. 350+ technical sessions, hands-on labs, free betas, demos. Don't miss this opportunity; make sure to register today! http://go.microsoft.com/fwlink/?linkid=14028

4. SECURITY ROUNDUP

* NEWS: NETVISION HELPS PATROL NETWARE SERVERS

NetVision announced a new product that fills a need for Fortune 500 and Fortune 1000 companies: eDirectory Policy Manager Knowledge Module for PATROL. The module is an intrusion prevention and remediation solution that integrates BMC Software's PATROL management platform and Novell NetWare servers. NetVision will comarket the new knowledge module with BMC Software. http://www.secadministrator.com/articles/index.cfm?articleid=38763

* NEWS: MICROSOFT RELEASES WINDOWS SERVER 2003 RESOURCE KIT TOOLS

Microsoft released its free set of resource kit tools for Windows Server 2003. The "Microsoft Windows Server 2003 Resource Kit" includes utilities that administrators, developers, and power users can use to manage Active Directory (AD), Group Policy, TCP/IP networks, the registry, security, scalability, and many other aspects of the Windows 2003 OS. The resource kit tools run on Windows XP and any member of the Windows 2003 family of products. http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=38747

* NEWS: MICROSOFT PARTNERS WITH STORAGE INDUSTRY FOR ENHANCED STORAGE SECURITY

Microsoft has announced plans to help enhance Storage Area Network (SAN) security. The company is working with the storage industry to promote the adoption of the Internet Engineering Task Force (IETF) standard Remote Authentication Dial-In User Service (RADIUS) protocol, which is part of its Windows Server 2003 and Windows 2000 OS platforms and integrates with Active Directory (AD). Microsoft's industry partners for RADIUS include SAN fabric vendors such as Brocade Communications Systems, McDATA, and QLogic. http://www.secadministrator.com/articles/index.cfm?articleid=38753

* FEATURE: PROTECT YOUR NETWORK FROM INTRUSION

When you think about intrusion detection, consider a modern paraphrase of an old question: "If an attack occurs on your network and no one knows about it, did the attack really occur?" Detecting attacks on your network is crucial, but doing so is also difficult. That's where intrusion detection comes in. Intrusion detection is important, especially in a multilayered defense-in-depth strategy. To learn more about intrusion detection, read Jason Harper's article on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=24650

5. INSTANT POLL

* RESULTS OF PREVIOUS POLL: WINDOWS SERVER 2003

The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Will your company upgrade to Windows Server 2003 for better security?" Here are the results from the 203 votes.
- 31% Yes--within 1 year
- 10% Yes--within 2 years
- 8% Yes--within 3 years
- 21% Not sure
- 30% No

* NEW INSTANT POLL: CYBER-INSURANCE

The next Instant Poll question is, "Does your company have cyber-insurance?" Go to the Security Administrator Channel home page and submit your vote for a) Yes--We have it, b) No--But we plan to obtain it, c) No--We won't get it until it's required by law, or d) No. http://www.secadministrator.com

6. SECURITY TOOLKIT

* VIRUS CENTER

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

* FAQ: HOW CAN I AUDIT USERS WHO START AND STOP SERVICES? (contributed by Randy Franklin Smith, rsmith@montereytechgroup.com)

A: Like files and folders, services are access-controlled objects, and every access-controlled object has a security descriptor. Part of a service's security descriptor is the system ACL (SACL), which you can use to track access to that object. The only way to view or change a service's current SACL is through security templates. To reach the security templates, log on to the server and open the Microsoft Management Console (MMC) Security Templates snap-in. To create a new template, right-click the security templates path. Select New Template, click System Services, then double-click the appropriate service (e.g., Telnet). Select the "Define this policy setting in the template" check box, then click Edit Security to open the Security for Telnet dialog box. This dialog box contains the service's ACL, which you can use to fine-tune who has start and stop authority. To read the complete answer to this question and view screen shots of the dialog boxes, be sure to visit the URL below. http://www.secadministrator.com/articles/index.cfm?articleid=24669
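The FAQ locates a service's SACL inside its security descriptor and shows how to edit it through the Security Templates snap-in. To make the structure concrete, here is an added example, written for this newsletter and not taken from the FAQ or from any Microsoft tool: a small Python parser for a service security descriptor written in Security Descriptor Definition Language (SDDL). It splits the descriptor into its owner, group, DACL and SACL sections, decodes each audit ACE, and reports which principals are audited for service start (SERVICE_START, SDDL abbreviation RP) and stop (SERVICE_STOP, abbreviation WP), separately for success and failure audits. The sample SDDL string is constructed to resemble a Telnet service descriptor with start/stop auditing enabled; the rights abbreviations, bit masks and well-known SID abbreviations are the documented Windows values.

```python
"""Inspect the SACL of a Windows service security descriptor given in SDDL.

Constructed example for the FAQ above: SAMPLE_SDDL is made up to resemble a
service descriptor (such as Telnet's) after start/stop auditing has been
enabled. It is not taken from any real system.
"""
import re

# Service-specific and standard access rights with their SDDL abbreviations
# and bit masks, as defined by the Windows SDK. RP is SERVICE_START and WP is
# SERVICE_STOP, so a start/stop audit entry must cover one of those two.
RIGHT_MASKS = {
    "CC": 0x00001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x00004,  # SERVICE_QUERY_STATUS
    "SW": 0x00008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00010,  # SERVICE_START
    "WP": 0x00020,  # SERVICE_STOP
    "DT": 0x00040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00080,  # SERVICE_INTERROGATE
    "CR": 0x00100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
}

# Well-known SID abbreviations used below. Note that "AU" in the SID position
# means Authenticated Users, while "AU" in the ACE-type position is an audit ACE.
WELL_KNOWN_SIDS = {"WD": "Everyone", "BA": "Administrators", "SY": "Local System",
                   "AU": "Authenticated Users", "IU": "Interactive Users"}

ACE_RE = re.compile(r"\(([^)]*)\)")

SAMPLE_SDDL = (  # constructed sample, see module docstring
    "O:SYG:SY"
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
    "S:(AU;SAFA;RPWP;;;WD)(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"
)


def split_sections(sddl):
    """Split an SDDL string into its O:, G:, D: and S: sections.

    Section markers are recognised only outside parentheses, so the body of an
    ACE can never be mistaken for one.
    """
    sections, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf)
            key, buf = ch, []
            i += 2
            continue
        depth += (ch == "(") - (ch == ")")
        buf.append(ch)
        i += 1
    if key is not None:
        sections[key] = "".join(buf)
    return sections


def split_pairs(field):
    """Break a run of two-letter SDDL tokens ('SAFA', 'RPWP') into a list."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def decode_rights(field):
    """Return an ACE's rights as abbreviations, whether written as letters
    ('RPWP') or as a hex mask ('0x30')."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [abbr for abbr, bit in RIGHT_MASKS.items() if mask & bit]
    return split_pairs(field)


def parse_aces(section):
    """Parse every '(type;flags;rights;object;inherit;sid)' ACE in a section."""
    aces = []
    for body in ACE_RE.findall(section):
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = body.split(";")[:6]
        aces.append({
            "type": ace_type,             # A = allow, D = deny, AU = audit
            "flags": split_pairs(flags),  # SA = success audit, FA = failure audit
            "rights": decode_rights(rights),
            "principal": WELL_KNOWN_SIDS.get(sid, sid),
        })
    return aces


def start_stop_audit(sddl):
    """Report which principals are audited for service start/stop, by outcome.

    A SACL entry counts if it is an audit ACE whose rights include RP or WP.
    Success and failure are reported separately because an entry may carry
    either flag or both.
    """
    report = {"success": [], "failure": []}
    for ace in parse_aces(split_sections(sddl).get("S", "")):
        if ace["type"] != "AU" or not {"RP", "WP"} & set(ace["rights"]):
            continue
        if "SA" in ace["flags"]:
            report["success"].append(ace["principal"])
        if "FA" in ace["flags"]:
            report["failure"].append(ace["principal"])
    return report


if __name__ == "__main__":
    for outcome, principals in start_stop_audit(SAMPLE_SDDL).items():
        print(f"{outcome:>8} audit of start/stop: {', '.join(principals) or 'nobody'}")
```

Run on the sample, the script reports success auditing of start/stop for Everyone and failure auditing for Everyone and Authenticated Users. Keep in mind that a SACL entry only generates events when the Audit object access policy is enabled for the system; the SACL alone records nothing.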

7. NEW AND IMPROVED

(contributed by Sue Cooper, products@winnetmag.com)

* PROTECT BACK-END STORAGE

NeoScale Systems released CryptoStor FC, a wire-speed storage security appliance for data storage access, transport, and privacy. Fully transparent, the inline storage appliance inspects storage traffic and applies data access controls and encryption to the data payload at gigabit rates. CryptoStor FC lets you centrally manage hundreds of storage data security policies without performance degradation. CryptoStor FC uses two-factor smart card authentication to secure remote, roles-based administration. Platform- and application-independent, the appliance can be deployed with the Fibre Channel fabric, in front of storage subsystems, and behind storage gateways. CryptoStor FC prices start at $35,000. Contact NeoScale Systems at 408-586-1300 or info@neoscale.com. http://www.neoscale.com

* SECURE ENTERPRISE APPLICATIONS

Entrust announced Entrust Entelligence Security Provider 7.0 to secure desktop applications that leverage the Windows security framework, including their files and forms, eforms, email, VPNs, and wireless LANs (WLANs). With a "footprint" of less than 1MB and a customizable installation that leverages Windows-installer technology, Security Provider 7.0 lets your users access their enterprise applications with a single logon. Security Provider provides strong authentication between a Web server and an end user, protecting access to both Web and desktop applications. A simple self-service feature lets users recover file keys and encrypted messages if they forget their passwords. Entrust Entelligence Security Provider 7.0 supports Windows XP/2000/NT systems that support 128-bit encryption. Contact Entrust at 888-690-2424 or entrust@entrust.com. http://www.entrust.com

* SUBMIT TOP PRODUCT IDEAS

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

8. HOT THREADS

* WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.com/forums

Featured Thread: How Do I Establish a Cisco VPN Tunneling Solution? (Three messages in this thread)

A user wants to let his five remote users access the company network from the users' ISP dial-up connections in various states around the country. The users could then use Microsoft Outlook natively to manage such functions as correspondence and contacts. His network uses a Cisco Systems PIX Firewall, and he needs some guidance on how to implement a VPN tunneling solution on the firewall. He wants to know whether he can simply install the Cisco VPN client software on the remote users' machines or whether the firewall will need some special configuration also. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=57909

* HOWTO MAILING LIST http://63.88.172.96/listserv/page_listserv.asp?s=howto

Featured Thread: Are MAILTO and POST Safe for Transactions? (Three messages in this thread)

A user wants to know what the dangers are of someone sending a credit card number over the Internet using MAILTO and POST links. Read the responses or lend a hand at the following URL: http://63.88.172.96/listserv/page_listserv.asp?A2=IND0301E&L=HOWTO&P=281

9. CONTACT US

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark@ntsecurity.net

* ABOUT THE NEWSLETTER IN GENERAL -- letters@winnetmag.com (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products@winnetmag.com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdate@winnetmag.com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com

********************

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

__________________________________________________________

Copyright 2003, Penton Media, Inc.